1, Set an account lockout policy for failed logins, to make brute-force cracking of user passwords more difficult.
Reference links
http://man7.org/linux/man-pages/man8/pam_tally2.8.html
After 5 consecutive wrong passwords, the account is locked for 5 minutes.
Before starting this hardening work, check the PAM module version and whether pam_tally2 exists; if pam_tally2 is present, modify the configuration files. [Note: Every system is configured differently. Configure according to the current system, and carefully evaluate the impact on it.]
Remediation:
CentOS:
Modify /etc/pam.d/password-auth (add the configuration at the appropriate position):
auth required pam_tally2.so deny=5 unlock_time=300 even_deny_root root_unlock_time=300
account required pam_tally2.so
Ubuntu, Debian:
Modify /etc/pam.d/common-auth (add the configuration at the appropriate position):
auth required pam_tally2.so deny=5 unlock_time=300 even_deny_root root_unlock_time=300
Modify /etc/pam.d/common-account (add the configuration at the appropriate position):
account required pam_tally2.so
2, Configure automatic logout for idle Linux accounts
Modify the /etc/profile file to set the idle time after which an account is logged out automatically:
export TMOUT=180
3, Restrict remote login for the root user
Modify the configuration in the file /etc/ssh/sshd_config:
PermitRootLogin no
After the modification is complete, restart the sshd service.
4, Linux account password lifetime policy
Modify the file /etc/login.defs and configure:
PASS_MAX_DAYS 90
5, Linux policy for the maximum number of days an account remains usable after its password expires
Edit the /etc/default/useradd file and configure:
INACTIVE=365
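To verify that the five settings above are actually in effect, the following added example (not part of the original page) audits them under a root prefix. The function names `expect`, `audit_hardening` and `make_sample_tree` are hypothetical, and the sample files are constructed for the demonstration.

```shell
# Added example: audit this page's settings under a root prefix ("" = live system).
s='[[:space:]]'

# expect FILE ERE: count a failure unless FILE has an uncommented line matching ERE.
expect() {
    if [ -r "$1" ] && grep -Eq "^$s*$2" "$1"; then return 0; fi
    printf 'FAIL %s: no active line matching %s\n' "$1" "$2"; fails=$((fails + 1))
}

# audit_hardening ROOT: exit status is the number of failed checks (0 = compliant).
audit_hardening() {
    root=$1; fails=0
    if [ -e "$root/etc/pam.d/password-auth" ]; then      # CentOS layout
        auth=$root/etc/pam.d/password-auth; acct=$auth
    else                                                 # Ubuntu/Debian layout
        auth=$root/etc/pam.d/common-auth; acct=$root/etc/pam.d/common-account
    fi
    # Compare whole options so unlock_time=300 is not satisfied by root_unlock_time=300.
    line=$(grep -E "^$s*auth$s+required$s+pam_tally2\.so" "$auth" 2>/dev/null |
        head -n 1 | tr -s '[:space:]' ' ')
    for opt in deny=5 unlock_time=300 even_deny_root root_unlock_time=300; do
        case " $line " in
            *" $opt "*) ;;
            *) printf 'FAIL %s: no %s\n' "$auth" "$opt"; fails=$((fails + 1)) ;;
        esac
    done
    expect "$acct" "account$s+required$s+pam_tally2\.so"
    expect "$root/etc/profile" "export$s+TMOUT=180$s*\$"
    expect "$root/etc/ssh/sshd_config" "PermitRootLogin$s+no$s*\$"
    expect "$root/etc/login.defs" "PASS_MAX_DAYS$s+90$s*\$"
    expect "$root/etc/default/useradd" "INACTIVE=365$s*\$"
    return "$fails"
}

# make_sample_tree DIR: constructed CentOS-style files holding this page's values.
make_sample_tree() {
    mkdir -p "$1/etc/pam.d" "$1/etc/ssh" "$1/etc/default"
    printf '%s\n' 'auth required pam_tally2.so deny=5 unlock_time=300 even_deny_root root_unlock_time=300' \
        'account required pam_tally2.so' > "$1/etc/pam.d/password-auth"
    echo 'export TMOUT=180' > "$1/etc/profile"
    echo 'PermitRootLogin no' > "$1/etc/ssh/sshd_config"
    echo 'PASS_MAX_DAYS 90' > "$1/etc/login.defs"
    echo 'INACTIVE=365' > "$1/etc/default/useradd"
}

d=$(mktemp -d); make_sample_tree "$d"
audit_hardening "$d" && echo "sample tree: all checks passed"
echo 'PermitRootLogin yes' > "$d/etc/ssh/sshd_config"    # weaken one setting
audit_hardening "$d" || echo "failed checks: $?"
rm -rf "$d"
```

Calling `audit_hardening ""` checks the live system. The values tested are the ones given on this page, so change them in the function if the local policy differs.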