Monday, May 12, 2008

Linux Password Security

Linux password security principles (1)


Install pam_cracklib

Edit /etc/pam.d/passwd
# 3 retries allowed, minimum length 8
password required pam_cracklib.so retry=3 minlen=8


# 3 retries allowed, minimum length 8, at least 1 lowercase letter and 1 digit
# (a negative credit value means "require at least this many of the class";
#  a positive value is only a length credit and does not require anything)
password required pam_cracklib.so retry=3 minlen=8 lcredit=-1 dcredit=-1



Notes
  1. debug Used to write module information to syslog.
  2. type=string Replaces the string UNIX with "STRING" when a user uses the passwd command.
  3. retry=n Specifies how many times a user may retry to change a password.
  4. difok=n Specifies the number of characters in the new password that must be different from the current password. A new password with at least half the characters different from the current password is accepted.
  5. minlen=n Specifies the minimum password length +1. A minlen value of 9 would actually set a minimum password length of 10 characters.
  6. lcredit=n Specifies the number of characters by which the minlen value is reduced by having at least one lowercase character in the new password. If minlen is 7, the minimum password length would be 4 + 1, or 5 characters. Disabled by setting lcredit to 0.
  7. ucredit=n Specifies the number of characters by which the password length is reduced by having at least one uppercase character in the new password.
  8. dcredit=n Specifies the number of characters by which the password length is reduced by having at least one numeric character in the new password.
  9. ocredit=n Specifies the number of characters by which the password length is reduced by having at least one other (non-alphanumeric) character in the new password.
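As an added example (not part of the original post), here is a small Python model of pam_cracklib's length-and-credit check, useful for seeing what the two passwd lines above actually enforce. It assumes the module's documented rule: a non-negative credit adds at most that many points for a character class to the raw length, a negative credit requires at least that many characters of the class, and the password passes when the total reaches minlen; dictionary, similarity and palindrome checks are not modelled.

```python
"""Model of pam_cracklib's minlen/credit scoring (added example, not pam_cracklib code)."""
from dataclasses import dataclass


@dataclass
class CracklibOpts:
    # pam_cracklib defaults: minlen=9 and one credit per character class
    minlen: int = 9
    dcredit: int = 1   # digits
    ucredit: int = 1   # uppercase letters
    lcredit: int = 1   # lowercase letters
    ocredit: int = 1   # other (non-alphanumeric) characters


def parse_cracklib_line(line: str) -> CracklibOpts:
    """Parse a 'password required pam_cracklib.so key=value ...' line into options.

    Unknown keys such as retry= or type= are ignored; only the scoring options matter here.
    """
    opts = CracklibOpts()
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            if key in vars(opts):
                setattr(opts, key, int(value))
    return opts


def length_check(password: str, opts: CracklibOpts) -> bool:
    """Return True if the password satisfies the minlen/credit rule."""
    counts = {
        "dcredit": sum(c.isdigit() for c in password),
        "ucredit": sum(c.isupper() for c in password),
        "lcredit": sum(c.islower() for c in password),
        "ocredit": sum(not c.isalnum() for c in password),
    }
    score = len(password)
    for key, count in counts.items():
        credit = getattr(opts, key)
        if credit >= 0:
            score += min(count, credit)   # positive credit: bonus, capped at credit
        elif count < -credit:
            return False                  # negative credit: class is required
    return score >= opts.minlen


if __name__ == "__main__":
    loose = parse_cracklib_line("password required pam_cracklib.so retry=3 minlen=8 lcredit=1 dcredit=1")
    strict = parse_cracklib_line("password required pam_cracklib.so retry=3 minlen=8 lcredit=-1 dcredit=-1")
    print(length_check("abcdefgh", loose), length_check("abcdefgh", strict))  # True False
```

With positive credits an all-lowercase password still passes, which is why the line that wants a required lowercase letter and digit must use negative credit values.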


Security principles (2): password aging

These settings only apply to newly created users; to apply them to existing users, use the chage command.
#vi /etc/login.defs
PASS_MAX_LEN 8
PASS_MAX_DAYS 90 # password expires after 90 days; the user can still log in after expiry

#vi /etc/default/useradd
INACTIVE=15 # account is disabled 15 days after the password expires; login is no longer possible once disabled


Security principles (2): restrict root login

The telnet service should not be enabled.

Restrict login from the console
remote ssh/telnet
#vi /etc/securetty
#tty0
#tty1
#tty2
#....

Restrict login from X11
#vi /etc/gdm/gdm.conf (Ubuntu GDM; other distributions may place it in a different directory)
/etc/X11/gdm


Restrict login from ssh
#vi /etc/ssh/sshd_config
PermitRootLogin no


Security principles (2): restrict other users from su to root

Add the user to the wheel group; wheel is the group of users allowed to su to root
# usermod, not useradd: useradd creates a new account and has no -a option; -a -G appends the group
usermod -a -G wheel danny

#vi /etc/pam.d/su
auth required /lib/security/$ISA/pam_wheel.so use_uid
