Ubuntu account security measures
Password complexity settings
/etc/login.defs
The password-aging defaults that useradd writes into /etc/shadow for new accounts come from /etc/login.defs. Check the current values:
$ cat /etc/login.defs | egrep -v '^#' | egrep 'PASS_MIN_LEN|PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE'
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
sudo sed -i 's/PASS_MAX_DAYS\s*99999/PASS_MAX_DAYS\t90/g; s/PASS_MIN_DAYS\s*0/PASS_MIN_DAYS\t1/g; s/#PASS_MIN_LEN/PASS_MIN_LEN\t8/g; s/PASS_WARN_AGE\s*7/PASS_WARN_AGE\t7/g;' /etc/login.defs
Two caveats: these values are copied into /etc/shadow only when an account is created, so existing accounts keep their old aging fields until they are changed with chage; and on Ubuntu the password length check is done by PAM (pam_pwquality's minlen, set below), not by PASS_MIN_LEN, so that line is informational only.
$ cat /etc/login.defs | egrep -v '^#' | egrep 'PASS_MIN_LEN|PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE'
PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_WARN_AGE 7
PASS_MIN_LEN 8
sudo useradd -s /bin/bash devops
$ sudo chage -l devops
Last password change : May 03, 2023
Password expires : Aug 01, 2023
Password inactive : never
Account expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
Installing the libpam-pwquality package
sudo apt install -y libpam-pwquality
Installing the package registers pam_pwquality.so in common-password through pam-auth-update. The shipped pwquality.conf has every option commented out, so the command below prints nothing and libpwquality's built-in defaults apply:
$ cat /etc/security/pwquality.conf | egrep -v '^#|^$'
/etc/pam.d/common-password
$ cat /etc/pam.d/common-password | egrep -v '^#|^$'
password requisite pam_pwquality.so retry=3
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
password requisite pam_deny.so
password required pam_permit.so
sudo sed -i 's/^password\s*\[success=1 default=ignore\]\s*pam_unix.so\s*obscure\s*use_authtok\s*try_first_pass\s*yescrypt/password\t[success=1 default=ignore]\tpam_unix.so obscure use_authtok try_first_pass yescrypt nullok ignore_root/' /etc/pam.d/common-password
** The intent of ignore_root is to exempt root from the password policy, but pam_unix.so has no such option: it is logged as an unrecognized option and ignored. Root is exempt anyway, because pam_pwquality skips its checks for root unless enforce_for_root is given. nullok lets accounts with an empty password pass pam_unix and is not a hardening setting; leave it out on a hardened host. Note also that the /etc/pam.d/common-* files are generated by pam-auth-update and its header warns that manual edits are lost the next time it runs (for example when a PAM-related package is installed); durable changes belong in a profile under /usr/share/pam-configs/.
$ cat /etc/pam.d/common-password | egrep -v '^#|^$'
password requisite pam_pwquality.so retry=3
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt nullok ignore_root
password requisite pam_deny.so
password required pam_permit.so
/etc/security/pwquality.conf
$ cat /etc/security/pwquality.conf | egrep -v '^#|^$'
sudo tee -a /etc/security/pwquality.conf <<EOF
# password policy
minlen = 8
minclass = 3
lcredit = 1
dcredit = 1
ocredit = 1
EOF
Appending with tee keeps the redirection under sudo (a plain >> would be opened by the unprivileged shell and fail). Read the credit values carefully: a positive credit is a bonus, not a requirement. Each class with credit N lets up to N characters of that class count twice toward minlen, so lcredit = 1, dcredit = 1 and ocredit = 1 lower the effective minimum for a mixed password from 8 to 5; minclass = 3 is what actually forces three character classes here. To require at least one character of a class, use a negative value (for example lcredit = -1).
$ cat /etc/security/pwquality.conf | egrep -v '^#|^$'
minlen = 8
minclass = 3
lcredit = 1
dcredit = 1
ocredit = 1
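To make the credit arithmetic concrete, here is an added example (not part of the original post and not libpwquality's own code) that parses pwquality.conf-style text and applies the minlen, minclass and credit rules as pwquality.conf(5) documents them. The two configurations inside it are constructed: one is the policy appended above, the other a stricter variant with negative credits. The real library also runs dictionary, similarity, palindrome and repeat checks, which this model leaves out.

```python
"""Model of pam_pwquality's minlen / minclass / credit rules.

Added illustration, not libpwquality code: it applies the arithmetic
documented in pwquality.conf(5) so the effect of the credit values can be
traced. Dictionary, similarity, palindrome and repeat checks are not modelled.
"""
from dataclasses import dataclass


@dataclass
class PwqualityPolicy:
    minlen: int = 8        # libpwquality defaults
    minclass: int = 0
    dcredit: int = 0       # digits
    ucredit: int = 0       # upper case
    lcredit: int = 0       # lower case
    ocredit: int = 0       # everything else


# Constructed samples: the policy appended on this page, and a stricter one.
PAGE_CONF = "minlen = 8\nminclass = 3\nlcredit = 1\ndcredit = 1\nocredit = 1\n"
STRICT_CONF = ("minlen = 12\nminclass = 3\n"
               "lcredit = -1\nucredit = -1\ndcredit = -1\nocredit = -1\n")


def parse_pwquality_conf(text):
    """Parse 'key = value' lines; comments and blanks are ignored."""
    policy = PwqualityPolicy()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if hasattr(policy, key):
            setattr(policy, key, int(value))
    return policy


def count_classes(password):
    """Count characters per class: d(igit), u(pper), l(ower), o(ther)."""
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for ch in password:
        if ch.isdigit():
            counts["d"] += 1
        elif ch.isupper():
            counts["u"] += 1
        elif ch.islower():
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts


def check_password(policy, password):
    """Return (ok, reason) under the documented credit semantics:
    credit >= 0: up to `credit` characters of that class shorten the
                 effective minimum length by one each (a bonus);
    credit <  0: at least -credit characters of that class are required."""
    counts = count_classes(password)
    classes_present = sum(1 for n in counts.values() if n > 0)
    if classes_present < policy.minclass:
        return False, f"needs {policy.minclass} classes, has {classes_present}"
    required = policy.minlen
    for cls, credit in (("d", policy.dcredit), ("u", policy.ucredit),
                        ("l", policy.lcredit), ("o", policy.ocredit)):
        if credit < 0:
            if counts[cls] < -credit:
                return False, f"needs at least {-credit} character(s) of class {cls}"
        else:
            required -= min(counts[cls], credit)   # bonus lowers the minimum
    if len(password) < required:
        return False, f"shorter than the effective minimum of {required}"
    return True, f"ok (effective minimum {required})"


if __name__ == "__main__":
    for conf_name, conf in (("page", PAGE_CONF), ("strict", STRICT_CONF)):
        policy = parse_pwquality_conf(conf)
        for candidate in ("abc12345", "ab1!x", "Abcd123!", "Abcdefgh123!"):
            print(conf_name, repr(candidate), check_password(policy, candidate))
```

Under the page's policy the five-character "ab1!x" satisfies the length rule (8 minus three credits is 5) and minclass, which is the point of the caveat above; under the strict variant the same password fails on length and each class is mandatory.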
sudo useradd -s /bin/bash devops2
$ sudo chage -l devops2
Last password change : May 10, 2023
Password expires : Aug 08, 2023
Password inactive : never
Account expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
The first command restates the login.defs defaults for an existing account; the second tightens them. --inactive 0 disables the account on the day the password expires (chage prints "never" for -1, the default):
sudo chage --maxdays 90 --mindays 1 --warndays 7 --inactive 0 devops2
sudo chage --maxdays 60 --mindays 2 --warndays 5 --inactive 0 devops2
$ sudo chage -l devops2
Last password change : May 10, 2023
Password expires : Jul 09, 2023
Password inactive : Jul 09, 2023
Account expires : never
Minimum number of days between password change : 2
Maximum number of days between password change : 60
Number of days of warning before password expires : 5
-d (--lastday) sets the date of the last password change, from which the expiry and inactive dates are derived; chage -d 0 forces a change at the next login:
sudo chage -d 2023-05-03 devops
sudo chage -l devops
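The following added example (not from the original post) shows how the aging values fit together: it parses login.defs-style text, flags values weaker than the 90/1/7 baseline this page applies, and derives the "Password expires" and "Password inactive" dates that chage -l prints from the last-change date. Both login.defs samples inside it are constructed.

```python
"""Audit login.defs password aging and reproduce the dates chage -l derives.

Added illustration, not shadow's code. The derivation it implements:
  Password expires  = last password change + max days
  Password inactive = expires + inactive days (never when inactive is -1)
chage prints 'never' for the stock PASS_MAX_DAYS of 99999.
"""
from datetime import date, timedelta

# The baseline this page applies with sed.
BASELINE = {"PASS_MAX_DAYS": 90, "PASS_MIN_DAYS": 1, "PASS_WARN_AGE": 7}

# Constructed samples of the relevant lines (stock Ubuntu values vs. hardened).
STOCK_LOGIN_DEFS = """\
# Password aging controls (constructed sample)
PASS_MAX_DAYS\t99999
PASS_MIN_DAYS\t0
PASS_WARN_AGE\t7
"""
HARDENED_LOGIN_DEFS = """\
PASS_MAX_DAYS\t90
PASS_MIN_DAYS\t1
PASS_WARN_AGE\t7
PASS_MIN_LEN\t8
"""


def parse_login_defs(text):
    """Return {KEY: VALUE} for every uncommented 'KEY VALUE' line."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            settings[parts[0]] = parts[1]
    return settings


def audit_aging(settings):
    """Compare the PASS_* values with BASELINE; empty list means compliant."""
    findings = []
    max_days = int(settings.get("PASS_MAX_DAYS", 99999))  # shadow's defaults
    min_days = int(settings.get("PASS_MIN_DAYS", 0))
    warn_age = int(settings.get("PASS_WARN_AGE", 7))
    if max_days > BASELINE["PASS_MAX_DAYS"]:
        findings.append(f"PASS_MAX_DAYS {max_days} exceeds {BASELINE['PASS_MAX_DAYS']}")
    if min_days < BASELINE["PASS_MIN_DAYS"]:
        findings.append(f"PASS_MIN_DAYS {min_days} below {BASELINE['PASS_MIN_DAYS']}")
    if warn_age < BASELINE["PASS_WARN_AGE"]:
        findings.append(f"PASS_WARN_AGE {warn_age} below {BASELINE['PASS_WARN_AGE']}")
    return findings


def chage_dates(last_change, max_days, inactive=-1):
    """Return (expires, inactive_date) as chage -l would show them.
    None stands for 'never'. chage treats a max age of 10000+ days as never."""
    if max_days < 0 or max_days >= 10000:
        return None, None
    expires = last_change + timedelta(days=max_days)
    inactive_date = expires + timedelta(days=inactive) if inactive >= 0 else None
    return expires, inactive_date


if __name__ == "__main__":
    for name, text in (("stock", STOCK_LOGIN_DEFS), ("hardened", HARDENED_LOGIN_DEFS)):
        print(name, audit_aging(parse_login_defs(text)) or "compliant")
    # The two accounts from this page.
    print("devops ", chage_dates(date(2023, 5, 3), 90))
    print("devops2", chage_dates(date(2023, 5, 10), 60, inactive=0))
```

Running it reproduces the dates shown above: May 3 + 90 days is Aug 1 for devops, and May 10 + 60 days is Jul 9 for devops2, with the inactive date equal to the expiry date because --inactive 0 was set.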
Account lockout threshold settings
/etc/pam.d/common-auth
$ cat /etc/pam.d/common-auth | egrep -v '^#|^$'
auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so
In Ubuntu's common-auth, pam_unix.so is the module that verifies the password: on success the [success=1] jumps over pam_deny.so to pam_permit.so, on failure it falls through to pam_deny.so. pam_faillock.so has to be added around that line, not in its place: a preauth check before the password is tried, an authfail entry that records a failure, and an authsucc entry that clears the tally after a correct password (pam_faillock(8)). Replacing the pam_unix.so line would remove the password check itself. A single sed run keeps the appended lines in the order written:
sudo sed -i \
  -e '/^auth\s*\[success=1 default=ignore\]\s*pam_unix.so/i auth\trequired\t\t\tpam_faillock.so preauth silent audit deny=5 unlock_time=600' \
  -e '/^auth\s*\[success=1 default=ignore\]\s*pam_unix.so/a auth\t[default=die]\t\t\tpam_faillock.so authfail audit deny=5 unlock_time=600' \
  -e '/^auth\s*\[success=1 default=ignore\]\s*pam_unix.so/a auth\tsufficient\t\t\tpam_faillock.so authsucc audit deny=5 unlock_time=600' \
  /etc/pam.d/common-auth
$ cat /etc/pam.d/common-auth | egrep -v '^#|^$'
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=600
auth requisite pam_deny.so
auth required pam_permit.so
With this stack the fifth consecutive failure locks the account for 600 seconds; root is not locked unless even_deny_root is added. On Linux-PAM 1.4 and later (the yescrypt entry above shows this release is recent enough) the same deny, unlock_time and fail_interval values can be kept in /etc/security/faillock.conf and the module lines reduced to the action keyword. The same pam-auth-update caveat as for common-password applies. Check and clear a tally with:
sudo faillock --user devops
sudo faillock --user devops --reset
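To see what deny=5 unlock_time=600 does over a sequence of attempts without locking a real account, here is an added example (not from the original post and not pam_faillock's code) that models the behaviour pam_faillock(8) documents: failures inside fail_interval accumulate, reaching deny locks the user, the lock lifts after unlock_time, a correct password clears the tally, and root is exempt unless even_deny_root is set. Timestamps are constructed integers in seconds, and the tallies live in memory instead of /var/run/faillock.

```python
"""Model of pam_faillock's deny / fail_interval / unlock_time behaviour.

Added illustration, not pam_faillock's code. Times are plain seconds and the
per-user tallies are in-memory stand-ins for /var/run/faillock/<user>.
"""
from dataclasses import dataclass, field


@dataclass
class FaillockPolicy:
    deny: int = 3             # pam_faillock defaults
    fail_interval: int = 900  # failures older than this (relative to the latest) are not counted
    unlock_time: int = 600    # seconds a lock lasts; 0 means locked until reset
    even_deny_root: bool = False


@dataclass
class Tally:
    failures: list = field(default_factory=list)  # timestamps of recorded failures


class Faillock:
    def __init__(self, policy):
        self.policy = policy
        self.tallies = {}

    def _tally(self, user):
        return self.tallies.setdefault(user, Tally())

    def recent_failures(self, user):
        """Consecutive failures within fail_interval of the most recent one."""
        t = self._tally(user)
        if not t.failures:
            return 0
        latest = t.failures[-1]
        return sum(1 for ts in t.failures if latest - ts < self.policy.fail_interval)

    def is_locked(self, user, now):
        p = self.policy
        if user == "root" and not p.even_deny_root:
            return False
        if self.recent_failures(user) < p.deny:
            return False
        latest = self._tally(user).failures[-1]
        if p.unlock_time and now >= latest + p.unlock_time:
            self._tally(user).failures.clear()  # lock expired: start counting afresh
            return False
        return True

    def attempt(self, user, password_ok, now):
        """One login attempt; returns (allowed, reason)."""
        if self.is_locked(user, now):
            return False, "locked"            # denied whatever the password is
        if password_ok:
            self._tally(user).failures.clear()  # authsucc clears the tally
            return True, "ok"
        self._tally(user).failures.append(now)  # authfail records a failure
        return False, "bad password"

    def reset(self, user):
        """Equivalent of: sudo faillock --user <user> --reset"""
        self._tally(user).failures.clear()


def run_scenario(policy, attempts):
    """attempts: iterable of (now, user, password_ok); returns the list of reasons."""
    fl = Faillock(policy)
    return [fl.attempt(user, ok, now)[1] for now, user, ok in attempts]


# Constructed scenario matching this page's config: five wrong passwords,
# then the correct one while locked, then the correct one after unlock_time.
SCENARIO = [(t, "devops", False) for t in range(5)] + [(10, "devops", True), (700, "devops", True)]

if __name__ == "__main__":
    policy = FaillockPolicy(deny=5, unlock_time=600)
    for (now, user, ok), reason in zip(SCENARIO, run_scenario(policy, SCENARIO)):
        print(f"t={now:>4}s {user} password_ok={ok!s:<5} -> {reason}")
```

The scenario shows the two things an operator usually needs to know: a correct password typed during the lock window is still refused, and the lock lifts on its own once unlock_time has passed since the last failure. Setting unlock_time=0 would keep the account locked until faillock --reset.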