The server of the security evaluation is not configured with the login failure locking policy and the login connection timeout automatic exit policy

One thing after another before the last is even finished. The classified protection (等保, MLPS) evaluation report received yesterday lists a lot of problems; some of them are recorded here.

The finding

The finding in the report is as follows:

Test server

The first question is whether the test server has the same problem. After testing, it does. The test procedure is omitted here.

Problem description

An attacker can recover account passwords by brute force. In addition, the device can easily be operated by unauthorized personnel, so there is a risk of unauthorized access.

Solution

  • No server restart is needed once the files are configured; the change takes effect immediately. It is also recommended to keep an existing ssh session to the server open throughout the operation, so that a mistake can be rolled back promptly.
Back up the two important files first:
[root@localhost ~]# cp /etc/pam.d/sshd /etc/pam.d/sshd.bak    #PAM configuration used for ssh logins
[root@localhost ~]# cp /etc/pam.d/login /etc/pam.d/login.bak
[root@localhost ~]# ll /etc/pam.d/sshd.bak  /etc/pam.d/login.bak   ##login is the PAM configuration used for console logins
-rw-r--r--. 1 root root 796 10 October 13:01 /etc/pam.d/login.bak
-rw-r--r--. 1 root root 904 10 October 13:00 /etc/pam.d/sshd.bak

Check that the required PAM module (the pam_tally2 .so file) is present:

[root@localhost ~]# find /* -name "*pam_tally2.so*"
/usr/lib64/security/pam_tally2.so

Configure the login failure handling policy (local console)

[root@localhost ~]# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
[root@localhost ~]# vim /etc/pam.d/system-auth
[root@localhost ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=40 even_deny_root root_unlock_time=30   ###This line needs to be added, as the first auth entry: it must come before the "sufficient" pam_unix.so line, otherwise a correct password returns success before pam_tally2 runs, so the lock is neither enforced nor reset
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

  • deny=N: the maximum number of failed authentication attempts. Once it is exceeded, the policies below apply; if no unlock policy is given, the account stays locked until it is unlocked manually.
  • lock_time=N: how long to lock, in seconds.
  • unlock_time=N: the account is unlocked automatically N seconds after it was locked.
  • magic_root: if a user with uid 0 (root, or an account equivalent to root) calls this module during authentication and fails, the failure is not counted.
  • no_lock_time: do not use the .fail_locktime field in /var/log/faillog to record the user (the English is unclear to me; my own reading is that the user is not locked).
  • even_deny_root: the root user is locked too on authentication failure (use this with caution, otherwise you may have to unlock it from single-user mode).
  • root_unlock_time=N: how long root stays locked after failures. This option is generally used together with even_deny_root.

The terminal test results are as follows:

View security log verification:

[root@localhost ~]# tail -100 /var/log/secure | grep "max"
Oct 13 10:19:17 localhost sshd[2242]: PAM service(sshd) ignoring max retries; 5 > 3

Configure the login failure handling policy (ssh remote login)

[root@localhost ~]# vim /etc/pam.d/sshd
[root@localhost ~]# cat  /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_tally2.so onerr=fail deny=3 unlock_time=40 even_deny_root root_unlock_time=30   ##Add this line as the first auth entry, before the password-auth substack
auth	   required	pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
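To check the placement on a real server, here is an added audit script (not part of the original post): it reports where the pam_tally2 line sits in the auth stack of a given PAM file, extracts its deny and unlock_time values, and fails when the line comes after pam_unix.so. The demo input files are constructed here, not copied from a server.

```shell
# Added example, not from the original post: audit a PAM file for the
# pam_tally2 line and warn when it sits after pam_unix.so in the auth stack.
check_tally2() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }    # skip comments and blank lines
        { type = $1; sub(/^-/, "", type) }               # "-session" -> "session"
        type == "auth" { n++ }                           # position in the auth stack
        type == "auth" && /pam_tally2\.so/ && !tally { tally = n; line = $0 }
        type == "auth" && /pam_unix\.so/ && !unix_pos { unix_pos = n }
        END {
            if (!tally) { print "FAIL: no pam_tally2.so line in the auth stack"; exit 2 }
            deny = "?"; unlock = "?"
            nf = split(line, f, " ")
            for (i = 1; i <= nf; i++) {
                if (f[i] ~ /^deny=/)        deny = substr(f[i], 6)
                if (f[i] ~ /^unlock_time=/) unlock = substr(f[i], 13)
            }
            printf "pam_tally2 is auth entry %d (deny=%s, unlock_time=%s)\n", tally, deny, unlock
            if (unix_pos && tally > unix_pos) {
                print "FAIL: pam_tally2 comes after pam_unix.so; a successful sufficient pam_unix.so skips it"
                exit 1
            }
            print "OK: pam_tally2 runs before pam_unix.so on every attempt"
        }' "$1"
}

# Constructed demo input (not a real server file): pam_tally2 after pam_unix.so
# versus the corrected ordering with pam_tally2 first.
demo_dir=$(mktemp -d)
printf '%s\n' 'auth sufficient pam_unix.so nullok try_first_pass' \
    'auth required pam_deny.so' \
    'auth required pam_tally2.so onerr=fail deny=3 unlock_time=40 even_deny_root root_unlock_time=30' \
    > "$demo_dir/after-unix"
printf '%s\n' 'auth required pam_tally2.so onerr=fail deny=3 unlock_time=40 even_deny_root root_unlock_time=30' \
    'auth sufficient pam_unix.so nullok try_first_pass' \
    'auth required pam_deny.so' \
    > "$demo_dir/before-unix"
check_tally2 "$demo_dir/after-unix"     # prints FAIL, returns 1
check_tally2 "$demo_dir/before-unix"    # prints OK, returns 0
```

On the server itself, run it as `check_tally2 /etc/pam.d/system-auth` and `check_tally2 /etc/pam.d/sshd`.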

ssh remote test result:

After 3 consecutive failed login attempts, you can no longer log in normally, even if you enter the correct password on the fourth attempt, or within 40 seconds after the wrong password was entered.

View security log verification:

Other useful commands

[root@localhost ~]# pam_tally2 --user root       ###root is the user name; this shows the current number of login failures for root
Login           Failures Latest failure     From
root                4    10/13/21 10:43:06  192.168.211.1
[root@localhost ~]# pam_tally2 -r -u  root    ##Reset the counter (unlock) for root; the table printed shows the count before the reset
Login           Failures Latest failure     From
root                8    10/13/21 10:44:54  tty1
[root@localhost ~]# pam_tally2 --user root   #Check the failure count for root again; it is now 0
Login           Failures Latest failure     From
root                0 
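As an added example (not part of the original post), the following script reads the table that pam_tally2 prints (Login / Failures / Latest failure / From) and lists the accounts whose failure count has reached the deny threshold, which is handy for spotting locked accounts across all users. The table fed to it below is constructed sample input, not captured from the server.

```shell
# Added example, not from the original post: parse pam_tally2's table and
# report every account whose tally has reached the deny value.
locked_users() {
    # $1 = deny value from the pam_tally2 line; the pam_tally2 table is read from stdin
    awk -v deny="$1" '
        NR == 1 && $1 == "Login" { next }            # skip the header line
        NF >= 2 && $2 ~ /^[0-9]+$/ {
            from = (NF >= 5) ? $5 : "-"              # the From column is absent when the tally is 0
            if ($2 + 0 >= deny)
                printf "%s locked: %d failures (last %s %s from %s)\n", $1, $2, $3, $4, from
        }'
}

# Constructed sample in the same layout pam_tally2 prints (not real server data).
sample_table=$(cat <<'EOF'
Login           Failures Latest failure     From
root                4    10/13/21 10:43:06  192.168.211.1
alice               1    10/13/21 10:40:12  tty1
bob                 3    10/13/21 10:45:30  192.168.211.7
carol               0
EOF
)

printf '%s\n' "$sample_table" | locked_users 3    # lists root and bob, not alice or carol
```

On the server, `pam_tally2 | locked_users 3` runs it over the live table for all users with a non-zero tally.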

Tags: Linux Operation & Maintenance ssh

Posted on Tue, 12 Oct 2021 22:26:19 -0400 by facets