The evaluated server has no login-failure lockout policy and no idle-login timeout policy
No sooner is one thing finished than another comes up. The classified-protection (等保) evaluation report received yesterday lists a lot of findings; I am recording some of them here.
The finding
The finding reads as follows:
Test server
The first question is whether the test server has the same problem. It does; the test steps are omitted here.
Problem description
An attacker can obtain account passwords by brute force, and the device can easily be operated by unauthorized personnel, so there is a risk of unauthorized access.
Remediation
- The PAM changes take effect as soon as the file is saved; neither the server nor sshd needs to be restarted. Keep a second ssh session to the server open for the whole operation so that a mistake can be rolled back at once: a broken PAM stack refuses every new login, including root.
Start by backing up the PAM files involved:

```
[root@localhost ~]# cp /etc/pam.d/sshd /etc/pam.d/sshd.bak      # PAM stack used by sshd
[root@localhost ~]# cp /etc/pam.d/login /etc/pam.d/login.bak    # PAM stack used by local (console) login
[root@localhost ~]# ll /etc/pam.d/sshd.bak /etc/pam.d/login.bak
-rw-r--r--. 1 root root 796 10 October 13:01 /etc/pam.d/login.bak
-rw-r--r--. 1 root root 904 10 October 13:00 /etc/pam.d/sshd.bak
```
Check that the pam_tally2 module is installed:

```
[root@localhost ~]# find /* -name "*pam_tally2.so*"
/usr/lib64/security/pam_tally2.so
```
Configure the login-failure handling policy (local terminal login)

```
[root@localhost ~]# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
[root@localhost ~]# vim /etc/pam.d/system-auth
[root@localhost ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
auth        required      pam_tally2.so onerr=fail deny=3 unlock_time=40 even_deny_root root_unlock_time=30   ### this line is added
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
```

Placement matters. As written, the added line sits after `auth sufficient pam_unix.so`: a correct password satisfies pam_unix and ends the auth stack right there, so pam_tally2 never sees a successful attempt and the counter is only ever incremented, never reset by a good login (only `unlock_time` or a manual `pam_tally2 -r` clears it). The pam_tally2(8) man page places the auth line at the top of the stack, before pam_unix.so, and pairs it with `account required pam_tally2.so`, which resets the counter after a successful login. Also heed the header comment: running authconfig regenerates this file and silently discards the edit.
- deny=n: deny access once the failure count for the user exceeds n. Unless unlock_time is also set, the account stays locked until an administrator resets the counter with `pam_tally2 -r -u USER`.
- lock_time=n: always deny access for n seconds after each failed attempt.
- unlock_time=n: once a user has been locked out, allow access again n seconds after the last failure.
- magic_root: do not increment the counter when the module is called by a process running as uid 0 (intended for root-launched services such as su); it is about the calling uid, not the account being authenticated.
- no_lock_time: do not use the .fail_locktime field in /var/log/faillog for this user. This option is documented for the older pam_tally module; pam_tally2 keeps its counters in /var/log/tallylog.
- even_deny_root: also lock root after deny failures. Use with care: a brute-force attempt against root, or the administrator's own typos, can lock root out of the box, and if no other way in remains, recovery means single-user mode.
- root_unlock_time=n: unlock root n seconds after it was locked. This option implies even_deny_root; if it is omitted, root uses the value of unlock_time.
The terminal test result is as follows:
Verify in the security log:

```
[root@localhost ~]# tail -100 /var/log/secure | grep "max"
Oct 13 10:19:17 localhost sshd[2242]: PAM service(sshd) ignoring max retries; 5 > 3
```

This line is sshd recording that PAM reported its retry limit (the deny=3 configured above) had been reached.
Configure the login-failure handling policy (ssh remote login)

```
[root@localhost ~]# vim /etc/pam.d/sshd
[root@localhost ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
auth       required     pam_tally2.so onerr=fail deny=3 unlock_time=40 even_deny_root root_unlock_time=30   ## added line
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
```

Here the added line follows `auth substack password-auth` rather than sitting inside it, so a sufficient pam_unix success inside the substack ends only the substack and the tally line still runs on every attempt.
ssh remote test result:
After 3 consecutive failed login attempts, the fourth attempt is refused even with the correct password, as is any attempt within 40 seconds (unlock_time) of the last failure.
Verify in the security log:
Other useful commands

```
[root@localhost ~]# pam_tally2 --user root      ### show the current failure count for user root
Login           Failures Latest failure     From
root                4    10/13/21 10:43:06  192.168.211.1
[root@localhost ~]# pam_tally2 -r -u root       ## reset (unlock) root; the count printed is the value before the reset
Login           Failures Latest failure     From
root                8    10/13/21 10:44:54  tty1
[root@localhost ~]# pam_tally2 --user root      # check again: the count is now 0
Login           Failures Latest failure     From
root                0
```