Mateen Ahmed

Tuesday, 16 April 2013

User Accounts and Strong Password Policy

Posted on 14:47 by Unknown
    Use the useradd / usermod commands to create and maintain user accounts. Make sure you have a good, strong password policy: for example, a good password is at least 8 characters long and mixes upper- and lower-case letters, numbers and special characters. Most important, pick a password you can remember.
1: Password Aging
The chage command changes the number of days between password changes and the date of the last password change. The system uses this information to determine when a user must change his/her password. The /etc/login.defs file defines the site-specific configuration for the shadow password suite, including the password aging defaults. To disable password aging:
# chage -M 99999 userName
To get password expiration information:
# chage -l userName
You can also edit the /etc/shadow file directly; each line has the following fields:
{userName}:{password}:{lastpasswdchanged}:{Minimum_days}:{Maximum_days}:{Warn}:{Inactive}:{Expire}:
  • Minimum_days: The minimum number of days required between password changes, i.e. the number of days that must pass before the user is allowed to change his/her password again.
  • Maximum_days: The maximum number of days the password is valid (after that the user is forced to change his/her password).
  • Warn: The number of days before the password expires on which the user is warned that his/her password must be changed.
  • Expire: Days since Jan 1, 1970 on which the account is disabled, i.e. an absolute date after which the login may no longer be used.
I recommend the chage command instead of editing /etc/shadow by hand:
# chage -M 60 -m 7 -W 7 userName
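An added example, not code from the original post: a small audit that reads a file in the /etc/shadow format described above and reports every account whose aging fields fall short of the -M 60 -m 7 -W 7 policy just recommended. The sample shadow lines, the policy values and the "today" day number are constructed for the demonstration.

```shell
#!/bin/sh
# Site policy, matching the chage invocation recommended in the text.
POLICY_MAX_DAYS=60
POLICY_MIN_DAYS=7
POLICY_WARN_DAYS=7

# Constructed sample in /etc/shadow format; the hashes are placeholders.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$placeholder:19000:0:99999:7:::
alice:$6$placeholder:19100:7:60:7:::
bob:$6$placeholder:19100:0:99999:7:::
carol:$6$placeholder:19100:7:90:7::18000:
dave:!:19100:7:60:7:::
EOF

# audit_aging FILE [TODAY]
# Prints one "user:finding" line per policy violation. TODAY is a day count
# since 1970-01-01 (defaults to the current date); passing it explicitly
# makes a run reproducible. Locked accounts (password field starting with
# ! or *) cannot log in with a password and are skipped.
audit_aging() {
  file=$1
  today=${2:-$(( $(date +%s) / 86400 ))}
  awk -F: -v max="$POLICY_MAX_DAYS" -v min="$POLICY_MIN_DAYS" \
      -v warn="$POLICY_WARN_DAYS" -v today="$today" '
    $2 ~ /^[!*]/ { next }
    $5 == "" || $5 > max  { print $1 ":max_days=" ($5 == "" ? "unset" : $5) }
    $4 == "" || $4 < min  { print $1 ":min_days=" ($4 == "" ? "unset" : $4) }
    $6 == "" || $6 < warn { print $1 ":warn_days=" ($6 == "" ? "unset" : $6) }
    # password older than its own Maximum_days: the user is overdue for a change
    $5 != "" && $5 < 99999 && $3 + $5 < today { print $1 ":password_expired" }
    # absolute account expiry (Expire field) already reached
    $8 != "" && $8 <= today { print $1 ":account_expired_on_day=" $8 }
  ' "$file"
}

# Stand-alone run: audit the sample as of day 19200 (2022-07-27).
audit_aging "$SAMPLE_SHADOW" 19200
```

Each finding names the account and the offending field, so the output maps directly onto the chage -M / -m / -W options above.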
2: Restricting Use of Previous Passwords
You can prevent users from reusing their old passwords under Linux. The remember parameter of the pam_unix module configures the number of previous passwords that cannot be reused.
  • PAM is a flexible mechanism for authenticating users. For example, you can forbid users from reusing recent passwords; this is done with the remember option of the pam_unix PAM module.
  • The pam_unix module provides the standard PAM functions (authentication, account management, password changing, etc.). The same module can maintain a list of old passwords for every user, which is what makes disallowing old passwords possible. The old password list is stored in the /etc/security/opasswd file.
Limit Password Reuse
Under Debian / Ubuntu Linux, open the /etc/pam.d/common-password file:
# vi /etc/pam.d/common-password
Under CentOS / RHEL / Red Hat / Fedora Linux, edit the /etc/pam.d/system-auth file instead:
# vi /etc/pam.d/system-auth
Now update the existing password line by appending remember=10, which prevents a user from reusing any of his or her last 10 passwords. Do not add a new line; update the existing password line and append remember=10:
password sufficient pam_unix.so use_authtok md5 shadow remember=10
Save and close the file.
Linux will now remember the last 10 passwords. If a user tries to reuse any of them, he/she will get an error:
Password has been already used. Choose another.
3: Locking User Accounts After Login Failures
Under Linux you can use the faillog command to display faillog records or to set login failure limits. faillog formats the contents of the failure log database /var/log/faillog; it can also maintain the failure counters and limits. To see failed login attempts, enter:
# faillog
To unlock an account after login failures, run:
# faillog -r -u userName
Note that you can also use the passwd command to lock and unlock accounts:
# lock account
passwd -l userName
# unlock account
passwd -u userName
4: How Do I Verify No Accounts Have Empty Passwords?
Type the following command:
# awk -F: '($2 == "") {print}' /etc/shadow
Lock all empty password accounts:
# passwd -l accountName
5: Make Sure No Non-Root Accounts Have UID Set To 0
Only the root account should have UID 0, which grants full permission to access the system. Type the following command to display all accounts with UID set to 0:
# awk -F: '($3 == "0") {print}' /etc/passwd
You should see only one line, as follows:
root:x:0:0:root:/root:/bin/bash
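An added example, not the post's own code, that runs checks 4 and 5 together over constructed copies of /etc/passwd and /etc/shadow and prints, without executing, the passwd -l commands from the text for each finding. The account names, file contents and the admin2 account are made up for the demonstration.

```shell
#!/bin/sh
# Constructed sample files; the directory is created so nothing touches /etc.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
admin2:x:00:0:second root:/root:/bin/bash
svc:x:1001:1001:Service:/var/lib/svc:/usr/sbin/nologin
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$placeholder:19100:0:99999:7:::
daemon:*:19100:0:99999:7:::
alice::19100:0:99999:7:::
admin2:$6$placeholder:19100:0:99999:7:::
svc::19100:0:99999:7:::
EOF

# Check 4: accounts whose shadow password field is empty, so no password
# is asked for at login. A locked (!) or no-login (*) field is not empty.
empty_password_accounts() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# Check 5: accounts other than root that carry UID 0. The comparison is
# numeric rather than the string test $3 == "0" so that an entry written as
# "00" (which the system still treats as UID 0) is not missed.
nonroot_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# suggest_fixes PASSWD_FILE SHADOW_FILE
# Dry run: print the lock commands from the text instead of running them.
suggest_fixes() {
  for u in $(empty_password_accounts "$2"); do
    echo "passwd -l $u   # empty password"
  done
  for u in $(nonroot_uid0_accounts "$1"); do
    echo "passwd -l $u   # UID 0 account that is not root; review before locking"
  done
}

# Stand-alone run over the sample files.
suggest_fixes "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
```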
