
[Linux - 보안조치] 계정 잠금 임계값 설정

louky 2019. 10. 16. 08:58

Linux 서버의 위험 항목에 대한 보안 조치 방법을 정리한 글이다.

 

  • 항        목 :  계정 잠금 임계값 설정
  • 잠재 위험 :  계정 잠금 임계값을 설정하지 않으면 로그인 실패 횟수에 제한이 없어, 반복적인 패스워드 추측 시도로 패스워드가 노출될 위험이 있음
  •  조치 방법

/etc/pam.d/system-auth 파일과 /etc/pam.d/password-auth 파일에 아래와 같이 추가한다. 두 파일은 authconfig가 자동 생성하는 파일이므로(파일 상단 주석 참고) authconfig를 다시 실행하면 추가한 내용이 사라질 수 있어, 실행 후에는 설정이 유지되는지 확인해야 한다.

root # vim /etc/pam.d/system-auth

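#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
## User console/su  login lock - add 2019.10
# Placed BEFORE the 'sufficient' pam_unix.so line: a 'sufficient' module that
# succeeds ends the auth stack at once, so a pam_tally2 line placed after it
# would only count failures and never enforce deny=5 against a correct password.
# unlock_time=60 re-allows login one minute after the lock; raise it if a longer
# lockout is required by policy.
auth        required      pam_tally2.so deny=5 unlock_time=60
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
## User console/su  login lock - add 2019.10
# Kept ahead of the 'sufficient' pam_localuser.so line so this module is still
# reached for local users (a succeeding 'sufficient' module ends the stack).
account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so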

 

root # cat /etc/pam.d/password-auth

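#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
## User GUI/ssh  login lock - add 2019.10
# Placed BEFORE the 'sufficient' pam_unix.so line: a 'sufficient' module that
# succeeds ends the auth stack at once, so a pam_tally2 line placed after it
# would only count failures and never enforce deny=5 against a correct password.
# unlock_time=60 re-allows login one minute after the lock; raise it if a longer
# lockout is required by policy.
auth        required      pam_tally2.so deny=5 unlock_time=60
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
# NOTE(review): this line follows the 'required' pam_deny.so, so its success
# cannot change the stack's final result — confirm the ordering is intended.
auth        sufficient    pam_krb5.so use_first_pass

account     required      pam_unix.so broken_shadow
## User GUI/ssh  login lock - add 2019.10
# Kept ahead of the 'sufficient' pam_localuser.so line so this module is still
# reached for local users (a succeeding 'sufficient' module ends the stack).
account     required      pam_tally2.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0077
session     optional      pam_krb5.so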

 

간단하게는 아래 명령어를 통해 변경할 수 있다. 

삽입 위치는 필자가 임의로 지정한 것이므로 사용자 환경에 맞게 조정하면 된다.

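# Add the pam_tally2 lockout (deny=5, auto-unlock after 60 s) to the auth and
# account stacks of both authconfig-managed PAM files.
# The inserts are anchored on module names instead of line numbers, so they do
# not depend on the exact layout of the generated file:
#   auth:    inserted BEFORE 'auth sufficient pam_unix.so' — a succeeding
#            'sufficient' module ends the stack, so pam_tally2 placed after it
#            would count failures but never enforce deny= against a correct password.
#   account: appended right AFTER 'account required pam_unix.so', ahead of the
#            'sufficient' pam_localuser.so line, so it is reached for local users.
# Requires GNU sed (-i, \+, one-line i\ / a\ text), as shipped on RHEL/CentOS.
#
# Arguments: $1 - PAM file to edit
#            $2 - marker text for the '## ...' comment line
# Returns:   0 if the file already contains pam_tally2 (nothing done) or sed succeeded;
#            sed's status otherwise
add_tally2() {
  local pamfile=$1 tag=$2
  local auth_re='/^auth[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so/'
  local acct_re='/^account[[:space:]]\+required[[:space:]]\+pam_unix\.so/'
  # Idempotent: re-running must not add a second set of lines.
  grep -q 'pam_tally2\.so' -- "$pamfile" && return 0
  sed -i \
    -e "${auth_re}i\\## ${tag}" \
    -e "${auth_re}i\\auth        required      pam_tally2.so deny=5 unlock_time=60" \
    -e "${acct_re}a\\## ${tag}" \
    -e "${acct_re}a\\account     required      pam_tally2.so" \
    -- "$pamfile"
}

# A file missing on this system (e.g. no password-auth) is skipped, not an error.
for pamfile in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
  [[ -f "$pamfile" ]] || continue
  case "$pamfile" in
    */system-auth) add_tally2 "$pamfile" 'User console/su  login lock - add 2019.10' ;;
    *)             add_tally2 "$pamfile" 'User GUI/ssh  login lock - add 2019.10' ;;
  esac
done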

 
