#Question1:
I'm hardening my system with this guide: https://wiki.centos.org/HowTos/OS_Protection
But I'm not sure whether this guide has been updated for CentOS 7.
It says I should update /etc/pam.d/system-auth in this way:
And now we need to update /etc/pam.d/system-auth
touch /var/log/tallylog
cat << 'EOF' > /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth required pam_tally2.so deny=3 onerr=fail unlock_time=60
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_tally2.so per_user
password requisite pam_cracklib.so try_first_pass retry=3 minlen=9 lcredit=-2 ucredit=-2 dcredit=-2 ocredit=-2
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=10
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
EOF
#Question2:
I'm following this guide https://highon.coffee/blog/security-har ... er-session,
it says:
Max Password Login Attempts per Session
Set the amount of password reprompts per session, by editing the pam_pwquality.so statement in /etc/pam.d/system-auth to retry=3 or lower.
#Question3:
This guide https://highon.coffee/blog/security-har ... er-session also says:
Set Deny For Failed Password Attempts
Blocks logins for failed authentication on accounts.
Add the following lines immediately below the pam_unix.so statement in AUTH section of both /etc/pam.d/system-auth and /etc/pam.d/password-auth:
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
#Question4:
If someone attempts to log onto my system remotely and types the wrong password twice, I wish to forbid his logon for 10 minutes. How do I configure my system for this case?
Cheers
yao