

[Linux] Ubuntu account security measures


Ubuntu account security measures

Password complexity settings

/etc/login.defs

cat /etc/login.defs | egrep -v '^#' | egrep 'PASS_MIN_LEN|PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE'
$ cat /etc/login.defs | egrep -v '^#' | egrep 'PASS_MIN_LEN|PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE'
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_WARN_AGE	7
sudo sed -i 's/PASS_MAX_DAYS\s*99999/PASS_MAX_DAYS\t90/g; s/PASS_MIN_DAYS\s*0/PASS_MIN_DAYS\t1/g; s/#PASS_MIN_LEN/PASS_MIN_LEN\t8/g; s/PASS_WARN_AGE\s*7/PASS_WARN_AGE\t7/g;' /etc/login.defs
$ cat /etc/login.defs | egrep -v '^#' | egrep 'PASS_MIN_LEN|PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE'
PASS_MAX_DAYS	90
PASS_MIN_DAYS	1
PASS_WARN_AGE	7
PASS_MIN_LEN	8
sudo useradd -s /bin/bash devops
$ chage -l devops
Last password change                                    : May 03, 2023
Password expires                                        : Aug 01, 2023
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 1
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7


Install the libpam-pwquality package

sudo apt install -y libpam-pwquality
$ cat /etc/security/pwquality.conf | egrep -v '^#|^$'


/etc/pam.d/common-password

$ cat /etc/pam.d/common-password | egrep -v '^#|^$'
password	requisite			pam_pwquality.so retry=3
password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass yescrypt
password	requisite			pam_deny.so
password	required			pam_permit.so
sudo sed -i 's/^password\s*\[success=1 default=ignore\]\s*pam_unix.so\s*obscure\s*use_authtok\s*try_first_pass\s*yescrypt/password\t[success=1 default=ignore]\tpam_unix.so obscure use_authtok try_first_pass yescrypt nullok ignore_root/' /etc/pam.d/common-password

** ignore_root applies the password policy to every account except root

$ cat /etc/pam.d/common-password | egrep -v '^#|^$'
password	requisite			pam_pwquality.so retry=3
password	[success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt nullok ignore_root
password	requisite			pam_deny.so
password	required			pam_permit.so


/etc/security/pwquality.conf

$ cat /etc/security/pwquality.conf | egrep -v '^#|^$'
sudo tee -a /etc/security/pwquality.conf >/dev/null <<EOF
#password policy
minlen = 8
minclass = 3
lcredit = 1
dcredit = 1
ocredit = 1
EOF
$ cat /etc/security/pwquality.conf | egrep -v '^#|^$'
minlen = 8
minclass = 3
lcredit = 1
dcredit = 1
ocredit = 1


sudo useradd -s /bin/bash devops2
$ chage -l devops2
Last password change					: May 10, 2023
Password expires					: Aug 08, 2023
Password inactive					: never
Account expires						: never
Minimum number of days between password change		: 1
Maximum number of days between password change		: 90
Number of days of warning before password expires	: 7
sudo chage --maxdays 90 --mindays 1 --warndays 7 --inactive 0 devops2
sudo chage --maxdays 60 --mindays 2 --warndays 5 --inactive 0 devops2
$ chage -l devops2
Last password change					: May 10, 2023
Password expires					: Jul 09, 2023
Password inactive					: Jul 09, 2023
Account expires						: never
Minimum number of days between password change		: 2
Maximum number of days between password change		: 60
Number of days of warning before password expires	: 5


sudo chage -d 2023-05-03 devops
chage -l devops
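This added audit script is not part of the original post; it checks the files hardened above against the values the post sets. It parses login.defs and pwquality.conf, lists settings that miss the baseline, and recomputes the `Password expires` date from `chage -l` output. The sample file contents are constructed to mirror the post, and BASELINE holds assumed thresholds derived from the post's values.

```python
import re
from datetime import datetime, timedelta

# Constructed samples that mirror the post-hardening state shown in the post.
LOGIN_DEFS = "# aging\nPASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t1\nPASS_WARN_AGE\t7\nPASS_MIN_LEN\t8\n"
PWQUALITY = "#password policy\nminlen = 8\nminclass = 3\nlcredit = 1\ndcredit = 1\nocredit = 1\n"
CHAGE_L = ("Last password change\t\t\t\t\t: May 10, 2023\n"
           "Password expires\t\t\t\t\t: Jul 09, 2023\n"
           "Maximum number of days between password change\t\t: 60\n")

# Assumed baseline taken from the values the post sets: ("<=", n) means the
# setting must not exceed n, (">=", n) means it must be at least n.
BASELINE = {"PASS_MAX_DAYS": ("<=", 90), "PASS_MIN_DAYS": (">=", 1),
            "PASS_WARN_AGE": (">=", 7), "PASS_MIN_LEN": (">=", 8),
            "minlen": (">=", 8), "minclass": (">=", 3)}

def parse_kv(text):
    """Parse 'KEY value' (login.defs) or 'key = value' (pwquality.conf) lines,
    ignoring comments and blanks; numeric values become int, others stay str."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)$", line)
        if m:
            val = m.group(2).strip()
            out[m.group(1)] = int(val) if val.isdigit() else val
    return out

def audit(settings):
    """Return the BASELINE keys whose value is missing, non-numeric or out of range."""
    violations = []
    for key, (op, limit) in BASELINE.items():
        val = settings.get(key)
        if not isinstance(val, int):
            violations.append(key)
        elif (val > limit) if op == "<=" else (val < limit):
            violations.append(key)
    return violations

def parse_chage(text):
    """Turn `chage -l` output into {label: value}."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def expected_expiry(chage):
    """Recompute 'Password expires' as last change + max days, in chage's format."""
    last = datetime.strptime(chage["Last password change"], "%b %d, %Y")
    days = int(chage["Maximum number of days between password change"])
    return (last + timedelta(days=days)).strftime("%b %d, %Y")
```

On a real host, feed `open("/etc/login.defs").read()` and `open("/etc/security/pwquality.conf").read()` to parse_kv and the output of `chage -l <user>` to parse_chage.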


Account lockout threshold settings

/etc/pam.d/common-auth

$ cat /etc/pam.d/common-auth | egrep -v '^#|^$'
auth	[success=1 default=ignore]	pam_unix.so nullok
auth	requisite			pam_deny.so
auth	required			pam_permit.so
sudo sed -i 's/^auth\s*\[success=1 default=ignore\]\s*pam_unix.so\s*nullok/auth\t[success=1 default=ignore] pam_faillock.so authfail audit deny=5 unlock_time=600/' /etc/pam.d/common-auth
sudo sed -i '/^auth\s*required\s*pam_permit.so$/a auth\trequisite\t\t\tpam_faillock.so' /etc/pam.d/common-auth
$ cat /etc/pam.d/common-auth | egrep -v '^#|^$'
auth	[success=1 default=ignore] pam_faillock.so authfail audit deny=5 unlock_time=600
auth	requisite			pam_deny.so
auth	required			pam_permit.so
auth	requisite			pam_faillock.so

