1. Set the session timeout (20 minutes).
vim /etc/profile
export TMOUT=1200
2. Account lockout policy (lock the account for half an hour after 5 failed terminal logins).
Edit the file /etc/pam.d/system-auth with vi and, directly below the line
# User changes will be destroyed the next time authconfig is run.
add:
auth required pam_tally2.so deny=5 unlock_time=1800 even_deny_root root_unlock_time=1800
3. A new password must not match any of the 10 most recently used passwords.
Edit the file /etc/pam.d/system-auth with vi and append remember=11 to the end of the line that reads:
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
4. Change the password complexity policy.
vi /etc/pam.d/system-auth
Comment out the line
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
and add one new line directly below it:
password requisite pam_cracklib.so try_first_pass minlen=8 difok=5 dcredit=-1 lcredit=-1 ocredit=-1 retry=1 type=
5. Password aging policy (enable password expiry after three months, set the minimum password age to ten days, and enable expiry warnings).
vim /etc/login.defs
Change the values of the following two keys:
PASS_MAX_DAYS 90
PASS_MIN_DAYS 10
6. Disable unnecessary system services:
Run systemctl list-unit-files | grep enable to list the enabled units. The following were found and are to be disabled:
abrt-ccpp.service enabled (abrt is short for "auto bug report" and is used for bug reporting; disable)
dbus-org.freedesktop.NetworkManager.service enabled (desktop network interface manager; disable)
NetworkManager-dispatcher.service enabled (network interface daemon; disable)
postfix.service enabled (mail service; disable)
# Commands to prevent these units from starting at boot:
systemctl disable abrt-ccpp.service
systemctl disable dbus-org.freedesktop.NetworkManager.service
systemctl disable NetworkManager-dispatcher.service
systemctl disable postfix.service
# Stop the running services
systemctl stop abrt-ccpp
systemctl stop dbus-org.freedesktop.NetworkManager
systemctl stop NetworkManager-dispatcher
systemctl stop postfix
7. Check for accounts with no password:
Verify whether any account has an empty password field in /etc/shadow:
awk -F: '($2 == "") {print}' /etc/shadow
Lock every account that has an empty password:
passwd -l accountName
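The following audit script is an added example, not part of the original checklist: it re-checks items 1, 2, 5 and 7 above against the configuration files so the hardening can be verified after the edits (or from a cron job). Each function takes the file path as an argument so it can be pointed at a copied file; the thresholds (TMOUT 1200, deny=5, PASS_MAX_DAYS 90, PASS_MIN_DAYS 10) are the values from the checklist, and the function names are my own.

```sh
#!/bin/sh
# Hardening audit helpers. Every function exits 0 when the setting meets the
# checklist value and 1 otherwise, so it can be used directly in "if" tests.

# Return 1 unless $1 is a non-empty string of digits.
is_number() { case "$1" in ''|*[!0-9]*) return 1;; esac; }

# Item 1: the last "export TMOUT=..." in the profile must be <= 1200 seconds.
check_tmout() {
  f="${1:-/etc/profile}"
  v=$(grep -E '^[[:space:]]*export[[:space:]]+TMOUT=' "$f" | tail -n1 | sed 's/.*TMOUT=//')
  is_number "$v" && [ "$v" -le 1200 ]
}

# Item 2: pam_tally2 must be required for auth with deny=5 or stricter.
check_lockout() {
  f="${1:-/etc/pam.d/system-auth}"
  d=$(grep -E '^auth[[:space:]]+required[[:space:]]+pam_tally2\.so' "$f" \
      | grep -o 'deny=[0-9]*' | head -n1 | cut -d= -f2)
  is_number "$d" && [ "$d" -le 5 ]
}

# Read the numeric value of key $2 from login.defs file $1 (last definition wins).
login_defs_value() {
  grep -E "^[[:space:]]*$2[[:space:]]+[0-9]+" "$1" | tail -n1 | awk '{print $2}'
}

# Item 5: maximum age no more than 90 days, minimum age at least 10 days.
check_aging() {
  f="${1:-/etc/login.defs}"
  max=$(login_defs_value "$f" PASS_MAX_DAYS)
  min=$(login_defs_value "$f" PASS_MIN_DAYS)
  is_number "$max" && is_number "$min" && [ "$max" -le 90 ] && [ "$min" -ge 10 ]
}

# Item 7: print the name of every account whose shadow password field is empty.
empty_password_accounts() {
  awk -F: '($2 == "") {print $1}' "${1:-/etc/shadow}"
}
```

Run the checks as root (reading /etc/shadow requires it) and lock any account that empty_password_accounts prints, as in item 7.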