Linux security configuration

Miscellaneous SSH configuration

The edits to /etc/ssh/sshd_config can be scripted by feeding ex commands to vim through a heredoc. Three details matter: the delimiter must be quoted ('VIM'), otherwise the shell expands "$#" and "$AuthorizedKeysFile" inside the heredoc before vim ever sees the commands; every substitution needs ":%s" (a bare ":s" only acts on the current line); and the AuthorizedKeysFile substitution has to replace the whole line, because replacing just the keyword leaves the default ".ssh/authorized_keys" behind after "/dev/null", and OpenSSH 5.9 and later read several files from that directive, so key login would still work.

    vim /etc/ssh/sshd_config <<'VIM' >/dev/null 2>&1
    :%s/#LoginGraceTime 2m/LoginGraceTime 2m/
    :%s/#PermitRootLogin yes/PermitRootLogin no/
    :%s/#MaxAuthTries 6/MaxAuthTries 3/
    :%s$^#\?AuthorizedKeysFile.*$AuthorizedKeysFile /dev/null$
    :%s/GSSAPIAuthentication yes/GSSAPIAuthentication no/
    :%s/GSSAPICleanupCredentials yes/GSSAPICleanupCredentials no/
    :wq
    VIM

Check the result with "sshd -t" before reloading sshd, and keep the current session open until a new login has been verified.

Prohibit public-key login:

    AuthorizedKeysFile /dev/null

Note that this forces every SSH login to use a password, which is the opposite of what most hardening guides recommend; use it only when password login is what you actually want.

Lock system accounts that should never log in:

    passwd -l bin
    passwd -l daemon
    passwd -l adm
    passwd -l lp
    passwd -l sync
    passwd -l shutdown
    passwd -l halt
    passwd -l mail
    passwd -l ftp
    passwd -l saslauth
    passwd -l postfix

Script to check which users can log in, which users have a password set, and which home directories contain an authorized_keys file:

    #!/bin/bash
    function section() {
        local title=$1
        echo "=========================================================="
        echo "$title"
        echo "=========================================================="
    }

    section "check login users"
    # accounts whose shell is not nologin (/bin/false cannot log in either)
    grep -vE 'nologin|/bin/false' /etc/passwd

    section "check users with a password"
    # a usable hash starts with $ ($1$, $5$, $6$); locked accounts start with ! or *
    grep -E '^[^:]*:\$' /etc/shadow

    section "check SSH authorized_keys files"
    for key in $(ls -1 /home)
    do
        if [ -e /home/$key/.ssh/authorized_keys ]; then
            echo "$key: /home/$key/.ssh/authorized_keys"
        else
            echo "$key: "
        fi
    done

55.2.1. pam_tally2.so

This module counts failed logins. With the options below an account is locked after three wrong passwords and is unlocked automatically five minutes later; a correct password entered during the lock period is still refused. In the configuration file /etc/pam.d/sshd, add the following line at the top of the file:

    auth required pam_tally2.so deny=3 onerr=fail unlock_time=300

It has to precede the "auth include password-auth" line: password-auth ends the stack with a sufficient rule on success, so a counter placed after it would be incremented by failures but never reset by a successful login.

View the failure counters:

    # pam_tally2
    Login           Failures Latest failure     From
    root               14    07/12/13 15:44:37  192.168.6.2
    neo                 8    07/12/13 15:45:36  192.168.6.2

Reset the counter for a user (the old values are printed before the reset):

    # pam_tally2 -r -u root
    Login           Failures Latest failure     From
    root               14    07/12/13 15:44:37  192.168.6.2
    # pam_tally2 -r -u neo
    Login           Failures Latest failure     From
    neo                 8    07/12/13 15:45:36  192.168.6.2

The counters are kept in /var/log/tallylog; note that this is a binary file, not a text log.

Example 55.1. /etc/pam.d/sshd

    # cat /etc/pam.d/sshd
    #%PAM-1.0
    auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300
    auth       required     pam_sepermit.so
    auth       include      password-auth
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth

With the configuration above the root user is not restricted. To restrict root as well, use (times are in seconds: 5 for ordinary users, 1800 for root):

    auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=1800

55.2.2. pam_listfile.so

Add the following line to /etc/pam.d/sshd. This is the whitelist method; a blacklist is also possible (see the end of this section).

    auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail

Add the users allowed to log in to /etc/ssh/whitelist, one per line; every other user is refused SSH login. onerr=fail means that a missing or unreadable list file denies the login instead of allowing it, and the file itself should be writable by root only.

    # cat /etc/ssh/whitelist
    neo
    www

Example 55.2. /etc/pam.d/sshd - pam_listfile.so

    # cat /etc/pam.d/sshd
    #%PAM-1.0
    auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
    auth       required     pam_tally2.so deny=3 onerr=fail unlock_time=300
    auth       required     pam_sepermit.so
    auth       include      password-auth
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth

sense=allow selects the whitelist method; sense=deny turns the list into a blacklist:

    auth required pam_listfile.so item=user sense=deny file=/etc/ssh/blacklist onerr=fail
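The following audit script is an added example, not code from the original page: it checks a copy of sshd_config against the settings from the SSH section and a copy of /etc/pam.d/sshd against the pam_tally2.so and pam_listfile.so rules from the PAM section, including the ordering and list-file caveats given above. The file paths, function names and the sample files in the usage are assumptions made for this example; it reads the files like sshd and PAM do (first uncommented keyword wins, comment lines skipped) and returns the number of settings that are wrong.

```shell
#!/bin/sh
# Added example (not from the original page): offline audit of the sshd_config
# and /etc/pam.d/sshd settings described above. Paths are parameters so the
# checks can run against copies; all sample files are constructed.

# Effective value of an sshd_config keyword. sshd uses the first uncommented
# occurrence and keywords are case-insensitive, so mimic that.
sshd_value() {                         # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Compare one keyword with the wanted value: prints PASS/FAIL, returns 0/1.
sshd_check() {                         # $1 = file, $2 = keyword, $3 = wanted
    local actual
    actual=$(sshd_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        printf 'PASS %s = %s\n' "$2" "$actual"
        return 0
    fi
    printf 'FAIL %s = "%s" (want %s)\n' "$2" "$actual" "$3"
    return 1
}

# Returns the number of settings that differ from the page's targets.
# AuthorizedKeysFile must be exactly /dev/null: a line such as
# "AuthorizedKeysFile /dev/null .ssh/authorized_keys" still permits key login.
audit_sshd_config() {
    local f fails pair
    f=${1:-/etc/ssh/sshd_config}; fails=0
    for pair in 'LoginGraceTime 2m' 'PermitRootLogin no' 'MaxAuthTries 3' \
                'AuthorizedKeysFile /dev/null' 'GSSAPIAuthentication no' \
                'GSSAPICleanupCredentials no'; do
        sshd_check "$f" $pair || fails=$((fails + 1))   # $pair splits into two words
    done
    return $fails
}

# Module of the first uncommented "auth" rule (should be the counter or the list).
pam_first_auth_module() {              # $1 = pam.d file
    awk '/^[ \t]*#/ { next } $1 == "auth" { print $3; exit }' "$1"
}

# True when an uncommented rule of type $2 uses module $3 with an argument
# matching the regex $4.
pam_has_rule() {                       # $1 = file, $2 = type, $3 = module, $4 = regex
    awk -v t="$2" -v m="$3" -v a="$4" '
        /^[ \t]*#/ { next }
        $1 == t && $3 == m && $0 ~ a { found = 1 }
        END { exit !found }
    ' "$1"
}

# Path named by file= on the pam_listfile.so auth rule, or nothing.
pam_listfile_path() {                  # $1 = pam.d file
    awk '/^[ \t]*#/ { next }
         $1 == "auth" && $3 == "pam_listfile.so" {
             for (i = 4; i <= NF; i++) if (sub(/^file=/, "", $i)) { print $i; exit }
         }' "$1"
}

# Returns the number of hard failures; WARN lines are informational only.
audit_pam_sshd() {
    local f fails first wl
    f=${1:-/etc/pam.d/sshd}; fails=0
    if pam_has_rule "$f" auth pam_tally2.so 'deny=3'; then
        echo "PASS pam_tally2.so deny=3 present"
    else
        echo "FAIL pam_tally2.so deny=3 missing"; fails=$((fails + 1))
    fi
    if ! pam_has_rule "$f" auth pam_tally2.so 'even_deny_root'; then
        echo "WARN even_deny_root not set: root is exempt from the lockout"
    fi
    first=$(pam_first_auth_module "$f")
    case "$first" in
        pam_tally2.so|pam_listfile.so) echo "PASS first auth rule is $first" ;;
        *) echo "FAIL first auth rule is '$first'; counter/list must precede password-auth"
           fails=$((fails + 1)) ;;
    esac
    wl=$(pam_listfile_path "$f")
    if [ -z "$wl" ]; then
        echo "WARN pam_listfile.so not configured"
    elif [ ! -f "$wl" ]; then
        echo "FAIL list file $wl missing (with onerr=fail every login is refused)"; fails=$((fails + 1))
    elif [ -n "$(find "$wl" -perm -o+w)" ]; then
        echo "FAIL list file $wl is world-writable"; fails=$((fails + 1))
    else
        echo "PASS list file $wl exists and is not world-writable"
    fi
    return $fails
}

# Usage: sh audit.sh /etc/ssh/sshd_config /etc/pam.d/sshd
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
    audit_pam_sshd "${2:-/etc/pam.d/sshd}"
fi
```

Run it as root against the live files, or against copies pulled from a host; a non-zero exit status means at least one setting does not match the page's target. The sshd_config check deliberately flags the "/dev/null .ssh/authorized_keys" case that the original AuthorizedKeysFile substitution produces.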