1 Restrict use of the su command to root and the wheel group
In /etc/pam.d/su, add:
auth required pam_wheel.so
2 Timeout settings
In /etc/profile, add (the variable name must be upper case; bash ignores a lower-case tmout):
TMOUT=1800
3 Password aging
/etc/shadow
username:$1$8zdakdfc$xda8esus2i7nql7ujrsiy/:13025:5:60:7:2:13125:
The nine colon-separated fields are: (1) user name, (2) hashed password, (3) date of the last password change, (4) minimum days between changes, (5) maximum password age in days, (6) warning period in days, (7) inactivity period in days, (8) account expiry date, (9) reserved. Dates are counted in days since 1970/01/01.
What does this mean? Day 13025 is 2005/08/30, so for the user dmtsai the password fields mean:
· The password was last changed on 2005/08/30 (13025);
· The password may next be changed 5 days later, i.e. before 2005/09/04 dmtsai cannot change it;
· The password must be changed within the 60-day limit, i.e. between 2005/09/04 and 2005/10/29; if it has not been changed by 2005/10/29 it expires;
· If the user has not changed the password, then during the 7 days before 2005/10/29 the system warns dmtsai at login that the password should be changed;
· If the password still has not been changed by 2005/10/29, the 2-day inactivity period lets dmtsai keep logging in until 2005/10/31;
· If the user changes the password before 2005/10/29, the 13025 date is updated and all the derived dates shift with it. ^_^
· Whatever the user does, on day 13125 (around 2005/12/8) the account expires ~
To see the day number that corresponds to a date: echo $(($(date --date="2008/09/04" +%s)/86400+1)) (the end result looks wrong, though).
Reference: http://vbird.dic.ksu.edu.tw/linux_basic/fedora_4/0410accountmanager-fc4.php#account_user
Therefore the requirement can be expressed as: password valid for 120 days, warn 14 days before expiry, and 14 days after expiry the account can no longer log in:
username:password:16695:0:120:14:14::
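An added example (my own code, not from the original post) that decodes the aging fields of the two /etc/shadow entries above into calendar dates, and converts a date back into the day number used in fields 3 and 8. It uses pure date arithmetic, which avoids the time-zone dependence of dividing `date +%s` by 86400 (local midnight lands on different epoch seconds in different time zones, so that division, and the `+1` after it, give a different number depending on the machine's time zone). The user name `username` is a placeholder.

```python
# Added example (not from the original post): decode the password-aging
# fields of an /etc/shadow entry into calendar dates, and convert dates back
# to the "days since 1970/01/01" numbers used in fields 3 and 8.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)


def days_to_date(days: int) -> date:
    """Shadow day number -> calendar date."""
    return EPOCH + timedelta(days=days)


def days_since_epoch(d: date) -> int:
    """Calendar date -> shadow day number. Pure date arithmetic, so it does
    not depend on the local time zone the way $(date +%s)/86400 does."""
    return (d - EPOCH).days


def _opt_int(field: str) -> Optional[int]:
    """Empty shadow fields mean 'not set'."""
    return int(field) if field.strip() else None


@dataclass
class ShadowAging:
    user: str
    last_change: Optional[date]   # field 3
    min_days: int                 # field 4
    max_days: Optional[int]       # field 5
    warn_days: int                # field 6
    inactive_days: Optional[int]  # field 7
    expire: Optional[date]        # field 8 (account expiry, independent of the password)

    @property
    def earliest_change(self) -> Optional[date]:
        """First day the user may change the password again."""
        return self.last_change + timedelta(days=self.min_days) if self.last_change else None

    @property
    def must_change_by(self) -> Optional[date]:
        """Day the password expires; None when max_days is not set."""
        if self.last_change is None or self.max_days is None:
            return None
        return self.last_change + timedelta(days=self.max_days)

    @property
    def warn_from(self) -> Optional[date]:
        """First day the login warning is shown."""
        deadline = self.must_change_by
        return deadline - timedelta(days=self.warn_days) if deadline else None

    @property
    def login_allowed_until(self) -> Optional[date]:
        """Last day login is still accepted after expiry; None when no
        inactivity cut-off is enforced."""
        deadline = self.must_change_by
        if deadline is None or self.inactive_days is None:
            return None
        return deadline + timedelta(days=self.inactive_days)


def parse_shadow_line(line: str) -> ShadowAging:
    """Parse one /etc/shadow line (nine colon-separated fields)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    user, _pw, last, mn, mx, warn, inact, exp, _reserved = fields
    last_days = _opt_int(last)
    exp_days = _opt_int(exp)
    return ShadowAging(
        user=user,
        last_change=days_to_date(last_days) if last_days is not None else None,
        min_days=_opt_int(mn) or 0,
        max_days=_opt_int(mx),
        warn_days=_opt_int(warn) or 0,
        inactive_days=_opt_int(inact),
        expire=days_to_date(exp_days) if exp_days is not None else None,
    )


# The two entries quoted in the text; "username" is a placeholder, not a real account.
SAMPLE_FC4 = "username:$1$8zdakdfc$xda8esus2i7nql7ujrsiy/:13025:5:60:7:2:13125:"
SAMPLE_NEW = "username:password:16695:0:120:14:14::"

if __name__ == "__main__":
    for line in (SAMPLE_FC4, SAMPLE_NEW):
        a = parse_shadow_line(line)
        print(f"{a.user}: last change {a.last_change}, may change from {a.earliest_change}, "
              f"must change by {a.must_change_by}, warned from {a.warn_from}, "
              f"login allowed until {a.login_allowed_until}, account expires {a.expire}")
    print("day number for 2008/09/04:", days_since_epoch(date(2008, 9, 4)))
```

Run it as-is and it prints the dates the text derives for the 2005 entry (2005/08/30, 2005/09/04, 2005/10/29, 2005/10/31, 2005/12/8) next to the dates implied by the 120/14/14 entry; `chage -l user` on the target host should agree with the output for any real entry you paste in.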
4 Lock for n minutes after n failed logins
On a character terminal, lock a user out for x minutes after n consecutive failed logins.
Edit with vi /etc/pam.d/sshd; choose the file according to the service to restrict:
/etc/pam.d/login: restricts only the local text terminal;
/etc/pam.d/kde (gdm on SuSE): restricts logins through the KDE graphical interface;
/etc/pam.d/sshd: restricts SSH connections;
/etc/pam.d/system-auth: takes effect for every service that includes system-auth.
Add a new line below #%PAM-1.0:
auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=10
If the root user should not be restricted, write instead:
auth required pam_tally2.so deny=3 unlock_time=5
The options mean roughly:
even_deny_root: also restrict the root user;
deny: the maximum number of consecutive failed logins (for ordinary users and for root) before the user is locked;
unlock_time: how long an ordinary user stays locked before being unlocked automatically, in seconds;
root_unlock_time: how long the root user stays locked before being unlocked automatically, in seconds.
Unlocking and viewing failures
View the failure count and details for a user (AAA here) with:
pam_tally2 --user AAA
Clear the failure count for the user, i.e. unlock manually, with:
pam_tally2 --user AAA --reset
Similarly, faillog -r can also be used to unlock.
The pam_tally2 module is used here; if pam_tally2 is not available, the pam_tally module can be used instead. Settings may differ between PAM versions, so refer to the documentation of the module in use.
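An added example (my own code, not from the original post or from the PAM project) that checks a pam_tally2 auth line before it is put into /etc/pam.d: a missing space between two options (as in `even_deny_rootroot_unlock_time=10`) silently turns them into one unknown option, and pam_tally2 then neither counts root nor applies the root unlock time. The option names are those documented in pam_tally2(8); the sample lines are the ones from the text.

```python
# Added example (not from the original post): sanity-check a pam_tally2 auth line.
from typing import Dict, List, Optional

# pam_tally2(8) option names: flags take no value, the others take key=value.
FLAG_OPTIONS = {"even_deny_root", "magic_root", "serialize", "quiet",
                "audit", "silent", "no_log_info", "no_reset"}
VALUE_OPTIONS = {"deny", "unlock_time", "root_unlock_time", "lock_time", "file", "onerr"}
NUMERIC = {"deny", "unlock_time", "root_unlock_time", "lock_time"}


def parse_pam_line(line: str) -> Dict[str, Optional[str]]:
    """'auth required pam_tally2.so k=v flag' -> {'_type', '_control', '_module', k: v, flag: None}."""
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError(f"not a PAM rule: {line!r}")
    parsed: Dict[str, Optional[str]] = {
        "_type": tokens[0].lower(), "_control": tokens[1].lower(), "_module": tokens[2]}
    for tok in tokens[3:]:
        key, sep, value = tok.partition("=")
        parsed[key] = value if sep else None
    return parsed


def check_tally2_line(line: str, expect_root_locked: bool) -> List[str]:
    """Return a list of problems (empty when the line does what is intended)."""
    problems: List[str] = []
    p = parse_pam_line(line)
    if p["_type"] != "auth" or not p["_module"].endswith("pam_tally2.so"):
        return ["not an auth rule for pam_tally2.so"]
    if p["_control"] != "required":
        problems.append(f"control is {p['_control']!r}; the text uses 'required'")
    for key, value in p.items():
        if key.startswith("_"):
            continue
        if key in FLAG_OPTIONS:
            if value is not None:
                problems.append(f"{key} takes no value")
        elif key in VALUE_OPTIONS:
            if value is None:
                problems.append(f"{key} needs a value")
            elif key in NUMERIC and not value.isdigit():
                problems.append(f"{key}={value}: not a number")
        else:
            # Typical cause: a missing space fused two options into one token.
            fused = [o for o in FLAG_OPTIONS | VALUE_OPTIONS if key.startswith(o) and key != o]
            hint = f" (looks like '{max(fused, key=len)}' run into the next option)" if fused else ""
            problems.append(f"unknown option {key!r}{hint}")
    if "deny" not in p:
        problems.append("deny= missing: pam_tally2 only counts, it never locks")
    if expect_root_locked and "even_deny_root" not in p:
        problems.append("root is not counted: add even_deny_root")
    if "root_unlock_time" in p and "even_deny_root" not in p:
        problems.append("root_unlock_time has no effect without even_deny_root")
    return problems


# Sample lines from the text: the fused one, the corrected one, and the root-exempt one.
BROKEN = "auth required pam_tally2.so deny=3 unlock_time=5 even_deny_rootroot_unlock_time=10"
FIXED = "auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=10"
NO_ROOT = "auth required pam_tally2.so deny=8 unlock_time=1800"

if __name__ == "__main__":
    for name, line, root in (("BROKEN", BROKEN, True), ("FIXED", FIXED, True), ("NO_ROOT", NO_ROOT, False)):
        print(name, check_tally2_line(line, expect_root_locked=root) or "ok")
```

The check is deliberately strict about unknown names because PAM itself is not: pam_tally2 ignores options it does not recognise, so the fused line loads without any error and the only symptom is that root is never locked.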
SNMPv3 configuration (for use by cacti):
First mount the installation media (over VNC) and then install:
yum -y install net-snmp*
useradd snmp
passwd snmp
service snmpd stop
net-snmp-config --create-snmpv3-user -ro -A aaaaaaaaa -a MD5 snmp
service snmpd start
chkconfig snmpd on
snmpwalk -v3 -u snmp -l auth -a MD5 -A aaaaaaaa 127.0.0.1 if
Operation:
1 Restrict use of the su command to root and the wheel group
In /etc/pam.d/su, add:
auth required pam_wheel.so
3 Password aging
/etc/shadow
username:password:16695:0:120:14:14::
4 Lock for 30 minutes after 8 failed logins
vi /etc/pam.d/sshd (root user also counted)
Add a new line below #%PAM-1.0:
auth required pam_tally2.so deny=8 unlock_time=1800 even_deny_root root_unlock_time=1800
vi /etc/pam.d/gdm (root user not counted)
Add a new line below #%PAM-1.0:
auth required pam_tally2.so deny=8 unlock_time=1800
Open port 514 on the log server:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
iptables -A INPUT -p udp -m state -m udp --dport 514 --state NEW -j ACCEPT
New account:
useradd -g 0 -m -d /home/aaaa -s /bin/bash aaaa
(-g 0 sets the primary group to GID 0, i.e. root's group.)
Some Linux system configuration commands