Some Linux system configuration commands

Source: Internet
Author: User
Tags snmp snmpv3

1 Restrict use of the su command for everyone except the root user

In /etc/pam.d/su, add:

auth required pam_wheel.so

2 Timeout settings

In /etc/profile, add:
TMOUT=1800

3 Periodic password change

/etc/shadow

dmtsai:$1$8zdakdfc$xda8esus2i7nql7ujrsiy/:13025:5:60:7:2:13125:

Field numbers: 1 2 3 4 5 6 7 8 9

What does that mean? Note that 13025 is 2005/08/30, so for the user dmtsai the password-related fields mean:

    • The most recent password change was on 2005/08/30 (13025);

    • The password can be changed again only after 5 days, that is, before 2005/09/04 dmtsai cannot change the password;

    • The user must change the password within the 60-day limit, between 2005/09/04 and 2005/10/29; if it has not been changed after 2005/10/29, the account will be invalidated;

    • If the user has not changed the password, then during the 7 days before 2005/10/29 the system will warn dmtsai that the password should be changed;

    • If the password has still not been changed by 2005/10/29, there is a grace period of two days, so dmtsai can continue to log in until 2005/10/31;

    • If the user changes the password before 2005/10/29, the 13025 date will change, so all the constraint dates will shift accordingly. ^_^

    • No matter what the user does, at 13125, around 2005/12/8, the account becomes invalid ~

View the day number that corresponds to the current date:

echo $(($(date --date="2008/09/04" +%s)/86400+1))

(The end result looks wrong.)

Reference: http://vbird.dic.ksu.edu.tw/linux_basic/fedora_4/0410accountmanager-fc4.php#account_user

Therefore, the requirement can be set as: the password is valid for 120 days, a warning starts 14 days before expiration, and login fails 14 days after expiration

username:password:16695:0:120:14:14::
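
Added example (not part of the original page): a POSIX shell function that decodes the aging fields of a shadow entry into calendar dates, run on the two entries discussed above. The day-number conversion is done in UTC and assumes GNU or BusyBox `date`; the function names are chosen for this example.

```shell
#!/bin/sh
# Added example: decode the aging fields of an /etc/shadow entry into dates.
# Fields 3 and 8 are days since 1970-01-01 (UTC); fields 4-7 are day counts.

# Day number -> YYYY/MM/DD, always in UTC (needs GNU or BusyBox date).
day_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%Y/%m/%d
}

# YYYY-MM-DD -> day number. Staying in UTC keeps the local time zone from
# shifting the result by one day.
date_to_day() {
    echo $(( $(date -u -d "$1" +%s) / 86400 ))
}

# Print one label=date line for each constraint in a shadow entry.
shadow_aging() {
    IFS=: read -r _user _pw last min max warn grace expire _rest <<EOF
$1
EOF
    case $last in
        '') echo "aging=disabled"; return 0 ;;
        0)  echo "aging=change_at_next_login"; return 0 ;;
    esac
    echo "last_change=$(day_to_date "$last")"
    echo "earliest_change=$(day_to_date $(( last + ${min:-0} )))"
    if [ -n "$max" ] && [ "$max" -lt 99999 ]; then   # 99999: usual "no maximum"
        due=$(( last + max ))
        echo "must_change_by=$(day_to_date "$due")"
        echo "warning_from=$(day_to_date $(( due - ${warn:-0} )))"
        if [ -n "$grace" ]; then
            echo "login_until=$(day_to_date $(( due + grace )))"
        else
            echo "login_until=no_inactivity_limit"
        fi
    else
        echo "must_change_by=never"
    fi
    if [ -n "$expire" ]; then
        echo "account_expires=$(day_to_date "$expire")"
    else
        echo "account_expires=never"
    fi
}

# The two entries from the text above; the hash is copied from the page.
shadow_aging 'dmtsai:$1$8zdakdfc$xda8esus2i7nql7ujrsiy/:13025:5:60:7:2:13125:'
shadow_aging 'username:password:16695:0:120:14:14::'
```

For a live account, `chage -l <user>` prints the same dates, and `chage -m 0 -M 120 -W 14 -I 14 <user>` sets the 120/14/14 policy without editing /etc/shadow by hand.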

4 Lock the account automatically for x minutes after n failed logins

On a character terminal, a user is locked out for x minutes after n consecutive failed logins.
Run vi /etc/pam.d/sshd

Which file is edited determines where the limit applies:

/etc/pam.d/login: the limit applies only on the local text terminal;

/etc/pam.d/kde (gdm on SuSE): the limit applies when logging in through the KDE graphical interface;

/etc/pam.d/sshd: the limit applies to SSH connections;

/etc/pam.d/system-auth: the limit applies to any service that includes the system-auth file.


Add a new line under #%PAM-1.0:

auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=10

If you do not want to restrict the root user, you can write:

auth required pam_tally2.so deny=3 unlock_time=5

The approximate meanings are as follows:
even_deny_root also restricts the root user;
deny sets the maximum number of consecutive failed logins for regular users and root; a user who exceeds it is locked;
unlock_time sets how long after being locked a regular user is unlocked, in seconds;
root_unlock_time sets how long after being locked the root user is unlocked, in seconds.

Viewing failed logins and unlocking

You can view the number of failed logins and their details for a user such as 361way with the following command (AAA stands for the user name):

pam_tally2 --user AAA

You can clear the failed-login count for the user, which unlocks the account manually, with the following command:

pam_tally2 --user AAA --reset

Similarly, the faillog -r command can also be used to unlock.

The pam_tally2 module is used here; if pam_tally2 is not supported, the pam_tally module can be used instead. The settings may also differ between PAM versions; for the exact usage, refer to the documentation of the module in question.
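
Added example (not part of the original page or of the PAM project): a shell check that splits a pam_tally2 rule into its options and rejects anything that is not an option documented in pam_tally2(8) or that has a non-numeric value, which catches two options run together by a missing space. The function name and the sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example: sanity-check a pam_tally2 rule before installing it.
# Accepted option names are the ones documented in pam_tally2(8).

check_tally2_line() {
    set -f; set -- $1; set +f       # split on whitespace without globbing
    [ "$#" -ge 3 ] && [ "$3" = "pam_tally2.so" ] ||
        { echo "error: not a pam_tally2 rule"; return 1; }
    shift 3
    # unlock=manual: without unlock_time the lock stays until an admin resets it
    deny='' unlock=manual root=no
    for opt in "$@"; do
        val=${opt#*=}
        case $opt in
            deny=*|lock_time=*|unlock_time=*|root_unlock_time=*)
                # numeric options: reject empty or non-digit values
                case $val in
                    ''|*[!0-9]*) echo "error: bad value in '$opt'"; return 1 ;;
                esac ;;
        esac
        case $opt in
            deny=*)                            deny=$val ;;
            unlock_time=*)                     unlock=$val ;;
            even_deny_root|root_unlock_time=*) root=yes ;;  # either covers root
            lock_time=*|magic_root|no_lock_time|serialize) ;;
            onerr=*|file=*|audit|silent|no_log_info|debug) ;;
            *) echo "error: unknown option '$opt'"; return 1 ;;
        esac
    done
    [ -n "$deny" ] || { echo "error: deny= is missing"; return 1; }
    echo "ok deny=$deny unlock=$unlock root=$root"
}

# Constructed samples: a well-formed rule, then two rules with a lost space.
check_tally2_line 'auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=10' || :
check_tally2_line 'auth required pam_tally2.so deny=3 unlock_time=5 even_deny_rootroot_unlock_time=10' || :
check_tally2_line 'auth required pam_tally2.so deny=8unlock_time=1800' || :
```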

SNMPv3 configuration (usable by Cacti):

First mount the installation package through VNC, then install:

yum -y install net-snmp*

useradd snmp

passwd snmp

service snmpd stop

net-snmp-config --create-snmpv3-user -ro -A aaaaaaaa -a MD5 snmp

service snmpd start

chkconfig snmpd on

snmpwalk -v3 -u snmp -l auth -a md5 -A aaaaaaaa 127.0.0.1 if

Operation:

1 Restrict use of the su command for everyone except the root user

In /etc/pam.d/su, add:

auth required pam_wheel.so

3 Periodic password change

/etc/shadow

username:password:16695:0:120:14:14::

4 Lock the account for 30 minutes after 8 failed logins

vi /etc/pam.d/sshd (the root user is also counted)

Add a new line under #%PAM-1.0:

auth required pam_tally2.so deny=8 unlock_time=1800 even_deny_root root_unlock_time=1800

vi /etc/pam.d/gdm (the root user is not counted)

Add a new line under #%PAM-1.0:

auth required pam_tally2.so deny=8 unlock_time=1800

Open port 514 on the log server

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT

iptables -A INPUT -p udp -m state --state NEW -m udp --dport 514 -j ACCEPT


New account:

useradd -g 0 -m -d /home/aaaa -s /bin/bash aaaa


