Boronczyk / Nadareishvili | CentOS 7 Server Deployment Cookbook | E-Book | www.sack.de

E-book, English, 406 pages

CentOS 7 Server Deployment Cookbook
1st edition 2025
ISBN: 978-1-78328-889-2
Publisher: De Gruyter
Format: EPUB
Copy protection: Adobe DRM (see system requirements)




CentOS is built from the Red Hat Enterprise Linux (RHEL) sources and is widely used as a server operating system. This book will help you configure and manage Linux servers across a range of scenarios and business requirements.

Starting with installing CentOS, this book walks you through the networking aspects of CentOS. You will then learn how to manage users and their permissions, software installation, disks, filesystems, and so on. You'll then see how to secure connections for remote desktop access and how to work with databases. Toward the end, you will find out how to manage DNS, e-mail, web servers, and more. You will also learn to detect threats by monitoring for network intrusions. Finally, the book covers virtualization techniques that will help you make the most of CentOS.



Enforcing password restrictions


A weak password can be one of the weakest security points of any system. Simple passwords are susceptible to brute-force attacks and long-lived passwords, if they are compromised, provide a wide window of opportunity for malicious activity. Because of this, it's important to ensure that your users choose sufficiently complex passwords and change them regularly. This recipe shows you how to strengthen your system's security by enforcing various restrictions on users' passwords. You'll learn how to specify the minimum complexity requirements for a password, how long before a password must be changed, and how to lock down an account after a number of failed login attempts.

Getting ready


This recipe requires a CentOS system and administrative access, either provided by logging in with the root account or by using sudo.

How to do it...


Follow these steps to enforce password restrictions that will increase the security of your CentOS system:

  1. The parameters governing password aging are found in /etc/login.defs; open the file using your text editor of choice:

     vi /etc/login.defs

  2. Locate the password aging controls section and update the values of PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN, and PASS_WARN_AGE:

     PASS_MAX_DAYS 90
     PASS_MIN_DAYS 0
     PASS_MIN_LEN 8
     PASS_WARN_AGE 15

  3. Save your changes and close the file.
  4. The values specified in /etc/login.defs are applied only to accounts created from now on. Existing users must have their password aging parameters set separately with the chage command:

     chage --maxdays 90 --mindays 0 --warndays 15 tboronczyk

  5. The parameters governing the acceptable complexity for passwords are found in /etc/security/pwquality.conf; open the file for editing:

     vi /etc/security/pwquality.conf

  6. Uncomment the minlen value and set it to the desired minimum password length plus one (with the module's default credit settings, each character class used in a password adds one point to its score, so an all-lowercase password scores its length plus one). For example, to require an eight-character password consisting of all lowercase characters, set:

     minlen = 9

  7. You may uncomment other values and set them as well if you like. Each value is preceded by a brief descriptive comment explaining what it does. To require a minimum number of characters from a certain class (uppercase, lowercase, digits, and other/special), specify that class's credit value as a negative number. For example, if passwords must contain at least one numeric digit and one uppercase character, both dcredit and ucredit would be set to -1:

     dcredit = -1
     ucredit = -1

    Figure: Options for configuring your system's password complexity requirements are found in pwquality.conf

  8. Save your changes and close the file.
  9. Next we'll update PAM's password-auth and system-auth configurations to lock out an account after a number of unsuccessful login attempts. Open the file /etc/pam.d/password-auth:

     vi /etc/pam.d/password-auth

  10. Update the auth group of lines at the beginning of the file to read as follows. The second and fourth lines have been added and include pam_faillock.so in the authentication stack:

     auth        required      pam_env.so
     auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
     auth        sufficient    pam_unix.so nullok try_first_pass
     auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
     auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
     auth        required      pam_deny.so

  11. Update the account group of lines to read as follows. The second line has been added to include pam_faillock.so in the account stack:

     account     required      pam_unix.so
     account     required      pam_faillock.so
     account     sufficient    pam_localuser.so
     account     sufficient    pam_succeed_if.so uid < 1000 quiet
     account     required      pam_permit.so

    Note


    Be careful when updating the password-auth and system-auth files. The order in which modules are listed in a stack is significant! Two further points worth knowing: on CentOS 7 both files are symbolic links to password-auth-ac and system-auth-ac, which the authconfig tool regenerates, so running authconfig later can silently overwrite your edits; and a user locked out by pam_faillock can be inspected and unlocked before unlock_time elapses with faillock --user <username> and faillock --user <username> --reset. The nullok option on the pam_unix.so line permits accounts with an empty password to log in; remove it unless you need that behaviour.

  12. Save your changes and close the file. Then repeat steps 9 to 11 with the file /etc/pam.d/system-auth.
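As an added example (not code from the book), the following shell script performs the edits of steps 1 to 11 with idempotent, repeatable functions and then checks that the resulting PAM file carries the pam_faillock lines in the prescribed order. It runs against constructed stand-ins for /etc/login.defs, /etc/security/pwquality.conf and /etc/pam.d/password-auth in a temporary directory, so it can be executed on any machine without touching the real files; the function and sample names are my own.

```shell
#!/bin/bash
# Added example, not code from the book. Applies the recipe's settings to
# login.defs / pwquality.conf style files idempotently and verifies that a
# PAM file carries the pam_faillock lines in the prescribed order. All runs
# happen on constructed sample files in a temporary directory; as root, point
# the same functions at /etc/login.defs, /etc/security/pwquality.conf and
# /etc/pam.d/password-auth (then system-auth) to apply them for real.
set -eu

# Rewrite FILE in place via a temp file, writing back into the original inode
# so ownership, mode and SELinux context survive (mv would replace them).
rewrite_in_place() {           # rewrite_in_place FILE SED_EXPR
    tmp=$(mktemp)
    sed -E "$2" "$1" >"$tmp" && cat "$tmp" >"$1" && rm -f "$tmp"
}

# login.defs style "KEY value": replace the (possibly commented) line, else append.
set_login_def() {              # set_login_def FILE KEY VALUE
    if grep -Eq "^#?[[:space:]]*$2[[:space:]]" "$1"; then
        rewrite_in_place "$1" "s/^#?[[:space:]]*$2[[:space:]].*/$2 $3/"
    else
        printf '%s %s\n' "$2" "$3" >>"$1"
    fi
}
get_login_def() { awk -v k="$2" '$1 == k { print $2 }' "$1"; }

# pwquality.conf style "key = value", shipped with every option commented out.
set_pwquality_opt() {          # set_pwquality_opt FILE KEY VALUE
    if grep -Eq "^#?[[:space:]]*$2[[:space:]]*=" "$1"; then
        rewrite_in_place "$1" "s/^#?[[:space:]]*$2[[:space:]]*=.*/$2 = $3/"
    else
        printf '%s = %s\n' "$2" "$3" >>"$1"
    fi
}
get_pwquality_opt() { sed -nE "s/^$2[[:space:]]*=[[:space:]]*//p" "$1"; }

# Summarise the auth/account stacks as the sequence of pam_faillock.so and
# pam_unix.so entries ("type/option") so the prescribed order can be asserted.
# Assumes single-token control fields such as "required" or "[default=die]",
# which is all the recipe's lines use.
pam_stack_order() {            # pam_stack_order FILE
    awk '($1 == "auth" || $1 == "account") && $3 == "pam_faillock.so" {
             s = s " " $1 "/" ($4 == "" ? "check" : $4) }
         ($1 == "auth" || $1 == "account") && $3 == "pam_unix.so" {
             s = s " " $1 "/unix" }
         END { print substr(s, 2) }' "$1"
}
pam_faillock_ok() {            # pam_faillock_ok FILE  (exit 0 when the order is right)
    [ "$(pam_stack_order "$1")" = \
      "auth/preauth auth/unix auth/authfail account/unix account/check" ]
}

# Constructed, abridged stand-ins for the three real files.
make_samples() {               # make_samples DIR
    cat >"$1/login.defs" <<'EOF'
# Password aging controls (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
    cat >"$1/pwquality.conf" <<'EOF'
# Minimum acceptable size for the new password (constructed sample)
# minlen = 8
# dcredit = 0
# ucredit = 0
EOF
    cat >"$1/password-auth" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_unix.so
account     required      pam_faillock.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
EOF
}

# Steps 2, 6 and 7 of the recipe, expressed as function calls.
apply_recipe() {               # apply_recipe DIR
    set_login_def "$1/login.defs" PASS_MAX_DAYS 90
    set_login_def "$1/login.defs" PASS_MIN_DAYS 0
    set_login_def "$1/login.defs" PASS_MIN_LEN 8
    set_login_def "$1/login.defs" PASS_WARN_AGE 15
    set_pwquality_opt "$1/pwquality.conf" minlen 9
    set_pwquality_opt "$1/pwquality.conf" dcredit -1
    set_pwquality_opt "$1/pwquality.conf" ucredit -1
}

dir=$(mktemp -d)
make_samples "$dir"
apply_recipe "$dir"
apply_recipe "$dir"            # a second run must change nothing
grep -E '^PASS_' "$dir/login.defs"
grep -E '^(minlen|dcredit|ucredit)' "$dir/pwquality.conf"
pam_faillock_ok "$dir/password-auth" && echo "pam_faillock stack order: OK"
rm -rf "$dir"
```

Writing back through the original inode rather than renaming a temp file matters on the real /etc files: a mv would leave the new file with the temp file's owner, mode and SELinux label, and the PAM stack would still be read but the next audit would flag it. The order check deliberately looks only at the relative positions of pam_faillock.so and pam_unix.so, which is what determines whether failed attempts are counted and whether the lockout is enforced.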

How it works...


Properly configuring the authentication requirements for local accounts is a bit of a fractured experience. First, there is the traditional Unix password file, /etc/passwd, and the shadow-utils package, which adds shadowing support in the form of /etc/shadow. Together, these form the core database for local account credentials. In addition, like most other modern Linux systems, CentOS uses PAM, a collection of pluggable authentication modules. The PAM stack is configured by default to look up account information in the shadow file, but it also provides additional functionality that PAM-aware programs can leverage, such as password-strength checking. As an administrator, you're responsible for configuring these services so that they work properly in tandem and operate within the security guidelines set by your organization.

In this recipe, we first updated the password aging related controls found in /etc/login.defs:

PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 15

PASS_MAX_DAYS defines how much time can pass before a password must be changed. By setting the value to 90, a user must change their password at least once every three months (90 days). PASS_MIN_DAYS specifies how many days a user must wait before changing a new password again. Since this value is 0, a user can change their password any time they want, even several times a day if they like. PASS_WARN_AGE defines how many days in advance a user will be notified of their password's pending expiration as the PASS_MAX_DAYS limit approaches.

Note


PASS_MIN_LEN is supposed to set the minimum password length, but you'll find that PAM's password complexity requirements (the minlen setting of pam_pwquality) supersede it, making the setting pretty much worthless on CentOS 7.

Account creation utilities use these settings as the defaults when creating entries in the password and shadow files. They aren't applied retroactively to existing users, so we need to use chage to update their accounts:

chage --maxdays 90 --mindays 0 --warndays 15 tboronczyk

chage can set the minimum and maximum age of a user's password and the notification window for pending expirations, but note the absence of a minimum length requirement. You can confirm an account's aging settings afterwards with chage -l tboronczyk.

We can also use chage to make a user's password expire immediately so that they must choose a new one the next time they log in. To do so, we provide the --lastday argument, which records the date of the last password change, with a value of 0:

chage --lastday 0 tboronczyk

Tip


If you have more than a handful of accounts, you may want to automate chage with some basic shell scripting. Here's a series of commands piped together that updates all of the existing user accounts in an automated fashion:

getent shadow | awk -F : 'substr($2, 1, 1) == "$" { print $1 }' | xargs -n 1 chage --maxdays 90 --mindays 0 --warndays 15

This works by retrieving the contents of the shadow file (getent shadow must be run as root to see the hashes) and using awk to split each record with : as the field separator. substr looks at the first character of the second field (the hashed password) to see if it is $, indicating the account has a password hash; this filters out disabled accounts (whose hash field begins with !) and system accounts without a password (*). Note that awk numbers characters from 1, so the start index given to substr must be 1 rather than 0. The username from each matching record is then piped to xargs, which feeds the names one at a time to chage.
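As an added example (not code from the book), the filtering half of that pipeline is turned below into functions that run over a constructed shadow excerpt, so the selection logic can be exercised without root. It goes one step beyond the book's one-liner: besides listing accounts that have a password hash, it reports which of them still have a maximum age above the policy (the fifth shadow field) and emits the chage commands as text for review before they are run. The sample records, function names and usernames other than tboronczyk are my own; the hashes are placeholders, not real ones.

```shell
#!/bin/bash
# Added example, not code from the book: the shadow-filtering step of the
# chage pipeline as functions over a constructed shadow excerpt. Shadow
# fields are name:hash:lastchg:min:max:warn:inactive:expire:flag.
set -eu

# Constructed sample shadow records (placeholder hashes, shapes only).
SAMPLE_SHADOW='root:$6$abc$hashofroot:17000:0:99999:7:::
bin:*:16000:0:99999:7:::
tboronczyk:$6$def$hashoftim:17000:0:99999:7:::
svc_backup:!!:17000:0:99999:7:::
jdoe:!$6$ghi$hashofjdoe:17000:0:99999:7:::
asmith:$6$jkl$hashofasmith:17010:0:90:15:::'

# Users with a usable password hash: field 2 starts with "$". Locked accounts
# ("!..." or "!!") and passwordless system accounts ("*") are skipped.
# substr(s, 1, 1) is the first character; awk counts from 1, and some awks
# return "" for a start index of 0, which would match nothing.
users_with_password() {         # users_with_password SHADOW_TEXT
    printf '%s\n' "$1" | awk -F : 'substr($2, 1, 1) == "$" { print $1 }'
}

# Users whose maximum password age (field 5) is unset or longer than MAXDAYS:
# the accounts that still need chage under the recipe's policy.
users_exceeding_max() {         # users_exceeding_max SHADOW_TEXT MAXDAYS
    printf '%s\n' "$1" | awk -F : -v max="$2" \
        'substr($2, 1, 1) == "$" && ($5 == "" || $5 + 0 > max) { print $1 }'
}

# Emit the chage invocations instead of running them; once the list looks
# right, pipe the output into sh as root.
chage_commands() {              # chage_commands SHADOW_TEXT
    users_exceeding_max "$1" 90 | while read -r user; do
        printf 'chage --maxdays 90 --mindays 0 --warndays 15 %s\n' "$user"
    done
}

echo "accounts with a password hash:"
users_with_password "$SAMPLE_SHADOW"
echo "commands for accounts not yet within the 90-day policy:"
chage_commands "$SAMPLE_SHADOW"
```

Two things the dry run makes visible: root is selected like any other account with a hash, so the book's one-liner applies the 90-day maximum to root as well (decide whether that is what your policy wants), and a locked account such as jdoe keeps its old aging values because the leading ! hides its hash from the filter; it will need chage when it is unlocked.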

As the pam_pwquality module checks the complexity of passwords, we specify our password complexity requirements in the module's configuration file, /etc/security/pwquality.conf. It gauges the quality of a password using a credit system in which each character contributes a point towards the password's total score and each character class used can earn extra credit. This score must then meet or exceed the value we gave for minlen.

The page at http://wpollock.com/AUnix2/PAM-Help.htm has a good explanation of how the module calculates a password's complexity. It explains the algorithm as follows:

  • Add one for each character in the password regardless of the type of the character
  • Add one to that for each lowercase letter used, up to a maximum of
  • Add one to that for each uppercase letter...
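The scoring described above, as an added example that is neither the book's code nor libpwquality's: a small model of the credit arithmetic (length, plus a per-class bonus capped at that class's credit, with a negative credit acting as a hard minimum instead of a bonus). It shows why an all-lowercase eight-character password needs minlen = 9 under the default credit of 1 per class and why dcredit = -1 rejects a password with no digit. Only the length/credit check is modelled; the real module also runs dictionary, repetition and similarity checks. Function names are my own, and passwords are passed as arguments purely for the demonstration.

```shell
#!/bin/bash
# Added example, not code from the book or libpwquality: a model of the
# credit scoring pam_pwquality applies against minlen. Only the length/credit
# check is modelled (no dictionary, repeat or similarity checks), and
# passwords are taken as arguments purely for this demonstration.
set -eu

# pw_score PASSWORD LCREDIT UCREDIT DCREDIT OCREDIT
# Prints length + min(count, credit) for each class with a non-negative
# credit; a negative credit earns nothing (it is a requirement, see pw_check).
pw_score() {
    printf '%s\n' "$1" | awk -v lc="$2" -v uc="$3" -v dc="$4" -v oc="$5" '
        function bonus(n, c) { return c < 0 ? 0 : (n < c ? n : c) }
        {
            s = $0; n = length(s)
            l = gsub(/[a-z]/, "", s); u = gsub(/[A-Z]/, "", s)
            d = gsub(/[0-9]/, "", s); o = length(s)   # whatever is left is "other"
            print n + bonus(l, lc) + bonus(u, uc) + bonus(d, dc) + bonus(o, oc)
        }'
}

# pw_check PASSWORD MINLEN LCREDIT UCREDIT DCREDIT OCREDIT
# Exit 0 when every negative credit is satisfied (at least |credit| characters
# of that class) and the score reaches MINLEN; otherwise print why and exit 1.
pw_check() {
    pw=$1; minlen=$2; shift 2
    missing=$(printf '%s\n' "$pw" | awk -v lc="$1" -v uc="$2" -v dc="$3" -v oc="$4" '
        {
            s = $0
            l = gsub(/[a-z]/, "", s); u = gsub(/[A-Z]/, "", s)
            d = gsub(/[0-9]/, "", s); o = length(s)
            if (lc < 0 && l < -lc) printf "lowercase "
            if (uc < 0 && u < -uc) printf "uppercase "
            if (dc < 0 && d < -dc) printf "digit "
            if (oc < 0 && o < -oc) printf "other "
        }')
    if [ -n "$missing" ]; then
        printf 'rejected: too few characters of class(es): %s\n' "$missing"
        return 1
    fi
    score=$(pw_score "$pw" "$@")
    if [ "$score" -lt "$minlen" ]; then
        printf 'rejected: score %s is below minlen %s\n' "$score" "$minlen"
        return 1
    fi
    printf 'accepted: score %s\n' "$score"
}

# The recipe's settings: minlen = 9 with the default credit of 1 per class
# (step 6), then with dcredit = -1 and ucredit = -1 added (step 7).
pw_check abcdefgh 9 1 1 1 1 || true      # 8 lowercase + 1 credit = 9: accepted
pw_check abcdefg  9 1 1 1 1 || true      # 7 + 1 = 8: rejected
pw_check abcdefgh 9 1 -1 -1 1 || true    # no uppercase, no digit: rejected
pw_check Abcdefg1 9 1 -1 -1 1 || true    # 8 + 1 (lowercase) = 9: accepted
```

Note the last two cases: once a class's credit is negative it no longer adds to the score, so Abcdefg1 scores 9 rather than 11 under those settings. Raising the requirements therefore also raises the real minimum length unless minlen is revisited at the same time.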


Timothy Boronczyk:

Timothy Boronczyk is a native of Syracuse, New York, where he works as a lead developer at Optanix, Inc. (formerly ShoreGroup, Inc.). He's been involved with web technologies since 1998, has a degree in Software Application Programming, and is a Zend Certified Engineer. In what little spare time he has left, Timothy enjoys hanging out with friends, studying Esperanto, and sleeping with his feet off the end of the bed. He's easily distracted by shiny objects.


