On this document I will go through a series of steps to configure the most relevant settings to harden a RHEL server.
This document is based on the Red Hat Enterprise Linux 7 Security Guide that can be downloaded from the RedHat network here.
Secure passwords
Passwords are the primary method that Red Hat Enterprise Linux 7 uses to verify a user's
identity. This is why password security is so important for protection of the user, the
workstation, and the network.
By default RHEL uses shadow passwords which eliminate this type of attack by storing the password hashes in the file /etc/shadow, which is readable only by the root user.
Strong passwords
Since the storing of passwords has already been taken care of the next step is to force the creation of strong passwords.
When users are asked to create or change passwords, they can use the passwd
command-line utility, which is PAM-aware (Pluggable Authentication Modules) and checks to
see if the password is too short or otherwise easy to crack. This checking is performed by
the pam_pwquality.so PAM module.
PAM reads its configuration from the /etc/pam.d/passwd file, but the file we want to edit for tuning password policies is /etc/security/pwquality.conf
Have a look at the configuration options:
Here are the details of what each entry means:
NOTE: Credit works like money, if you have a plus number like three you have spare and don't have to worry, but if you have a negative number (debts) you have to pay for them. For instance "ucredit = 2" means the user will have to give at least two upper case characters as part of the password for creating a password.
Something practical to do is to set a "minlen = 8" value and "minclass = 4" value. Whith this two settings you would ensure that the password has to be at least 8 characters long and that it will need to have letters Upper case, Lower case, numbers and symbols. That is what you will normally find on production servers.
Some like to uncomment dictpath and let GECOS use the default dictionary. You could go much further with this, but it is not recommended because passwords would need to be too complex and users wouldn't be able to remember them and the SA would have to be resetting passwords too often.
This is the result of a strong password file:
NOTE: As the root user is the one who enforces the rules for password creation, he can set any password for himself or for a regular user, despite the warning messages.
Password aging
This technique is used to limit the time of cracked passwords. The downside is that if you set this value too low (password change required very often) the users will tend to write their passwords down generating a weak spot.
A common practice is to specify the maximum number of days for which the password is valid.
Password aging is performed with the command "chage".
This command is normally used when hardening a system to expire old unsecure password immediately.
I will show three examples on how to use this command on a console.
Account Locking
In Red Hat Enterprise Linux 7, the pam_faillock PAM module allows system administrators to lock out user accounts after a specified number of failed attempts.
Limiting user login attempts serves mainly as a security measure that aims to prevent
possible brute force attacks targeted to obtain a user's account password.
Follow these steps to configure account locking:
auth required pam_faillock.so preauth silent audit
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3
unlock_time=600
deny=3 unlock_time=600
Disclaimer - Views expressed in this blog are author's own and do not necessarily represents the policies of aclnz.com