帳號管理

登入失敗後鎖定帳號
進階管理技巧

登入失敗後鎖定帳號

RedHat 8

NOTE:

RH8 新增一個 faillock 設定檔在 /etc/security/faillock.conf。
如果在 system-auth 內有指定參數，會忽略 faillock.conf 相同參數的設定。
unlock_time - 帳號鎖定後，經過多久時間會自動解鎖。
deny - 密碼錯誤次數。

新增目錄 faillock (optional)

TIP: 如果不指定目錄，預設目錄是 /var/run/faillock。

mkdir /var/log/faillock

Edit /etc/pam.d/system-auth , /etc/pam.d/password-auth

# for auth
# faillock, add the below line BEFORE pam_unix.so
auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 fail_interval=900 unlock_time=600
auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=600
#

auth        sufficient    pam_unix.so try_first_pass nullok

# faillock, add the below line AFTER pam_unix.so
auth        [default=die] pam_faillock.so authfail deny=3 fail_interval=900 unlock_time=600
#

# for account
# faillock, add the below line BEFORE pam_unix.so
account required pam_faillock.so
#

account     required      pam_unix.so

RedHat 6

Edit /etc/pam.d/system-auth , /etc/pam.d/password-auth

# for auth
# add the below line BEFORE pam_unix.so
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600  # insert this

auth        sufficient    pam_unix.so nullok try_first_pass

# add the below line AFTER pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600  # insert this

# for account
# add the below line BEFORE pam_unix.so
account required pam_faillock.so  # insert this

account     required      pam_unix.so

預設不會套用在 root；如果需要限制 root，下面這一行加上 even_deny_root ：

auth    required    pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1200 root_unlock_time=600

如果要排除特定 user，在第一個 pam_faillock.so 之前加上這行:

auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2:user3

如何手動解鎖與檢查被鎖定的帳戶

# display the authentication failure for all users 
faillock

# display the authentication failure for the specified user
faillock --user mytest

# unlock the user
faillock --user mytest --reset

Tip:

要確認設定是否有作用，可以監看 log 檔 /var/log/secure，登入錯誤次數達到設定值時，應該要出現下面的訊息。

Mar 8 15:26:08 centos7 sshd[26995]: pam_faillock(sshd:auth): Consecutive login failures for user i04181 account temporarily locked

VSFTPD

如果 vsftpd 使用系統帳號做認證時，也適用帳號鎖定的規則。

參考教學

進階管理技巧

建立系統用帳號

CentOS/RedHat)

groupadd -r asterisk
useradd -r -g asterisk -d /var/lib/asterisk -M asterisk

Ubuntu/Debian)

addgroup --system asterisk
adduser --system --ingroup asterisk --home /var/lib/asterisk --no-create-home --shell /bin/bash asterisk

變更帳號為管理者權限

# Debian/Ubuntu
# Add the user into the group sudo
sudo usermod -aG sudo <user-name>
# Verify the user's groups
groups <user-name>

強制修改密碼

強迫使用者在第一次登入後，修改他們的登入密碼

# 先將帳號鎖定
usermod -L <username>

# 強制第一次登入必須修改密碼
# 套用後，原密碼會立即過期，直到完成密碼變更。
chage -d 0 <username>

# 解除帳號鎖定
usermod -U <username>

# 檢查帳號的期限
chage -l <user-name>

帳號使用期限

# 檢查帳號期限
chage -l <user-name>

# 設定有效期限 
chage -M 10 <user-name>             # 10 天後密碼即失效
chage -E "2017-02-20" <user-name>   # 2017-02-20 以後帳號即鎖定
chage -I 10 <user-name>             # 如有設定密碼期限時，當密碼失效起 10 日後自動鎖定帳號 

# 解除期限
chage -E -1 <user-name>       ; 數字 -1 解除期限設定

帳號鎖定與解鎖

# 鎖定帳號
usermod -L <user-name>
passwd -l <user-name>
chage -E 0 <user-name>

# 解鎖帳號
usermod -U <user-name>
passwd -u <user-name>
chage -E <user-name>

# 檢查帳號鎖定狀態
grep <user-name> /etc/shadow

dbtest:!$6$hFCW6eI1$kI9J9QrxCjnpvzFPJnxSpNvQ...  密碼欄有 ! 符號表示鎖定

TIPs:
注意：passwd 雖然可以鎖定帳號，但仍可以用 SSH-Key 登入。

修改既有帳號的設定

# 修改註解
usermod -c "John" john
# 修改 shell
usermod -s "/sbin/nologin" alang
# 修改帳號名稱
usermod -l newuser currentuser

限制某帳號不可遠端登入

但可以由其他允許帳號從遠端登入後，執行 su 切換到該帳號

情境：限制 devrpt 可以從遠端登入，但其他帳號在登入後可以 su 到 devrpt。

方法一: 修改 sshd_config

# Added by Alang
# prevent certain users from using ssh for login
# while retaining the option to 'su username'
#
DenyUsers istdc

方法二: 最快速且容易設定但不適用需要有密碼的帳號

# 刪除 devrpt 的密碼
passwd -d devrpt

方法三: 比較嚴謹的做法

以 CentOS 為例：

1. 編輯 /etc/security/access.conf，加上這幾行

# The line 'cron crond' is required
+:devrpt:cron crond tty1 tty2 tty3 tty4 tty5 tty6
-:devrpt:ALL

TIPs：
內容格式為 permission : username: origins
permission + 允許或 - 拒絕
username 帳號
origins 來源，這可以是 tty 名稱'、主機/網域名稱、IP 。
注意：在此例，必須加上 cron crond 這一行，否則該帳號的 crontab 會無法工作。

2. 對於不同的登入服務，需要修改相應的安全設定檔

telnet : /etc/pam.d/remote (修改後立即生效)
SSH : /etc/pam.d/sshd (修改後需重新載入 SSHD)
Local 本機登入 : /etc/pam.d/login

視需要將以下內容加入其中一項或多項檔案內

# Limited users for remote login via telnet
# Check the file /etc/security/access.conf
account    required     pam_access.so

重建帳號的家目錄

mkhomedir_helper <username>

限制登入後的行為

情境: 帳號執行遠端登入後，只能變更密碼與幾個受限制的指令權限

RedHat-KB: https://access.redhat.com/solutions/65822

# Create the restricted shell
cp /bin/bash /bin/rbash

# Create a directory that is used as the HOME of the user
mkdir /home/dbuser/
mkdir /home/dbuser/bin

# Modify the target user for the shell as restricted shell
usermod -d /home/dbuser -s /bin/rbash siview
# or for new user
useradd -d /home/dbuser -s /bin/rbash siview

If a user uses rbash, the user can not do the following after login:

Changing directories with the |cd| built in.
Setting or unsetting the values of the |SHELL|, |PATH|, |ENV|, or |BASH_ENV| variables.
Specifying command names containing slashes.
Specifying a filename containing a slash as an argument to the |.| built in command.
Importing function definitions from the shell environment at startup.
Parsing the value of |SHELLOPTS| from the shell environment at startup.
Redirecting output using the `|>|', `|>||', `|<>|', `|>&|', `|&>|', and `|>>|' redirection operators.
Using the |exec| built in to replace the shell with another command.
Adding or deleting built in commands with the `|-f|' and `|-d|' options to the |enable| built in.
Specifying the `|-p|' option to the |command| built in.
Turning off restricted mode with `|set +r|' or `|set +o restricted|'.

# Create specific profile for the user
vi /home/dbuser/.bash_profile

.bash_profile:

# cat /home/localuser/.bash_profile  
# .bash_profile  

# Get the aliases and functions  
if [ -f ~/.bashrc ]; then  
. ~/.bashrc  
fi  
# User specific environment and startup programs  
PATH=$HOME/bin  
export PATH

# Create the softlinks of commands which are required for the user
ln -s /bin/date /home/dbuser/bin/
ln -s /bin/ls /home/dbuser/bin/
ln -s /usr/bin/passwd /home/dbuser/bin/

密碼強度

RH-KB: https://access.redhat.com/solutions/66322 (RHEL6)
RH-KB: Set a password policy in Red Hat Enterprise Linux 7 (RHEL7)
How to Set password policy in CentOS or RHEL system
RedHat/CentOS: /usr/share/doc/pam-<version>/txts/README.pam_cracklib
[中文] https://www.lijyyh.com/2012/07/pam-managing-account-security-with-pam.html

預設強度:

difok=N , 預設字元數 5 位數
minlen=N, 最少字元位數，預設是 9。
dcredit=-1, 數字至少 1 位數
ucredit=-1, 大寫字母至少 1 位數
lcredit=-1, 小寫字母至少 1 位數

Edit /etc/pam.d/system-auth , /etc/pam.d/password-auth

CentOS 5/6)

NOTE: CentOS 5 沒有 /etc/pam.d/password-auth , 所以只需要設定 /etc/pam.d/system-auth

# Set password strength
#password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    requisite     pam_cracklib.so minlen=8 dcredit=-1 ucredit=-1 lcredit=-1

CentOS 7/8)

Edit /etc/security/pwquality.conf

# Set password strength
minlen = 8
dcredit = -1
ucredit = -1
lcredit = -1

預設 root 不會套用密碼強度規則，如果要做限制，編輯 /etc/pam.d/system-auth 與 /etc/pam.d/password-auth ，在 password 這一行加上 enforce_for_root。

# Enforce root for password strength
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= enforce_for_root

記住幾代密碼
CentOS 5/6)

# Keep history of passwords used
# Add remember=N
# The last n passwords for each user are saved in /etc/security/opasswd in order to force password change history 
# and keep the user from alternating between the same password too frequently.
#password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_unix.so sha512 remember=8 shadow nullok try_first_pass use_authtok

CentOS 7/8)

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
# Keep history of passwords used, insert the below line after pam_pwquality.so line
password    requisite     pam_pwhistory.so remember=8 use_authtok

TIP: 歷史密碼會被儲存在 /etc/security/opasswd .

群組管理

# Create a new group
groupadd <group-name>
addgroup <group-name>

# add a group into an account
usermod -aG mygroup user1
useradd -aG family,friends james

# To change the primary group of the user tom to family
usermod -g family tom

# remove user from a group
gpasswd -d user1 mygroup

# list all users in a group
lid -g mygroup

# list groups
groups

指令 passwd

# displays the status of user account password settings
# [Username] [Status] [Date Last Changed] [Min. Age] [Max. Age] [Warn. Period] [ Inactivity Period]
# Status: 
#  - P: Usable password
#  - NP: No password
#  - L: Locked password
# Age: 
#  - 99999: Never expires
#  - 0: Can be changed at anytime
#  - -1: Disabled
passwd -S evans
 evans PS 2020-09-07 0 99999 7 -1 (Password set, SHA512 crypt.)

# Check password status for all accounts
passwd -Sa

# lock the password of a specified account
passwd -l user1

# unlock the password
passwd -u user2

# delete a password for an account
passwd -d user1

# expire a password for an account
# This will force user to change the password at next login.
passwd -e user2

# This sets the number of days before a password can be changed. 
# By default, a value of zero is set, which indicates that the user may change 
# their password at any time.
# This means user2 cannot change its own password until 10 days have passed.
passwd -n 10 user2

# To confirm the password setting made with the -n option above, run the following command:
# The value of 10 after the date indicates the minimum number of days 
# until the password can be changed.
passwd -S user1
user1 PS 2020-12-04 10 99999 7 -1 (Password set, SHA512 crypt.)

# This means after 90 days, the password is required to be changed.
passwd -x 90 user2

# This means the user will receive warnings that the password will expire 7 days 
# before the expiration.
passwd -w 7 user2

# This means after a user account has had an expired password for 5 days, 
# the user may no longer sign on to the account.
passwd -i 5 user2

# This command will read from the echo command and pass it to the passwd command. 
# So this will set the user1 password to userpasswd1.
echo "userpasswd1"|passwd --stdin user1

批次建立多個帳號

# Step 1 – Create an encrypted password
## perl one liner ##
#perl -e 'print crypt("Your-Clear-Text-Password-Here", "salt"),"\n"'

password="1YelloDog@"
pass=$(perl -e 'print crypt($ARGV[0], "password")' $password)
echo "$pass"

# Step 2 – Shell script to add a user and password on Linux
#!/bin/bash
# Purpose - Script to add a user to Linux system including passsword
# Author - Vivek Gite <www.cyberciti.biz> under GPL v2.0+
# ------------------------------------------------------------------
# Am i Root user?
if [ $(id -u) -eq 0 ]; then
	read -p "Enter username : " username
	read -s -p "Enter password : " password
	egrep "^$username" /etc/passwd >/dev/null
	if [ $? -eq 0 ]; then
		echo "$username exists!"
		exit 1
	else
		pass=$(perl -e 'print crypt($ARGV[0], "password")' $password)
		useradd -m -p "$pass" "$username"
		[ $? -eq 0 ] && echo "User has been added to system!" || echo "Failed to add a user!"
	fi
else
	echo "Only root may add a user to the system."
	exit 2
fi

# Step 3 – Change existing Linux user’s password in one CLI
echo "vivek:password" | chpasswd

# Verify that password has been changed
chage -l vivek

# Step 4 – Create Users and change passwords with passwd on a CentOS/RHEL
echo "YourPassword" | passwd --stdin UserName

系統帳號與密碼遷移

在來源主機執行

# 只遷移 uid=501 以上的帳號
export UGIDLIMIT=501
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/passwd | sed '/nfsnobody/d' > passwd.move
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/group | sed '/nfsnobody/d' > group.move
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534) {print $1}' /etc/passwd | egrep -wf - /etc/shadow | sed '/nfsnobody/d' > shadow.move

NOTE: 如果系統有設定群組密碼，還要加上檔案 /etc/gshadow 的遷移。

將以上的檔案 *.move 複製到目的主機，然後執行

cat passwd.move >> /etc/passwd
cat shadow.move >> /etc/shadow
cat group.move >> /etc/group

pwconv
grpconv

# 帳號如果需要建立 home 目錄，可以執行
mkhomedir_helper <user-name>

Optional: 清除之前匯入的帳密

NOTE: 清除帳密時，只需要編輯 /etc/passwd 與 /etc/group，然後執行 pwconv 與 grpconv，就可以自動更新 /etc/shadow 與 /etc/gshadow。這方法不適用在匯入帳密時。

# 清除之前匯入的帳密
## 修改 /etc/passwd
vipw

## 修改 /etc/group
vigr

## 更新 /etc/shadow, /etc/gshadow
pwconv
grpconv

Optional: 指定 UID 範圍的帳號轉移 (501 ~ 600)

export UGID_DOWN=501
export UGID_UP=600
awk -v LIMIT_DOWN=$UGID_DOWN -v LIMIT_UP=$UGID_UP -F: '($3>=LIMIT_DOWN) && ($3<=LIMIT_UP) && ($3!=65534)' /etc/passwd | sed '/nfsnobody/d' > passwd.move
awk -v LIMIT_DOWN=$UGID_DOWN -v LIMIT_UP=$UGID_UP -F: '($3>=LIMIT_DOWN) && ($3<=LIMIT_UP) && ($3!=65534)' /etc/group | sed '/nfsnobody/d' > group.move
awk -v LIMIT_DOWN=$UGID_DOWN -v LIMIT_UP=$UGID_UP -F: '($3>=LIMIT_DOWN) && ($3<=LIMIT_UP) && ($3!=65534) {print $1}' /etc/passwd | egrep -wf - /etc/shadow | sed '/nfsnobody/d' > shadow.move

帳號活動監控 psacct

yum install psacct

How to Monitor Linux Users Activity with psacct or acct Tools
Display total statistics of connect time in hours
Print All Linux Commands Executed by Users
Print Linux User Information
Print Number of Linux Processes
Print and Sort Usage by Percentage
Search Logs for Commands

遠端連線自動登出 (TMOUT)

Linux: /etc/profile.d/timeout.sh

#!/bin/bash
# Set the TMOUT 600 for specified group
grpname="sshusers"
#if [[ "`id -Gn`" =~ .*"$grpname".* ]]; then
if grep -q "$grpname" <<< "`id -Gn`"; then
    export TMOUT=600
fi

Multi groups

#!/bin/bash
# Set the TMOUT 600 for specified groups
#grpnames="(group1|group2|group3)"
grpnames="(sshusers)"
if echo "`id -Gn`" | grep -wEq "$grpnames"; then
    export TMOUT=600
fi

AIX: /etc/profile

# Set the TMOUT 600 for specified groups
#grpnames="(group1|group2|group3)"
grpnames="(sshusers)"
if echo "`id -Gn`" | grep -wEq "$grpnames"; then
    export TMOUT=600
fi