1) DEFAULT 不严格的安全等级,可以让系统使用 TLSv1.2
2) FUTURE 严格的安全等级,只能让系统使用 TLSv1.2 不能使用 TLSv1.3
# update-crypto-policies --show
DEFAULT(补充:从这里可以看出目前的 update-crypto-policies 参数是 DEFAULT)
# update-crypto-policies --set=FUTURE(补充:这里以将 update-crypto-policies 参数设置为 FUTURE 为例)
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failureRocky Linux 8 & RHEL 8 已经默认废弃 TLSv1.2
可以使用 TLSv1.3 替代 TLSv1.2 或者将 update-crypto-policies 参数设置为 DEFAULT 以解决此报错
# update-crypto-policies --show
FUTURE(补充:从这里可以看出目前的 update-crypto-policies 参数是 FUTURE)
# update-crypto-policies --set=DEFAULT(补充:这里以将 update-crypto-policies 参数设置为 DEFAULT 为例)
# vim /etc/sudoers或者:
# visudo添加以下内容:
……
zhumingyu ALL=(ALL) /usr/bin/mysql(补充:这里以给用户 zhumingyu 添加 /usr/bin/mysql 命令为例)
# vim /etc/sudoers在
......
env_reset
......这一行下面添加:
......
Defaults env_keep += "http_proxy https_proxy"
......(补充:这里以允许用户在进行 sudo 提权的同时也能使用 http_proxy、https_proxy 为例)
从 CentOS Linux 8 & RHEL 8 开始,系统的身份验证模块从 CentOS Linux 7 & RHEL 7 的 pam_tally2 换成了 pam_faillock
# vim /etc/ssh/sshd_config将以下内容:
......
#UsePAM no
......修改为:
......
UsePAM yes
......# systemctl restart sshd# cat /etc/pam.d/login | grep system-auth确保包含以下内容:
auth substack system-auth
account include system-auth
password include system-auth
session include system-auth# cat /etc/pam.d/sshd | grep password-auth确保包含以下内容:
auth substack password-auth
account include password-auth
password include password-auth
session include password-auth# vim /etc/pam.d/system-auth在此行:
......
auth required pam_env.so
......下面添加:
......
auth required pam_faillock.so preauth silent audit even_deny_root deny=6 unlock_time=180
......在此行:
......
auth sufficient pam_unix.so nullok try_first_pass
......下面添加:
......
auth [default=die] pam_faillock.so authfail audit even_deny_root deny=6 unlock_time=180
......在此行:
......
account required pam_unix.so
......下面添加:
......
account required pam_faillock.so
......(补充:这里以包括 root 用户每使用密码 SSH 远程登录失败 6 次则被锁定 180 秒为例)
(注意:Rocky Linux 8 & RHEL 8 不建议执行此步骤,执行后 Rocky Linux 8 & RHEL 8 正常的 SFTP 登陆会被视为失败,不过正常的 SSH 登录不受影响)
# vim /etc/pam.d/system-auth将以下内容:
......
password requisite pam_pwquality.so ......
......修改为:
......
password requisite pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3 ......
......(补充:这里以登录失败 3 次后提示登录失败为例)
# vim /etc/pam.d/password-auth在此行:
......
auth required pam_env.so
......下面添加:
......
auth required pam_faillock.so preauth silent audit even_deny_root deny=6 unlock_time=180
......在此行:
......
auth sufficient pam_unix.so try_first_pass nullok
......下面添加:
......
auth [default=die] pam_faillock.so authfail audit even_deny_root deny=6 unlock_time=180
......在此行:
......
account required pam_unix.so
......下面添加:
......
account required pam_faillock.so
......(补充:这里以包括 root 用户每使用密码 SSH 远程登录失败 6 次则被锁定 180 秒为例)
(注意:Rocky Linux 8 & RHEL 8 不建议执行此步骤,执行后 Rocky Linux 8 & RHEL 8 正常的 SFTP 登陆会被视为错误失败,不过正常的 SSH 登录不受影响)
# vim /etc/pam.d/password-auth将以下内容:
......
password requisite pam_pwquality.so ......
......修改为:
......
password requisite pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3 ......
......(补充:这里以登录失败 3 次后提示登录失败为例)
# vim /etc/security/faillock.conf将以下内容:
......
# deny =
......
# unlock_time =
......修改为:
......
deny = 6
......
unlock_time = 180
......(注意:只在 Rocky Linux 8 & RHEL 8 才进行此操作)
# authconfig --enablefaillock --faillockargs="deny=6 unlock_timeout=180" --update(
补充:
1) 这里以包括 root 用户每使用密码 SSH 远程登录失败 6 次则被锁定 180 秒
2) 登录失败 3 次后提示登录失败
为例
)
# authconfig --disablefaillock --update# faillock --user root(补充:这里以显示 root 用户近期输错了几次密码为例)
# faillock --user root --reset# faillock --reset# vim /etc/pam.d/system-auth在此行:
......
auth required pam_faillock.so preauth silent audit even_deny_root deny=6 unlock_time=180
......下面添加:
......
auth [success=1 default=ignore] pam_succeed_if.so user in mingyuzhu1:mingyuzhu2:mingyuzhu3
......(补充:这里以排除用户 zhumingyu1、zhumingyu2 和 zhumingyu3 的输错密码次数限制为例)
(注意:Rocky Linux 8 & RHEL 8 不建议执行此步骤)
# vim /etc/pam.d/password-auth在此行:
......
auth [default=die] pam_faillock.so authfail audit even_deny_root deny=6 unlock_time=180
......下面添加:
......
auth [success=1 default=ignore] pam_succeed_if.so user in mingyuzhu1:mingyuzhu2:mingyuzhu3
......(补充:这里以排除用户 zhumingyu1、zhumingyu2 和 zhumingyu3 的输错密码次数限制为例)
(注意:Rocky Linux 8 & RHEL 8 不建议执行此步骤)
https://access.redhat.com/solutions/62949
从 Rocky Linux 8 & RHEL 8 开始,系统的身份验证模块从 CentOS Linux 7 & RHEL 7 的 pam_tally2 换成了 pam_faillock
# vim /etc/ssh/sshd_config将以下内容:
......
#UsePAM no
......修改为:
......
UsePAM yes
......# systemctl restart sshd# cat /etc/pam.d/login | grep system-auth确保包含以下内容:
auth substack system-auth
account include system-auth
password include system-auth
session include system-auth# cat /etc/pam.d/sshd | grep password-auth确保包含以下内容:
auth substack password-auth
account include password-auth
password include password-auth
session include password-auth# authselect current | awk 'NR == 1 {print $3}' | grep custom/
custom/password-policy(补充:从这里显示的结果可以看出这里选择的自定义配置文件是 custom/password-policy ,如果没有输出则代表没有选择自定义配置文件)
# authselect check
Current configuration is valid.(补充:从这里显示的结果可以看出自定义配置文件是生效的)
# vim /etc/authselect/custom/password-policy/system-auth将以下内容:
......
auth required pam_faillock.so preauth silent {include if "with-faillock"}
......
auth required pam_faillock.so authfail {include if "with-faillock"}
......修改为:
......
auth required pam_faillock.so preauth silent audit even_deny_root deny=6 unlock_time=180 {include if "with-faillock"}
......
auth required pam_faillock.so authfail audit even_deny_root deny=6 unlock_time=180 {include if "with-faillock"}
......(补充:这里以包括 root 用户每使用密码 SSH 远程登录失败 6 次则被锁定 180 秒为例)
(注意:不建议执行此步骤,执行后正常的 SFTP 登陆会被视为登陆失败,不过正常的 SSH 登录不受影响)
# vim /etc/authselect/custom/password-policy/system-auth将以下内容:
......
password requisite pam_pwquality.so ......
......修改为:
......
password requisite pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3 ......
......(补充:这里以登录失败 3 次后提示登录失败为例)
# vim /etc/authselect/custom/password-policy/password-auth将以下内容:
......
auth required pam_faillock.so preauth silent {include if "with-faillock"}
......
auth required pam_faillock.so authfail {include if "with-faillock"}
......
修改为:
......
auth required pam_faillock.so preauth silent audit even_deny_root deny=6 unlock_time=180 {include if "with-faillock"}
......
auth required pam_faillock.so authfail audit even_deny_root deny=6 unlock_time=180 {include if "with-faillock"}
......(补充:这里以包括 root 用户每使用密码 SSH 远程登录失败 6 次则被锁定 180 秒为例)
(注意:不建议执行此步骤,执行后正常的 SFTP 登陆会被视为登陆失败,不过正常的 SSH 登录不受影响)
# vim /etc/authselect/custom/password-policy/password-auth将以下内容:
......
password requisite pam_pwquality.so ......
......修改为:
......
password requisite pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3 ......
......(补充:这里以登录失败 3 次后提示登录失败为例)
# authselect apply-changes -b --backup=sssd.backup(补充:这里以创建 sssd.backup 备份文件为例)
# authselect create-profile password-policy -b sssd --symlink-meta --symlink-pam(补充:这里以生成名为 password-policy 的自定义配置文件为例)
# authselect select custom/password-policy with-sudo with-faillock without-nullok with-mkhomedir --force(
补充:
1) 这里以选择名为 password-policy 的自定义配置文件为例
2) 这里设置了 with-sudo、with-faillock、without-nullok 和 with-mkhomedir 参数
)
(注意:使用了 with-mkhomedir 参数后,会提示需要开启 oddjobd)
# dnf install oddjob ; systemctl enable --now oddjobd.service# authselect current(补充:这里以生成并选择名为 password-policy 的自定义配置文件为例)
# vim /etc/authselect/custom/password-policy/system-auth将以下内容:
......
auth required pam_faillock.so preauth silent {include if "with-faillock"}
......
auth required pam_faillock.so authfail {include if "with-faillock"}
......修改为:
......
auth required pam_faillock.so preauth silent audit even_deny_root deny=6 unlock_time=180 {include if "with-faillock"}
......
auth required pam_faillock.so authfail audit even_deny_root deny=6 unlock_time=180 {include if "with-faillock"}
......(补充:这里以包括 root 用户每使用密码 SSH 远程登录失败 6 次则被锁定 180 秒为例)
(注意:不建议执行此步骤,执行后正常的 SFTP 登陆会被视为登陆失败,不过正常的 SSH 登录不受影响)
# vim /etc/authselect/custom/password-policy/system-auth将以下内容:
......
password requisite pam_pwquality.so ......
......修改为:
......
password requisite pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3 ......
......(补充:这里以登录失败 3 次后提示登录失败为例)
# vim /etc/authselect/custom/password-policy/password-auth将以下内容:
......
auth required pam_faillock.so preauth silent {include if "with-faillock"}
......
auth required pam_faillock.so authfail {include if "with-faillock"}
......修改为:
......
auth required pam_faillock.so preauth silent audit even_deny_root deny=6 unlock_time=180 {include if "with-faillock"}
......
auth required pam_faillock.so authfail audit even_deny_root deny=6 unlock_time=180 {include if "with-faillock"}
......(
补充:
1) 这里以包括 root 用户每使用密码 SSH 远程登录失败 6 次则被锁定 180 秒
2) 登录失败 3 次后提示登录失败
为例
)
(注意:不建议执行此步骤,执行后正常的 SFTP 登陆会被视为登陆失败,不过正常的 SSH 登录不受影响)
# vim /etc/authselect/custom/password-policy/password-auth将以下内容:
......
password requisite pam_pwquality.so ......
......修改为:
......
password requisite pam_pwquality.so try_first_pass local_users_only enforce-for-root retry=3 ......
......(补充:这里以登录失败 3 次后提示登录失败为例)
# authselect apply-changes(注意:此步骤会刷新 /etc/authselect/system-auth 配置文件和 /etc/authselect/password-auth 配置文件)
# vim /etc/security/faillock.conf将以下内容:
......
# deny =
......
# unlock_time =
......修改为:
......
deny = 6
......
unlock_time = 180
......(补充:这里以包括 root 用户每使用密码 SSH 远程登录失败 6 次则被锁定 180 秒为例)
(注意:只在 Rocky Linux 8 & RHEL 8 才进行此操作)
# faillock --user root(补充:这里以显示 root 用户近期输错了几次密码为例)
# faillock --user root --reset# faillock --reset# authselect disable-feature with-faillock# authselect enable-feature with-faillockhttps://access.redhat.com/solutions/62949