{"id":5182,"date":"2015-09-03T10:13:45","date_gmt":"2015-09-03T02:13:45","guid":{"rendered":"http:\/\/rmohan.com\/?p=5182"},"modified":"2015-09-03T10:13:45","modified_gmt":"2015-09-03T02:13:45","slug":"hardening-rhel-7-1","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=5182","title":{"rendered":"Hardening RHEL 7.1"},"content":{"rendered":"<p><strong>Secure passwords<\/strong><\/p>\n<p>Passwords are the primary method that Red Hat Enterprise Linux 7 uses to verify a user&#8217;s identity. This is why password security is so important for protection of the user, the workstation, and the network.<\/p>\n<p>By default RHEL uses shadow passwords, which prevent non-root users from reading the password hashes by storing them in the file\u00a0\/etc\/shadow, which is readable only by the root user.<\/p>\n<p><strong>Strong passwords<\/strong><\/p>\n<p>Since the storage of passwords has already been taken care of, the next step is to force the creation of strong passwords.<\/p>\n<p>When users are asked to create or change passwords, they can use the passwd command-line utility, which is PAM-aware (Pluggable Authentication Modules) and checks to see if the password is too short or otherwise easy to crack. 
This checking is performed by the pam_pwquality.so PAM module.<\/p>\n<p>PAM reads its configuration from the\u00a0\/etc\/pam.d\/passwd file, but the file we want to edit for tuning password policies is\u00a0\/etc\/security\/pwquality.conf.<\/p>\n<p>Have a look at the configuration options:<\/p>\n<p><a href=\"http:\/\/rmohan.com\/wp-content\/uploads\/2015\/09\/hardening_rhel_01.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5183\" src=\"http:\/\/rmohan.com\/wp-content\/uploads\/2015\/09\/hardening_rhel_01.png\" alt=\"hardening_rhel_01\" width=\"746\" height=\"497\" srcset=\"https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_01.png 746w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_01-300x200.png 300w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_01-150x100.png 150w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_01-400x266.png 400w\" sizes=\"(max-width: 746px) 100vw, 746px\" \/><\/a><\/p>\n<p>Here are the details of what each entry means:<\/p>\n<ul>\n<li>difok &#8211;\u00a0Number of characters in the new password that must not be present in the\u00a0old password.<\/li>\n<li>minlen &#8211;\u00a0Minimum acceptable size for the new password.<\/li>\n<li>dcredit &#8211; Credit for having digits in the new password.<\/li>\n<li>ucredit &#8211; Credit for having uppercase characters in the new password.<\/li>\n<li>lcredit &#8211; Credit for having lowercase characters in the new password.<\/li>\n<li>ocredit &#8211; Credit for having other characters in the new password.<\/li>\n<li>maxrepeat &#8211;\u00a0Maximum number of allowed consecutive identical characters in the new password.<\/li>\n<li>minclass &#8211;\u00a0Minimum number of required character classes for the new\u00a0password (digits, uppercase, lowercase, others).<\/li>\n<li>maxclassrepeat &#8211;\u00a0Maximum number of allowed consecutive characters of the same class in the new password.<\/li>\n<li>gecoscheck &#8211;\u00a0Whether to check for the words from the passwd entry GECOS string of the user (0=check).<\/li>\n<li>dictpath &#8211;\u00a0Path to the cracklib dictionaries. Blank is to use the cracklib default.<\/li>\n<\/ul>\n<p><em><strong>NOTE:<\/strong><\/em> Credit works like money: if you have a positive number such as three you have spare credit and don&#8217;t have to worry, but if you have a negative number (a debt) you have to pay it. For instance &#8220;ucredit = -2&#8221; means the user will have to include at least two upper-case characters when creating a password.<\/p>\n<p>Something practical to do is to set &#8220;minlen = 8&#8221; and &#8220;minclass = 4&#8221;. With these two settings you ensure that the password has to be at least 8 characters long and that it must contain upper-case letters, lower-case letters, digits and symbols. That is what you will normally find on production servers.<\/p>\n<p>Some like to uncomment dictpath and let pam_pwquality use the default cracklib dictionary. 
You could go much further with this, but it is not recommended because passwords would need to be too complex: users wouldn&#8217;t be able to remember them and the SA would have to reset passwords too often.<\/p>\n<p>This is the resulting pwquality.conf with strong password settings:<\/p>\n<p><a href=\"http:\/\/rmohan.com\/wp-content\/uploads\/2015\/09\/hardening_rhel_02.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5184\" src=\"http:\/\/rmohan.com\/wp-content\/uploads\/2015\/09\/hardening_rhel_02.png\" alt=\"hardening_rhel_02\" width=\"746\" height=\"497\" srcset=\"https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_02.png 746w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_02-300x200.png 300w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_02-150x100.png 150w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_02-400x266.png 400w\" sizes=\"(max-width: 746px) 100vw, 746px\" \/><\/a><\/p>\n<p>NOTE:\u00a0As the root user is the one who enforces the rules for password creation, root can\u00a0set any password for itself or for a regular user, despite the warning messages.<\/p>\n<p><strong>Password aging<\/strong><\/p>\n<p>This technique is used to limit the time for which a cracked password remains useful. 
The downside is that if you set this value too low (password change required very often), users will tend to write their passwords down, creating a weak spot.<\/p>\n<p>A common practice is to specify the maximum number of days for which the\u00a0password is valid.<\/p>\n<p>Password aging is performed with the command &#8220;chage&#8221;.<\/p>\n<p>This command is normally used when hardening a system to expire old insecure passwords immediately.<\/p>\n<p>I will show three examples of how to use this command on the console:<\/p>\n<ol>\n<li>Set a 90 day period for the password of user fpalacios to expire.<\/li>\n<li>Expire the password for fpalacios so that the user must change it on the next log on.<\/li>\n<li>Expire the password of every user in group developers.<\/li>\n<\/ol>\n<p><a href=\"http:\/\/rmohan.com\/wp-content\/uploads\/2015\/09\/hardening_rhel_03.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5185\" src=\"http:\/\/rmohan.com\/wp-content\/uploads\/2015\/09\/hardening_rhel_03.png\" alt=\"hardening_rhel_03\" width=\"746\" height=\"497\" srcset=\"https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_03.png 746w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_03-300x200.png 300w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_03-150x100.png 150w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_03-400x266.png 400w\" sizes=\"(max-width: 746px) 100vw, 746px\" \/><\/a><\/p>\n<p><strong>Account Locking<\/strong><\/p>\n<p>In Red Hat Enterprise Linux 7, the pam_faillock PAM module allows system\u00a0administrators to lock out user accounts after a specified number of failed attempts.<\/p>\n<p>Limiting user login attempts serves mainly as a security measure that aims to prevent possible brute force attacks targeted to obtain a user&#8217;s account password.<\/p>\n<p>Follow these steps to configure account 
locking:<\/p>\n<ol>\n<li>To lock out any non-root user after three unsuccessful attempts and unlock that user after 10 minutes, add the following lines to the auth section of the \/etc\/pam.d\/system-auth and \/etc\/pam.d\/password-auth files:<br \/>\n<em>auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600<\/em><br \/>\n<em>auth sufficient pam_unix.so nullok try_first_pass<\/em><br \/>\n<em>auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600<\/em><\/li>\n<\/ol>\n<p><a href=\"http:\/\/rmohan.com\/wp-content\/uploads\/2015\/09\/hardening_rhel_05.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5186\" src=\"http:\/\/rmohan.com\/wp-content\/uploads\/2015\/09\/hardening_rhel_05.png\" alt=\"hardening_rhel_05\" width=\"746\" height=\"497\" srcset=\"https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_05.png 746w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_05-300x200.png 300w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_05-150x100.png 150w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_05-400x266.png 400w\" sizes=\"(max-width: 746px) 100vw, 746px\" \/><\/a><\/p>\n<p><a href=\"http:\/\/rmohan.com\/wp-content\/uploads\/2015\/09\/hardening_rhel_06.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5187\" src=\"http:\/\/rmohan.com\/wp-content\/uploads\/2015\/09\/hardening_rhel_06.png\" alt=\"hardening_rhel_06\" width=\"746\" height=\"497\" srcset=\"https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_06.png 746w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_06-300x200.png 300w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_06-150x100.png 150w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_06-400x266.png 400w\" 
sizes=\"(max-width: 746px) 100vw, 746px\" \/><\/a><\/p>\n<ol start=\"2\">\n<li>Add the following line to the account section of both files specified in the previous step:<br \/>\n<em>account required pam_faillock.so<\/em><\/li>\n<\/ol>\n<p>I will show you the end result of one of the files:<\/p>\n<p><a href=\"http:\/\/rmohan.com\/wp-content\/uploads\/2015\/09\/hardening_rhel_07.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5188\" src=\"http:\/\/rmohan.com\/wp-content\/uploads\/2015\/09\/hardening_rhel_07.png\" alt=\"hardening_rhel_07\" width=\"746\" height=\"497\" srcset=\"https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_07.png 746w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_07-300x200.png 300w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_07-150x100.png 150w, https:\/\/mohan.sg\/wp-content\/uploads\/2015\/09\/hardening_rhel_07-400x266.png 400w\" sizes=\"(max-width: 746px) 100vw, 746px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Secure passwords<\/p>\n<p>Passwords are the primary method that Red Hat Enterprise Linux 7 uses to verify a user&#8217;s identity. 
This is why password security is so important for protection of the user, the workstation, and the network.<\/p>\n<p>By default RHEL uses shadow passwords which eliminate this type of attack by storing the password hashes in [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[73],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5182"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5182"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5182\/revisions"}],"predecessor-version":[{"id":5189,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5182\/revisions\/5189"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}