As part of our becoming-PCI-compliant project, there are a list of requirements about user security that needed translating from legal-speak into practical actions and ways to implement these actions for our Linux servers. We’re using Debian, your mileage may vary.
“The last 4 passwords must be different”
This is controlled by PAM using the pam_unix.so (or pam_unix2.so) module, which ships as default in Debian.
In the config file /etc/pam.d/common-password the line containing “pam_unix.so” needs to include “remember-4”, eg:
password requisite pam_unix.so obscure use_authtok try_first_pass sha512 remember=4
“Passwords must contain more than 7 characters, and must be a mixture of upper and lowercase letters, and numbers”
Passwords can be tested with the PAM module pam_cracklib.so. On debian/ubuntu, this can be installed with
$ apt-get install libpam-cracklib
and this will generate an entry in the config file found at /etc/pam.d/common-password along the lines of
password requisite pam_cracklib.so retry=3 minlen=11 lcredit=1 ucredit=1 dcredit=1 ocredit=1 What we're interested in here is primarily minlen - but it's not exactly the minumum length of the password as you might expect. Rather, it's a total of the number of characters in the password, plus scores from lcredit, ucredit, dcredit and ocredit, where the parameters mean
- lcredit = maximum credit allowed from required lower-case characters
- ucredit = number of required upper-case characters
- dcredit = number of required digits
- ocredit = number of required other characters (non-alphanumeric)
So, if we have the requirement of 8 or more characters including numbers, and upper and lowercase letters, then we can set lcredit, ucredit, and dcredit all to 1, and require minlen = (8+1+1+1) = 11 to ensure this policy is enforced.
“Passwords must be changed every 45 days”
Aha, an easy one. In /etc/login.defs , set
“Accounts are made inactive 90 days after last login”
Also straightforwards. In /etc/default/useradd , set
“Sessions timeout after 15 mins inactivity”
Within /etc/bash.bashrc, set
“Account locks out for 30 mins after 6 failed login attempts”
For this one, we need to install fail2ban (apt-get install fail2ban), and then create a file at /etc/fail2ban/jail.local which contains the following:
[DEFAULT]
bantime = 1800
maxretry =6
Remember to restart fail2ban after you've made the config change.
References:
- http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html
- http://www.cyberciti.biz/tips/how-to-linux-prevent-the-reuse-of-old-passwords.html
- http://www.cyberciti.biz/tips/linux-check-passwords-against-a-dictionary-attack.html
- https://www.digitalocean.com/community/articles/how-to-protect-ssh-with-fail2ban-on-ubuntu-12-04