How to configure an account lockout policy with the pam_faillock module on CentOS 7

Check that the PAM module exists

ls -l /usr/lib64/security/pam_faillock.so
-rwxr-xr-x. 1 root root 15512 Apr 11  2018 /usr/lib64/security/pam_faillock.so

Check that sshd uses PAM (the stock CentOS 7 sshd_config sets UsePAM yes). Without it, sshd checks passwords itself, never runs this PAM stack, and the lockout is never triggered. The pattern below also matches a commented-out line, so read the whole line that comes back, not just the fact that something matched.

grep -E '^[# ]*UsePAM' /etc/ssh/sshd_config
UsePAM yes

Back up the files first

  • system-auth
sudo cp /etc/pam.d/system-auth /etc/pam.d/system-auth_$(date '+%Y%m%d-%H%M%S')
  • password-auth
sudo cp /etc/pam.d/password-auth /etc/pam.d/password-auth_$(date '+%Y%m%d-%H%M%S')

Edit the PAM configuration

Edit the auth and account sections of both /etc/pam.d/system-auth and /etc/pam.d/password-auth. sshd (and most other network services) pulls in password-auth, while console login and su pull in system-auth, so both files need the same change. Both are normally symlinks to the -ac files that authconfig regenerates, and the header of each file warns that a later authconfig run discards hand edits; if authconfig is part of your provisioning, apply the policy through its --enablefaillock and --faillockargs options instead of relying on the manual edit. The lines added to the original file are marked with ### comments.

system-auth

vim /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
### preauth: check the existing failure records before the password is tried and
### deny a user who is already locked; this line records nothing
auth        required      pam_faillock.so preauth silent audit deny=5 unlock_time=300
auth        [success=1 default=bad] pam_unix.so nullok try_first_pass
### authfail: reached only when pam_unix.so failed; records the failure and ends the stack
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=300
### authsucc: reached only when pam_unix.so succeeded; clears the failure records.
### It must carry the same deny/unlock_time as the two lines above: without them it
### uses the built-in defaults (deny=3 unlock_time=600), so a user with 3 or 4 recent
### failures passes preauth and then gets rejected here even with the right password
auth        sufficient    pam_faillock.so authsucc audit deny=5 unlock_time=300
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

### pam_faillock in the account stack, placed first as in the pam_faillock(8) example.
### Anywhere after the sufficient pam_localuser.so line it is never reached, because
### that line already ends the account stack with success for every local user
account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
For reference, the original system-auth before editing:
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

password-auth

vim /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
### preauth: check the existing failure records before the password is tried and
### deny a user who is already locked; this line records nothing
auth        required      pam_faillock.so preauth silent audit deny=5 unlock_time=300
auth        [success=1 default=bad] pam_unix.so nullok try_first_pass
### authfail: reached only when pam_unix.so failed; records the failure and ends the stack
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=300
### authsucc: reached only when pam_unix.so succeeded; clears the failure records.
### Same deny/unlock_time as above, otherwise the built-in defaults (deny=3
### unlock_time=600) apply on this line and a user with 3 or 4 recent failures is
### rejected here despite a correct password
auth        sufficient    pam_faillock.so authsucc audit deny=5 unlock_time=300
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

### pam_faillock in the account stack, placed first as in the pam_faillock(8) example;
### after the sufficient pam_localuser.so line it would never be reached for local users
account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
For reference, the original password-auth before editing:
cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
  • deny=5: lock the account after 5 consecutive failed logins
  • unlock_time=300: the lock lifts by itself 300 seconds (5 minutes) after the last failure; unlock_time=0 means no automatic unlock, an administrator must reset the records
  • fail_interval (not set here, default 900 seconds): only failures within this window count toward deny
  • preauth: checks the existing records before the password is tried and rejects a locked user; it records nothing
  • authfail: records the failure (reached only when pam_unix.so failed)
  • authsucc: clears the records (reached only when pam_unix.so succeeded)
  • audit: also logs the user name when the user does not exist (by default unknown user names are not logged)
  • silent: suppresses the "account locked" message shown to the user
  • root is never locked unless even_deny_root is added; root_unlock_time then sets a separate unlock period for root
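An added check that is not part of the original post: a shell function that lints the auth and account stacks of a PAM service file for the faillock layout used here. It confirms that preauth precedes pam_unix.so and authfail follows it, that preauth, authfail and authsucc carry identical deny= and unlock_time= values (an authsucc line without them silently falls back to the module defaults), and that the account-stack pam_faillock.so line comes before any sufficient line that would end the stack first. The two sample configurations are constructed inline: the first has the two defects just listed, the second is the corrected layout. Function and sample names are my own.

```shell
# Lint the auth/account stacks of a PAM service file for the faillock layout
# used in this post. Reads the file named as $1, or stdin when no argument is
# given. Prints one line per finding and exits with the number of findings.
faillock_lint() {
    awk '
    # Pull "deny=N unlock_time=N" out of a module line so the three faillock
    # lines can be compared; root_unlock_time= must not match unlock_time=.
    function opts(line,   d, u) {
        d = "deny=(default)"; u = "unlock_time=(default)"
        if (match(line, /(^|[[:space:]])deny=[0-9]+/)) {
            d = substr(line, RSTART, RLENGTH); sub(/^[[:space:]]/, "", d)
        }
        if (match(line, /(^|[[:space:]])unlock_time=[0-9]+/)) {
            u = substr(line, RSTART, RLENGTH); sub(/^[[:space:]]/, "", u)
        }
        return d " " u
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    $1 == "auth" && /pam_faillock\.so/ && /preauth/  { pre = NR;  preo  = opts($0) }
    $1 == "auth" && /pam_faillock\.so/ && /authfail/ { fail = NR; failo = opts($0) }
    $1 == "auth" && /pam_faillock\.so/ && /authsucc/ { succ = NR; succo = opts($0) }
    $1 == "auth" && /pam_unix\.so/ && !unixln        { unixln = NR }
    $1 == "account" && /pam_faillock\.so/ && !acct   { acct = NR }
    $1 == "account" && $2 == "sufficient" && !suff   { suff = NR }
    END {
        n = 0
        if (!pre)  { print "missing: auth ... pam_faillock.so preauth"; n++ }
        if (!fail) { print "missing: auth ... pam_faillock.so authfail"; n++ }
        if (pre && unixln && pre > unixln)   { print "order: preauth (line " pre ") must precede pam_unix.so (line " unixln ")"; n++ }
        if (fail && unixln && fail < unixln) { print "order: authfail (line " fail ") must follow pam_unix.so (line " unixln ")"; n++ }
        if (pre && fail && preo != failo) { print "mismatch: preauth [" preo "] vs authfail [" failo "]"; n++ }
        if (pre && succ && preo != succo) { print "mismatch: authsucc [" succo "] vs preauth [" preo "] (line " succ ")"; n++ }
        if (!acct) { print "missing: account ... pam_faillock.so"; n++ }
        else if (suff && acct > suff) { print "unreachable: account pam_faillock.so (line " acct ") sits after a sufficient line (line " suff ")"; n++ }
        exit n
    }' "$@"
}

# Constructed sample: authsucc without options, account line after the sufficient lines.
sample_broken() {
cat <<'EOF'
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent audit deny=5 unlock_time=300
auth        [success=1 default=bad] pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=300
auth        sufficient    pam_faillock.so authsucc
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
account     required      pam_faillock.so
EOF
}

# Constructed sample: the corrected layout.
sample_fixed() {
cat <<'EOF'
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent audit deny=5 unlock_time=300
auth        [success=1 default=bad] pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=300
auth        sufficient    pam_faillock.so authsucc audit deny=5 unlock_time=300
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
EOF
}

# Lint both samples; on a real host run: faillock_lint /etc/pam.d/password-auth
for s in sample_broken sample_fixed; do
    echo "== $s =="
    rc=0; $s | faillock_lint || rc=$?
    echo "findings: $rc"
done
```

Run it against both /etc/pam.d/system-auth and /etc/pam.d/password-auth after editing; a non-zero exit means at least one of the layout rules above is violated and the finding lines say which.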

Testing the lockout policy

Check the failure records

sudo faillock --user ec2-user
ec2-user:
When                Type  Source                                           Valid

Output with only the header means nothing is recorded yet. Make deny failed password logins (for example five wrong ssh passwords) and run the command again: each failure is listed with its time, type (RHOST for a remote login) and source address, with V in the Valid column for a record that still counts. Once the count reaches deny, even the correct password is rejected until unlock_time has passed, and /var/log/secure shows pam_faillock(sshd:auth): Consecutive login failures for user ec2-user account temporarily locked.

Clear the failure records (unlock)

sudo faillock --user ec2-user --reset
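An added example, not part of the original post: a shell function that reads faillock --user output and decides whether the user is currently over the deny threshold, so the check can be scripted (for example from a monitoring job) instead of read by eye. The faillock output it parses is constructed inline to look like the listing after five failed ssh logins from one address; the function name, the address and the timestamps are my own.

```shell
# Decide from `faillock --user NAME` output (read on stdin) whether the user is
# over the deny threshold given as $1 (default 5, the value used in this post).
# Exit status 0 = locked, 1 = not locked; a one-line summary goes to stdout.
faillock_is_locked() {
    awk -v deny="${1:-5}" '
    NR == 1 && /:$/ { user = substr($1, 1, length($1) - 1); next }   # "ec2-user:"
    $1 == "When" { next }                                               # column header
    NF >= 5 && $NF == "V" { valid++; last = $1 " " $2; src = $4 }      # a record that counts
    END {
        if (valid + 0 >= deny + 0)
            printf "%s: LOCKED (%d valid failures, last from %s at %s)\n", user, valid, src, last
        else
            printf "%s: not locked (%d of %d failures)\n", user, valid + 0, deny
        exit ((valid + 0 >= deny + 0) ? 0 : 1)
    }'
}

# Constructed sample of `faillock --user ec2-user` after five wrong ssh passwords.
sample_faillock_output() {
cat <<'EOF'
ec2-user:
When                Type  Source                                           Valid
2024-05-02 09:10:11 RHOST 203.0.113.7                                          V
2024-05-02 09:10:15 RHOST 203.0.113.7                                          V
2024-05-02 09:10:20 RHOST 203.0.113.7                                          V
2024-05-02 09:10:24 RHOST 203.0.113.7                                          V
2024-05-02 09:10:29 RHOST 203.0.113.7                                          V
EOF
}

# On a live host: sudo faillock --user ec2-user | faillock_is_locked 5
if sample_faillock_output | faillock_is_locked 5; then
    echo "-> to unlock now: sudo faillock --user ec2-user --reset"
fi
```

The deny value is passed in rather than read from the PAM file, so keep it in step with the deny= on the pam_faillock.so lines; the exit status makes the function usable directly in an if or a cron job.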
