From 9eb4412dfa72d5045dc7577006abbb86cb5959e8 Mon Sep 17 00:00:00 2001 From: Tastatur Date: Fri, 29 Dec 2023 17:06:13 +0100 Subject: [PATCH] Added section on login pam --- .../post-install/security.md | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/docs/alpine-desktop-setup/post-install/security.md b/docs/alpine-desktop-setup/post-install/security.md index c9b15d7..ccef656 100644 --- a/docs/alpine-desktop-setup/post-install/security.md +++ b/docs/alpine-desktop-setup/post-install/security.md @@ -6,6 +6,8 @@ Here are a few of the sources used: * [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel). +* [PlagueOS](https://0xacab.org/optout/plagueos/-/wikis/Security-Considerations) + ## Apparmor and LSM Apparmor is a mandatory access control (MAC) mechanism which restricts a programs capabilities. Installation is easy: @@ -143,3 +145,34 @@ And create a config file in `/usr/lib/modules-load.d/jitterentropy.conf` so that ``` jitterentropy_rng ``` + +## PAM + +There are a few changes that can be made to improve login protection. + +Delays can be a deterent against bruteforcing login attempts. Simply add this line to it's corresponding section in `/etc/pam.d/login`: + +``` +auth optional pam_faildelay.so delay=5000000 +``` + +Which will add a 5 second delay between login attempts. + +The system can also enforce strong passwords with PAM with `libpwquality` which has to be installed first: + +``` +# apk add libpwquality +``` + +Then configure `/etc/pam.d/passwd`, you can configure it to your [liking](https://madaidans-insecurities.github.io/guides/linux-hardening.html#pam), but these settings should do: + +``` +password required pam_pwquality.so retry=2 minlen=10 difok=0 dcredit=0 ucredit=1 lcredit=0 ocredit=0 enforce_for_root +password required pam_unix.so use_authtok sha512 shadow nullok rounds=1000000 +``` + +Then change your password so that its also secure: + +``` +$ passwd +```
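Review bot: In the `/etc/pam.d/passwd` example of the new PAM section, `ucredit=1` does not require an uppercase letter. A positive credit value in pam_pwquality counts toward `minlen`, so a 9-character password containing one uppercase letter already satisfies `minlen=10`. If the intent is to require an uppercase character, use `ucredit=-1`; otherwise set it to `0` like the other credit options so that `minlen=10` really means ten characters. On the `pam_unix.so` line, `nullok` tells pam_unix to tolerate blank passwords, which sits oddly in a section about enforcing strong ones. Drop it unless it is needed for an account that starts without a password, and say so in the text if it is. The prose should also state that `delay=5000000` is in microseconds, and that the delay only covers services that use `/etc/pam.d/login`. Typos in the added text: "deterent" should be "deterrent", "it's corresponding section" should be "its corresponding section", and "its also secure" should be "it's also secure".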