Added section on login pam

2023-12-29 17:06:13 +01:00 · 2023-12-29 17:06:13 +01:00 · 9eb4412dfa
commit 9eb4412dfa
parent 041d573784
1 changed files with 33 additions and 0 deletions
--- a/docs/alpine-desktop-setup/post-install/security.md
+++ b/docs/alpine-desktop-setup/post-install/security.md
@ -6,6 +6,8 @@ Here are a few of the sources used:

 * [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel).

+* [PlagueOS](https://0xacab.org/optout/plagueos/-/wikis/Security-Considerations)
+
 ## Apparmor and LSM

 Apparmor is a mandatory access control (MAC) mechanism which restricts a programs capabilities. Installation is easy:
@ -143,3 +145,34 @@ And create a config file in `/usr/lib/modules-load.d/jitterentropy.conf` so that
 ```
 jitterentropy_rng
 ```
+
+## PAM
+
+There are a few changes that can be made to improve login protection.
+
+Delays can be a deterent against bruteforcing login attempts. Simply add this line to it's corresponding section in `/etc/pam.d/login`:
+
+```
+auth optional pam_faildelay.so delay=5000000
+```
+
+Which will add a 5 second delay between login attempts.
+
+The system can also enforce strong passwords with PAM with `libpwquality` which has to be installed first:
+
+```
+# apk add libpwquality
+```
+
+Then configure `/etc/pam.d/passwd`, you can configure it to your [liking](https://madaidans-insecurities.github.io/guides/linux-hardening.html#pam), but these settings should do:
+
+```
+password required pam_pwquality.so retry=2 minlen=10 difok=0 dcredit=0 ucredit=1 lcredit=0 ocredit=0 enforce_for_root
+password required pam_unix.so use_authtok sha512 shadow nullok rounds=1000000
+``` 
+
+Then change your password so that its also secure:
+
+```
+$ passwd
+```