Hardening system accounts
The chage command can be used to configure the support account:
Option | Description |
---|---|
-l | Displays password aging information for a user. |
-E DATE | Sets the account expiration date (format: YYYY-MM-DD or days since epoch). |
-I DAYS | Sets the number of inactive days after password expiration before the account is locked. |
-m DAYS | Sets the minimum number of days between password changes. |
-M DAYS | Sets the maximum number of days a password is valid before requiring a change. |
-W DAYS | Sets the number of days before expiration to warn the user. |
Example:
sudo chage -M 100 support
Hardening ssh and cockpit accounts
To enable account lockout after multiple failed login attempts, which improves security by preventing brute-force attacks:
sudo authselect select minimal --force
sudo authselect enable-feature with-faillock
sudo authselect apply-changes
To rollback this configuration:
sudo authselect disable-feature with-faillock
sudo authselect apply-changes
Update default security configuration
The /etc/security/faillock.conf file can be updated to set your security level:
sudo vi /etc/security/faillock.conf
Parameter | Description |
---|---|
deny=N | Number of failed login attempts before the account is locked. Default is 3. |
fail_interval=N | Time period (in seconds) in which failed attempts are counted. If exceeded, the counter resets. Default is 900. |
unlock_time=N | Time (in seconds) an account remains locked before it is automatically unlocked. Do not set it to 0. Default is 600. |
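
The following check is an added example, not part of the original documentation: it reads a faillock.conf file, prints the effective deny, fail_interval and unlock_time using the defaults from the table above, and flags unlock_time=0. The function names faillock_get and faillock_check and the sample file are assumptions made for this illustration, as is the rule that the last occurrence of a repeated option takes effect.

```shell
#!/bin/sh
# Added example: report the effective lockout settings in a faillock.conf file.
# Assumption: if an option is repeated, the last uncommented line takes effect.

# faillock_get FILE KEY DEFAULT: print KEY's value from FILE, or DEFAULT if unset.
faillock_get() {
    val=$(sed -n -e 's/#.*$//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\)[[:space:]]*\$/\1/p" \
        "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# faillock_check FILE: print the effective values; return 1 if unlock_time needs review.
faillock_check() {
    conf=${1:-/etc/security/faillock.conf}
    deny=$(faillock_get "$conf" deny 3)                  # defaults from the table above
    interval=$(faillock_get "$conf" fail_interval 900)
    unlock=$(faillock_get "$conf" unlock_time 600)
    echo "deny=$deny fail_interval=$interval unlock_time=$unlock"
    case $unlock in
        0)        echo "WARNING: unlock_time is 0; set a positive number of seconds"; return 1 ;;
        *[!0-9]*) echo "WARNING: unlock_time is not a number; review it manually"; return 1 ;;
    esac
    return 0
}

# Constructed sample file for the demonstration (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# deny = 3
deny = 5
fail_interval=600
unlock_time = 0   # flagged by the check
EOF
faillock_check "$sample" || echo "review the settings above"
rm -f "$sample"
```

Call faillock_check with no argument to inspect /etc/security/faillock.conf on the running system.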