[Linux/Account Management] Account Lockout Threshold Setting (U-03)

Vulnerability overview

■ Risk level
   - High

■ Security threat
   - When an intruder mounts a password brute force attack or a password guessing attack, limiting the number of failed password entries appropriately blocks automated attacks and slows the attacker down, reducing the risk of password compromise.

Check and remediation method

■ Criteria
    - Good : the account lockout threshold is set to a value of 5 or less
    - Vulnerable : the account lockout threshold is not set, or is not set to a value of 5 or less

■ Remediation
   - Set the account lockout threshold to 5 or less

    1. Open the "/etc/pam.d/system-auth" file with the vi editor, then
    2. Edit or add the following lines:
        auth required /lib/security/pam_tally.so deny=5 unlock_time=120 no_magic_root
        account required /lib/security/pam_tally.so no_magic_root reset

Option description

no_magic_root    Do not apply the password lockout setting to root
deny=5           Lock the password after 5 failed entries
unlock_time      Automatically unlock the account once the configured time has passed since the last failed attempt (unit: seconds)
reset            Reset the failure count on a successful login

■ Script

#!/bin/bash

cat << EOF

===================[U-03] Account lockout threshold    ==============

1. Check the /etc/pam.d/system-auth file
2. Check whether /etc/pam.d/system-auth contains the line
   auth required /lib/security/pam_tally.so

auth required /lib/security/pam_tally.so deny=5 unlock_time=120 no_magic_root
account required /lib/security/pam_tally.so no_magic_root reset

no_magic_root   : do not apply the password lockout setting to the root user
deny=5          : lock the password after 5 failed entries
unlock_time     : automatically unlock the account once the configured time has passed since the last failed attempt (unit: seconds)
reset           : reset the failure count on a successful login

    If /etc/pam.d/system-auth contains pam_tally.so -> "normal"
    If /etc/pam.d/system-auth does not contain pam_tally.so -> "abnormal"

=================================================================

EOF

# print.sh supplies the print_good / print_error helpers used below.
. /root/check/print.sh
# Capture the matching line for the report; the check itself is done with -q.
LINE=$(grep pam_tally.so /etc/pam.d/system-auth 2>/dev/null)
if grep -q pam_tally.so /etc/pam.d/system-auth 2>/dev/null ; then
        print_good "[  OK  ] : $LINE"
else
        # $LINE is empty in this branch, so report what was searched for instead.
        print_error "[ WARN ] pam_tally.so not found in /etc/pam.d/system-auth"
fi
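The script above only confirms that pam_tally.so appears in the file; the criterion also requires deny to be 5 or less, and a commented-out line enforces nothing. The following is an added example, not part of the original post, that evaluates that criterion for a given file path; the sample files it writes are constructed for the demonstration. It matches the pam_tally.so module used on this page, so a distribution that ships pam_tally2 or pam_faillock instead would need the module name adjusted.

```shell
#!/bin/sh
# Added example, not part of the original post: judge U-03 by the stated
# criterion (an active "auth" line loading pam_tally.so with deny=N, N <= 5)
# instead of only grepping for the module name, as the page's script does.
# Prints the deny value found ("none" if absent); exit 0 = good, 1 = vulnerable.
check_lockout_threshold() {
    file="$1"
    [ -r "$file" ] || { echo "none"; return 1; }
    # Only non-comment "auth" lines count; a commented-out line enforces nothing.
    deny=$(grep -E '^[[:space:]]*auth[[:space:]]' "$file" \
        | grep -F 'pam_tally.so' \
        | sed -n 's/.*deny=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    [ -n "$deny" ] || { echo "none"; return 1; }
    echo "$deny"
    [ "$deny" -le 5 ]
}

# Constructed sample files (not real system files) for the three cases:
# compliant, threshold too high, and module present only in a comment.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'auth required /lib/security/pam_tally.so deny=5 unlock_time=120 no_magic_root' \
        'account required /lib/security/pam_tally.so no_magic_root reset' > "$dir/good"
    printf '%s\n' \
        'auth required /lib/security/pam_tally.so deny=10 unlock_time=120 no_magic_root' > "$dir/weak"
    printf '%s\n' \
        '#auth required /lib/security/pam_tally.so deny=5 unlock_time=120 no_magic_root' \
        'auth required /lib/security/pam_unix.so' > "$dir/commented"
    echo "$dir"
}

# Stand-alone run: "sh script.sh --demo" reports each sample like the page's script.
if [ "${1:-}" = "--demo" ]; then
    dir=$(make_samples)
    for f in good weak commented; do
        if v=$(check_lockout_threshold "$dir/$f"); then
            echo "[  OK  ] $f: deny=$v"
        else
            echo "[ WARN ] $f: deny=$v (no active pam_tally.so line, or deny > 5)"
        fi
    done
    rm -rf "$dir"
fi
```

To audit a real host, call check_lockout_threshold /etc/pam.d/system-auth and act on its exit status.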

Terminology / tips

Brute force attack: an attempt to break a password by having a computer try every possible key one by one.
