General System Security
Running a password cracker against your system on a weekly basis is a good idea. This helps to find and replace passwords that are weak or easily guessed. A password checking mechanism should also be in place to reject a weak password when a user first chooses a password or changes an old one. Character strings that are plain dictionary words, or are all in the same case, or do not contain numbers or special characters should not be accepted as a new password.
We recommend the following rules to make passwords effective:
• They should be at least six characters in length, preferably eight characters including at least one numeral or special character.
• They must not be trivial; a trivial password is one that is easy to guess and is usually based on the user’s name, family, occupation or some other personal characteristic.
• They should have an aging period, requiring a new password to be chosen within a specific time frame.
• They should be revoked and reset after a limited number of consecutive incorrect retries.
The password length
The default minimum acceptable password length when you install your Linux system is 5. This means that when a new user is granted access to the server, his/her password need only be 5 characters long (any mix of letters, numbers, special characters, etc.). This is not enough; it must be 8. To prevent non-security-minded people or administrators from being able to enter just 5 characters for a valuable password, edit the rather important “/etc/login.defs” file and change the value from 5 to 8.
Edit the login.defs file (vi /etc/login.defs) and change the line that reads:
PASS_MIN_LEN 5
To read:
PASS_MIN_LEN 8
The “login.defs” file is the configuration file for the login program. You should review it and adapt it to your particular system. This is where you set other security policy settings (such as password expiration defaults or the minimum acceptable password length).
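As an added example (not from the original text), the following shell script applies the password rules listed above to a candidate password and reads the effective PASS_MIN_LEN from a login.defs-style file. The word list is a small constructed stand-in for a real dictionary, and the dictionary check goes slightly beyond the text by also catching a dictionary word padded with digits or symbols.

```shell
#!/bin/sh
# Added example: rejects weak passwords per the rules above and reads
# PASS_MIN_LEN from a login.defs-style file. The word list is a small
# constructed stand-in for a real dictionary.
WORDLIST='password
letmein
welcome
sunshine'

# pw_has_class PASSWORD ERE: true if PASSWORD contains a match for ERE.
pw_has_class() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# check_password PASSWORD: returns 0 if acceptable, otherwise prints the
# rule that failed and returns 1. Checked in order: length, numeral or
# special character, mixed case, dictionary word (also when padded with
# digits or symbols, e.g. "Sunshine99").
check_password() {
    pw="$1"
    if [ "${#pw}" -lt 8 ]; then
        echo "reject: shorter than 8 characters"; return 1
    fi
    if ! pw_has_class "$pw" '[0-9]|[^A-Za-z0-9]'; then
        echo "reject: no numeral or special character"; return 1
    fi
    if ! pw_has_class "$pw" '[a-z]' || ! pw_has_class "$pw" '[A-Z]'; then
        echo "reject: not mixed case"; return 1
    fi
    # Keep only the letters, lower-cased, and look them up as a whole word.
    stem=$(printf '%s' "$pw" | tr -cd 'A-Za-z' | tr 'A-Z' 'a-z')
    if [ -n "$stem" ] && printf '%s\n' "$WORDLIST" | grep -qxF -- "$stem"; then
        echo "reject: based on a dictionary word"; return 1
    fi
    return 0
}

# login_defs_min_len < FILE: prints the effective PASS_MIN_LEN (last
# uncommented setting wins) or 0 if the file does not set it.
login_defs_min_len() {
    awk '$1 == "PASS_MIN_LEN" { v = $2 } END { print v + 0 }'
}

# Demo on constructed input; on a live system: login_defs_min_len < /etc/login.defs
for candidate in 'longpassword' 'SUNSHINE99' 'Sunshine99' 'Tr0ub4dor&3'; do
    check_password "$candidate" && echo "accept: $candidate"
done
printf 'PASS_MAX_DAYS 99999\n# PASS_MIN_LEN 8\nPASS_MIN_LEN 5\n' | login_defs_min_len
```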
The root account
The “root” account is the most privileged account on a Unix system. The “root” account has no security restrictions imposed upon it. This means the system assumes you know what you are doing, and will do exactly what you request - no questions asked. Therefore it is easy, with a mistyped command, to wipe out crucial system files. When using this account it is important to be as careful as possible. For security reasons, never log in on your server as “root” unless the task absolutely requires root access. Also, if you are away from your server, never sign in and leave yourself logged on as “root” - this is VERY, VERY, VERY BAD.
Set login time out for the root account
Despite the warning never to sign in as “root” and leave the terminal unattended, administrators still stay logged on as “root” or forget to log out after finishing their work and leave their terminals unattended. The solution to this problem is to make the bash shell log out automatically after it has not been used for a period of time. To do that, set the special bash variable “TMOUT” to the number of seconds of no input before the automatic logout.
Edit your profile file (vi /etc/profile) and add the following line, which sets the timeout to 7200 seconds (two hours), somewhere after the line that reads “HISTFILESIZE=” in this file:
TMOUT=7200