Debian based Linux Account Policies

Default minimum password age

sudo nano /etc/login.defs

Add the following or change the existing:

PASS_MIN_DAYS = 2

Minimum password length

sudo nano etc/pam.d/common-password

Add the following or change the existing:

password    ⇥    requisite    ⇥    pam_pwquality.so retry=3 minlen=10

Account lockout policy

Lets add 2 new policies to PAM

Add faillock

sudo touch /usr/share/pam-configs/faillock
sudo nano /usr/share/pam-configs/faillock

Add the following to /usr/share/pam-configs/faillock:

Name: Enforce failed login attempt counter
Default: no
Priority: 0
Auth-Type: Primary
Auth:
  [default=die] pam_faillock.so authfail
  sufficient pam_faillock.so authsucc

Add faillock_notify

sudo touch /usr/share/pam-configs/faillock_notify
sudo nano /usr/share/pam-configs/faillock_notify

Add the following to /usr/share/pam-configs/faillock_notify:

Name: Notify on failed login attempts
Default: no
Priority: 1024
Auth-Type: Primary
Auth:
  requisite pam_faillock.so preauth

Turn on new policies

sudo pam-auth-update

Select the following in the list:

[X] Notify on failed login attempts
[X] Enforce failed login attempt counter

Do not allow null passwords

sudo nano /etc/pam.d/common-auth

Remove nullok

auth [success=2 default=ignore] pam_unix.so nullok
auth [success=2 default=ignore] pam_unix.so

Secure `/etc/shadow`

First lets list out all files, folders, pipes, etc:

ls -alF /etc/shadow

Example output:

-rw-r----- 1 root shadow 866 May 24  2022 /etc/shadow

Now secure it:

sudo chmod 640 /etc/shadow

ipv4 policies

sudo nano /etc/sysctl.conf

Add the following to /etc/sysctl.conf

net.ipv4.tcp_syncookies=1
net.ipv4.ip_forward=0

And then reload settings:

sudo sysctl --system

Disable services

Disable nginx web server

sudo systemctl disable --now nginx

Disable vsftpd aka Very Secure File Transfer Protocol Daemon

sudo systemctl disable --now vsftpd