You want your Fedora Linux machine to be hard to break into, because attackers keep trying to guess passwords and get into systems. Fedora 44 uses a tool called authselect to control how logins are handled, and in this guide I show how to change those settings so that your login path is much harder to get through. Many teenagers like me just install Fedora and leave the defaults, but the defaults are not tuned for a machine you really want to be secure. Whether you run a server or just a laptop, the steps below are worth doing, because the login path is where a password-guessing attack lands. I learned this because a friend tried to break into my laptop at school and succeeded, because my setup was too weak. Now I am writing this guide so you can make your Fedora login system much stronger.
The first step is to change how the system handles logins. Fedora uses PAM (Pluggable Authentication Modules), the framework that checks your password whenever you log in. Fedora ships a tool called authselect to manage the PAM configuration so you do not have to edit the files in /etc/pam.d by hand. A fresh Fedora 44 install uses the local profile, which is quite basic. We will switch to the sssd profile. Why sssd? It is the profile to use when the machine may also authenticate users from a network directory through SSSD, and it offers the optional features (lockout, home-directory creation, and more) that this guide turns on.
First open a terminal. Then type this command exactly as written. It switches the profile and enables the faillock and mkhomedir features:
sudo authselect select sssd with-faillock with-mkhomedir --force
Let me explain what this command does. The select sssd part tells authselect to use the sssd profile. with-faillock matters most: it locks an account after too many wrong passwords. with-mkhomedir is useful when you have LDAP or Active Directory users, because it creates their home directory the first time they log in; it relies on the oddjobd service, so enable and start that service as well (authselect prints a reminder about this when the feature is selected). --force makes authselect overwrite the PAM and nsswitch files even if they were edited by hand, so save a copy of any manual changes first, because they will be replaced.
After running it, check that it worked. Type this command:
sudo authselect current
This shows which profile is active now. You should see sssd with the features we chose listed under it. Then check that the PAM files generated by authselect are consistent. Type this command:
sudo authselect check
If everything is fine, it prints Current configuration is valid. This check matters because if you edited PAM files by hand before, or edit them by hand later, authselect no longer owns the configuration, and this check is what tells you so.
Now let me show you the other options you can use with authselect. To see all the features the sssd profile supports, type this in your terminal:
sudo authselect list-features sssd
This prints a list of features you can turn on. For example, if your laptop has a fingerprint reader, the with-fingerprint feature lets you log in with your finger through fprintd; add it to the select command to enable it. Another useful feature is with-pamaccess, which makes PAM consult /etc/security/access.conf to decide who may log in from where; you can say, for instance, that user bob may only log in locally and not over the network. There is also without-nullok, and this one is important for security: nullok lets pam_unix accept an account whose password field is empty, and without-nullok removes it, so an account with no password cannot log in at all. The CIS benchmark, a widely used hardening checklist, requires this. Look for it in the list-features output: if it appears, the profile's default stack still carries nullok and you should add the feature to your select command.
Next we configure the lockout policy: if someone tries to guess your password, the account is locked so they cannot keep trying. The configuration file is /etc/security/faillock.conf. The file Fedora ships has every setting commented out, so pam_faillock runs on its built-in defaults (deny = 3, fail_interval = 900, unlock_time = 600), and nothing in the file tells you that. We will write the policy out explicitly so it is documented and does not depend on defaults. The values below, 5 failures within a 15-minute window and a 15-minute lock, match the CIS recommendation of at most 5 attempts and an unlock time of at least 900 seconds.
To write this configuration, use the following command. It replaces the file with these settings:
sudo tee /etc/security/faillock.conf > /dev/null <<'EOF'
deny = 5
unlock_time = 900
fail_interval = 900
silent
audit
EOF
Let me explain what these lines mean, because it matters that you understand them. deny = 5 means five wrong passwords lock the account. unlock_time = 900 means the lock lasts 900 seconds (15 minutes) after the last failure. fail_interval = 900 means the five failures must happen within 15 minutes; one wrong password today and one tomorrow do not add up. silent tells pam_faillock not to print its informative messages, such as the one saying the account is locked because of failed logins; without it an attacker learns exactly when the lock has engaged and when to come back, and since only real accounts are tallied, the message also confirms the username exists. audit is easy to misread: it does not control where lock events are written (pam_faillock reports those to the audit system on its own when auditd is running). What audit does is log the username to the system log even when that user does not exist. That helps you spot guessing attacks against made-up names, but be aware that a password typed into the username field by mistake will then land in the log too. Note also that root is exempt from the lock unless you add even_deny_root (and root_unlock_time to bound it); whether to do that depends on whether you fear guessing of the root password more than an attacker deliberately locking you out of root.
You can test this easily. Create a throwaway test user rather than using your own account, open another terminal window, and try to authenticate as that user with su (or over ssh) with a wrong password a few times. Then, in your main terminal, run this to see the tally:
sudo faillock
It lists each user with a failure record, how many times they failed, and when and from where each attempt came; the Valid column shows whether a record still counts within fail_interval. If you lock yourself or a friend out by accident, reset the lock with:
sudo faillock --user username --reset
Replace username with the real user name. The same command without --reset shows just that one user's records.
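To see how deny, fail_interval and unlock_time combine, here is an added example (my own code written for this guide, not pam_faillock or anything shipped by Fedora): a small bash model of pam_faillock's lock decision, reading the same keys from a faillock.conf-style file and falling back to the module's documented defaults when a key is absent. The faillock_* function names and the sample policy files it builds in a temporary directory are constructed for the demonstration; it models only the three timing keys, not the silent or audit options.

```bash
#!/usr/bin/env bash
# Added example (not part of the original guide): a bash model of how
# pam_faillock turns the keys in /etc/security/faillock.conf into a lock
# decision. Simplified re-implementation for illustration, not pam_faillock's
# code; it only honours deny, fail_interval and unlock_time.

# faillock_get FILE KEY: print KEY's value from a faillock.conf-style file
# (comments and surrounding whitespace ignored, last occurrence wins).
# Prints nothing when the key is not set.
faillock_get() {
    local file=$1 key=$2
    sed -n -e 's/#.*//' \
        -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        "$file" | tail -n 1
}

# faillock_value FILE KEY DEFAULT: like faillock_get, but fall back to
# pam_faillock's compiled-in default when the key is absent.
faillock_value() {
    local v
    v=$(faillock_get "$1" "$2")
    printf '%s\n' "${v:-$3}"
}

# faillock_locked FILE NOW TS...: succeed (exit 0) if, under the policy in
# FILE, an account whose failed logins happened at epoch seconds TS... is
# locked at time NOW. As in pam_faillock, only failures newer than
# NOW - fail_interval count, and the lock holds while the newest counted
# failure is less than unlock_time old (unlock_time = 0 means forever).
faillock_locked() {
    local file=$1 now=$2
    shift 2
    local deny fail_interval unlock_time ts count=0 latest=0
    deny=$(faillock_value "$file" deny 3)
    fail_interval=$(faillock_value "$file" fail_interval 900)
    unlock_time=$(faillock_value "$file" unlock_time 600)
    for ts in "$@"; do
        if (( ts + fail_interval >= now )); then
            count=$((count + 1))
            if (( ts > latest )); then latest=$ts; fi
        fi
    done
    if (( count < deny )); then return 1; fi
    (( unlock_time == 0 || latest + unlock_time > now ))
}

# Demonstration on constructed policy files in a temporary directory.
faillock_demo() {
    local d
    d=$(mktemp -d)
    cat > "$d/hardened.conf" <<'EOF'
# same values as the guide
deny = 5
unlock_time = 900
fail_interval = 900
silent
audit
EOF
    : > "$d/defaults.conf"   # empty: pam_faillock's defaults (3 / 900 / 600) apply

    # Five failures within two minutes, checked one minute after the last one.
    if faillock_locked "$d/hardened.conf" 9600 9500 9510 9520 9530 9540; then
        echo "hardened: burst of 5 -> locked"
    fi
    # The same five failures a day apart never fall inside one fail_interval.
    if ! faillock_locked "$d/hardened.conf" 400000 0 86400 172800 259200 345600; then
        echo "hardened: 5 failures spread over days -> not locked"
    fi
    # With no keys set, three failures lock, and unlock_time (600) expires
    # before fail_interval (900) does.
    if faillock_locked "$d/defaults.conf" 400 100 200 300 \
       && ! faillock_locked "$d/defaults.conf" 950 100 200 300; then
        echo "defaults: locked at t=400, unlocked again at t=950"
    fi
    rm -rf "$d"
}

faillock_demo
```

Run it and the three messages show a burst of five failures locking, the same five failures spread over days never adding up, and, with the shipped defaults, a lock that expires after 600 seconds even though the failures still sit inside the 900-second window.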
Now we must make sure people choose strong passwords. If a user picks password123, five tries are plenty for an attacker. Fedora uses pam_pwquality to check new passwords. The sssd profile already puts it in the password stack, so no authselect change is needed; we only have to give it a good configuration.
First, create a drop-in directory for our settings so we do not have to edit the default file. pwquality reads /etc/security/pwquality.conf and then every *.conf file in this directory, with later files overriding earlier ones. Type this command:
sudo mkdir -p /etc/security/pwquality.conf.d
Now write our settings into a new file in that directory. We will call it cfg-hardening.conf. Type this command:
sudo tee /etc/security/pwquality.conf.d/cfg-hardening.conf > /dev/null <<'EOF'
minlen = 14
minclass = 4
maxrepeat = 3
maxclassrepeat = 4
ucredit = -1
lcredit = -1
dcredit = -1
ocredit = -1
difok = 8
enforcing = 1
enforce_for_root
EOF
Let me explain these options; they look cryptic but each one is simple. minlen = 14 requires at least 14 characters; length is what makes offline cracking expensive. minclass = 4 requires all four character classes: uppercase letters, lowercase letters, digits, and other characters such as @ or #. maxrepeat = 3 forbids the same character more than 3 times in a row, so aaaa is rejected. maxclassrepeat = 4 forbids more than 4 consecutive characters of the same class, so a password that is only letters, or one with a long run of digits, is rejected.
ucredit = -1, lcredit = -1, dcredit = -1 and ocredit = -1 require at least one uppercase, one lowercase, one digit and one other character: a negative value means a minimum count rather than a length bonus. With all four set to -1, the minclass = 4 line says the same thing again, which is fine; it keeps the intent obvious. difok = 8 means a new password must contain at least 8 characters that do not occur in the old one, which stops people from changing only the number at the end. enforcing = 1 makes the checks actually reject a bad password; with 0 the user just sees a warning and the weak password is accepted, which is useless.
enforce_for_root matters more than it looks. Without it, a failed check only produces a warning whenever the user running passwd is root, so root can pick a weak password for itself and can also set weak passwords for other users. Root has to play by the same rules, because if root is compromised everything is gone. The file takes effect as soon as you save it; PAM reads it on the next password change and no service needs restarting. Remember, though, that it does not force users who already have weak passwords to change them; it only applies when a password is set or changed, or when one expires.
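To see which rule rejects a given password under this configuration, here is an added example (written for this guide, not libpwquality's own code): a bash re-implementation of the checks configured above, with the same values, applied to some constructed candidate passwords. The function names (pw_check, pw_class) and the candidates are made up for the demonstration; real pwquality also runs dictionary, palindrome, username and similarity checks that are not modelled here, so a password this script accepts can still be rejected by passwd.

```bash
#!/usr/bin/env bash
# Added example (not part of the original guide, and not libpwquality): a bash
# re-implementation of the rules set in cfg-hardening.conf, so you can see
# which rule rejects a candidate password without running passwd. Real
# pwquality additionally runs dictionary, palindrome, username and similarity
# checks that are not modelled here.

PW_MINLEN=14 PW_MINCLASS=4 PW_MAXREPEAT=3 PW_MAXCLASSREPEAT=4 PW_DIFOK=8
# ucredit/lcredit/dcredit/ocredit = -1: each class must appear at least once.
declare -A PW_CLASS_NAME=([u]=uppercase [l]=lowercase [d]=digit [o]=other)

# pw_class CHAR: print the pwquality character class of one character.
pw_class() {
    case $1 in
        [[:upper:]]) echo u ;;
        [[:lower:]]) echo l ;;
        [[:digit:]]) echo d ;;
        *)           echo o ;;
    esac
}

# pw_check NEW [OLD]: print the first rule NEW violates and fail, or print
# "ok". OLD, when given, is the previous password used for the difok check.
pw_check() {
    local new=$1 old=${2-}
    local i c cls prev_c='' prev_cls='' run=0 crun=0 diff=0
    local -A seen=()
    if (( ${#new} < PW_MINLEN )); then
        echo "minlen: ${#new} < $PW_MINLEN"; return 1
    fi
    for (( i = 0; i < ${#new}; i++ )); do
        c=${new:i:1}
        cls=$(pw_class "$c")
        seen[$cls]=1
        if [[ $c == "$prev_c" ]]; then run=$((run + 1)); else run=1; fi
        if [[ $cls == "$prev_cls" ]]; then crun=$((crun + 1)); else crun=1; fi
        if (( run > PW_MAXREPEAT )); then
            echo "maxrepeat: '$c' repeated $run times"; return 1
        fi
        if (( crun > PW_MAXCLASSREPEAT )); then
            echo "maxclassrepeat: $crun consecutive ${PW_CLASS_NAME[$cls]} characters"; return 1
        fi
        prev_c=$c prev_cls=$cls
    done
    for cls in u l d o; do
        if [[ -z ${seen[$cls]-} ]]; then
            echo "${cls}credit: no ${PW_CLASS_NAME[$cls]} character"; return 1
        fi
    done
    if (( ${#seen[@]} < PW_MINCLASS )); then   # cannot trigger once all four credits passed
        echo "minclass: ${#seen[@]} < $PW_MINCLASS"; return 1
    fi
    if [[ -n $old ]]; then
        # difok: characters of the new password that do not occur in the old one.
        for (( i = 0; i < ${#new}; i++ )); do
            c=${new:i:1}
            [[ $old == *"$c"* ]] || diff=$((diff + 1))
        done
        if (( diff < PW_DIFOK )); then
            echo "difok: $diff new characters < $PW_DIFOK"; return 1
        fi
    fi
    echo ok
}

# Constructed candidates (do not reuse them as real passwords).
for pw in 'Tr0ub4dor&3' 'correcthorsebatterystaple' 'Mx7!aaaaQp2#Lz9' \
          'Mx7Qp2Lz9Kw4Jh5n' 'Mx7!Qp2#Lz9@Kw4'; do
    printf '%-28s %s\n' "$pw" "$(pw_check "$pw" || true)"
done
printf '%-28s %s\n' 'old == new' "$(pw_check 'Mx7!Qp2#Lz9@Kw4' 'Mx7!Qp2#Lz9@Kw4' || true)"
```

The order of the checks mirrors the order in which a user would notice them: length first, then the repeat limits while scanning the string, then the per-class minimums, and finally difok, which only applies when an old password is known, as during a normal password change.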
Your Fedora 44 system is now considerably harder to break into than it was. We switched the authselect profile to sssd with faillock and mkhomedir, set a strict lockout policy so an attacker cannot guess passwords indefinitely, and required everyone to choose long, complex passwords. There is more you can do, but this is a solid first step toward securing the machine.
