Linux server protection. What to do first

Habib M'henni / Wikimedia Commons, CC BY-SA

Today, bringing up a server at a hosting provider takes a few minutes and a few mouse clicks. But immediately after launch it finds itself in a hostile environment, because it is open to the entire Internet like an innocent girl at a rocker disco. Scanners will find it quickly, and it will be discovered by thousands of automated bots that comb the network looking for vulnerabilities and misconfigurations. There are a few things you should do right after launch to ensure basic protection.


Non-root user

The first step is to create a non-root user for yourself. The point is that the root user has absolute privileges in the system, and if you allow it to administer the server remotely, you have done half of the attacker's work for them by leaving them a valid username.

So you should create a different user and disable remote administration over SSH for root.

A new user is created with the useradd command:

useradd [options] <username>

Then a password is set for it with the passwd command:

passwd <username>

Finally, this user must be added to a group that has the right to run privileged commands via sudo. Depending on the Linux distribution, this is a different group. For example, in CentOS and Red Hat the user is added to the wheel group:

usermod -aG wheel <username>

In Ubuntu it is added to the sudo group:

usermod -aG sudo <username>
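The steps above combined into one re-runnable script, as an added example that is not part of the original article. It picks the sudo group from the ID= field of /etc/os-release so that the same script works on Ubuntu/Debian and on the CentOS/Red Hat family, rejects user names that useradd would not accept, and skips steps that were already done. The list of distribution IDs is my assumption; anything unknown falls back to wheel.

```shell
#!/bin/sh
# Added example: create a non-root administrator on Ubuntu/Debian or on
# CentOS/Red Hat-family systems. Not part of the original article.
set -eu

# Map a distribution ID (the ID= field of /etc/os-release) to the group that
# may run sudo on that family. The IDs listed are an assumption; unknown IDs
# fall back to "wheel", the traditional name on RHEL-derived systems.
admin_group_for() {
    case "$1" in
        ubuntu|debian|linuxmint|raspbian)   echo sudo ;;
        centos|rhel|fedora|rocky|almalinux) echo wheel ;;
        *)                                  echo wheel ;;
    esac
}

# Read ID= from an os-release file (default /etc/os-release) and strip the
# optional quotes, e.g. ID="centos" -> centos.
detect_distro_id() {
    file="${1:-/etc/os-release}"
    sed -n 's/^ID=//p' "$file" | tr -d '"'
}

# Accept only names that are valid POSIX user names, so a typo or a pasted
# string with shell metacharacters never reaches useradd.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Create the user, set a password, and add it to the sudo/wheel group.
# Steps that were already done are skipped. Must run as root.
create_admin_user() {
    name="$1"
    valid_username "$name" || { echo "invalid user name: $name" >&2; return 1; }
    group="$(admin_group_for "$(detect_distro_id)")"
    if ! id "$name" >/dev/null 2>&1; then
        useradd -m -s /bin/bash "$name"   # -m creates the home directory
        passwd "$name"                    # prompts for the password interactively
    fi
    usermod -aG "$group" "$name"          # -a appends; existing groups are kept
    echo "user $name is in group $group; verify with: su - $name -c 'sudo -v'"
}

# Only act when invoked explicitly, e.g.:  sudo sh ./admin-user.sh run alice
if [ "${1:-}" = run ]; then
    create_admin_user "$2"
fi
```

Run it once, then open a second terminal and confirm that `sudo -v` works for the new user before going on to lock root out of SSH in the next section.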

SSH keys instead of passwords

Brute force or a leaked password is the standard attack vector, so it is best to disable password authentication in SSH (Secure Shell) and use key authentication instead.

There are various programs implementing the SSH protocol, such as lsh and Dropbear, but the most popular is OpenSSH. Install the OpenSSH client on Ubuntu:

sudo apt install openssh-client

Server installation:

sudo apt install openssh-server

Start the SSH daemon (sshd) on the Ubuntu server:

sudo systemctl start sshd

Start the daemon on every boot:

sudo systemctl enable sshd

Note that the server part of OpenSSH includes the client. That is, with openssh-server installed you can connect to other servers. Moreover, from your client machine you can open an SSH tunnel from a remote server to a third host, and the third host will then regard the remote server as the source of the requests. A very convenient feature for masking your own system. See the article "Practical tips, examples, and SSH tunnels" for details.

On the client machine it usually makes no sense to install the full server, so as to rule out remote connections to the computer (for security).

So, for your new user, you first need to generate SSH keys on the computer from which you will access the server:

ssh-keygen -t rsa

The public key is stored in the .pub file and looks like a string of random characters beginning with ssh-rsa.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ3GIJzTX7J6zsCrywcjAM/7Kq3O9ZIvDw2OFOSXAFVqilSFNkHlefm1iMtPeqsIBp2t9cbGUf55xNDULz/bD/4BCV43yZ5lh0cUYuXALg9NI29ui7PEGReXjSpNwUD6ceN/78YOK41KAcecq+SS0bJ4b4amKZIJG3JWm49NWvoo0hdM71sblF956IXY3cRLcTjPlQ84mChKL1X7+D645c7O4Z1N3KtL7l5nVKSG81ejkeZsGFzJFNqvr5DuHdDL5FAudW23me3BDmrM9ifUmt1a00mWci/1qUlaVFft085yvVq7KZbF2OP2NQACUkwfwh+iSTP username@hostname

Then, as root, create an SSH directory in the user's home directory on the server and add the SSH public key to the authorized_keys file, using a text editor such as Vim:

mkdir -p /home/username/.ssh && touch /home/username/.ssh/authorized_keys

vim /home/username/.ssh/authorized_keys

Finally, set the correct permissions on the files:

chmod 700 /home/username/.ssh && chmod 600 /home/username/.ssh/authorized_keys

and change the owner to this user:

chown -R username:username /home/username/.ssh
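The server-side key installation above as one function, added here as an example and not taken from the article. It checks that what you paste actually looks like an OpenSSH public key (a wrong line in authorized_keys is silently ignored by sshd, and you only find out when the login fails), appends the key only if it is not already present, and applies the 700/600 permissions and the chown in one go. The key in the checks is a constructed string of the right shape, not a real key.

```shell
#!/bin/sh
# Added example: install a public key for a user on the server with the
# permissions sshd requires. Not part of the original article.
set -eu

# Accept only lines that look like an OpenSSH public key: a known key type,
# a base64 blob, and an optional trailing comment.
valid_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_authorized_key HOME_DIR OWNER "PUBKEY"
# Creates HOME_DIR/.ssh (700) and authorized_keys (600), appends the key once,
# and hands ownership to OWNER. The chown only runs as root, so the function
# can also be exercised on a scratch directory by an ordinary user.
install_authorized_key() {
    home="$1"; owner="$2"; key="$3"
    valid_pubkey "$key" || { echo "not an OpenSSH public key" >&2; return 1; }
    dir="$home/.ssh"; file="$dir/authorized_keys"
    mkdir -p "$dir"
    touch "$file"
    # -F -x: the whole line must match literally, so a key is never added twice
    if ! grep -Fxq "$key" "$file"; then
        printf '%s\n' "$key" >> "$file"
    fi
    chmod 700 "$dir"
    chmod 600 "$file"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$owner" "$dir"
    fi
}

# count_authorized_keys HOME_DIR -> number of key lines, 0 if there is no file.
# Useful as a post-check before you disable password authentication.
count_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    if [ -f "$f" ]; then grep -Ec '^(ssh-|ecdsa-)' "$f" || true; else echo 0; fi
}

# Usage on the server, as root:
#   sh ./install-key.sh run username 'ssh-ed25519 AAAA... comment'
if [ "${1:-}" = run ]; then
    install_authorized_key "/home/$2" "$2" "$3"
    echo "$2 now has $(count_authorized_keys "/home/$2") key(s)"
fi
```

sshd also refuses keys when the home directory itself is group- or world-writable (StrictModes), so if a login still fails after this, check the permissions of /home/username as well as of .ssh.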

On the client, you need to specify the location of the private key for authentication:

ssh-add DIR_PATH/keylocation

Now you can log in to the server under that username using this key:

ssh [username]@hostname

After authorization, you can use the scp command to copy files and the sshfs utility to mount a remote file system or directory.

It is recommended to make several backup copies of the private key, because if you disable password authentication and lose it, you will have no way to log in to your own server at all.

As mentioned above, in SSH you need to disable login for root (this is why we created the new user).

On CentOS/Red Hat we find the line PermitRootLogin yes in the config file /etc/ssh/sshd_config and change it:

PermitRootLogin no

On Ubuntu add the line PermitRootLogin no to the config file 10-my-sshd-settings.conf (sudo applies only to the command, not to the shell's >> redirection, so the file is written through tee):

echo "PermitRootLogin no" | sudo tee -a /etc/ssh/sshd_config.d/10-my-sshd-settings.conf

After making sure that the new user authenticates with their key, you can disable password authentication to remove the risk of a leaked or brute-forced password. Now, to get into the server, an attacker would have to obtain the private key.

On CentOS/Red Hat we find the line PasswordAuthentication yes in the config file /etc/ssh/sshd_config and change it like this:

PasswordAuthentication no

On Ubuntu add the line PasswordAuthentication no to the file 10-my-sshd-settings.conf:

echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config.d/10-my-sshd-settings.conf
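Appending lines with tee works once, but the second time you run it you get duplicate directives, and sshd takes the first value it sees for a keyword, so a later correction may never take effect. The following is an added example, not the article's own code: a setter that replaces an existing directive in the drop-in file or appends it, a reader that shows what the file now says, and a wrapper that runs sshd -t before reloading, so a typo does not take down the only way into the box. The drop-in file name is the one the article uses; everything else is my assumption.

```shell
#!/bin/sh
# Added example: set sshd directives in a drop-in file idempotently and
# validate the configuration before reloading. Not part of the article.
set -eu

# set_sshd_directive FILE KEY VALUE
# Replaces an existing "KEY value" line in FILE or appends one, so running it
# twice never produces duplicate, conflicting lines. sshd keywords are
# case-insensitive, hence the I flags on grep and sed (GNU sed syntax).
set_sshd_directive() {
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    if grep -Eiq "^[[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "s/^[[:space:]]*$key[[:space:]].*/$key $value/I" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_directive FILE KEY -> value of the last matching line in FILE
get_sshd_directive() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { v = $2 } END { print v }' "$1"
}

# harden_sshd [DROPIN]: the two changes the article makes, a syntax check
# (sshd -t) and a dump of the effective values (sshd -T) before reloading.
# The reload is skipped when sshd -t fails, which is what prevents locking
# yourself out with a broken config.
harden_sshd() {
    dropin="${1:-/etc/ssh/sshd_config.d/10-my-sshd-settings.conf}"
    set_sshd_directive "$dropin" PermitRootLogin no
    set_sshd_directive "$dropin" PasswordAuthentication no
    if sshd -t; then
        # effective values after all Include files have been merged
        sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication|kbdinteractiveauthentication) '
        systemctl reload sshd
    else
        echo "sshd config invalid, not reloading" >&2
        return 1
    fi
}

# Usage, as root:  sh ./harden-sshd.sh run [/path/to/dropin.conf]
if [ "${1:-}" = run ]; then
    harden_sshd "${2:-}"
fi
```

Keep the session you are already logged in with open while you run this and test a fresh login from a second terminal. Two things to look at in the sshd -T output: on Ubuntu the Include for sshd_config.d is at the top of /etc/ssh/sshd_config, so the drop-in wins over the main file, but on a system where the include sits lower the main file's value wins instead; and kbdinteractiveauthentication (challenge-response via PAM) can still present a password prompt even with PasswordAuthentication no, so if sshd -T shows it as yes you may want to set it to no as well.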

For instructions on enabling two-factor authentication over SSH, see here.

Firewall

The firewall ensures that only traffic on the ports you have explicitly allowed reaches the server. This protects against the exploitation of ports that were accidentally left open by other services, which reduces the attack surface.

Before enabling the firewall, you must make sure that SSH is on the allow list and will not be blocked. Otherwise, after starting the firewall, we will not be able to connect to the server.

The Ubuntu distribution ships with Uncomplicated Firewall (ufw), and CentOS / Red Hat with firewalld.

Allow SSH in the firewall on Ubuntu:

sudo ufw allow ssh

On CentOS/Red Hat use the firewall-cmd command:

sudo firewall-cmd --zone=public --add-service=ssh --permanent

After this procedure, you can start the firewall.

On CentOS / Red Hat, start the systemd service for firewalld:

sudo systemctl start firewalld
sudo systemctl enable firewalld

On Ubuntu we use the following command:

sudo ufw enable

Fail2Ban

The Fail2Ban program analyzes the server logs and counts the number of login attempts from each IP address. The settings define how many login attempts are allowed within a given time window, after which that IP address is blocked for the specified period. For example, let's allow 5 failed SSH authentication attempts within 2 hours and then block the IP address for 12 hours.

Install Fail2Ban on CentOS and Red Hat:

sudo yum install fail2ban

Installation on Ubuntu and Debian:

sudo apt install fail2ban

Start it:

systemctl start fail2ban
systemctl enable fail2ban

The program has two configuration files: /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf. The blocking limits are specified in the second file.

The jail for SSH is enabled by default with preset settings (5 attempts, 10-minute window, 10-minute ban).

[DEFAULT]
ignorecommand =
bantime = 10m
findtime = 10m
maxretry = 5

Besides SSH, Fail2Ban can protect other services, such as the nginx or Apache web server.
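The "5 attempts in 2 hours, ban for 12 hours" policy from the text, written out as an added example that is not from the article. It goes into /etc/fail2ban/jail.local rather than jail.conf, because jail.conf is overwritten on package upgrades and jail.local is the file fail2ban reads on top of it. The script writes the file, offers a small reader so you can confirm what was written, and restarts the daemon; the ignoreip value and the option to pass a non-standard SSH port are my additions.

```shell
#!/bin/sh
# Added example: jail.local implementing "5 failed SSH logins within 2 hours
# -> 12 hour ban". Not part of the original article.
set -eu

# write_jail_local [FILE] [SSH_PORT]
# The port defaults to the "ssh" service name; pass a number if sshd has been
# moved to another port, otherwise the jail bans on the wrong port.
write_jail_local() {
    file="${1:-/etc/fail2ban/jail.local}"; port="${2:-ssh}"
    cat > "$file" <<EOF
[DEFAULT]
# counting window, attempt limit and ban length (m/h/d suffixes are accepted)
findtime = 2h
maxretry = 5
bantime  = 12h
# never ban the local host; add your own management network here
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port    = $port
EOF
}

# jail_value FILE SECTION KEY -> the value written for KEY in [SECTION]
# (last occurrence wins, like fail2ban's own parser)
jail_value() {
    awk -v s="[$2]" -v k="$3" '
        /^\[/                            { insect = ($0 == s); next }
        insect && $1 == k && $2 == "="   { v = $3 }
        END                              { print v }' "$1"
}

# apply_jail_local [SSH_PORT]: install the policy and confirm that the
# running daemon picked it up. Must run as root.
apply_jail_local() {
    write_jail_local /etc/fail2ban/jail.local "${1:-ssh}"
    systemctl restart fail2ban
    fail2ban-client status sshd        # monitored log file and currently banned IPs
    fail2ban-client get sshd bantime   # ban length in seconds as the daemon sees it
}

# Usage, as root:  sh ./fail2ban-policy.sh run [port]
if [ "${1:-}" = run ]; then
    apply_jail_local "${2:-ssh}"
fi
```

Two caveats a practitioner will want: with key-only authentication most of what fail2ban bans is noise rather than risk, so the 12-hour ban is about log volume more than about stopping a break-in; and if you ever get banned from your own server (a typo in ignoreip, a laptop with a stale key), `fail2ban-client set sshd unbanip <your-address>` from the console lifts it.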

Automatic security updates

As you know, new vulnerabilities are found in every program. Once the information is published, an exploit is added to popular exploit packs, which are used en masse by hackers and teenagers scanning every server in turn. Therefore, it is very important to install security updates as soon as they appear.

On an Ubuntu server, automatic security updates are enabled by default, so nothing more needs to be done.

On CentOS / Red Hat you need to install the dnf-automatic package and enable its timer:

sudo dnf upgrade
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timer

Checking the timer:

sudo systemctl status dnf-automatic.timer

Changing the default ports

SSH was created in 1995 to replace telnet (port 23) and ftp (port 21), so the author of the program, Tatu Ylönen, chose port 22 by default, and IANA approved it.

Naturally, every attacker knows which port SSH runs on and scans it along with the other standard ports to find out the software version, to check for default root passwords, and so on.

Changing the standard ports (obfuscation) reduces the volume of junk traffic, the size of the logs and the load on the server several times over, and also reduces the attack surface. Some, however, criticize this method of "protection through obscurity" (security through obscurity). The reason is that this technique contradicts the principles of architectural defense. For example, the US National Institute of Standards and Technology, in its "Server Security Guide", points out the need for an open server architecture: "The security of a system should not depend on the secrecy of the implementation of its components," the document says.

Strictly speaking, changing the default ports goes against the practice of open architecture. But in practice the amount of malicious traffic really does drop, so this is a simple and effective measure.

The port number can be configured by changing the Port 22 directive in the config file /etc/ssh/sshd_config. It can also be given to sshd with the -p <port> parameter. The SSH client and the sftp service also support the -p <port> option.

The -p <port> parameter can be used to specify the port number when connecting with the ssh command in Linux. In sftp and scp the parameter is -P <port> (capital P). The value given on the command line overrides any value in the configuration files.
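The port change is where people most often lock themselves out: the firewall from the earlier section still only allows port 22, and on Red Hat-family systems SELinux additionally refuses to let sshd bind a port that is not labelled ssh_port_t. The following added example (not from the article; 2222 and 203.0.113.10 are placeholders) does the steps in the safe order, firewall first and sshd last, validates the config before reloading, and on the client side records the port in ~/.ssh/config so that the -p versus -P difference between ssh/scp/sftp stops mattering. Note that in OpenSSH's sftp the port flag is -P, as in scp; its lowercase -p preserves file timestamps.

```shell
#!/bin/sh
# Added example: move sshd to a new port without locking yourself out, and
# keep the client side consistent. Not part of the original article.
set -eu

# port_flag TOOL PORT -> the option the given OpenSSH tool expects for the port:
# ssh and sshd use -p; scp and sftp use -P (their -p means "preserve attributes").
port_flag() {
    case "$1" in
        ssh|sshd) printf '%s\n' "-p $2" ;;
        scp|sftp) printf '%s\n' "-P $2" ;;
        *) echo "unknown tool: $1" >&2; return 1 ;;
    esac
}

# client_host_entry ALIAS HOSTNAME USER PORT -> a ~/.ssh/config stanza.
# With it, "ssh ALIAS", "scp file ALIAS:" and "sftp ALIAS" all use the right
# port and key without any flag on the command line.
client_host_entry() {
    printf 'Host %s\n    HostName %s\n    User %s\n    Port %s\n    IdentitiesOnly yes\n' \
        "$1" "$2" "$3" "$4"
}

# allow_port PORT: open the port in whichever firewall is installed, and on
# SELinux systems label it so sshd is allowed to bind it.
allow_port() {
    if command -v ufw >/dev/null 2>&1; then
        ufw allow "$1/tcp"
    elif command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --add-port="$1/tcp" && firewall-cmd --reload
    fi
    if command -v semanage >/dev/null 2>&1; then
        semanage port -a -t ssh_port_t -p tcp "$1" \
            || semanage port -m -t ssh_port_t -p tcp "$1"
    fi
}

# move_sshd_port NEWPORT: firewall first, then the Port directive in the
# drop-in the article uses, then sshd -t, and only then a reload. Must run as root.
move_sshd_port() {
    new="$1"
    allow_port "$new"
    dropin=/etc/ssh/sshd_config.d/10-my-sshd-settings.conf
    if grep -Eiq '^[[:space:]]*Port[[:space:]]' "$dropin" 2>/dev/null; then
        sed -i -E "s/^[[:space:]]*Port[[:space:]].*/Port $new/I" "$dropin"
    else
        printf 'Port %s\n' "$new" >> "$dropin"
    fi
    sshd -t && systemctl reload sshd
    echo "keep this session open; from another terminal run: ssh $(port_flag ssh "$new") user@host"
    echo "once that works, remove the old rule (ufw delete allow ssh / firewall-cmd --remove-service=ssh)"
    echo "and point fail2ban's [sshd] jail at port $new"
}

# Usage, as root:  sh ./move-port.sh run 2222
if [ "${1:-}" = run ]; then
    move_sshd_port "$2"
fi
```

The order matters more than the commands: if the port is opened in the firewall after sshd has already moved, the reload leaves you with an sshd that nobody can reach. The old port 22 rule is removed by hand only after a login on the new port has succeeded.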

If there are many servers, almost all of this work of protecting a Linux server can be automated in a script. But if there is only one server, it is better to go through the process manually.


Source: www.hab.com