Linux server security. What to do first

Habib M'henni/Wikimedia Commons, CC BY-SA

These days, bringing up a server in a hosting panel takes a few minutes and a couple of clicks. But as soon as it is created, it finds itself in a hostile environment, because it is open to the whole internet like an innocent girl at a rocker disco. Scanners will find it quickly, and so will thousands of automated scripted bots that comb the network looking for vulnerabilities and misconfigurations. There are a few things you should do right after launch to ensure basic security.


Non-root user

The first step is to create a non-root user for yourself. The point is that the root user has full privileges on the system, and if you leave remote administration enabled for it, you do half of the work for the attacker by handing them a valid username.

So you should create another user and disable remote administration over SSH for root.

A new user is created with the useradd command:

useradd [options] <username>

Then a password is set for it with the passwd command:

passwd <username>

Finally, this user must be added to the group that is allowed to run privileged commands via sudo. Depending on the Linux distribution, this may be a different group. For example, on CentOS and Red Hat the user is added to the wheel group:

usermod -aG wheel <username>

On Ubuntu, it is added to the sudo group:

usermod -aG sudo <username>
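The three steps above as one script (an added example, not from the article): it picks the admin group from the distribution family in /etc/os-release instead of guessing, then runs the same commands. The helper names admin_group_for and create_admin_user are mine.

```shell
#!/bin/sh
# Added example, not from the article. Picks the sudo-capable group for the
# distribution family (wheel on CentOS/Red Hat, sudo on Ubuntu/Debian) by
# reading os-release, then runs the article's three commands. Run as root.

admin_group_for() {
  # $1: path to an os-release file (defaults to /etc/os-release).
  f=${1:-/etc/os-release}
  # os-release is a list of shell assignments; ID_LIKE names the parent
  # distributions, e.g. ID=rocky ID_LIKE="rhel centos fedora".
  ids=$( . "$f" 2>/dev/null && printf '%s %s' "$ID" "${ID_LIKE-}" )
  case " $ids " in
    *" rhel "*|*" centos "*|*" fedora "*) echo wheel ;;
    *" debian "*|*" ubuntu "*)            echo sudo ;;
    *) return 1 ;;   # unknown family: refuse to guess a privileged group
  esac
}

create_admin_user() {
  # $1: username. Creates the user with a home directory, sets its password
  # interactively, and adds it to the distribution's admin group.
  group=$(admin_group_for) || { echo "unknown distribution" >&2; return 1; }
  useradd -m -s /bin/bash "$1" && passwd "$1" && usermod -aG "$group" "$1"
}

# Show which group this host would use; create_admin_user is only run on
# the server itself, e.g.:  create_admin_user alice
admin_group_for || echo "unrecognised distribution, choose the group by hand" >&2
```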

SSH keys instead of passwords

Brute force or password guessing is a standard attack vector, so it is best to disable password authentication in SSH (Secure Shell) and use key authentication instead.

There are various implementations of the SSH protocol, such as lsh and Dropbear, but the most popular is OpenSSH. Installing the OpenSSH client on Ubuntu:

sudo apt install openssh-client

Installing the server:

sudo apt install openssh-server

Starting the SSH daemon (sshd) on the Ubuntu server:

sudo systemctl start sshd

Starting the daemon automatically at every boot:

sudo systemctl enable sshd

Note that the server part of OpenSSH includes the client part. That is, with openssh-server installed you can connect to other servers. Moreover, from your client machine you can open an SSH tunnel through a remote server to a third host, and the third host will then see the remote server as the source of the requests. A handy feature for masking your systems. See the article "Useful tips, examples, and SSH tunnels" for details.

On client machines it usually makes no sense to install the full server, so as to rule out remote connections to the computer (for security reasons).

So, for your new user, first generate SSH keys on the computer from which you will access the server:

ssh-keygen -t rsa

The public key is stored in a .pub file and looks like a string of characters beginning with ssh-rsa:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ3GIJzTX7J6zsCrywcjAM/7Kq3O9ZIvDw2OFOSXAFVqilSFNkHlefm1iMtPeqsIBp2t9cbGUf55xNDULz/bD/4BCV43yZ5lh0cUYuXALg9NI29ui7PEGReXjSpNwUD6ceN/78YOK41KAcecq+SS0bJ4b4amKZIJG3JWm49NWvoo0hdM71sblF956IXY3cRLcTjPlQ84mChKL1X7+D645c7O4Z1N3KtL7l5nVKSG81ejkeZsGFzJFNqvr5DuHdDL5FAudW23me3BDmrM9ifUmt1a00mWci/1qUlaVFft085yvVq7KZbF2OP2NQACUkwfwh+iSTP username@hostname

Then, as root, create an SSH directory on the server in the user's home directory and add the public SSH key to the authorized_keys file using a text editor such as Vim:

mkdir -p /home/user_name/.ssh && touch /home/user_name/.ssh/authorized_keys

vim /home/user_name/.ssh/authorized_keys

Finally, set the correct permissions on the directory and the file:

chmod 700 /home/user_name/.ssh && chmod 600 /home/user_name/.ssh/authorized_keys

and change their owner to this user:

chown -R user_name:user_name /home/user_name/.ssh

On the client side, specify the location of the private key to use for authentication:

ssh-add DIR_PATH/keylocation

Now you can log in to the server under that username using this key:

ssh [username]@hostname

Once authenticated, you can use the scp command to copy files and the sshfs utility to mount a remote file system or directory.

It is wise to keep several copies of the private key, because if you disable password authentication and then lose the key, you will have no way at all to log in to your server.

As mentioned above, root authentication should be disabled in SSH (this is why we created a new user).

On CentOS/Red Hat we find the line PermitRootLogin yes in the config file /etc/ssh/sshd_config and change it to:

PermitRootLogin no

On Ubuntu, add the line PermitRootLogin no to the config file 10-my-sshd-settings.conf (the file is written through sudo tee, because with sudo echo the redirection would run in the unprivileged shell and be denied):

echo "PermitRootLogin no" | sudo tee -a /etc/ssh/sshd_config.d/10-my-sshd-settings.conf

After checking that the new user authenticates correctly with the key, you can disable password authentication to remove the risk of password leaks or brute force. Now, to get into the server, an attacker would have to obtain the private key.

On CentOS/Red Hat we find the line PasswordAuthentication yes in the config file /etc/ssh/sshd_config and change it to:

PasswordAuthentication no

On Ubuntu, add the line PasswordAuthentication no to the file 10-my-sshd-settings.conf:

echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config.d/10-my-sshd-settings.conf
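The drop-in approach above, as an added example that is not part of the article: it writes the two directives in one go and reads back the value sshd will actually use, since sshd keeps the first value it sees for a keyword. The helper names write_sshd_dropin and sshd_setting are mine.

```shell
#!/bin/sh
# Added example, not from the article. Writes the drop-in file the article
# describes and reads back the value sshd will use. 'sudo echo ... >> file'
# fails because the redirection is performed by the unprivileged shell, so
# run this script as root (sudo sh harden-sshd.sh) or pipe through sudo tee.

write_sshd_dropin() {
  # $1: drop-in path, e.g. /etc/ssh/sshd_config.d/10-my-sshd-settings.conf
  # Ubuntu's stock sshd_config starts with 'Include /etc/ssh/sshd_config.d/*.conf',
  # which is what lets a drop-in take precedence over the main file.
  printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
                'PubkeyAuthentication yes' >> "$1"
}

sshd_setting() {
  # $1: config file, $2: keyword. sshd keeps the FIRST value it reads for a
  # keyword (keywords are case-insensitive), so only the first match counts.
  key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  awk -v key="$key" 'tolower($1) == key { print $2; exit }' "$1"
}

# Demo on a temporary file. On the server, point write_sshd_dropin at the real
# path, then run 'sudo sshd -t' and 'sudo sshd -T | grep -i permitrootlogin'
# before restarting sshd, so a typo cannot lock you out of the box.
tmp=$(mktemp -d)
write_sshd_dropin "$tmp/10-my-sshd-settings.conf"
sshd_setting "$tmp/10-my-sshd-settings.conf" PermitRootLogin        # prints: no
sshd_setting "$tmp/10-my-sshd-settings.conf" PasswordAuthentication # prints: no
```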

For instructions on setting up two-factor authentication over SSH, see here.

Firewall

A firewall ensures that only traffic on the ports you explicitly allow reaches the server. This protects against exploitation of ports that other services opened accidentally, which reduces the attack surface.

Before enabling the firewall, make sure that SSH is on the allow list and will not be blocked. Otherwise, once the firewall starts, you will not be able to connect to the server.

Ubuntu Server ships with Uncomplicated Firewall (ufw), and CentOS/Red Hat with firewalld.

Allowing SSH through the firewall on Ubuntu:

sudo ufw allow ssh

On CentOS/Red Hat, use the firewall-cmd command:

sudo firewall-cmd --zone=public --add-service=ssh --permanent

After this, you can start the firewall.

On CentOS/Red Hat, start the system service for firewalld:

sudo systemctl start firewalld
sudo systemctl enable firewalld

On Ubuntu we use the command:

sudo ufw enable

Fail2Ban

The Fail2Ban service scans the logs on the server and counts the number of access attempts from each IP address. Its settings define how many access attempts are allowed within a given interval, after which the IP address is blocked for a specified period. For example, allow 5 failed SSH authentication attempts within 2 hours, then block the IP address for 12 hours.

Installing Fail2Ban on CentOS and Red Hat:

sudo yum install fail2ban

Installing on Ubuntu and Debian:

sudo apt install fail2ban

Starting it:

systemctl start fail2ban
systemctl enable fail2ban

The program has two configuration files: /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf. The ban rules are defined in the second file.

A jail for SSH is enabled by default with the default settings (5 attempts within 10 minutes, ban for 10 minutes):

[DEFAULT]
ignorecommand =
bantime = 10m
findtime = 10m
maxretry = 5

Besides SSH, Fail2Ban can protect other services, such as the nginx or Apache web server.
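To make the maxretry/findtime rule concrete, here is an added example (mine, not from the article or from Fail2Ban) that applies the same counting rule to a few constructed sshd log lines: it reports an IP the moment it reaches maxretry failed logins inside a sliding findtime window. The sample log lines and the failed_login_bans helper are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article or from Fail2Ban itself: the counting
# rule the article describes (maxretry failed logins from one IP within
# findtime seconds), applied to constructed sshd log lines. It prints each IP
# that would be banned, once, at the moment the threshold is crossed.

# Constructed sample log lines in the syslog format written by sshd.
SAMPLE_LOG='Mar  3 10:00:01 srv sshd[1001]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  3 10:00:04 srv sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Mar  3 10:00:07 srv sshd[1003]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar  3 10:00:09 srv sshd[1004]: Failed password for root from 203.0.113.5 port 51003 ssh2
Mar  3 10:00:12 srv sshd[1005]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar  3 10:01:00 srv sshd[1006]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
Mar  3 10:05:00 srv sshd[1007]: Failed password for root from 198.51.100.7 port 42000 ssh2
Mar  3 10:20:00 srv sshd[1008]: Failed password for root from 198.51.100.7 port 42001 ssh2
Mar  3 10:35:00 srv sshd[1009]: Failed password for root from 198.51.100.7 port 42002 ssh2
Mar  3 10:50:00 srv sshd[1010]: Failed password for root from 198.51.100.7 port 42003 ssh2
Mar  3 11:05:00 srv sshd[1011]: Failed password for root from 198.51.100.7 port 42004 ssh2'

# Usage: failed_login_bans MAXRETRY FINDTIME_SECONDS < logfile
failed_login_bans() {
  awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      split($3, t, ":"); ts = t[1]*3600 + t[2]*60 + t[3]   # HH:MM:SS -> seconds
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
      # keep only the attempts from this IP that are still inside the window
      n = split(hist[ip], old, " "); kept = ""
      for (j = 1; j <= n; j++) if (ts - old[j] < findtime) kept = kept " " old[j]
      hist[ip] = kept " " ts
      if (split(hist[ip], cur, " ") >= maxretry && !(ip in banned)) {
        banned[ip] = 1; print ip
      }
    }'
}

# Default jail (5 attempts in 10 minutes): only the burst from 203.0.113.5 trips it.
printf '%s\n' "$SAMPLE_LOG" | failed_login_bans 5 600
# The 2-hour window from the article also catches the slow attempts from 198.51.100.7.
printf '%s\n' "$SAMPLE_LOG" | failed_login_bans 5 7200
```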

Automatic security updates

As you know, new vulnerabilities are found in every program. Once the information is published, the exploit is added to popular exploit packs, which hackers and teenagers use on a massive scale when scanning every server in turn. So it is very important to install security updates as soon as they appear.

On Ubuntu Server, automatic security updates are enabled by default, so nothing further is required.

On CentOS/Red Hat, install the dnf-automatic tool and enable its timer:

sudo dnf upgrade
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timer

Checking the timer:

sudo systemctl status dnf-automatic.timer

Changing the default port

SSH was developed in 1995 to replace telnet (port 23) and ftp (port 21), so the program's author, Tatu Ylönen, chose port 22 as the default, and IANA approved it.

Naturally, all attackers know which port SSH runs on, and they scan it along with other ports to detect the software version, test root passwords, and so on.

Changing the standard port (obfuscation) cuts the amount of junk traffic, the size of the logs and the load on the server several times over, and also reduces the attack surface. Some, however, criticize this method as "security through obscurity". The reason is that the technique contradicts the principle of fundamental architectural protection. For example, the US National Institute of Standards and Technology, in its "Server Security Guide", points out the need for an open server architecture: "The security of a system should not rely on the secrecy of its implementation or its components," the document says.

Theoretically, changing the default port contradicts open-architecture practice. But in practice the amount of malicious traffic really does drop, so it is a simple and effective measure.

The port number can be configured by changing the Port 22 directive in the config file /etc/ssh/sshd_config. It is also given by the -p <port> parameter of ssh. The SSH client and sftp programs also support the -p <port> option.

The -p <port> parameter can be used to specify the port number when connecting with the ssh command on Linux. In sftp and scp the parameter -P <port> (capital P) is used. The command-line option overrides any value in the configuration files.

If there are many servers, almost all of these actions to secure a Linux server can be automated with a script. But if there is only one server, it is better to control the process by hand.


Source: www.habr.com