Nowadays, starting a server at a hosting provider takes a couple of minutes and a few mouse clicks. But immediately after launch it finds itself in a hostile environment, because it is open to the whole Internet like an innocent girl at a rocker disco. It will quickly be found by scanners: thousands of automatically scripted bots that roam the network looking for vulnerabilities and configuration mistakes. There are a few things you should do right after launch to ensure basic protection.
Contents
Non-root user
SSH keys instead of passwords
Firewall
Fail2Ban
Automatic security updates
Changing the default ports
Non-root user
The first step is to create a non-root user for yourself. The point is that the root user has absolute privileges in the system, and if you allow root to administer the server remotely, you are doing half of an attacker's work for him by leaving him a valid username.
Therefore you need to create another user and disable remote administration over SSH for root.
A new user is created with the useradd command:
useradd [options] <username>
Then set a password for it with the passwd command:
passwd <username>
Finally, this user must be added to a group that has the right to run commands with administrator privileges through sudo. Depending on the Linux distribution these may be different groups. For example, on CentOS and Red Hat the user is added to the wheel group:
usermod -aG wheel <username>
On Ubuntu the user is added to the sudo group:
usermod -aG sudo <username>
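The three steps above, put together as a small script that picks the right group for the distribution and verifies the membership afterwards. This is an added example, not code from the article; it assumes that /etc/os-release reports ID=ubuntu or ID=debian on the Debian family and ID=centos or ID=rhel (also via ID_LIKE) on the Red Hat family, and it must be run as root to actually create the user.

```shell
#!/bin/sh
# Added example, not code from the article: create the non-root admin user
# described above and put it in the distribution's sudo-capable group.
# Assumptions: /etc/os-release reports ID=ubuntu/debian or ID=centos/rhel
# (ID_LIKE is also consulted); the group names are the ones the article gives.

# Map the "ID ID_LIKE" words from os-release to the admin group:
# wheel for the CentOS / Red Hat family, sudo for Ubuntu / Debian.
admin_group_for() {
    case " $1 " in
        *" ubuntu "*|*" debian "*) echo sudo ;;
        *" centos "*|*" rhel "*)   echo wheel ;;
        *)                         echo "" ;;
    esac
}

# Print "ID ID_LIKE" from an os-release file (default /etc/os-release).
# The file is shell syntax, so it is sourced in a subshell to keep our scope clean.
os_ids() {
    ( . "${1:-/etc/os-release}" 2>/dev/null; printf '%s %s\n' "${ID:-}" "${ID_LIKE:-}" )
}

# Is GROUP one of the words in a space-separated group list (as `id -nG` prints)?
in_group() {
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# Run as root. useradd / passwd / usermod are the article's steps; the group
# choice and the membership check afterwards are the added part.
create_admin_user() {
    user=$1
    group=$(admin_group_for "$(os_ids)")
    [ -n "$group" ] || { echo "unknown distribution: choose the sudo group by hand" >&2; return 1; }
    useradd -m "$user"               # -m creates the home directory
    passwd "$user"                   # prompts for the new password
    usermod -aG "$group" "$user"     # -a appends, never replacing existing groups
    in_group "$group" "$(id -nG "$user")" || { echo "$user is not in $group" >&2; return 1; }
    echo "$user created and added to $group"
}

# Constructed os-release sample for trying the group selection offline.
sample_os_release() {
    f=$(mktemp)
    printf 'NAME="CentOS Stream"\nID="centos"\nID_LIKE="rhel fedora"\n' > "$f"
    echo "$f"
}
```

Before logging out of the root session, confirm that the new account can actually elevate (for example `su - <username> -c 'sudo -v'`); otherwise disabling root over SSH in the next section locks you out.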
SSH keys instead of passwords
Brute force and password leaks are a standard attack vector, so it is best to disable password authentication in SSH (Secure Shell) and use key authentication instead.
There are various programs that implement the SSH protocol. Installing the client:
sudo apt install openssh-client
Installing the server:
sudo apt install openssh-server
Starting the SSH daemon (sshd) on an Ubuntu server:
sudo systemctl start sshd
Starting the daemon automatically at boot:
sudo systemctl enable sshd
Note that the server part of OpenSSH includes the client part, that is, with openssh-server you can connect to other servers. Moreover, from your client machine you can open an SSH tunnel from the remote server to a third-party host, and the third-party host will then treat the remote server as the source of the requests. A very handy feature for masking your system; see the linked article for details.
Usually it makes no sense to install a full server on a client machine (for security reasons, to rule out remote connections to the computer).
So, for the new user, first generate SSH keys on the computer from which you will access the server:
ssh-keygen -t rsa
The public key is stored in a .pub file and looks like a random string of characters beginning with ssh-rsa:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ3GIJzTX7J6zsCrywcjAM/7Kq3O9ZIvDw2OFOSXAFVqilSFNkHlefm1iMtPeqsIBp2t9cbGUf55xNDULz/bD/4BCV43yZ5lh0cUYuXALg9NI29ui7PEGReXjSpNwUD6ceN/78YOK41KAcecq+SS0bJ4b4amKZIJG3JWm49NWvoo0hdM71sblF956IXY3cRLcTjPlQ84mChKL1X7+D645c7O4Z1N3KtL7l5nVKSG81ejkeZsGFzJFNqvr5DuHdDL5FAudW23me3BDmrM9ifUmt1a00mWci/1qUlaVFft085yvVq7KZbF2OP2NQACUkwfwh+iSTP username@hostname
Then, as root, create an SSH directory in the user's home directory on the server and add the SSH public key to the authorized_keys file, using a text editor such as Vim:
mkdir -p /home/user_name/.ssh && touch /home/user_name/.ssh/authorized_keys
vim /home/user_name/.ssh/authorized_keys
Finally, set the correct permissions on the files:
chmod 700 /home/user_name/.ssh && chmod 600 /home/user_name/.ssh/authorized_keys
and change the ownership to this user:
chown -R username:username /home/username/.ssh
On the client side, specify the location of the private key used for authentication:
ssh-add DIR_PATH/keylocation
Now you can log in to the server under the new username using this key:
ssh [username]@hostname
After authentication you can use the scp command to copy files.
It is a good idea to make several backup copies of the private key: if you disable password authentication and lose the key, you will not be able to log in to your own server at all.
As mentioned above, root authentication over SSH must be disabled (this is why we created a new user).
On CentOS/Red Hat, find the line PermitRootLogin yes in the configuration file /etc/ssh/sshd_config and change it to:
PermitRootLogin no
On Ubuntu, add the line PermitRootLogin no to the configuration file 10-my-sshd-settings.conf. Note that `sudo echo ... >> file` does not work here, because the redirection is performed by your unprivileged shell, not by sudo; let tee do the write as root instead:
echo "PermitRootLogin no" | sudo tee -a /etc/ssh/sshd_config.d/10-my-sshd-settings.conf
Once you have made sure that the new user authenticates with the key, you can disable password authentication and so eliminate the risk of password leaks and brute force. From now on an attacker needs to obtain the private key to access the server.
On CentOS/Red Hat, find the line PasswordAuthentication yes in the configuration file /etc/ssh/sshd_config and change it to:
PasswordAuthentication no
On Ubuntu, add the line PasswordAuthentication no to the file 10-my-sshd-settings.conf (again via tee, since a redirection after sudo echo would run without root privileges):
echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config.d/10-my-sshd-settings.conf
For instructions on enabling two-factor authentication over SSH, see here.
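A check worth running after editing the files above, because sshd uses the first value it reads for each option and Ubuntu's stock sshd_config contains its Include of sshd_config.d/*.conf before its own settings, so the order of files and lines decides what is in force. The script below is an added example, not code from the article or from OpenSSH: it mimics sshd's resolution rules (first match wins, Include expanded in place, scanning stops at the first Match block) and reports whether PermitRootLogin and PasswordAuthentication are really off. It assumes a POSIX shell with sed and awk, and it resolves relative Include paths under $SSHD_CONF_DIR (default /etc/ssh), which the offline demo points at a temporary directory of constructed files.

```shell
#!/bin/sh
# Added example, not code from the article or OpenSSH: resolve the *effective*
# value of an sshd option the way sshd does (first match wins, Include files are
# read at the point of the Include line, Match blocks start conditional
# sections) and verify that root login and password authentication are off.
# Assumptions: POSIX sh with sed/awk; relative Include paths resolve under
# $SSHD_CONF_DIR (default /etc/ssh), which the offline demo points at a temp dir.

# Emit "keyword value" lines in sshd's reading order. Comments and blank lines
# are dropped, "Key=value" is normalised to "key value", Include globs are
# expanded in place, and scanning stops at the first Match line because only
# the global section decides the defaults checked here.
_sshd_stream() {
    f=$1
    [ -r "$f" ] || return 0
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' \
        -e 's/^\([^[:space:]=]*\)[[:space:]=]*/\1 /' "$f" |
    while read -r key rest; do
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case $key in
            match) break ;;
            include)
                set -f                          # split the Include list without globbing
                for inc in $rest; do
                    case $inc in /*) ;; *) inc="${SSHD_CONF_DIR:-/etc/ssh}/$inc" ;; esac
                    set +f
                    for g in $inc; do _sshd_stream "$g"; done   # now expand the glob
                    set -f
                done
                set +f ;;
            *) printf '%s %s\n' "$key" "$rest" ;;
        esac
    done
}

# Effective value of KEYWORD in FILE (case-insensitive); "unset" means sshd
# falls back to its compiled-in default (yes for PasswordAuthentication).
sshd_effective() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    val=$(_sshd_stream "$2" | awk -v kw="$kw" '$1 == kw { print $2; exit }')
    printf '%s\n' "${val:-unset}"
}

# Return 0 when both hardening directives from the article are in force;
# print what is wrong otherwise.
sshd_hardened() {
    ok=0
    r=$(sshd_effective PermitRootLogin "$1")
    p=$(sshd_effective PasswordAuthentication "$1")
    [ "$r" = no ] || { echo "PermitRootLogin is '$r' (want no)"; ok=1; }
    [ "$p" = no ] || { echo "PasswordAuthentication is '$p' (want no; unset means yes)"; ok=1; }
    return $ok
}

# Constructed Ubuntu-style layout: the main file Includes the drop-in directory
# *before* its own settings, so a drop-in line wins over a later line in the
# main file. Prints the temp directory that stands in for /etc/ssh.
make_demo_conf() {
    d=$(mktemp -d)
    mkdir -p "$d/sshd_config.d"
    cat > "$d/sshd_config" <<'EOF'
# constructed sample, not a real server's file
Include sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
    cat > "$d/sshd_config.d/10-my-sshd-settings.conf" <<'EOF'
PermitRootLogin no
EOF
    echo "$d"
}

# Walk-through when run as `sh this.sh demo`: the drop-in turns root login off,
# but password authentication stays on until the second line is added to it.
if [ "${1:-}" = demo ]; then
    SSHD_CONF_DIR=$(make_demo_conf); export SSHD_CONF_DIR
    sshd_hardened "$SSHD_CONF_DIR/sshd_config" || echo "-> not hardened yet"
    echo "PasswordAuthentication no" >> "$SSHD_CONF_DIR/sshd_config.d/10-my-sshd-settings.conf"
    sshd_hardened "$SSHD_CONF_DIR/sshd_config" && echo "-> hardened"
    rm -r "$SSHD_CONF_DIR"
fi
```

On a real server the authoritative answer comes from the daemon itself: `sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication'` prints the effective configuration, and `sudo sshd -t` validates the files before you restart sshd. Do the restart from a second, already open session so that a mistake in the files cannot lock you out.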
Firewall
A firewall ensures that only traffic on explicitly allowed ports reaches the server. This prevents the abuse of ports accidentally opened by other services and greatly reduces the attack surface.
Before installing the firewall, make sure SSH is on the allow list and will not be blocked. Otherwise you will not be able to connect to the server once the firewall starts.
The Ubuntu distribution ships with Uncomplicated Firewall (ufw); CentOS/Red Hat use firewalld.
Allowing SSH in the Ubuntu firewall:
sudo ufw allow ssh
On CentOS/Red Hat, use the firewall-cmd command:
sudo firewall-cmd --zone=public --add-service=ssh --permanent
After this step the firewall can be started.
On CentOS/Red Hat, start the firewalld systemd service:
sudo systemctl start firewalld
sudo systemctl enable firewalld
On Ubuntu, use the following command:
sudo ufw enable
Fail2Ban
Installing the Fail2Ban service on CentOS and Red Hat:
sudo yum install fail2ban
Installing on Ubuntu and Debian:
sudo apt install fail2ban
Run:
systemctl start fail2ban
systemctl enable fail2ban
The program has two configuration files: /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf. The ban limits are set in the second file.
The SSH jail is enabled by default with the default settings (5 attempts, 10-minute window, 10-minute ban):
[DEFAULT]
ignorecommand =
bantime = 10m
findtime = 10m
maxretry = 5
Besides SSH, Fail2Ban can protect other services on an nginx or Apache web server.
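To see what the findtime/maxretry pair above means in practice, here is the counting rule applied to sshd log lines: an address is a ban candidate the moment it accumulates maxretry failures inside a sliding findtime window. This is an added example written for this page, not code from the article or from the Fail2Ban project; the log lines are constructed (the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges), all timestamps are assumed to fall on the same day, and the matching is limited to the "Failed password" message.

```shell
#!/bin/sh
# Added example, not from the article or the Fail2Ban project: the counting rule
# the article describes (maxretry failures within findtime => ban), applied to
# sshd log lines so you can see which addresses the default sshd jail would ban.
# Assumptions: syslog-style auth.log lines as below, all from the same day;
# times are reduced to seconds since midnight.

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges, not real hosts.
SAMPLE_AUTH_LOG='Jan 10 10:00:01 srv sshd[1201]: Failed password for root from 203.0.113.7 port 50211 ssh2
Jan 10 10:00:03 srv sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
Jan 10 10:00:05 srv sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 50213 ssh2
Jan 10 10:00:08 srv sshd[1204]: Failed password for root from 203.0.113.7 port 50214 ssh2
Jan 10 10:00:10 srv sshd[1205]: Failed password for root from 203.0.113.7 port 50215 ssh2
Jan 10 10:00:20 srv sshd[1210]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
Jan 10 10:01:00 srv sshd[1211]: Failed password for bob from 198.51.100.5 port 40001 ssh2
Jan 10 10:30:00 srv sshd[1230]: Failed password for bob from 198.51.100.5 port 40002 ssh2
Jan 10 10:59:00 srv sshd[1240]: Failed password for bob from 198.51.100.5 port 40003 ssh2'

# ban_candidates FINDTIME_SECONDS MAXRETRY < log
# Prints each IP once, at the moment its failure count inside the sliding
# findtime window reaches maxretry (the rule jail.conf's findtime/maxretry
# express; bantime only says how long the ban then lasts).
ban_candidates() {
    awk -v findtime="$1" -v maxretry="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
        split($3, t, ":"); now = t[1]*3600 + t[2]*60 + t[3]
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
        if (ip == "") next
        n[ip]++; ts[ip, n[ip]] = now
        k = 0
        for (j = 1; j <= n[ip]; j++) if (now - ts[ip, j] <= findtime) k++
        if (k >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# Convenience wrapper over the constructed sample with the article's defaults
# (findtime 10m, maxretry 5).
sample_bans() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | ban_candidates "${1:-600}" "${2:-5}"
}
```

With the defaults only 203.0.113.7 (five failures in ten seconds) is banned; the slow attempts from 198.51.100.5 are an hour apart and never reach five inside a ten-minute window, which is exactly the gap a longer findtime in jail.local closes. On a live system compare with `sudo fail2ban-client status sshd`.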
Automatic security updates
As you know, new vulnerabilities are constantly being found in all programs. Once the information is published, exploits are added to popular exploit packs, which are then used en masse by hackers and teenagers scanning every server in a row. Therefore it is very important to install security updates as soon as they become available.
On an Ubuntu server automatic security updates are enabled by default, so no further action is needed.
On CentOS/Red Hat you need to install the dnf-automatic application:
sudo dnf upgrade
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timer
Checking the timer:
sudo systemctl status dnf-automatic.timer
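One caveat a practitioner wants here: dnf-automatic.timer runs whatever /etc/dnf/automatic.conf says, and the file as shipped has apply_updates = no, so enabling the timer alone only downloads packages. The script below is an added example, not code from the article or the dnf project; it reads the [commands] section of an automatic.conf-style file (assumed to use the stock `key = value` spacing) and reports whether updates will actually be installed, using a constructed sample file.

```shell
#!/bin/sh
# Added example, not from the article: check that dnf-automatic will actually
# *install* security updates, not just download them. Assumption (from the
# dnf-automatic defaults): /etc/dnf/automatic.conf ships with apply_updates = no,
# so enabling dnf-automatic.timer alone only downloads packages.

# Value of KEY in the [commands] section of an automatic.conf-style file
# (stock "key = value" spacing assumed).
automatic_conf_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section); next }
        section == "commands" && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# 0 when updates are applied automatically, 1 otherwise (with a hint).
automatic_applies() {
    v=$(automatic_conf_get "$1" apply_updates)
    [ "$v" = yes ] && return 0
    echo "apply_updates = ${v:-unset}: packages are downloaded but not installed" >&2
    return 1
}

# Constructed sample in the stock layout; upgrade_type = security limits the
# run to security advisories, apply_updates = yes makes it install them.
sample_automatic_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[commands]
upgrade_type = security
random_sleep = 300
download_updates = yes
apply_updates = yes

[emitters]
emit_via = stdio
EOF
    echo "$f"
}
```

Run `automatic_applies /etc/dnf/automatic.conf` on the server after installation; if it complains, set apply_updates = yes in the file (and upgrade_type = security if you only want security advisories), or enable dnf-automatic-install.timer, which installs regardless of that setting.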
Changing the default ports
SSH was developed in 1995 to replace Telnet (port 23) and FTP (port 21).
Naturally, every attacker knows which port SSH runs on and scans it, together with the other standard ports, to find out software versions, check standard root passwords, and so on.
Changing the standard ports (obfuscation) cuts the volume of junk traffic, the size of the logs and the load on the server several times over, and also reduces the attack surface, if only slightly. In theory, changing the default port goes against open-architecture practice. But in practice the volume of malicious traffic really does drop, so it is a simple and effective measure.
The port number is set by changing the Port 22 directive in the configuration file /etc/ssh/sshd_config, or with the -p <port> parameter of sshd. The -p <port> parameter is also used to specify the port number when connecting with the ssh command; with scp on Linux the parameter is -P <port> (capital P). A command-line option overrides the value in the configuration file.
If you have many servers, almost all of these actions for protecting a Linux server can be automated with a script. But if you have only one server, it is better to control the process by hand.
Source: habr.com