What to do if the siloviki come to your hoster


If you rent a server, you do not have full control over it. That means that at any moment specially trained people (the siloviki of the title: state security and law-enforcement officers) can come to the hoster and demand that it hand over any of your data. And the hoster will comply if the demand is made in accordance with the law.

You do not want your web server logs or your users' data to end up with anyone else. Perfect protection cannot be built. It is impossible to fully protect yourself from a hoster that controls the hypervisor and hands you a virtual machine. But it may be possible to reduce the risk somewhat: encrypting rented drives is not as useless as it looks at first glance. Along the way, let's look at the threats to data on physical servers as well.

Threat model

As a rule, the hoster will defend the client's interests as far as the law allows. If the letter from the authorities asks only for access logs, the hoster will not hand over a dump of all your virtual machines together with the databases. At least it should not. If the request is for all the data, the hoster will copy the virtual disks with every file on them, and you will never know.

Whatever the scenario, your main goal is to make the attack as difficult and as expensive as possible. There are usually three main threat variants.

Official request

Most often a paper letter arrives at the hoster's registered office demanding that it hand over certain data under the relevant law. If everything is in order, the hoster hands the requested access logs and other data over to the authorities. As a rule, you will simply be asked to send the required data.

Sometimes, when necessary, law-enforcement representatives come to the data center in person. For example, when you have your own dedicated server there, the data can be seized from it physically.

In every country, obtaining access to private property, conducting searches and similar actions requires evidence that the data may contain information relevant to a criminal investigation. A search warrant issued in accordance with all the rules is also required. There may be nuances arising from local legislation. The main thing to understand is that if the hoster's legal procedures are in order, data center staff will not let anyone past the door without the proper paperwork.

Moreover, in most countries you cannot simply pull running equipment out of the rack. For example, in Russia until the end of 2018, Article 183 part 3.1 of the Code of Criminal Procedure of the Russian Federation stipulated that during a seizure, electronic storage media were seized with the participation of a specialist. At the request of the lawful owner of the seized electronic storage media, or of the owner of the information stored on them, the specialist taking part in the seizure, in the presence of attesting witnesses, copied the information from the seized media onto other electronic storage media.

Then, unfortunately, this provision was removed from the article.

Secret and unofficial

This is already the province of the specially trained comrades from the NSA, FBI, MI5 and other three-letter agencies. National legislation usually gives such organisations very broad powers. Moreover, there is almost always a statutory ban on disclosing, directly or indirectly, the very fact of cooperating with such agencies. Russia has similar legal norms.

In the event of this kind of threat, your data will almost certainly be taken. On top of plain seizure, the whole unofficial arsenal can be brought to bear: backdoors, zero-day vulnerabilities, extraction of data from your virtual machine's RAM, and other delights. In this scenario the hoster will be obliged to assist the law-enforcement specialists as far as it can.

Dishonest employee

Not everyone is equally honest. One of the data center administrators may decide to earn some extra money by selling your data. What happens next depends on their privileges and their access. The most unpleasant part is that an administrator with access to the virtualization console has complete power over your machines: they can take a snapshot at any time, RAM contents included, and study it at leisure.

VDS

So you have a virtual machine that the hoster gave you. How can you protect yourself with encryption? In practice, hardly at all. Worse, even someone else's "dedicated server" can turn out to be a virtual machine with the necessary devices passed through to it.

If the job of the remote system is not just to store data but to compute on it, the only way to work with an untrusted machine is homomorphic encryption: the system performs the computation without being able to understand what it is computing. Unfortunately, the overhead of such schemes is so high that their practical use is still limited to very narrow tasks.

Moreover, while a virtual machine is running and doing its work, all of its encrypted volumes are in the unlocked state, otherwise the OS could not use them. This means that anyone with access to the virtualization console can snapshot the running machine and pull every key out of its RAM.

Many vendors have tried to implement hardware encryption of RAM so that even the hoster cannot read it. One example is Intel Software Guard Extensions, which sets up regions (enclaves) of a process's address space that are protected from reading and writing by anything outside the region, including the operating system kernel. Unfortunately, you cannot rely on these technologies completely, since you are confined to your virtual machine, and worked examples of successful attacks on this technology already exist. (Note that SGX protects enclaves within a process, not a whole virtual machine; whole-VM memory encryption such as AMD SEV is a separate technology.) Still, encrypting a virtual machine is not as pointless as it may seem.

Encrypting data on a VDS

Let me say straight away: nothing we do below amounts to full protection. The hypervisor lets the hoster make whatever copies it needs without stopping the service and without you noticing.

  • If, on request, the hoster hands over a "cold" image of your virtual machine, you are in relatively good shape. This is the most common case.
  • If the hoster hands over a full snapshot of the running machine, things are bad. All the data is mounted inside the system in the clear. On top of that, the RAM can be searched for private keys and similar material.

By default, if you deployed the OS from a vanilla image, the hoster has no root access. It can always boot the VM from a rescue image and change the root password by chrooting into the machine's environment, but that requires a reboot, which you will notice, and all mounted encrypted volumes will be locked again as a result.

However, if the VM is deployed not from a vanilla image but from one the hoster prepared in advance, the hoster may well have added a privileged account so it can help a client in an emergency, for example to reset a forgotten root password.
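As an added example (not from the original article), here is a small audit script that checks a freshly deployed VM image for exactly this kind of baked-in access: extra UID 0 accounts in /etc/passwd, blanket sudo grants in /etc/sudoers and /etc/sudoers.d, and SSH keys in authorized_keys files that you did not install yourself. The sample inputs are constructed; the `support` and `panel` accounts and the `admin@hoster-panel` key are hypothetical and exist only to exercise the checks.

```python
"""Audit a deployed VM image for access a hoster may have baked in (added example)."""
import re

# Constructed sample inputs. The 'support' and 'panel' accounts and the
# admin@hoster-panel key are hypothetical, invented only to exercise the checks.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
support:x:0:0:Hoster support:/root:/bin/bash
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
"""
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
panel ALL=(ALL) NOPASSWD:ALL
ubuntu ALL=(ALL) NOPASSWD: /usr/bin/apt
"""
SAMPLE_KEYS = {
    "root": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal admin@hoster-panel\n",
    "ubuntu": 'command="/usr/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAAExampleKeyNotReal me@laptop\n',
}

_SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?P<spec>.+)$")


def uid0_accounts(passwd_text):
    """Account names with UID 0 other than root itself."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            extra.append(fields[0])
    return extra


def blanket_sudo_grants(sudoers_text):
    """(principal, spec) for every rule whose command list is ALL.
    Comments, Defaults and include directives are skipped; root's own rule is not reported."""
    grants = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@" or line.startswith("Defaults"):
            continue
        m = _SUDO_RULE.match(line)
        if m and m.group("who") != "root" and m.group("spec").rstrip().endswith("ALL"):
            grants.append((m.group("who"), m.group("spec").strip()))
    return grants


def ssh_key_holders(authorized_keys):
    """{user: [key comment, ...]} from {user: authorized_keys file text}.
    Leading options (command=..., from=...) are skipped; options containing spaces are not handled."""
    holders = {}
    for user, text in authorized_keys.items():
        for line in text.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            for i, tok in enumerate(parts):
                if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                    comment = " ".join(parts[i + 2:]) or "(no comment)"
                    holders.setdefault(user, []).append(comment)
                    break
    return holders


def audit(passwd_text, sudoers_text, authorized_keys, expected_key_comments=()):
    """Collect findings; expected_key_comments lists the comments of keys you installed yourself."""
    findings = []
    for name in uid0_accounts(passwd_text):
        findings.append("extra UID 0 account: " + name)
    for who, spec in blanket_sudo_grants(sudoers_text):
        findings.append("blanket sudo grant: %s -> %s" % (who, spec))
    for user, comments in ssh_key_holders(authorized_keys).items():
        for c in comments:
            if c not in expected_key_comments:
                findings.append("unexpected SSH key for %s: %s" % (user, c))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SUDOERS, SAMPLE_KEYS, expected_key_comments=("me@laptop",)):
        print(f)
```

Run it against copies of the real files right after deployment (concatenate /etc/sudoers.d/* onto /etc/sudoers and collect every authorized_keys under /root and /home). It cannot see access that bypasses the OS entirely, such as the rescue-image route described above, or agents such as a guest tools daemon that take commands from the hypervisor.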

Even in the full-snapshot case, not everything is lost. The attacker will not get the encrypted files themselves if you mounted them from a remote file system on another machine. Yes, in theory they can sift through the RAM dump and extract the encryption keys from it. In practice, though, this is far from trivial, and it is unlikely the procedure will go beyond a simple copy of the files.

Ordering a machine


For our experiments we take a simple machine from the server ordering section. We do not need many resources, so we choose pay-as-you-go billing for the megahertz and traffic actually used. That is plenty to play with.

Classic dm-crypt over the whole partition did not work out. By default the disk is provisioned as a single piece, with root occupying the entire partition. Shrinking an ext4 file system that is mounted as root is a guaranteed brick instead of a file system. I tried, and no amount of tinkering helped.

Creating the crypto container

So instead of encrypting whole partitions we will use a file-based crypto container, namely the audited and well-regarded VeraCrypt. For our purposes that is enough. First, download and install the CLI package from the official site. Verify its PGP signature while you are at it.

wget https://launchpad.net/veracrypt/trunk/1.24-update4/+download/veracrypt-console-1.24-Update4-Ubuntu-18.04-amd64.deb
dpkg -i veracrypt-console-1.24-Update4-Ubuntu-18.04-amd64.deb

Now we create the container somewhere in our home directory so that we can mount it by hand after a reboot. In interactive mode, set the container size, the password and the encryption algorithm. You can choose the patriotic Kuznyechik cipher (GOST R 34.12-2015) and the Streebog hash function (GOST R 34.11-2012).

veracrypt -t -c ~/my_super_secret

Now install nginx, mount the container at the directory nginx will serve, and fill it with secrets:

apt-get install -y nginx
mkdir /var/www/html/images
veracrypt -t ~/my_super_secret /var/www/html/images/
wget -P /var/www/html/images https://upload.wikimedia.org/wikipedia/ru/2/24/Lenna.png

Edit /var/www/html/index.nginx-debian.html to get the page you want, and open it in a browser.

Mount and check

[Screenshot] The container is mounted, the data is available and being served.

[Screenshot] And here is the machine after a reboot. The data is safely locked away in ~/my_super_secret.

If you want it done properly, you can encrypt the entire OS so that after every reboot it waits for you to connect over ssh and enter the passphrase. This is also enough for the plain "cold data" seizure scenario. Instructions for this setup, using dropbear in the initramfs for remote disk unlocking, are readily available. For a VDS, though, this is complicated and excessive.

Bare metal

Putting your own server in a data center is not easy. Somebody else's "dedicated" server may turn out to be a virtual machine with all the hardware passed through to it. But the security picture gets interesting when you do get to place your own trusted server in a data center. Here you can use dm-crypt, VeraCrypt or any other encryption of your choice to the full.

Understand that with full-disk encryption the server will not be able to come back up on its own after a reboot. You will have to connect over IP-KVM, IPMI or a similar interface and enter the master key by hand. The scheme looks poor in terms of continuity and fault tolerance, but there are no real alternatives if the data is truly valuable.

[Photo] nCipher nShield F3 Hardware Security Module

A less rigid option assumes the data is encrypted and the key lives directly on the server, in a dedicated HSM (Hardware Security Module). As a rule these are very capable devices that not only provide hardware cryptography but also carry mechanisms for detecting physical tampering. If someone starts going at your server with an angle grinder, the HSM, which has its own independent power supply, wipes the keys it holds in memory. The attacker is left with encrypted mincemeat. With this setup, reboots can happen without manual intervention.

Zeroing the keys is a far quicker and more humane option than setting off a thermite charge or an electromagnetic discharger; with devices like that your rack neighbours in the data center will beat you for a very long time. Moreover, with TCG Opal 2 encryption done on the drive itself you pay almost no overhead, since everything happens transparently to the OS. True, in that case you have to trust the particular Samsung and hope there is genuine AES-256 inside rather than a banal XOR, and published research has found exactly that kind of implementation flaw in several self-encrypting drives.

At the same time, remember that all unused ports must be disabled or simply filled with epoxy. Otherwise you hand attackers the opportunity to mount a DMA attack. If you have exposed PCI Express or Thunderbolt, or USB with its support, you are vulnerable: an attacker can plug in through these ports and get direct access to the memory holding the keys. Enabling the IOMMU (Intel VT-d or AMD-Vi) in firmware and the OS limits what a malicious device can reach, but it is not a substitute for physically disabling the ports.

In the more advanced variant the attacker performs a cold boot attack: pour a generous portion of liquid nitrogen over your server, quickly pull out the frozen memory modules and take a dump of them with all the keys. Often an ordinary can of freeze spray and a temperature of about -50 degrees is enough. There is also a subtler version. If you have not disabled booting from external devices, the attacker's algorithm becomes even simpler:

  1. Freeze the memory modules without taking the machine apart.
  2. Plug in their own bootable USB flash drive.
  3. Use special utilities to extract the data that survived the reboot in RAM thanks to the cooling.

Divide and conquer

Fine, we only have virtual machines, but we still want to lower the risk of a data leak somehow. You can, in principle, try to rework the architecture and split data storage and processing across different jurisdictions. For example, the front end, which holds the encryption keys, sits with a hoster in the Czech Republic, while the back end with the encrypted data is somewhere in Russia. In a standard seizure attempt it is highly unlikely that the authorities can act simultaneously in different jurisdictions. It also partially insures us against the snapshot scenario: a snapshot of either machine on its own yields only the keys or only the ciphertext.

Or you can consider the truly clean option: end-to-end encryption. Of course, this goes beyond what has been described here and rules out computation on the remote machine's side. It is, however, a perfectly acceptable option when it comes to storing and synchronising data, and Nextcloud, for example, implements it very conveniently. Synchronisation, versioning and the other server-side goodies stay in place.

Summary

There are no perfectly secure systems. The aim is only to make the attack cost more than the potential gain.

Some reduction of the risk of data being accessed on a virtual host can be achieved by combining encryption with splitting storage across different hosters.

The more or less reliable option is to use your own hardware server.

But the hoster will still have to be trusted to some degree. The whole industry rests on that.


Source: www.habr.com
