Linux server security. What to do first

Habib M'henni/Wikimedia Commons, CC BY-SA

These days, bringing up a server at a hosting provider is a matter of a few minutes and a couple of mouse clicks. But as soon as it is born, it finds itself in a hostile environment, because it is exposed to the whole internet like an innocent girl at a rocker disco. Scanners find it quickly, and it is discovered by thousands of automated script bots that prowl the network looking for vulnerabilities and misconfigurations. There are several things you should do immediately after launch to establish basic protection.


Non-root user

The first step is to create a non-root user for yourself. The point is that the root user has absolute privileges on the system, and if you allow it to log in remotely, you have done half of the attacker's job for them by handing them a known login name.

Therefore, you need to create another user and disable remote root administration over SSH.

A new user is created with the useradd command:

useradd [options] <username>

Then a password is set for it with the passwd command:

passwd <username>

Finally, this user must be added to the group that is allowed to run privileged commands via sudo. Depending on the Linux distribution, this may be a different group. For example, in CentOS and Red Hat the user is added to the wheel group:

usermod -aG wheel <username>

In Ubuntu the user is added to the sudo group:

usermod -aG sudo <username>

SSH keys instead of passwords

Brute force or password leakage is the standard attack vector against passwords, so it is better to disable password authentication in SSH (Secure Shell) and use key-based authentication instead.

There are various implementations of the SSH protocol, such as lsh and dropbear, but the most popular is OpenSSH. Installing the OpenSSH client on Ubuntu:

sudo apt install openssh-client

Installing the server:

sudo apt install openssh-server

Starting the SSH daemon (sshd) on an Ubuntu server:

sudo systemctl start sshd

Start the daemon on every boot:

sudo systemctl enable sshd

Note that the OpenSSH server package includes the client component. That is, with openssh-server installed you can connect to other servers. Moreover, from your client machine you can open an SSH tunnel from a remote server to a third-party host, and the third-party host then sees the remote server as the source of the requests. A very convenient feature for masking your system. See the article "Practical tips, examples and SSH tunnels" for details.

On a client machine, it usually makes no sense to install the full server, so as to rule out the possibility of remote connections to that computer (for security reasons).

So, for the new user, first generate SSH keys on the computer from which you will access the server:

ssh-keygen -t rsa

The public key is stored in the .pub file and looks like a string of random characters starting with ssh-rsa.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ3GIJzTX7J6zsCrywcjAM/7Kq3O9ZIvDw2OFOSXAFVqilSFNkHlefm1iMtPeqsIBp2t9cbGUf55xNDULz/bD/4BCV43yZ5lh0cUYuXALg9NI29ui7PEGReXjSpNwUD6ceN/78YOK41KAcecq+SS0bJ4b4amKZIJG3JWm49NWvoo0hdM71sblF956IXY3cRLcTjPlQ84mChKL1X7+D645c7O4Z1N3KtL7l5nVKSG81ejkeZsGFzJFNqvr5DuHdDL5FAudW23me3BDmrM9ifUmt1a00mWci/1qUlaVFft085yvVq7KZbF2OP2NQACUkwfwh+iSTP username@hostname

Then, as root, create an SSH directory on the server in the user's home directory and add the public key to the authorized_keys file, using a text editor such as Vim:

mkdir -p /home/username/.ssh && touch /home/username/.ssh/authorized_keys

vim /home/username/.ssh/authorized_keys

Finally, set the correct permissions on the directory and the file:

chmod 700 /home/username/.ssh && chmod 600 /home/username/.ssh/authorized_keys

and change their ownership to this user:

chown -R username:username /home/username/.ssh

On the client side, you need to specify the location of the private key for authentication:

ssh-add DIR_PATH/keylocation

Now you can log in to the server under that user name using this key:

ssh [username]@hostname

After authorization, you can use the scp command to copy files, or mount a remote file system or directory over SSH.

It is important to make several backup copies of the private key, because if you disable password authentication and then lose the key, you will have no way to log in to your server.

As mentioned above, root authentication must be disabled in SSH (which is why we created the new user).

On CentOS / Red Hat, find the line PermitRootLogin yes in the config file /etc/ssh/sshd_config and change it to:

PermitRootLogin no

On Ubuntu, add the line PermitRootLogin no to the drop-in config file 10-my-sshd-settings.conf (the redirect has to run as root, so tee is used instead of a plain sudo echo):

echo "PermitRootLogin no" | sudo tee -a /etc/ssh/sshd_config.d/10-my-sshd-settings.conf

After confirming that the new user authenticates with their key, you can disable password authentication to remove the risk of password leakage or brute force. Now, to get into the server, an attacker would have to obtain the private key.

On CentOS / Red Hat, find the line PasswordAuthentication yes in the config file /etc/ssh/sshd_config and change it to:

PasswordAuthentication no

On Ubuntu, add the line PasswordAuthentication no to the same file 10-my-sshd-settings.conf:

echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config.d/10-my-sshd-settings.conf
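A check worth running after editing these files, as an added example that is not from the original article: sshd applies the first value it reads for each keyword, and on Ubuntu the drop-ins are read before the rest of sshd_config in lexical order, which is why the 10- prefix matters when cloud-init has left a 50-cloud-init.conf behind. The script builds a constructed config tree under mktemp (an assumption, not a real host) and does not model Match blocks.

```shell
# Added example, not code from the original article. sshd keeps the FIRST
# value it reads for a keyword, and Ubuntu's sshd_config begins with
# "Include /etc/ssh/sshd_config.d/*.conf", read in lexical (glob) order,
# so 10-my-sshd-settings.conf is read before 50-cloud-init.conf and wins.
set -eu
# effective_value <config-file> <Keyword>: print the value sshd would use,
# or fail if the keyword is not set anywhere.
effective_value() {
    local cfg="$1" key line k v inc
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line; [ $# -gt 0 ] || continue   # unquoted: splits words, expands the Include glob
        k=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case "$k" in '#'*) continue ;; esac
        if [ "$k" = include ]; then
            shift
            for inc in "$@"; do                   # glob results arrive sorted
                [ -f "$inc" ] || continue
                if v=$(effective_value "$inc" "$key"); then
                    printf '%s\n' "$v"; return 0
                fi
            done
        elif [ "$k" = "$key" ]; then
            printf '%s\n' "${2:-}"; return 0
        fi
    done < "$cfg"
    return 1
}
# audit_sshd <config-file>: succeed only when root login and password
# authentication are both effectively off. When a keyword is absent, sshd's
# defaults apply: PermitRootLogin prohibit-password, PasswordAuthentication yes.
audit_sshd() {
    local rl pa
    rl=$(effective_value "$1" PermitRootLogin || echo prohibit-password)
    pa=$(effective_value "$1" PasswordAuthentication || echo yes)
    echo "PermitRootLogin=$rl PasswordAuthentication=$pa"
    [ "$rl" = no ] && [ "$pa" = no ]
}
# make_sample_tree: constructed config tree mimicking an Ubuntu host where
# cloud-init left "PasswordAuthentication yes" in 50-cloud-init.conf.
make_sample_tree() {
    local d; d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\nPermitRootLogin yes\nPasswordAuthentication yes\n' \
        "$d" > "$d/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$d/sshd_config.d/10-my-sshd-settings.conf"
    printf '%s\n' "$d"
}
```

On a real host, `sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication'` prints the effective values directly, and `sudo sshd -t` validates the syntax before you reload the daemon while keeping your current session open.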

For details on setting up two-factor authentication over SSH, see here.

Firewall

A firewall ensures that only traffic to the ports you have explicitly allowed reaches the server. This protects against exploitation of ports accidentally opened by other services, which greatly reduces the attack surface.

Before setting up the firewall, make sure SSH is on the allow list and will not be blocked. Otherwise, once the firewall is started, we will not be able to connect to the server.

The Ubuntu distribution ships with Uncomplicated Firewall (ufw), and CentOS/Red Hat with firewalld.

Allowing SSH through the firewall on Ubuntu:

sudo ufw allow ssh

On CentOS/Red Hat, use the firewall-cmd command:

sudo firewall-cmd --zone=public --add-service=ssh --permanent

After this step, you can start the firewall.

On CentOS/Red Hat, start the firewalld systemd service:

sudo systemctl start firewalld
sudo systemctl enable firewalld

On Ubuntu we use this command:

sudo ufw enable

Fail2Ban

The Fail2Ban service analyzes the logs on the server and counts the number of access attempts from each IP address. The settings define how many attempts are allowed within a given time span, after which the IP address is blocked for a set period. For example, we could allow 5 failed SSH authentication attempts within two hours and then ban that IP address for 2 hours.

Installing Fail2Ban on CentOS and Red Hat:

sudo yum install fail2ban

Installing on Ubuntu and Debian:

sudo apt install fail2ban

Starting it:

systemctl start fail2ban
systemctl enable fail2ban

The program has two configuration files: /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf. The ban rules are described in the second file.

The jail for SSH is enabled by default with the default settings (5 attempts, 10-minute window, 10-minute ban):

[DEFAULT]
ignorecommand =
bantime  = 10m
findtime = 10m
maxretry = 5

Besides SSH, Fail2Ban can protect other services, such as the nginx or Apache web server.
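The counting rule described above, reproduced over a constructed log excerpt as an added example (this is not Fail2Ban's own code): an address is listed once it reaches maxretry failures inside a sliding findtime window, using the article's 5-attempts-in-2-hours policy. Timestamps are simplified to epoch seconds, the log lines and addresses are made up, and jail_local prints the equivalent override that Fail2Ban reads from /etc/fail2ban/jail.local.

```shell
# Added example, not Fail2Ban's own code: the per-IP counting rule of the
# sshd jail, emulated with awk. An IP is reported once it has >= MAXRETRY
# failures inside a sliding window of FINDTIME seconds.
set -eu
MAXRETRY=5
FINDTIME=7200   # 2 hours, the article's example policy
# Constructed sample log: "<epoch> sshd[pid]: Failed password for <user> from <ip> ..."
SAMPLE_LOG='1700000000 sshd[101]: Failed password for invalid user admin from 203.0.113.10 port 51122 ssh2
1700000100 sshd[102]: Failed password for root from 203.0.113.10 port 51123 ssh2
1700000200 sshd[103]: Failed password for root from 203.0.113.10 port 51124 ssh2
1700000300 sshd[104]: Failed password for root from 203.0.113.10 port 51125 ssh2
1700000400 sshd[105]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
1700000500 sshd[106]: Failed password for root from 203.0.113.10 port 51126 ssh2
1700000600 sshd[107]: Failed password for root from 198.51.100.7 port 40001 ssh2
1700010000 sshd[108]: Failed password for root from 198.51.100.7 port 40002 ssh2
1700020000 sshd[109]: Failed password for root from 198.51.100.7 port 40003 ssh2
1700030000 sshd[110]: Failed password for root from 198.51.100.7 port 40004 ssh2
1700040000 sshd[111]: Failed password for root from 198.51.100.7 port 40005 ssh2'
# offenders <maxretry> <findtime>: read a log on stdin and print, once each,
# the IPs that reached <maxretry> failures within any <findtime>-second window.
offenders() {
    awk -v max="$1" -v win="$2" '
        /Failed password/ {
            ip = $0; sub(/.* from /, "", ip); sub(/ port.*/, "", ip)
            n[ip]++; t[ip, n[ip]] = $1
            c = 0                      # failures from this IP inside the window ending now
            for (i = n[ip]; i >= 1 && t[ip, i] > $1 - win; i--) c++
            if (c >= max && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}
# jail_local: the same policy as a Fail2Ban override (overrides belong in
# jail.local, which is read after jail.conf and survives package upgrades).
jail_local() {
    printf '[sshd]\nenabled = true\nmaxretry = %s\nfindtime = 2h\nbantime = 2h\n' "$MAXRETRY"
}
# Run against the sample: only 203.0.113.10 trips the 5-in-2h rule; the
# slow attacker at 198.51.100.7 spaces attempts more than 2h apart.
printf '%s\n' "$SAMPLE_LOG" | offenders "$MAXRETRY" "$FINDTIME"
```

With a longer findtime the slow attacker is caught too, which is the trade-off the findtime setting expresses.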

Automatic security updates

As you know, new vulnerabilities are constantly being found in all software. As soon as the details are published, the exploit is added to popular exploit packs, which are used en masse by attackers and teenagers scanning every server in turn. Therefore it is very important to install security updates as soon as they appear.

On an Ubuntu server, automatic security updates are enabled by default, so nothing more needs to be done.

On CentOS/Red Hat, install the dnf-automatic utility and enable its timer:

sudo dnf upgrade
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timer

To check the timer:

sudo systemctl status dnf-automatic.timer

Changing the default ports

SSH was created in 1995 to replace telnet (port 23) and ftp (port 21), so the author of the program, Tatu Ylönen, chose port 22 as the default, and IANA approved it.

Naturally, every attacker knows which port SSH runs on, and scans it along with all the other standard ports to determine the software version, try root passwords, and so on.

Changing the standard ports (obfuscation) reduces the amount of junk traffic, the size of the logs and the load on the server several times over, and also reduces the attack surface. Some, however, criticize this approach as "security through obscurity". The reasoning is that the technique contradicts the principles of fundamental architectural security. For example, the US National Institute of Standards and Technology, in its "Server Security Guide", points to the need for an open server architecture: "The security of a system should not depend on the secrecy of the implementation of its components," the document says.

In theory, changing the default ports goes against the practice of open architecture. But in practice the volume of malicious traffic is reduced, so it is a simple and effective measure.

The port number can be set by changing the Port 22 directive in the config file /etc/ssh/sshd_config. It can also be passed to sshd with the -p <port> parameter. The SSH client and the sftp program also support the -p <port> option.

The -p <port> option is used to specify the port number when connecting with the ssh command on Linux. In sftp and scp the -P <port> parameter (capital P) is used. A command-line option overrides any value in the configuration files.

If there are many servers, almost all of this work to secure a Linux server can be scripted. But if there is only one server, it is better to do it by hand.



Source: www.habr.com