Securing a Linux server. What to do first

Habib M'henni/Wikimedia Commons, CC BY-SA

Nowadays, setting up a server at a hosting provider is a matter of a few minutes and a few mouse clicks. But the moment it is launched it finds itself in a hostile environment, because it is exposed to the whole Internet like an innocent girl at a rocker disco. It will quickly be found by scanners and by the thousands of automated bots crawling the network in search of vulnerabilities and misconfigurations. There are a few things you should do right after launch to ensure basic protection.


Non-root user

The first thing to do is to create a non-root user. The point is that the root user has full access to the system, and if you also allow it to administer the machine remotely, you have done half of the hacker's work for them by leaving them a valid username.

Therefore, you need to create another user and disable remote administration over SSH for root.

A new user is created with the useradd command:

useradd [options] <username>

Then set a password for it with the passwd command:

passwd <username>

Finally, this user needs to be added to a group that has the right to run commands with elevated privileges via sudo. Depending on the Linux distribution, these are different groups. For example, on CentOS and Red Hat the user is added to the wheel group:

usermod -aG wheel <username>

On Ubuntu it is added to the sudo group:

usermod -aG sudo <username>
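As an added example (not part of the article), the three steps above as one script that picks the right sudo group from /etc/os-release, so the same script works on both families the article mentions and on their derivatives; the function names and the overridable file path are my own.

```sh
# Detect the admin group from the distribution family. $1 is ID and $2 is
# ID_LIKE from /etc/os-release, so derivatives (Rocky, Alma, Mint) still map.
admin_group_for() {
    case " $1 $2 " in
        *" ubuntu "*|*" debian "*)              echo sudo ;;
        *" rhel "*|*" centos "*|*" fedora "*)   echo wheel ;;
        *) return 1 ;;                          # unknown family: do not guess
    esac
}

# Read ID and ID_LIKE from an os-release file (path overridable for testing).
admin_group() {
    _f="${1:-/etc/os-release}"
    _id=$(sed -n 's/^ID=//p' "$_f" | tr -d '"')
    _like=$(sed -n 's/^ID_LIKE=//p' "$_f" | tr -d '"')
    admin_group_for "$_id" "$_like"
}

# Create the user with a home directory, set its password, and grant sudo
# through the group rather than by editing /etc/sudoers. Run as root.
create_admin() {
    _user="$1"
    _grp=$(admin_group) || { echo "unsupported distribution" >&2; return 1; }
    useradd -m -s /bin/bash "$_user"
    passwd "$_user"
    usermod -aG "$_grp" "$_user"
    id "$_user"        # the group should appear in the output
}
```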

SSH keys instead of passwords

Brute force or a leaked password is a standard attack vector, so it is better to disable password authentication in SSH (Secure Shell) and use key authentication instead.

There are several programs implementing the SSH protocol, such as lsh and dropbear, but the most popular is OpenSSH. Install the OpenSSH client on Ubuntu:

sudo apt install openssh-client

Install the server:

sudo apt install openssh-server

Start the SSH daemon (sshd) on the Ubuntu server:

sudo systemctl start sshd

Start the daemon automatically on every boot:

sudo systemctl enable sshd

Note that the OpenSSH server package includes the client. That is, with openssh-server you can connect to other servers as well. Moreover, from your client machine you can open an SSH tunnel from a remote server to a third host, and that third host will then see the remote server as the source of the requests. A very convenient feature for masking your machine. For details, see the article "Practical tips, examples and SSH tunnels".

There is usually no need to install the full server on the client machine; not doing so also rules out remote connections to that computer (for security reasons).

So, for your new user, first generate SSH keys on the computer from which you will access the server:

ssh-keygen -t rsa

The public key is stored in a .pub file and looks like a string of random characters beginning with ssh-rsa:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ3GIJzTX7J6zsCrywcjAM/7Kq3O9ZIvDw2OFOSXAFVqilSFNkHlefm1iMtPeqsIBp2t9cbGUf55xNDULz/bD/4BCV43yZ5lh0cUYuXALg9NI29ui7PEGReXjSpNwUD6ceN/78YOK41KAcecq+SS0bJ4b4amKZIJG3JWm49NWvoo0hdM71sblF956IXY3cRLcTjPlQ84mChKL1X7+D645c7O4Z1N3KtL7l5nVKSG81ejkeZsGFzJFNqvr5DuHdDL5FAudW23me3BDmrM9ifUmt1a00mWci/1qUlaVFft085yvVq7KZbF2OP2NQACUkwfwh+iSTP username@hostname

Then, as root, create an .ssh directory on the server in the new user's home directory and add the public SSH key to the authorized_keys file using a text editor such as Vim:

mkdir -p /home/username/.ssh && touch /home/username/.ssh/authorized_keys

vim /home/username/.ssh/authorized_keys

Finally, set the correct permissions on the directory and the file:

chmod 700 /home/username/.ssh && chmod 600 /home/username/.ssh/authorized_keys

and change the owner to the new user:

chown -R username:username /home/username/.ssh

On the client side, you need to specify the location of the private key for authentication:

ssh-add DIR_PATH/keylocation

Now you can log in to the server as that user using this key:

ssh [username]@hostname

After authentication you can use the scp command to copy files, or the sshfs utility to mount a remote file system or directory.

It is recommended to keep backup copies of the private key, because if you disable password authentication and then lose the key, you will have no way to log in to your own server.

As mentioned above, you need to disable SSH authentication for root (that is why we created a new user).

On CentOS/Red Hat, find the line PermitRootLogin yes in the configuration file /etc/ssh/sshd_config and change it to:

PermitRootLogin no

On Ubuntu, add the line PermitRootLogin no to the configuration file 10-my-sshd-settings.conf (the redirection itself needs root privileges, so the line is appended with tee rather than with sudo echo):

echo "PermitRootLogin no" | sudo tee -a /etc/ssh/sshd_config.d/10-my-sshd-settings.conf

Once you have verified that the new user can authenticate with their key, you can disable password authentication to remove the risk of a leaked or brute-forced password. From now on, an attacker needs the private key to access the server.

On CentOS/Red Hat, find the line PasswordAuthentication yes in the configuration file /etc/ssh/sshd_config and change it to:

PasswordAuthentication no

On Ubuntu, add the line PasswordAuthentication no to the file 10-my-sshd-settings.conf:

echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config.d/10-my-sshd-settings.conf
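Whether these lines take effect depends on a rule the article does not spell out: sshd keeps the first value it reads for a keyword, and Ubuntu's sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, which is why the drop-in file wins over settings further down in the main file while a line appended after an existing setting is ignored. The function below is an added example, not code from the article; it emulates that rule over a configuration tree (file path is a parameter) so the effective values can be reviewed offline.

```sh
# Return the effective value of one sshd keyword: sshd keeps the FIRST value
# it reads for a keyword, and Include lines are expanded where they appear.
# Only the global section is considered (scanning stops at the first Match).
# Usage: sshd_effective KEYWORD [CONFIG_FILE]   (default /etc/ssh/sshd_config)
sshd_effective() {
    _key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    _cfg="${2:-/etc/ssh/sshd_config}"
    while read -r _k _v; do
        case "$_k" in ''|'#'*) continue ;; esac     # blank or comment line
        _kl=$(printf '%s' "$_k" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        [ "$_kl" = match ] && break
        if [ "$_kl" = include ]; then
            for _inc in $_v; do                      # unquoted on purpose: expand the glob
                case "$_inc" in /*) ;; *) _inc="/etc/ssh/$_inc" ;; esac
                [ -f "$_inc" ] || continue
                _r=$(sshd_effective "$_key" "$_inc") && { echo "$_r"; return 0; }
            done
        elif [ "$_kl" = "$_key" ]; then
            echo "$_v"; return 0
        fi
    done < "$_cfg"
    return 1      # not set anywhere in the tree: sshd's built-in default applies
}
```

On the host itself, `sudo sshd -T` prints the authoritative effective configuration, and a change only applies after `sudo systemctl restart sshd`.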

For instructions on using two-factor authentication with SSH, see here.

Firewall

A firewall ensures that only traffic on the ports you have explicitly allowed reaches the server. This protects against the exploitation of ports that other services may have opened by accident, which greatly reduces the attack surface.

Before setting up a firewall, you must make sure SSH is on the list of exceptions and will not be blocked. Otherwise, once the firewall is started, we will no longer be able to connect to the server.

Ubuntu ships with Uncomplicated Firewall (ufw), and CentOS/Red Hat with firewalld.

Allow SSH through the firewall on Ubuntu:

sudo ufw allow ssh

On CentOS/Red Hat we use the firewall-cmd command:

sudo firewall-cmd --zone=public --add-service=ssh --permanent

After this, you can start the firewall.

On CentOS/Red Hat we start the systemd service for firewalld:

sudo systemctl start firewalld
sudo systemctl enable firewalld

On Ubuntu we use this command:

sudo ufw enable

Fail2Ban

The Fail2Ban service analyzes the server logs and counts the number of access attempts from each IP address. Its settings define rules for how many access attempts are allowed within a given interval, after which that IP address is blocked for a given period. For example, we allow 5 failed SSH authentication attempts within a 2-hour window, after which we block that IP address for 12 hours.

Install Fail2Ban on CentOS and Red Hat:

sudo yum install fail2ban

Install on Ubuntu and Debian:

sudo apt install fail2ban

Start it:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

The program has two configuration files: /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf. The ban rules are specified in the second file.

The jail for SSH is enabled by default with the default settings (5 attempts, 10-minute window, 10-minute ban):

[DEFAULT]
ignorecommand =
bantime = 10m
findtime = 10m
maxretry = 5
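The article's own numbers (5 failures in 2 hours, 12-hour ban) as a jail.local override, written by an added shell function that is not from the article: jail.conf is replaced on package upgrades, so overrides belong in jail.local, and the port must match the one sshd actually listens on. The output path, port and exempt address are parameters so the function can be tried on a scratch file first.

```sh
# Write /etc/fail2ban/jail.local. $1 = output path, $2 = SSH port (the ban
# must target the port sshd really listens on; "ssh" resolves to 22 via
# /etc/services), $3 = an address never to ban, e.g. the workstation you
# administer from, so a typo in your own password cannot lock you out.
write_sshd_jail() {
    _out="${1:-/etc/fail2ban/jail.local}"; _port="${2:-ssh}"; _safe="${3:-}"
    cat > "$_out" <<EOF
[DEFAULT]
# never ban loopback or the administrator's own address
ignoreip = 127.0.0.1/8 ::1${_safe:+ $_safe}

[sshd]
enabled  = true
port     = $_port
maxretry = 5
findtime = 2h
bantime  = 12h
EOF
}

# Read one key back from the INI-style file to confirm what was written.
jail_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1"
}
```

After writing the file, `sudo fail2ban-client reload` applies it and `sudo fail2ban-client status sshd` lists the currently banned addresses.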

Besides SSH, Fail2Ban can protect other services on the server, such as the nginx or Apache web server.

Automatic security updates

As you know, new vulnerabilities are constantly being found in every program. Once the information is published, exploits are added to popular exploit packs, which are used en masse by hackers and teenagers scanning every server in a row. Therefore, it is very important to install security updates as soon as they appear.

On an Ubuntu server, automatic security updates are enabled by default, so no additional steps are required.

On CentOS/Red Hat you need to install the dnf-automatic application and enable the timer:

sudo dnf upgrade
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timer

Check the timer:

sudo systemctl status dnf-automatic.timer
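One caveat the article skips: with the stock /etc/dnf/automatic.conf, dnf-automatic.timer only downloads updates (apply_updates = no). The helper below is an added example, not from the article; it sets apply_updates and restricts upgrade_type to security advisories, with the config path as a parameter so it can be tried on a scratch copy.

```sh
# Edit the two keys in the [commands] section of automatic.conf.
#   upgrade_type  = security -> security advisories only, not every update
#   apply_updates = yes      -> actually install instead of download-only
set_dnf_automatic() {
    _conf="${1:-/etc/dnf/automatic.conf}"
    sed -i \
        -e 's/^upgrade_type[[:space:]]*=.*/upgrade_type = security/' \
        -e 's/^apply_updates[[:space:]]*=.*/apply_updates = yes/' "$_conf"
}

# Read a key back from the file to confirm the edit took effect.
dnf_conf_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1"
}

# Full sequence on CentOS/Red Hat (run as root): install, configure, enable.
enable_security_updates() {
    dnf install -y dnf-automatic
    set_dnf_automatic
    systemctl enable --now dnf-automatic.timer
    systemctl status dnf-automatic.timer --no-pager
}
```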

Switching to non-standard ports

SSH was created in 1995 to replace telnet (port 23) and ftp (port 21), which is why the program's author, Tatu Ylönen, chose port 22 as the default, and IANA approved it.

Naturally, every attacker knows which port SSH runs on and scans it along with the other standard ports to determine the software version, try standard root passwords, and so on.

Changing the standard ports (obfuscation) reduces the amount of junk traffic, the size of the logs and the load on the server several times over, and also reduces the attack surface. Some, however, criticize this approach as "security through obscurity", on the grounds that it contradicts the principles of architectural security. For example, the US National Institute of Standards and Technology's "Guide to General Server Security" calls for an open network architecture: "The security of a system should not depend on the secrecy of the implementation of its components," the document says.

In theory, changing ports contradicts the practice of open architecture. But in practice the amount of malicious traffic really does decrease, so it is a simple and effective measure.

The port number is configured by changing the Port 22 directive in the configuration file /etc/ssh/sshd_config. On the client side it is given by the -p <port> parameter of ssh; sftp takes a port parameter as well.

The -p <port> parameter specifies the port number when connecting with the ssh command on Linux. In sftp and scp the parameter is -P <port> (capital P). A value given on the command line overrides any value in the configuration files.
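For the firewall section's rule (allow SSH before the firewall can block it) and the port change described here, as one added script that is not from the article: open the new port first, write the Port drop-in, check the configuration with `sshd -t`, and only then restart. It assumes sshd_config includes /etc/ssh/sshd_config.d as in the Ubuntu layout used above (on systems without that directory, edit the Port line in sshd_config instead), and the SELinux step only applies where semanage is present.

```sh
# Accept only a numeric port in range that no other service claims in
# /etc/services (file path overridable so this can be checked offline).
valid_ssh_port() {
    _p="$1"; _svc="${2:-/etc/services}"
    case "$_p" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_p" -ge 1 ] && [ "$_p" -le 65535 ] || return 1
    ! grep -Eq "^[^#[:space:]]+[[:space:]]+$_p/tcp" "$_svc"
}

# Move sshd to the new port without losing access: firewall (and SELinux)
# first, then a drop-in, then a syntax check, and only then a restart.
change_ssh_port() {
    _p="$1"
    valid_ssh_port "$_p" || { echo "rejected port: $_p" >&2; return 1; }
    if command -v ufw >/dev/null; then
        sudo ufw allow "$_p/tcp"
    elif command -v firewall-cmd >/dev/null; then
        sudo firewall-cmd --permanent --add-port="$_p/tcp" && sudo firewall-cmd --reload
    fi
    # With SELinux enforcing, sshd may only bind ports labelled ssh_port_t.
    command -v semanage >/dev/null && sudo semanage port -a -t ssh_port_t -p tcp "$_p"
    # Include sits at the top of sshd_config, so the drop-in wins over a later Port 22.
    printf 'Port %s\n' "$_p" | sudo tee /etc/ssh/sshd_config.d/20-port.conf >/dev/null
    # A config error would stop sshd from starting at all; check before restarting.
    if ! sudo sshd -t; then
        sudo rm -f /etc/ssh/sshd_config.d/20-port.conf
        return 1
    fi
    sudo systemctl restart sshd
    echo "now verify from another terminal: ssh -p $_p <username>@<host>"
}
```

Keep the current session open until `ssh -p <port>` from a second terminal succeeds. Ubuntu releases from 22.10 onward start sshd through ssh.socket, where the listening port is set with `systemctl edit ssh.socket` (ListenStream=) rather than in sshd_config.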

If there are many servers, almost all of these steps to secure a Linux server can be automated in a script. But if there is only one server, it is better to control the process by hand.



Source: www.habr.com