Habib M'henni/Wikimedia Commons, CC BY-SA

Maalmahan, kor u qaadista server-ka martigelinta waa arrin ku saabsan dhowr daqiiqo iyo dhowr jiir oo gujis ah. Laakiin isla markiiba ka dib markii la bilaabay, wuxuu isku arkaa inuu ku jiro jawi colaadeed, sababtoo ah wuxuu u furan yahay internetka oo dhan sida gabadh aan waxba galabsan oo ku jirta riwaayad dhagax ah. Sawir-qaadayaashu waxay si dhakhso ah u heli doonaan oo ay ogaan doonaan kumanaan bots si toos ah u qoran kuwaas oo indha-indheynaya shabakada raadinaya baylahda iyo qaabeynta khaldan. Waxaa jira dhowr waxyaalood oo ay tahay inaad sameyso isla markaaba ka dib bilawga si aad u hubiso ilaalinta aasaasiga ah.

Tusmo

• Isticmaale aan xidid lahayn
• Furayaasha halkii laga isticmaali lahaa furayaasha sirta ah ee SSH
• firewall
• Fail2Ban
• Cusbooneysiinta amniga tooska ah
• Beddelida dekedaha caadiga ah

Isticmaale aan xidid lahayn

Talaabada ugu horeysa waa inaad naftaada u abuurto isticmaale aan xidid lahayn. Ujeedadu waa in isticmaalaha root mudnaanta buuxda ee nidaamka, iyo haddii aad u ogolaato isaga maamulka fog, markaas waxaad samayn doontaa kala badh shaqada ee Hackers, tegaayo username ansax ah isaga.

Sidaa darteed, waxaad u baahan tahay inaad abuurto isticmaale kale, oo aad joojiso maamulka fog ee SSH ee xididka.

Isticmaale cusub ayaa lagu bilaabay amarka useradd:

useradd [options] <username>

Kadibna waxaa lagu daraa furaha sirta ah ee amarka leh passwd:

passwd <username>

Ugu dambeyntii, isticmaalehan wuxuu u baahan yahay in lagu daro koox xaq u leh inay fuliyaan amarrada sare sudo. Iyadoo ku xiran qaybinta Linux, kuwani waxay noqon karaan kooxo kala duwan. Tusaale ahaan, gudaha CentOS iyo Koofiyada Cas, isticmaalaha waxaa lagu daraa kooxda wheel:

usermod -aG wheel <username>

Ubuntu waxaa lagu daraa kooxda sudo:

usermod -aG sudo <username>

Furayaasha halkii laga isticmaali lahaa furayaasha sirta ah ee SSH

Xoogagga sirta ah ama sirta sirta ah ee daadanaya waa halbeegga weerarka caadiga ah, marka waxaa fiican in la joojiyo xaqiijinta erayga sirta ah ee SSH (Secure Shell) oo beddelka la isticmaalo aqoonsiga furaha.

Waxaa jira barnaamijyo kala duwan oo loogu talagalay hirgelinta nidaamka SSH, sida lsh и dharbaaxo, laakiin kan ugu caansan waa OpenSSH. Ku rakibida macmiilka OpenSSH ee Ubuntu:

sudo apt install openssh-client

Rakibaadda adeegaha:

sudo apt install openssh-server

Laga bilaabo SSH daemon (sshd) ee server-ka Ubuntu:

sudo systemctl start sshd

Si toos ah ugu billow daemonka boot kasta:

sudo systemctl enable sshd

Waa in la ogaadaa in qaybta server-ka ee OpenSSH ay ku jirto qaybta macmiilka. Taasi waa, iyada oo loo marayo openssh-server waxaad ku xidhi kartaa server kale. Waxaa intaa dheer, laga bilaabo mashiinkaaga macmiilka, waxaad ka bilaabi kartaa tunnel SSH ee server fog ilaa martigeliyaha qolo saddexaad, ka dibna kooxda saddexaad waxay u tixgelin doontaa server-ka fog inuu yahay isha codsiyada. Muuqaal aad u anfacaya oo lagu qarinayo nidaamkaaga. Faahfaahinta ka eeg maqaalka "Talooyin wax ku ool ah, Tusaalayaal, iyo Tunnels SSH".

Mashiinka macmiilka, badanaa macno ma samaynayso in lagu rakibo server buuxa si looga hortago suurtagalnimada xiriirinta fog ee kombuyuutarka (sababo ammaan dartood).

Marka, isticmaalehaaga cusub, waxaad marka hore u baahan tahay inaad soo saarto furayaasha SSH kumbuyuutarka oo aad ka geli doonto server-ka:

ssh-keygen -t rsa

Furaha guud waxa lagu kaydiyaa fayl .pub oo u eg xarfo xarfo random ah oo ku bilaabma ssh-rsa.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ3GIJzTX7J6zsCrywcjAM/7Kq3O9ZIvDw2OFOSXAFVqilSFNkHlefm1iMtPeqsIBp2t9cbGUf55xNDULz/bD/4BCV43yZ5lh0cUYuXALg9NI29ui7PEGReXjSpNwUD6ceN/78YOK41KAcecq+SS0bJ4b4amKZIJG3JWm49NWvoo0hdM71sblF956IXY3cRLcTjPlQ84mChKL1X7+D645c7O4Z1N3KtL7l5nVKSG81ejkeZsGFzJFNqvr5DuHdDL5FAudW23me3BDmrM9ifUmt1a00mWci/1qUlaVFft085yvVq7KZbF2OP2NQACUkwfwh+iSTP username@hostname

Kadib, xididka hoostiisa, ka samee tusaha SSH ee serverka ku jira tusaha guriga isticmaalaha oo ku dar furaha guud ee SSH faylka authorized_keys, adoo isticmaalaya tifaftiraha qoraalka sida Vim:

mkdir -p /home/user_name/.ssh && touch /home/user_name/.ssh/authorized_keys

vim /home/user_name/.ssh/authorized_keys

Ugu dambeyntii, deji oggolaanshaha saxda ah ee faylka:

chmod 700 /home/user_name/.ssh && chmod 600 /home/user_name/.ssh/authorized_keys

oo u beddel lahaanshaha isticmaalahan:

chown -R username:username /home/username/.ssh

Dhinaca macmiilka, waxaad u baahan tahay inaad qeexdo goobta furaha sirta ah ee xaqiijinta:

ssh-add DIR_PATH/keylocation

Hadda waxaad geli kartaa server-ka hoostiisa isticmaalaha adigoo isticmaalaya furahan:

ssh [username]@hostname

Oggolaanshaha ka dib, waxaad isticmaali kartaa amarka scp si aad u nuqul ka sameyso, utility shfs in meel fog laga rakibo nidaamka faylka ama hagaha.

Waxaa lagugula talinayaa inaad sameyso koobi dhowr ah oo furaha gaarka ah, sababtoo ah haddii aad joojiso xaqiijinta erayga sirta ah oo aad lumiso, markaa ma heli doontid waddo aad ku gasho server-kaaga gabi ahaanba.

Sida kor ku xusan, gudaha SSH waxaad u baahan tahay inaad joojiso aqoonsiga xididka (tani waa sababta aan u bilownay isticmaale cusub).

On CentOS/Koofiyadda Cas waxaan ka heleynaa khadka PermitRootLogin yes ee faylka config /etc/ssh/sshd_config oo beddel:

PermitRootLogin no

On Ubuntu ku dar khadka PermitRootLogin no ku shub faylka config 10-my-sshd-settings.conf:

sudo echo "PermitRootLogin no" >> /etc/ssh/sshd_config.d/10-my-sshd-settings.conf

Ka dib markii la xaqiijiyo in isticmaaleha cusub uu ku xaqiijinayo furihiisa, waxaad joojin kartaa xaqiijinta erayga sirta ah si aad meesha uga saarto khatarta furaha sirta ah Hadda, si loo galo server-ka, weeraryahanku wuxuu u baahan doonaa inuu helo fure gaar ah.

On CentOS/Koofiyadda Cas waxaan ka heleynaa khadka PasswordAuthentication yes ee faylka config /etc/ssh/sshd_config una beddel sidatan:

PasswordAuthentication no

On Ubuntu ku dar khadka PasswordAuthentication no in la xareeyo 10-my-sshd-settings.conf:

sudo echo "PasswordAuthentication no" >> /etc/ssh/sshd_config.d/10-my-sshd-settings.conf

Si aad u hesho tilmaamo ku saabsan suurtagelinta aqoonsiga laba-factor ee SSH, eeg halkan.

firewall

Firewall-ku wuxuu hubinayaa in kaliya taraafikada dekedaha aad si toos ah u ogolaato inay aadi doonto server-ka. Tani waxay ka ilaalinaysaa ka faa'iidaysiga dekedaha si lama filaan ah ugu suurtagashay adeegyada kale, taas oo si weyn u yaraynaysa dusha weerarka.

Kahor intaadan rakibin firewall, waxaad u baahan tahay inaad hubiso in SSH ay ku jirto liiska ka saarida oo aan la xannibi doonin. Haddii kale, ka dib markii la bilaabo firewall-ka, ma awoodi doono in ay ku xidhmaan server ka.

Qaybinta Ubuntu waxay la socotaa Firewall aan dhib lahayn (ufw), oo wata CentOS/Koofiyad Cas - dab-damis.

Oggolaanshaha SSH gudaha Ubuntu:

sudo ufw allow ssh

On CentOS/Koofiyadda Cas isticmaal amarka firewall-cmd:

sudo firewall-cmd --zone=public --add-service=ssh --permanent

Nidaamkan ka dib, waxaad bilaabi kartaa firewall-ka.

Korka CentOS/Koofiyadda Cas, ka billow adeegga habaysan ee dab-damiska:

sudo systemctl start firewalld
sudo systemctl enable firewalld

On Ubuntu waxaan isticmaalnaa amarka soo socda:

sudo ufw enable

Fail2Ban

adeegga Fail2Ban waxay falanqaysaa diiwaannada server-ka waxayna tirisaa tirada isku dayga gelitaanka cinwaanka IP kasta. Nidaamyadu waxay qeexayaan xeerarka inta jeer ee isku-dayga gelitaanka ee loo oggol yahay muddo cayiman - ka dib markaa cinwaanka IP-ga waa la xannibay muddo cayiman. Tusaale ahaan, aan ogolaano 5 isku day xaqiijinta SSH ah oo guuldaraystay 2 saacadood gudahood, ka dibna xannibo ciwaanka IP-ga ee la bixiyay 12 saacadood.

Ku rakibida Fail2Ban ee CentOS iyo Koofiyada Cas:

sudo yum install fail2ban

Ku rakib Ubuntu iyo Debian:

sudo apt install fail2ban

Bilaw

systemctl start fail2ban
systemctl enable fail2ban

Barnaamijku waxa uu leeyahay laba habayn faylal: /etc/fail2ban/fail2ban.conf и /etc/fail2ban/jail.conf. Xayiraadaha mamnuucida waxay ku qeexan yihiin faylka labaad.

Jeel for SSH waa la dajiyay iyadoo la raacayo dejinta caadiga ah (5 isku day, 10 daqiiqo u dhexeeya, ganaax 10 daqiiqo ah).

[DEFAULT] iligcommand=bantime=10m Findtime=10m maxretry=5

Marka lagu daro SSH, Fail2Ban waxay ilaalin kartaa adeegyada kale ee nginx ama server-ka shabakadda Apache.

Cusbooneysiinta amniga tooska ah

Sida aad ogtahay, dayacanka cusub ayaa si joogto ah looga helaa dhammaan barnaamijyada. Ka dib marka xogta la daabaco, ka faa'iidaysigu waxa lagu daraa xidhmooyin faa'iido caan ah, kuwaas oo ay si weyn u isticmaalaan hackers-ka iyo dhalinyaradu marka ay iskaanayaan dhammaan server-yada isku xigta. Sidaa darteed, aad bay muhiim u tahay in la rakibo cusbooneysiinta amniga isla marka ay soo baxaan.

Ubuntu Server-ku waxa uu leeyahay cusboonaysiinta amniga oo toos ah oo si toos ah loo kartiyeeyay, markaa tallaabo dheeraad ah looma baahna.

On CentOS/Koofiyadda Cas waxaad u baahan tahay inaad ku rakibto codsiga dnf-automatic ah oo shid saacadda:

sudo dnf upgrade
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timer

Hubinta wakhtiga:

sudo systemctl status dnf-automatic.timer

Beddelida dekedaha caadiga ah

SSH waxaa la sameeyay 1995 si loogu beddelo telnet (dekedda 23) iyo ftp (dekedda 21), sidaa darteed qoraaga barnaamijka, Tatu Iltonen dekedda 22 la doortay by default, waxaana ogolaatay IANA.

Dabcan, dhammaan weeraryahanadu way ka warqabaan dekedda SSH ay ku socoto - oo ku sawir inta ka hartay dekedaha caadiga ah si aad u ogaato nooca software, si loo hubiyo furaha sirta ah ee xididka, iyo wixii la mid ah.

Beddelka dekedaha caadiga ah - xannibaadda - dhowr jeer waxay yaraynaysaa tirada taraafikada qashinka, cabbirka qoryaha iyo culeyska server-ka, sidoo kale waxay yareysaa dusha weerarka. Inkastoo qaar dhaleeceeya habkan "ilaalinta mugdiga" (amniga oo mugdi ku jiro). Sababta ayaa ah in farsamadani ay ka soo horjeedo aasaaska ilaalinta naqshadaha. Sidaa darteed, tusaale ahaan, Machadka Heerarka iyo Tignoolajiyada Qaranka ee Maraykanka "Hagaha Amniga Adeegga" waxay muujinaysaa baahida loo qabo qaab-dhismeedka server-ka furan: "Nabadgelyada nidaamku waa inaanay ku tiirsanayn sirta hirgelinta qaybihiisa," dukumeentigu wuxuu leeyahay.

Aragti ahaan, beddelidda dekedaha caadiga ah waxay ka soo horjeedaa dhaqanka dhismaha furan. Laakiin ficil ahaan, qadarka taraafikada xaasidnimada ah ayaa dhab ahaantii la dhimay, markaa tani waa qiyaas sahlan oo waxtar leh.

Lambarka dekedda waxaa lagu habeyn karaa iyadoo la beddelo dardaaranka Port 22 ee faylka config / etc / ssh / sshd_config. Waxa kale oo lagu tilmaamay halbeegga -p <port> в sshd. Macmiilka SSH iyo barnaamijyada sftp sidoo kale taageer doorashada -p <port>.

Xildhibaan -p <port> waxaa loo isticmaali karaa in lagu qeexo lambarka dekedda marka lagu xiro amarka ssh linux. IN sftp и scp parameter ayaa la isticmaalaa -P <port> (caasimadda P). Tilmaanta khadka talisku waxa uu meesha ka saarayaa qiima kasta oo ku jira faylalka habaynta.

Haddii ay jiraan adeegayaal badan, ku dhawaad ​​dhammaan tallaabooyinkan si loo ilaaliyo server-ka Linux waxaa si toos ah loogu samayn karaa qoraal. Laakiin haddii ay jirto hal server kaliya, markaa way fiicantahay in gacanta lagu xakameeyo habka.

Iidheh ahaan

Dalbo oo billow isla markiiba! Abuuritaanka VDS qaabeyn kasta iyo nidaam kasta oo ku shaqeeya hal daqiiqo gudaheed. Qaabaynta ugu badan waxay kuu ogolaanaysaa inaad si buuxda u soo baxdo - 128 CPU cores, 512 GB RAM, 4000 GB NVMe. Dhacdo 🙂

Source: www.habr.com