Linux server security. What you should do first

Habib M'henni/Wikimedia Commons, CC BY-SA

These days, spinning up a server with a hosting provider is a matter of a few minutes and a few mouse clicks. But the moment it is up, it finds itself in a hostile environment, because it is exposed to the entire Internet like an innocent girl at a biker disco. Scanners will find it quickly, and so will thousands of automated bots that comb the network looking for vulnerabilities and misconfigurations. There are a few things you should do right after launch to put basic protection in place.


Non-root user

The first step is to create a non-root user for yourself. The point is that root has unrestricted rights on the system, and if you allow remote administration as root, you have done half of the attacker's work for them by handing them a valid username; all that is left to guess is the password.

So you need to create another user and disable remote SSH administration for root.

A new user is created with the useradd command:

useradd [options] <username>

Then a password is set for it with the passwd command:

passwd <username>

Finally, the user must be added to the group that is allowed to run privileged commands via sudo. Which group that is depends on the Linux distribution. For example, on CentOS and Red Hat the user is added to the wheel group:

usermod -aG wheel <username>

On Ubuntu, to the sudo group:

usermod -aG sudo <username>
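The steps above as one script, added here as an example (it is not code from the original article). It picks the sudo group from the distribution's os-release ID, refuses usernames that useradd would reject, and verifies the group membership after the change instead of trusting usermod blindly. The privileged part runs only when invoked with --apply as root; the helper functions can be exercised without root.

```shell
#!/bin/sh
# Added example: create a non-root admin account on Ubuntu/Debian or CentOS/RHEL.
# Only create_admin_user touches the system, and it runs only when asked with --apply.

# Map the ID= field of /etc/os-release to the distribution's sudo-capable group.
sudo_group_for() {
    case "$1" in
        ubuntu|debian)                      echo sudo ;;
        centos|rhel|rocky|almalinux|fedora) echo wheel ;;
        *) return 1 ;;
    esac
}

# Accept only names useradd itself accepts: lowercase start, then [a-z0-9_-], max 32 chars.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Create the user, add it to the right group and verify the membership.
# Must run as root. $1 = username, $2 = os-release ID (defaults to the local one).
create_admin_user() {
    user=$1
    distro=${2:-$(. /etc/os-release && echo "$ID")}
    valid_username "$user" || { echo "invalid username: $user" >&2; return 1; }
    group=$(sudo_group_for "$distro") || { echo "unknown distribution: $distro" >&2; return 1; }

    id "$user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$user"
    passwd "$user"                      # interactive; use chpasswd when automating
    usermod -aG "$group" "$user"

    # Confirm the group really shows up for the account before relying on sudo.
    id -nG "$user" | tr ' ' '\n' | grep -qx "$group" \
        || { echo "$user is not in $group" >&2; return 1; }
    echo "$user can now use sudo via group $group"
}

# Usage (as root): sh create-admin.sh --apply alice
if [ "${1:-}" = "--apply" ]; then
    create_admin_user "$2"
fi
```

The membership check matters because usermod -aG silently does nothing useful if the group name is wrong for the distribution, and you would only find out when sudo refuses the new user after root login has already been disabled.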

Keys instead of SSH passwords

Brute force and password leaks are a common attack vector, so it is better to disable password authentication for SSH (Secure Shell) entirely and use key-based authentication instead.

There are several implementations of the SSH protocol, such as lsh and Dropbear, but by far the most widespread is OpenSSH. To install the OpenSSH client on Ubuntu:

sudo apt install openssh-client

To install the server:

sudo apt install openssh-server

To start the SSH daemon (sshd) on an Ubuntu server (the unit is called ssh there; sshd is accepted as an alias):

sudo systemctl start sshd

To start the daemon automatically on every boot:

sudo systemctl enable sshd

Note that the OpenSSH server package includes the client component. That is, with openssh-server installed you can also connect to other servers. Moreover, from your client machine you can open an SSH tunnel from the remote server to a third-party host, and that third party will see the remote server as the origin of the requests. This is a very handy feature for hiding your own system. See the article "Practical tips, examples and SSH tunnels" for details.

On a client machine it usually makes no sense to install the full server, precisely to rule out the possibility of remote connections to the computer (for security reasons).

So, for your new user, start by generating SSH keys on the computer from which you will access the server (ssh-keygen -t ed25519 gives a shorter and faster key on any reasonably recent OpenSSH; if you must stay with RSA, add -b 4096):

ssh-keygen -t rsa

The public key is stored in the .pub file and looks like a string of random characters beginning with ssh-rsa (or ssh-ed25519 for an Ed25519 key):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ3GIJzTX7J6zsCrywcjAM/7Kq3O9ZIvDw2OFOSXAFVqilSFNkHlefm1iMtPeqsIBp2t9cbGUf55xNDULz/bD/4BCV43yZ5lh0cUYuXALg9NI29ui7PEGReXjSpNwUD6ceN/78YOK41KAcecq+SS0bJ4b4amKZIJG3JWm49NWvoo0hdM71sblF956IXY3cRLcTjPlQ84mChKL1X7+D645c7O4Z1N3KtL7l5nVKSG81ejkeZsGFzJFNqvr5DuHdDL5FAudW23me3BDmrM9ifUmt1a00mWci/1qUlaVFft085yvVq7KZbF2OP2NQACUkwfwh+iSTP username@hostname

Then, as root on the server, create the SSH directory in the user's home directory and add the public key to the authorized_keys file there, using a text editor such as Vim:

mkdir -p /home/username/.ssh && touch /home/username/.ssh/authorized_keys

vim /home/username/.ssh/authorized_keys

Finally, set the correct permissions on the directory and file (with the default StrictModes yes, sshd ignores an authorized_keys file that is group- or world-writable):

chmod 700 /home/username/.ssh && chmod 600 /home/username/.ssh/authorized_keys

and hand ownership to that user:

chown -R username:username /home/username/.ssh

On the client side, load the private key into the ssh-agent so it is offered for authentication (or pass it explicitly with ssh -i):

ssh-add DIR_PATH/keylocation

Now you can log in to the server as that user with this key:

ssh [username]@hostname

After authenticating, you can use scp to copy files, or sshfs to mount a remote file system or directory.

Keep several backup copies of the private key (and protect it with a passphrase), because once password authentication is disabled, losing the key means you have no way into your server at all.
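The key-installation steps above, as an added example (not code from the original article): one function that appends a public key to authorized_keys only if it is not already there, sets the permissions sshd's StrictModes requires, and chowns the directory when running as root. It works on any home directory path, so it can be tried in a temporary directory without root. The public key in the usage comment is constructed for the example and is not a real key.

```shell
#!/bin/sh
# Added example: install a public key idempotently with the permissions sshd enforces.

# Accept a single well-formed public key line: key type, base64 blob, optional comment.
valid_pubkey() {
    printf '%s' "$1" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# $1 = home directory, $2 = public key line, $3 = owner (chown happens only as root).
install_authorized_key() {
    home=$1; key=$2; owner=${3:-}
    valid_pubkey "$key" || { echo "refusing to install malformed key" >&2; return 1; }
    mkdir -p "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    # Append only if this exact line is not present yet, so re-running is harmless.
    grep -qxF "$key" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    # With StrictModes yes (the default) sshd ignores the file if these are looser.
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$owner" "$home/.ssh"
    fi
}

# Number of keys installed, ignoring blank and comment lines.
count_authorized_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys"
}

# Usage (as root), with a constructed key for illustration:
#   sh install-key.sh --apply /home/alice \
#     'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKeyExampleOnlyNotAReal alice@laptop' alice
if [ "${1:-}" = "--apply" ]; then
    install_authorized_key "$2" "$3" "$4"
fi
```

If a login still fails after this, the first thing to check is ownership: a .ssh directory created by root but never chowned is the classic reason sshd refuses the key while the permission bits look right.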

As mentioned above, root login over SSH must be disabled (which is why we created the new user in the first place).

On CentOS / Red Hat, find the line PermitRootLogin yes in the config file /etc/ssh/sshd_config and change it to:

PermitRootLogin no

On Ubuntu (20.04 and later, where sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf), add the line PermitRootLogin no to the drop-in file 10-my-sshd-settings.conf. Note that "sudo echo ... >> file" does not work, because the redirection is performed by your unprivileged shell, not by sudo; pipe through tee instead:

echo "PermitRootLogin no" | sudo tee -a /etc/ssh/sshd_config.d/10-my-sshd-settings.conf

Once you have confirmed that the new user can log in with the key, you can disable password authentication altogether, eliminating the risk of a leaked or brute-forced password. From now on, to reach the server an attacker would have to obtain the private key.

On CentOS / Red Hat, find the line PasswordAuthentication yes in /etc/ssh/sshd_config and change it to:

PasswordAuthentication no

On Ubuntu, add the line PasswordAuthentication no to the same drop-in file 10-my-sshd-settings.conf:

echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config.d/10-my-sshd-settings.conf

Before reloading sshd, validate the configuration with sshd -t, and keep your current session open until you have confirmed a fresh key-based login in a second terminal.
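The sshd changes above as an added example (not code from the original article). Two points a practitioner wants here: sshd takes the first occurrence of a keyword, not the last, so a drop-in only wins because Ubuntu includes sshd_config.d at the top of sshd_config, and a typo in the file will stop sshd from reloading, so validate first. sshd_first_match reproduces the first-match rule over plain files (Match blocks are not modelled; sshd -T is the authority on a live system); apply_hardening is the root-only procedure.

```shell
#!/bin/sh
# Added example: write the hardening drop-in, check the effective value, validate, reload.

# The drop-in that disables root login and every password-style method.
hardening_dropin() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
}

# First-match-wins lookup of a keyword across config files, given in the order sshd
# reads them (Included drop-ins first on Ubuntu). Case-insensitive, skips comments,
# prints the value or nothing if the keyword is absent (sshd then uses its default).
sshd_first_match() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    cat "$@" | awk -v kw="$kw" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == kw { print $2; exit }'
}

# Root-only: write the drop-in, refuse to reload on a syntax error, show the result.
apply_hardening() {
    conf=/etc/ssh/sshd_config.d/10-my-sshd-settings.conf
    hardening_dropin > "$conf"
    sshd -t || { echo "sshd config invalid, not reloading" >&2; return 1; }
    sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication) '   # effective values
    systemctl reload ssh        # Ubuntu unit name; sshd is accepted as an alias
}

# Usage (as root): sh harden-sshd.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_hardening
fi
```

On CentOS/Red Hat without a sshd_config.d directory, edit the existing lines in /etc/ssh/sshd_config instead of appending: an appended PermitRootLogin no after an earlier PermitRootLogin yes is silently ignored, which sshd_first_match demonstrates when the files are passed in the other order.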

For instructions on enabling two-factor authentication over SSH, see here.

Firewall

A firewall ensures that only traffic to the ports you have explicitly allowed reaches the server. This protects against ports opened by mistake by other services and greatly reduces the attack surface.

Before enabling the firewall, make sure SSH is on the allow list and will not be blocked. Otherwise, after starting the firewall, you will not be able to connect to the server.

Ubuntu ships with Uncomplicated Firewall (ufw), CentOS/Red Hat with firewalld.

To allow SSH through the firewall on Ubuntu:

sudo ufw allow ssh

On CentOS/Red Hat, use the firewall-cmd command:

sudo firewall-cmd --zone=public --add-service=ssh --permanent

(If firewalld is already running, follow this with sudo firewall-cmd --reload so the permanent rule takes effect.) After this, the firewall can be started.

On CentOS/Red Hat, start the systemd service for firewalld:

sudo systemctl start firewalld
sudo systemctl enable firewalld

On Ubuntu we use the following command:

sudo ufw enable

Fail2Ban

The Fail2Ban service analyses the logs on the server and counts the number of access attempts from each IP address. The settings define how many attempts are allowed within a given period, after which that IP address is blocked for a set time. For example, allow 5 failed SSH authentication attempts within 2 hours, then block the IP address for 12 hours.

To install Fail2Ban on CentOS and Red Hat:

sudo yum install fail2ban

To install on Ubuntu and Debian:

sudo apt install fail2ban

Start it:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

The program has two configuration files: /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf. The ban rules are set in the second one. Do not edit jail.conf directly, since a package upgrade overwrites it; put your overrides in /etc/fail2ban/jail.local, which takes precedence.

On Ubuntu and Debian the sshd jail is enabled out of the box with the default settings (5 attempts, 10-minute window, 10-minute ban); on other distributions enable it explicitly with enabled = true in an [sshd] section.

[DEFAULT]
ignorecommand =
bantime  = 10m
findtime = 10m
maxretry = 5

Besides SSH, Fail2Ban can protect other services, such as the nginx or Apache web servers.
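The counting rule described in this section, run over sample log lines, plus the jail.local that encodes the same rule (5 failures within 2 hours, 12-hour ban). This is an added example, not code from the original article or from the Fail2Ban project: the log lines are constructed for the example (journalctl -o short-iso style timestamps, all on one day so that plain POSIX awk can turn them into seconds), and fail2ban_sim implements only the sliding-window count, not the actual banning.

```shell
#!/bin/sh
# Added example: simulate Fail2Ban's maxretry/findtime rule over constructed sshd log lines.

# Constructed sample: one fast brute-forcer, one user who mistypes twice, and one
# slow attacker spacing attempts 45 minutes apart to stay under the 2-hour window.
SAMPLE_AUTH_LOG='2024-05-01T10:00:05+0000 srv sshd[1201]: Failed password for root from 203.0.113.5 port 40110 ssh2
2024-05-01T10:00:09+0000 srv sshd[1201]: Failed password for root from 203.0.113.5 port 40110 ssh2
2024-05-01T10:01:12+0000 srv sshd[1208]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
2024-05-01T10:02:40+0000 srv sshd[1210]: Failed password for invalid user admin from 203.0.113.5 port 40131 ssh2
2024-05-01T10:03:01+0000 srv sshd[1215]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2: ED25519 SHA256:constructedfingerprint
2024-05-01T10:04:33+0000 srv sshd[1219]: Failed password for root from 203.0.113.5 port 40140 ssh2
2024-05-01T10:10:00+0000 srv sshd[1230]: Failed password for alice from 198.51.100.7 port 50010 ssh2
2024-05-01T10:10:08+0000 srv sshd[1230]: Failed password for alice from 198.51.100.7 port 50010 ssh2
2024-05-01T11:00:00+0000 srv sshd[1302]: Failed password for root from 192.0.2.9 port 3001 ssh2
2024-05-01T11:45:00+0000 srv sshd[1350]: Failed password for root from 192.0.2.9 port 3002 ssh2
2024-05-01T12:30:00+0000 srv sshd[1402]: Failed password for root from 192.0.2.9 port 3003 ssh2
2024-05-01T13:15:00+0000 srv sshd[1455]: Failed password for root from 192.0.2.9 port 3004 ssh2
2024-05-01T14:00:00+0000 srv sshd[1503]: Failed password for root from 192.0.2.9 port 3005 ssh2'

# $1 = maxretry, $2 = findtime in seconds. Reads log lines on stdin and prints each
# IP once, at the failure that brings its count within the window up to maxretry.
fail2ban_sim() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            split($1, dt, "T"); split(dt[2], hms, ":")
            now = hms[1] * 3600 + hms[2] * 60 + substr(hms[3], 1, 2)   # seconds since midnight
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            n[ip]++; t[ip, n[ip]] = now
            c = 0
            for (i = 1; i <= n[ip]; i++) if (t[ip, i] > now - findtime) c++
            if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# The jail.local that expresses the rule from the text; jail.conf itself is left alone.
jail_local() {
    cat <<'EOF'
[DEFAULT]
bantime  = 12h
findtime = 2h
maxretry = 5

[sshd]
enabled = true
EOF
}

# Usage: printf '%s\n' "$SAMPLE_AUTH_LOG" | fail2ban_sim 5 7200
#        jail_local | sudo tee /etc/fail2ban/jail.local && sudo systemctl restart fail2ban
```

Running the sample with the defaults from the text (5 attempts, 2 hours) bans only 203.0.113.5; 192.0.2.9 never has more than three failures inside any 2-hour window, which is exactly the blind spot a longer findtime or a lower maxretry closes, at the cost of banning the legitimate user who mistyped twice.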

Automatic security updates

As you know, new vulnerabilities are constantly being found in every program. Once the details are published, an exploit is added to the popular exploit packs that criminals and script kiddies use to sweep through every server in turn. That is why it is so important to install security updates as soon as they appear.

On an Ubuntu server, automatic security updates are enabled by default through unattended-upgrades, so no further action is needed; you can confirm this with systemctl status unattended-upgrades.

On CentOS/Red Hat you need to install the dnf-automatic utility and enable its timer. Note that out of the box dnf-automatic only downloads updates: /etc/dnf/automatic.conf ships with apply_updates = no, so set it to yes (and optionally upgrade_type = security to apply only security fixes) or nothing will actually be installed:

sudo dnf upgrade
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timer

To check the timer:

sudo systemctl status dnf-automatic.timer
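The dnf-automatic configuration step, as an added example (not code from the original article): set_ini_value changes one key inside one section of an ini-style file, replacing it in place or appending it at the end of that section, and get_ini_value reads it back, so the edit can be checked on a copy before touching /etc/dnf/automatic.conf. The sample configuration in the usage comment is a constructed excerpt.

```shell
#!/bin/sh
# Added example: turn dnf-automatic from "download only" into "apply security updates".

# $1 = file, $2 = section, $3 = key, $4 = value. Replaces the key within the section,
# or appends it at the section's end if missing; other sections are left untouched.
set_ini_value() {
    file=$1; section=$2; key=$3; value=$4
    tmp=$(mktemp)
    awk -v s="$section" -v k="$key" -v v="$value" '
        /^[[:space:]]*\[/ {
            if (in_s && !done) { print k " = " v; done = 1 }
            in_s = ($0 ~ "^[[:space:]]*\\[" s "\\][[:space:]]*$")
        }
        in_s && !done && $0 ~ "^[[:space:]]*" k "[[:space:]]*=" { print k " = " v; done = 1; next }
        { print }
        END { if (in_s && !done) print k " = " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"     # cat keeps the original owner and mode
    rm -f "$tmp"
}

# $1 = file, $2 = section, $3 = key. Prints the value, or nothing if absent.
get_ini_value() {
    awk -v s="$2" -v k="$3" '
        /^[[:space:]]*\[/ { in_s = ($0 ~ "^[[:space:]]*\\[" s "\\][[:space:]]*$"); next }
        in_s && $0 ~ "^[[:space:]]*" k "[[:space:]]*=" { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# Root-only, CentOS/RHEL: install, make it actually apply security updates, enable the timer.
configure_dnf_automatic() {
    dnf install -y dnf-automatic
    set_ini_value /etc/dnf/automatic.conf commands upgrade_type security
    set_ini_value /etc/dnf/automatic.conf commands apply_updates yes
    systemctl enable --now dnf-automatic.timer
    get_ini_value /etc/dnf/automatic.conf commands apply_updates   # expect "yes"
}

# Usage (as root): sh dnf-auto.sh --apply
# Constructed excerpt of the stock file, for reference:
#   [commands]
#   upgrade_type = default
#   download_updates = yes
#   apply_updates = no
if [ "${1:-}" = "--apply" ]; then
    configure_dnf_automatic
fi
```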

Changing the default ports

SSH was developed in 1995 to replace telnet (port 23) and ftp (port 21), so the program's author, Tatu Ylönen, chose the free port 22 between them, and it was registered with IANA.

Naturally, every attacker knows which port SSH runs on and probes it along with the other standard ports to fingerprint the software version, try common passwords, and so on.

Changing the standard ports (obfuscation) cuts the volume of junk traffic, the size of the logs and the load on the server several times over, and also shrinks the attack surface. Some, however, criticise this as "security through obscurity", because the technique contradicts a basic principle of secure design. For instance, the US National Institute of Standards and Technology, in its "Guide to General Server Security", stresses the need for an open server architecture: "System security should not depend on the secrecy of the implementation or its components," the document says.

In theory, changing the default ports goes against open design. In practice, the amount of malicious traffic really does drop, so it is a simple and effective measure, as long as it is treated as noise reduction on top of keys, a firewall and Fail2Ban rather than a substitute for them; a targeted port scan will still find the service.

The port number is set with the Port 22 directive in the config file /etc/ssh/sshd_config. On the client side, ssh takes the port with -p <port>, while scp and sftp use -P <port> (capital P). A port given on the command line overrides any value in the configuration files.
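The firewall and port-change sections together, as an added example (not code from the original article): moving sshd to a non-default port is where people lock themselves out, so the order here is open the new port in whichever firewall is present, label it for SELinux on CentOS/Red Hat, switch sshd only after sshd -t passes, and close port 22 only once a login on the new port has been verified from a second terminal. port_ok is the only part that runs without root; the assumed drop-in name 20-port.conf is this example's choice.

```shell
#!/bin/sh
# Added example: move sshd to a new port without losing access.

# Accept an unprivileged, in-range port that is not the default.
port_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] && [ "$1" -ne 22 ]
}

# True if something already listens on TCP port $1 (ss from iproute2).
port_in_use() {
    ss -ltn | awk 'NR > 1 { print $4 }' | grep -Eq "[:.]$1\$"
}

# Open a TCP port in ufw or firewalld, whichever is installed.
firewall_allow_port() {
    if command -v ufw >/dev/null 2>&1; then
        ufw allow "$1/tcp"
    elif command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --add-port="$1/tcp" && firewall-cmd --reload
    else
        echo "no supported firewall found" >&2; return 1
    fi
}

# Root-only. $1 = new port. Keep your current session open until step 3 is verified.
move_ssh_port() {
    new=$1
    port_ok "$new" || { echo "bad port: $new" >&2; return 1; }
    if port_in_use "$new"; then echo "port $new already in use" >&2; return 1; fi

    # 1. Firewall first, so the new listener is reachable the moment sshd moves.
    firewall_allow_port "$new"
    # On SELinux systems sshd may only bind to ports labelled ssh_port_t.
    if command -v semanage >/dev/null 2>&1; then
        semanage port -a -t ssh_port_t -p tcp "$new" || true   # already labelled is fine
    fi
    # 2. Change the port via a drop-in where sshd_config.d exists, else edit sshd_config.
    if [ -d /etc/ssh/sshd_config.d ]; then
        printf 'Port %s\n' "$new" > /etc/ssh/sshd_config.d/20-port.conf
    else
        sed -i "s/^#\{0,1\}Port .*/Port $new/" /etc/ssh/sshd_config
    fi
    sshd -t || { echo "sshd config invalid, not reloading" >&2; return 1; }
    systemctl reload sshd
    # 3. Confirm the listener, then test "ssh -p $new user@host" from ANOTHER terminal.
    port_in_use "$new" || { echo "sshd is not listening on $new" >&2; return 1; }
    echo "verify a new login on port $new, then close 22 with:"
    echo "  ufw delete allow ssh   or   firewall-cmd --permanent --remove-service=ssh && firewall-cmd --reload"
}

# Usage (as root): sh move-port.sh --apply 2222
if [ "${1:-}" = "--apply" ]; then
    move_ssh_port "$2"
fi
```

The old rule is removed by hand rather than by the script on purpose: until a second session has authenticated on the new port, port 22 is your only way back in if anything above went wrong.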

If you run many servers, almost all of these steps for securing a Linux server can be automated. But if there is only one server, it is better to go through the process by hand.


Source: www.habr.com