ProHoster > Ibhulogi > Ulawulo > Sukuvula amazibuko emhlabeni - uya kwaphulwa (imingcipheko)

Sukuvula amazibuko emhlabeni - uya kwaphulwa (imingcipheko)

Sukuvula amazibuko emhlabeni - uya kwaphulwa (imingcipheko)

Ixesha kunye nexesha, emva kokwenza uphicotho-zincwadi, ekuphenduleni iziphakamiso zam zokufihla amachweba emva koluhlu olumhlophe, ndidibana nodonga lokungaqondi. Kwanabaphathi abapholileyo / i-DevOps bayabuza: "Kutheni?!?"

Ndicebisa ukuba kuthathelwe ingqalelo imingcipheko ekuhlayo okunokwenzeka kokwenzeka kunye nomonakalo.

  1. Impazamo yoqwalaselo
  2. DDoS phezu IP
  3. Amandla akhohlakeleyo
  4. Ubuthathaka benkonzo
  5. Ubuthathaka besitaki seKernel
  6. Ukwanda kohlaselo lweDDoS

Impazamo yoqwalaselo

Eyona meko iqhelekileyo kunye neyingozi. Kwenzeka njani. Umphuhlisi kufuneka avavanye ngokukhawuleza i-hypothesis; umisela iseva yethutyana kunye ne-mysql/redis/mongodb/elastic. Igama eliyimfihlo, ngokuqinisekileyo, liyinkimbinkimbi, ulisebenzisa kuyo yonke indawo. Ivula inkonzo kwihlabathi-ilungele ukuba aqhagamshele kwiPC yakhe ngaphandle kwezi VPNs zakho. Kwaye ndonqena ukukhumbula iptables syntax; umncedisi wethutyana. Iintsuku ezimbalwa ezingakumbi zophuhliso-kwaye kwaba kuhle, sinokuyibonisa kumthengi. Umthengi uyayithanda, akukho xesha lokuyenza kwakhona, siyisungula kwiPROD!

Umzekelo ubaxiwe ngabom ukuze uhambe kuyo yonke iraki:

  1. Akukho nto isigxina kunexeshana-andithandi eli binzana, kodwa ngokweemvakalelo, i-20-40% yaloo maseva ahlala ixesha elide.
  2. Igama eliyimfihlo elintsonkothileyo elisetyenziswa kwiinkonzo ezininzi libi. Ngenxa yokuba enye yeenkonzo apho le phasiwedi isetyenziswe khona inokuba igqekeziwe. Indlela enye okanye enye, ugcino-lwazi lweenkonzo eziqhekeziweyo zingena kwenye, esetyenziselwa [i-brute force]*.
    Kufanelekile ukongeza ukuba emva kofakelo, i-redis, i-mongodb kunye ne-elastic zifumaneka ngokubanzi ngaphandle kokuqinisekiswa, kwaye zihlala zizaliswa kwakhona. ingqokelela yogcino-lwazi oluvulekileyo.
  3. Kungabonakala ngathi akukho mntu uya kujonga izibuko lakho le-3306 kwiintsuku ezimbalwa. Yinkohliso! I-Masscan siskena esigqwesileyo kwaye sinokuskena kumazibuko ayi-10M ngomzuzwana. Kwaye kukho iibhiliyoni ezi-4 kuphela ze-IPv4 kwi-Intanethi. Ngokufanelekileyo, onke amazibuko angama-3306 kwi-Intanethi afumaneka kwimizuzu esi-7. Charles!!! Imizuzu esixhenxe!
    "Ngubani ofuna oku?" -uyachasa. Ke ndothuswa xa ndijonga izibalo zeepakethe eziwisiweyo. I-40 yamawaka eenzame zokuskena ezivela kwi-3 yamawaka e-IP ekhethekileyo zivela phi ngosuku? Ngoku wonke umntu uyaskena, ukusuka kubahlaseli bakamama ukuya koorhulumente. Kulula kakhulu ukujonga - thatha nayiphi na i-VPS ye-3-5 yeedola ukusuka kuyo nayiphi na inqwelomoya yexabiso eliphantsi **, vumela ukugawulwa kweepakethi eziwisiweyo kwaye ujonge kwilog ngosuku.

Ukuvumela ukungena

Kwi /etc/iptables/rules.v4 yongeza ukuya ekupheleni:
-A IINPUT -j LOG --log-prefix "[FW - ZONKE] " --log-level 4

Kwaye kwi /etc/rsyslog.d/10-iptables.conf
:msg,iqulathe,"[FW - "/var/log/iptables.log
& Yeka

DDoS phezu IP

Ukuba umhlaseli uyayazi i-IP yakho, unokuqweqwedisa iseva yakho iiyure ezininzi okanye iintsuku. Ayinabo bonke ababoneleli ngexabiso eliphantsi lokubamba abanokhuseleko lwe-DDoS kwaye iseva yakho iya kukhutshwa ngokulula kwinethiwekhi. Ukuba ufihle iseva yakho emva kwe-CDN, ungalibali ukutshintsha i-IP, ngaphandle koko i-hacker iya ku-google kwaye i-DDoS iseva yakho idlula i-CDN (impazamo ethandwa kakhulu).

Ubuthathaka benkonzo

Yonke isoftware eyaziwayo ngokukhawuleza okanye kamva ifumana iimpazamo, nezona zivavanyiweyo nezibalulekileyo. Phakathi kweengcali ze-IB, kukho i-half-joke - ukhuseleko lweziseko zophuhliso lunokuhlolwa ngokukhuselekileyo ngexesha lokuhlaziywa kokugqibela. Ukuba isiseko sakho sityebile kumazibuko aphuma kwihlabathi, kwaye awukahlaziyi unyaka, ke nayiphi na ingcali yezokhuseleko iya kukuxelela ngaphandle kokujonga ukuba uyavuza, kwaye kusenokwenzeka ukuba sele uqhekeziwe.
Kukwafanelekile ukukhankanya ukuba bonke ubuthathaka obaziwayo babekhe bangaziwa. Khawucinge nge-hacker efumene ubuthathaka obunjalo kwaye yahlola yonke i-Intanethi ngemizuzu ye-7 ngenxa yobukho bayo ... Nantsi intsholongwane entsha yentsholongwane) Kufuneka sihlaziye, kodwa oku kunokulimaza imveliso, utsho. Kwaye uya kuba ulungile ukuba iipakethe azifakwanga kwiindawo zokugcina ezisemthethweni ze-OS. Ukususela kumava, uhlaziyo oluvela kwindawo yokugcina esemthethweni alufane luyiphule imveliso.

Amandla akhohlakeleyo

Njengoko kuchaziwe ngasentla, kukho i-database enesiqingatha sebhiliyoni yamagama ayimfihlo alungele ukuchwetheza kwikhibhodi. Ngamanye amagama, ukuba awuvelisanga igama eligqithisiweyo, kodwa uchwetheze iisimboli ezikufutshane kwibhodi yezitshixo, qiniseka* ukuba ziyakukubhidanisa.

Ubuthathaka besitaki seKernel.

Kuyenzeka kwakhona **** ukuba akukhathaliseki nokuba yeyiphi inkonzo evula izibuko, xa istaki sothungelwano sekernel ngokwaso sisengozini. Oko kukuthi, ngokuqinisekileyo nayiphi na isokethi ye-tcp/udp kwinkqubo yeminyaka emibini ubudala ichaphazeleka kubuthathaka obukhokelela kwi-DDoS.

Ukwanda kohlaselo lweDDoS

Ayiyi kubangela nawuphi na umonakalo othe ngqo, kodwa inokuvala ishaneli yakho, yandise umthwalo kwinkqubo, i-IP yakho iya kugqiba kuluhlu oluthile olumnyama *****, kwaye uya kufumana ukuxhatshazwa kwi-host.

Ngaba ngokwenene ufuna zonke ezi ngozi? Yongeza ikhaya lakho kunye ne-IP yomsebenzi kuluhlu olumhlophe. Nokuba inamandla, ngena ngephaneli yomphathi we-host, ngekhonsoli yewebhu, kwaye wongeze enye.

Ndakha kwaye ndikhusela iziseko ze-IT iminyaka eyi-15. Ndiphuhlise umthetho endiwucebisa ngamandla kuye wonke umntu- akukho zibuko kufuneka lincame kwihlabathi ngaphandle koluhlu olumhlophe.

Umzekelo, eyona ikhuselekileyo iseva yewebhu*** yileyo ivula i-80 kunye ne-443 kuphela kwi-CDN/WAF. Kwaye izibuko zenkonzo (ssh, netdata, bacula, phpmyadmin) kufuneka ubuncinane emva koluhlu olumhlophe, kwaye ngcono emva kweVPN. Kungenjalo, uzibeka esichengeni.

Nantso kuphela into ebendifuna ukuyithetha. Gcina amazibuko akho evaliwe!

  • (1) UPD1: kuyinto Ungajonga igama lokugqitha lakho elipholileyo jikelele (sukwenza oku ngaphandle kokubuyisela eli gama lokugqitha ngerandom kuzo zonke iinkonzo), nokuba ivele kwisiseko sedatha esidityanisiweyo. Kwaye apha ungabona ukuba zingaphi iinkonzo ezigqekeziweyo, apho i-imeyile yakho yafakwa khona, kwaye, ngokufanelekileyo, ufumanise ukuba igama lakho eliyimfihlo elipholileyo liye lathotywa.
  • (2) Kwityala leAmazon, iLightSail ineskena esincinci. Ngokucacileyo bayayihluza ngandlela ithile.
  • (3) Umncedisi wewebhu okhuselekileyo ngakumbi nguye osemva kwe-firewall ezinikeleyo, i-WAF yayo, kodwa sithetha ngeVPS yoluntu / eZinikezelweyo.
  • (4) Segmentsmak.
  • (5) I-Firehol.

Ngabasebenzisi ababhalisiweyo kuphela abanokuthatha inxaxheba kuphando. Ngena, ndiyacela.

Ngaba amazibuko akho ayaphuma?

  • Ngamaxesha onke

  • Ngamanye amaxesha

  • Ungaze

  • Andazi, mka

Bangama-54 abasebenzisi abavotileyo. Abasebenzisi abali-6 abakhange.

umthombo: www.habr.com

Yongeza izimvo