These days, bringing up a server at a hosting provider takes a few minutes and a few mouse clicks. But from the moment it starts it sits in a hostile environment, open to the entire Internet like an innocent girl at a rocker disco. Scanners find it within minutes, and so do the thousands of automated bots that continuously sweep the network for vulnerabilities and misconfigurations. There are a few things you should do right after launch to establish basic security.
Contents
Non-root user
SSH keys instead of passwords
Firewall
Fail2Ban
Automatic security updates
Changing the default ports
Non-root user
The first step is to create a non-root user for yourself. The point is that the root user has full rights on the system, and if you allow it to log in remotely you have done half of an attacker's job for them by handing them a valid username to attack.
So you need to create another user and disable remote SSH login for root.
A new user is created with the useradd command (the -m option also creates the home directory, which the next section relies on):
useradd [options] <username>
Then a password is set for it with the passwd command:
passwd <username>
Finally, this user must be added to the group that is allowed to run privileged commands through sudo. Which group that is depends on the Linux distribution. For example, on CentOS and Red Hat the user is added to the wheel group:
usermod -aG wheel <username>
On Ubuntu it is added to the sudo group:
usermod -aG sudo <username>
SSH keys instead of passwords
Brute force or a leaked password is the most common attack vector, so it is better to disable password authentication in SSH (Secure Shell) and use key-based authentication instead.
There are several implementations of the SSH protocol; the one used below is OpenSSH. Installing the OpenSSH client on Ubuntu:
sudo apt install openssh-client
Installing the server:
sudo apt install openssh-server
Starting the SSH daemon (sshd) on an Ubuntu server (the unit is named ssh on Ubuntu and sshd is an alias for it; the package also enables and starts it on installation):
sudo systemctl start sshd
Start the daemon automatically on every boot:
sudo systemctl enable sshd
Note that the OpenSSH server package includes the client part, that is, with openssh-server installed you can connect to other servers as well. Moreover, from your client machine you can open an SSH tunnel from a remote server to a third-party host, and that host will see the remote server as the source of the requests. A very handy feature for hiding your own system. See the article on tunnels for details.
On a client machine it usually makes no sense to install the full server: then no remote connection to the computer is possible at all, which is the safer state.
So, for your new user, first generate an SSH key pair on the computer from which you will access the server, and protect the private key with a passphrase when prompted. An ed25519 key (-t ed25519) is the modern choice; RSA works the same way, and current ssh-keygen versions default to 3072 bits:
ssh-keygen -t rsa
The public key is stored in a .pub file and looks like a string of seemingly random characters beginning with ssh-rsa:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ3GIJzTX7J6zsCrywcjAM/7Kq3O9ZIvDw2OFOSXAFVqilSFNkHlefm1iMtPeqsIBp2t9cbGUf55xNDULz/bD/4BCV43yZ5lh0cUYuXALg9NI29ui7PEGReXjSpNwUD6ceN/78YOK41KAcecq+SS0bJ4b4amKZIJG3JWm49NWvoo0hdM71sblF956IXY3cRLcTjPlQ84mChKL1X7+D645c7O4Z1N3KtL7l5nVKSG81ejkeZsGFzJFNqvr5DuHdDL5FAudW23me3BDmrM9ifUmt1a00mWci/1qUlaVFft085yvVq7KZbF2OP2NQACUkwfwh+iSTP username@hostname
Then, as root on the server, create the .ssh directory in the new user's home directory and add the public key to the authorized_keys file, using a text editor such as Vim:
mkdir -p /home/<username>/.ssh && touch /home/<username>/.ssh/authorized_keys
vim /home/<username>/.ssh/authorized_keys
Finally, set the correct file permissions (sshd refuses keys from a directory or file that is writable by anyone but the owner):
chmod 700 /home/<username>/.ssh && chmod 600 /home/<username>/.ssh/authorized_keys
and hand ownership to the user:
chown -R <username>:<username> /home/<username>/.ssh
On the client side, tell the agent which private key to use for authentication (ssh-add needs a running ssh-agent; the -i option of ssh, or an IdentityFile line in ~/.ssh/config, does the same without one):
ssh-add DIR_PATH/keylocation
Now you can log in to the server under that username using the key:
ssh <username>@hostname
After logging in you can also use the scp command to copy files, which is handy.
It is recommended to make several backup copies of the private key, because if you disable password authentication and then lose the key, you have no way into your server at all.
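The server-side steps of the two sections above (create the user, add it to the sudo group, install its key with the right modes) as one script. This is an added example, not code from the original article: the function names, the HARDEN_APPLY switch and the sample key in the usage line are assumptions; the group names and file modes are the ones the article gives. The key-installing part is safe to run as any user against a test directory, which is how it is exercised here.

```sh
#!/bin/sh
# Added example, not code from the original article: create the non-root
# admin user and install its SSH public key with the modes sshd insists on.
# Function names, the HARDEN_APPLY switch and the sample key in the usage
# line are assumptions.
set -eu

# Group that grants sudo on this distribution (wheel on the Red Hat family,
# sudo on Debian/Ubuntu, as in the article).
sudo_group_for() {        # sudo_group_for <os-release ID>
  case "$1" in
    ubuntu|debian) echo sudo ;;
    centos|rhel|rocky|almalinux|fedora) echo wheel ;;
    *) echo "unknown distribution: $1" >&2; return 1 ;;
  esac
}

detect_distro() {         # ID= field of /etc/os-release, e.g. ubuntu, centos
  sed -n 's/^ID=//p' /etc/os-release | tr -d '"'
}

# Append one public key to $home/.ssh/authorized_keys. sshd (StrictModes,
# the default) ignores keys in a directory or file that others can write,
# so the modes are forced to 700/600. Idempotent: a key that is already
# present is not added twice.
install_authorized_key() {   # install_authorized_key <home> "<pubkey line>"
  home=$1; pubkey=$2
  case "$pubkey" in
    "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp"*|"sk-"*) ;;
    *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
  esac
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
  [ -e "$home/.ssh/authorized_keys" ] || : > "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  grep -qxF "$pubkey" "$home/.ssh/authorized_keys" \
    || printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
}

# True when the modes are what sshd requires.
check_ssh_perms() {       # check_ssh_perms <home>
  [ "$(stat -c %a "$1/.ssh")" = 700 ] \
    && [ "$(stat -c %a "$1/.ssh/authorized_keys")" = 600 ]
}

# The server-side procedure from the article, end to end. Needs root, so it
# runs only when explicitly requested:
#   HARDEN_APPLY=1 sh harden-user.sh alice "ssh-ed25519 AAAA... alice@laptop"
create_admin_user() {     # create_admin_user <user> "<pubkey line>"
  user=$1; pubkey=$2
  group=$(sudo_group_for "$(detect_distro)")
  id "$user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$user"
  usermod -aG "$group" "$user"
  install_authorized_key "/home/$user" "$pubkey"
  chown -R "$user:$user" "/home/$user/.ssh"
  echo "now set a password for sudo prompts: passwd $user"
}

if [ "${HARDEN_APPLY:-0}" = 1 ]; then
  create_admin_user "$1" "$2"
fi
```

The key-type check matters more than it looks: pasting a private key, or a whole .pub file with a trailing comment line, into authorized_keys is a common mistake, and sshd silently skips lines it cannot parse, so the first sign of trouble is being locked out after password logins are turned off.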
As mentioned above, root login over SSH must be disabled (this is the reason we created the new user).
On CentOS / Red Hat, find the PermitRootLogin line in the configuration file /etc/ssh/sshd_config (uncomment it if it is commented out) and set it to:
PermitRootLogin no
On Ubuntu, add the line PermitRootLogin no to the drop-in file 10-my-sshd-settings.conf under /etc/ssh/sshd_config.d/. The redirection has to run with root rights too, which is why tee is used here: with sudo echo ... >> file the shell that opens the file is still unprivileged and the write fails:
echo "PermitRootLogin no" | sudo tee -a /etc/ssh/sshd_config.d/10-my-sshd-settings.conf
Once you have confirmed that the new user logs in with their key, you can disable password authentication, which removes the risk of a leaked or brute-forced password altogether. From then on, an attacker needs the private key to get into the server. Keep your current session open while you do this and test a fresh login from a second terminal before closing it, so that a mistake in the configuration does not lock you out.
On CentOS / Red Hat, find the PasswordAuthentication yes line in /etc/ssh/sshd_config and change it to:
PasswordAuthentication no
On Ubuntu, add the line PasswordAuthentication no to the same 10-my-sshd-settings.conf file:
echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config.d/10-my-sshd-settings.conf
In both cases, check the result with sudo sshd -t and reload sshd afterwards; the daemon reads its configuration only on start or reload.
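The CentOS and Ubuntu branches above as one script. This is an added example, not code from the original article: it writes the drop-in where sshd_config has an Include for sshd_config.d (Ubuntu 20.04 and later, RHEL 9) and otherwise edits the keywords in place, then validates with sshd -t before reloading. The drop-in name 10-my-sshd-settings.conf is the article's; the function names and the HARDEN_APPLY switch are assumptions, and only the root-only part waits for that switch.

```sh
#!/bin/sh
# Added example, not code from the original article: apply the settings
# above (no root login, no password login) in whichever way the installed
# sshd_config supports, validate, then reload. Function names and the
# HARDEN_APPLY switch are assumptions.
set -eu

DROPIN=/etc/ssh/sshd_config.d/10-my-sshd-settings.conf

# Does this sshd_config pull in sshd_config.d/*.conf? Ubuntu 20.04+ and
# RHEL 9 ship that Include; older CentOS/RHEL must be edited in place.
has_dropin_include() {    # has_dropin_include <sshd_config>
  grep -Eq '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config\.d/' "$1"
}

# The settings. For most keywords sshd keeps the FIRST value it reads, and
# the stock Include sits at the top of sshd_config, which is why a drop-in
# can override anything below it. ChallengeResponseAuthentication is the
# old, universally accepted name for keyboard-interactive auth; left on,
# PAM could still prompt for a password.
hardened_settings() {
  cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
}

write_dropin() {          # write_dropin <path>
  hardened_settings > "$1"
}

# Edit one keyword in an existing sshd_config: rewrites the active or
# commented line (also inside any Match block, so review those), or
# appends the keyword if it is absent.
set_sshd_option() {       # set_sshd_option <file> <Keyword> <value>
  f=$1; k=$2; v=$3
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$k[[:space:]]" "$f"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*$k[[:space:]].*|$k $v|" "$f"
  else
    printf '%s %s\n' "$k" "$v" >> "$f"
  fi
}

# What sshd itself resolves for a keyword (sshd -T prints lowercase; root).
effective() {             # effective <Keyword>
  sshd -T 2>/dev/null | awk -v k="$(echo "$1" | tr A-Z a-z)" '$1 == k {print $2}'
}

if [ "${HARDEN_APPLY:-0}" = 1 ]; then
  if has_dropin_include /etc/ssh/sshd_config; then
    write_dropin "$DROPIN"
  else
    hardened_settings | while read -r k v; do
      set_sshd_option /etc/ssh/sshd_config "$k" "$v"
    done
  fi
  sshd -t                 # never reload a broken config: that is a lockout
  systemctl reload sshd
  echo "passwordauthentication is now: $(effective PasswordAuthentication)"
fi
```

The numeric prefix of the drop-in is not decoration: files in sshd_config.d are read in name order and the first value wins, so 10- beats a later file such as cloud-init's 50-cloud-init.conf if that one re-enables passwords. sshd -T, run as root, is the authoritative check that the setting you wrote is the one in force.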
For instructions on setting up two-factor authentication over SSH, see the separate article on that topic.
Firewall
A firewall makes sure that only traffic to the ports you have explicitly allowed reaches the server. That protects against the exploitation of accidentally enabled ports and services and substantially reduces the attack surface.
Before enabling the firewall, make sure SSH is on the allow list and will not be blocked; otherwise, once the firewall starts, we will no longer be able to reach the server. Keep the current session open while you enable it and confirm that a fresh login works from a second terminal.
The Ubuntu distribution ships with Uncomplicated Firewall (ufw). Its default policy denies all incoming traffic except what you allow, so the single rule below is all that is needed for SSH.
To allow SSH through the firewall on Ubuntu:
sudo ufw allow ssh
On CentOS/Red Hat, use the firewall-cmd command (a stock firewalld already has ssh in the public zone, so this mainly confirms it; --permanent rules are written to disk and take effect when firewalld starts or after firewall-cmd --reload):
sudo firewall-cmd --zone=public --add-service=ssh --permanent
After this you can start the firewall.
On CentOS/Red Hat, start the firewalld systemd service:
sudo systemctl start firewalld
sudo systemctl enable firewalld
On Ubuntu we use the following command:
sudo ufw enable
Fail2Ban
The Fail2Ban service watches the log files on the server, counts failed login attempts per source address, and temporarily bans addresses that exceed the limit by adding a firewall rule.
Installing Fail2Ban on CentOS and Red Hat (the package comes from the EPEL repository, which has to be enabled first):
sudo yum install fail2ban
Installing on Ubuntu and Debian:
sudo apt install fail2ban
Start it:
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
The program has two configuration files: /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf. Ban settings are defined in the second one. Do not edit it directly: both files are replaced on package upgrades, and overrides belong in jail.local or in files under jail.d/.
The SSH jail is defined out of the box with these defaults (5 attempts within a 10-minute window, a 10-minute ban):
[DEFAULT]
ignorecommand =
bantime = 10m
findtime = 10m
maxretry = 5
On Debian and Ubuntu the packaged jail.d/defaults-debian.conf switches the sshd jail on; on CentOS/Red Hat the jail is defined but stays off until you set enabled = true for it in jail.local.
Besides SSH, Fail2Ban can protect other services, such as the nginx or Apache web servers.
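What the sshd jail actually does, and the override file that turns it on with tighter limits. This is an added example, not code from the original article: the first function is the counting logic of the jail reduced to an awk one-liner run over constructed log lines (fail2ban's real filter has many more patterns and applies findtime), the second writes a jail.local. The sample lines, the addresses, the limits chosen and the function names are assumptions; the keys are fail2ban's own.

```sh
#!/bin/sh
# Added example, not code from the original article: (1) the per-address
# failure counting behind the sshd jail, over constructed auth-log lines;
# (2) a jail.local that enables the sshd jail with tighter limits. Sample
# lines, addresses, numbers and function names are assumptions.
set -eu

# Constructed sample auth-log lines (not real traffic): one address fails
# three times, then a legitimate key login, then a single stray failure.
SAMPLE_LOG='Jun 12 10:01:02 web sshd[2301]: Failed password for root from 198.51.100.7 port 51234 ssh2
Jun 12 10:01:05 web sshd[2303]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Jun 12 10:01:09 web sshd[2305]: Failed password for root from 198.51.100.7 port 51240 ssh2
Jun 12 10:02:11 web sshd[2310]: Accepted publickey for alice from 203.0.113.5 port 40000 ssh2: ED25519 SHA256:Q2...
Jun 12 10:02:30 web sshd[2312]: Failed password for alice from 203.0.113.9 port 40010 ssh2'

# Addresses with at least <maxretry> failed logins, reading the log on
# stdin. This is the core of what the sshd jail computes before it bans.
offenders() {             # offenders <maxretry>
  awk -v max="$1" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
    }
    END { for (ip in fails) if (fails[ip] >= max) print ip }' | sort
}

# jail.local overrides jail.conf and survives package upgrades; jail.conf
# itself is never edited.
write_jail_local() {      # write_jail_local <path> <ssh-port>
  cat > "$1" <<EOF
[DEFAULT]
# three failures within 10 minutes earn a one-hour ban (stock: 5, 10m, 10m)
bantime  = 1h
findtime = 10m
maxretry = 3
# never ban yourself; 203.0.113.0/24 stands in for your management network
ignoreip = 127.0.0.1/8 ::1 203.0.113.0/24

[sshd]
enabled = true
# must match the port sshd listens on, or the ban rule blocks the wrong port
port    = $2
# read the journal instead of /var/log/auth.log or /var/log/secure; needed
# where sshd logs only to journald (e.g. minimal RHEL-family installs)
backend = systemd
EOF
}

if [ "${HARDEN_APPLY:-0}" = 1 ]; then
  write_jail_local /etc/fail2ban/jail.local "${1:-22}"
  systemctl restart fail2ban
  fail2ban-client status sshd    # lists the currently banned addresses
fi
```

Run as HARDEN_APPLY=1 sh jail.sh 22 (or the port you moved sshd to). The ignoreip line is the one to get right first: with a low maxretry a single typo-prone colleague on the management network would otherwise ban the address you both administer from.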
Automatic security updates
As you know, new vulnerabilities are found in every program all the time. Once the details are published, exploits for them are added to the popular exploit kits that hackers and teenagers use when scanning servers one after another. So it is very important to install security updates as soon as they appear.
On Ubuntu Server, automatic security updates are enabled by default through the unattended-upgrades package, so no action is required (the switch lives in /etc/apt/apt.conf.d/20auto-upgrades, which is worth a glance to confirm it is on).
On CentOS/Red Hat you need to bring the system up to date and install dnf-automatic:
sudo dnf upgrade
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timer
Note that this timer runs dnf-automatic with /etc/dnf/automatic.conf, whose stock setting apply_updates = no only downloads updates; set it to yes (or enable dnf-automatic-install.timer instead) if you want them applied without your intervention.
To check the timer:
sudo systemctl status dnf-automatic.timer
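The dnf-automatic configuration change from the note above, as a script. This is an added example, not code from the original article: the file and keys are dnf-automatic's own, while the ini helper, the function names and the HARDEN_APPLY switch are assumptions. The helper is exercised here against a constructed copy of automatic.conf rather than the real file.

```sh
#!/bin/sh
# Added example, not code from the original article: make dnf-automatic
# actually install security updates. Out of the box /etc/dnf/automatic.conf
# has apply_updates = no (download only), so enabling the timer alone does
# not patch anything. Function names and the HARDEN_APPLY switch are
# assumptions; the file and its keys are dnf-automatic's own.
set -eu

# Set key = value inside [section] of an ini-style file, replacing an
# existing line or adding one at the end of that section.
set_ini() {               # set_ini <file> <section> <key> <value>
  awk -v s="[$2]" -v k="$3" -v v="$4" '
    $0 == s         { in_s = 1; print; next }
    /^\[/           { if (in_s && !done) { print k " = " v; done = 1 } in_s = 0 }
    in_s && $1 == k { print k " = " v; done = 1; next }
                    { print }
    END             { if (in_s && !done) print k " = " v }' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

get_ini() {               # get_ini <file> <section> <key>
  awk -v s="[$2]" -v k="$3" '
    $0 == s         { in_s = 1; next }
    /^\[/           { in_s = 0 }
    in_s && $1 == k { print $3 }' "$1"
}

configure_dnf_automatic() {   # configure_dnf_automatic [conf]
  f=${1:-/etc/dnf/automatic.conf}
  set_ini "$f" commands upgrade_type  security   # security errata only
  set_ini "$f" commands apply_updates yes        # install, not just download
  set_ini "$f" emitters emit_via      stdio      # result lands in the journal
}

if [ "${HARDEN_APPLY:-0}" = 1 ]; then
  configure_dnf_automatic
  systemctl enable --now dnf-automatic.timer
  systemctl list-timers dnf-automatic.timer       # shows the next run
fi
```

upgrade_type = security keeps the automatic run to errata with a security advisory, so feature updates that might change behaviour still wait for a person; drop that line if you prefer everything applied.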
Changing the default ports
SSH was developed in 1995 to replace telnet (port 23) and ftp (port 21), so its author, Tatu Ylönen, picked the free port between them, 22.
Naturally, every attacker knows which port SSH runs on and scans it, along with the other standard ports, to identify the software version, try weak passwords, and so on.
Changing the standard ports (obfuscation) in many cases reduces the volume of junk traffic, the size of the logs and the load on the server, and shrinks the attack surface. Some object that this is security through obscurity, and in theory it does run counter to the open-design principle. In practice, though, the amount of malicious traffic really does drop, so it is a simple and effective measure. It complements key-only authentication and a firewall rather than replacing them: a scan of all 65535 ports still finds the service.
The port number is set by changing the Port 22 directive in the /etc/ssh/sshd_config configuration file (on Ubuntu, in a drop-in file under /etc/ssh/sshd_config.d/, as above). After the change, allow the new port in the firewall before reloading sshd, and update the port in the Fail2Ban sshd jail as well.
The -p <port> parameter specifies the port number when connecting with the ssh command on Linux. In scp the parameter is -P <port> (capital P). The command-line option overrides any value from the configuration files.
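The port change in an order that cannot lock you out: firewall first, then the SELinux port label on the Red Hat family (without it sshd refuses to bind a non-standard port under enforcing mode), then the sshd drop-in, validated before reload. This is an added example, not code from the original article; the port, the drop-in name 05-port.conf, the function names and the HARDEN_APPLY switch are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original article: move sshd to a new
# port in an order that cannot lock you out. The port, the drop-in name and
# the function names are assumptions.
set -eu

# Accept a numeric port in 1024-32767: above the privileged range, below the
# ephemeral range most kernels hand out, so nothing else will grab it.
valid_port() {            # valid_port <port>
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 32767 ]
}

# Port directives are cumulative: if sshd_config still has an active
# "Port 22", sshd listens on both, which is exactly what you want while
# testing. The stock file keeps it commented out, so then only the new
# port is used.
write_port_dropin() {     # write_port_dropin <path> <port>
  valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
  printf 'Port %s\n' "$2" > "$1"
}

change_ssh_port() {       # change_ssh_port <port>   (root)
  p=$1
  # 1. firewall first: open the new port before sshd moves, keep 22 for now
  if command -v ufw >/dev/null; then
    ufw allow "$p/tcp"
  elif command -v firewall-cmd >/dev/null; then
    firewall-cmd --permanent --add-port="$p/tcp" && firewall-cmd --reload
  fi
  # 2. SELinux (Red Hat family): sshd may only bind ports labelled
  #    ssh_port_t; skip this and sshd fails to start on the new port
  if command -v semanage >/dev/null && [ "$(getenforce 2>/dev/null)" = Enforcing ]; then
    semanage port -a -t ssh_port_t -p tcp "$p" 2>/dev/null \
      || semanage port -m -t ssh_port_t -p tcp "$p"
  fi
  # 3. sshd: a drop-in, pulled in by the Include at the top of sshd_config
  write_port_dropin /etc/ssh/sshd_config.d/05-port.conf "$p"
  sshd -t && systemctl reload sshd
  echo "from another terminal: ssh -p $p user@host ; only then close port 22"
}

if [ "${HARDEN_APPLY:-0}" = 1 ]; then change_ssh_port "$1"; fi
```

On a CentOS/RHEL release whose sshd_config has no Include directive, edit the Port line in /etc/ssh/sshd_config itself instead of writing the drop-in. Once a login on the new port works, close the old one (ufw delete allow ssh, or firewall-cmd --permanent --remove-service=ssh followed by --reload) and change the port in the Fail2Ban sshd jail to match.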
If there are many servers, almost all of these steps for securing a Linux server can be automated in a script. But if there is only one server, it is better to go through the process by hand.
Source: www.habr.com