, CC BY-SA
Kule mihla, ukuphakamisa iseva kwindawo yokubamba ngumcimbi wemizuzu embalwa kunye nokucofa okumbalwa kwemouse. Kodwa ngokukhawuleza emva kokusungulwa, uzifumana ekwimeko ekhohlakeleyo, kuba uvule i-Intanethi yonke njengentombazana emsulwa kwi-rocker disco. Abaskena baya kuyifumana ngokukhawuleza kwaye babone amawaka ee-bots ezibhalwe ngokuzenzekelayo ezihlola inethiwekhi ekhangela ubuthathaka kunye noqwalaselo olugwenxa. Kukho izinto ezimbalwa ekufuneka uyenzile emva kokuqaliswa ukuqinisekisa ukhuseleko olusisiseko.
Iziqulatho
Umsebenzisi ongengongcambu
Inyathelo lokuqala kukwenza umsebenzisi ongeyongcambu ngokwakho. Ingongoma kukuba umsebenzisi root amalungelo apheleleyo kwinkqubo, kwaye ukuba uyamvumela ulawulo olukude, ngoko uya kwenza isiqingatha somsebenzi we-hacker, ushiye igama lomsebenzisi elisebenzayo kuye.
Ke ngoko, kufuneka wenze omnye umsebenzisi, kwaye ukhubaze ulawulo olukude nge-SSH yeengcambu.
Umsebenzisi omtsha uqalwa ngumyalelo useradd:
useradd [options] <username>
Emva koko i-password yongezwa kuyo kunye nomyalelo passwd:
passwd <username>
Okokugqibela, lo msebenzisi ufuna ukudityaniswa kwiqela elinelungelo lokuphumeza imiyalelo ephakamileyo sudo. Kuxhomekeke kunikezelo lweLinux, la angamaqela ahlukeneyo. Ngokomzekelo, kwi-CentOS kunye ne-Red Hat, umsebenzisi wongezwa kwiqela wheel:
usermod -aG wheel <username>
Ku-Ubuntu yongezwa kwiqela sudo:
usermod -aG sudo <username>
Izitshixo endaweni ye-SSH amagama ayimfihlo
Amandla amdaka okanye ukuvuza kwegama lokugqitha yivektha yohlaselo oluqhelekileyo, ngoko ke kungcono ukukhubaza uqinisekiso lwegama lokugqitha kwi-SSH (iShell eKhuselekileyo) kwaye endaweni yoko usebenzise uqinisekiso olungundoqo.
Kukho iinkqubo ezahlukeneyo zokuphumeza iprotocol ye-SSH, njenge и , kodwa eyona idumileyo yi-OpenSSH. Ukufaka umxhasi we-OpenSSH ku-Ubuntu:
sudo apt install openssh-clientUfakelo lweseva:
sudo apt install openssh-serverUkuqala i-daemon ye-SSH (sshd) kwiseva ye-Ubuntu:
sudo systemctl start sshdQalisa ngokuzenzekelayo i-daemon kuyo yonke i-boot:
sudo systemctl enable sshd
Kufuneka kuqatshelwe ukuba inxalenye yeseva ye-OpenSSH ibandakanya inxalenye yomxhasi. Oko kukuthi, ngokusebenzisa openssh-server ungaqhagamshela kwezinye iiseva. Ngaphezu koko, kumatshini wakho womxhasi, ungaqala itonela ye-SSH ukusuka kwiseva ekude ukuya kumamkeli weqela lesithathu, kwaye umamkeli weqela lesithathu uya kuthathela ingqalelo iseva ekude njengomthombo wezicelo. Uphawu oluluncedo kakhulu lokufihla inkqubo yakho. Jonga inqaku ngeenkcukacha .
Kumatshini womxhasi, ngokuqhelekileyo akukho ngqiqweni ukufaka umncedisi ogcweleyo ukuze uthintele uxhulumaniso olukude kwikhompyutheni (ngenxa yezizathu zokhuseleko).
Ke, kumsebenzisi wakho omtsha, kufuneka kuqala uvelise izitshixo ze-SSH kwikhompyuter apho uya kufikelela kwiseva:
ssh-keygen -t rsa
Isitshixo sikawonke-wonke sigcinwe kwifayile .pub kwaye ijongeka njengoluhlu lwamagama angaqhelekanga aqala ngawo ssh-rsa.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ3GIJzTX7J6zsCrywcjAM/7Kq3O9ZIvDw2OFOSXAFVqilSFNkHlefm1iMtPeqsIBp2t9cbGUf55xNDULz/bD/4BCV43yZ5lh0cUYuXALg9NI29ui7PEGReXjSpNwUD6ceN/78YOK41KAcecq+SS0bJ4b4amKZIJG3JWm49NWvoo0hdM71sblF956IXY3cRLcTjPlQ84mChKL1X7+D645c7O4Z1N3KtL7l5nVKSG81ejkeZsGFzJFNqvr5DuHdDL5FAudW23me3BDmrM9ifUmt1a00mWci/1qUlaVFft085yvVq7KZbF2OP2NQACUkwfwh+iSTP username@hostname
Emva koko, ukusuka phantsi kweengcambu, yenza ulawulo lwe-SSH kumncedisi kulawulo lwasekhaya lomsebenzisi kwaye wongeze isitshixo sikawonke-wonke se-SSH kwifayile. authorized_keys, usebenzisa umhleli wokubhaliweyo onje ngeVim:
mkdir -p /home/user_name/.ssh && touch /home/user_name/.ssh/authorized_keysvim /home/user_name/.ssh/authorized_keysOkokugqibela, seta iimvume ezichanekileyo zefayile:
chmod 700 /home/user_name/.ssh && chmod 600 /home/user_name/.ssh/authorized_keyskwaye utshintshe ubunini kulo msebenzisi:
chown -R username:username /home/username/.sshKwicala lomxhasi, kufuneka ucacise indawo yeqhosha eliyimfihlo lokungqinisisa:
ssh-add DIR_PATH/keylocationNgoku ungangena kwiseva phantsi kwegama lomsebenzisi usebenzisa eli qhosha:
ssh [username]@hostnameEmva kogunyaziso, ungasebenzisa umyalelo we-scp ukukopa iifayile, into eluncedo ukunyusa ukude inkqubo yefayile okanye abalawuli.
Kuyacetyiswa ukuba wenze iikopi ezininzi zogcino lwesitshixo sabucala, kuba ukuba ukhubaza ukuqinisekiswa kwegama eliyimfihlo kwaye ulahlekelwe yiyo, ngoko awuyi kuba nayo nayiphi na indlela yokungena kwiseva yakho konke konke.
Njengoko kukhankanyiwe ngasentla, kwi-SSH kufuneka ukhubaze uqinisekiso lweengcambu (esi sizathu sokuba siqale umsebenzisi omtsha).
Kwi-CentOS / Red Hat sifumana umgca PermitRootLogin yes kwifayile yoqwalaselo /etc/ssh/sshd_config kwaye uyitshintshe:
PermitRootLogin no
Ku-Ubuntu yongeza umgca PermitRootLogin no kwifayile yoqwalaselo 10-my-sshd-settings.conf:
sudo echo "PermitRootLogin no" >> /etc/ssh/sshd_config.d/10-my-sshd-settings.confEmva kokuqinisekisa ukuba umsebenzisi omtsha uqinisekisa ngesitshixo sakhe, unokukhubaza ukuqinisekiswa kwegama lokugqitha ukuze uphelise umngcipheko wokuvuza kwephasiwedi okanye amandla akhohlakeleyo. Ngoku, ukuze ufikelele kumncedisi, umhlaseli uya kufuna ukufumana isitshixo sabucala.
Kwi-CentOS / Red Hat sifumana umgca PasswordAuthentication yes kwifayile yoqwalaselo /etc/ssh/sshd_config kwaye uyitshintshe ngolu hlobo:
PasswordAuthentication no
Ku-Ubuntu yongeza umgca PasswordAuthentication no ukwenza ifayile 10-my-sshd-settings.conf:
sudo echo "PasswordAuthentication no" >> /etc/ssh/sshd_config.d/10-my-sshd-settings.confNgemiyalelo yokwenza uqinisekiso lwezinto ezimbini nge-SSH, bona .
i-firewall
I-firewall iqinisekisa ukuba kuphela i-traffic kumazibuko owavumela ngokuthe ngqo aya kumncedisi. Oku kukhusela ukuxhatshazwa kwamazibuko anikwe amandla ngengozi kunye nezinye iinkonzo, ezinciphisa kakhulu indawo yokuhlaselwa.
Ngaphambi kokufaka i-firewall, kufuneka uqinisekise ukuba i-SSH ibandakanyiwe kuluhlu lokukhutshelwa kwaye ayiyi kuvalelwa. Ngaphandle koko, emva kokuqala i-firewall, asiyi kukwazi ukudibanisa kumncedisi.
Ukuhanjiswa koBuntu kuza kunye neFirewall engantsonkothanga (), kunye neCentOS/Mnqwazi oBomvu - .
Ukuvumela i-SSH kwi-firewall ku-Ubuntu:
sudo ufw allow ssh
Kwi-CentOS/Mnqwazi oBomvu sebenzisa umyalelo firewall-cmd:
sudo firewall-cmd --zone=public --add-service=ssh --permanentEmva kwale nkqubo, unokuqalisa i-firewall.
Kwi-CentOS/Hat eBomvu, qalisa inkonzo ye-systemd ye-firewalld:
sudo systemctl start firewalld
sudo systemctl enable firewalldKwi-Ubuntu sisebenzisa lo myalelo ulandelayo:
sudo ufw enable
Ukusilela2Ban
inkonzo uhlalutya iilogi kumncedisi kwaye ubala inani lokuzama ukufikelela kwidilesi nganye ye-IP. Izicwangciso zicacisa imigaqo yokuba zingaphi iinzame zokufikelela ezivunyelwe kwithuba elithile - emva koko le dilesi ye-IP ivaliwe ixesha elithile. Umzekelo, masivumele iinzame zoqinisekiso ezi-5 ezingaphumelelanga phakathi kweeyure ezi-2, emva koko sivale idilesi ye-IP enikiweyo iiyure ezili-12.
Ukufaka iFail2Ban kwiCentOS kunye neRed Hat:
sudo yum install fail2banUfakelo kwi-Ubuntu kunye neDebian:
sudo apt install fail2banQalisa:
systemctl start fail2ban
systemctl enable fail2ban
Inkqubo ineefayile ezimbini zoqwalaselo: /etc/fail2ban/fail2ban.conf и /etc/fail2ban/jail.conf. Izithintelo zokuvalwa zichazwe kwifayile yesibini.
Ijele ye-SSH yenziwe ngokungagqibekanga kunye nezicwangciso ezingagqibekanga (imizamo ye-5, ikhefu le-10 imizuzu, ukuvalwa kwemizuzu eyi-10).
[UKUSILALELA] ukungahoyi umyalelo=bantime=10m ixesha lokufumana=10m maxretry=5
Ukongeza kwi-SSH, iFail2Ban inokukhusela ezinye iinkonzo kwi-nginx okanye i-Apache web server.
Uhlaziyo lokhuseleko oluzenzekelayo
Njengoko usazi, ubuthathaka obutsha bufumaneka rhoqo kuzo zonke iinkqubo. Emva kokuba ulwazi lupapashiwe, izinto zokuxhaphaza zongezwa kwiipakethi zokuxhaphaza ezidumileyo, ezisetyenziswa kakhulu ngabageki kunye nabakwishumi elivisayo xa kuhlolwa zonke iiseva ngokulandelelana. Ngoko ke, kubaluleke kakhulu ukufaka uhlaziyo lokhuseleko ngokukhawuleza nje ukuba luvele.
Kwiseva ye-Ubuntu, uhlaziyo lokhuseleko oluzenzekelayo luvulwa ngokungagqibekanga, ngoko ke akukho ntshukumo ifunekayo.
Kwi-CentOS/Mnqwazi oBomvu kufuneka ufake isicelo kwaye uvule isibali-xesha:
sudo dnf upgrade
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timerUkukhangela ixesha:
sudo systemctl status dnf-automatic.timer
Ukutshintsha izibuko ezingagqibekanga
I-SSH yaphuhliswa kwi-1995 ukuze ithathe indawo ye-telnet (port 23) kunye ne-ftp (i-port 21), ngoko umbhali wenkqubo, uTatu Iltonen , kwaye yamkelwe yi-IANA.
Ngokwemvelo, bonke abahlaseli bayazi ukuba yeyiphi izibuko i-SSH esebenza kuyo - kwaye uyiskene kunye namanye amazibuko aqhelekileyo ukufumana inguqulelo yesoftware, ukujonga iipassword ezisezantsi, njalo njalo.
Ukutshintsha izibuko eziqhelekileyo - i-obfuscation - amaxesha amaninzi kunciphisa ubuninzi betrafikhi yenkunkuma, ubungakanani beelogi kunye nomthwalo kumncedisi, kwaye kunciphisa indawo yokuhlaselwa. Nangona abanye (ukhuseleko ngokufihlakala). Isizathu kukuba obu buchule buchasene nesiseko . Ngoko ke, umzekelo, i-US National Institute of Standards and Technology in ibonisa imfuno yoyilo lwe-server evulekileyo: "Ukhuseleko lwenkqubo akufanele luxhomekeke kwimfihlo yokuphunyezwa kwamacandelo ayo," uxwebhu luthi.
Ngokwethiyori, ukutshintsha izibuko ezingagqibekanga kuchasene nomsebenzi woyilo oluvulekileyo. Kodwa ekusebenzeni, inani lezithuthi ezinobungozi ngokwenene liyancitshiswa, ngoko ke lo ngumlinganiselo olula kwaye osebenzayo.
Inombolo yezibuko ingaqwalaselwa ngokutshintsha isikhokhelo Port 22 kwifayile yoqwalaselo . Kwakhona kuboniswa yiparameter -p <port> в . Umxhasi we-SSH kunye neenkqubo kwakhona xhasa ukhetho -p <port>.
IParamu -p <port> ingasetyenziselwa ukukhankanya inombolo yezibuko xa idibanisa nomyalelo ssh kwi-linux. IN и scp iparameter isetyenziswa -P <port> (ikomkhulu P). Umyalelo womgca womyalelo ubeka ngaphezulu naliphi na ixabiso kwiifayile zoqwalaselo.
Ukuba kukho iiseva ezininzi, phantse zonke ezi ntshukumo zokukhusela iseva yeLinux zinokuzenzekela kwiscript. Kodwa ukuba kukho iseva enye kuphela, ke kungcono ukulawula inkqubo ngesandla.
Njengentengiso
Oda kwaye uqalise kwangoko! naluphi na uqwalaselo kunye nayo nayiphi na inkqubo yokusebenza ngaphakathi komzuzu. Ukucwangciswa okuphezulu kuya kukuvumela ukuba uphume ngokupheleleyo - i-128 CPU cores, i-512 GB RAM, i-4000 GB NVMe. Epic 🙂
umthombo: www.habr.com