I-ProHoster > Π‘Π»ΠΎΠ³ > Ukuphatha > Okufanele ukwenze uma i-siloviki iza kumphathi wakho

Okufanele ukwenze uma i-siloviki iza kumphathi wakho

Okufanele ukwenze uma i-siloviki iza kumphathi wakhokdpv - Reuters

Uma uqasha iseva, lapho-ke awunakho ukulawula okugcwele phezu kwayo. Lokhu kusho ukuthi nganoma isiphi isikhathi abantu abaqeqeshwe ngokukhethekile bangeza kumsingathi futhi bakucele ukuthi unikeze noma iyiphi idatha yakho. Futhi umninikhaya uzowabuyisela uma isidingo sisemthethweni ngokomthetho.

Awufuni ngempela izingodo zakho zeseva yewebhu noma idatha yomsebenzisi iputshukele kunoma ubani omunye. Akunakwenzeka ukwakha isivikelo esifanele. Cishe akunakwenzeka ukuzivikela kumsingathi ongumnikazi we-hypervisor futhi akunikeze umshini obonakalayo. Kodwa mhlawumbe kuzokwazi ukunciphisa izingozi kancane. Ukubhala ngekhodi izimoto eziqashwayo akusizi ngalutho njengoba kubonakala ekuqaleni. Ngesikhathi esifanayo, ake sibheke izinsongo zokukhipha idatha kumaseva aphathekayo.

Imodeli yosongo

Njengomthetho, umninikhaya uzozama ukuvikela izithakazelo zeklayenti ngangokunokwenzeka ngokomthetho. Uma incwadi evela kwabaphathi abasemthethweni icele kuphela amalogi okufinyelela, umsingathi ngeke akunikeze ukulahlwa kwayo yonke imishini yakho ebonakalayo enemininingwane yolwazi. Okungenani akufanele. Uma becela yonke idatha, umphathi uzokopisha amadiski abonakalayo nawo wonke amafayela futhi ngeke wazi ngakho.

Kungakhathaliseki ukuthi yisiphi isimo, umgomo wakho oyinhloko ukwenza ukuhlasela kube nzima kakhulu futhi kubize. Ngokuvamile kunezinketho ezintathu eziyinhloko zokusongela.

Okusemthethweni

Imvamisa, incwadi yephepha ithunyelwa ehhovisi elisemthethweni le-hoster enesidingo sokuhlinzeka ngedatha edingekayo ngokuhambisana nomthethonqubo ofanele. Uma konke kwenziwa ngendlela efanele, umsingathi unikeza izingodo zokufinyelela ezidingekayo kanye neminye imininingwane kuziphathimandla ezisemthethweni. Ngokuvamile bavele bakucele ukuthi uthumele idatha edingekayo.

Kwesinye isikhathi, uma kunesidingo, abamele izikhungo zokugcinwa komthetho bafika mathupha esikhungweni sedatha. Isibonelo, uma uneseva yakho ezinikele kanye nedatha evela lapho ingathathwa ngokomzimba kuphela.

Kuwo wonke amazwe, ukuthola ukufinyelela empahleni yangasese, ukusesha kanye neminye imisebenzi kudinga ubufakazi bokuthi idatha ingase iqukathe ulwazi olubalulekile lokuphenywa kobugebengu. Ngaphezu kwalokho, iwaranti yokusesha eyenziwe ngokuhambisana nayo yonke imithetho iyadingeka. Kungase kube nama-nuances ahlobene nezici zomthetho wendawo. Into esemqoka okudingeka uyiqonde ukuthi uma indlela esemthethweni ilungile, abamele isikhungo sedatha ngeke bavumele noma ubani ukuba adlule emnyango.

Ngaphezu kwalokho, emazweni amaningi awukwazi ukumane ukhiphe imishini yokugijima. Isibonelo, eRussia, kuze kube sekupheleni kuka-2018, ngokusho kwe-Article 183 ye-Code of Criminal Procedure of the Russian Federation, ingxenye 3.1, kwaqinisekiswa ukuthi ngesikhathi sokubanjwa, ukuthunjwa kwemithombo ye-electronic storage kwenziwa ngokubamba iqhaza. kachwepheshe. Ngesicelo somnikazi osemthethweni wemithombo yezokuxhumana ethathiwe noma umnikazi wolwazi oluqukethwe kubo, uchwepheshe obambe iqhaza ekuthunjweni, phambi kofakazi, ukopisha ulwazi oluvela kumithombo ye-elekthronikhi ethathiwe kwezinye izinto zokugcina izinto zikagesi.

Khona-ke, ngeshwa, leli phuzu lasuswa esihlokweni.

Imfihlo futhi engekho emthethweni

Lena kakade insimu yomsebenzi wamaqabane aqeqeshwe ngokukhethekile kusukela ku-NSA, FBI, MI5 nezinye izinhlangano ezinezinhlamvu ezintathu. Ezikhathini eziningi, umthetho wamazwe unikeza amandla abanzi kakhulu ezinhlakeni ezinjalo. Ngaphezu kwalokho, cishe njalo kunomthetho ovimbela noma yikuphi ukudalulwa okuqondile noma okungaqondile kweqiniso lokubambisana nezinhlaka ezinjalo zokuqinisa umthetho. Kukhona okufanayo eRussia izimiso zomthetho.

Uma kwenzeka kuba nosongo olunjalo kudatha yakho, cishe zizokhishwa. Ngaphezu kwalokho, ngaphezu kokubanjwa okulula, yonke i-arsenal engekho emthethweni ye-backdoors, ubungozi bosuku oluyizero, ukukhishwa kwedatha ku-RAM yomshini wakho obonakalayo, nezinye izinto ezijabulisayo zingasetshenziswa. Kulokhu, umninikhaya uzophoqeleka ukuthi asize ochwepheshe bokugcinwa komthetho ngangokunokwenzeka.

Isisebenzi esingathembekile

Akubona bonke abantu abalungile ngokulinganayo. Omunye wabaphathi besikhungo sedatha angase anqume ukwenza imali eyengeziwe futhi athengise idatha yakho. Intuthuko eyengeziwe incike emandleni akhe nasekufinyeleleni kwakhe. Into ecasula kakhulu ukuthi umlawuli onokufinyelela kukhonsoli ye-virtualization unokulawula okuphelele emishinini yakho. Ungakwazi njalo ukuthatha isifinyezo kanye nakho konke okuqukethwe kwe-RAM bese uyifunda kancane.

I-VDS

Ngakho unomshini we-virtual owunikwe ngumsingathi. Ungakusebenzisa kanjani ukubethela ukuze uzivikele? Eqinisweni, akukho lutho. Ngaphezu kwalokho, ngisho neseva ezinikezele yomunye umuntu ingase igcine ingumshini obonakalayo lapho kufakwa khona amadivaysi adingekayo.

Uma umsebenzi wesistimu ekude ungekona nje ukugcina idatha, kodwa ukwenza izibalo, khona-ke okuwukuphela kwenketho yokusebenza ngomshini ongathembekile kungaba ukusebenzisa. ukubethela kwe-homomorphic. Kulokhu, uhlelo luzokwenza izibalo ngaphandle kwekhono lokuqonda ukuthi lenzani ngempela. Ngeshwa, izindleko ezingaphezulu zokuqalisa ukubethela okunjalo ziphezulu kangangokuthi ukusetshenziswa kwazo okungokoqobo okwamanje kukhawulelwe emisebenzini emincane kakhulu.

Futhi, okwamanje lapho umshini we-virtual usebenza futhi wenza izenzo ezithile, wonke amavolumu abethelwe asesimweni esifinyelelekayo, ngaphandle kwalokho i-OS ngeke ikwazi ukusebenza nabo. Lokhu kusho ukuthi ukufinyelela ikhonsoli ye-virtualization, ungakwazi njalo ukuthatha isifinyezo somshini osebenzayo futhi ukhiphe zonke izikhiye ku-RAM.

Abathengisi abaningi bazamile ukuhlela ukubethelwa kwehadiwe kwe-RAM ukuze ngisho nomsingathi angakwazi ukufinyelela le datha. Isibonelo, ubuchwepheshe be-Intel Software Guard Extensions, obuhlela izindawo ezisesikhaleni samakheli esibonakalayo ezivikelwe ekufundeni nasekubhaleni ngaphandle kwale ndawo ngezinye izinqubo, okuhlanganisa i-kernel yesistimu yokusebenza. Ngeshwa, ngeke ukwazi ukwethemba ngokugcwele lobu buchwepheshe, njengoba uzokhawulelwa emshinini wakho obonakalayo. Ngaphezu kwalokho, izibonelo ezenziwe ngomumo sezivele zikhona ukuhlasela ngempumelelo kulobu buchwepheshe. Noma kunjalo, ukubethela imishini ebonakalayo akusizi ngalutho njengoba kungase kubonakale.

Sibhala ngemfihlo idatha ku-VDS

Ake ngenze ukubhuka ngokushesha ukuthi yonke into esiyenzayo ngezansi ayilingani nokuvikela okuphelele. I-hypervisor izokuvumela ukuthi wenze amakhophi adingekayo ngaphandle kokumisa isevisi futhi ngaphandle kokuqaphela kwakho.

  • Uma, ngesicelo, umsingathi edlulisela isithombe β€œesibandayo” somshini wakho we-virtual, kusho ukuthi uphephile uma kuqhathaniswa. Lesi yisimo esivame kakhulu.
  • Uma umsingathi ekunikeza isifinyezo esigcwele somshini ogijimayo, khona-ke konke kubi kakhulu. Yonke idatha izofakwa kusistimu ngendlela ecacile. Ngaphezu kwalokho, uzokwazi ukuphenya nge-RAM usesha okhiye abayimfihlo nedatha efanayo.

Ngokuzenzakalelayo, uma ukhiphe i-OS esithombeni se-vanilla, isisingathi asinakho ukufinyelela kwezimpande. Ungakwazi njalo ukukhweza imidiya ngesithombe sokuhlenga futhi ushintshe iphasiwedi yempande ngokuhlunga imvelo yomshini obonakalayo. Kodwa lokhu kuzodinga ukuqalisa kabusha, okuzoqashelwa. Futhi, zonke izingxenye ezibethelwe ezifakiwe zizovalwa.

Kodwa-ke, uma ukuthunyelwa komshini we-virtual kungaveli esithombeni se-vanilla, kodwa kusukela kulowo olungiselelwe ngaphambili, khona-ke umninikhaya angakwazi ukwengeza i-akhawunti enelungelo lokusiza esimweni esiphuthumayo kuklayenti. Isibonelo, ukushintsha iphasiwedi yezimpande ekhohliwe.

Ngisho nasesithombeni esiphelele, akuyona yonke into edabukisayo. Umhlaseli ngeke aze athole amafayela abethelwe uma uwakhweze esuka kusistimu yefayela eyirimothi yomunye umshini. Yebo, ngombono, ungakhetha ukulahlwa kwe-RAM futhi ukhiphe okhiye bokubethela lapho. Kodwa ekusebenzeni lokhu akuyona into encane kakhulu futhi cishe akunakwenzeka ukuthi inqubo izodlula ukudluliswa kwefayela okulula.

Oda imoto

Okufanele ukwenze uma i-siloviki iza kumphathi wakho

Ngezinjongo zethu zokuhlola, sithatha umshini olula siwungenise isigaba soku-oda amaseva. Asidingi izinsiza eziningi, ngakho-ke sizothatha inketho yokukhokhela i-megahertz kanye nethrafikhi esetshenzisiwe. Okwanele nje ukudlala nawe.

I-dm-crypt yakudala yayo yonke ingxenye ayizange isuke. Ngokuzenzakalelayo, idiski inikezwa ngesiqeshana esisodwa, nempande yayo yonke ukwahlukanisa. Ukunciphisa ukwahlukanisa kwe-ext4 kokufakwe impande cishe kuyisitini esiqinisekisiwe esikhundleni sohlelo lwefayela. Ngazama) Ithamborini ayizange isize.

Ukudala isitsha se-crypto

Ngakho-ke, ngeke sikubhale ngemfihlo konke ukwahlukanisa, kodwa sizosebenzisa iziqukathi ze-crypto zefayela, okuyi-VeraCrypt ehloliwe futhi ethembekile. Ngezinhloso zethu lokhu kwanele. Okokuqala, sikhipha futhi sifake iphakheji ngenguqulo ye-CLI kusuka kuwebhusayithi esemthethweni. Ungahlola isiginesha ngesikhathi esifanayo.

wget https://launchpad.net/veracrypt/trunk/1.24-update4/+download/veracrypt-console-1.24-Update4-Ubuntu-18.04-amd64.deb
dpkg -i veracrypt-console-1.24-Update4-Ubuntu-18.04-amd64.deb

Manje sizokwakha isiqukathi ngokwaso ndawana thize ekhaya lethu ukuze sikwazi ukusikhweza mathupha lapho siqalisa kabusha. Kunketho yokusebenzisana, setha usayizi wesiqukathi, iphasiwedi kanye nama-algorithms wokubethela. Ungakhetha i-patriotic cipher Grasshopper kanye nomsebenzi we-Stribog hashi.

veracrypt -t -c ~/my_super_secret

Manje masifake i-nginx, sikhweze isiqukathi futhi sigcwalise ngolwazi oluyimfihlo.

mkdir /var/www/html/images
veracrypt ~/my_super_secret /var/www/html/images/
wget https://upload.wikimedia.org/wikipedia/ru/2/24/Lenna.png

Masilungise kancane /var/www/html/index.nginx-debian.html ukuze uthole ikhasi olifunayo futhi ungakwazi ukulihlola.

Xhuma futhi uhlole

Okufanele ukwenze uma i-siloviki iza kumphathi wakho
Isiqukathi sifakwe, idatha iyafinyeleleka futhi ithunyelwe.

Okufanele ukwenze uma i-siloviki iza kumphathi wakho
Futhi nawu umshini ngemuva kokuqalisa kabusha. Idatha igcinwe ngokuvikelekile kokuthi ~/my_super_secret.

Uma uyidinga ngempela futhi uyifuna i-hardcore, ungabhala ngemfihlo yonke i-OS ukuze kuthi lapho uqala kabusha idinga ukuxhuma nge-ssh bese ufaka iphasiwedi. Lokhu kuzokwanela futhi esimweni sokuvele kuhoxiswe "idatha ebandayo". Lapha imiyalelo yokusebenzisa i-dropbear kanye nokubethela kwediski kude. Nakuba esimweni se-VDS kunzima futhi akunamsebenzi.

Insimbi engenalutho

Akulula kangako ukufaka iseva yakho esikhungweni sedatha. Ukuzinikela komunye umuntu kungase kuvele kube umshini obonakalayo lapho zonke izisetshenziswa zidluliselwa khona. Kodwa into ethakazelisayo mayelana nokuvikela iqala lapho unethuba lokubeka iseva yakho ephathekayo ethembekile esikhungweni sedatha. Lapha usuvele usebenzise ngokugcwele i-dm-crypt yendabuko, i-VeraCrypt nanoma yikuphi ukubethela okukhethayo.

Udinga ukuqonda ukuthi uma ukubethela okuphelele kusetshenziswa, iseva ngeke ikwazi ukuzibuyiselela ngokwayo ngemva kokuqalisa kabusha. Kuzodingeka ukuphakamisa uxhumano ku-IP-KVM yendawo, i-IPMI noma enye i-interface efanayo. Ngemva kwalokho sifaka mathupha ukhiye oyinhloko. Uhlelo lubukeka lunjalo ngokuhambisana nokuqhubeka nokubekezelelana kwamaphutha, kodwa azikho ezinye izindlela ezikhethekile uma idatha ibaluleke kakhulu.

Okufanele ukwenze uma i-siloviki iza kumphathi wakho
I-NCipher nShield F3 Hardware Security Module

Inketho ethambile ithatha ukuthi idatha ibethelwe futhi ukhiye utholakala ngqo kuseva ngokwayo ku-HSM ekhethekile (Imojula Yokuphepha Yezingxenyekazi Zekhompyutha). Njengomthetho, lawa amadivaysi asebenza kakhulu anganikezi kuphela i-cryptography ye-hardware, kodwa futhi abe nezindlela zokuthola imizamo yokugebenga ngokomzimba. Uma othile eqala ukuphenya iseva yakho nge-engeli grinder, i-HSM enamandla azimele izosetha kabusha okhiye ebagcina enkumbulweni yayo. Umhlaseli uzothola i-mincemeat ebethelwe. Kulesi simo, ukuqalisa kabusha kungenzeka ngokuzenzakalelayo.

Ukukhipha okhiye kuyinketho eshesha kakhulu futhi enobuntu kunokusebenzisa ibhomu le-thermite noma isibambiso sikagesi. Kumadivayisi anjalo, uzoshaywa isikhathi eside kakhulu ngomakhelwane bakho endaweni yokubeka esikhungweni sedatha. Ngaphezu kwalokho, esimweni sokusebenzisa I-TCG Opal 2 ukubethela emithonjeni yezindaba ngokwayo, awuzwakali nhlobo. Konke lokhu kwenzeka ngokusobala ku-OS. Yiqiniso, kuleli cala udinga ukwethemba i-Samsung enemibandela futhi uthemba ukuthi ine-AES256 ethembekile, hhayi i-XOR ye-banal.

Ngesikhathi esifanayo, akufanele sikhohlwe ukuthi wonke amachweba angadingekile kufanele akhubazeke ngokomzimba noma avele agcwaliswe ngenhlanganisela. Uma kungenjalo, unikeza abahlaseli ithuba lokufeza Ukuhlaselwa kwe-DMA. Uma une-PCI Express noma i-Thunderbolt ephumela ngaphandle, okuhlanganisa ne-USB ngokusekelwa kwayo, usengozini. Umhlaseli uzokwazi ukuhlasela ngalezi zimbobo futhi athole ukufinyelela okuqondile kumemori ngokhiye.

Ngenguqulo eyinkimbinkimbi kakhulu, umhlaseli uzokwazi ukwenza ukuhlasela kwebhuthi ebandayo. Ngesikhathi esifanayo, ivele ithululele ingxenye enhle ye-nitrogen ewuketshezi kuseva yakho, icishe isuse izinti zenkumbulo ezifriziwe futhi ithathe ukulahlwa kuzo ngazo zonke izikhiye. Ngokuvamile, isifutho sokupholisa esivamile kanye nezinga lokushisa elizungeze -50 degrees kwanele ukwenza ukuhlasela. Kukhona futhi inketho enembe kakhudlwana. Uma ungazange ukhubaze ukulayisha kusuka kumadivayisi angaphandle, i-algorithm yomhlaseli izoba lula nakakhulu:

  1. Friza izinti zememori ngaphandle kokuvula ikesi
  2. Xhuma i-USB flash drive yakho ebhuthayo
  3. Sebenzisa izinsiza ezikhethekile ukuze ususe idatha ku-RAM esinde ekuqaliseni kabusha ngenxa yokuqandisa.

Hlukanisa futhi unqobe

Kulungile, sinemishini ebonakalayo kuphela, kodwa ngingathanda ukunciphisa ubungozi bokuvuza kwedatha.
Ungazama, ngokuyisisekelo, ukubuyekeza ukwakheka futhi usabalalise ukugcinwa kwedatha nokucutshungulwa ezindaweni ezahlukene. Isibonelo, indawo engaphambili enokhiye bokubethela isuka kumsingathi e-Czech Republic, futhi indawo engemuva enedatha ebethelwe isendaweni ethile e-Russia. Esimeni somzamo ojwayelekile wokuthumba, mancane kakhulu amathuba okuthi izikhungo ezigcina umthetho zikwazi ukwenza lokhu ngesikhathi esisodwa ezindaweni ezahlukene. Futhi, lokhu kusiqinisekisa kancane ngokumelene nesimo sokuthatha isifinyezo.

Hhayi-ke, noma ungacabangela inketho emsulwa ngokuphelele - ukubethela kokuphela ukuya ekupheleni. Impela, lokhu kudlula ububanzi bokucaciswa futhi akusho ukwenza izibalo eceleni komshini wesilawuli kude. Nokho, lena inketho eyamukeleka ngokuphelele uma kuziwa ekugcineni nokuvumelanisa idatha. Isibonelo, lokhu kusetshenziswa kalula kakhulu ku-Nextcloud. Ngesikhathi esifanayo, ukuvumelanisa, ukwenza inguqulo nezinye izinto eziseceleni kweseva ngeke kuhambe.

Inani

Awekho amasistimu avikeleke ngokuphelele. Umgomo uwukwenza ukuhlasela kube okubaluleke ngaphezu kwenzuzo engase ibe khona.

Ukuncishiswa okuthile kwezingozi zokufinyelela idatha kusayithi elibonakalayo kungafinyelelwa ngokuhlanganisa ukubethela kanye nesitoreji esihlukene nabasingathi abahlukahlukene.

Inketho ethembeke kakhulu noma engaphansi ukusebenzisa iseva yakho yehadiwe.

Kodwa umsingathi kusazomele athenjwe ngandlela thize. Imboni yonke incike kulokhu.

Okufanele ukwenze uma i-siloviki iza kumphathi wakho

Okufanele ukwenze uma i-siloviki iza kumphathi wakho

Source: www.habr.com

Engeza amazwana