Ngokuphindaphindiwe, ngemva kokwenza ucwaningo, ngokuphendula izincomo zami zokufihla amachweba ngemuva kohlu lwabamhlophe, ngihlangana nodonga lokungaqondi kahle. Ngisho nama-admins/DevOps apholile ayabuza: βKungani?!?β
Ngiphakamisa ukucabangela ubungozi ngohlelo olwehlayo lwamathuba okuba kwenzeke nomonakalo.
- Iphutha lokumisa
- I-DDoS nge-IP
- I-Brute force
- Ukuba sengozini kwesevisi
- Ukuba sengozini kwesitaki se-Kernel
- Ukuhlasela kwe-DDoS okwandisiwe
Iphutha lokumisa
Isimo esijwayelekile nesiyingozi kakhulu. Kwenzeka kanjani. Umthuthukisi udinga ukuhlola ngokushesha i-hypothesis; usetha iseva yesikhashana nge-mysql/redis/mongodb/elastic. I-password, yebo, iyinkimbinkimbi, uyisebenzisa yonke indawo. Ivula isevisi emhlabeni wonke - kumlungele ukuthi axhume ku-PC yakhe ngaphandle kwalawa ma-VPN akho. Futhi ngivilapha kakhulu ukukhumbula i-iptables syntax; iseva ingeyesikhashana noma kunjalo. Izinsuku ezimbalwa zokuthuthuka - kube kuhle kakhulu, singakubonisa ikhasimende. Ikhasimende liyayithanda, asikho isikhathi sokuyenza kabusha, sethula ku-PROD!
Isibonelo esenziwe ihaba ngamabomu ukuze sidlule kuwo wonke amaraki:
- Akukho lutho olungapheli kunesikhashana - angiyithandi le nkulumo, kodwa ngokuvumelana nemizwa ejulile, i-20-40% yalezi ziphakeli zesikhashana zihlala isikhathi eside.
- Iphasiwedi eyinkimbinkimbi yendawo yonke esetshenziswa ezinsizeni eziningi imbi. Ngoba enye yezinsizakalo lapho le phasiwedi isetshenziswe khona kungenzeka ukuthi igqekeziwe. Ngandlela thize, isizindalwazi samasevisi antshontshiwe singena sibe yinye, esetshenziselwa [i-brute force]*.
Kuyafaneleka ukungeza ukuthi ngemuva kokufakwa, i-redis, i-mongodb ne-elastic ngokuvamile itholakala ngaphandle kokuqinisekisa, futhi ivame ukugcwaliswa kabusha.ukuqoqwa kolwazi oluvulekile . - Kungase kubonakale sengathi akekho ozoskena imbobo yakho ye-3306 ezinsukwini ezimbalwa. Kuyinkohliso! I-Masscan iyiskena esihle kakhulu futhi ingaskena emachwebeni ayi-10M ngomzuzwana. Futhi kukhona i-IPv4 eyizigidi eziyizinkulungwane ezine kuphela ku-inthanethi. Ngakho-ke, wonke amachweba angama-4 aku-inthanethi atholakala ngemizuzu eyi-3306. Charles!!! Imizuzu eyisikhombisa!
"Ubani odinga lokhu?" - uyaphikisa. Ngakho-ke ngiyamangala uma ngibheka izibalo zamaphakheji awehlisiwe. Ivelaphi imizamo yokuskena eyizinkulungwane ezingama-40 evela kuma-IP ahlukile ayizinkulungwane ezi-3 ngosuku? Manje wonke umuntu uyaskena, kusukela kubaduni bakamama kuya kohulumeni. Kulula kakhulu ukuhlola - thatha noma iyiphi i-VPS ngo-$3-5 kunoma iyiphi** inkampani yezindiza eshibhile, vumela ukugawulwa kwamaphakheji awile futhi ubheke ilogu ngosuku.
Ivumela ukungena
Ku-/etc/iptables/rules.v4 engeza ekugcineni:
-A INPUT -j LOG --log-prefix "[FW - ALL] " --log-level 4
Futhi ku-/etc/rsyslog.d/10-iptables.conf
:msg,iqukethe,"[FW - " /var/log/iptables.log
& Ima
I-DDoS nge-IP
Uma umhlaseli azi i-IP yakho, angaduna iseva yakho amahora ambalwa noma izinsuku. Akubona bonke abahlinzeki bokusingatha abashibhile abanokuvikelwa kwe-DDoS futhi iseva yakho izomane inqanyulwe kunethiwekhi. Uma ufihle iseva yakho ngemuva kwe-CDN, ungakhohlwa ukushintsha i-IP, ngaphandle kwalokho isigebengu se-inthanethi sizoyisebenzisa ku-google bese i-DDoS iseva yakho idlula i-CDN (iphutha elidume kakhulu).
Ukuba sengozini kwesevisi
Wonke ama-software adumile ngokushesha noma kamuva athola amaphutha, ngisho nalawo ahlolwe kakhulu futhi abucayi. Phakathi kochwepheshe be-IB, kukhona ihlaya eliyisigamu - ukuphepha kwengqalasizinda kungahlolwa ngokuphepha ngesikhathi sokuvuselelwa kokugcina. Uma ingqalasizinda yakho inothile ngamachweba aphumela emhlabeni, futhi ungakayibuyekezi isikhathi esingangonyaka, khona-ke noma yimuphi uchwepheshe wezokuphepha uzokutshela ngaphandle kokubheka ukuthi uyavuza, futhi kungenzeka ukuthi usuvele ugqekeziwe.
Kufanele futhi kuphawulwe ukuthi bonke ubungozi obaziwayo ake bangaziwa. Cabanga ngomduni we-inthanethi othole ubungozi obunjalo futhi waskena yonke i-inthanethi ngemizuzu engu-7 ukuze uthole ubukhona bayo... Nansi ubhubhane olusha lwegciwane) Kudingeka sibuyekeze, kodwa lokhu kungalimaza umkhiqizo, usho. Futhi uzobe ulungile uma amaphakheji engafakiwe kusuka kumakhosombe asemthethweni we-OS. Kusukela kokuhlangenwe nakho, izibuyekezo ezivela endaweni yokugcina esemthethweni azivamile ukwephula umkhiqizo.
I-Brute force
Njengoba kuchazwe ngenhla, kukhona isizindalwazi esinamaphasiwedi ayingxenye yebhiliyoni okulula ukuwabhala kukhibhodi. Ngamanye amazwi, uma ungazange ukhiqize iphasiwedi, kodwa uthayiphe izimpawu ezincikene kukhibhodi, qiniseka* ukuthi zizokudida.
Ukuba sengozini kwesitaki se-Kernel.
Kuyenzeka futhi **** ukuthi akunandaba nokuthi iyiphi insiza evula ichweba, lapho isitaki senethiwekhi ye-kernel ngokwaso sisengozini. Okusho ukuthi, noma iyiphi isokhethi ye-tcp/udp ohlelweni oluneminyaka emibili ubudala ingaba sengozini eholela ku-DDoS.
Ukuhlasela kwe-DDoS okwandisiwe
Ngeke idale umonakalo oqondile, kodwa ingavala isiteshi sakho, ikhulise umthwalo ohlelweni, i-IP yakho izogcina isohlwini oluthile olumnyama*****, futhi uzothola ukuxhashazwa kumsingathi.
Ingabe uyazidinga ngempela zonke lezi zingozi? Engeza i-IP yekhaya lakho nomsebenzi ohlwini olumhlophe. Noma ngabe inamandla, ngena ngephaneli yomphathi womphathi, ngekhonsoli yewebhu, bese wengeza enye.
Sengineminyaka engu-15 ngakha futhi ngivikela ingqalasizinda ye-IT. Ngisungule umthetho engiwuncoma kakhulu kuwo wonke umuntu - asikho ichweba okufanele linamathele emhlabeni ngaphandle kohlu olumhlophe.
Isibonelo, iseva yewebhu evikeleke kakhulu*** yileyo evula u-80 no-443 kuphela ku-CDN/WAF. Futhi izimbobo zesevisi (ssh, netdata, bacula, phpmyadmin) kufanele okungenani zibe ngemuva kohlu olumhlophe, futhi zibe ngcono nakakhulu ngemuva kwe-VPN. Uma kungenjalo, usengozini yokuba sengozini.
Yilokho kuphela ebengifuna ukukusho. Gcina izimbobo zakho zivaliwe!
- (1) UPD1:
kuyinto ungabheka iphasiwedi yakho epholile yendawo yonke (ungakwenzi lokhu ngaphandle kokufaka le phasiwedi ngengahleliwe kuzo zonke izinsiza), noma ngabe ivele kusizindalwazi esihlanganisiwe.Futhi lapha ungabona ukuthi zingaki izinsiza ezigetshengiwe, lapho i-imeyili yakho yafakwa khona, futhi, ngokufanelekile, uthole ukuthi ingabe igama lakho eliyimfihlo eliyimfihlo lifakwe engcupheni. - (2) Ngokwekhredithi ye-Amazon, i-LightSail inokuskena okuncane. Ngokusobala bayayihlunga ngandlela thize.
- (3) Iseva yewebhu evikeleke nakakhulu yileyo engemuva kwe-firewall, i-WAF yayo, kodwa sikhuluma nge-VPS/Dedicated yomphakathi.
- (4) Segmentsmak.
- (5) I-Firehol.
Abasebenzisi ababhalisiwe kuphela abangabamba iqhaza kuhlolovo.
Ingabe amachweba akho ayaphuma?
- Njalo
- Kwesinye isikhathi
- Ngeke
- Angazi, fuck
Bangu-54 abasebenzisi abavotile. Abasebenzisi abangu-6 bagobile.
Source: www.habr.com