I-ProHoster > Π‘Π»ΠΎΠ³ > Ukuphatha > Ungavuli amachweba emhlabeni - uzophulwa (izingozi)

Ungavuli amachweba emhlabeni - uzophulwa (izingozi)

Ungavuli amachweba emhlabeni - uzophulwa (izingozi)

Ngokuphindaphindiwe, ngemva kokwenza ucwaningo, ngokuphendula izincomo zami zokufihla amachweba ngemuva kohlu lwabamhlophe, ngihlangana nodonga lokungaqondi kahle. Ngisho nama-admins/DevOps apholile ayabuza: β€œKungani?!?”

Ngiphakamisa ukucabangela ubungozi ngohlelo olwehlayo lwamathuba okuba kwenzeke nomonakalo.

  1. Iphutha lokumisa
  2. I-DDoS nge-IP
  3. I-Brute force
  4. Ukuba sengozini kwesevisi
  5. Ukuba sengozini kwesitaki se-Kernel
  6. Ukuhlasela kwe-DDoS okwandisiwe

Iphutha lokumisa

Isimo esijwayelekile nesiyingozi kakhulu. Kwenzeka kanjani. Umthuthukisi udinga ukuhlola ngokushesha i-hypothesis; usetha iseva yesikhashana nge-mysql/redis/mongodb/elastic. I-password, yebo, iyinkimbinkimbi, uyisebenzisa yonke indawo. Ivula isevisi emhlabeni wonke - kumlungele ukuthi axhume ku-PC yakhe ngaphandle kwalawa ma-VPN akho. Futhi ngivilapha kakhulu ukukhumbula i-iptables syntax; iseva ingeyesikhashana noma kunjalo. Izinsuku ezimbalwa zokuthuthuka - kube kuhle kakhulu, singakubonisa ikhasimende. Ikhasimende liyayithanda, asikho isikhathi sokuyenza kabusha, sethula ku-PROD!

Isibonelo esenziwe ihaba ngamabomu ukuze sidlule kuwo wonke amaraki:

  1. Akukho lutho olungapheli kunesikhashana - angiyithandi le nkulumo, kodwa ngokuvumelana nemizwa ejulile, i-20-40% yalezi ziphakeli zesikhashana zihlala isikhathi eside.
  2. Iphasiwedi eyinkimbinkimbi yendawo yonke esetshenziswa ezinsizeni eziningi imbi. Ngoba enye yezinsizakalo lapho le phasiwedi isetshenziswe khona kungenzeka ukuthi igqekeziwe. Ngandlela thize, isizindalwazi samasevisi antshontshiwe singena sibe yinye, esetshenziselwa [i-brute force]*.
    Kuyafaneleka ukungeza ukuthi ngemuva kokufakwa, i-redis, i-mongodb ne-elastic ngokuvamile itholakala ngaphandle kokuqinisekisa, futhi ivame ukugcwaliswa kabusha. ukuqoqwa kolwazi oluvulekile.
  3. Kungase kubonakale sengathi akekho ozoskena imbobo yakho ye-3306 ezinsukwini ezimbalwa. Kuyinkohliso! I-Masscan iyiskena esihle kakhulu futhi ingaskena emachwebeni ayi-10M ngomzuzwana. Futhi kukhona i-IPv4 eyizigidi eziyizinkulungwane ezine kuphela ku-inthanethi. Ngakho-ke, wonke amachweba angama-4 aku-inthanethi atholakala ngemizuzu eyi-3306. Charles!!! Imizuzu eyisikhombisa!
    "Ubani odinga lokhu?" - uyaphikisa. Ngakho-ke ngiyamangala uma ngibheka izibalo zamaphakheji awehlisiwe. Ivelaphi imizamo yokuskena eyizinkulungwane ezingama-40 evela kuma-IP ahlukile ayizinkulungwane ezi-3 ngosuku? Manje wonke umuntu uyaskena, kusukela kubaduni bakamama kuya kohulumeni. Kulula kakhulu ukuhlola - thatha noma iyiphi i-VPS ngo-$3-5 kunoma iyiphi** inkampani yezindiza eshibhile, vumela ukugawulwa kwamaphakheji awile futhi ubheke ilogu ngosuku.

Ivumela ukungena

Ku-/etc/iptables/rules.v4 engeza ekugcineni:
-A INPUT -j LOG --log-prefix "[FW - ALL] " --log-level 4

Futhi ku-/etc/rsyslog.d/10-iptables.conf
:msg,iqukethe,"[FW - " /var/log/iptables.log
& Ima

I-DDoS nge-IP

Uma umhlaseli azi i-IP yakho, angaduna iseva yakho amahora ambalwa noma izinsuku. Akubona bonke abahlinzeki bokusingatha abashibhile abanokuvikelwa kwe-DDoS futhi iseva yakho izomane inqanyulwe kunethiwekhi. Uma ufihle iseva yakho ngemuva kwe-CDN, ungakhohlwa ukushintsha i-IP, ngaphandle kwalokho isigebengu se-inthanethi sizoyisebenzisa ku-google bese i-DDoS iseva yakho idlula i-CDN (iphutha elidume kakhulu).

Ukuba sengozini kwesevisi

Wonke ama-software adumile ngokushesha noma kamuva athola amaphutha, ngisho nalawo ahlolwe kakhulu futhi abucayi. Phakathi kochwepheshe be-IB, kukhona ihlaya eliyisigamu - ukuphepha kwengqalasizinda kungahlolwa ngokuphepha ngesikhathi sokuvuselelwa kokugcina. Uma ingqalasizinda yakho inothile ngamachweba aphumela emhlabeni, futhi ungakayibuyekezi isikhathi esingangonyaka, khona-ke noma yimuphi uchwepheshe wezokuphepha uzokutshela ngaphandle kokubheka ukuthi uyavuza, futhi kungenzeka ukuthi usuvele ugqekeziwe.
Kufanele futhi kuphawulwe ukuthi bonke ubungozi obaziwayo ake bangaziwa. Cabanga ngomduni we-inthanethi othole ubungozi obunjalo futhi waskena yonke i-inthanethi ngemizuzu engu-7 ukuze uthole ubukhona bayo... Nansi ubhubhane olusha lwegciwane) Kudingeka sibuyekeze, kodwa lokhu kungalimaza umkhiqizo, usho. Futhi uzobe ulungile uma amaphakheji engafakiwe kusuka kumakhosombe asemthethweni we-OS. Kusukela kokuhlangenwe nakho, izibuyekezo ezivela endaweni yokugcina esemthethweni azivamile ukwephula umkhiqizo.

I-Brute force

Njengoba kuchazwe ngenhla, kukhona isizindalwazi esinamaphasiwedi ayingxenye yebhiliyoni okulula ukuwabhala kukhibhodi. Ngamanye amazwi, uma ungazange ukhiqize iphasiwedi, kodwa uthayiphe izimpawu ezincikene kukhibhodi, qiniseka* ukuthi zizokudida.

Ukuba sengozini kwesitaki se-Kernel.

Kuyenzeka futhi **** ukuthi akunandaba nokuthi iyiphi insiza evula ichweba, lapho isitaki senethiwekhi ye-kernel ngokwaso sisengozini. Okusho ukuthi, noma iyiphi isokhethi ye-tcp/udp ohlelweni oluneminyaka emibili ubudala ingaba sengozini eholela ku-DDoS.

Ukuhlasela kwe-DDoS okwandisiwe

Ngeke idale umonakalo oqondile, kodwa ingavala isiteshi sakho, ikhulise umthwalo ohlelweni, i-IP yakho izogcina isohlwini oluthile olumnyama*****, futhi uzothola ukuxhashazwa kumsingathi.

Ingabe uyazidinga ngempela zonke lezi zingozi? Engeza i-IP yekhaya lakho nomsebenzi ohlwini olumhlophe. Noma ngabe inamandla, ngena ngephaneli yomphathi womphathi, ngekhonsoli yewebhu, bese wengeza enye.

Sengineminyaka engu-15 ngakha futhi ngivikela ingqalasizinda ye-IT. Ngisungule umthetho engiwuncoma kakhulu kuwo wonke umuntu - asikho ichweba okufanele linamathele emhlabeni ngaphandle kohlu olumhlophe.

Isibonelo, iseva yewebhu evikeleke kakhulu*** yileyo evula u-80 no-443 kuphela ku-CDN/WAF. Futhi izimbobo zesevisi (ssh, netdata, bacula, phpmyadmin) kufanele okungenani zibe ngemuva kohlu olumhlophe, futhi zibe ngcono nakakhulu ngemuva kwe-VPN. Uma kungenjalo, usengozini yokuba sengozini.

Yilokho kuphela ebengifuna ukukusho. Gcina izimbobo zakho zivaliwe!

  • (1) UPD1: kuyinto ungabheka iphasiwedi yakho epholile yendawo yonke (ungakwenzi lokhu ngaphandle kokufaka le phasiwedi ngengahleliwe kuzo zonke izinsiza), noma ngabe ivele kusizindalwazi esihlanganisiwe. Futhi lapha ungabona ukuthi zingaki izinsiza ezigetshengiwe, lapho i-imeyili yakho yafakwa khona, futhi, ngokufanelekile, uthole ukuthi ingabe igama lakho eliyimfihlo eliyimfihlo lifakwe engcupheni.
  • (2) Ngokwekhredithi ye-Amazon, i-LightSail inokuskena okuncane. Ngokusobala bayayihlunga ngandlela thize.
  • (3) Iseva yewebhu evikeleke nakakhulu yileyo engemuva kwe-firewall, i-WAF yayo, kodwa sikhuluma nge-VPS/Dedicated yomphakathi.
  • (4) Segmentsmak.
  • (5) I-Firehol.

Abasebenzisi ababhalisiwe kuphela abangabamba iqhaza kuhlolovo. Ngena ngemvume, wamukelekile.

Ingabe amachweba akho ayaphuma?

  • Njalo

  • Kwesinye isikhathi

  • Ngeke

  • Angazi, fuck

Bangu-54 abasebenzisi abavotile. Abasebenzisi abangu-6 bagobile.

Source: www.habr.com

Engeza amazwana