Namuhla, ukukhulisa iseva ekusingatheni kuyindaba yemizuzu embalwa nokuchofoza amagundane okumbalwa. Kodwa ngokushesha ngemva kokwethulwa, uzithola esendaweni enenzondo, ngoba uvuleleke kuyo yonke i-Inthanethi njengentombazane engenacala ku-rocker disco. Izikena zizoyithola ngokushesha futhi zithole izinkulungwane zama-bot abhalwe ngokuzenzakalelayo ahlola inethiwekhi efuna ubungozi kanye nokungalungiseki kahle. Kunezinto ezimbalwa okufanele uzenze ngemva nje kokwethula ukuze uqinisekise ukuvikeleka okuyisisekelo.
Okuqukethwe
Umsebenzisi ongeyona impande Okhiye esikhundleni samaphasiwedi e-SSH i-firewall I-Fail2Ban Izibuyekezo zokuphepha ezizenzakalelayo Ukushintsha izimbobo ezizenzakalelayo
Umsebenzisi ongeyona impande
Isinyathelo sokuqala wukuzidalela umsebenzisi ongeyona impande. Iphuzu ukuthi umsebenzisi root
amalungelo aphelele ohlelweni, futhi uma umvumela ukuphatha okude, khona-ke uzokwenza uhhafu womsebenzi ku-hacker, ushiye igama lomsebenzisi elivumelekile kuye.
Ngakho-ke, udinga ukudala omunye umsebenzisi, futhi ukhubaze ukuphatha okukude nge-SSH ukuze uthole impande.
Umsebenzisi omusha uqalwa ngomyalo useradd
:
useradd [options] <username>
Bese kwengezwa iphasiwedi yayo ngomyalo passwd
:
passwd <username>
Okokugcina, lo msebenzisi udinga ukwengezwa eqenjini elinelungelo lokukhipha imiyalo ephakeme sudo
. Kuye ngokusatshalaliswa kwe-Linux, lawa angase abe amaqembu ahlukene. Isibonelo, ku-CentOS ne-Red Hat, umsebenzisi wengezwa eqenjini wheel
:
usermod -aG wheel <username>
Ku-Ubuntu yengezwe eqenjini sudo
:
usermod -aG sudo <username>
Okhiye esikhundleni samaphasiwedi e-SSH
Ukuvuza kwe-Brute force noma iphasiwedi kuyi-vector evamile yokuhlasela, ngakho-ke kungcono kakhulu ukukhubaza ukufakazela ubuqiniso bephasiwedi ku-SSH (I-Shell Evikelekile) bese usebenzisa ukufakazela ubuqiniso kokhiye esikhundleni salokho.
Kunezinhlelo ezahlukahlukene zokusebenzisa iphrothokholi ye-SSH, njenge
sudo apt install openssh-client
Ukufakwa kweseva:
sudo apt install openssh-server
Ukuqala i-daemon ye-SSH (sshd) kuseva ye-Ubuntu:
sudo systemctl start sshd
Qala i-daemon ngokuzenzakalelayo kuwo wonke ama-boot:
sudo systemctl enable sshd
Kufanele kuqashelwe ukuthi ingxenye yeseva ye-OpenSSH ihlanganisa ingxenye yeklayenti. Okungukuthi, ngokusebenzisa openssh-server
ungaxhuma kwamanye amaseva. Ngaphezu kwalokho, kusukela emshinini wakho weklayenti, ungaqala umhubhe we-SSH kusuka kuseva ekude ukuya kumsingathi wenkampani yangaphandle, bese umsingathi wenkampani yangaphandle ezobheka iseva ekude njengomthombo wezicelo. Isici esiwusizo kakhulu sokufihla isistimu yakho. Bheka isihloko ukuze uthole imininingwane
Emshinini weklayenti, ngokuvamile akunangqondo ukufaka iseva egcwele ngokugcwele ukuze kuvinjwe amathuba okuxhumana okukude kukhompyutha (ngezinjongo zokuphepha).
Ngakho-ke, kumsebenzisi wakho omusha, udinga kuqala ukukhiqiza okhiye be-SSH ekhompyutheni lapho uzofinyelela khona iseva:
ssh-keygen -t rsa
Ukhiye osesidlangalaleni ugcinwa kufayela .pub
futhi kubukeka njengochungechunge lwezinhlamvu ezingahleliwe eziqala ngazo ssh-rsa
.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ3GIJzTX7J6zsCrywcjAM/7Kq3O9ZIvDw2OFOSXAFVqilSFNkHlefm1iMtPeqsIBp2t9cbGUf55xNDULz/bD/4BCV43yZ5lh0cUYuXALg9NI29ui7PEGReXjSpNwUD6ceN/78YOK41KAcecq+SS0bJ4b4amKZIJG3JWm49NWvoo0hdM71sblF956IXY3cRLcTjPlQ84mChKL1X7+D645c7O4Z1N3KtL7l5nVKSG81ejkeZsGFzJFNqvr5DuHdDL5FAudW23me3BDmrM9ifUmt1a00mWci/1qUlaVFft085yvVq7KZbF2OP2NQACUkwfwh+iSTP username@hostname
Bese, kusukela ngaphansi kwempande, dala uhla lwemibhalo lwe-SSH kuseva kumkhombandlela wasekhaya womsebenzisi bese wengeza ukhiye womphakathi we-SSH efayeleni. authorized_keys
, usebenzisa umhleli wombhalo njenge-Vim:
mkdir -p /home/user_name/.ssh && touch /home/user_name/.ssh/authorized_keys
vim /home/user_name/.ssh/authorized_keys
Ekugcineni, setha izimvume ezifanele zefayela:
chmod 700 /home/user_name/.ssh && chmod 600 /home/user_name/.ssh/authorized_keys
futhi ushintshe ubunikazi kulo msebenzisi:
chown -R username:username /home/username/.ssh
Ohlangothini lweklayenti, udinga ukucacisa indawo yokhiye oyimfihlo ukuze uqinisekise:
ssh-add DIR_PATH/keylocation
Manje ungangena kuseva ngaphansi kwegama lomsebenzisi usebenzisa lo khiye:
ssh [username]@hostname
Ngemuva kokugunyazwa, ungasebenzisa umyalo we-scp ukukopisha amafayela, insiza
Kutuswa ukwenza amakhophi ayisipele ambalwa okhiye wangasese, ngoba uma ukhubaza ukuqinisekiswa kwephasiwedi futhi ulahlekelwe yikho, ngeke ube nayo yonke indlela yokungena kuseva yakho nhlobo.
Njengoba kushiwo ngenhla, ku-SSH udinga ukukhubaza ukuqinisekiswa kwempande (lesi isizathu sokuthi siqale umsebenzisi omusha).
Ku-CentOS/Red Hat sithola umugqa PermitRootLogin yes
kufayela le-config /etc/ssh/sshd_config
futhi uyishintshe:
PermitRootLogin no
Ku-Ubuntu engeza umugqa PermitRootLogin no
kufayela le-config 10-my-sshd-settings.conf
:
sudo echo "PermitRootLogin no" >> /etc/ssh/sshd_config.d/10-my-sshd-settings.conf
Ngemuva kokuqinisekisa ukuthi umsebenzisi omusha uqinisekisa ngokhiye wakhe, ungakhubaza ukufakazela ubuqiniso bephasiwedi ukuze uqede ubungozi bokuvuza kwephasiwedi noma amandla anonya. Manje, ukuze ufinyelele iseva, umhlaseli uzodinga ukuthola ukhiye oyimfihlo.
Ku-CentOS/Red Hat sithola umugqa PasswordAuthentication yes
kufayela le-config /etc/ssh/sshd_config
futhi uyishintshe kanje:
PasswordAuthentication no
Ku-Ubuntu engeza umugqa PasswordAuthentication no
ukufayela 10-my-sshd-settings.conf
:
sudo echo "PasswordAuthentication no" >> /etc/ssh/sshd_config.d/10-my-sshd-settings.conf
Ukuze uthole imiyalelo yokunika amandla ukuqinisekiswa kwezinto ezimbili nge-SSH, bona
i-firewall
I-firewall iqinisekisa ukuthi kuphela ithrafikhi ezikhumulweni ozivumela ngokuqondile ezoya kuseva. Lokhu kuvikela ekuxhashazweni kwezimbobo ezinikwe amandla ngephutha namanye amasevisi, okunciphisa kakhulu indawo yokuhlasela.
Ngaphambi kokufaka i-firewall, udinga ukwenza isiqiniseko sokuthi i-SSH ifakiwe ohlwini lokukhishwa futhi ngeke ivinjwe. Uma kungenjalo, ngemva kokuqala i-firewall, ngeke sikwazi ukuxhuma kuseva.
Ukusatshalaliswa kwe-Ubuntu kuza ne-Uncomplicated Firewall (
Ukuvumela i-SSH ku-firewall ku-Ubuntu:
sudo ufw allow ssh
Ku-CentOS/Red Hat sebenzisa umyalo firewall-cmd
:
sudo firewall-cmd --zone=public --add-service=ssh --permanent
Ngemuva kwale nqubo, ungaqala i-firewall.
Ku-CentOS/Red Hat, qala insizakalo ye-systemd ye-firewalld:
sudo systemctl start firewalld
sudo systemctl enable firewalld
Ku-Ubuntu sisebenzisa umyalo olandelayo:
sudo ufw enable
I-Fail2Ban
service
Ukufaka i-Fail2Ban ku-CentOS ne-Red Hat:
sudo yum install fail2ban
Ukufakwa ku-Ubuntu naku-Debian:
sudo apt install fail2ban
Yethula:
systemctl start fail2ban
systemctl enable fail2ban
Uhlelo lunamafayela amabili okumisa: /etc/fail2ban/fail2ban.conf
и /etc/fail2ban/jail.conf
. Imikhawulo yokuvinjelwa icaciswe efayeleni lesibili.
Ijele le-SSH linikwe amandla ngokuzenzakalela ngezilungiselelo ezizenzakalelayo (imizamo emi-5, isikhawu semizuzu eyi-10, ukuvinjelwa imizuzu eyi-10).
[DEFAULT] indivacommand=bantime=10m findtime=10m maxretry=5
Ngokungeziwe ku-SSH, i-Fail2Ban ingavikela ezinye izinsiza kuseva yewebhu ye-nginx noma ye-Apache.
Izibuyekezo zokuphepha ezizenzakalelayo
Njengoba wazi, ubungozi obusha butholakala njalo kuzo zonke izinhlelo. Ngemuva kokuthi ulwazi selushicilelwe, ukuxhashazwa kwengezwa kumaphakethe okuxhaphaza adumile, asetshenziswa kakhulu izigebengu nentsha lapho kuthwetshulwa wonke amaseva ngokulandelana. Ngakho-ke, kubaluleke kakhulu ukufaka izibuyekezo zokuphepha ngokushesha nje lapho zivela.
Kuseva ye-Ubuntu, izibuyekezo zokuphepha ezizenzakalelayo zinikwa amandla ngokuzenzakalelayo, ngakho asikho esinye isenzo esidingekayo.
Ku-CentOS/Red Hat udinga ukufaka uhlelo lokusebenza
sudo dnf upgrade
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timer
Ukuhlola isibali sikhathi:
sudo systemctl status dnf-automatic.timer
Ukushintsha izimbobo ezizenzakalelayo
I-SSH yasungulwa ngo-1995 ukuze ithathe indawo ye-telnet (port 23) kanye ne-ftp (port 21), ngakho umbhali wohlelo, u-Tatu Iltonen
Ngokwemvelo, bonke abahlaseli bayazi ukuthi iyiphi imbobo ye-SSH esebenza kuyo - futhi bayiskene kanye namanye amachweba ajwayelekile ukuze uthole inguqulo yesofthiwe, ukuhlola amaphasiwedi ezimpande ezijwayelekile, nokunye.
Ukushintsha amachweba ajwayelekile - i-obfuscation - izikhathi eziningana kunciphisa inani lethrafikhi yemfucumfucu, ubukhulu bamalogi kanye nomthwalo kuseva, futhi kunciphisa indawo yokuhlasela. Nakuba abanye
Ngokwetiyori, ukushintsha izimbobo ezizenzakalelayo kuphambene nomkhuba wezakhiwo ezivulekile. Kodwa ekusebenzeni, inani lethrafikhi enonya empeleni liyancishiswa, ngakho-ke lesi yisinyathelo esilula nesisebenzayo.
Inombolo yembobo ingalungiswa ngokushintsha isiyalo Port 22
kufayela le-config -p <port>
в -p <port>
.
Ipharamitha -p <port>
ingasetshenziswa ukucacisa inombolo yembobo lapho uxhuma nomyalo ssh
kwe linux. IN scp
ipharamitha isetshenziswa -P <port>
(inhloko-dolobha P). Umyalelo womugqa womyalo ukhipha noma yiliphi inani kumafayela okumisa.
Uma kunamaseva amaningi, cishe zonke lezi zenzo zokuvikela iseva ye-Linux zingenziwa ngokuzenzakalelayo kuskripthi. Kodwa uma kukhona iseva eyodwa kuphela, kungcono ukulawula mathupha inqubo.
Emalungelo Wokukhangisa
Oda futhi uqalise ngokushesha!
Source: www.habr.com