, CC BY-SA
Namuhla, ukukhulisa iseva ekusingatheni kuyindaba yemizuzu embalwa nokuchofoza amagundane okumbalwa. Kodwa ngokushesha ngemva kokwethulwa, uzithola esendaweni enenzondo, ngoba uvuleleke kuyo yonke i-Inthanethi njengentombazane engenacala ku-rocker disco. Izikena zizoyithola ngokushesha futhi zithole izinkulungwane zama-bot abhalwe ngokuzenzakalelayo ahlola inethiwekhi efuna ubungozi kanye nokungalungiseki kahle. Kunezinto ezimbalwa okufanele uzenze ngemva nje kokwethula ukuze uqinisekise ukuvikeleka okuyisisekelo.
Okuqukethwe
Umsebenzisi ongeyona impande
Isinyathelo sokuqala wukuzidalela umsebenzisi ongeyona impande. Iphuzu ukuthi umsebenzisi root amalungelo aphelele ohlelweni, futhi uma umvumela ukuphatha okude, khona-ke uzokwenza uhhafu womsebenzi ku-hacker, ushiye igama lomsebenzisi elivumelekile kuye.
Ngakho-ke, udinga ukudala omunye umsebenzisi, futhi ukhubaze ukuphatha okukude nge-SSH ukuze uthole impande.
Umsebenzisi omusha uqalwa ngomyalo useradd:
useradd [options] <username>
Bese kwengezwa iphasiwedi yayo ngomyalo passwd:
passwd <username>
Okokugcina, lo msebenzisi udinga ukwengezwa eqenjini elinelungelo lokukhipha imiyalo ephakeme sudo. Kuye ngokusatshalaliswa kwe-Linux, lawa angase abe amaqembu ahlukene. Isibonelo, ku-CentOS ne-Red Hat, umsebenzisi wengezwa eqenjini wheel:
usermod -aG wheel <username>
Ku-Ubuntu yengezwe eqenjini sudo:
usermod -aG sudo <username>
Okhiye esikhundleni samaphasiwedi e-SSH
Ukuvuza kwe-Brute force noma iphasiwedi kuyi-vector evamile yokuhlasela, ngakho-ke kungcono kakhulu ukukhubaza ukufakazela ubuqiniso bephasiwedi ku-SSH (I-Shell Evikelekile) bese usebenzisa ukufakazela ubuqiniso kokhiye esikhundleni salokho.
Kunezinhlelo ezahlukahlukene zokusebenzisa iphrothokholi ye-SSH, njenge и , kodwa edume kakhulu i-OpenSSH. Ukufaka iklayenti le-OpenSSH ku-Ubuntu:
sudo apt install openssh-clientUkufakwa kweseva:
sudo apt install openssh-serverUkuqala i-daemon ye-SSH (sshd) kuseva ye-Ubuntu:
sudo systemctl start sshdQala i-daemon ngokuzenzakalelayo kuwo wonke ama-boot:
sudo systemctl enable sshd
Kufanele kuqashelwe ukuthi ingxenye yeseva ye-OpenSSH ihlanganisa ingxenye yeklayenti. Okungukuthi, ngokusebenzisa openssh-server ungaxhuma kwamanye amaseva. Ngaphezu kwalokho, kusukela emshinini wakho weklayenti, ungaqala umhubhe we-SSH kusuka kuseva ekude ukuya kumsingathi wenkampani yangaphandle, bese umsingathi wenkampani yangaphandle ezobheka iseva ekude njengomthombo wezicelo. Isici esiwusizo kakhulu sokufihla isistimu yakho. Bheka isihloko ukuze uthole imininingwane .
Emshinini weklayenti, ngokuvamile akunangqondo ukufaka iseva egcwele ngokugcwele ukuze kuvinjwe amathuba okuxhumana okukude kukhompyutha (ngezinjongo zokuphepha).
Ngakho-ke, kumsebenzisi wakho omusha, udinga kuqala ukukhiqiza okhiye be-SSH ekhompyutheni lapho uzofinyelela khona iseva:
ssh-keygen -t rsa
Ukhiye osesidlangalaleni ugcinwa kufayela .pub futhi kubukeka njengochungechunge lwezinhlamvu ezingahleliwe eziqala ngazo ssh-rsa.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ3GIJzTX7J6zsCrywcjAM/7Kq3O9ZIvDw2OFOSXAFVqilSFNkHlefm1iMtPeqsIBp2t9cbGUf55xNDULz/bD/4BCV43yZ5lh0cUYuXALg9NI29ui7PEGReXjSpNwUD6ceN/78YOK41KAcecq+SS0bJ4b4amKZIJG3JWm49NWvoo0hdM71sblF956IXY3cRLcTjPlQ84mChKL1X7+D645c7O4Z1N3KtL7l5nVKSG81ejkeZsGFzJFNqvr5DuHdDL5FAudW23me3BDmrM9ifUmt1a00mWci/1qUlaVFft085yvVq7KZbF2OP2NQACUkwfwh+iSTP username@hostname
Bese, kusukela ngaphansi kwempande, dala uhla lwemibhalo lwe-SSH kuseva kumkhombandlela wasekhaya womsebenzisi bese wengeza ukhiye womphakathi we-SSH efayeleni. authorized_keys, usebenzisa umhleli wombhalo njenge-Vim:
mkdir -p /home/user_name/.ssh && touch /home/user_name/.ssh/authorized_keysvim /home/user_name/.ssh/authorized_keysEkugcineni, setha izimvume ezifanele zefayela:
chmod 700 /home/user_name/.ssh && chmod 600 /home/user_name/.ssh/authorized_keysfuthi ushintshe ubunikazi kulo msebenzisi:
chown -R username:username /home/username/.sshOhlangothini lweklayenti, udinga ukucacisa indawo yokhiye oyimfihlo ukuze uqinisekise:
ssh-add DIR_PATH/keylocationManje ungangena kuseva ngaphansi kwegama lomsebenzisi usebenzisa lo khiye:
ssh [username]@hostnameNgemuva kokugunyazwa, ungasebenzisa umyalo we-scp ukukopisha amafayela, insiza ukukhweza ukude isistimu yefayela noma izinkomba.
Kutuswa ukwenza amakhophi ayisipele ambalwa okhiye wangasese, ngoba uma ukhubaza ukuqinisekiswa kwephasiwedi futhi ulahlekelwe yikho, ngeke ube nayo yonke indlela yokungena kuseva yakho nhlobo.
Njengoba kushiwo ngenhla, ku-SSH udinga ukukhubaza ukuqinisekiswa kwempande (lesi isizathu sokuthi siqale umsebenzisi omusha).
Ku-CentOS/Red Hat sithola umugqa PermitRootLogin yes kufayela le-config /etc/ssh/sshd_config futhi uyishintshe:
PermitRootLogin no
Ku-Ubuntu engeza umugqa PermitRootLogin no kufayela le-config 10-my-sshd-settings.conf:
sudo echo "PermitRootLogin no" >> /etc/ssh/sshd_config.d/10-my-sshd-settings.confNgemuva kokuqinisekisa ukuthi umsebenzisi omusha uqinisekisa ngokhiye wakhe, ungakhubaza ukufakazela ubuqiniso bephasiwedi ukuze uqede ubungozi bokuvuza kwephasiwedi noma amandla anonya. Manje, ukuze ufinyelele iseva, umhlaseli uzodinga ukuthola ukhiye oyimfihlo.
Ku-CentOS/Red Hat sithola umugqa PasswordAuthentication yes kufayela le-config /etc/ssh/sshd_config futhi uyishintshe kanje:
PasswordAuthentication no
Ku-Ubuntu engeza umugqa PasswordAuthentication no ukufayela 10-my-sshd-settings.conf:
sudo echo "PasswordAuthentication no" >> /etc/ssh/sshd_config.d/10-my-sshd-settings.confUkuze uthole imiyalelo yokunika amandla ukuqinisekiswa kwezinto ezimbili nge-SSH, bona .
i-firewall
I-firewall iqinisekisa ukuthi kuphela ithrafikhi ezikhumulweni ozivumela ngokuqondile ezoya kuseva. Lokhu kuvikela ekuxhashazweni kwezimbobo ezinikwe amandla ngephutha namanye amasevisi, okunciphisa kakhulu indawo yokuhlasela.
Ngaphambi kokufaka i-firewall, udinga ukwenza isiqiniseko sokuthi i-SSH ifakiwe ohlwini lokukhishwa futhi ngeke ivinjwe. Uma kungenjalo, ngemva kokuqala i-firewall, ngeke sikwazi ukuxhuma kuseva.
Ukusatshalaliswa kwe-Ubuntu kuza ne-Uncomplicated Firewall (), kanye ne-CentOS/Red Hat - .
Ukuvumela i-SSH ku-firewall ku-Ubuntu:
sudo ufw allow ssh
Ku-CentOS/Red Hat sebenzisa umyalo firewall-cmd:
sudo firewall-cmd --zone=public --add-service=ssh --permanentNgemuva kwale nqubo, ungaqala i-firewall.
Ku-CentOS/Red Hat, qala insizakalo ye-systemd ye-firewalld:
sudo systemctl start firewalld
sudo systemctl enable firewalldKu-Ubuntu sisebenzisa umyalo olandelayo:
sudo ufw enable
I-Fail2Ban
service ihlaziya amalogi kuseva futhi ibala inani lemizamo yokufinyelela ekhelini ngalinye le-IP. Izilungiselelo zicacisa imithetho yokuthi mingaki imizamo yokufinyelela evunyelwe isikhathi esithile - ngemva kwalokho leli kheli lasesizindeni se-inthanethi livinjwa isikhathi esithile. Isibonelo, ake sivumele imizamo yokuqinisekisa ye-SSH ehlulekile emi-5 phakathi namahora angu-2, bese sivimba ikheli le-IP elinikeziwe amahora angu-12.
Ukufaka i-Fail2Ban ku-CentOS ne-Red Hat:
sudo yum install fail2banUkufakwa ku-Ubuntu naku-Debian:
sudo apt install fail2banYethula:
systemctl start fail2ban
systemctl enable fail2ban
Uhlelo lunamafayela amabili okumisa: /etc/fail2ban/fail2ban.conf и /etc/fail2ban/jail.conf. Imikhawulo yokuvinjelwa icaciswe efayeleni lesibili.
Ijele le-SSH linikwe amandla ngokuzenzakalela ngezilungiselelo ezizenzakalelayo (imizamo emi-5, isikhawu semizuzu eyi-10, ukuvinjelwa imizuzu eyi-10).
[DEFAULT] indivacommand=bantime=10m findtime=10m maxretry=5
Ngokungeziwe ku-SSH, i-Fail2Ban ingavikela ezinye izinsiza kuseva yewebhu ye-nginx noma ye-Apache.
Izibuyekezo zokuphepha ezizenzakalelayo
Njengoba wazi, ubungozi obusha butholakala njalo kuzo zonke izinhlelo. Ngemuva kokuthi ulwazi selushicilelwe, ukuxhashazwa kwengezwa kumaphakethe okuxhaphaza adumile, asetshenziswa kakhulu izigebengu nentsha lapho kuthwetshulwa wonke amaseva ngokulandelana. Ngakho-ke, kubaluleke kakhulu ukufaka izibuyekezo zokuphepha ngokushesha nje lapho zivela.
Kuseva ye-Ubuntu, izibuyekezo zokuphepha ezizenzakalelayo zinikwa amandla ngokuzenzakalelayo, ngakho asikho esinye isenzo esidingekayo.
Ku-CentOS/Red Hat udinga ukufaka uhlelo lokusebenza bese uvule isibali sikhathi:
sudo dnf upgrade
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timerUkuhlola isibali sikhathi:
sudo systemctl status dnf-automatic.timer
Ukushintsha izimbobo ezizenzakalelayo
I-SSH yasungulwa ngo-1995 ukuze ithathe indawo ye-telnet (port 23) kanye ne-ftp (port 21), ngakho umbhali wohlelo, u-Tatu Iltonen , futhi kuvunywe yi-IANA.
Ngokwemvelo, bonke abahlaseli bayazi ukuthi iyiphi imbobo ye-SSH esebenza kuyo - futhi bayiskene kanye namanye amachweba ajwayelekile ukuze uthole inguqulo yesofthiwe, ukuhlola amaphasiwedi ezimpande ezijwayelekile, nokunye.
Ukushintsha amachweba ajwayelekile - i-obfuscation - izikhathi eziningana kunciphisa inani lethrafikhi yemfucumfucu, ubukhulu bamalogi kanye nomthwalo kuseva, futhi kunciphisa indawo yokuhlasela. Nakuba abanye (ukuphepha ngokufiphala). Isizathu siwukuthi le nqubo iphikisana nesisekelo . Ngakho-ke, isibonelo, i-US National Institute of Standards and Technology in ikhombisa isidingo sokwakhiwa kweseva evulekile: "Ukuphepha kwesistimu akufanele kuncike ekusithekeni kokuqaliswa kwezingxenye zayo," kusho lo mbhalo.
Ngokwetiyori, ukushintsha izimbobo ezizenzakalelayo kuphambene nomkhuba wezakhiwo ezivulekile. Kodwa ekusebenzeni, inani lethrafikhi enonya empeleni liyancishiswa, ngakho-ke lesi yisinyathelo esilula nesisebenzayo.
Inombolo yembobo ingalungiswa ngokushintsha isiyalo Port 22 kufayela le-config . Iphinde ikhonjiswe ngepharamitha -p <port> в . Iklayenti le-SSH nezinhlelo futhi isekela inketho -p <port>.
Ipharamitha -p <port> ingasetshenziswa ukucacisa inombolo yembobo lapho uxhuma nomyalo ssh kwe linux. IN и scp ipharamitha isetshenziswa -P <port> (inhloko-dolobha P). Umyalelo womugqa womyalo ukhipha noma yiliphi inani kumafayela okumisa.
Uma kunamaseva amaningi, cishe zonke lezi zenzo zokuvikela iseva ye-Linux zingenziwa ngokuzenzakalelayo kuskripthi. Kodwa uma kukhona iseva eyodwa kuphela, kungcono ukulawula mathupha inqubo.
Emalungelo Wokukhangisa
Oda futhi uqalise ngokushesha! noma yikuphi ukucushwa kanye nanoma yiluphi uhlelo lokusebenza phakathi nomzuzu. Ukucushwa okuphezulu kuzokuvumela ukuthi uphume ngokugcwele - 128 CPU cores, 512 GB RAM, 4000 GB NVMe. I-Epic 🙂
Source: www.habr.com