Security tips for GNU/Linux systems

Well, I had been preparing this post for my blog for some time. It was suggested to me at DesdeLinux and, for lack of time or will, I had not got to it. Yes, I am a bit lazy 😀. But now they strike out, as we say in Cuba ...

This is a set of basic security rules for system administrators, in this case for those who, like me, manage networks/systems based on GNU/Linux ... There could be more, and in fact there are; this is just a sample of my experiences in the Linux world ...

0- Keep our systems up to date with the latest security updates.

0.1- Critical-update mailing lists [Slackware security advisories, Debian security advisories, in my case]

1- Physical access to the servers by unauthorized personnel.

1.1- Set a BIOS password on our servers

1.2- No booting from CD/DVD

1.3- Password in GRUB/Lilo

2- A good password policy, alphanumeric characters and so on.

2.1- Password aging with the "chage" command, as well as the number of days between password changes and the date of the last change.

2.2- Prevent the reuse of previous passwords:

in /etc/pam.d/common-password

password sufficient pam_unix.so use_authtok md5 shadow remember=10

This way, when a password is changed, the system remembers the last 10 passwords the user had.

3- Good management/segmentation policies for our network [routers, switches, vlans] and firewall, as well as filtering rules for INPUT, OUTPUT, FORWARD [NAT, SNAT, DNAT]

4- Enable the use of shells [/etc/shells]. Users who do not need to log in to the system get /bin/false or /bin/nologin.

5- Lock users after failed logins [faillog], and keep control of the system's user accounts.

passwd -l pepe -> locks the user pepe
passwd -u pepe -> unlocks the user pepe
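An added example (not from the original post) that audits items 4 and 5 together: it lists the accounts that still have a usable login shell and an unlocked password. The passwd/shadow data and the function name `login_capable` are constructed for illustration.

```shell
# Constructed sample data in passwd(5) and shadow(5) format; not from a real host.
sample_passwd() { cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/false
pepe:x:1000:1000:Pepe:/home/pepe:/bin/bash
ana:x:1001:1001:Ana:/home/ana:/bin/bash
EOF
}
sample_shadow() { cat <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:$6$constructed$hash:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
pepe:!$6$constructed$hash:19000:0:99999:7:::
ana:$6$constructed$hash:19000:0:99999:7:::
EOF
}

# login_capable PASSWD SHADOW
# Prints "user shell" for every account that can still log in with a password:
# its shell is not a nologin/false stub (item 4) and its shadow hash is not
# disabled with "*" or prefixed with "!" as passwd -l does (item 5).
login_capable() {
  awk -F: '
    NR == FNR { hash[$1] = $2; next }           # first file read: shadow
    $7 ~ /(^|\/)(nologin|false)$/ { next }      # no login shell
    hash[$1] ~ /^[!*]/ { next }                 # password locked or disabled
    { print $1, ($7 == "" ? "/bin/sh" : $7) }   # an empty shell field means /bin/sh
  ' "$2" "$1"
}

# Demo on the constructed data. On a real host, as root:
#   login_capable /etc/passwd /etc/shadow
d=$(mktemp -d)
sample_passwd > "$d/passwd"; sample_shadow > "$d/shadow"
login_capable "$d/passwd" "$d/shadow"
rm -rf "$d"
```

A locked password does not block logins that use SSH keys, so an account listed here is not the only kind worth reviewing.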

6- Enable the use of "sudo"; NEVER log in as root over ssh, "NEVER". In fact, you must edit the ssh configuration to achieve this. Use public/private keys on your servers together with sudo.
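An added example, not part of the original post, for checking that the ssh change from item 6 really took effect in the global section of the configuration. It assumes a single sshd_config file without Include directives; the function names and the sample file are constructed, and requiring `PasswordAuthentication no` is my reading of "use public/private keys".

```shell
# Constructed sample sshd_config; the duplicate PermitRootLogin is deliberate.
sample_sshd_config() { cat <<'EOF'
# hardened by admin
Port 22
permitrootlogin yes
PubkeyAuthentication yes
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
}

# sshd_global FILE KEYWORD DEFAULT
# Prints the value sshd uses globally for KEYWORD. sshd keeps the FIRST value
# it reads for a keyword, keywords are case-insensitive, and lines after a
# Match line apply only conditionally, so parsing stops there.
sshd_global() {
  awk -v want="$2" -v def="$3" '
    BEGIN { want = tolower(want) }
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    {
      line = $0; sub(/^[ \t]+/, "", line)
      split(line, f, /[ \t=]+/)                  # "Key value" or "Key=value"
      key = tolower(f[1]); val = tolower(f[2]); gsub(/"/, "", val)
    }
    key == "match" { exit }
    key == want { found = 1; print val; exit }
    END { if (!found) print def }                # fall back to the built-in default
  ' "$1"
}

# audit_sshd FILE: one finding per line; no output means both checks pass.
audit_sshd() {
  root=$(sshd_global "$1" PermitRootLogin prohibit-password)
  pw=$(sshd_global "$1" PasswordAuthentication yes)
  [ "$root" = "no" ] || echo "PermitRootLogin is '$root' (want: no)"
  [ "$pw" = "no" ] || echo "PasswordAuthentication is '$pw' (want: no)"
  return 0
}
```

In the sample, the later `PermitRootLogin no` has no effect because the earlier `permitrootlogin yes` was read first, which is the kind of mistake this check is meant to catch.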

7- Apply the "principle of least privilege" in our systems.

8- Check our services from time to time [netstat -lptun], on each of our servers. Add monitoring tools that can help with this task [Nagios, Cacti, Munin, Monit, Ntop, Zabbix].

9- Install IDSs: Snort/AcidBase, Snorby, Barnyard, OSSEC.

10- Nmap is your friend; use it to check your subnet/subnets.

11- Good security practices in OpenSSH, Apache2, Nginx, MySQL, PostgreSQL, Postfix, Squid, Samba, LDAP [the ones most commonly used] and any other service you need on your network.

12- Encrypt all communications wherever possible in our systems: SSL, GnuTLS, STARTTLS, digest, etc ... And if you handle sensitive information, encrypt your hard drive!!!

13- Update our mail servers with the latest security, blacklist and antispam rules.

14- Log activity on our systems with logwatch and logcheck.

15- Knowledge and use of tools such as top, sar, vmstat, free, etc.

sar -> system activity report
vmstat -> processes, memory, system, I/O, CPU activity, etc.
iostat -> CPU I/O status
mpstat -> multiprocessor status and usage
pmap -> memory usage by process
free -> memory
iptraf -> real-time traffic on our network
-> console-based Ethernet statistics monitor
-> network monitor
ss -> socket status [TCP socket info, UDP, raw sockets, DCCP sockets]
tcpdump -> detailed traffic analysis
vnstat -> network traffic monitor
mtr -> diagnostic tool for analyzing overload in networks
ethtool -> stats about network cards

That's all for now. I know there are a thousand and one more tips for this kind of environment, but these are the ones that have struck me most, or that at some point I have had to apply in an environment I administered.

A hug, and I hope it is useful to you 😀



  1.   koratsuki m

    I invite you to tell us in the comments about other rules you have implemented besides the ones mentioned, to increase our readers' knowledge 😀

    1.    yukiteru m

      Well, I would add:

      1.- Apply sysctl rules to restrict access to dmesg, /proc and SysRQ, assign PID1 to the core, enable the protections for hard and soft symlinks, protections for the TCP/IP stacks of both IPv4 and IPv6, enable full VDSO for maximum randomization of pointers and memory-space allocations, and improve robustness against buffer overflows.

      2.- Create an SPI (Stateful Packet Inspection) type firewall to prevent connections that were not created or previously allowed from accessing the system.

      3.- If you have no services that require connections with elevated privileges from a remote location, simply revoke access to them using access.conf or, failing that, allow access only to a specific user or group.

      4.- Use hard limits to prevent access by certain groups or users from destabilizing your system. Very useful in environments where there is a real multi-user load at all times.

      5.- TCPWrappers is your friend; if you are on a system with support for it, using it will not hurt, so you can deny access from any host unless it has been previously configured on the system.

      6.- Create SSH RSA keys of at least 2048 bits, or better 4096 bits, with alphanumeric passwords of more than 16 characters.

      7.- How world-writable are you? Checking the read/write permissions of your directories is no bad thing and is the best way to prevent unauthorized access in multi-user environments, not to mention that it makes it harder for certain unauthorized accesses to reach information that you do not want anyone else to see.

      8.- Mount every external partition that does not warrant otherwise with the options noexec, nosuid, nodev.

      9.- Use tools such as rkhunter and chkrootkit to check periodically that the system has no rootkit or malware installed. A prudent measure if you are one of those who install things from unsafe repositories, from PPAs, or who simply compile code from untrusted sites.
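Added example, not part of yukiteru's comment or the original post: a drift check for the sysctl rules in point 1 of the comment above. The choice of keys and values in `baseline` is my assumed mapping of that point onto real kernel parameters, and the `sysctl -a` output is constructed.

```shell
# Assumed baseline, in sysctl.conf format so it can also live in /etc/sysctl.d/.
baseline() { cat <<'EOF'
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 1
kernel.sysrq = 0
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.randomize_va_space = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv6.conf.all.accept_redirects = 0
EOF
}

# Constructed `sysctl -a` style output from a host that was never hardened.
sample_sysctl() { cat <<'EOF'
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.dmesg_restrict = 0
kernel.randomize_va_space = 2
kernel.sysrq = 176
net.ipv4.conf.all.rp_filter = 2
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_redirects = 1
EOF
}

# sysctl_drift BASELINE_FILE ACTUAL_FILE
# Prints one line per baseline key whose live value differs or is absent,
# in baseline order. No output means the host matches the baseline.
sysctl_drift() {
  awk -F'[ \t]*=[ \t]*' '
    /^[ \t]*([#;]|$)/ { next }                        # comments, blank lines
    NR == FNR { want[$1] = $2; order[++n] = $1; next }
    ($1 in want) { have[$1] = $2 }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (!(k in have)) print k ": missing (want " want[k] ")"
        else if (have[k] != want[k]) print k ": " have[k] " (want " want[k] ")"
      }
    }
  ' "$1" "$2"
}
```

On a real host, save the baseline to a file and compare it with the output of `sysctl -a` redirected to a second file.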

      1.    koratsuki m

        Uhmmm, delicious… Good comment, keep adding, guys… 😀

    2.    William Moreno Reyes m

      Apply Mandatory Access Control with SELinux?

  2.   ArmandoF m

    Very good article

    1.    koratsuki m

      Thanks, friend 😀

  3.   joaco m

    Hi, and if I am a normal user, should I use su or sudo?
    I use su because I don't like sudo, since anyone who has my user password can change whatever they want on the system, whereas with su they can't.

    1.    koratsuki m

      On your own computer it doesn't matter if you use su, you can use it without problems; on servers it is highly recommended to disable the use of su and use sudo. Many say it is because of auditing who ran which command, and sudo does that job ... I in particular use su on my PC, like you ...

      1.    joaco m

        Sure, I don't really know how it works on servers. Although it seems to me that sudo has the advantage that you can grant privileges to a user on another computer, if I'm not mistaken.

    2.    Andrew m

      Interesting article. I encrypt some files with gnu-gpg. As for least privilege, if you want to run, for example, a binary of unknown origin lost in the vast seas of information on the disk, how do I remove its access to certain functions?

      1.    koratsuki m

        I owe you that one, although I think you should only run as sudo/root programs that are trustworthy, that is, that come from your repo ...

      2.    yukiteru m

        I remember reading that there is a way to restrict root capabilities in some manual on GNU/Linux and UNIX; if I find it I will post it 😀

      3.    wawa m

        and chroot jails for unknown binaries?

    3.    yukiteru m

      Using sudo at all times is much better.

    4.    kari m

      Or you can use sudo, but limit the time the password is remembered.

  4.   Kevin Rodriguez m

    Similar tools that I use to monitor the PC: "iotop" as a replacement for "iostat", "htop" as an excellent "task manager", "iftop" for bandwidth monitoring.

  5.   dasauran m

    Many will think this is exaggerated, but I have already seen attacks to enlist a server into a botnet.

    https://twitter.com/monitolinux/status/594235592260636672/photo/1

    P.S.: Chinese beggars and their attempts to hack my server.

  6.   wawa m

    Something else that is advisable is to use chroot jails for services, so that if for some reason they are attacked they will not compromise the system.

  7.   shaidan m

    Using the ps command is also excellent for monitoring and could be part of the routine for checking for security flaws. Running ps -ef lists all processes; it is similar to top, although it shows some differences. Installing iptraf is another tool that may work.

  8.   Claudio J. Concepcion Tabbatarwa m

    Good contribution.

    I would add: SELinux or AppArmor, depending on the distro, always enabled.

    From my own experience I realized that it is bad practice to disable these components. We almost always do it when we are going to install or configure a service, with the excuse that it then runs without problems, when what we should really do is learn to manage them so that they allow that service.

    Greetings.

  9.   GnuLinux ?? m

    1. How do you encrypt the entire file system? Is it worth it??
    2. Does it have to be decrypted every time the system is updated?
    3. Is encrypting the machine's entire file system the same as encrypting any other file?

    1.    yukiteru m

      How do you show that you know what you are talking about?

  10.   NauTiluS m

    Also, you can jail programs and even multiple users. Although doing this is more work, if something happens and you have a backup copy of that folder, it is a piece of cake.

  11.   sautin m

    The best and most convenient security policy is not to be paranoid.
    Try it, it's infallible.

  12.   sankarau m

    I use csf, and when unblocking a client who got his password wrong on some access, it delays the process but it does do it. Is that normal?

    I'm looking for the command to unblock from ssh ... any suggestion