This time, in the sixth and last post of our Learning SSH series, we will look in a practical way at the configuration and use of the options defined in the OpenSSH configuration file that is managed on the SSH server side, that is, the "SSHD Config" file (sshd_config), which we covered in the previous installment.
This way we can get to know, briefly, simply and directly, some of the best practices (tips and recommendations) for setting up an SSH server at home and at the office.
And, before starting today's topic, on the best "good practices to apply in the SSH server settings", we leave some links to related publications, for further reading:
Good practices in the SSH server
Which good practices should be applied when configuring an SSH server?
Next, and based on the options and parameters of the SSHD file (sshd_config) seen in the previous post, these are some of the best practices to carry out in the configuration of that file, in order to better secure our remote communications, incoming and outgoing, on a given SSH server:
Restrict the users who can log in via SSH with the AllowUsers option
Since this option or parameter is usually not included by default in the file, it can be added at the end of it. It takes a list of user name patterns, separated by spaces. So, if it is specified, login is only allowed for user name and host name combinations that match one of the configured patterns.
For example, as seen below:
# Patterns have the form USER@HOST; a host-only pattern needs a leading *@ or it is read as a user name
AllowUsers *patron*@192.168.1.0/24 *@192.168.1.0/24 *@*.midominio.com *@1.2.3.4
AllowGroups ssh
Tell SSH which local network interface to listen on with the ListenAddress option
To do this, you must enable (uncomment) the ListenAddress option, which comes by default with the value "0.0.0.0", but which in practice works in ALL mode, that is, listening on every network interface. Therefore, that value must be set so that it defines which local IP address or addresses the sshd program will use to listen for connection requests.
For example, as seen below:
# One address per ListenAddress directive; wildcards such as 192.168.1.* are not accepted
ListenAddress 129.168.2.1
# 192.168.1.10 is a constructed placeholder for a second local address
ListenAddress 192.168.1.10
Set SSH login by key with the PasswordAuthentication option
To do this, you must enable (uncomment) the PasswordAuthentication option, which comes by default with the value "yes". Then set this value to "no", to require the use of public and private keys to gain access to the given machine. This ensures that remote users can only log in from the computer or computers that were authorized beforehand. For example, as seen below:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PubkeyAuthentication yes
Disable root login via SSH with the PermitRootLogin option
To do this, you must enable (uncomment) the PermitRootLogin option, which comes by default with the value "prohibit-password". However, if you want the root user to be completely prevented from starting an SSH session, the appropriate value to set is "no". For example, as seen below:
PermitRootLogin no
Change the default SSH port with the Port option
To do this, you must enable (uncomment) the Port option, which comes by default with the value "22". It is important to change this port to any other available one, to reduce and avoid the large number of attacks, manual or by bots (brute force), that can be carried out against that well-known port. It is also important to make sure that the new port is free and that the other applications that will connect to our server can use it. For example, as seen below:
Port 4568
Other useful options to configure
Finally, and since the SSH program is very extensive, and in the previous installment we already covered each option in detail, below we only show some additional options, with values that may be appropriate in many and varied use cases.
And these are the following:
- Banner /etc/issue
- ClientAliveInterval 300
- ClientAliveCountMax 0
- LoginGraceTime 30
- LogLevel VERBOSE
- MaxAuthTries 3
- MaxSessions 0
- MaxStartups 3
- PermitEmptyPasswords no
- PrintMotd yes
- PrintLastLog yes
- StrictModes yes
- SyslogFacility AUTH
- X11Forwarding yes
- X11DisplayOffset 5
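The options above only protect the server if sshd actually applies them, and sshd keeps the first value it finds for a keyword, so a hardened line appended at the bottom of the file loses to an earlier one. The checker below is an added example (not code from the original post or from OpenSSH) that reads a configuration text by those rules and compares it with the values recommended here, run against a constructed sample; on a live system the authoritative view of the effective settings is `sshd -T`.

```python
# Added example, not from the original post: check an sshd_config text against the post's values.
BASELINE = {"permitrootlogin": "no", "passwordauthentication": "no",      # values
            "pubkeyauthentication": "yes", "permitemptypasswords": "no",  # recommended
            "maxauthtries": "3"}                                           # in this post

def parse_sshd_config(text):
    """Return (settings, ports, match_seen) for the global section, read the way sshd
    reads it: keywords are case-insensitive, '#' lines are comments, the FIRST value of
    a keyword wins (Port may repeat), and everything after a Match line is conditional."""
    settings, ports, match_seen = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        keyword, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "match":
            match_seen = True   # later lines apply only to matching connections
            break
        if keyword == "port":
            ports.append(value)
        else:
            settings.setdefault(keyword, value)  # first occurrence wins, as in sshd
    return settings, ports, match_seen

def audit(text, baseline=BASELINE):
    """Return a list of findings; an empty list means the text matches the baseline."""
    settings, ports, match_seen = parse_sshd_config(text)
    findings = []
    for keyword, wanted in baseline.items():
        got = settings.get(keyword)
        if got is None:
            findings.append(f"{keyword}: not set explicitly (compiled-in default applies)")
        elif got.lower() != wanted:
            findings.append(f"{keyword}: first value is '{got}', expected '{wanted}'")
    if not ports or "22" in ports:
        findings.append("port: the default port 22 is still in use")
    if match_seen:
        findings.append("match: a Match block follows; its settings were not checked")
    return findings

# Constructed sample: the hardened last line loses to the earlier 'yes'; the '#' line sets nothing.
SAMPLE_CONFIG = """Port 4568
PasswordAuthentication yes
#PubkeyAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
PasswordAuthentication no
"""
```

After editing the real file, `sshd -t` validates its syntax before the service is restarted, which avoids locking yourself out with a file sshd refuses to load.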
Note: keep in mind that, depending on the level of expertise and experience of the SysAdmins and the security requirements of each technology platform, many of these options may reasonably vary in quite different ways. In addition, other advanced or complex options can be enabled, as they may be useful or necessary in different working environments.
Other good practices
Among other good practices to implement in the SSH server we can mention the following:
- Set up warning e-mail notifications for all or for specific SSH connections.
- Protect SSH access to our servers from brute-force attacks using the Fail2ban tool.
- Periodically scan the SSH server and others with the Nmap tool, looking for possibly open ports that are unauthorized or unneeded.
- Strengthen the security of the IT platform by installing an IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System).
Summary
In short, with this new installment of "Learning SSH" we have finished the explanatory content on everything related to OpenSSH. Surely, in a short time, we will share a bit more essential information about the SSH protocol, and about its use from the console via Shell Scripting. So we hope these "good practices in the SSH server" add a lot of value, both personal and professional, when using GNU/Linux.
If you liked this post, be sure to comment on it and share it with others. And remember, visit our «home page» to explore more news, and join our official Telegram channel of DesdeLinux, or this group for more information on today's topic.
I look forward to the second part of this article, where you expand further on the last point:
Strengthen the security of the IT platform by installing an IDS (Intrusion Detection System) and an IPS (Intrusion Prevention System).
Thank you!!
Greetings, Lhoqvso. I will wait for it to be taken into account. Thank you for visiting us, reading our content and commenting.