Steps to secure our VPS

This tutorial shows how to prepare and secure a Virtual Private Server (VPS) running Debian GNU/Linux. Before we start, a few things are assumed:

  1. You have an intermediate level of familiarity with GNU/Linux.
  2. There is a VPS for personal use that we access over SSH.
  3. The VPS has the dedicated external IPv4 address 250.250.250.155 and our provider owns the block 250.250.0.0/16. (1)
  4. On our VPS only the http, https and ssh services will be enabled for access from outside.
  5. External DNS will not be enabled, since it is usually handled in our provider's panel. (2)
  6. We will work as superuser.

Installation

As a first step, let's update the server and install some packages we will need:

# aptitude update && aptitude safe-upgrade
# aptitude -RvW install dropbear gesftpserver sslh iptables-persistent ulogd fail2ban nginx-light apache2-utils dnsutils telnet ghostscript poppler-utils zip unzip unrar-free p7zip-full less multitail tee mc

Configuration

Now we will create a user. Working as root on a server is not secure, so we first create a dedicated user:

adduser operator
usermod -aG sudo operator

The first command creates the user operator; the second adds it to the sudo group, which allows it to run applications as root.

Adjusting privileges for superusers

Since we will normally work as the operator user created earlier, we need to adjust the options for running commands as superuser, for which we run the following command:

visudo

This command lets us edit the file /etc/sudoers, which should contain the following lines:

Defaults env_reset,timestamp_timeout=0
%sudo ALL=(ALL:ALL) ALL

The first line adds the timestamp_timeout option to the default values. It sets the expiry time (in minutes) of the password once a sudo command has been run. The default is 5, but this is sometimes unsafe for two reasons:

  1. If we carelessly leave our computer logged in before the password expires, someone could run commands as root without any restriction.
  2. If, out of ignorance, we run an application or script containing malicious code before the password expires, the application could gain administrator access to our system without our consent.

So, to avoid the risk, we set the value to zero, meaning that the password must be entered every time a sudo command is run. If a negative value such as -1 is set, the password never expires, which is the opposite of what we want.

The second line states that the sudo group may run any command on any computer, which is the usual setting, although it can be adjusted. (3) Some people, for convenience, write the line as follows to avoid typing the password:

%sudo ALL=(ALL:ALL) NOPASSWD:ALL

However, as explained above, this is risky and therefore not recommended.
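
The two settings discussed above can be checked mechanically. The following audit is an added example, not part of the original tutorial; the sample text is constructed from the lines shown in this section, and the parser is deliberately simple (it ignores #include directives and aliases).

```python
import re

# Constructed sample: the tutorial's two sudoers lines plus the
# NOPASSWD variant it advises against.
SAMPLE_SUDOERS = """\
Defaults env_reset,timestamp_timeout=0
%sudo ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) NOPASSWD:ALL
"""

TIMEOUT_RE = re.compile(r"\btimestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)")
NOPASSWD_RE = re.compile(r"\bNOPASSWD\s*:")


def audit_sudoers(text):
    """Return (line_number, finding) pairs for the settings discussed above."""
    findings = []
    timeout_set = False
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks and comments (simplification: #include is skipped too).
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            match = TIMEOUT_RE.search(line)
            if match:
                timeout_set = True
                minutes = float(match.group(1))
                if minutes < 0:
                    findings.append(
                        (number, "timestamp_timeout is negative: the password never expires"))
                elif minutes > 0:
                    findings.append(
                        (number, "timestamp_timeout=%g: sudo stays unlocked for that many minutes" % minutes))
            continue
        if NOPASSWD_RE.search(line):
            findings.append((number, "NOPASSWD: commands run as root without a password"))
    if not timeout_set:
        # Line number 0 marks a finding about the file as a whole.
        findings.append((0, "timestamp_timeout not set: sudo's built-in default applies"))
    return findings


if __name__ == "__main__":
    for number, finding in audit_sudoers(SAMPLE_SUDOERS):
        print("line %d: %s" % (number, finding))
```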

Disabling reboot

For security reasons, we will also disable rebooting with the Ctrl+Alt+Del key combination, for which we must add this line to the file /etc/inittab:

ca:12345:ctrlaltdel:/bin/echo "Ctrl+Alt+Del has been disabled."

Replacing OpenSSH with Dropbear

Most VPSs come with OpenSSH installed, which is certainly very useful, but unless we need all the features of OpenSSH there are lighter alternatives for a VPS, such as Dropbear, which is usually enough for regular use. However, a drawback of this application is that it does not come with an integrated SFTP server, which is why we installed the gesftpserver package at the beginning.

To configure Dropbear, we edit the file /etc/default/dropbear so that it contains these two lines:

NO_START=0
DROPBEAR_EXTRA_ARGS="-w -p 127.0.0.1:22 -I 1200 -m"

The first line simply enables the service; the second does several things:

  1. Prevents root login.
  2. Makes the service listen on port 22 of the local interface (we will explain why later).
  3. Sets the idle timeout (20 minutes).

SSLH

Port 22 (SSH) is well known and is generally the first one hackers try to break into, so we will use port 443 (SSL) instead. It so happens that this port is used for secure browsing over HTTPS.

For this reason we will use the sslh package, which is nothing more than a multiplexer that inspects the packets arriving on port 443 and forwards them internally to one service or another depending on whether the traffic is SSH or SSL.

SSLH cannot listen on an interface where another service is already listening, which is why we previously made Dropbear listen on the local interface.
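
The decision a multiplexer of this kind makes can be modelled on the first bytes a client sends. The following is an added example, not sslh's own code and not part of the original tutorial; the backend addresses come from this tutorial's configuration, while treating a silent client as SSH and discarding unrecognised traffic are assumptions of this model.

```python
import struct

# Backends taken from the addresses this tutorial configures.
BACKENDS = {"ssh": ("127.0.0.1", 22), "ssl": ("127.0.0.1", 443)}

# Constructed samples of what different clients send first.
SSH_HELLO = b"SSH-2.0-OpenSSH_6.7p1\r\n"
TLS_HELLO = bytes.fromhex("16030100c8010000c40303")
HTTP_PLAIN = b"GET / HTTP/1.1\r\n"


def probe(first_bytes):
    """Guess the protocol from the first bytes received on port 443."""
    # An SSH client opens with an identification string: "SSH-2.0-...".
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # A TLS client opens with a record header, type(1) version(2) length(2),
    # followed by the handshake message type.
    if len(first_bytes) >= 6:
        rec_type, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
        is_handshake = rec_type == 0x16            # 22 = handshake record
        is_tls_version = major == 0x03 and minor <= 0x04
        is_client_hello = first_bytes[5] == 0x01   # 1 = ClientHello
        if is_handshake and is_tls_version and is_client_hello and 0 < length <= 16384:
            return "ssl"
    return None


def route(first_bytes, timed_out=False):
    """Return the (host, port) backend, or None to discard the connection."""
    protocol = probe(first_bytes)
    # Assumption: a client that sends nothing before the timeout is treated
    # as SSH, because some SSH clients wait for the server banner first.
    if protocol is None and timed_out and not first_bytes:
        protocol = "ssh"
    return BACKENDS.get(protocol)


if __name__ == "__main__":
    for sample in (SSH_HELLO, TLS_HELLO, HTTP_PLAIN):
        print(sample[:12], "->", route(sample))
```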

Now we have to tell sslh the interface and port it should listen on, and where to forward the packets depending on the type of service. For this we edit the configuration file /etc/default/sslh:

DAEMON=/usr/sbin/sslh
DAEMON_OPTS="--user sslh --listen 250.250.250.155:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"
RUN=yes

Finally, we restart the services:

service ssh stop && service dropbear start && service sslh restart

After the previous command our secure session will most likely be interrupted; in that case it is enough to log in again, but this time as the operator user and using port 443. If the session is not interrupted, it is advisable to close it and start again with the appropriate values.

If everything works correctly, we can continue working as root and, if we wish, uninstall OpenSSH:

sudo su -
aptitude -r purge openssh-server

Firewall

The next thing we will do is separate the firewall logs into their own file, /var/log/firewall.log, to make later analysis easier, which is why we installed the ulogd package at the start. For this we edit the file /etc/ulogd.conf to adjust the relevant section:

[LOGEMU]
file="/var/log/firewall.log"
sync=1

Next, we modify the log rotation file /etc/logrotate.d/ulogd to keep a daily rotation (with date) and to store the compressed backups in the directory /var/log/ulog/:

/var/log/ulog/*.log /var/log/firewall.log {
    daily
    dateext
    missingok
    compress
    delaycompress
    sharedscripts
    create 640 root adm
    postrotate
        /etc/init.d/ulogd reload
        mv /var/log/firewall.log-*.gz /var/log/ulog/
    endscript
}

Then we create the netfilter rules by running the following:

IPT=$(which iptables)
IPEXT=250.250.250.155
IPEXTBLK=250.250.0.0/16
IPBCAST=255.255.255.255
$IPT -F
$IPT -X
$IPT -Z
$IPT -A INPUT -i lo -j ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -m state --state INVALID -j ULOG --ulog-prefix IN_INVALID
$IPT -A INPUT -p igmp -j ULOG --ulog-prefix IN_IGMP
$IPT -A INPUT -m pkttype --pkt-type broadcast -j ULOG --ulog-prefix IN_BCAST
$IPT -A INPUT -m pkttype --pkt-type multicast -j ULOG --ulog-prefix IN_MCAST
$IPT -A FORWARD -j ULOG --ulog-prefix FORWARD
$IPT -N ICMP_IN
$IPT -A INPUT ! -i lo -p icmp -j ICMP_IN
$IPT -A ICMP_IN -p icmp -f -j ULOG --ulog-prefix IN_ICMP_FRAGMENTED
$IPT -A ICMP_IN -p icmp -m icmp -m length ! --length 28:1322 -j ULOG --ulog-prefix IN_ICMP_INVALIDSIZE
$IPT -A ICMP_IN -p icmp -m icmp -m hashlimit --hashlimit-above 4/sec --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-name icmpflood -j ULOG --ulog-prefix IN_ICMP_FLOOD
$IPT -A ICMP_IN -p icmp -m icmp -m hashlimit --hashlimit-upto 64kb/min --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-name icmpattack -j ULOG --ulog-prefix IN_ICMP_FLOOD
$IPT -A ICMP_IN -p icmp -m icmp -m u32 ! --u32 "0x4&0x3fff=0x0" -j ULOG --ulog-prefix IN_ICMP_ATTACK
$IPT -A ICMP_IN -p icmp -m icmp ! --icmp-type echo-request -m state --state NEW -j ULOG --ulog-prefix IN_ICMP_INVALID
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type echo-request -j ULOG --ulog-prefix IN_ICMP
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 4 -j ACCEPT
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type echo-reply -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type destination-unreachable -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type time-exceeded -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type parameter-problem -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
$IPT -A ICMP_IN -j RETURN
$IPT -N UDP_IN
$IPT -A INPUT ! -i lo -p udp -j UDP_IN
$IPT -A UDP_IN ! -i lo ! -p udp -f -j ULOG --ulog-prefix IN_UDP_FRAGMENTED
$IPT -A UDP_IN -p udp -m udp --sport 53 -m length ! --length 28:576 -j ULOG --ulog-prefix IN_UDP_DNS_INVALIDSIZE
$IPT -A UDP_IN -p udp -m udp --dport 53 -m state --state NEW -j ULOG --ulog-prefix IN_UDP_DNSREQUEST
$IPT -A UDP_IN -p udp -m udp --dport 53 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
$IPT -A UDP_IN -p udp -m udp ! --sport 53 ! -s $IPEXTBLK ! -d $IPBCAST -m state --state NEW -j ULOG --ulog-prefix IN_UDP
$IPT -A UDP_IN -p udp -m udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A UDP_IN -j RETURN
$IPT -N TCP_IN
$IPT -A INPUT ! -i lo -p tcp -j TCP_IN
$IPT -A TCP_IN ! -i lo ! -p tcp -f -j ULOG --ulog-prefix IN_TCP_FRAGMENTED
$IPT -A TCP_IN -p tcp -m tcp --sport 53 -m state --state ESTABLISHED,RELATED -m length ! --length 513:1500 -j ULOG --ulog-prefix IN_TCP_DNS_INVALIDSIZE
$IPT -A TCP_IN -p tcp -m tcp --dport 53 -m state --state NEW -j ULOG --ulog-prefix IN_TCP_DNS
$IPT -A TCP_IN -p tcp -m tcp --dport 53 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
$IPT -A TCP_IN -p tcp -m tcp -m multiport ! --dports 80,443 -m state --state NEW -j ULOG --ulog-prefix IN_TCP
$IPT -A TCP_IN -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -m hashlimit --hashlimit-upto 4/sec -m connlimit ! --connlimit-above 16 -j ACCEPT
$IPT -A TCP_IN -p tcp -m tcp -m multiport !

With the previous configuration our VPS should be reasonably secure, but if we wish we can secure it a little more, for which we can use some more advanced rules.

Not all VPSs allow installing additional netfilter modules, but a very useful one is psd, which lets you avoid port scans. Unfortunately this module is not included in netfilter by default, so it is necessary to install some packages and then build the module:

aptitude -RvW install iptables-dev xtables-addons-source module-assistant
module-assistant --verbose --text-mode auto-install xtables-addons-source

Once the above is done, we can add a rule like this:

iptables -A INPUT -m psd --psd-weight-threshold 15 --psd-delay-threshold 2000 --psd-lo-ports-weight 3 --psd-hi-ports-weight 1 -j ULOG --ulog-prefix IN_PORTSCAN

The previous rule means that we keep a counter that increases by 3 each time an attempt is made to access a port below 1024 and by 1 each time an attempt is made to access a port above 1023; when this counter reaches 15 in less than 20 seconds, the packets are logged by ULOG as a port scan attempt. The packets could be dropped outright, but in this case we intend to use fail2ban, which we will configure later.
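
The weighting described above can be followed on a small packet trace. The following model is an added example, not the psd module's code and not part of the original tutorial; the four parameters come from the rule above, the packets are constructed, and counting each destination port once per source inside the window is an assumption of the model.

```python
from collections import defaultdict, deque

# Values from the iptables rule above.
WEIGHT_THRESHOLD = 15
DELAY_THRESHOLD = 2000      # hundredths of a second, i.e. 20 seconds
LO_PORTS_WEIGHT = 3         # destination ports below 1024
HI_PORTS_WEIGHT = 1         # destination ports above 1023

# Constructed packets: (seconds, source address, destination port).
SAMPLE_PACKETS = [
    # many different low ports within two seconds
    (0.0, "203.0.113.9", 21), (0.4, "203.0.113.9", 22), (0.8, "203.0.113.9", 23),
    (1.2, "203.0.113.9", 25), (1.6, "203.0.113.9", 110),
    # ordinary web client, repeating the same two ports
    (0.0, "198.51.100.7", 443), (0.5, "198.51.100.7", 443),
    (1.0, "198.51.100.7", 80), (1.5, "198.51.100.7", 443),
    # connections spread over a minute
    (0.0, "192.0.2.33", 21), (12.0, "192.0.2.33", 22), (24.0, "192.0.2.33", 23),
    (36.0, "192.0.2.33", 25), (48.0, "192.0.2.33", 110),
]


def first_portscan_alerts(packets):
    """Return {source: (time, score)} for the first packet that reaches the threshold."""
    window = DELAY_THRESHOLD / 100.0
    recent = defaultdict(deque)          # source -> (time, port, weight) entries
    alerts = {}
    for when, src, port in sorted(packets):
        seen = recent[src]
        # Forget ports first seen 20 seconds ago or earlier.
        while seen and when - seen[0][0] >= window:
            seen.popleft()
        # Assumption: a port already counted in the window adds no weight.
        if port not in [p for _, p, _ in seen]:
            weight = LO_PORTS_WEIGHT if port < 1024 else HI_PORTS_WEIGHT
            seen.append((when, port, weight))
        score = sum(w for _, _, w in seen)
        if score >= WEIGHT_THRESHOLD and src not in alerts:
            alerts[src] = (when, score)
    return alerts


if __name__ == "__main__":
    for src, (when, score) in first_portscan_alerts(SAMPLE_PACKETS).items():
        print("IN_PORTSCAN %s at t=%.1fs score=%d" % (src, when, score))
```

The third source never reaches 15 because its entries age out of the 20-second window, which is the trade-off the delay threshold controls.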

Once the rules are created, we must take steps to make them persistent, otherwise we will lose them when the server restarts. There are several ways to achieve this; in this tutorial we use the iptables-persistent package that we installed at the beginning, which stores the rules in /etc/iptables/rules.v4, and in /etc/iptables/rules.v6 for IPv6.

iptables-save > /etc/iptables/rules.v4

In fact, although the use of IPv6 in Cuba is not yet widespread, we can create some basic rules:

IPT=$(which ip6tables)
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -A INPUT -i lo -m state --state ESTABLISHED,RELATED -j ACCEPT
unset IPT

These rules can also be made persistent:

ip6tables-save > /etc/iptables/rules.v6

Finally, for greater security, we clear the firewall log and restart the services:

echo -n > /var/log/firewall.log
service ulogd restart
service iptables-persistent restart

Nginx

We will use Nginx as the web server, because VPSs have a reduced amount of RAM compared to real servers, so it is generally convenient to have something lighter than Apache.

Before configuring Nginx, we will create a certificate (without password) for use with HTTPS:

cd /etc/nginx
openssl genrsa -des3 -out cert.key 4096
cp -v cert.key cert.key.original
openssl req -new -key cert.key -out cert.csr
openssl rsa -in cert.key.original -out cert.key
openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.crt

Once this is done, we create a password file for the user "elusuario":

htpasswd -c .htpasswd elusuario

Next, we edit the file /etc/nginx/sites-available/default to set the preferences of the default site. It could look like this:

server {
    server_name localhost;
    index index.html index.htm default.html default.htm;
    root /var/www;
    location / {
        # set the lookup order and the page to load if the URI is not found
        try_files $uri $uri/ /index.html;
    }
}
server {
    listen 127.0.0.1:443;
    server_name localhost;
    index index.html index.htm default.html default.htm;
    root /var/www;
    ssl on;
    ssl_certificate cert.crt;
    ssl_certificate_key cert.key;
    ssl_session_timeout 5m;
    # Enable HTTPS only over TLS (more secure than SSL)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # give preference to strong [HIGH] ciphers,
    # move medium-strength [MEDIUM] ciphers to the end of the list,
    # disable low-strength [LOW] ciphers (40 and 56 bits)
    # disable ciphers with export algorithms [EXP]
    # disable null ciphers [eNULL], ciphers without authentication [aNULL],
    # SSL (versions 2 and 3) and DSS (which only allows keys of up to 1024 bits)
    ssl_ciphers HIGH:+MEDIUM:!eNULL:!SSLv3:!SSLv2:!DSS;
    # Prefer the server's cipher order (by default the client's is used)
    ssl_prefer_server_ciphers on;
    location / {
        # enable authentication
        auth_basic "Login";
        auth_basic_user_file /etc/nginx/.htpasswd;
        # set the lookup order and the error code to return if the URI is not found
        try_files $uri $uri/ =404;
        # allow index listings for authenticated users
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
    }
}

We check that the configuration is correct:

nginx -t

Finally, we restart the service:

service nginx restart

Fail2Ban

Before starting to configure Fail2Ban, for greater security we stop the service and clear its log:

fail2ban-client stop
echo -n > /var/log/fail2ban.log

Next, we create the configuration file /etc/fail2ban/jail.local with the following custom content:

# Custom configuration file /etc/fail2ban/jail.local
#
[DEFAULT]
findtime = 43200 ; 12 hours
bantime = 86400 ; 1 day
maxretry = 3 ; the ban takes effect after the 4th attempt

[ssh]
enabled = false

[nginx-auth]
enabled = true
filter = nginx-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx*/*error*.log

[nginx-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
logpath = /var/log/nginx*/*access*.log
bantime = 604800 ; 1 week
maxretry = 0

[nginx-login]
enabled = true
filter = nginx-login
action = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath = /var/log/nginx*/*access*.log
bantime = 1800 ; 30 minutes

[nginx-noscript]
enabled = true
action = iptables-multiport[name=NoScript, port="http,https"]
filter = nginx-noscript
logpath = /var/log/nginx*/*access*.log
maxretry = 0

[nginx-proxy]
enabled = true
action = iptables-multiport[name=NoProxy, port="http,https"]
filter = nginx-proxy
logpath = /var/log/nginx*/*access*.log
bantime = 604800 ; 1 week
maxretry = 0

[firewall]
enabled = true
action = iptables-multiport[name=Firewall]
filter = firewall
logpath = /var/log/firewall.log
maxretry = 0

Once this is done, we create the following files in the directory /etc/fail2ban/filter.d/:

# /etc/fail2ban/filter.d/nginx-auth.conf
# Auth filter
# Blocks IPs that fail to authenticate using basic authentication
#
[Definition]
failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>
ignoreregex =

# /etc/fail2ban/filter.d/nginx-login.conf
# Login filter
# Blocks IPs that fail to authenticate using the web application's login page
# Scan access log for HTTP 200 + POST /sessions => failed login
#
[Definition]
failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200
ignoreregex =

# /etc/fail2ban/filter.d/nginx-noscript.conf
# Noscript filter
# Blocks IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.
# Matches e.g.
# 192.168.1.1 - - "GET /something.php
#
[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)
ignoreregex =

# /etc/fail2ban/filter.d/nginx-proxy.conf
# Proxy filter
# Blocks IPs trying to use the server as a proxy.
# Matches e.g.
# 192.168.1.1 - - "GET http://www.something.com/
#
[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =

# /etc/fail2ban/filter.d/firewall.conf
# Firewall filter
#
[Definition]
failregex = ^.*IN_(INVALID|PORTSCAN|UDP|TCP|).*SRC=<HOST>.*$
ignoreregex =
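
Before enabling a jail with maxretry = 0 it is worth checking which log prefixes a failregex really matches. The following is an added example, not part of the original tutorial and not fail2ban's code; it assumes fail2ban's <HOST> tag sits after SRC= in the firewall filter, replaces it with a simplified IPv4 pattern, and uses constructed log lines.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex of the firewall filter as written in this tutorial, and a
# variant without the empty alternative after "TCP|".
PAGE_FAILREGEX = r"^.*IN_(INVALID|PORTSCAN|UDP|TCP|).*SRC=<HOST>.*$"
STRICT_FAILREGEX = r"^.*IN_(INVALID|PORTSCAN|UDP|TCP).*SRC=<HOST>.*$"

# Constructed /var/log/firewall.log lines using the prefixes set by the
# tutorial's netfilter rules.
SAMPLE_LOG = [
    "Mar  3 10:15:01 vps IN_TCP IN=eth0 OUT= SRC=203.0.113.9 "
    "DST=250.250.250.155 PROTO=TCP SPT=40112 DPT=23",
    "Mar  3 10:15:02 vps IN_PORTSCAN IN=eth0 OUT= SRC=203.0.113.9 "
    "DST=250.250.250.155 PROTO=TCP SPT=40113 DPT=25",
    "Mar  3 10:15:07 vps IN_ICMP IN=eth0 OUT= SRC=198.51.100.7 "
    "DST=250.250.250.155 PROTO=ICMP TYPE=8 CODE=0",
    "Mar  3 10:15:09 vps IN_UDP_DNSREQUEST IN=eth0 OUT= SRC=192.0.2.33 "
    "DST=250.250.250.155 PROTO=UDP SPT=5353 DPT=53",
]


def banned_hosts(failregex, lines):
    """Return the source addresses the filter would report, in log order."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    hosts = []
    for line in lines:
        match = pattern.search(line)
        if match and match.group("host") not in hosts:
            hosts.append(match.group("host"))
    return hosts


if __name__ == "__main__":
    print("as written:", banned_hosts(PAGE_FAILREGEX, SAMPLE_LOG))
    print("strict    :", banned_hosts(STRICT_FAILREGEX, SAMPLE_LOG))
```

With the empty alternative every IN_ prefix matches, including IN_ICMP, which the rules above log for ordinary echo requests; with maxretry = 0 one such line is enough for a ban.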

Finally, we start the service and load the configuration:

fail2ban-server -b
fail2ban-client reload

Verification

As a last step, we can watch the logs with tail -f or multitail --follow-all. In fact, the latter application has the advantage that it lets you view several files at the same time and provides basic syntax highlighting.

If no e-mail account is configured on the VPS, it is advisable to disable the warning message that appears when multitail starts, for which we run the following command:

echo "check_mail:0" > ~/.multitailrc

In fact, we could well create an alias (4) to view the logs quickly with a short command, for example "flog":

alias flog='multitail --follow-all /var/log/firewall.log /var/log/fail2ban.log'

1) These values are fictitious.
2) Enabling other services is easy once you understand how it works.
3) For more details, run man sudoers.
4) Optionally, it can be added to the file ~/.bash_aliases



  1.   msx said

    There are some interesting things here, +1

  2.   yukiteru said

    @Hugo, about this line in the configuration:

    ssl_protocols SSLv3 TLSv1;

    I would remove SSLv3 from it because that protocol is no longer secure; even in Debian Jessie, many services have been configured to avoid using that protocol for this reason.

    Information on the subject here:

    https://www.linode.com/docs/security/security-patches/disabling-sslv3-for-poodle
    http://disablessl3.com/

    1.    Hugo said

      The idea was not really to offer the main services over HTTPS, but to explain how to use port 443 for SSH without losing the possibility of using it for HTTPS if necessary, but thanks for the warning.

      Anyway, I have updated the article to change the nginx configuration a little and, while I was at it, included some comments to clarify things a bit regarding the encryption mechanisms, and fixed some minor errors.

  3.   Daniel PZ said

    Thank you very much for this great tutorial, now I will put it into practice! :D Keep it up DesdeLinux, you always surprise me. Greetings from Peru.

  4.   Deandekuera said

    Thank you very much for sharing.

  5.   Fernando said

    A good guide, and it comes at just the right time now that I am starting out on this site, and even more so now that I am about to set up my first VPS and still have many problems, but this article has cleared up a lot of my doubts. Thanks and regards.