Maximizing security on GNU/Linux

Hello friends from DesdeLinux, a promise is a debt, and here is a post about how to maximize the protection of Linux systems, stay safe from intruders and protect the data on your servers, PCs or laptops!

Getting started

Fail2ban: an application written in Python to prevent intrusion into a system. It works by penalizing or blocking remote connections that attempt brute-force access.

Installation:

Fedora, RHEL, CentOS:

yum install fail2ban

Debian, Ubuntu:

apt-get install fail2ban

Configuration:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local

In the section called [DEFAULT] we uncomment and modify #bantime = 3600, leaving it like this:

#bantime = 3600
bantime = 604800

In the [sshd] section we add enabled = true, leaving it like this:

#enabled = true
enabled = true

We save with CTRL+O and close with CTRL+X

We start the service:

Fedora, RHEL, CentOS:

systemctl enable fail2ban.service
systemctl start fail2ban.service

Debian, Ubuntu:

service fail2ban start

Denying root access over ssh:

To protect our machine we will deny ssh access for the root user. To do this, we edit the /etc/ssh/sshd_config file as follows:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bck
nano /etc/ssh/sshd_config

We uncomment and change

#Protocol 2
Protocol 2

We uncomment and change

#PermitRootLogin yes
PermitRootLogin no

We save with CTRL+O and close with CTRL+X

We start the service:

Fedora, RHEL, CentOS:

systemctl enable sshd.service
systemctl start sshd.service

Debian, Ubuntu:

service sshd start

Deny password access to the ssh server and allow ssh only with RSA keys

If we want to connect from PC1 to Server1, the first thing to do is generate our key on PC1. With our own user, not as root, on PC1 we run:

ssh-keygen -t rsa -b 8192
(this generates a more than secure key, since keys of 1024 to 2048 bits are normally used)

Once we have our key, we upload it to Server1:

ssh-copy-id user@server_ip

Once this is done, we connect to our Server1 and edit the /etc/ssh/sshd_config file with root permissions:

ssh user@Server1
nano /etc/ssh/sshd_config

We change the line that says #PasswordAuthentication yes to this:

#PasswordAuthentication yes
PasswordAuthentication no

We save with CTRL+O and close with CTRL+X

We restart the ssh service:

Fedora, RHEL, CentOS:

systemctl restart sshd.service

Debian, Ubuntu:

service sshd restart

Changing the ssh listening port

We edit /etc/ssh/sshd_config again, and in the part that refers to the port we leave it like this:

#Port 22
Port 2000

(or any other number greater than 2000. In our examples we will use this one.)

We save with CTRL+O and close with CTRL+X

We restart the ssh service:

Fedora, RHEL, CentOS:

systemctl restart sshd.service

Debian, Ubuntu:

service sshd restart

If you use fail2ban, you need to change its sshd configuration to match the new port.

nano /etc/fail2ban/jail.local

[sshd]
port    = ssh, 2000

[sshd-ddos]
port    = ssh, 2000

[dropbear]
port    = ssh, 2000

[selinux-ssh]
port    = ssh, 2000

We save with CTRL+O and close with CTRL+X

We restart the service:

Fedora, RHEL, CentOS:

systemctl restart fail2ban.service

Debian, Ubuntu:

service fail2ban restart
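
A way to confirm that the sshd and fail2ban changes above agree with each other, as an added example that is not part of the original post: this POSIX shell script reads the effective global values from an sshd_config and checks that the [sshd] jail in jail.local covers the port sshd listens on. The function names (sshd_value, jail_ports, audit) and the sample files are constructed for the illustration; treating a jail without a port line as "port = ssh" is an assumption based on the stock jail.conf.

```sh
#!/bin/sh
# Added example, not from the original post; the sample files are constructed.

# Effective global value of an sshd_config keyword: keywords are
# case-insensitive, "#" lines are ignored, the first occurrence wins, and
# anything after the first Match line is conditional, so we stop there.
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v k="$2" 'tolower($1) == "match" { exit }
                   tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Port list of one jail in jail.local with spaces removed, e.g. "ssh,2000".
jail_ports() {  # usage: jail_ports FILE JAIL
    awk -v j="[$2]" '/^\[/ { in_jail = ($1 == j) }
        in_jail && /^port[ \t]*=/ { sub(/^[^=]*=/, ""); gsub(/[ \t]/, ""); print; exit }' "$1"
}

# Print one finding per problem; return 0 only when nothing was found.
audit() {  # usage: audit SSHD_CONFIG JAIL_LOCAL
    rc=0
    port=$(sshd_value "$1" Port); port=${port:-22}   # sshd listens on 22 by default
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_value "$1" "$key")
        [ "$val" = no ] || { echo "$key is '${val:-unset}', expected 'no'"; rc=1; }
    done
    jp=$(jail_ports "$2" sshd)                       # assumed default: port = ssh
    jp=$(printf ',%s,' "${jp:-ssh}" | sed 's/,ssh,/,22,/')  # "ssh" is the name for 22
    case "$jp" in
        *",$port,"*) ;;
        *) echo "fail2ban [sshd] jail does not cover sshd port $port"; rc=1 ;;
    esac
    return $rc
}

# Constructed demo: sshd moved to port 2000, one jail.local still on the default.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#Port 22' 'Port 2000' '#PermitRootLogin yes' 'PermitRootLogin no' \
        'PasswordAuthentication no' > "$d/sshd_config"
    printf '%s\n' '[sshd]' 'enabled = true' 'port    = ssh' > "$d/jail.stale"
    printf '%s\n' '[sshd]' 'enabled = true' 'port    = ssh, 2000' > "$d/jail.fixed"
    audit "$d/sshd_config" "$d/jail.stale" || echo "=> stale jail.local flagged"
    audit "$d/sshd_config" "$d/jail.fixed" && echo "=> fixed jail.local passes"
    rm -rf "$d"
}
demo
```

Running sshd -t before restarting catches syntax errors while the current session is still open. On Fedora, RHEL and CentOS with SELinux enforcing, the new port also has to be labelled before sshd can bind to it, e.g. semanage port -a -t ssh_port_t -p tcp 2000.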

Firewall

Fedora, RHEL, CentOS:

SELinux and iptables are enabled by default on these systems and I recommend you keep it that way. How do you open a port with iptables? Let's see how to open the new port 2000 for the ssh port we changed earlier:

Open:

nano /etc/sysconfig/iptables

and we modify the line that refers to the default ssh port 22, leaving it like this:

# -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2000 -j ACCEPT

We save with CTRL+O and close with CTRL+X

We restart the service:

systemctl restart iptables

Debian, Ubuntu:

On Debian or Ubuntu and their derivatives we have the UFW firewall, which makes life easier since it manages Netfilter in a very simple way.

Installation:

apt-get install ufw
ufw enable

To see the status of the open ports we run:

ufw status

To open a port (in our example it will be the new ssh port 2000):

ufw allow 2000

To deny a port (in our case it will be the default ssh port 22):

ufw deny 22
ufw delete deny 22

And that's it, friends. This way you will keep your machines safe. Don't forget to comment, and until next time :D.



  1.   mai zunubi m

    and encryption systems such as: https://www.dyne.org/software/tomb/

    1.    mai zunubi m

      And also jail users in their home if they connect via tty:
      http://olivier.sessink.nl/jailkit/index.html#intro
      https://operativoslinux.wordpress.com/2015/02/21/enjaular-usuarios-en-linux/ (the easy way)

    2.    yukiteru m

      It is much better and safer to encrypt the entire file system.

    3.    sarfaraz m

      For upcoming tutorials on security in Linux I will take it into account :D.

      1.    yukiteru m

        It would also be good to talk about hardening the kernel via sysctl, enabling heap randomization and Exec-Shield in kernels that support it, enabling access to dmesg and the /proc filesystem, running an audit daemon, enabling TCP SYN protection, restricting access to /dev/mem, disabling TCP/IP stack options that can be dangerous or unsafe for the system (redirect, echo, source routing), using pam_cracklib so that users create strong passwords, and the importance of using a MAC system such as Tomoyo, AppArmor and SELinux.

  2.   Ku m

    very useful!!!! just what I was looking for, thanks 🙂

    1.    sarfaraz m

      You're welcome, friend :).

  3.   safin m

    If you use apache, it doesn't hurt to add rules with mod_rewrite to avoid bots. Very useful

    http://perishablepress.com/eight-ways-to-blacklist-with-apaches-mod_rewrite/

    1.    rolo m

      and for nginx, is there any trick or configuration?

  4.   rolo m

    In debian 8 the /etc/ssh/sshd_config file already has Protocol 2 active, and the PermitRootLogin option is set to without-password (you can only log in as root with an authentication key and from the computer that holds the private key)

    P.S. firewalld has arrived in debian 8, which leaves ufw looking small

    1.    nisanta m

      Have you seen ferm? I like how the rules are defined.

      http://ferm.foo-projects.org/download/examples/webserver.ferm

    2.    sarfaraz m

      Well, I'm glad Debian 8 uses firewalld since it is very, very good...

  5.   nisanta m

    Beware with fail2ban that an attacker can craft packets with the IP of the local PC and cause a DoS very easily.

    1.    Hery m

      Man, the local PC's IP and the loopback IP are excluded from the Fail2ban list.
      Otherwise, we could get false positives.

  6.   Jason soto m

    Good and very effective recommendations… Of course, in a server environment and if we are hosting a website, it involves additional steps…. We currently maintain a project called JackTheStripper, which is nothing more than a bash script that prepares and secures a GNU/Linux server following the best security practices, for web applications... you can get to know the project at http://www.jsitech.com/jackthestripper ....

    1.    yukiteru m

      Nice script, although I like to keep the value kernel.randomize_va_space = 2

      1.    Jason soto m

        The good thing is that before running it, you can modify it a bit to fit your needs..... Greetings...

    2.    sarfaraz m

      Hello, of course my post deals with basic securing, and everyone has to protect themselves more or less depending on the services they have installed on their system, such as LAMP or FTP, SFTP, BIND and a long etcetera :)

      In the next post on security I will address these issues.

      Thanks for the positive feedback :).

  7.   nex m

    @petercheco, your guides are excellent; an encryption guide for the FreeBSD system would be good. I don't know when you will do the second part about FreeBSD, on configuring and customizing desktops, on the Firewall, on creating and configuring a wireless network.

    1.    sarfaraz m

      Hello friend,
      I am a bit busy, as the infrequency of my posting shows, but I will keep that in mind for the next FreeBSD post.

      Regards :).

  8.   Solrak Rainbow Warrior m

    That levelled up in the comments, I have no idea what you are talking about, none xD
    Great article!

  9.   mummunan m

    Does this security measure imply limiting the machine in any way?

    1.    sarfaraz m

      No... Normal use of the system is not limited at all.

  10.   mai zunubi m

    And the funny (tragic) thing is that, as we saw with the Lenovo machines, if the BIOS firmware is infected with malware, nothing you do matters.

    1.    sarfaraz m

      As long as you use the Windows preinstalled by the manufacturer...

      1.    mai zunubi m

        Wrong: remember that they installed it in the BIOS firmware, that is, it starts with the system on every reboot, before the operating system, before the daemons, first of all, and it doesn't let you do anything against it. It can be done, which is why the uefi idea is good in principle.

  11.   Pablo m

    Interesting article, I will read it more carefully this afternoon. Thank you.

    1.    sarfaraz m

      You're welcome :). I'm glad.

  12.   Carlos Mafi Kyawu m

    Excellent article, I entertained myself all afternoon reading it. The time you take to explain everything so carefully is appreciated,

    Greetings from Chile
    Carlos

    1.    sarfaraz m

      Hello Carlos,
      Thank you very much :).

  13.   brion m

    Lenovo machines, if it seems the BIOS firmware has been tampered with, the machines (laptop PC, desktop computer) always come with Windows installed by the manufacturer; given the above… does the post… petercheco?

    1.    yukiteru m

      Even without doing all this it works, since the malware is made for Windows, not Linux.

  14.   SynFlag m

    There are many things and tricks missing from the iptables part, such as confusing nmap so that, of all the open ports, it lies that this is a Windows PC using the ttl and window size, scanlogd, apache mod security, grsec, selinux or something similar. Replacing ftp with sftp, limiting the number of connections per IP to each service on port X so that a DDoS does not leave us without services, as well as blocking IPs that send more than so many UDP packets for so many seconds.

    1.    sarfaraz m

      With the examples you presented, a new user would go crazy reading it... You can't put everything in one post. I will make several entries :).

  15.   shine kire m

    I get an error on archlinux at this point when starting the service; I checked its status and this comes out:
    sudo systemctl status fail2ban
    fail2ban.service - Fail2Ban Service
    Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
    Active: failed (Result: start-limit) since Fri 2015-03-20 01:10:01 CLST; 1s ago
    Docs: man:fail2ban(1)
    Process: 1695 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=255)

    Mar 20 01:10:01 Gundam systemd[1]: Failed to start Fail2Ban Service.
    Mar 20 01:10:01 Gundam systemd[1]: Unit fail2ban.service entered failed state.
    Mar 20 01:10:01 Gundam systemd[1]: fail2ban.service failed.
    Mar 20 01:10:01 Gundam systemd[1]: start request repeated too quickly for fail2ban…ice
    Mar 20 01:10:01 Gundam systemd[1]: Failed to start Fail2Ban Service.
    Mar 20 01:10:01 Gundam systemd[1]: Unit fail2ban.service entered failed state.
    Mar 20 01:10:01 Gundam systemd[1]: fail2ban.service failed.
    Hint: Some lines were ellipsized, use -l to show in full.
    any help? D:

    1.    sarfaraz m

      Hello, if you enabled fail2ban with systemctl enable fail2ban.service and systemctl start fail2ban.service, the problem will be in the jail configuration you made. Please check your jail and verify that everything is fine.

      Regards
      PeterCzech

      1.    Maikel Franco m

        First of all, very good tutorial. Many things are missing, but you focused on the basics.

        shini-kire, check /var/log/fail2ban.log

        Thanks.

      2.    sarfaraz m

        Thanks @Maykel Franco :).

  16.   jony127 m

    Hi,

    should fail2ban be installed on a home PC, or is it more for servers???

    Thanks.

    1.    sarfaraz m

      Rather for servers, but if you are on a wifi that many people besides you can access, it is good...

  17.   Rodrigo m

    Hello friend, I think it is a good security post on the firewall part in GNU/Linux distros. I am writing this comment because I am doing it on an Ubuntu 14.04 distribution, knowing that it is already at 15.04. What happens is the following problem: I enter nano /etc/fail2ban/jail.local as root and I have no sshd shown, and I saved. In the section called [DEFAULT] we uncomment and modify #bantime = 3600 and
    In the [sshd] section we add enabled = true, leaving it like this:
    #enabled = true
    enabled = true
    The sshd one does not appear, which may be because I am working with the earlier version. Thanks