Learning SSH: SSHD Config File Options and Parameters

In the previous (fourth) installment of this series of articles on Learning SSH, we covered the options specified in the OpenSSH configuration file that is handled on the SSH client side, that is, the "SSH Config" (ssh_config) file.

For that reason, today we continue with this latest, fifth installment, covering the options specified in the OpenSSH configuration file that is handled on the SSH server side, that is, the "SSHD Config" (sshd_config) file.


And, before starting on today's topic, the configurable contents of the OpenSSH "SSHD Config" (sshd_config) file, we will leave some links to related posts:

Related article: Learning SSH: SSH Config File Options and Parameters
Related article: Learning SSH: Options and Configuration Parameters - Part I

SSHD Config File Options and Parameters (sshd_config)

What is the OpenSSH SSHD Config (sshd_config) file?

As we said in the previous tutorial, OpenSSH has 2 configuration files: one called ssh_config, for configuring the SSH client side, and another called sshd_config, for configuring the SSH server side. Both are located in the following path or directory: /etc/ssh.

Of the two, this one is usually the more important or relevant, since it lets us secure the SSH connections that we are going to allow on our servers. This is usually part of what is known as Server Hardening.


For this reason, today we will show what many of the options and parameters in this file are for, so that in our last and sixth installment of this series we can offer more practical and concrete advice on how to make adjustments or changes using these options and parameters.

List of available options and parameters

As with the "SSH Config" (ssh_config) file, the "SSHD Config" (sshd_config) file has many options and parameters, but some of the best known, most used or most important are the following:

AllowUsers / DenyUsers

This option or parameter is usually not included by default in the file, but when it is inserted, usually at the end, it makes it possible to indicate who (which users) can log in to the server over an SSH connection.

Therefore, this option or parameter is used together with a list of user name patterns, separated by spaces. If it is specified, login is allowed only for user names that match one of the patterns.

Note that by default, login is allowed for all users from any host. However, if a pattern takes the form "USER@HOST", then USER and HOST are checked separately, which restricts logins to particular users from particular hosts.

For HOST, addresses in IP address/CIDR mask format are also valid. Finally, AllowUsers can be replaced with DenyUsers to deny the same user patterns.

ListenAddress

It lets you specify the local IP addresses (of the server machine's local network interface) on which the sshd program should listen. For this, the following configuration forms can be used:

  • ListenAddress hostname | IPv4/IPv6 address [rdomain domain]
  • ListenAddress hostname:port [rdomain domain]
  • ListenAddress IPv4/IPv6 address:port [rdomain domain]
  • ListenAddress [hostname | IPv4/IPv6 address]:port [rdomain domain]

LoginGraceTime

It lets you specify a (grace) time after which the server disconnects if the user attempting the SSH connection has not logged in successfully. If the value is zero (0), there is no time limit, while the default is set to 120 seconds.

LogLevel

It lets you specify the verbosity level of sshd log messages. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default value is INFO.

MaxAuthTries

Specifies the maximum number of authentication attempts permitted per connection. By default, its value is set to 6.

MaxSessions

It lets you specify the maximum number of open shell sessions per established network connection, whether through logins or through a subsystem in use, for example sftp. Setting its value to 1 disables session multiplexing, while setting it to 0 blocks all kinds of connections and sessions. By default, its value is set to 10.

MaxStartups

It lets you specify the maximum number of concurrent unauthenticated connections to the SSH daemon, i.e. the number of SSH connections that can be opened per IP/host. Its value is usually ten, thirty, or one hundred, which is often considered high, so a lower value is recommended.

PasswordAuthentication

Specifies whether password authentication will be required. By default, its value is set to "yes".

PermitEmptyPasswords

Specifies whether the server permits logins to user accounts with empty password strings. By default, its value is set to "no".

PermitRootLogin

It lets you specify whether the server permits login sessions on the root user account. Although its value is set to "prohibit-password" by default, it is ideally set to "no", which establishes outright that the root user is not allowed to start an SSH session.

Port

It lets you specify the port number on which the sshd program will listen for all SSH connection requests. By default, its value is set to "22".

StrictModes

Specifies whether the SSH program should check the file modes and ownership of the user's home directory and files before accepting a login. By default, its value is set to "yes".

SyslogFacility

It lets you set the facility code that is used when logging messages from the SSH program. By default, its value is set to "Authorization" (AUTH).

Note: Depending on the SysAdmin and the security requirements of each technology platform, many other options can be very useful or necessary. We will see this in our next and final post in this series, where we will focus on good practices (tips and recommendations) for SSH, to be applied using everything shown so far.
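The following check is an added example, not part of the original article: it reads the global section of an sshd_config text and reports settings that differ from what the list above recommends or describes. The function names, the sample file and the MaxAuthTries threshold are assumptions made for illustration.

```python
# Added example: audit sshd_config text against the values this article gives.
DEFAULTS = {  # defaults as stated in the article
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "strictmodes": "yes",
    "maxauthtries": "6",
    "logingracetime": "120",
}

# Constructed sample input, not taken from a real server.
SAMPLE = """\
# /etc/ssh/sshd_config (sample)
PermitRootLogin yes
permitrootlogin no
MaxAuthTries 10
LoginGraceTime 0
Match User backup
    PermitEmptyPasswords yes
"""

def parse_global(text):
    """Map lowercased keyword -> value for the global section (before any Match)."""
    # Keywords are case-insensitive; sshd keeps the first value read for a keyword.
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":  # conditional blocks start here
            break
        settings.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return (keyword, effective value, reason) for each setting worth review."""
    cfg = {**DEFAULTS, **parse_global(text)}
    found = []
    if cfg["permitrootlogin"].lower() != "no":
        found.append(("PermitRootLogin", cfg["permitrootlogin"], "root login not fully disabled"))
    if cfg["permitemptypasswords"].lower() == "yes":
        found.append(("PermitEmptyPasswords", "yes", "empty passwords accepted"))
    if cfg["strictmodes"].lower() != "yes":
        found.append(("StrictModes", cfg["strictmodes"], "file mode/ownership checks off"))
    if cfg["maxauthtries"].isdigit() and int(cfg["maxauthtries"]) > 6:  # assumed threshold
        found.append(("MaxAuthTries", cfg["maxauthtries"], "above the default of 6"))
    if cfg["logingracetime"] == "0":
        found.append(("LoginGraceTime", "0", "no login time limit"))
    return found
```

The sample shows why duplicates matter: the second `permitrootlogin no` line has no effect because the first value wins. On a live host, `sshd -T` prints the effective configuration, including settings pulled in from other files, which this sketch does not follow.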

More about SSH

More information

And in this fourth installment, to expand on this information and study each of the options and parameters available in the "SSHD Config" (sshd_config) configuration file, we recommend exploring the following links: SSH configuration file for the OpenSSH Server and Official OpenSSH Manuals, in English. And, just as in the previous three installments, explore the following official and trustworthy online content about SSH and OpenSSH:

  1. Debian Wiki
  2. Debian Administrator's Manual: Remote Login / SSH
  3. Debian Security Manual: Chapter 5. Securing Services

Related article: Learning SSH: Installation and Configuration Files
Related article: Open Secure Shell (OpenSSH): A bit of everything about SSH technology

Summary

In short, with this new installment of "Learning SSH" we are about to finish covering all the content related to OpenSSH, by providing essential knowledge about the configuration files "SSHD Config" (sshd_config) and "SSH Config" (ssh_config). Therefore, we hope it is useful to many, both personally and professionally.

If you liked this post, be sure to comment on it and share it with others. And remember, visit our "home page" to explore more news, as well as join our official DesdeLinux Telegram channel, or this group, for more information on today's topic.

