Well, friends from DesdeLinux, a promise is a debt, and here is a post on how to maximize the protection of Linux systems so that you stay safe from intruders and also protect the information on your servers, PCs or laptops!!!!
Getting started
Fail2ban: a tool written in Python to prevent intrusion into a system, which works by penalizing or blocking remote connections that attempt brute-force access.
Installation:
Fedora, RHEL, CentOS:
yum install fail2ban
Debian, Ubuntu:
apt-get install fail2ban
Configuration:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
In the section called [DEFAULT] we uncomment and change #bantime = 3600, leaving it like this:
#bantime = 3600
bantime = 604800
In the [sshd] section we add enabled = true, leaving it like this:
#enabled = true
enabled = true
We save with CTRL+O and close with CTRL+X
We start the service:
Fedora, RHEL, CentOS:
systemctl enable fail2ban.service
systemctl start fail2ban.service
Debian, Ubuntu:
service fail2ban start
Deny root access over ssh:
To protect our machine we are going to deny ssh logins for the root user. To do this, we edit the /etc/ssh/sshd_config file as follows:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bck
nano /etc/ssh/sshd_config
We uncomment and change
#Protocol 2
Protocol 2
We uncomment and change
#PermitRootLogin yes
PermitRootLogin no
We save with CTRL+O and close with CTRL+X
We start the service:
Fedora, RHEL, CentOS:
systemctl enable sshd.service
systemctl start sshd.service
Debian, Ubuntu:
service sshd start
Deny access to the ssh server using a password and allow ssh only with RSA keys
If we want to connect from PC1 to Server1, the first thing we have to do is generate our key on PC1. With our user, and not as root, on PC1 we run:
ssh-keygen -t rsa -b 8192
(this generates a more secure key, since keys from 1024 to 2048 bits are what is normally used)
Once we have our key, we copy it to Server1:
ssh-copy-id user@server_ip
Once this is done, we connect to our Server1 and edit the /etc/ssh/sshd_config file with root permissions:
ssh user@Server1
nano /etc/ssh/sshd_config
We change the line that says #PasswordAuthentication yes to this:
#PasswordAuthentication yes
PasswordAuthentication no
We save with CTRL+O and close with CTRL+X
We restart the ssh service:
Fedora, RHEL, CentOS:
systemctl restart sshd.service
Debian, Ubuntu:
service sshd restart
Change the ssh listening port
Again we edit /etc/ssh/sshd_config and, in the section that refers to the port, we leave it like this:
#Port 22
Port 2000
(or any other number greater than 2000. In our examples we will use this one.)
We save with CTRL+O and close with CTRL+X
We restart the ssh service:
Fedora, RHEL, CentOS:
systemctl restart sshd.service
Debian, Ubuntu:
service sshd restart
If you use fail2ban, you need to change its sshd configuration to match the new port.
nano /etc/fail2ban/jail.local
[sshd]
port = ssh, 2000
[sshd-ddos]
port = ssh, 2000
[dropbear]
port = ssh, 2000
[selinux-ssh]
port = ssh, 2000
We save with CTRL+O and close with CTRL+X
We restart the service:
Fedora, RHEL, CentOS:
systemctl restart fail2ban.service
Debian, Ubuntu:
service fail2ban restart
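A check for the sshd and fail2ban edits made so far, as an added example that is not part of the original article: it reads the two files the way the daemons do (sshd keeps the first uncommented occurrence of a keyword) and confirms that the [sshd] jail covers the port sshd listens on. The function names and the sample files are constructed for illustration; Match blocks, Include directives and the Keyword=value form are not handled.

```shell
#!/bin/sh
# Added example, not from the original article: audit the edits made above.

# Effective value of an sshd_config keyword. sshd keeps the FIRST uncommented
# occurrence of a keyword, and keyword names are case-insensitive.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ { next }    # a line such as "#PermitRootLogin yes" is inert
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# "port" value of one jail section of jail.local, with blanks removed.
jail_port() {  # usage: jail_port FILE SECTION
    awk -v sec="[$2]" '
        /^[ \t]*\[/ { in_sec = ($1 == sec); next }
        in_sec && /^[ \t]*port[ \t]*=/ {
            sub(/^[^=]*=/, ""); gsub(/[ \t]/, ""); print; exit
        }
    ' "$1"
}

# Returns 0 only when root and password logins are off and the fail2ban
# [sshd] jail covers the port sshd listens on (22, alias "ssh", if unset).
audit_ssh_hardening() {  # usage: audit_ssh_hardening SSHD_CONFIG JAIL_LOCAL
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        [ "$(sshd_effective "$1" "$kw")" = "no" ] ||
            { echo "FAIL: $kw is not 'no'"; rc=1; }
    done
    port=$(sshd_effective "$1" Port); port=${port:-22}
    alt=""; if [ "$port" = "22" ]; then alt="|ssh"; fi
    printf ',%s,' "$(jail_port "$2" sshd)" | grep -Eq ",($port$alt)," ||
        { echo "FAIL: fail2ban [sshd] jail does not cover port $port"; rc=1; }
    return $rc
}

# Constructed sample files that mirror the edits in this guide.
make_samples() {  # usage: make_samples DIR
    printf '%s\n' '#Port 22' 'Port 2000' '#PermitRootLogin yes' \
        'PermitRootLogin no' 'PasswordAuthentication no' > "$1/sshd_config"
    printf '%s\n' '[DEFAULT]' 'bantime = 604800' '[sshd]' 'enabled = true' \
        'port = ssh, 2000' > "$1/jail.local"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_ssh_hardening "$demo_dir/sshd_config" "$demo_dir/jail.local" && echo "PASS"
rm -rf "$demo_dir"
```

On a real host, call audit_ssh_hardening /etc/ssh/sshd_config /etc/fail2ban/jail.local as root after each round of edits.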
Firewall
Fedora, RHEL, CentOS:
SELinux and iptables are enabled by default on these systems and I recommend that you keep it that way. How do you open a port with iptables? Let's see how to open the new port 2000 for the ssh port we changed earlier.
Open:
nano /etc/sysconfig/iptables
and we modify the line that refers to the default ssh port 22, leaving it like this:
# -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2000 -j ACCEPT
We save with CTRL+O and close with CTRL+X
We restart the service:
systemctl restart iptables
Debian, Ubuntu:
In Debian, Ubuntu and their derivatives we have the UFW firewall, which will make our lives easier since it manages Netfilter in a very simple way.
Installation:
apt-get install ufw
ufw enable
To see the status of the open ports we run:
ufw status
To open a port (in our example it will be the new ssh port 2000):
ufw allow 2000
To deny a port (in our case it will be the default ssh port 22):
ufw deny 22
ufw delete deny 22
And that's it, friends. This way you will keep your machines secure. Don't forget to comment, and until next time :D.
and an encryption system such as: https://www.dyne.org/software/tomb/
And also jail users in their home directory, or when they connect via tty:
http://olivier.sessink.nl/jailkit/index.html#intro
https://operativoslinux.wordpress.com/2015/02/21/enjaular-usuarios-en-linux/ (the easy way)
It is much better and safer to encrypt the whole file system.
For the next tutorial about security in Linux I will take it into account.
It would also be good to talk about hardening the kernel through sysctl, setting up a randomized stack and Exec-Shield in kernels that support it, enabling access to dmesg and the /proc filesystem, running an audit daemon, enabling TCP SYN protection, enabling access to /dev/mem, disabling TCP/IP stack options that can be dangerous or unsafe for the system (redirect, echo, source routing), using pam_cracklib so that users create strong passwords, and the importance of using a MAC system such as Tomoyo, AppArmor and SELinux.
Very useful!!!! Just what I was looking for, thanks 🙂
You're welcome, friend :).
If apache is used, it doesn't hurt to add rules with mod_rewrite to block bots. Very useful
http://perishablepress.com/eight-ways-to-blacklist-with-apaches-mod_rewrite/
and for nginx, is there any trick or configuration?
In debian 8 the /etc/ssh/sshd_config file already has Protocol 2 active, and the PermitRootLogin option is set to without-password (you can only log in as root with an authentication key and from the computers that have the private key)
PS: in debian 8 firewalld has arrived, which leaves ufw looking small
Have you seen ferm? I like how the rules are defined.
http://ferm.foo-projects.org/download/examples/webserver.ferm
Well, I'm glad Debian 8 uses firewalld since it is very, very good ...
Be careful with fail2ban: an attacker can craft packets with the ip of the local pc, and that makes a DOS very easy.
Man, the local PC IP and the loopback IP are excluded from the Fail2ban list.
If not, we could have false positives.
Good and very effective recommendations… Of course, in a server environment, and if we are hosting a website, it involves additional steps…. We currently maintain a project called JackTheStripper, which is nothing more than a bash script that prepares and secures a server with GNU/Linux following the best security practices, for web applications ... you can get to know the project at http://www.jsitech.com/jackthestripper ....
Nice script, although I like to keep the value of kernel.randomize_va_space = 2
The good thing is that before running it, you can modify it a bit to your needs….. Greetings…
Hello, of course my post deals with basic security, and each person must protect themselves more or less depending on the services they have installed on their systems, such as LAMP or FTP, SFTP, BIND and a long etcetera :)…
In the next post on security I will address these topics.
Thanks for the positive feedback :).
@petercheco, your guides are excellent; a guide to encrypting the FreeBSD system would be good. I don't know when you will do the second part about FreeBSD, about configuring and customizing desktops, about the Firewall, about creating and configuring a wireless network.
Hello friend,
I'm quite busy, as the infrequent posting shows, but I will keep it in mind for the next FreeBSD post.
Greetings :).
That was settled in the comments; I have no idea what you are talking about, none xD
Great article!
Does this security configuration mean limiting the equipment in some way?
No ... Normal use of the system is not limited at all.
And the funny (sad) thing is that, as we just saw with the Lenovo machines, if the bios firmware is tampered with malware, nothing you do matters.
As long as you use the Windows pre-installed by the manufacturer ...
Correction: remember that they installed it in the bios firmware, that is, it starts with the system at every boot, before the operating system, before the daemons, before everything, and it doesn't let you do anything against it. Little can be done against it, which is why the uefi idea is good in principle.
Interesting article, I will read it more carefully this afternoon. Thank you.
You're welcome :). I'm glad.
Very good article, I entertained myself all afternoon reading it. The time you take to explain everything so carefully is appreciated,
Greetings from Chile
Carlos
Hello Carlos,
Thank you very much :).
The Lenovo machines, if the bios firmware appears to be tampered with malware, the machines (Laptop PC-Desktop Computer) always come with Windows installed by the manufacturer, given the above… does the post… petercheco?
Even without doing all this it works, because the malware is made for Windows, not Linux.
Many things and tricks are missing from iptables, such as confusing nmap so that of all the open ports, lying that it is a windows pc using the ttl and the window size, scanlogd, apache mod security, grsec, selinux or something like that. Replace ftp with sftp, limit the number of connections per IP to each service on X port to prevent a DDoS from leaving us without services, as well as blocking the IPs that send more than so many UDP for so many seconds.
With the examples you gave, a new user would go crazy reading it ... You can't put everything in a single post. I will make several :).
I get an error in archlinux at this point when I start the service; I check its status and this comes out:
sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Fri 2015-03-20 01:10:01 CLST; 1s ago
Docs: man:fail2ban(1)
Process: 1695 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=255)
Mar 20 01:10:01 Gundam systemd[1]: Failed to start Fail2Ban Service.
Mar 20 01:10:01 Gundam systemd[1]: Unit fail2ban.service entered failed state.
Mar 20 01:10:01 Gundam systemd[1]: fail2ban.service failed.
Mar 20 01:10:01 Gundam systemd[1]: start request repeated too quickly for fail2ban…ice
Mar 20 01:10:01 Gundam systemd[1]: Failed to start Fail2Ban Service.
Mar 20 01:10:01 Gundam systemd[1]: Unit fail2ban.service entered failed state.
Mar 20 01:10:01 Gundam systemd[1]: fail2ban.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
any help? D:
Hello, if you enabled fail2ban with systemctl enable fail2ban.service and systemctl start fail2ban.service, the problem will be in the jail configuration you made. Please check your jail and verify that everything is fine.
Thanks!
PeterCzech
First of all, a good tutorial. Many things are missing, but you focused on the basics.
shini-kire, check your /var/log/fail2ban.log
Thanks.
Thanks @Maykel Franco :).
Hello,
should fail2ban be installed on a home pc, or is it more for servers???
Thank you.
Rather for servers, but if you are on a wifi that is accessible to more people than you, well ...
Hello friend, this seems to me a good security post on the firewall part in GNU/Linux distros. I'm writing this comment because I'm doing it on an Ubuntu 14.04 distribution, knowing that it is already at 15.04. What happens is the following problem: I enter nano /etc/fail2ban/jail.local as root and I have nothing to see in the sshd section, and I save. In the section called [DEFAULT] we uncomment and change #bantime = 3600 and
In the [sshd] section we add enabled = true, leaving it like this.
#enabled = true
enabled = true
It doesn't appear for sshd, which may be because I'm working with the previous version. Thanks