Steps to secure our VPS

This tutorial shows how to prepare and secure a Virtual Private Server (VPS) running Debian GNU/Linux. Before we start, a few things are assumed:

  1. You have an intermediate level of familiarity with GNU/Linux.
  2. There is a VPS for personal use to which we have SSH access.
  3. The VPS has the external IPv4 address 250.250.250.155 assigned, and our provider owns the 250.250.0.0/16 block. (1)
  4. On our VPS we will have http, https and ssh services intended for access from outside.
  5. External DNS will not be configured, since it is usually done from the provider's control panel. (2)
  6. We will work as the superuser.

Installation

As a first step, let's update the server and install some packages we will need:

aptitude update && aptitude safe-upgrade
aptitude -RvW install dropbear gesftpserver sslh iptables-persistent ulogd fail2ban nginx-light apache2-utils dnsutils telnet ghostscript poppler-utils zip unzip unrar-free p7zip-full multitail tee mc

Configuration

Now we are going to create the working user. Working as root on the server is not safe, so we will first create a dedicated user:

adduser operator
usermod -aG sudo operator

The first command creates the user operator, the second adds it to the sudo group, which will allow running applications as root.

Adjust superuser permissions

For day-to-day work we will use the operator user created earlier, so we need to adjust the options for executing commands as superuser, for which we run the following command:

visudo

This command basically lets us edit the file /etc/sudoers; there we must include these lines:

Defaults env_reset,timestamp_timeout=0
%sudo ALL=(ALL:ALL) ALL

In the first line the option timestamp_timeout is added to the default values; it lets us set the expiry time (in minutes) of the password entered when running a sudo command. The default is 5, but that is sometimes insecure for two reasons:

  1. If we carelessly leave our computer logged in before the password expires, someone could run a command as superuser without restrictions.
  2. If we unknowingly run an application or script containing malicious code before the password expires, the application could access our system as superuser without our explicit consent.

So to avoid the risk we set the value to zero, that is, every time a sudo command is run the password will have to be entered. If a negative value such as -1 is set, the effect is that the password never expires, which would produce the opposite of what we want.

The second line specifies that the sudo group can run any command on any host, which is the usual setting, although it can be adjusted. (3) Some people, for convenience, write the line as follows to avoid typing the password:

%sudo ALL=(ALL:ALL) NOPASSWD: ALL

However, as we explained earlier, this is dangerous, and therefore not recommended.

Disable reboot

For security reasons, we will disable rebooting with the key combination Ctrl+Alt+Del, for which we must add this line to the file /etc/inittab:

ca:12345:ctrlaltdel:/bin/echo "Ctrl+Alt+Del is disabled."

Replace OpenSSH with Dropbear

Most VPSs come with OpenSSH installed, which is certainly very useful, but unless we need all of OpenSSH's functionality there are lighter alternatives for a VPS, such as Dropbear, which is usually enough for regular use. However, a drawback of this application is that it does not come with an integrated SFTP server, which is why we installed the gesftpserver package at the start.

To configure Dropbear, we modify the file /etc/default/dropbear so that it contains these two lines:

NO_START=0
DROPBEAR_EXTRA_ARGS="-w -p 127.0.0.1:22 -I 1200 -m"

The first line just enables the service, and the second does several things:

  1. Disallows root login.
  2. Makes the service listen on port 22 of the loopback interface (we will explain why later).
  3. Sets the idle timeout (1200 seconds, i.e. 20 minutes).

SSLH

Port 22 (SSH) is well known and is generally the first one crackers try to break in through, so we will use port 443 (SSL) instead. It happens that this port is used for secure browsing over HTTPS.

For this reason we will use the sslh package, which is nothing more than a multiplexer that inspects the packets arriving on port 443 and routes them internally to one service or the other depending on whether the traffic is SSH or SSL.

sslh cannot listen on an interface where another service is already listening, which is why we earlier made Dropbear listen on the loopback interface.

Now we have to tell sslh the interface and port it must listen on, and where to forward the packets depending on the type of service, for which we modify the configuration file /etc/default/sslh:

DAEMON=/usr/sbin/sslh
DAEMON_OPTS="--user sslh --listen 250.250.250.155:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"
RUN=yes

Finally, we restart the services:

service ssh stop && service dropbear start && service sslh restart

After the previous command our secure session will probably be interrupted, in which case it is enough to log in again, but this time with the working user and using port 443. If the session is not interrupted, it is advisable to close it and start again with the appropriate values.

If everything works correctly, we can go back to working as root and, if we wish, remove OpenSSH:

sudo su -
aptitude -r purge openssh-server

Firewall

The next thing we will do is separate the firewall logs into their own file, /var/log/firewall.log, to make later analysis easier, which is why we installed the ulogd package at the beginning. For this we edit the file /etc/ulogd.conf and adjust the relevant section:

[LOGEMU]
file="/var/log/firewall.log"
sync=1

Then we modify the log rotation file /etc/logrotate.d/ulogd to keep a daily rotation (with the date in the file name) and store the compressed backups in the directory /var/log/ulog/. ulogd keeps the log file open, so it is restarted after each rotation to make it write to the new file:

/var/log/firewall.log
{
    daily
    dateext
    compress
    olddir /var/log/ulog/
    postrotate
        service ulogd restart > /dev/null 2>&1 || true
    endscript
}

Then we create the netfilter rules by running the following:

IPT=$(which iptables)
IPEXT=250.250.250.155
IPEXTBLK=250.250.0.0/16
IPBCAST=255.255.255.255

$IPT -F
$IPT -X
$IPT -Z

$IPT -A INPUT -i lo -j ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -A INPUT -m state --state INVALID -j ULOG --ulog-prefix IN_INVALID
$IPT -A INPUT -p igmp -j ULOG --ulog-prefix IN_IGMP
$IPT -A INPUT -m pkttype --pkt-type broadcast -j ULOG --ulog-prefix IN_BCAST
$IPT -A INPUT -m pkttype --pkt-type multicast -j ULOG --ulog-prefix IN_MCAST
$IPT -A FORWARD -j ULOG --ulog-prefix FORWARD

$IPT -N ICMP_IN
$IPT -A INPUT ! -i lo -p icmp -j ICMP_IN
$IPT -A ICMP_IN -p icmp -f -j ULOG --ulog-prefix IN_ICMP_FRAGMENTED
$IPT -A ICMP_IN -p icmp -m icmp -m length ! --length 28:1322 -j ULOG --ulog-prefix IN_ICMP_INVALIDSIZE
$IPT -A ICMP_IN -p icmp -m icmp -m hashlimit --hashlimit-above 4/sec --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-name icmpflood -j ULOG --ulog-prefix IN_ICMP_FLOOD
$IPT -A ICMP_IN -p icmp -m icmp -m hashlimit --hashlimit-upto 64kb/min --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-name icmpattack -j ULOG --ulog-prefix IN_ICMP_FLOOD
$IPT -A ICMP_IN -p icmp -m icmp -m u32 ! --u32 "0x4&0x3fff=0x0" -j ULOG --ulog-prefix IN_ICMP_ATTACK
$IPT -A ICMP_IN -p icmp -m icmp ! --icmp-type echo-request -m state --state NEW -j ULOG --ulog-prefix IN_ICMP_INVALID
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type echo-request -j ULOG --ulog-prefix IN_ICMP
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 4 -j ACCEPT
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type echo-reply -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type destination-unreachable -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type time-exceeded -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type parameter-problem -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
$IPT -A ICMP_IN -j RETURN

$IPT -N UDP_IN
$IPT -A INPUT ! -i lo -p udp -j UDP_IN
$IPT -A UDP_IN ! -i lo -p udp -f -j ULOG --ulog-prefix IN_UDP_FRAGMENTED
$IPT -A UDP_IN -p udp -m udp --sport 53 -m length ! --length 28:576 -j ULOG --ulog-prefix IN_UDP_DNS_INVALIDSIZE
$IPT -A UDP_IN -p udp -m udp --dport 53 -m state --state NEW -j ULOG --ulog-prefix IN_UDP_DNSREQUEST
$IPT -A UDP_IN -p udp -m udp --dport 53 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
$IPT -A UDP_IN -p udp -m udp ! --sport 53 ! -s $IPEXTBLK ! -d $IPBCAST -m state --state NEW -j ULOG --ulog-prefix IN_UDP
$IPT -A UDP_IN -p udp -m udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A UDP_IN -j RETURN

$IPT -N TCP_IN
$IPT -A INPUT ! -i lo -p tcp -j TCP_IN
$IPT -A TCP_IN ! -i lo -p tcp -f -j ULOG --ulog-prefix IN_TCP_FRAGMENTED
$IPT -A TCP_IN -p tcp -m tcp --sport 53 -m state --state ESTABLISHED,RELATED -m length ! --length 513:1500 -j ULOG --ulog-prefix IN_TCP_DNS_INVALIDSIZE
$IPT -A TCP_IN -p tcp -m tcp --dport 53 -m state --state NEW -j ULOG --ulog-prefix IN_TCP_DNS
$IPT -A TCP_IN -p tcp -m tcp --dport 53 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
$IPT -A TCP_IN -p tcp -m tcp -m multiport ! --dports 80,443 -m state --state NEW -j ULOG --ulog-prefix IN_TCP
$IPT -A TCP_IN -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -m hashlimit --hashlimit-upto 4/sec --hashlimit-burst 16 --hashlimit-mode srcip --hashlimit-name navreq -j ACCEPT
$IPT -A TCP_IN -p tcp -m tcp -m multiport --dports 80,443 -m state --state ESTABLISHED -m connlimit ! --connlimit-above 16 -j ACCEPT

With the previous configuration our VPS should be reasonably protected, but if we want to protect it further, there are some advanced rules we can use.

Not all VPSs allow installing additional netfilter modules, but a very useful one is psd, which helps us fend off port scans. Unfortunately this module is not integrated in netfilter by default, so certain packages must be installed and the module built afterwards:

aptitude -RvW install iptables-dev xtables-addons-source module-assistant
module-assistant --verbose --text-mode auto-install xtables-addons-source

Once the above is done, we can add a rule like this:

iptables -I INPUT -m psd --psd-weight-threshold 15 --psd-delay-threshold 2000 --psd-lo-ports-weight 3 --psd-hi-ports-weight 1 -j ULOG --ulog-prefix IN_PORTSCAN

The rule above means that we create a counter that is increased by 3 each time an attempt is made to access a port below 1024, and by 1 each time an attempt is made to access a port above 1023; when this counter reaches 15 in less than 20 seconds, the packets are logged by ulog as a port scan attempt. The packets could also be dropped at the same time, but in this case we intend to use fail2ban, which we will configure later.
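To make the weighting described above concrete, here is a small simulation of it, added here as an example and not part of the original article or of the psd module's own code. It reads a constructed list of "<seconds> <destination port>" probes from standard input, applies the weights of the rule (3 for a port below 1024, 1 otherwise), resets the counter when two probes are further apart than the delay window (2000 hundredths of a second, i.e. 20 s) and reports when the threshold of 15 is reached. The real module also keeps state per source address and ignores some ports; those details are left out here.

```shell
#!/bin/sh
# Added example: simplified model of the psd port-scan weighting.
# Assumed input on stdin: one probe per line, "<seconds> <dport>".

psd_scan_detected() {
    # $1: weight threshold (15 in the rule above)
    # $2: delay window in seconds (20 s, from --psd-delay-threshold 2000)
    # exit status 0 when the threshold is reached inside the window, 1 otherwise
    awk -v thr="$1" -v win="$2" '
        {
            t = $1 + 0; port = $2 + 0
            w = (port < 1024) ? 3 : 1            # privileged ports weigh more
            if (NR > 1 && t - last > win) total = 0   # gap too long: new burst
            total += w; last = t
            if (total >= thr) {
                print "port scan: weight " total " reached at t=" t "s"
                hit = 1
                exit
            }
        }
        END { if (hit) exit 0; exit 1 }
    '
}

# constructed sample: five privileged ports probed within six seconds
fast_scan='0 21
1 22
2 23
4 25
6 80'

# constructed sample: the same ports, but 30 s apart, so the counter keeps resetting
slow_scan='0 21
30 22
60 23
90 25
120 80'

# constructed sample: fifteen unprivileged ports inside the window also reach 15
high_ports='0 8080
1 8081
2 8082
3 8083
4 8084
5 8085
6 8086
7 8087
8 8088
9 8089
10 8090
11 8091
12 8092
13 8093
14 8094'

printf '%s\n' "$fast_scan" | psd_scan_detected 15 20 || echo "fast_scan: below threshold"
printf '%s\n' "$slow_scan" | psd_scan_detected 15 20 || echo "slow_scan: below threshold"
printf '%s\n' "$high_ports" | psd_scan_detected 15 20 || echo "high_ports: below threshold"
```

The high_ports sample shows why the two weights matter: a sweep of unprivileged ports needs fifteen probes inside the window, whereas five probes on well-known service ports are enough, which is what the rule is tuned to catch.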

Once the rules are created, we must take some precautions so that they persist, otherwise we will lose them when the server reboots. There are several ways to do this; in this tutorial we will use the iptables-persistent package installed at the beginning, which stores the rules in /etc/iptables/rules.v4 and, for ipv6, in /etc/iptables/rules.v6.

iptables-save > /etc/iptables/rules.v4

Moreover, although the use of ipv6 in Cuba is not yet widespread, we can create some basic rules:

IPT=$(which ip6tables)
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT ! -i lo -m state --state ESTABLISHED,RELATED -j ACCEPT
unset IPT

These rules can be made persistent too:

ip6tables-save > /etc/iptables/rules.v6

Finally, for greater safety, we clear the firewall log and restart the services:

echo -n > /var/log/firewall.log
service logrotate restart
service ulogd restart
service iptables-persistent restart
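Once the rules are in place, /var/log/firewall.log fills with one LOGEMU line per logged packet, each starting with the --ulog-prefix of the rule that matched. The script below is an added example, not part of the original article or of ulogd, that summarises such a file per prefix and source address, which is the quickest way to see which rule is firing and who is triggering it. It assumes the LOGEMU line layout "<date> <host> <prefix> IN=... SRC=<ip> ... DPT=<port> ..."; the log lines in it are constructed samples using documentation addresses, not real traffic.

```shell
#!/bin/sh
# Added example: summarise ulogd LOGEMU lines from /var/log/firewall.log.
# Assumed layout: "<date> <host> <prefix> IN=... OUT=... SRC=<ip> ... DPT=<port> ...".

# print "hits prefix source" for every prefix/source pair, busiest first
firewall_summary() {
    awk '
        {
            prefix = ""; src = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^IN=/) prefix = $(i - 1)   # the prefix sits right before IN=
                if ($i ~ /^SRC=/) src = substr($i, 5)
            }
            if (prefix != "" && src != "") hits[prefix " " src]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# print every source with at least $1 logged packets, whatever the prefix
noisy_sources() {
    awk -v min="$1" '
        { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++ }
        END { for (s in n) if (n[s] >= min) print s }
    ' | sort
}

# constructed sample log: three TCP probes and one UDP probe from one host,
# two echo requests from another (the IN_ICMP rule logs every ping)
sample_log='Mar 10 10:00:01 vps IN_TCP IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=250.250.250.155 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 10:00:02 vps IN_TCP IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=250.250.250.155 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 10:00:03 vps IN_TCP IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=250.250.250.155 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41236 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 10:00:04 vps IN_UDP IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=250.250.250.155 LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=5060 DPT=161 LEN=58
Mar 10 10:00:05 vps IN_ICMP IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.9 DST=250.250.250.155 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar 10 10:00:06 vps IN_ICMP IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.9 DST=250.250.250.155 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=2'

printf '%s\n' "$sample_log" | firewall_summary
echo "sources with 3 or more hits:"
printf '%s\n' "$sample_log" | noisy_sources 3
```

On the server the same functions read the real file with `firewall_summary < /var/log/firewall.log`. Note that newer kernels no longer provide the ULOG target used by the rules above; with those kernels ulogd 2 reads from the NFLOG target instead, so the rules need `-j NFLOG --nflog-prefix` before this log file gets any lines at all.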

Nginx

We will use Nginx as the web server, because VPSs usually have a reduced amount of RAM compared with a physical server, so it is a good idea to have something lighter than Apache.

Before configuring Nginx, we create a certificate (without a passphrase) for use over HTTPS:

cd /etc/nginx
openssl genrsa -des3 -out cert.key 4096
cp -v cert.key cert.key.original
openssl req -new -key cert.key -out cert.csr
openssl rsa -in cert.key.original -out cert.key
openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.crt

Once this is done, we create the authentication file for the user "usuario":

htpasswd -c .htpasswd usuario

Then we modify the file /etc/nginx/sites-available/default to set the options of the default site. It could look like this:

server {
    server_name localhost;
    index index.html index.htm default.html default.htm;
    root /var/www;

    location / {
        # set the lookup order and the page to load if the URI is not found
        try_files $uri $uri/ /index.html;
    }
}

server {
    listen 127.0.0.1:443;
    server_name localhost;
    index index.html index.htm default.html default.htm;
    root /var/www;

    ssl on;
    ssl_certificate cert.crt;
    ssl_certificate_key cert.key;
    ssl_session_timeout 5m;

    # make HTTPS work over TLS only (more secure than SSL)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # prefer high-strength ciphers [HIGH],
    # move medium-strength ciphers [MEDIUM] to the end of the list,
    # disable low-strength ciphers [LOW] (40 and 56 bits),
    # disable ciphers with export algorithms [EXP],
    # disable null ciphers [eNULL], ciphers without authentication [aNULL],
    # SSL (versions 2 and 3) and DSS (only allows keys up to 1024 bits)
    ssl_ciphers HIGH:+MEDIUM:!LOW:!EXP:!eNULL:!aNULL:!SSLv3:!SSLv2:!DSS;

    # prefer the server's cipher suites (by default the client's are used)
    ssl_prefer_server_ciphers on;

    location / {
        # enable authentication
        auth_basic "Login";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # set the lookup order and the status code to return if the URI is not found
        try_files $uri $uri/ =404;

        # allow directory listing for authenticated users
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
    }
}

We check that the configuration is correct:

nginx -t

Finally, we restart the service:

service nginx restart

Fail2Ban

Before starting to configure Fail2Ban, for greater safety we stop the service and clear its log:

fail2ban-client stop
echo -n > /var/log/fail2ban.log

Next, we create the configuration file /etc/fail2ban/jail.local with the following custom content:

# custom configuration file /etc/fail2ban/jail.local
#
[DEFAULT]
findtime = 43200     ; 12 hours
bantime = 86400      ; 1 day
maxretry = 3         ; the ban will take effect after the 4th attempt

[ssh]
enabled = false

[nginx-auth]
enabled = true
filter = nginx-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx*/*error*.log

[nginx-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
logpath = /var/log/nginx*/*access*.log
bantime = 604800     ; 1 week
maxretry = 1

[nginx-login]
enabled = true
filter = nginx-login
action = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath = /var/log/nginx*/*access*.log
bantime = 1800       ; 30 minutes

[nginx-noscript]
enabled = true
action = iptables-multiport[name=NoScript, port="http,https"]
filter = nginx-noscript
logpath = /var/log/nginx*/*access*.log
maxretry = 30

[nginx-proxy]
enabled = true
action = iptables-multiport[name=NoProxy, port="http,https"]
filter = nginx-proxy
logpath = /var/log/nginx*/*access*.log
bantime = 604800     ; 1 week
maxretry = 0

[firewall]
enabled = true
action = iptables-multiport[name=Firewall]
filter = firewall
logpath = /var/log/firewall.log
maxretry = 1

Once that is done, we create the following files in the directory /etc/fail2ban/filter.d/:

# /etc/fail2ban/filter.d/nginx-auth.conf
# Auth filter
# Blocks IPs that fail to authenticate using basic authentication
#
[Definition]
failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>
ignoreregex =

# /etc/fail2ban/filter.d/nginx-login.conf
# Login filter
# Blocks IPs that fail to authenticate using the web application's login page
# Scans the access log for HTTP 200 + POST /sessions => failed login
#
[Definition]
failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200
ignoreregex =

# /etc/fail2ban/filter.d/nginx-noscript.conf
# Noscript filter
# Blocks IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.
# Matches e.g.
# 192.168.1.1 - - "GET /something.php
#
[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)
ignoreregex =

# /etc/fail2ban/filter.d/nginx-proxy.conf
# Proxy filter
# Blocks IPs trying to use the server as a proxy.
# Matches e.g.
# 192.168.1.1 - - "GET http://www.something.com/
#
[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =

# /etc/fail2ban/filter.d/firewall.conf
# Firewall filter
#
[Definition]
failregex = ^.*IN_(INVALID|PORTSCAN|UDP|TCP|).*SRC=<HOST>.*$
ignoreregex =
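A filter that matches too much bans visitors and one that matches too little bans nobody, so each failregex is worth checking against real log lines before the jail goes live. The script below is an added example, not part of the original article or of fail2ban, that evaluates the expressions above with grep -E over constructed nginx error-log, access-log and firewall-log lines. fail2ban expands <HOST> to its own host pattern; here it is replaced with a plain IPv4 pattern, which is close enough for this purpose. The addresses and log lines are constructed samples.

```shell
#!/bin/sh
# Added example: evaluate fail2ban failregex lines against sample log lines.
# Assumption: <HOST> is stood in for by a plain IPv4 pattern (fail2ban's
# own expansion also accepts host names and IPv6 addresses).
HOST_RE='[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+'

# $1: a failregex as written in filter.d (may contain <HOST>); stdin: log lines
# prints the number of lines the expression matches
count_failregex() {
    re=$(printf '%s' "$1" | sed "s/<HOST>/$HOST_RE/g")
    grep -Ec -- "$re" || true       # grep exits 1 when the count is 0
}

# constructed nginx error-log lines: one for each nginx-auth failregex
nginx_error_log='2015/03/10 10:00:01 [error] 1234#0: *1 user "usuario": password mismatch, client: 203.0.113.7, server: localhost, request: "GET / HTTP/1.1", host: "localhost"
2015/03/10 10:00:05 [error] 1234#0: *2 no user/password was provided for basic authentication, client: 203.0.113.7, server: localhost, request: "GET / HTTP/1.1", host: "localhost"
2015/03/10 10:00:09 [error] 1234#0: *3 user "bob" was not found in "/etc/nginx/.htpasswd", client: 198.51.100.9, server: localhost, request: "GET / HTTP/1.1", host: "localhost"'

# constructed nginx access-log lines: a script probe, a normal hit,
# a proxy attempt and a failed application login
nginx_access_log='203.0.113.7 - - [10/Mar/2015:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:01:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2015:10:01:02 +0000] "GET http://example.com/ HTTP/1.1" 400 0 "-" "curl/7.38"
203.0.113.7 - - [10/Mar/2015:10:01:03 +0000] "POST /sessions HTTP/1.1" 200 0 "-" "Mozilla/5.0"'

# constructed firewall-log lines: one TCP probe and one ordinary ping
firewall_log='Mar 10 10:00:01 vps IN_TCP IN=eth0 OUT= SRC=203.0.113.7 DST=250.250.250.155 LEN=60 TTL=52 PROTO=TCP SPT=41234 DPT=22 SYN
Mar 10 10:00:05 vps IN_ICMP IN=eth0 OUT= SRC=198.51.100.9 DST=250.250.250.155 LEN=84 TTL=57 PROTO=ICMP TYPE=8 CODE=0'

# the firewall filter as written above: the group ends in an empty alternative,
# so "IN_" followed by anything matches, pings included
firewall_regex_page='^.*IN_(INVALID|PORTSCAN|UDP|TCP|).*SRC=<HOST>.*$'
# tightened variant (an assumption of this example): only the four listed prefixes
firewall_regex_tight='^.*IN_(INVALID|PORTSCAN|UDP|TCP).*SRC=<HOST>.*$'

echo "nginx-auth, mismatch:   $(printf '%s\n' "$nginx_error_log" | count_failregex 'user .* password mismatch.*client: <HOST>')"
echo "nginx-noscript:         $(printf '%s\n' "$nginx_access_log" | count_failregex '^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)')"
echo "nginx-proxy:            $(printf '%s\n' "$nginx_access_log" | count_failregex '^<HOST> -.*GET http.*')"
echo "nginx-login:            $(printf '%s\n' "$nginx_access_log" | count_failregex '^<HOST> -.*POST /sessions HTTP/1\.." 200')"
echo "firewall (as written):  $(printf '%s\n' "$firewall_log" | count_failregex "$firewall_regex_page")"
echo "firewall (tightened):   $(printf '%s\n' "$firewall_log" | count_failregex "$firewall_regex_tight")"
```

The firewall case is the one to look at: the expression on the page counts the IN_ICMP line as well, and since the IN_ICMP rule logs every echo request and the [firewall] jail has maxretry = 1, a single ping from a host would be enough to ban it. Dropping the trailing empty alternative restricts the jail to the four prefixes it names. On the server itself the authoritative check is `fail2ban-regex <logfile> <filter file>`, which applies fail2ban's real <HOST> expansion.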

Finally, we start the service and load the configuration:

fail2ban-server -b
fail2ban-client reload

Verification

As a final step, we can monitor the logs with tail -f or multitail --follow-all. In fact, this last application has the advantage of letting us watch several files at once, and it provides syntax highlighting.

If no email account is configured on the VPS, it is advisable to disable the warning message that appears when starting multitail, which we do with the following command:

echo "check_mail:0" > ~/.multitailrc

We can also create an alias (4) to check the logs quickly with a short command, for example "flog":

alias flog='multitail --follow-all /var/log/firewall.log /var/log/fail2ban.log'

1) These are fictitious values.
2) Configuring other services is easy once you understand how this one works.
3) For more information, use man sudoers.
4) Optionally it can be added to the file ~/.bash_aliases



  1.   msx said

    There are interesting things here, +1

  2.   yukiteru said

    @Hugo this line in the configuration:

    ssl_protocols SSLv3 TLSv1;

    I would take SSLv3 out of it, because that protocol is no longer secure; even in Debian Jessie many services have been patched to prevent using that protocol for that reason.

    Information on the subject here:

    https://www.linode.com/docs/security/security-patches/disabling-sslv3-for-poodle
    http://disablessl3.com/

    1.    Hugo said

      The idea was not really to offer important services over HTTPS, but to explain how to use port 443 for SSH without losing the possibility of using it for HTTPS if needed, but thanks for the warning.

      Anyway, I have updated the article to slightly change the nginx configuration and, while at it, include some comments to clarify things a bit about this encryption method, and to fix some minor errors.

  3.   Daniel PZ said

    Thank you very much for this nice tutorial, now I'm going to put it into practice! :D, Keep it up DesdeLinux, you always surprise me. Greetings from Peru.

  4.   Ñandekuera said

    Thank you very much for sharing.

  5.   Fernando said

    Very good guide, and it comes as a godsend; I've just started on this blog, but even more so now that I'm about to launch my first VPS and still have many doubts, but this article has cleared up many of them, thanks and regards