Iindlela ezilungileyo zokusebenza nge-OpenSSH

Alejandro (a.k.a KZKG^Gaara)

Imizuzu ye3

OpenSSH (Vula iShell ekhuselekileyoiseti yezicelo ezivumela unxibelelwano olofihliweyo kwinethiwekhi, usebenzisa i umgaqo SSH. Yenziwe njengenye indlela yasimahla nevulekileyo kwinkqubo Shell ekhuselekileyoIsoftware ephetheyo. « Wikipedia.

Abanye abasebenzisi banokucinga ukuba iinkqubo ezilungileyo kufuneka zisetyenziswe kuphela kwiiseva kwaye oku akunjalo. Uninzi lonikezelo lwe-GNU / Linux lubandakanya i-OpenSSH ngokuzenzekelayo kwaye kukho izinto ezimbalwa ekufuneka uzigcine engqondweni.

Khu seleko

La ngawona manqaku abalulekileyo ma-6 ekufuneka uwagcine engqondweni xa uqwalasela i-SSH:

  1. Sebenzisa iphasiwedi eyomeleleyo.
  2. Guqula izibuko elingagqibekanga le-SSH.
  3. Soloko usebenzisa ingxelo yesi-2 yenkqubo ye-SSH.
  4. Khubaza ukufikelela kwengcambu.
  5. Nciphisa ukufikelela komsebenzisi.
  6. Sebenzisa uqinisekiso olungundoqo.
  7. Ezinye iindlela

Igama eligqithisiweyo

Igama lokugqitha elilungileyo lelo liqulathe ialphanumeric okanye abalinganiswa abakhethekileyo, izithuba, oonobumba abakhulu nabancinci... njl. Apha ngaphakathi DesdeLinux Sibonise iindlela ezininzi zokwenza iipassword ezilungileyo. Ungandwendwela Oku kubhaliwe y le enye.

Guqula izibuko elingagqibekanga

Izibuko elingagqibekanga le-SSH lineminyaka engama-22 ukuyitshintsha, konke ekufuneka sikwenzile ukuhlela ifayile / njll / ssh / sshd_config. Sijonge umgca othi:

#Port 22

siyayikhulula kwaye sitshintshe ezingama-22 ngelinye inani .. umzekelo:

Port 7022

Ukwazi izibuko esingazisebenzisiyo kwikhompyuter / kwiserver esinokuyenza kwisiphelo sendlela:

$ netstat -ntap

Ngoku ukufikelela kwikhompyuter yethu okanye kwiserver kufuneka siyenze -p ngokolu hlobo lulandelayo:

$ ssh -p 7022 usuario@servidor

Sebenzisa iProtokholi 2

Ukuqinisekisa ukuba sisebenzisa inguqulelo yesi-2 yenkqubo ye-SSH, kufuneka sihlele ifayile / njll / ssh / sshd_config kwaye ujonge umgca othi:

# Umgaqo 2

Siyiyekisile kwaye sayiqala kwakhona inkonzo ye-SSH.

Sukuvumela ukufikelela njengengcambu

Ukuthintela umsebenzisi wengcambu ekubeni akwazi ukufikelela kude ngeSSH, sijonga kwifayile/ njll / ssh / sshd_config umgca:

#PermitRootLogin no

kwaye asihambisi. Ndicinga ukuba kufanelekile ukucacisa ukuba ngaphambi kokwenza oku kufuneka siqiniseke ukuba umsebenzisi wethu uneemvume eziyimfuneko zokwenza imisebenzi yezolawulo.

Nciphisa ukufikelela kubasebenzisi

Ayikhathazi ukuvumela ukufikelela nge-SSH kuphela kubasebenzisi abathile abathembekileyo, ke sibuyela kwifayile / njll / ssh / sshd_config kwaye sidibanisa umgca:

Vumela abasebenzisi i-elav usemoslinux kzkggaara

Apho ngokucacileyo, abasebenzisi elav, usemoslinux kunye ne-kzkggaara ngabo baya kuba nakho ukufikelela.

Sebenzisa uqinisekiso olungundoqo

Nangona le ndlela iyeyona icetyiswayo, kufuneka sithathe unonophelo olukhethekileyo kuba siya kungena kwiserver ngaphandle kokungena ngegama eligqithisiweyo. Oku kuthetha ukuba ukuba umsebenzisi uyakwazi ukungena kwiseshoni yethu okanye ikhompyuter yakho ibiwe, sinokuba sengxakini. Nangona kunjalo, masibone ukuba ungayenza njani.

Into yokuqala yokwenza isibini sezitshixo (esidlangalaleni nakwabucala):

ssh-keygen -t rsa -b 4096

Emva koko sidlulisa isitshixo sethu kwikhompyuter / kwiserver:

ssh-copy-id -i ~/.ssh/id_rsa.pub elav@200.8.200.7

Okokugqibela kufuneka singonwabi, kwifayile / njll / ssh / sshd_config umgca:

AuthorizedKeysFile .ssh/authorized_keys

Ezinye iindlela

Igalelo likaYukiteru

Singalinciphisa ixesha lokulinda apho umsebenzisi anokuthi angene ngempumelelo kwinkqubo ukuya kwimizuzwana engama-30

LoginGraceTime 30

Ukuthintela uhlaselo lwe-ssh ngokusebenzisa i-TCP Spoofing, ishiya i-encrypted iphila kwicala le-ssh lisebenza kangangemizuzu emi-3, sinokusebenzisa ezi ndlela zintathu.

TCPKeepAlive no ClientAliveInterval 60 ClientAliveCountMax 3

Khubaza ukusetyenziswa kwemikhombe okanye iifayili, ezithi ngenxa yezizathu zokhuseleko zibongozwa ukuba zingasetyenziswa.

UngayihoyiRhosts Ewe UngayihoyiIsiSebenziIzinto ezaziwayo ewe iiRhostsUqinisekiso akukho RhostsRSAUqinisekiso akukho

Jonga iimvume ezisebenzayo zomsebenzisi ngexesha lokungena.

StrictModes yes

Nika amandla ukwahlulwa kwamalungelo.

UsePrivilegeSeparation yes

Izigqibo:

Ngokwenza la manyathelo sinokongeza ukhuseleko kwiikhompyuter nakwiiseva zethu, kodwa akufuneki silibale ukuba kukho into ebalulekileyo: yintoni phakathi kwesihlalo kunye nebhodi yezitshixo. Kungenxa yoko le nto ndincoma ukufunda Oku kubhaliwe.

Umthombo: HowToForge


Shiya uluvo lwakho

Idilesi yakho ye email aziyi kupapashwa. ezidingekayo ziphawulwe *

*

*

  1. Uxanduva lwedatha: UMiguel Ángel Gatón
  2. Injongo yedatha: Ulawulo lwe-SPAM, ulawulo lwezimvo.
  3. Umthetho: Imvume yakho
  4. Unxibelelwano lwedatha: Idatha ayizukuhanjiswa kubantu besithathu ngaphandle koxanduva lomthetho.
  5. Ukugcinwa kweenkcukacha
  6. Amalungelo: Ngalo naliphi na ixesha unganciphisa, uphinde uphinde ucime ulwazi lwakho.

  1.   yukiteru sitsho
    yenzayo 9 iminyaka

    Iposti entle kakhulu @elav kwaye ndongeza izinto ezinomdla:

    Ukungena kwiXesha leXesha 30

    Oku kusivumela ukuba sinciphise ixesha lokulinda apho umsebenzisi anokungena ngempumelelo kwinkqubo ukuya kwimizuzwana engama-30

    TCPKeepAlive akukho
    IklayentiAliveInterval 60
    UmthengiAliveCountMax 3

    Ezi ndlela zintathu ziluncedo ekuthinteleni uhlaselo lwe-ssh ngokusebenzisa i-TCP Spoofing, ishiya i-encrypted iphila kwicala le-ssh elisebenza kangangemizuzu emi-3.

    Ungayihoyi imikhosi ewe
    UngayihoyiImikhosi eyaziwayo ewe
    Ukuqinisekisa ubukho no
    Ukuqinisekiswa kweRhostsRSA akukho

    Ikhubaza ukusetyenziswa kwemikhombe okanye iifayile zeshost, ethi ngenxa yezizathu zokhuseleko zibongozwa ukuba zingasetyenziswa.

    Iindlela eziQinisekileyo ewe

    Olu khetho lusetyenziselwa ukukhangela imvume esebenzayo yomsebenzisi ngexesha lokungena.

    Sebenzisa iPrivilegeSeparation ewe

    Nika amandla ukwahlulwa kwamalungelo.

    Phendula Yukiteru
    1.    iyeva sitsho
      yenzayo 9 iminyaka

      Ewe, okwethutyana ndiza kuyilungisa iposti kwaye ndiyongeze kwiposti 😀

      Phendula u-elav
  2.   Eugenio sitsho
    yenzayo 9 iminyaka

    Ukungaphumeleli ukuze ungatshintshi umgca awusafuneki. Imigca ephawulweyo ibonisa ixabiso elisisiseko kukhetho ngalunye (funda ingcaciso ekuqaleni kwefayile uqobo). Ukufikelela kwengcambu kukhutshaziwe ngokungagqibekanga, njl. Ke ngoko, ukungaphumeleli akunampembelelo kwaphela.

    Phendula u-Eugenio
    1.    iyeva sitsho
      yenzayo 9 iminyaka

      # Isicwangciso esisetyenzisiweyo ekukhetheni i-sshd_config emiselweyo ngenqanawa
      # I-OpenSSH kukuchaza iinketho ngexabiso labo elingagqibekanga apho
      # kunokwenzeka, kodwa bayeke baphawule. Izinketho ezingahambelaniyo zibhala ngaphezulu
      # Ixabiso elisisiseko.

      Ewe, kodwa umzekelo, sazi njani ukuba sisebenzisa inguqulelo yesi-2 kuphela yomgaqo olandelwayo? Kungenxa yokuba sinokusebenzisa u-1 no-2 ngaxeshanye. Njengoko umgca wokugqibela utsho, ukungaphumeleli kolu khetho umzekelo, ubhala ngaphezulu ukhetho olungagqibekanga. Ukuba sisebenzisa uguqulelo 2 ngokungagqibekanga, kulungile, ukuba akunjalo, sisebenzisa u-YES okanye u-EWE

      Enkosi ngezimvo

      Phendula u-elav
  3.   sli sitsho
    yenzayo 9 iminyaka

    Inqaku elilunge kakhulu, bendizazi izinto ezininzi kodwa inye into engazange icace kum kukusetyenziswa kwezitshixo, ngokwenene ziyintoni kwaye ziluncedo luni, ukuba ndisebenzisa izitshixo ndingasebenzisa iipassword ??? Ukuba kunjalo, kutheni isonyusa ukhuseleko kwaye ukuba akunjalo, ndingayifumana njani kwenye i-pc?

    Phendula uSli
  4.   I-Adian sitsho
    yenzayo 9 iminyaka

    Imibuliso, ndifake i-debian 8.1 kwaye andikwazi ukunxibelelana neewindows pc ukuya kwi-debian kunye ne-WINSCP, ngaba kuya kufuneka ndisebenzise umthetho 1? naluphi na uncedo .. enkosi
    I-Adian

    Phendula uAdian
  5.   IFranksanabria sitsho
    yenzayo 9 iminyaka

    Unokuba nomdla kule vidiyo malunga nokuvula https://m.youtube.com/watch?v=uyMb8uq6L54

    Phendula uFranksanabria
  6.   Ithayile sitsho
    yenzayo 9 iminyaka

    Ndifuna ukuzama ezinye izinto apha, ezininzi ndizamile ukubulela kwiArch Wiki, ezinye ngenxa yobuvila okanye ukungazi. Ndizoyigcina xa ndiqala i-RPi yam

    Phendula kwiTile