Hello friends of DesdeLinux, a promise is a promise, so here is a post on how to maximize the protection of Linux systems and keep them safe from intruders, as well as protect the information on your servers, PCs or laptops!
Getting started
Fail2ban: an application written in Python to prevent intrusion into a system. It works by penalizing or blocking remote connections that attempt brute-force access.
Installation:
Fedora, RHEL, CentOS:
yum install fail2ban
Debian, Ubuntu:
apt-get install fail2ban
Configuration:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
In the section called [DEFAULT] we uncomment and modify #bantime = 3600, leaving it like this:
#bantime = 3600
bantime = 604800
In the [sshd] section we add enabled = true, leaving it like this:
#enabled = true
enabled = true
We save with CTRL+O and close with CTRL+X
We start the service:
Fedora, RHEL, CentOS:
systemctl enable fail2ban.service
systemctl start fail2ban.service
Debian, Ubuntu:
service fail2ban start
Deny root access over ssh:
To protect our machine we are going to deny ssh logins for the root user. To do this, we edit the file /etc/ssh/sshd_config as follows:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bck
nano /etc/ssh/sshd_config
We uncomment and change
#Protocol 2
Protocol 2
We uncomment and change
#PermitRootLogin yes
PermitRootLogin no
We save with CTRL+O and close with CTRL+X
We start the service:
Fedora, RHEL, CentOS:
systemctl enable sshd.service
systemctl start sshd.service
Debian, Ubuntu:
service sshd start
Deny password access to the ssh server and allow ssh only with RSA keys
If we want to connect from PC1 to Server1, the first thing we have to do is generate our key on PC1. As our own user, not as root, on PC1 we run:
ssh-keygen -t rsa -b 8192
(this generates a more than secure key, since keys of 1024 to 2048 bits are what is normally used)
Once we have our key, we upload it to Server1:
ssh-copy-id user@server_ip
Once this is done, we connect to our Server1 and modify the file /etc/ssh/sshd_config with root permissions:
ssh user@Server1
nano /etc/ssh/sshd_config
We change the line that says #PasswordAuthentication yes to this:
#PasswordAuthentication yes
PasswordAuthentication no
We save with CTRL+O and close with CTRL+X
We restart the ssh service:
Fedora, RHEL, CentOS:
systemctl restart sshd.service
Debian, Ubuntu:
service sshd restart
Change the ssh listening port
Again we edit /etc/ssh/sshd_config and, in the part that refers to the port, we leave it like this:
#Port 22
Port 2000
(or any other number greater than 2000. In our examples we will use this one.)
We save with CTRL+O and close with CTRL+X
We restart the ssh service:
Fedora, RHEL, CentOS:
systemctl restart sshd.service
Debian, Ubuntu:
service sshd restart
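
The three sshd_config changes made so far (PermitRootLogin no, PasswordAuthentication no, a port other than 22) can be checked in the file before the service is restarted. The script below is an added example, not part of the original post; the function names, the sample file and the script name audit.sh are made up for illustration, and it reads a single file without following Include lines.

```sh
# Added example: audit an sshd_config file against the settings from this post.

# Print every value given for KEYWORD in the global part of the file, in order.
# Keywords are case-insensitive; lines after the first "Match" are conditional.
sshd_values() {  # usage: sshd_values FILE KEYWORD
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comment or blank line
        tolower($1) == "match" { exit }         # global section ends here
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]+/)          # keyword/value separator
            if (n == 0 || tolower(substr(line, 1, n - 1)) != want) next
            val = substr(line, n + RLENGTH); sub(/[ \t]+$/, "", val)
            print val
        }' "$1"
}

# Print one line per deviation and return the number of deviations.
audit_sshd() {  # usage: audit_sshd FILE
    findings=0
    for pair in PermitRootLogin=no PasswordAuthentication=no; do
        key=${pair%%=*}; want=${pair#*=}
        # sshd keeps the first value it reads for a single-valued keyword.
        got=$(sshd_values "$1" "$key" | head -n 1 | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: found '${got:-unset}', this post sets '$want'"
            findings=$((findings + 1))
        fi
    done
    # Port may be repeated and sshd listens on all of them; none means 22.
    ports=$(sshd_values "$1" Port)
    for p in ${ports:-22}; do
        if [ "$p" = 22 ]; then
            echo "FAIL Port: sshd still listens on the default port 22"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample input (not from a real host).
sample_config() {
    printf '%s\n' '#PermitRootLogin yes' 'permitrootlogin no' \
        'PasswordAuthentication no' 'PasswordAuthentication yes' \
        'Port 2000' 'Match User backup' '    PasswordAuthentication yes'
}

if [ $# -gt 0 ]; then audit_sshd "$1"; fi  # e.g. sh audit.sh /etc/ssh/sshd_config
```

On a live host, sshd -t validates the file and sshd -T prints the configuration sshd will actually use, so both are worth running before the restart.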
If you use fail2ban, you need to change its sshd-related configuration to match the new port.
nano /etc/fail2ban/jail.local
[sshd]
port = ssh, 2000
[sshd-ddos]
port = ssh, 2000
[dropbear]
port = ssh, 2000
[selinux-ssh]
port = ssh, 2000
We save with CTRL+O and close with CTRL+X
We restart the service:
Fedora, RHEL, CentOS:
systemctl restart fail2ban.service
Debian, Ubuntu:
service fail2ban restart
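
With a port-based ban action, a jail whose port list still says only ssh blocks banned addresses on port 22 while sshd answers on 2000. The script below is an added example, not part of the original post; the function names, the script name jailport.sh and the sample jail file are constructed. It reads a jail file, applies the [DEFAULT] fallback and reports whether a jail covers a given port.

```sh
# Added example: does a fail2ban jail cover the port sshd was moved to?

# Print the "port" setting that applies to JAIL: its own value if the section
# sets one, otherwise the value inherited from [DEFAULT].
jail_port_setting() {  # usage: jail_port_setting FILE JAIL
    awk -v jail="$2" '
        /^[ \t]*[#;]/ { next }                              # comment line
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec); next }
        /^[ \t]*port[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (sec == jail) own = val
            else if (sec == "DEFAULT") dflt = val
        }
        END { if (own != "") print own; else print dflt }' "$1"
}

# Succeed when PORT is matched by the jail's port list. Items may be numbers,
# "lo:hi" ranges or service names; only the name "ssh" (22) is resolved here.
jail_covers_port() {  # usage: jail_covers_port FILE JAIL PORT
    for item in $(jail_port_setting "$1" "$2" | tr ',' ' '); do
        case $item in
            ssh) item=22 ;;
            *:*) if [ "$3" -ge "${item%%:*}" ] && [ "$3" -le "${item##*:}" ]; then
                     return 0
                 fi
                 continue ;;
        esac
        if [ "$item" = "$3" ]; then return 0; fi
    done
    return 1
}

# Constructed sample jail.local (bantime and ports as in this post).
sample_jail() {
    printf '%s\n' '[DEFAULT]' 'bantime = 604800' 'port = 0:65535' \
        '[sshd]' 'enabled = true' 'port = ssh, 2000' \
        '[dropbear]' 'port = ssh' \
        '[selinux-ssh]' 'enabled = true'
}

# e.g. sh jailport.sh /etc/fail2ban/jail.local sshd 2000
if [ $# -eq 3 ]; then jail_covers_port "$1" "$2" "$3" && echo covered || echo "NOT covered"; fi
```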
Firewall
Fedora, RHEL, CentOS:
On these systems SELinux and iptables are enabled by default, and I recommend keeping them that way. How do you open a port with iptables? Let's see how to open the new ssh port 2000 that we changed earlier:
Open:
nano /etc/sysconfig/iptables
and we modify the line that refers to the default ssh port 22, leaving it like this:
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2000 -j ACCEPT
We save with CTRL+O and close with CTRL+X
We restart the service:
systemctl restart iptables
Debian, Ubuntu:
On Debian, Ubuntu and their derivatives we have the UFW firewall, which makes our life easier because it manages Netfilter in a very simple way.
Installation:
apt-get install ufw
ufw enable
To see the status of the open ports we run:
ufw status
To open a port (in our example it will be the new ssh port 2000):
ufw allow 2000
To deny a port (in our case it will be the default ssh port 22):
ufw deny 22
ufw delete deny 22
And that's it, friends. This way you will keep your machines safe. Don't forget to comment, and until next time :D.
and an encryption system such as this one: https://www.dyne.org/software/tomb/
And also jail users in their home directory if they connect via tty:
http://olivier.sessink.nl/jailkit/index.html#intro
https://operativoslinux.wordpress.com/2015/02/21/enjaular-usuarios-en-linux/ (the easy way)
It is better and more secure to encrypt the entire file system.
In the next tutorial on Linux security I will take it into account :D.
It would be good to talk about hardening the kernel through sysctl, enabling heap randomization and Exec-Shield on kernels that support it, restricting access to dmesg and the /proc file system, running an audit daemon, enabling TCP SYN protection, restricting access to /dev/mem, disabling TCP/IP stack options that may be dangerous or reduce system security (redirects, echo, source routing), using pam_cracklib so that users create strong passwords, and the importance of using a MAC system such as Tomoyo, AppArmor and SELinux.
Very useful!!!! Just what I was looking for, thanks 🙂
You're welcome, friend :).
If Apache is used, it doesn't hurt to add rules with mod_rewrite to block bots. Very useful
http://perishablepress.com/eight-ways-to-blacklist-with-apaches-mod_rewrite/
And for nginx, is there any trick or configuration?
On Debian 8 the /etc/ssh/sshd_config file already has Protocol 2 active, and the PermitRootLogin directive has the without-password option (you can only log in as root with the authentication key and from the computer that has the private key)
P.S. On Debian 8 firewalld has arrived, which makes ufw look small
Have you seen ferm? I like the way the rules are defined.
http://ferm.foo-projects.org/download/examples/webserver.ferm
Yes, I'm glad that Debian 8 uses firewalld because it is very good...
Be careful with fail2ban, because an attacker can forge packets with the local PC's IP and make a DoS very easy.
Man, the local PC's IP and the loopback IP are excluded from the Fail2ban list.
Otherwise, we could have false positives.
Good recommendations and very effective… Of course, in a server environment, and if we are hosting a website, it involves additional steps…. We currently maintain a project called JackTheStripper, which is nothing more than a Bash script that prepares and secures a GNU/Linux server following security best practices for web applications... you can read about the project here: http://www.jsitech.com/jackthestripper ....
Nice script, although I prefer to keep the value kernel.randomize_va_space = 2
The good thing is that before running it, you can adapt it a little to your needs... Regards...
Hello, of course my post is about basic hardening, and each person has to protect themselves more or less depending on the services they have installed on their systems, such as LAMP or FTP, SFTP, BIND and a long etcetera :)...
In the next post on security I will cover these topics.
Thanks for the positive feedback :).
@petercheco, your guides are excellent; an encryption guide for FreeBSD would be good. I don't know when you will do the second part on FreeBSD, on desktop configuration and customization, on the firewall, and on creating and configuring a wireless network.
Hello friend,
I'm a bit busy, as the infrequency of my posts shows, but I will keep it in mind for the next FreeBSD post.
Regards :).
The way the comments are laid out, I can't tell who anyone is talking to xD
Great article!
Does this security configuration limit the machine in any way?
No... Normal use of the system is not limited in any way.
And the funny (tragic) thing is that, as we have just seen with the Lenovo machines, if the BIOS firmware has been tampered with by malware, nothing you do matters.
As long as you use the Windows preinstalled by the manufacturer...
Error: remember that they installed it in the BIOS firmware, that is, it starts with the system on every reboot, before the operating system, before the daemons, before anything, and it doesn't let you do anything against it. There is little that can be done against such attacks. That's why the idea of UEFI is good in principle.
Interesting article, I'll read it carefully this afternoon. Thanks.
You're welcome :). I'm glad.
Excellent article, I enjoyed reading it all afternoon. I appreciate the time you take to explain everything so carefully,
Greetings from Chile
Carlos
Hello Carlos,
Thank you very much :).
On Lenovo machines, if the BIOS firmware appears to have been tampered with by malware, and the machines (laptops, desktop computers) always come with Windows installed by the manufacturer, then given the above... does the post work... petercheco?
Even without doing all this it works, because the malware is made for Windows, not Linux.
There are many things and tricks missing for iptables, such as confusing nmap so that all ports appear open, pretending to be a Windows PC by using the TTL and window size, scanlogd, Apache mod_security, grsec, selinux or something like that. Replace ftp with sftp, limit the number of connections per IP for each service
With the examples you gave, a new user would go crazy reading it... You can't put everything in a single post. I will write several entries :).
I get an error on archlinux at this point when I start the service; I check its status and this comes up:
sudo systemctl status fail2ban
● fail2ban.service – Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Fri 2015-03-20 01:10:01 CLST; 1s ago
Docs: man:fail2ban(1)
Process: 1695 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=255)
Mar 20 01:10:01 Gundam systemd[1]: Failed to start Fail2Ban Service.
Mar 20 01:10:01 Gundam systemd[1]: Unit fail2ban.service entered failed state.
Mar 20 01:10:01 Gundam systemd[1]: fail2ban.service failed.
Mar 20 01:10:01 Gundam systemd[1]: start request repeated too quickly for fail2ban…
Mar 20 01:10:01 Gundam systemd[1]: Failed to start Fail2Ban Service.
Mar 20 01:10:01 Gundam systemd[1]: Unit fail2ban.service entered failed state.
Mar 20 01:10:01 Gundam systemd[1]: fail2ban.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
any help? D:
Hello, if you enabled fail2ban with systemctl enable fail2ban.service and systemctl start fail2ban.service, the problem will be in the jail configuration you made. Please check your jail and verify that everything is fine.
Regards
Petercheco
First of all, good tutorial. Many things are missing but you focused on the basics.
shini-kire, check your /var/log/fail2ban.log
Regards
Thanks @Maykel Franco :).
Good morning,
should fail2ban be installed on a home PC, or is it more for servers???
Thank you.
More for servers, but if you are on a wifi that more people than just you can access, it's a good idea...
Hello friend, I think this is a good security post in the firewall area for GNU/Linux distros. I'm writing this comment because I'm doing it on an Ubuntu 14.04 distribution, knowing that it is already at 15.04. What happens is the following problem: I open nano /etc/fail2ban/jail.local as root and I don't see anything in the sshd part, and I save it; in the section called [DEFAULT] we uncomment and modify #bantime = 3600 and
In the [sshd] section we add enabled = true, leaving it like this:
#enabled = true
enabled = true
That doesn't appear in sshd, which may be because I'm working with an earlier version, thanks.