Kule ngoku, isithuba sesithandathu nesokugqibela, ukusuka kuthotho lwethu lwezithuba Ukufunda i-SSH siya kujongana ngendlela ebonakalayo, uqwalaselo kunye nokusetyenziswa kwe iinketho ezikhankanyiweyo kwi Ifayile yoqwalaselo ye-OpenSSH eziphathwayo kwicala le iseva ye-ssh, oko kukuthi, ifayile "Uqwalaselo lwe-SSHD" (sshd_config). Nto leyo, ebesithetha ngayo kwisavenge sangaphambili.
Ngaloo ndlela sinokukwazi ngokufutshane, ngendlela elula kwaye ethe ngqo, ezinye ze ezona zenzo zilungileyo (iingcebiso kunye neengcebiso) nini cwangcisa iseva ye-SSHekhaya naseofisini.
Kwaye, ngaphambi kokuqala isihloko sanamhlanje, malunga neyona nto ingcono "Iindlela ezilungileyo zokusebenzisa kuqwalaselo lwe-SSH Server", siya kushiya amanye amakhonkco kwiimpapasho ezinxulumeneyo, ukuze sizifunde kamva:
Iinkqubo ezilungileyo kwiSeva ye-SSH
Zeziphi izenzo ezilungileyo ezisebenzayo xa uqwalasela iSeva ye-SSH?
Okulandelayo, kwaye ngokusekelwe kwiinketho kunye neeparamitha del Ifayile yoqwalaselo ye-SSHD (sshd_config), ebonwe ngaphambili kwisithuba sangaphambili, ezi ziya kuba ezinye ezona zenzo zilungileyo ukwenza malunga noqwalaselo lwefayile exeliweyo, ukuya inshurensi okusemandleni ethu imidibaniso ekude, engenayo nephumayo, kwiseva ye-SSH enikiweyo:
Chaza abasebenzisi abanokungena kwi-SSH ngokhetho Vumela abasebenzisi
Ukusukela ukuba olu khetho okanye iparameter iqhele ukungaqukwa ngokungagqibekanga kwifayile exeliweyo, inokufakwa ekupheleni kwayo. Ukusebenzisa i-a uluhlu lweepateni zegama lomsebenzisi, zahlulwe zizithuba. Ngoko ke, ukuba kuchaziwe, ukungena, ngoku kuphela okufanayo kuyakuvunyelwa kwigama lomsebenzisi kunye negama lenginginya elihambelana nepateni enye eqwalaselweyo.
Umzekelo, njengoko kubonwa ngezantsi:
AllowUsers *patron*@192.168.1.0/24 *@192.168.1.0/24 *.midominio.com *@1.2.3.4
AllowGroups ssh
Xelela i-SSH ukuba yeyiphi ujongano lwenethiwekhi yendawo omamele kuyo ngokhetho lwe- ListenAddress
Ukwenza oku, kufuneka uvule (unganikezi) ifayile ukhetho Idilesi yokumamela, evelaengagqibekanga nge ixabiso "0.0.0.0", kodwa isebenza ngokwenene ZONKE imo, oko kukuthi, mamela kuzo zonke iindawo zenethiwekhi ezikhoyo. Ke ngoko, ixabiso elixeliweyo kufuneka limiselwe ngendlela yokuba lichazwe ukuba yeyiphi okanye iidilesi ze-IP zasekhaya ziyakusetyenziswa yinkqubo yesshd ukumamela izicelo zoqhagamshelwano.
Umzekelo, njengoko kubonwa ngezantsi:
ListenAddress 129.168.2.1 192.168.1.*
Cwangcisa ukungena kwe-SSH ngokusebenzisa izitshixo kunye nokhetho Ukuqinisekiswa Kwegama Lokugqithisa
Ukwenza oku, kufuneka uvule (unganikezi) ifayile ukhetho Ukuqinisekiswa Kwegama Lokugqithisa, evelaengagqibekanga nge ewe ixabiso. Kwaye ke, seta elo xabiso njenge "Hayi", ukwenzela ukuba kufuneke ukusetyenziswa kwezitshixo zikawonke-wonke kunye nezabucala ukufezekisa ugunyaziso lokufikelela kumatshini othile. Ukufezekisa ukuba ngabasebenzisi abakude kuphela abanokungena, ukusuka kwikhompyuter okanye kwiikhompyuter, ezigunyaziswe ngaphambili. Umzekelo, njengoko kubonwa ngezantsi:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PubkeyAuthentication yes
Khubaza ukungena kwengcambu nge-SSH ngokhetho PermitRootLogin
Ukwenza oku, kufuneka uvule (unganikezi) ifayile PermitRootLogin ukhetho, evelaengagqibekanga nge ixabiso elithi "hibit-password".. Nangona kunjalo, ukuba kufunwa ukuba ngokupheleleyo, Umsebenzisi wengcambu akavumelekanga ukuba aqalise iseshoni ye-SSH, ixabiso elifanelekileyo lokuseta li "Hayi". Umzekelo, njengoko kubonwa ngezantsi:
PermitRootLogin no
Guqula izibuko le-SSH elingagqibekanga ngokhetho lweSibuko
Ukwenza oku, kufuneka uvule (unganikezi) ifayile izibuko ukhetho, eza ngokungagqibekanga nge ixabiso "22". Nangona kunjalo, kubalulekile ukutshintsha izibuko elikhankanyiweyo ukuya kulo naliphi na elinye elikhoyo, ukuze kuncitshiswe kwaye kuthintelwe inani lohlaselo, i-manual okanye i-brute force, enokwenziwa ngezibuko elaziwayo elixeliweyo. Kubalulekile ukuqiniseka ukuba eli zibuko litsha liyafumaneka kwaye linokusetyenziswa zezinye izicelo eziza kudibanisa kumncedisi wethu. Umzekelo, njengoko kubonwa ngezantsi:
Port 4568
Ezinye iinketho eziluncedo zokuseta
Ekugqibeleni, kwaye emva koko Inkqubo ye-SSH ibanzi kakhulu, kwaye kwisavenge sangaphambili sele sijongane nokhetho ngalunye ngokweenkcukacha ezithe vetshe, ngezantsi siza kubonisa kuphela ezinye iinketho ezingaphezulu, ezinamaxabiso athile anokufaneleka kwiimeko ezininzi zosetyenziso kunye nezahlukeneyo.
Kwaye oku kulandelayo:
- Isibhengezo /etc/issue
- IklayentiAliveInterval 300
- UmthengiAliveCountMax 0
- Ukungena kwiXesha leXesha 30
- LogLevel ULWAZI
- MaxAuthTries 3
- MaxSessions 0
- Ubukhulu bokuQalisa 3
- AllowEmptyPasswords Hayi
- PrintMotd ewe
- PrintLastLog ewe
- Iindlela ezingqongqo Ewe
- SyslogFacility I-AUTH
- X11 Ukudlulisela ewe
- X11DisplayOffset 5
QaphelaQaphela: Nceda uqaphele ukuba, kuxhomekeke kwinqanaba lamava kunye nobuchule be IiSysAdmins kunye neemfuno zokhuseleko lweqonga lobuchwephesha ngalinye, uninzi lwezi khetho zinokuhluka ngokufanelekileyo nangengqiqo ngeendlela ezahlukeneyo. Ukongeza, ezinye iindlela eziphambili kakhulu okanye ezintsonkothileyo zinokwenziwa, njengoko ziluncedo okanye ziyimfuneko kwiindawo ezahlukeneyo zokusebenza.
Ezinye izenzo ezilungileyo
Phakathi kwezinye izenzo ezilungileyo zokuphumeza kwi-SSH Server Siyakwazi ukukhankanya oku kulandelayo:
- Cwangcisa isaziso se-imeyile yesilumkiso kuzo zonke okanye uqhagamshelo oluthile lwe-SSH.
- Khusela ufikelelo lwe-SSH kwiiseva zethu kuhlaselo olukhohlakeleyo usebenzisa isixhobo seFail2ban.
- Ngamaxesha athile jonga ngesixhobo seNmap kwiiseva ze-SSH kunye nabanye, ukukhangela amazibuko angagunyaziswanga okanye afunekayo avulekileyo.
- Ukuqinisa ukhuseleko lweqonga le-IT ngokufaka i-IDS (iNkqubo yokuHlola i-Intrusion) kunye ne-IPS (iNkqubo yokuThintela ukungena).
Isishwankathelo
Ngamafutshane, kunye nale ntlawulo yamva nje "Ukufunda iSSH" sigqibe umxholo ochazayo kuyo yonke into enxulumene nayo OpenSSH. Ngokuqinisekileyo, ngexesha elifutshane, siza kube sisabelana ngolwazi olubaluleke ngakumbi malunga ne Umgaqo-nkqubo weSSH, kwaye malunga neyakho ukusetyenziswa kwe console mediante Ukushicilela kweShell. Ngoko siyathemba ukuba unjalo "izenzo ezilungileyo kwiSeva ye-SSH", bongeze ixabiso elininzi, kokubini ngokobuqu nangobuchule, xa usebenzisa i-GNU/Linux.
Ukuba uyayithanda le post, qiniseka ukuba uphawule ngayo kwaye wabelane ngayo nabanye. Kwaye khumbula, ndwendwela wethu «iphepha lasekhaya» ukuphonononga ezinye iindaba, kunye nokujoyina ijelo lethu elisemthethweni le- ITelegram ye DesdeLinux, Bucala ngasekunene iqela ngolwazi oluthe vetshe ngesihloko sanamhlanje.
Ndijonge phambili kwinxalenye yesibini yeli nqaku apho wandisa ngakumbi kwinqaku lokugqibela:
Ukuqinisa ukhuseleko lweqonga le-IT ngokufaka i-IDS (iNkqubo yokuHlola i-Intrusion) kunye ne-IPS (iNkqubo yokuThintela ukungena).
Gracias !!
Molo, Lhoqvso. Ndiza kulinda ukuzaliseka kwayo. Enkosi ngokusindwendwela, ufunde umxholo wethu kunye nokuphawula.