Yebo, bengikulungiselela lokhu okuthunyelwe ibhulogi yami isikhathi esithile bangiphakamisela yona ku- DesdeLinux, futhi ngenxa yokushoda kwesikhathi, ubengakwazi noma ethanda. Uma ngivila ngandlela thile 😀. Kepha manje batelekile, njengoba sisho eCuba ...
0- Gcina amasistimu ethu evuselelwa ngezibuyekezo zakamuva zokuphepha.
0.1- Uhlu Olubalulekile Lwe-imeyiliUmeluleki Wezokuphepha weSlackware, Umeluleki wezokuphepha we-Debian, kimi]
1- Zero ukufinyelela ngokomzimba kumaseva ngabasebenzi abangagunyaziwe.
1.1- Sebenzisa iphasiwedi ku- I-BIOS amaseva ethu
1.2- Ayikho ibhuthi ngeCD / DVD
1.3- Iphasiwedi ku-GRUB / Lilo
2- Inqubomgomo yephasiwedi enhle, izinhlamvu zamagama nezinye.
2.1- Ukuguga kwamaphasiwedi [Ukuguga kwephasiwedi] ngomyalo we “chage”, kanye nenombolo yezinsuku phakathi kokushintshwa kwephasiwedi nosuku lokugcina lokushintsha.
2.2- Gwema ukusebenzisa amaphasiwedi wangaphambilini:
ku /etc/pam.d/common-password
password sufficient pam_unix.so use_auth ok md5 shadow remember 10
Ngakho-ke ushintsha iphasiwedi futhi ikukhumbuza amaphasiwedi wokugcina ayi-10 umsebenzisi abenawo.
3- Inqubomgomo yokuphatha / yokuhlukanisa kahle yenethiwekhi yethu [ama-routers, switch, vlans] kanye ne-firewall, kanye nemithetho yokuhlunga INPUT, OUTPUT, FORWARD [NAT, SNAT, DNAT]
4- Nika amandla ukusetshenziswa kwamagobolondo [/ etc / shells]. Abasebenzisi akudingeki bangene ohlelweni bathola / bin / false noma / bin / nologin.
5- Vimba abasebenzisi lapho ukungena ngemvume kwehluleka [i-faillog], kanye nokulawula i-akhawunti yomsebenzisi wesistimu.
ipasswd -l pepe -> vimba iposi lomsebenzisi ipasswd -v pepe -> vulela iposi lomsebenzisi
6- Nika amandla ukusetshenziswa kwe- "Sudo", UNGALOKOTHI ungene ngemvume njengezimpande nge-ssh, "NEVER". Eqinisweni kufanele uhlele ukumiswa kwe-ssh ukufeza le nhloso. Sebenzisa izinkinobho zomphakathi / eziyimfihlo kumaseva wakho ngeSudo.
7- Sebenzisa ezinhlelweni zethu “Isimiso selungelo elincane".
8- Bheka izinsizakalo zethu ngezikhathi ezithile [netstat -lptun], zeseva ngayinye yethu. Faka amathuluzi wokuqapha angasisiza kulo msebenzi [Nagios, Cacti, Munin, Monit, Ntop, Zabbix].
9- Faka ama-IDS, Snort / AcidBase, Snotby, Barnyard, OSSEC.
10- UNmap ungumngani wakho, yisebenzise ukuhlola ama-subnet / subnet akho.
11- Imikhuba emihle yokuphepha ku-OpenSSH, i-Apache2, i-Nginx, i-MySQL, i-PostgreSQL, i-Postfix, i-squid, i-Samba, i-LDAP [leyo esetshenziswa kakhulu] kanye nenye insizakalo oyidingayo kunethiwekhi yakho.
12- Bethela konke ukuxhumana ngenkathi kungenzeka ezinhlelweni zethu, i-SSL, i-gnuTLS, i-StarTTLS, ukugaya, njll. Futhi uma uphatha imininingwane ebucayi, bhala ngemfihlo i-hard drive yakho !!!
13- Vuselela amaseva ethu eposi ngemithetho yakamuva yezokuphepha, yokuvinjelwa kanye neye-antispam.
14- Ukungena ngemvume komsebenzi ezinhlelweni zethu nge-logwatch kanye nokuhlolwa kokuhlola.
15- Ulwazi nokusetshenziswa kwamathuluzi anjenge top, sar, vmstat, free, phakathi kwabanye.
sar -> umbiko womsebenzi wohlelo vmstat -> izinqubo, inkumbulo, isistimu, i / o, umsebenzi we-cpu, njll iostat -> cpu i / o isimo mpstat -> isimo se-multiprocessor nokusetshenziswa pmap -> ukusetshenziswa kwememori ngezinqubo zamahhala -> iptraf memory -> Ithrafikhi ngesikhathi sangempela se-ethstatus yethu yenethiwekhi -> i-ethernet yezibalo ezisekelwa kukhonsoli eqapha i-etherape -> inethiwekhi yokuqhafaza yenethiwekhi ss -> isimo sesokhethi [i-tcp socket info, udp, amasokhethi aluhlaza, amasokhethi eDCCP] tcpdump -> Ukuhlaziywa okuningiliziwe kwe-traffic vnstat -> Ukuqapha ithrafikhi yenethiwekhi ye-interface ekhethiwe mtr -> ithuluzi lokuxilonga nokuhlaziywa kokugcwala kakhulu kumanethiwekhi ethtool -> izibalo mayelana namakhadi enethiwekhi
Okwamanje kuphelele. Ngiyazi ukuthi kukhona iziphakamiso zokuphepha eziyinkulungwane neyodwa kulolu hlobo lwendawo, kepha lezi yizo ezingithinte kakhulu, noma ukuthi kwesinye isikhathi kuye kwadingeka ngisebenzise / ngivivinye umzimba endaweni engiyiphethe .
Ukwanga futhi ngethemba lokuthi kuzokusebenzela 😀
Ngiyakumema emibhalweni ukuthi usitshele ngeminye imithetho esetshenzisiwe ngaphandle kwaleyo esivele ishiwo, ukukhulisa ulwazi lwabafundi bethu 😀
Ngingeza kahle:
1.- Sebenzisa imithetho ye-sysctl ukuvimbela ukufinyelela kwe-dmesg, / proc, i-SysRQ, unikeze i-PID1 kungqangi, unike amandla ukuvikelwa kwama-symlink aqinile futhi athambile, ukuvikelwa kwezitaki ze-TCP / IP kuzo zombili i-IPv4 ne-IPv6, yenza kusebenze i-VDSO ephelele ukuze kusetshenziswe izinkomba ngokuphelele nokwabiwa kwesikhala sememori nokuthuthukisa amandla ngokuqhamuka kokuchichima kwesibambi.
2.- Dala izindonga zomlilo zohlobo lwe-SPI (Stateful Package Inspect) ukuvikela ukuxhumana okungadalwanga noma obekuvunyelwe ngaphambilini ekubeni nokufinyelela ohlelweni.
3.- Uma ungenazo izinsizakalo ezivumela ukuxhumana ngamalungelo aphakeme ukusuka endaweni ekude, mane ubuyise ukufinyelela kuzo usebenzisa i-access.conf, noma, uma wehluleka lokho, vumela ukufinyelela kumsebenzisi othile noma iqembu elithile kuphela.
4.- Sebenzisa imikhawulo enzima ukuvimbela ukufinyelela kumaqembu athile noma abasebenzisi ekulimazeni uhlelo lwakho. Iwusizo kakhulu ezindaweni lapho kukhona umsebenzisi wangempela osebenzayo ngaso sonke isikhathi.
5.- I-TCPWrappers ingumngani wakho, uma usohlelweni oluyisekelayo, ukuyisebenzisa ngeke kulimaze, ngakho-ke ungaphika ukufinyelela kunoma yimuphi umphathi ngaphandle kokuthi kwakulungiselelwe ngaphambilini ohlelweni.
6.- Dala okhiye be-SSH RSA okungenani ama-bits angama-2048 noma okungcono ngamabhithi angama-4096 ngezinkinobho ze-alphanumeric zezinhlamvu ezingaphezu kwe-16.
7.- Ubhaleka kangakanani emhlabeni? Ukuhlola izimvume zokufundwa kokubhalwa kwezinkomba zakho akukubi nakancane futhi kuyindlela engcono yokugwema ukufinyelela okungagunyaziwe ezindaweni zabasebenzisi abaningi, ingasaphathwa eyokuthi kwenza kube nzima kakhulu ukufinyelela okuthile okungagunyaziwe ukuthola ukufinyelela olwazini olwenza akekho omunye umuntu obonayo.
8. - Beka noma yikuphi ukwahlukanisa kwangaphandle okungakufaneli, ngezinketho noexec, nosuid, nodev.
9.- Sebenzisa amathuluzi afana ne-rkhunter ne-chkrootkit ukuhlola ngezikhathi ezithile ukuthi isistimu ayinayo i-rootkit noma i-malware efakiwe. Isinyathelo esihlakaniphile uma ungomunye walabo abafaka izinto kusuka kumakhosombe angavikelekile, avela kuma-PPAs, noma bamane baphile ngokuhlanganisa ikhodi kusuka kumasayithi angathembekile.
Uhmmm, okumnandi… Amazwana amahle, engeza abafana… 😀
Faka isicelo sokulawulwa kokufinyelela okugunyaziwe nge-SElinux?
i-athikili enhle kakhulu
Ngiyabonga mngani 😀
Sawubona futhi uma ngingumsebenzisi ojwayelekile, kufanele ngisebenzise i-su noma i-Sudo?
Ngisebenzisa su ngoba angithandi iSudo, ngoba noma ngubani onephasiwedi yami yomsebenzisi angashintsha noma yini ayifunayo ohlelweni, esikhundleni salokho nge su no.
Ku-PC yakho akukhathazi ukusebenzisa i-su, ungayisebenzisa ngaphandle kwezinkinga, kumaseva, kunconywa kakhulu ukukhubaza ukusetshenziswa kwe-su nokusebenzisa i-Sudo, abaningi bathi kungenxa yeqiniso lokucwaninga ukuthi ngubani owenze lokho umyalo noSudo benza lowo msebenzi ... Mina ikakhulukazi, kwi-pc yami ngisebenzisa eyakhe, njengawe ...
Impela, angazi ngempela ukuthi isebenza kanjani kumaseva. Noma, kubonakala kimi ukuthi uSudo wayenethuba lokuthi unganikeza amalungelo kumsebenzisi wenye ikhompyutha, uma ngingaphosisi.
I-athikili ethokozisayo, ngibhala ngemfihlo amanye amafayela nge-gnu-gpg, njengaleyo yelungelo eliphansi, uma kwenzeka ufuna ukwenza, ngokwesibonelo, i-kanambambili yemvelaphi engaziwa elahlekile olwandle olukhulu lolwazi kwidiski, ngilisusa kanjani ukufinyelela emisebenzini ethile?
Ngikukweleta leyo ngxenye, yize ngicabanga ukuthi kufanele usebenzise kuphela njenge-Sudo / impande, izinhlelo ezinokwethenjelwa, okungukuthi, zivela ku-repo yakho ...
Ngikhumbula ngifunda ukuthi kunendlela yokunika amandla amandla empande kubhukwana elithile ku-GNU / Linux naku-UNIX, uma ngikuthola ngizokubeka 😀
@andrew nayi indatshana engiyishilo nosizo olwengeziwe
http://www.cis.syr.edu/~wedu/seed/Labs/Capability_Exploration/Capability_Exploration.pdf
http://linux.die.net/man/7/capabilities
https://wiki.archlinux.org/index.php/Capabilities
namakheji e-chown ukusebenzisa ama-binaries angaziwa?
Sebenzisa iSudo ngaso sonke isikhathi kungcono kakhulu.
Noma ungasebenzisa iSudo, kepha ubeke umkhawulo esikhathini lapho kukhunjulwa khona iphasiwedi.
Amathuluzi afanayo engiwasebenzisa ukuqapha i-pc, "iotop" esikhundleni se- "iostat", "htop" omuhle kakhulu "umphathi womsebenzi", "iftop" bandwidth monitoring.
abaningi bazokholwa ukuthi lokhu kuyihaba, kepha sengikubonile ukuhlaselwa ukufaka i-server kwi-botnet.
https://twitter.com/monitolinux/status/594235592260636672/photo/1
ps: Abancengi baseChina kanye nemizamo yabo yokugenca isiphakeli sami.
okuthile okulula futhi ukusebenzisa amakheji e-chown ezinsizakalweni, ngakho-ke uma ngasizathu simbe behlaselwa bebengeke balulaze uhlelo.
Ukusebenzisa umyalo we-ps nakho kuhle kakhulu ekuqapheni futhi kungaba yingxenye yezenzo zokubheka amaphutha okuphepha. ukusebenzisa i-ps -ef kuklelisa zonke izinqubo, kuyefana nokwaphezulu kepha kukhombisa umehluko othile. ukufaka i-iptraf ngelinye ithuluzi elingasebenza.
Umnikelo omuhle.
Ngingeza: i-SELinux noma i-Apparmor, ngokuya nge-distro, ihlala inikwe amandla.
Ngokwami ukubona ngabona ukuthi kuwumkhuba omubi ukukhubaza lezo zinto. Cishe ngaso sonke isikhathi siyakwenza lapho sizofaka noma silungiselela insiza, ngezaba zokuthi isebenza ngaphandle kwezinkinga, lapho empeleni okufanele sikwenze ukufunda ukubaphatha ukuvumela leyo nsizakalo.
A ukubingelela.
1.Ungayibhala kanjani lonke uhlelo lwefayela? kuyakufaneleka??
Ngabe kufanele isuswe ukubethela njalo lapho uhlelo luzobuyekezwa?
3. Ingabe ukubhala ngemfihlo lonke uhlelo lwefayela lomshini kuyefana nokubethela noma yiliphi elinye ifayela?
Wazi kanjani ukuthi uyakwazi lokhu okhuluma ngakho?
Futhi, ungafaka izinhlelo zezinyoni ngisho nabasebenzisi abaningi. Yize ukwenza lokhu kungumsebenzi owengeziwe, kepha uma kukhona okwenzekile, futhi ube nekhophi langaphambilini laleyo folda, kumane kushaya futhi kuyaculwa.
Inqubomgomo yezokuphepha ehamba phambili futhi elula kunazo zonke akumele iphazamise.
Kuzame, akunaphutha.
Ngisebenzisa i-csf futhi lapho ngivula iklayenti elifake kabi iphasiwedi yalo kokunye ukufinyelela, libambezela inqubo kepha liyakwenza. Kuyinto evamile?
Ngifuna umyalo wokuvula ku-ssh ... noma yisiphi isiphakamiso