Imikhuba emihle nge-OpenSSH

I-OpenSSH (Vula Igobolondo Eliphephile) isethi yezinhlelo zokusebenza ezivumela ukuxhumana okubethelwe ngenethiwekhi, kusetshenziswa i- umthetho ssh. Yenziwe njengenye indlela yamahhala nevulekile kuhlelo I-Shell evikelekile, okuyi-software ephathelene. « Wikipedia.

Abanye abasebenzisi bangacabanga ukuthi imikhuba emihle kufanele isetshenziswe kuphela kumaseva kanti akunjalo. Ukusabalalisa okuningi kwe-GNU / Linux kufaka i-OpenSSH ngokuzenzakalela futhi kunezinto ezimbalwa okufanele uzikhumbule.

Ukuphepha

Lawa amaphuzu abaluleke kakhulu ama-6 okufanele uwagcine engqondweni lapho ulungiselela i-SSH:

  1. Sebenzisa iphasiwedi eqinile.
  2. Shintsha imbobo ezenzakalelayo ye-SSH.
  3. Sebenzisa njalo inguqulo 2 yephrothokholi ye-SSH.
  4. Khubaza ukufinyelela kwezimpande.
  5. Khawulela ukufinyelela komsebenzisi.
  6. Sebenzisa ukufakazela ubuqiniso bokhiye.
  7. Okunye okukhethwa kukho

Iphasiwedi eqinile

Iphasiwedi enhle ileyo equkethe izinhlamvu zamagama nezinombolo ezikhethekile, izikhala, icala eliphezulu neliphansi ... njll. Lapha ku-DesdeLinux sikhombise izindlela eziningi zokukhiqiza amaphasiwedi amahle. Ungavakashela Lesi sihloko y lokhu okunye.

Shintsha imbobo ezenzakalelayo

Imbobo ezenzakalelayo ye-SSH ingu-22 ukuyiguqula, konke okumele sikwenze ukuhlela ifayili / njll / ssh / sshd_config. Sifuna umugqa othi:

#Port 22

siyayikhulula bese siguqula ezingama-22 zenye inombolo .. ngokwesibonelo:

Port 7022

Ukwazi amachweba esingawasebenzisi kukhompyutha / kuseva yethu singayisebenzisa esigungwini:

$ netstat -ntap

Manje ukufinyelela ikhompyutha noma iseva yethu kufanele sikwenze ngoku -p inketho ngokulandelayo:

$ ssh -p 7022 usuario@servidor

Sebenzisa i-Protocol 2

Ukuqinisekisa ukuthi sisebenzisa inguqulo 2 yephrothokholi ye-SSH, kufanele sihlele ifayela / njll / ssh / sshd_config bese ubheka umugqa othi:

# Isivumelwano 2

Siyayikhulula bese siqala kabusha insiza ye-SSH.

Ungavumeli ukufinyelela njengezimpande

Ukuvimbela umsebenzisi wezimpande ukuthi akwazi ukufinyelela kude nge-SSH, sibheka kufayela/ njll / ssh / sshd_config umugqa:

#PermitRootLogin no

futhi asikuvumeli. Ngicabanga ukuthi kufanelekile ukucacisa ukuthi ngaphambi kokwenza lokhu kufanele siqiniseke ukuthi umsebenzisi wethu unezimvume ezidingekayo zokwenza imisebenzi yokuphatha.

Khawulela ukufinyelela ngabasebenzisi

Futhi akulimazi ukuvumela ukufinyelela nge-SSH kuphela kubasebenzisi abathile abathembekile, ngakho-ke sibuyela kufayela / njll / ssh / sshd_config futhi sengeza umugqa:

VumelaUsers elav usemoslinux kzkggaara

Lapho kusobala ukuthi, abasebenzisi elav, usemoslinux kanye ne-kzkggaara yibo abazokwazi ukufinyelela.

Sebenzisa ukufakazela ubuqiniso bokhiye

Yize le ndlela kunconywa kakhulu, kufanele sinakekele ngokukhethekile ngoba sizofinyelela kuseva ngaphandle kokufaka iphasiwedi. Lokhu kusho ukuthi uma umsebenzisi ekwazi ukungena kuseshini yethu noma eyebiwe ikhompyutha yethu, singaba senkingeni. Noma kunjalo, ake sibone ukuthi singakwenza kanjani.

Into yokuqala ukudala izikhiye ezimbili (zomphakathi nezangasese):

ssh-keygen -t rsa -b 4096

Ngemuva kwalokho sidlulisa ukhiye wethu siye kukhompyutha / iseva:

ssh-copy-id -i ~/.ssh/id_rsa.pub elav@200.8.200.7

Ekugcineni kufanele singakhululeki, kufayela / njll / ssh / sshd_config umugqa:

AuthorizedKeysFile .ssh/authorized_keys

Okunye okukhethwa kukho

Igalelo likaYukiteru

Singasinciphisa isikhathi sokulinda lapho umsebenzisi angangena ngempumelelo ngempumelelo ohlelweni afike kumasekhondi angama-30

LoginGraceTime 30

Ukugwema ukuhlaselwa kwe-ssh ngokusebenzisa i-TCP Spoofing, kushiya uhlangothi lwe-ssh lubethelwe luphila isikhathi esingaphezu kwemizuzu emi-3, singazisebenzisa lezi zinketho ezi-3.

I-TCPKeepAlive no ClientAliveInterval 60 ClientAliveCountMax 3

Khubaza ukusetshenziswa kwama-rhosts noma ama-shosts, okuthi ngenxa yezizathu zokuphepha unxuswa ukuthi ungasetshenziswa.

ZibaIzivakashi yebo ZibaUseKaziIzivakashiYesho amaRhostsUkuqinisekiswa chaRhostsRSAUkuqinisekiswa cha

Hlola izimvume ezisebenzayo zomsebenzisi ngesikhathi sokungena ngemvume.

StrictModes yes

Nika amandla ukuhlukaniswa kwamalungelo.

UsePrivilegeSeparation yes

Iziphetho:

Ngokwenza lezi zinyathelo singangeza ukuphepha okwengeziwe kuma-computer nakumaseva ethu, kepha akumele sikhohlwe ukuthi kunesici esibalulekile: yini phakathi kwesihlalo nekhibhodi. Kungakho ngincoma ukufunda Lesi sihloko.

Umthombo: Kanjani


Okuqukethwe yi-athikili kunamathela ezimisweni zethu ze izimiso zokuhlelela. Ukubika iphutha chofoza lapha.

Amazwana ayi-8, shiya okwakho

Shiya umbono wakho

Ikheli lakho le ngeke ishicilelwe.

*

*

  1. Ubhekele imininingwane: Miguel Ángel Gatón
  2. Inhloso yedatha: Lawula Ugaxekile, ukuphathwa kwamazwana.
  3. Ukusemthethweni: Imvume yakho
  4. Ukuxhumana kwemininingwane: Imininingwane ngeke idluliselwe kubantu besithathu ngaphandle kwesibopho esisemthethweni.
  5. Isitoreji sedatha: Idatabase ebanjwe yi-Occentus Networks (EU)
  6. Amalungelo: Nganoma yisiphi isikhathi ungakhawulela, uthole futhi ususe imininingwane yakho.

  1.   I-Yukiteru kusho

    Okuthunyelwe okuhle kakhulu @elav futhi ngifaka izinto ezithile ezithokozisayo:

    I-LoginGraceTime 30

    Lokhu kusivumela ukuthi sinciphise isikhathi sokulinda lapho umsebenzisi angangena ngempumelelo ohlelweni afike kumasekhondi angama-30

    TCPKeepAlive cha
    I-ClientAliveInterval 60
    I-ClientAliveCountMax 3

    Lezi zinketho ezintathu zilusizo impela ukugwema ukuhlaselwa kwe-ssh ngokusebenzisa i-TCP Spoofing, kushiya okubetheliwe kuphila ohlangothini lwe-ssh kusebenza isikhathi esiyimizuzu emi-3.

    ZibaIzivakashi yebo
    IgnoreUserKnownHosts yebo
    Ukuqinisekiswa kwe-Rhosts
    Ukuqinisekiswa kweRhostsRSA

    Ikhubaza ukusetshenziswa kwama-rhosts noma ama-shosts file, okuthi ngenxa yezizathu zokuphepha anconywe ukuthi angasetshenziswa.

    Ama-StrictMode yebo

    Le nketho isetshenziselwa ukuhlola izimvume ezisebenzayo zomsebenzisi ngesikhathi sokungena ngemvume.

    SebenzisaPrivilegeSeparation yebo

    Nika amandla ukuhlukaniswa kwamalungelo.

    1.    izinga kusho

      Hhayi-ke, isikhashana ngizohlela okuthunyelwe bese ngikungeza kokuthunyelwe

  2.   Eugenio kusho

    Ukungavumeli ukubeka umugqa ukuze ungashintshi umugqa akusafuneki. Imigqa ephawuliwe ikhombisa inani elizenzakalelayo lenketho ngayinye (funda ukucaciswa ekuqaleni kwefayela uqobo). Ukufinyelela kwezimpande kukhutshazwe ngokuzenzakalela, njll. Ngakho-ke, ukuyekisa ukuthula akunamthelela nakancane.

    1.    izinga kusho

      # Isu elisetshenziselwe izinketho ku-sshd_config ezenzakalelayo ethunyelwe nayo
      # I-OpenSSH ukucacisa izinketho ngenani lazo elizenzakalelayo lapho
      # kungenzeka, kepha bashiye baphawule. Izinketho ezingenamkhawulo zibhala ngaphezulu
      # inani elizenzakalelayo.

      Yebo, kepha ngokwesibonelo, sazi kanjani ukuthi sisebenzisa kuphela uhlobo 2 lwephrothokholi? Ngoba kungenzeka ukuthi sisebenzisa u-1 no-2 ngasikhathi sinye. Njengoba ulayini wokugcina usho, ukungavumeli le nketho ngokwesibonelo, kubhala ngaphezulu inketho ezenzakalelayo. Uma sisebenzisa inguqulo 2 ngokuzenzakalela, kulungile, uma kungenjalo, siyisebenzisa YEBO noma YEBO YES

      Siyabonga ngokuphawula

  3.   sli kusho

    I-athikili enhle kakhulu, bengazi izinto eziningana kepha into eyodwa engingacaceli ukusetshenziswa kwezinkinobho, empeleni ziyini futhi zinaziphi izinzuzo, uma ngisebenzisa okhiye ngingawasebenzisa amaphasiwedi ??? Uma kunjalo, kungani ikhulisa ukuphepha futhi uma kungenjalo, ngiyithola kanjani kusuka kwenye i-pc?

  4.   I-Adian kusho

    Sanibonani, ngifake i-debian 8.1 futhi angikwazi ukuxhuma kusuka ku-windows pc yami ukuya ku-debian nge-WINSCP, kuzodingeka ngisebenzise umthetho olandelwayo 1? noma yiluphi usizo .. ngiyabonga
    I-Adian

  5.   UFranksanabria kusho

    Ungaba nentshisekelo kule vidiyo mayelana ne-opensh https://m.youtube.com/watch?v=uyMb8uq6L54

  6.   Ithayela kusho

    Ngifuna ukuzama ezinye izinto lapha, eziningana esengizamile ukubonga i-Arch Wiki, ezinye ngenxa yobuvila noma ukungabi nalwazi. Ngizoyilondolozela lapho ngiqala i-RPi yami