Ngalesi sikhathi sizobona i- ithiphu emfushane futhi elula lokho kuzosisiza sithuthuke ukuphepha yokuxhumana kwethu okukude ne- ssh. |
I-OpenSSH, okuyiphakheji enikezwe izinhlelo ze-GNU / Linux ukuphatha ukuxhumana kwe-SSH, inezinketho ezahlukahlukene. Kufundwa incwadi I-SSH Igobolondo Eliphephile namakhasi ebhukwana ngithole inketho -F, etshela iklayenti le-SSH ukuthi lisebenzise ifayela lokumisa elihlukile kunalelo elitholwe ngokuzenzakalela kumkhombandlela we / etc / ssh.
Silusebenzisa kanjani lolu khetho?
Ngendlela elandelayo:
ssh -F / path / to_your / configuration / file user @ ip / Host
Isibonelo, uma sinefayela lokumisa ngokwezifiso elibizwa nge-my_config kuDeskithophu, futhi sifuna ukuxhumana nomsebenzisi uCarlos kwikhompyutha nge-IP 192.168.1.258, lapho-ke sizosebenzisa umyalo ngale ndlela elandelayo:
ssh -F ~ / Desktop / my_config carlos@192.168.1.258
Kusiza kanjani ukuphepha kokuxhumeka?
Khumbula ukuthi umhlaseli ongaphakathi kwesistimu yethu uzozama ngokushesha ukuthola amalungelo okuphatha uma engenawo, ngakho-ke kungaba lula kakhulu kuye ukwenza i-ssh ukuxhuma kuyo yonke eminye imishini kunethiwekhi. Ukugwema lokhu, singalungiselela ifayili le / etc / ssh / ssh_config ngamanani angalungile, futhi lapho sifuna ukuxhuma nge-SSH sizosebenzisa ifayili lokumisa esizobe sililondoloze endaweni esazi kuphela (noma ngaphandle isitoreji), okusho ukuthi, besingaba nokuphepha ebumnyameni. Ngale ndlela umhlaseli angadideka ukuthola ukuthi akakwazi ukuxhuma esebenzisa i-SSH nokuthi uzama ukwenza ukuxhumana ngokuya ngalokho okushiwo kufayela lokumisa okuzenzakalelayo, ngakho-ke kuzoba nzima ngaye ukubona ukuthi kwenzakalani, futhi sizomxaka kakhulu.umsebenzi.
Lokhu kungezwe ekushintsheni itheku lokulalela leseva ye-SSH, khubaza i-SSH1, ucacise ukuthi ngabaphi abasebenzisi abangaxhuma kwiseva, vumela ngokusobala ukuthi iyiphi i-IP noma uhla lwama-IP angaxhuma kwiseva namanye amathiphu esingathola kuwo http://www.techtear.com/2007/04/08/trucos-y-consejos-para-asegurar-ssh-en-linux bazosivumela ukuthi sandise ukuphepha kokuxhumana kwethu kwe-SSH.
Konke okuchazwe ngenhla kungenziwa kulayini owodwa. Ngokunambitha kwami kungaba yisicefe impela ukubhala umugqa omkhulu ngezinketho eziningi njalo lapho sizama ukungena ngemvume nge-SSH kwi-PC ekude, ngokwesibonelo okulandelayo kungaba yisampula yalokhu engikushoyo:
ssh -p 1056 -c blowfish -C -l carlos -q nami 192.168.1.258
-p Icacisa imbobo yokuxhuma kusikhungo esikude.
-c Icacisa ukuthi iseshini kufanele ibethelwe kanjani.
-C Ikhombisa ukuthi iseshini kufanele icindezelwe.
-l Ikhombisa umsebenzisi ongena ngemvume kuye kumphathi wesilawuli kude.
-q Ikhombisa ukuthi imiyalezo yokuxilonga iyacindezelwa.
-i Ikhombisa ifayili elizokhonjwa nge (key yangasese)
Kumele futhi sikhumbule ukuthi singasebenzisa umlando wesiginali ukugwema ukuthayipha wonke umyalo njalo lapho siwudinga, into umhlaseli angayisebenzisa futhi, ngakho-ke angiyikuyincoma, okungenani ekusetshenzisweni kwe Ukuxhumana kwe-SSH.
Yize inkinga yezokuphepha kungeyona yodwa inzuzo yalolu khetho, ngicabanga ezinye, njengokuthola ifayili lokumisa kuseva ngayinye esifuna ukuxhuma kuyo, ngakho-ke sizokugwema ukubhala izinketho ngaso sonke isikhathi lapho sifuna ukuxhumana i-SSH yeseva enokumiswa okuthile.
Sebenzisa inketho ye -F kungasiza kakhulu uma ngabe unamaseva amaningi anokumiswa okuhlukile. Ngaphandle kwalokho, zonke izilungiselelo kuzofanele zikhunjulwe, okungenakwenzeka. Isixazululo kungaba ukuthi kube nefayela lokumisa elilungiselelwe ngokuphelele ngokuya ngezidingo zeseva ngayinye, lisiza futhi liqinisekise ukufinyelela kulawo maseva.
Kulesi sixhumanisi http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config Ungathola ukuthi uhlela kanjani ifayela lokumiswa kwamakhasimende e-SSH.
Khumbula lokhu kungenye yezeluleko ezingamakhulu esingazithola ukuqinisekisa i-SSH, ngakho-ke uma ufuna ukuba nokuxhumana okuvikelekile okukude kufanele uhlanganise phakathi kwamathuba i-OpenSSH esinikeza wona.
Yilokho kuphela okwamanje, ngiyethemba lolu lwazi luzoba usizo kuwe bese ulinda okunye okuthunyelwe okuphathelene nokuphepha kwe-SSH ngesonto elizayo.
Ngithakazelela i unikele?
lokho? Ngicabanga ukuthi ubhekisa kokunye okuthunyelwe, ngoba angiqondi ukuthi usho ini. Lokhu okuthunyelwe kunikeza ithiphu encane ongayisebenzisa lapho usungula ukuxhumana nekhompyutha, akubhekiseli ekushintsheni noma ikuphi ukumiswa kwayo, noma ukuxazulula noma yini uma othile ekwazile ukungena. Umqondo ukwenza ukuxhumana phakathi kwamakhompyutha kuphephe, kudlule imingcele ezenzakalelayo engahle inganikeli ngezinga elifanele lokuphepha.
I-Port-knocking iyathakazelisa ukukhawulela ukuhlaselwa (ayikuvimbeli ngokuphelele, kepha iyayenza into yayo), yize ngikuthola kungakhululekile ukusebenzisa ... anginalo ulwazi oluningi ngayo.
Kunezinhlelo eziningi eziskena izingodo ukuvimba ukufinyelela nge-ip lapho kutholakala ukungena ngemvume okungalungile.
Into ephephe kunazo zonke ukusebenzisa ukungena ngemvume okungenamagama usebenzisa amafayela wokhiye.
Ukubingelela!
lokho? Ngicabanga ukuthi ubhekisa kokunye okuthunyelwe, ngoba angiqondi ukuthi usho ini. Lokhu okuthunyelwe kunikeza ithiphu encane ongayisebenzisa lapho usungula ukuxhumana nekhompyutha, akubhekiseli ekushintsheni noma ikuphi ukumiswa kwayo, noma ukuxazulula noma yini uma othile ekwazile ukungena. Umqondo ukwenza ukuxhumana phakathi kwamakhompyutha kuphephe, kudlule imingcele ezenzakalelayo engahle inganikeli ngezinga elifanele lokuphepha.
I-Port-knocking iyathakazelisa ukukhawulela ukuhlaselwa (ayikuvimbeli ngokuphelele, kepha iyayenza into yayo), yize ngikuthola kungakhululekile ukusebenzisa ... anginalo ulwazi oluningi ngayo.
Kunezinhlelo eziningi eziskena izingodo ukuvimba ukufinyelela nge-ip lapho kutholakala ukungena ngemvume okungalungile.
Into ephephe kunazo zonke ukusebenzisa ukungena ngemvume okungenamagama usebenzisa amafayela wokhiye.
Ukubingelela!
Futhi i-ssh izobheka ukumiswa okuzenzakalelayo komsebenzisi ku ~ / .ssh / config
Ngaphandle kokuthi i-daemon ilungiselelwe ukuthi ingenzeki, kepha ngokuzenzakalelayo iyakwenza.
Kubalulekile ukuthi ucabangele i-algorithm esetshenziselwa ama-hashes, ngenketho -m; Ngincoma i-hmac-sha2-512, hmac-sha2-256, hmac-ripemd160 ngokuba yiyona enikeza ukuphepha okuhle kakhulu. Qaphela, ngoba ngokuzenzakalela isebenzisa i-MD5 (noma sha1 ngethemba) !! yilezo zinto ezingaqondakali….
Noma kunjalo, umqondo omuhle kungaba ukuyiqhuba nge:
i-ssh -p PORT -c aes256-ctr -m hmac-sha2-512 -C IP
nge -c ucacisa i-algorithm yokubethela esetshenzisiwe, lapho i-ctr (imodi yokuphikisa) inconywa kakhulu (aes256-ctr kanye ne-aes196-ctr), futhi uma kungenjalo i-cbc (cipher-block chaining): aes256-cbc, aes192- cbc , i-blowfish-cbc, i-cast128-cbc
Ukubingelela!
Futhi i-ssh izobheka ukumiswa okuzenzakalelayo komsebenzisi ku ~ / .ssh / config
Ngaphandle kokuthi i-daemon ilungiselelwe ukuthi ingenzeki, kepha ngokuzenzakalelayo iyakwenza.
Kubalulekile ukuthi ucabangele i-algorithm esetshenziselwa ama-hashes, ngenketho -m; Ngincoma i-hmac-sha2-512, hmac-sha2-256, hmac-ripemd160 ngokuba yiyona enikeza ukuphepha okuhle kakhulu. Qaphela, ngoba ngokuzenzakalela isebenzisa i-MD5 (noma sha1 ngethemba) !! yilezo zinto ezingaqondakali….
Noma kunjalo, umqondo omuhle kungaba ukuyiqhuba nge:
i-ssh -p PORT -c aes256-ctr -m hmac-sha2-512 -C IP
nge -c ucacisa i-algorithm yokubethela esetshenzisiwe, lapho i-ctr (imodi yokuphikisa) inconywa kakhulu (aes256-ctr kanye ne-aes196-ctr), futhi uma kungenjalo i-cbc (cipher-block chaining): aes256-cbc, aes192- cbc , i-blowfish-cbc, i-cast128-cbc
Ukubingelela!
ebengikufuna ukuthi akekho umuntu ongafinyelela i-pc yami ayilawule kude
lapho-ke ngiyaqonda ngokusuka emazwini akho ukuthi uma ngingalivuli itheku akukho ukufinyelela okungenani ngale ndlela
mercii ngokuphendula!
Sawubona
Ngilandele amanye amaqhinga futhi nginombuzo! kusuka phakathi kokukhethwa kukho engikushintshile futhi
Itheku lokunye okuhlukile kunokwendabuko.Uma ngingavuli leyo port ku-router, kungenzeka yini ukuthi bakwazi ukuxhuma kwi-pc yami? noma izophinde iqondiswe kunoma iyiphi enye itheku?
Angidingi ukwenza ukuxhumana okukude ngakho-ke bengifuna ukwazi ukuthi yini ezosebenza kangcono uma kuvulwa itheku noma kuyishiya ivinjiwe.
Ngilinde izimpendulo!
> Into ephephe kunazo zonke ukusebenzisa ukungena ngemvume okungenamagama usebenzisa amafayela wokhiye.
Yilokho kanye ebengizokusho ... ukuthi ukuphela kwendlela yokungena ngemvume kumakhompyutha ahlukile kunokhiye osemgqeni olengiswa entanyeni yakho 😉
Umhlaseli angachitha impilo yakhe yonke ezama ukuphoqa ukuqhekeka kwephasiwedi, futhi akasoze abona ukuthi akadingi iphasiwedi kepha ifayela le-XD.
Angiyena uchwepheshe kwezokuPhepha nakumaNethiwekhi kepha ukwephula uhlelo lwakho lokuphepha ngokungena ngemvume okungenaziphazamiso kungwenela ukumane wenze iskripthi sokukopisha ukhiye wakho ogcinwe ku-pendrive lapho uyifaka, ngakho-ke ngemizuzwana ube uzokwazi ukufinyelela ngokhiye wakho wokude kuseva (futhi-ke, ngaphandle kwesidingo sephasiwedi), inkinga nge-passwords ukuthi ikwenza uzizwe uvikelekile ngamanga, ngoba njengoba ubona ngemigqa embalwa kuskripthi kungaba Kulula kakhulu ukulawula amaseva wakho akude. Khumbula ukuthi umhlaseli ngeke achithe isikhathi noma izinsizakusebenza ezama ukuqhekeza amaphasiwedi uma kunendlela emfushane yokwephula ukuphepha kwakho. Ngincoma ukuthi usebenzise okungenani izinketho ezingama-20 i-SSH evumela ukuzilungisa futhi lokhu kungeza okuthile okufana ne-TCP Wrappers, i-Firewall enhle futhi nalapho iseva yakho ibingeke ivikelwe nge-100%, isitha esibi kunazo zonke ezindabeni zokuphepha kufanele sithembeke.
Kuyathakazelisa, yize ngingaqiniseki ngenzuzo yangempela, ngoba sikhuluma ngokwenza nje izinto zibe nzima kancane lapho umhlaseli esevele ejoyine iqembu, futhi engeza ubunzima obengeziwe kubaphathi.
Ngithola inqubo ye-honeypot ilusizo kakhulu ukwazisa (futhi uthathe isenzo?) Mayelana nomsebenzi osolisayo, noma uhlobo oluthile lwebhokisi lesanti elivimbela izenzo zomhlaseli.
Noma bengizobheka ezinye izinhlobo zamasu avimbela ukungena, njengokushaywa kwe-port.
Futhi, ngiyabonga ngokwabelana kwakho nangokuvula impikiswano.