Steps to secure our VPS

This tutorial shows how to set up and secure a Virtual Private Server (VPS) running Debian GNU/Linux. Before we begin, a few assumptions:

  1. You have an intermediate level of familiarity with GNU/Linux.
  2. You have a VPS for personal use that you can reach over SSH.
  3. The VPS has the external IPv4 address 250.250.250.155 assigned, and our provider owns the block 250.250.0.0/16. (1)
  4. Only the http, https and ssh services on our VPS will be reachable from outside.
  5. External DNS will not be enabled, since it is usually managed from our provider's panel. (2)
  6. We will work as the superuser.

Installation

As a first step, let's update the server and install the packages we will need:

# aptitude update && aptitude safe-upgrade
# aptitude -RvW install dropbear gesftpserver sslh iptables-persistent ulogd fail2ban nginx-light apache2-utils dnsutils telnet ghostscript poppler-utils zip unzip unrar-free p7zip-full less multitail mc

Setup

Now we will create a working user. Working as root on the server is not safe, so first we create a dedicated user:

adduser operator
usermod -aG sudo operator

The first command creates the user operator; the second adds it to the sudo group, which will allow it to run applications as root.

Adjust the superuser permissions

Since from now on we will work with the previously created operator user, we need to adjust the options for running commands as the superuser, for which we use the following command:

visudo

This command basically lets us edit the file /etc/sudoers, where we should include these lines:

Defaults env_reset,timestamp_timeout=0
%sudo ALL=(ALL:ALL) ALL

On the first line the option timestamp_timeout is added to the default values; it sets the expiry time (in minutes) of the password cached when a sudo command is run. The default is 5, but this is sometimes not safe, for two reasons:

  1. If we inadvertently leave our computer logged in before the password expires, someone could run a command as the superuser without restrictions.
  2. If we unknowingly run an application or script that contains malicious code before the password expires, that application could access our system as the superuser without our explicit permission.

So, to avoid these risks, we set the value to zero, i.e. every time a sudo command is run the password will have to be entered. If a negative value such as -1 is set, the effect is that the password never expires, which would produce the opposite of what we want.

The second line specifies that the sudo group can run any command on any host, which is the usual setting, although it can be fine-tuned. (3) Some people write the line as follows to avoid typing the password:

%sudo ALL=(ALL:ALL) NOPASSWD: ALL

However, as explained above, this is dangerous, so it is not recommended.
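To check a sudoers file for the two settings discussed above, here is a small audit script (an added example, not part of the original post). It parses the Defaults and %sudo lines, reports the effective timestamp_timeout and flags NOPASSWD entries; the sample sudoers texts are constructed here and the function name audit_sudoers is ours.

```python
# Added example (not from the original post): audit of the sudoers settings
# discussed above. Reports the effective timestamp_timeout and flags NOPASSWD
# entries. Input is sudoers text; the samples below are constructed.
import re

SUDO_DEFAULT_TIMEOUT = 5.0   # sudo's built-in default, in minutes


def audit_sudoers(text):
    """Return a dict with the effective timestamp_timeout, the NOPASSWD
    entries found and a list of human-readable warnings."""
    result = {"timestamp_timeout": SUDO_DEFAULT_TIMEOUT, "nopasswd": [], "warnings": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Defaults"):
            # the last Defaults line that sets the option wins, as in sudo
            m = re.search(r"timestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)", line)
            if m:
                result["timestamp_timeout"] = float(m.group(1))
        elif "NOPASSWD" in line:
            result["nopasswd"].append(line)

    t = result["timestamp_timeout"]
    if t < 0:
        result["warnings"].append("timestamp_timeout is negative: cached credentials never expire")
    elif t > 0:
        result["warnings"].append("timestamp_timeout=%g: password is cached for %g minutes" % (t, t))
    for entry in result["nopasswd"]:
        result["warnings"].append("passwordless sudo granted: " + entry)
    return result


# Constructed samples: the configuration recommended above, and the risky variant.
RECOMMENDED = "Defaults env_reset,timestamp_timeout=0\n%sudo ALL=(ALL:ALL) ALL\n"
RISKY = "Defaults env_reset,timestamp_timeout=-1\n%sudo ALL=(ALL:ALL) NOPASSWD: ALL\n"

if __name__ == "__main__":
    for name, text in (("recommended", RECOMMENDED), ("risky", RISKY)):
        print(name, audit_sudoers(text)["warnings"] or ["ok"])
```

visudo -c only checks syntax; this script reads the two settings the text warns about. Point it at a copy of /etc/sudoers, and at each file under /etc/sudoers.d/, with audit_sudoers(open(path).read()).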

Disable reboot

For security reasons we will disable rebooting with the key combination Ctrl+Alt+Del, for which we add this line to the file /etc/inittab:

ca:12345:ctrlaltdel:/bin/echo "Ctrl+Alt+Del is disabled."

Replace OpenSSH with Dropbear

Most VPSs come with OpenSSH installed, which is certainly useful, but unless we need to exploit all of OpenSSH's functionality, there are lighter alternatives for a VPS, such as Dropbear, which is usually enough for everyday use. A drawback of this program, however, is that it does not ship with an integrated SFTP server, which is why we installed the gesftpserver package at the beginning.

To configure Dropbear, we modify the file /etc/default/dropbear so that it contains these two lines:

NO_START=0
DROPBEAR_EXTRA_ARGS="-w -p 127.0.0.1:22 -I 1200 -m"

The first line simply enables the service, and the second does several things:

  1. Disallows root login (-w).
  2. Makes the service listen on port 22 of the local interface only (we will explain why later).
  3. Sets the idle timeout (-I 1200, i.e. 20 minutes).

SSLH

Port 22 (SSH) is well known and is usually one of the first that crackers try to break into, so we will use port 443 (SSL) instead. It happens that this port is used for secure browsing over HTTPS.

That is why we will use the sslh package, which is nothing more than a multiplexer that analyses the packets arriving on port 443 and routes them internally to one service or the other depending on whether the traffic is SSH or SSL.

SSLH cannot listen on an interface where another service is already listening, which is why we previously made Dropbear listen on the local interface.

Now we need to tell sslh which interface and port it should listen on and where to redirect the packets according to the type of service, and for this we modify the configuration file /etc/default/sslh:

DAEMON=/usr/sbin/sslh
DAEMON_OPTS="--user sslh --listen 250.250.250.155:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"
RUN=yes

Finally, we restart the services:

service ssh stop && service dropbear start && service sslh restart

After the previous command our secure session will probably be interrupted, in which case it is enough to log in again, but this time with the working user and over port 443. If the session is not interrupted, it is still advisable to close it and open it again with the right values.
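Because sslh and Dropbear must not bind the same socket, and sslh's --ssh target must be the address Dropbear listens on, a quick consistency check of the two /etc/default files is worth running before restarting the services. The following is an added example (not from the original post, Dropbear or sslh); the file contents are reproduced from the two snippets above as constructed strings, and check_mux, shell_vars and option_value are our own names.

```python
# Added example (not from the original post, Dropbear or sslh): consistency
# check of the two /etc/default files shown above. Verifies that sslh hands
# SSH traffic to the socket Dropbear binds, that the two daemons bind
# different sockets, and that root login is disabled. Contents are constructed.
import shlex

DROPBEAR_DEFAULT = 'NO_START=0\nDROPBEAR_EXTRA_ARGS="-w -p 127.0.0.1:22 -I 1200 -m"\n'
SSLH_DEFAULT = (
    "DAEMON=/usr/sbin/sslh\n"
    'DAEMON_OPTS="--user sslh --listen 250.250.250.155:443 --ssh 127.0.0.1:22 '
    '--ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"\n'
    "RUN=yes\n"
)


def shell_vars(text):
    """Parse KEY=value lines of an /etc/default file into a dict, unquoting values."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = " ".join(shlex.split(value))
    return out


def option_value(args, flag):
    """Value following `flag` in a command-line string, or None if absent."""
    tokens = shlex.split(args)
    for i, tok in enumerate(tokens[:-1]):
        if tok == flag:
            return tokens[i + 1]
    return None


def check_mux(dropbear_text, sslh_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    db = shell_vars(dropbear_text)
    sh = shell_vars(sslh_text)
    db_args = db.get("DROPBEAR_EXTRA_ARGS", "")
    sh_args = sh.get("DAEMON_OPTS", "")
    problems = []
    if db.get("NO_START") != "0":
        problems.append("Dropbear is not enabled (NO_START must be 0)")
    if "-w" not in shlex.split(db_args):
        problems.append("Dropbear allows root login (-w missing)")
    bind = option_value(db_args, "-p")
    listen = option_value(sh_args, "--listen")
    ssh_target = option_value(sh_args, "--ssh")
    # Dropbear must sit on loopback so that sslh can own the public 443 socket
    if bind is None or not bind.startswith("127."):
        problems.append("Dropbear does not bind a loopback address (-p 127.0.0.1:PORT)")
    if ssh_target != bind:
        problems.append("sslh --ssh %s does not point at Dropbear's socket %s" % (ssh_target, bind))
    if listen is not None and listen == bind:
        problems.append("sslh and Dropbear would bind the same socket")
    if sh.get("RUN") != "yes":
        problems.append("sslh is not enabled (RUN must be yes)")
    return problems


# Constructed broken variant: root login allowed and Dropbear on every interface.
DROPBEAR_BROKEN = 'NO_START=0\nDROPBEAR_EXTRA_ARGS="-p 22 -I 1200"\n'

if __name__ == "__main__":
    print("as configured above:", check_mux(DROPBEAR_DEFAULT, SSLH_DEFAULT) or "ok")
    print("broken variant:", check_mux(DROPBEAR_BROKEN, SSLH_DEFAULT))
```

On the server itself, pass the real files: check_mux(open("/etc/default/dropbear").read(), open("/etc/default/sslh").read()).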

If everything works correctly, we can go back to working as root and, if we wish, remove OpenSSH:

sudo su -
aptitude -r purge openssh-server

Firewall

The next thing we will do is separate the firewall logs into their own file, /var/log/firewall.log, to make later analysis easier, which is why we installed the ulogd package at the beginning. For this we edit the file /etc/ulogd.conf and adjust the corresponding section:

[LOGEMU]
file="/var/log/firewall.log"
sync=1

Next, we modify the log rotation file /etc/logrotate.d/ulogd so that it rotates daily (with the date in the name) and keeps the compressed backups in the directory /var/log/ulog/:

/var/log/ulog/*.log /var/log/firewall.log
{
    daily
    dateext
    missingok
    compress
    delaycompress
    sharedscripts
    create 640 root adm
    postrotate
        /etc/init.d/ulogd reload
        mv /var/log/firewall.log-*.gz /var/log/ulog/
    endscript
}

Then we create the netfilter rules by running the following:

IPT=$(which iptables)
IPEXT=250.250.250.155
IPEXTBLK=250.250.0.0/16
IPBCAST=255.255.255.255

# flush rules, delete user chains and zero the counters
$IPT -F
$IPT -X
$IPT -Z

# accept loopback; default policies drop inbound and forwarded traffic
$IPT -A INPUT -i lo -j ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# log invalid, IGMP, broadcast, multicast and forwarded packets
$IPT -A INPUT -m state --state INVALID -j ULOG --ulog-prefix IN_INVALID
$IPT -A INPUT -p igmp -j ULOG --ulog-prefix IN_IGMP
$IPT -A INPUT -m pkttype --pkt-type broadcast -j ULOG --ulog-prefix IN_BCAST
$IPT -A INPUT -m pkttype --pkt-type multicast -j ULOG --ulog-prefix IN_MCAST
$IPT -A FORWARD -j ULOG --ulog-prefix FORWARD

# ICMP: log anomalies and floods, rate-limit the useful types
$IPT -N ICMP_IN
$IPT -A INPUT ! -i lo -p icmp -j ICMP_IN
$IPT -A ICMP_IN -p icmp -f -j ULOG --ulog-prefix IN_ICMP_FRAGMENTED
$IPT -A ICMP_IN -p icmp -m icmp -m length ! --length 28:1322 -j ULOG --ulog-prefix IN_ICMP_INVALIDSIZE
$IPT -A ICMP_IN -p icmp -m icmp -m hashlimit --hashlimit-above 4/sec --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-name icmpflood -j ULOG --ulog-prefix IN_ICMP_FLOOD
$IPT -A ICMP_IN -p icmp -m icmp -m hashlimit --hashlimit-upto 64kb/min --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-name icmpattack -j ULOG --ulog-prefix IN_ICMP_FLOOD
$IPT -A ICMP_IN -p icmp -m icmp -m u32 ! --u32 "0x4&0x3fff=0x0" -j ULOG --ulog-prefix IN_ICMP_ATTACK
$IPT -A ICMP_IN -p icmp -m icmp ! --icmp-type echo-request -m state --state NEW -j ULOG --ulog-prefix IN_ICMP_INVALID
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type echo-request -j ULOG --ulog-prefix IN_ICMP
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 4 -j ACCEPT
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type echo-reply -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type destination-unreachable -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type time-exceeded -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
$IPT -A ICMP_IN -p icmp -m icmp --icmp-type parameter-problem -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
$IPT -A ICMP_IN -j RETURN

# UDP: log fragments and odd DNS sizes, reject inbound DNS, accept replies to our own queries
$IPT -N UDP_IN
$IPT -A INPUT ! -i lo -p udp -j UDP_IN
$IPT -A UDP_IN ! -i lo -p udp -f -j ULOG --ulog-prefix IN_UDP_FRAGMENTED
$IPT -A UDP_IN -p udp -m udp --sport 53 -m length ! --length 28:576 -j ULOG --ulog-prefix IN_UDP_DNS_INVALIDSIZE
$IPT -A UDP_IN -p udp -m udp --dport 53 -m state --state NEW -j ULOG --ulog-prefix IN_UDP_DNSREQUEST
$IPT -A UDP_IN -p udp -m udp --dport 53 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
$IPT -A UDP_IN -p udp -m udp ! --sport 53 ! -s $IPEXTBLK ! -d $IPBCAST -m state --state NEW -j ULOG --ulog-prefix IN_UDP
$IPT -A UDP_IN -p udp -m udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A UDP_IN -j RETURN

# TCP: log fragments and odd DNS sizes, reject inbound DNS, allow only 80/443 (rate- and connection-limited)
$IPT -N TCP_IN
$IPT -A INPUT ! -i lo -p tcp -j TCP_IN
$IPT -A TCP_IN ! -i lo -p tcp -f -j ULOG --ulog-prefix IN_TCP_FRAGMENTED
$IPT -A TCP_IN -p tcp -m tcp --sport 53 -m state --state ESTABLISHED,RELATED -m length ! --length 513:1500 -j ULOG --ulog-prefix IN_TCP_DNS_INVALIDSIZE
$IPT -A TCP_IN -p tcp -m tcp --dport 53 -m state --state NEW -j ULOG --ulog-prefix IN_TCP_DNS
$IPT -A TCP_IN -p tcp -m tcp --dport 53 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
$IPT -A TCP_IN -p tcp -m tcp -m multiport ! --dports 80,443 -m state --state NEW -j ULOG --ulog-prefix IN_TCP
$IPT -A TCP_IN -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -m hashlimit --hashlimit-upto 4/sec --hashlimit-burst 16 --hashlimit-mode srcip --hashlimit-name navreq -j ACCEPT
$IPT -A TCP_IN -p tcp -m tcp -m multiport --dports 80,443 -m state --state ESTABLISHED -m connlimit ! --connlimit-above 16 -j ACCEPT
# The listing is cut off in the source at the next rule, which began:
# $IPT -A TCP_IN -p tcp -m tcp -m multiport ...

With the previous configuration our VPS should be reasonably protected, but if we wish to secure it a little more, we can apply some more advanced rules.

Not all VPSs allow installing additional netfilter modules, but a very useful one is psd, which lets us guard against port scans. Unfortunately this module is not included in netfilter by default, so it is necessary to install some packages and then build the module:

aptitude -RvW install iptables-dev xtables-addons-source module-assistant
module-assistant --verbose --text-mode auto-install xtables-addons-source

Once the above is done, we can add a rule like this one:

iptables -A INPUT -m psd --psd-weight-threshold 15 --psd-delay-threshold 2000 --psd-lo-ports-weight 3 --psd-hi-ports-weight 1 -j ULOG --ulog-prefix IN_PORTSCAN

The previous rule basically means that we create a counter that increases by 3 each time an attempt is made to reach a port below 1024 and by 1 each time an attempt is made to reach a port above 1023, and when this counter reaches 15 in less than 20 seconds the packets will be logged by ulog as a port scan attempt. The packets could be dropped at the same time, but in this case we intend to use fail2ban for that, which we will configure later.
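A model of the counter described above, as an added example (not from the original post and not the psd module's own code). It applies the rule's four parameters to a constructed list of connection attempts; following the xtables-addons manual, only distinct destination ports from the same source add weight, and the 20 s window here is measured from a source's first attempt, as the text describes. detect_scans and the sample addresses are ours.

```python
# Added example (not from the original post, not the psd module's code): a
# model of the weighting configured by the psd rule above, run on constructed
# connection attempts. Only distinct destination ports from one source add
# weight; the window is measured from that source's first attempt.

WEIGHT_THRESHOLD = 15        # --psd-weight-threshold 15
DELAY_SECONDS = 20.0         # --psd-delay-threshold 2000 (hundredths of a second)
LO_PORTS_WEIGHT = 3          # --psd-lo-ports-weight 3, ports below 1024
HI_PORTS_WEIGHT = 1          # --psd-hi-ports-weight 1, ports 1024 and above


def port_weight(dport):
    return LO_PORTS_WEIGHT if dport < 1024 else HI_PORTS_WEIGHT


def detect_scans(events):
    """events: (timestamp_seconds, src_ip, dst_port) tuples.
    Returns {src_ip: timestamp at which its weight first reached the threshold}."""
    windows = {}     # src -> {"start": ts, "weight": n, "ports": set()}
    flagged = {}
    for ts, src, dport in sorted(events):
        w = windows.get(src)
        if w is None or ts - w["start"] >= DELAY_SECONDS:
            w = windows[src] = {"start": ts, "weight": 0, "ports": set()}   # new window
        if dport in w["ports"]:
            continue                                  # repeated port: no extra weight
        w["ports"].add(dport)
        w["weight"] += port_weight(dport)
        if w["weight"] >= WEIGHT_THRESHOLD and src not in flagged:
            flagged[src] = ts
    return flagged


# Constructed attempts (seconds since start, source, destination port).
EVENTS = (
    # sweep of privileged ports: 3+3+3+3+3 = 15 at t=4
    [(t, "203.0.113.50", p) for t, p in enumerate((21, 22, 23, 25, 80))]
    # 12 distinct high ports (12) then one privileged port (+3) = 15 at t=12
    + [(t, "198.51.100.21", 1024 + t) for t in range(12)] + [(12, "198.51.100.21", 22)]
    # ordinary HTTPS client: many hits on one port, weight stays at 3
    + [(t, "192.0.2.30", 443) for t in range(10)]
    # slow probe: every attempt falls in its own 20 s window
    + [(0, "198.51.100.22", 22), (30, "198.51.100.22", 80), (60, "198.51.100.22", 443)]
)

if __name__ == "__main__":
    for src, ts in sorted(detect_scans(EVENTS).items()):
        print("port scan from %s, threshold reached at t=%ss" % (src, ts))
```

The third and fourth sources show why the weights and the delay matter: a busy legitimate client never accumulates weight on a single port, and a probe spread over minutes never reaches the threshold within one window.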

Once the rules are created, we must take some measures to make them persistent, otherwise we will lose them when the server restarts. There are several ways to achieve this; in this tutorial we will use the iptables-persistent package that we installed at the beginning, which stores the rules in /etc/iptables/rules.v4 and, for IPv6, /etc/iptables/rules.v6.

iptables-save > /etc/iptables/rules.v4

In fact, although IPv6 is not yet widely used in Cuba, we can create some basic rules:

IPT=$(which ip6tables)
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT ! -i lo -m state --state ESTABLISHED,RELATED -j ACCEPT
unset IPT

These rules can also be made persistent:

ip6tables-save > /etc/iptables/rules.v6

Finally, for greater safety, we clear the firewall log and restart the services:

echo -n > /var/log/firewall.log
service logrotate restart
service ulogd restart
service iptables-persistent restart

Nginx

We will use Nginx as the web server, since VPSs usually have a small amount of RAM compared to a real server, so it is generally advisable to run something lighter than Apache.

Before configuring Nginx, we create a certificate (without a passphrase) that will be used for HTTPS:

cd /etc/nginx
openssl genrsa -des3 -out cert.key 4096
cp -v cert.key cert.key.original
openssl req -new -key cert.key -out cert.csr
openssl rsa -in cert.key.original -out cert.key
openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.crt

Once this is done, we create the password file for the user "elusuario":

htpasswd -c .htpasswd elusuario

Next, we modify the file /etc/nginx/sites-available/default to set the preferences of the default site. It could look like this:

server {
    server_name localhost;
    index index.html index.htm default.html default.htm;
    root /var/www;

    location / {
        # set the lookup order and the page to load if the URI is not found
        try_files $uri $uri/ /index.html;
    }
}

server {
    listen 127.0.0.1:443;
    server_name localhost;
    index index.html index.htm default.html default.htm;
    root /var/www;

    ssl on;
    ssl_certificate cert.crt;
    ssl_certificate_key cert.key;
    ssl_session_timeout 5m;

    # enable HTTPS over TLS only (more secure than SSL)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # prefer high-strength ciphers [HIGH],
    # move medium-strength ciphers [MEDIUM] to the end of the list,
    # disable low-strength ciphers [LOW] (40 and 56 bits),
    # disable ciphers with export algorithms [EXP],
    # disable null ciphers [eNULL], unauthenticated ciphers [aNULL],
    # SSL (versions 2 and 3) and DSS (only allows keys up to 1024 bits)
    ssl_ciphers HIGH:+MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv3:!SSLv2:!DSS;

    # use the server's cipher preferences (by default the client's are used)
    ssl_prefer_server_ciphers on;

    location / {
        # enable authentication
        auth_basic "Login";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # set the lookup order and the status code to return if the URI is not found
        try_files $uri $uri/ =404;

        # enable directory listing for authenticated users
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
    }
}

We check that the configuration is correct:

nginx -t

Finally, we restart the service:

service nginx restart

Fail2Ban

Before we start configuring Fail2Ban, for greater safety we stop the service and clear its log:

fail2ban-client stop
echo -n > /var/log/fail2ban.log

Next, we create the configuration file /etc/fail2ban/jail.local with the following custom content:

# Custom configuration file /etc/fail2ban/jail.local
#
[DEFAULT]
findtime = 43200        ; 12 hours
bantime = 86400         ; 1 day
maxretry = 3            ; the ban takes effect after the 4th attempt

[ssh]
enabled = false

[nginx-auth]
enabled = true
filter = nginx-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx*/*error*.log

[nginx-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
logpath = /var/log/nginx*/*access*.log
bantime = 604800        ; 1 week
maxretry = 0

[nginx-login]
enabled = true
filter = nginx-login
action = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath = /var/log/nginx*/*access*.log
bantime = 1800          ; 30 minutes

[nginx-noscript]
enabled = true
action = iptables-multiport[name=NoScript, port="http,https"]
filter = nginx-noscript
logpath = /var/log/nginx*/*access*.log
maxretry = 0

[nginx-proxy]
enabled = true
action = iptables-multiport[name=NoProxy, port="http,https"]
filter = nginx-proxy
logpath = /var/log/nginx*/*access*.log
bantime = 604800        ; 1 week
maxretry = 0

[firewall]
enabled = true
action = iptables-multiport[name=Firewall]
filter = firewall
logpath = /var/log/firewall.log
maxretry = 0

Once this is done, we create the following files in the directory /etc/fail2ban/filter.d/:

# /etc/fail2ban/filter.d/nginx-auth.conf
# Auth filter
# Blocks IPs that fail basic authentication
#
[Definition]
failregex = no user/password was provided for basic authentication.*client: <HOST>
            user .* was not found in.*client: <HOST>
            user .* password mismatch.*client: <HOST>
ignoreregex =

# /etc/fail2ban/filter.d/nginx-login.conf
# Login filter
# Blocks IPs that fail to authenticate through the web application's login page
# Scans the access log for HTTP 200 + POST /sessions => failed login
#
[Definition]
failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200
ignoreregex =

# /etc/fail2ban/filter.d/nginx-noscript.conf
# Matches e.g.
# 192.168.1.1 - - "GET /something.php
#
[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)
ignoreregex =

# /etc/fail2ban/filter.d/nginx-proxy.conf
# Proxy filter
# Blocks IPs that try to use the server as a proxy.
# Matches e.g.
# 192.168.1.1 - - "GET http://www.something.com/
#
[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =

# /etc/fail2ban/filter.d/firewall.conf
# Firewall filter
#
[Definition]
failregex = ^.*IN_(INVALID|PORTSCAN|UDP|TCP|).*SRC=<HOST>.*$
ignoreregex =
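To see which hosts these jails would ban, the filters can be dry-run against sample lines; the following is an added example (not from the original post or from fail2ban). fail2ban filters are Python regular expressions, so the failregex lines above are used verbatim, with <HOST> expanded to an IPv4 capture group (fail2ban's own expansion also accepts IPv6 and host names); a host is listed once its count reaches the jail's maxretry, which is when fail2ban issues the ban. findtime windowing is omitted, and the log lines are constructed.

```python
# Added example (not from the original post or fail2ban): dry run of the
# filter files above against constructed nginx and ulogd log lines.
import re
from collections import defaultdict

# <HOST> expansion, simplified to IPv4 for this demo.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# failregex lines copied from the filter files above.
FAILREGEX = {
    "nginx-auth": [
        r"no user/password was provided for basic authentication.*client: <HOST>",
        r"user .* was not found in.*client: <HOST>",
        r"user .* password mismatch.*client: <HOST>",
    ],
    "nginx-login": [r'^<HOST> -.*POST /sessions HTTP/1\.." 200'],
    "nginx-noscript": [r"^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)"],
    "nginx-proxy": [r"^<HOST> -.*GET http.*"],
    "firewall": [r"^.*IN_(INVALID|PORTSCAN|UDP|TCP|).*SRC=<HOST>.*$"],
}
# maxretry per jail as set in jail.local above (3 comes from [DEFAULT]).
MAXRETRY = {"nginx-auth": 3, "nginx-login": 3, "nginx-noscript": 0, "nginx-proxy": 0, "firewall": 0}

COMPILED = {jail: [re.compile(p.replace("<HOST>", HOST)) for p in pats]
            for jail, pats in FAILREGEX.items()}


def failures_by_host(jail, lines):
    """Count lines matching any failregex of `jail`, keyed by the captured host."""
    counts = defaultdict(int)
    for line in lines:
        for rx in COMPILED[jail]:
            m = rx.search(line)
            if m:
                counts[m.group("host")] += 1
                break
    return dict(counts)


def hosts_to_ban(jail, lines):
    """Hosts whose failure count reaches the jail's maxretry (0 bans on the first hit)."""
    return {h for h, c in failures_by_host(jail, lines).items() if c >= MAXRETRY[jail]}


# Constructed samples in the formats the filters expect.
NGINX_ERROR = [
    '2014/12/01 10:00:01 [error] 1234#0: *1 user "elusuario": password mismatch, client: 203.0.113.7, server: localhost',
    '2014/12/01 10:00:05 [error] 1234#0: *2 user "elusuario": password mismatch, client: 203.0.113.7, server: localhost',
    '2014/12/01 10:00:09 [error] 1234#0: *3 user "elusuario": password mismatch, client: 203.0.113.7, server: localhost',
    '2014/12/01 10:01:00 [error] 1234#0: *4 user "bob" was not found in "/etc/nginx/.htpasswd", client: 198.51.100.2, server: localhost',
]
NGINX_ACCESS = [
    '192.0.2.10 - - [01/Dec/2014:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Dec/2014:10:02:01 +0000] "GET /wp-login.php HTTP/1.1" 404 0',
    '192.0.2.12 - - [01/Dec/2014:10:02:02 +0000] "GET http://www.example.com/ HTTP/1.1" 400 0',
    '192.0.2.13 - - [01/Dec/2014:10:02:03 +0000] "POST /sessions HTTP/1.1" 200 40',
    '192.0.2.13 - - [01/Dec/2014:10:02:07 +0000] "POST /sessions HTTP/1.1" 200 40',
    '192.0.2.13 - - [01/Dec/2014:10:02:11 +0000] "POST /sessions HTTP/1.1" 200 40',
    '192.0.2.14 - - [01/Dec/2014:10:02:12 +0000] "POST /sessions HTTP/1.1" 302 0',
]
FIREWALL_LOG = [
    "Dec  1 10:03:00 vps IN_TCP IN=eth0 OUT= SRC=203.0.113.9 DST=250.250.250.155 PROTO=TCP SPT=44321 DPT=22",
    "Dec  1 10:03:01 vps IN_ICMP IN=eth0 OUT= SRC=198.51.100.5 DST=250.250.250.155 PROTO=ICMP TYPE=8",
]

if __name__ == "__main__":
    for jail, lines in (("nginx-auth", NGINX_ERROR), ("nginx-login", NGINX_ACCESS),
                        ("nginx-noscript", NGINX_ACCESS), ("nginx-proxy", NGINX_ACCESS),
                        ("firewall", FIREWALL_LOG)):
        print(jail, failures_by_host(jail, lines), "-> ban", sorted(hosts_to_ban(jail, lines)))
```

Once the jails are deployed, fail2ban-regex /var/log/firewall.log /etc/fail2ban/filter.d/firewall.conf does the same against the real files. Note what the second firewall sample line shows: the trailing empty alternative in IN_(INVALID|PORTSCAN|UDP|TCP|) makes the group match any IN_ prefix, so the rate-limited IN_ICMP entries produced by ordinary pings would ban their senders too; removing the trailing | limits that jail to the listed prefixes.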

Finally, we start the service and load the configuration:

fail2ban-server -b
fail2ban-client reload

Verification

As a final step, we can watch the logs with tail -f or multitail --follow-all. In fact, the latter has the advantage of letting you view several files at once and providing basic syntax highlighting.

If no email account is configured on the VPS, it is advisable to disable the warning message that appears when multitail starts, for which we run the following command:

echo "check_mail:0" > ~/.multitailrc

In fact, we can create an alias (4) to view the logs quickly with a short command, for example "flog":

alias flog='multitail --follow-all /var/log/firewall.log /var/log/fail2ban.log'

1) These are fictitious values.
2) Enabling other services is easy once you understand how this works.
3) For more details, see man sudoers.
4) Optionally it can be added to the file ~/.bash_aliases



  1.   msx says

    There are some interesting things here, +1

  2.   Yukiteru says

    @Hugo this line in the configuration:

    ssl_protocols SSLv3 TLSv1;

    I would remove SSLv3 from it, since that protocol is no longer secure; even in Debian Jessie many services are configured to avoid using that protocol for this reason.

    Details on the subject here:

    https://www.linode.com/docs/security/security-patches/disabling-sslv3-for-poodle
    http://disablessl3.com/

    1.    Hugo says

      The idea was not to offer the main services over HTTPS, but to explain how to use port 443 for SSH without losing the possibility of using it for HTTPS if needed, but thanks for the warning.

      Anyway, I updated the article to change the nginx configuration slightly and deliberately included some comments to explain a little more about these cipher methods, as well as to fix some minor errors.

  3.   Daniel PZ says

    Thank you very much for this nice tutorial, I'm going to put it to use right away! :D, keep it up DesdeLinux, you always amaze me, greetings from Peru.

  4.   Ñandekuera says

    Thank you very much for sharing.

  5.   fernando says

    very good guide and it comes in really handy now that I'm getting started on this blog, but especially now that I'm about to set up my first vps and have many doubts, but this article has cleared up many of them for me, thanks and regards