How to Secure and Harden OpenSSH Server


When it comes to accessing remote devices such as servers, routers and switches, the SSH protocol comes highly recommended because it encrypts traffic and keeps out anyone who tries to eavesdrop on your connections.

Be that as it may, the default settings of SSH are not infallible, and additional tweaks are needed to make the protocol more secure. In this guide, we explore different ways you can use to secure and harden an OpenSSH installation on a server.

1. Set Up SSH Passwordless Authentication

By default, SSH requires users to provide their passwords when logging in. But here's the thing: attackers can guess passwords or even run a brute-force attack using specialised tools and gain access to your system. To be on the safe side, the use of SSH passwordless (key-based) authentication is strongly encouraged.

The first step is to create an SSH key pair, which consists of a public key and a private key. The private key stays on your host system, while the public key is copied to the remote server.

Once the public key has been copied successfully, you can SSH into the remote server without providing a password.

The next step is to disable password authentication. To achieve this, you need to edit the SSH configuration file.

$ sudo vim /etc/ssh/sshd_config

In the configuration file, scroll down and locate the following directive. Uncomment it and change the option from yes to no.

PasswordAuthentication no

Then restart the SSH daemon.

$ sudo systemctl restart sshd

At this point, you will be able to access the remote server using SSH key authentication only.
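The key setup described in this section, as an added example that is not part of the original article: the ssh-keygen, ssh-copy-id and test-login commands appear as comments (the user name and REMOTE_HOST are placeholders), and two helper functions written for this example, pubkey_installed and check_key_auth_perms, verify offline that the public key landed in authorized_keys and that the file permissions are ones sshd's StrictModes will accept. The key line used in the demo is constructed and is not a real key.

```bash
#!/bin/bash
# Added example: prepare key-based login and verify it works *before*
# PasswordAuthentication is turned off, so you cannot lock yourself out.
# The check functions run offline; the ssh/ssh-keygen commands are shown as
# comments because they need a real client and remote host.
set -eu

# 1. Generate a key pair on the client (the private key never leaves it):
#      ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
# 2. Install the public key on the server (appends it to ~/.ssh/authorized_keys):
#      ssh-copy-id -i ~/.ssh/id_ed25519.pub user@REMOTE_HOST   # placeholders
# 3. Prove that key auth alone works, with no password fallback at all:
#      ssh -o PasswordAuthentication=no -o BatchMode=yes user@REMOTE_HOST true
#    Only when step 3 succeeds is it safe to set "PasswordAuthentication no".

# Return 0 if the public key in $2 (a .pub file) is already listed in the
# authorized_keys file $1, comparing key type and key material and ignoring
# the trailing comment, which is the same test ssh-copy-id makes before it
# appends. Lines with a leading options field (e.g. command="...") are not
# handled by this simple comparison.
pubkey_installed() {
  local auth_keys="$1" pubfile="$2" wanted
  [ -r "$auth_keys" ] || return 1
  wanted=$(awk '{ print $1, $2; exit }' "$pubfile")
  awk -v w="$wanted" '$1 !~ /^#/ && ($1 " " $2) == w { found = 1 } END { exit !found }' "$auth_keys"
}

# Return 0 if the paths sshd's StrictModes inspects (home, ~/.ssh and
# authorized_keys) exist and are not writable by group or others; otherwise
# print the offending paths and return 1. sshd silently ignores an
# authorized_keys file behind too-open permissions, which is the classic way
# to lock yourself out right after disabling password logins.
check_key_auth_perms() {
  local home="$1" rc=0 path mode
  for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    [ -e "$path" ] || { echo "missing: $path"; rc=1; continue; }
    mode=$(stat -c '%a' "$path")              # GNU stat (Linux)
    if [ $(( 8#$mode & 8#022 )) -ne 0 ]; then # any group/other write bit set?
      echo "group/other writable: $path (mode $mode)"
      rc=1
    fi
  done
  return $rc
}

# Self-contained demo on a throwaway home directory. The key below is a
# constructed placeholder, not real key material.
demo_home=$(mktemp -d)                        # mktemp -d creates mode 700
mkdir -m 700 "$demo_home/.ssh"
key_line='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialNotARealKey000 alice@laptop'
printf '%s\n' "$key_line" > "$demo_home/.ssh/authorized_keys"
chmod 600 "$demo_home/.ssh/authorized_keys"
printf '%s\n' "$key_line" > "$demo_home/id_ed25519.pub"
pubkey_installed "$demo_home/.ssh/authorized_keys" "$demo_home/id_ed25519.pub" && echo "key already installed"
check_key_auth_perms "$demo_home" && echo "permissions ok"
rm -rf "$demo_home"
```

Run the test login from step 3 before setting PasswordAuthentication no and restarting, and keep your existing session open while you do it. If the key is rejected, the permission check is the first thing to look at: a group- or world-writable ~/.ssh or authorized_keys makes sshd skip the file and fall back to the next method, and once passwords are off there is no next method.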

2. Disable SSH Connection Requests from Users Without Passwords

Another recommended way to fortify the security of your server is to prevent SSH logins from users who have no password. This sounds a bit strange, but sometimes system administrators create user accounts and forget to assign passwords, which is a very bad idea.

To reject requests from users without a password, again go back to the configuration file at /etc/ssh/sshd_config and make sure you have the directive below:

PermitEmptyPasswords no

Then restart the SSH service for the change to take effect.

$ sudo systemctl restart sshd

3. Disable SSH Root Logins

It doesn't take much to see what can happen if an attacker manages to brute-force the root password. Allowing remote root login is a bad idea that could jeopardize your system.

For this reason, it is always recommended to disable remote root login over SSH and instead stick to a regular non-root user. Again, go back to the configuration file and modify this line as shown.

PermitRootLogin no

Once you are done, restart the SSH service for the change to take effect.

$ sudo systemctl restart sshd

From now on, remote root logins will be disabled.

4. Use SSH Protocol 2

SSH comes in two versions: SSH protocol 1 and protocol 2. SSH protocol 2 was introduced in 2006 and is more secure than protocol 1 thanks to its strong cryptographic checks, bulk encryption and robust algorithms.

By default, SSH uses protocol 1. To change this to the more secure protocol 2, add the line below to the configuration file:

Protocol 2

As always, restart SSH for the change to take effect.

$ sudo systemctl restart sshd

Going forward, SSH will use protocol 2 by default.

To test whether SSH protocol 1 is still supported, run the command:

$ ssh -1 [email 

You will get an error that reads "SSH protocol v.1 is no longer supported".

In this case, the command was:

$ ssh -1 [email 

Additionally, you can simply pass the -2 flag just to be sure that protocol 2 is the default protocol in use.

$ ssh -2 [email 

5. Set an SSH Connection Idle Timeout Value

Leaving your PC unattended for extended periods with an idle SSH connection can pose a security risk. Someone can simply walk by, take over your SSH session and do as they please. To address this, it is prudent to set an idle timeout limit after which the SSH session is closed.

Once again, open your SSH configuration file and locate the "ClientAliveInterval" directive. Assign a reasonable value; for example, I have set the limit to 180 seconds.

ClientAliveInterval 180

This means that the SSH session will be dropped if no activity is registered after 3 minutes, which is equivalent to 180 seconds.

Then restart the SSH daemon to apply the change.

$ sudo systemctl restart sshd

6. Limit SSH Access to Certain Users

For an added layer of security, you can define the users who need SSH to log in and perform remote tasks on the system. This keeps out any other users who might try to gain entry to your system without your approval.

As always, open the configuration file and add the "AllowUsers" directive followed by the names of the users you want to grant access. In the example below, I have allowed the users 'tecmint' and 'james' to access the system remotely via SSH. Any other user who tries to gain remote access will be blocked.

AllowUsers tecmint james

Then restart SSH for the change to take effect.

$ sudo systemctl restart sshd

7. Set a Limit for Password Attempts

Another way to add a layer of security is to limit the number of SSH login attempts, so that after a number of failed attempts the connection is dropped. So again go back to the configuration file, locate the "MaxAuthTries" directive and define a value for the maximum number of attempts.

In this example, the limit has been set to 3 attempts as shown.

MaxAuthTries 3

And finally, restart the SSH service as in the previous scenarios.
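All seven directives from sections 1 to 7 applied in one pass, as an added example that is not from the original article: set_sshd_directive, get_sshd_directive and harden_sshd_config are helper functions written for this example, the directive names and values are the ones the article uses, and the sample configuration being edited is constructed rather than taken from a real server. The helper goes slightly beyond the article's manual edits: it handles a directive that is commented out, duplicated or missing, and it leaves Match blocks untouched.

```bash
#!/bin/bash
# Added example: apply the sshd_config changes from sections 1 to 7 with a
# small idempotent helper instead of hand-editing, then validate the result.
# It works on any file path, so it can be tried on a copy first.
set -eu

# Set "key value" at the top level of an sshd_config file:
#  - replaces the first existing occurrence (commented out or not) in place,
#  - drops later duplicates so the value cannot be shadowed (sshd honours the
#    first occurrence of a keyword),
#  - never touches anything after the first "Match" line, because directives
#    there are conditional and may legitimately differ,
#  - inserts the directive before the first Match block (or at the end of the
#    file) when it was not present at all.
set_sshd_directive() {
  local file="$1" key="$2"; shift 2
  local value="$*" tmp
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    BEGIN { lk = tolower(key); done = 0; inmatch = 0 }
    inmatch { print; next }
    tolower($1) == "match" {
      if (!done) { print key, value; done = 1 }
      inmatch = 1; print; next
    }
    {
      line = $0
      sub(/^[ \t]*#?[ \t]*/, "", line)        # look through a leading "#"
      n = split(line, f, /[ \t]+/)
      if (n > 0 && tolower(f[1]) == lk) {
        if (!done) { print key, value; done = 1 }
        next
      }
      print
    }
    END { if (!done) print key, value }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"      # overwrite in place to keep owner and mode
  rm -f "$tmp"
}

# Print the effective top-level value of a keyword as sshd would read it
# (first uncommented occurrence; keywords are case-insensitive), or nothing.
get_sshd_directive() {
  awk -v key="$2" '
    BEGIN { lk = tolower(key) }
    tolower($1) == "match" { exit }
    /^[ \t]*#/ { next }
    tolower($1) == lk { v = $2; for (i = 3; i <= NF; i++) v = v " " $i; print v; exit }
  ' "$1"
}

# Apply every setting from the article to the given file.
harden_sshd_config() {
  local file="$1"
  set_sshd_directive "$file" PasswordAuthentication no    # section 1
  set_sshd_directive "$file" PermitEmptyPasswords no      # section 2
  set_sshd_directive "$file" PermitRootLogin no           # section 3
  set_sshd_directive "$file" Protocol 2                   # section 4
  set_sshd_directive "$file" ClientAliveInterval 180      # section 5
  set_sshd_directive "$file" AllowUsers tecmint james     # section 6
  set_sshd_directive "$file" MaxAuthTries 3               # section 7
}

# Demo on a constructed sample file (not a real server's configuration).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample sshd_config
#PermitRootLogin prohibit-password
PasswordAuthentication yes
MaxAuthTries 6
Match User backup
    PasswordAuthentication yes
EOF
harden_sshd_config "$demo"
cat "$demo"
# On a real host, back up first and validate before restarting:
#   sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   sudo sshd -t                       # syntax check; no output means OK
#   sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin'
#   sudo systemctl restart sshd        # keep your current session open meanwhile
rm -f "$demo"
```

A few caveats when applying this to /etc/ssh/sshd_config. On distributions whose sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf (recent Ubuntu releases, for instance), a drop-in file that sets PasswordAuthentication yes is read first and wins, so check the effective value with sudo sshd -T rather than by reading the main file; on Debian and Ubuntu the service unit is named ssh rather than sshd. OpenSSH 7.0 and later no longer contain the protocol 1 server code, so a current server speaks protocol 2 regardless of the Protocol directive and may log it as deprecated. ClientAliveInterval 180 on its own makes sshd send a keepalive probe every 180 seconds and drop the connection only after ClientAliveCountMax (default 3) consecutive probes go unanswered, so a client that is idle but still reachable is not disconnected by it. Finally, MaxAuthTries counts every authentication attempt on a connection, including each public key the client offers, so a user with several keys loaded in an agent can exhaust a limit of 3 before the right key is tried; passing -o IdentitiesOnly=yes on the client side avoids that.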

You may also find these SSH-related articles useful:

  • How to Install OpenSSH 8.0 Server from Source in Linux
  • How to Install Fail2Ban to Protect SSH on CentOS/RHEL 8
  • How to Change the SSH Port in Linux
  • How to Create SSH Tunneling or Port Forwarding in Linux
  • 4 Ways to Speed Up SSH Connections in Linux
  • How to Find All Failed SSH Login Attempts in Linux
  • How to Disconnect Inactive or Idle SSH Connections in Linux

That was a rundown of some of the measures you can take to secure your remote SSH connections. It is important to add that you should always assign strong passwords to users who have remote access, to thwart brute-force attacks. We hope you found this guide insightful. Your feedback is welcome.