20 CentOS Server Hardening Security Tips - Part 1


This tutorial covers general security tips for CentOS 8/7 that can be used to harden the system. The checklist is intended mostly for the various types of bare-metal servers, or for machines (physical or virtual) that provide network services.

However, some of the tips can also be applied successfully to general-purpose machines, such as desktops, laptops, and card-sized single-board computers (Raspberry Pi).

  • CentOS 8 Minimal Installation
  • CentOS 7 Minimal Installation

1. Physical Protection

Lock down access to your server rooms, and use rack locks and video surveillance. Keep in mind that any physical access to the server rooms can expose your machine to serious security issues.

BIOS passwords can be changed by resetting jumpers on the motherboard or by disconnecting the CMOS battery. An intruder can also steal the hard disks, or attach new hard disks directly to the motherboard interfaces (SATA, SCSI, etc.), boot a Linux live distro, and clone or copy data without leaving any software trace.

2. Reduce Spying Impact

If you handle highly sensitive data, you should use advanced physical protection, such as placing and locking the server in a TEMPEST solution, to minimize the impact of spying on the system via radio or electrical leakage emanations.

3. Secure BIOS/UEFI

Start hardening your machine by securing the BIOS/UEFI settings. In particular, set a BIOS/UEFI password and disable boot media devices (CD, DVD, USB support) to prevent any unauthorized user from modifying the BIOS settings, or from changing the boot device priority and booting the machine from an alternate medium.

To apply this type of change to your machine, consult the motherboard manufacturer's manual for specific instructions.

4. Secure Boot Loader

Set a GRUB password to prevent malicious users from tampering with the kernel boot sequence or run levels, editing kernel parameters, or starting the system in single-user mode in order to harm your system and reset the root password to gain privileged control.

5. Use Separate Disk Partitions

When installing CentOS on systems intended as production servers, use dedicated partitions or dedicated hard disks for the following parts of the system:

/(root) 
/boot  
/home  
/tmp 
/var 

6. Use LVM and RAID for Redundancy and File System Growth

The /var partition is where log messages are written to disk. This part of the system can grow very large on high-traffic servers that expose network services, such as web servers or file servers.

Therefore, use a large partition for /var, or consider setting up this partition using logical volumes (LVM), or combine several physical disks into one larger RAID 0 device to hold large amounts of data. For data redundancy, consider using an LVM layout on top of RAID 1.

To set up LVM or RAID on the disks, follow our useful guides:

  1. Set Up Disk Storage with LVM in Linux
  2. Create LVM Disks Using vgcreate, lvcreate and lvextend
  3. Combine Several Disks into One Large Virtual Storage
  4. Create RAID 1 Using Two Disks in Linux

7. Modify fstab Options to Secure Data Partitions

Separate the partitions intended for storing data, and prevent the execution of programs, device files, or the setuid bit on these partitions by adding the following options to the fstab file, as illustrated in the excerpt below:

/dev/sda5 	 /nas          ext4    defaults,nosuid,nodev,noexec 1 2

To prevent privilege escalation and arbitrary script execution, create a separate partition for /tmp and mount it with nosuid, nodev, and noexec.

/dev/sda6  	/tmp         ext4    defaults,nosuid,nodev,noexec 0 0
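
As an added example (not part of the original article), the POSIX shell function below checks fstab-format text for the three options recommended above. The function name audit_fstab, the /var/tmp entry and the sample file are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the original article.
# audit_fstab FILE MOUNTPOINT...
# Prints one line per problem; returns 0 only when every mount point passes.
audit_fstab() (
    file=$1; shift
    awk -v targets="$*" '
        BEGIN {
            n = split(targets, t, " ")
            split("nosuid nodev noexec", required, " ")
            bad = 0
        }
        /^[ \t]*(#|$)/ { next }        # skip comments and blank lines
        { options[$2] = $4 }           # field 2: mount point, field 4: options
        END {
            for (i = 1; i <= n; i++) {
                mp = t[i]
                if (!(mp in options)) {
                    printf "%s: no separate fstab entry\n", mp
                    bad = 1
                    continue
                }
                missing = ""
                for (j = 1; j <= 3; j++)
                    if (index("," options[mp] ",", "," required[j] ",") == 0)
                        missing = missing " " required[j]
                if (missing != "") {
                    printf "%s: missing%s\n", mp, missing
                    bad = 1
                }
            }
            exit bad
        }' "$file"
)

# Constructed sample: /nas and /tmp as in the article; /var/tmp is a
# hypothetical extra data partition that lacks noexec.
sample_fstab() {
    cat <<'EOF'
# constructed sample, not taken from a real system
/dev/sda5  /nas      ext4  defaults,nosuid,nodev,noexec  1 2
/dev/sda6  /tmp      ext4  defaults,nosuid,nodev,noexec  0 0
/dev/sda7  /var/tmp  ext4  defaults,nosuid,nodev         0 0
EOF
}

tmp=$(mktemp) && sample_fstab > "$tmp"
audit_fstab "$tmp" /nas /tmp /var/tmp /home || echo "fstab needs attention"
rm -f "$tmp"
```

On a real host, pass /etc/fstab and the mount points you expect to be restricted.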

8. Encrypt the Hard Disks at Block Level with LUKS

To protect sensitive data from snooping in case of physical access to the machine's hard drives, I suggest you learn how to encrypt disks by reading our article Linux Hard Disk Data Encryption with LUKS.

9. Use PGP and Public-Key Cryptography

To encrypt disks, use PGP and public-key cryptography, or the OpenSSL command, to encrypt and decrypt sensitive files with a password, as shown in the article Configure Encrypted Linux System Storage.

10. Install Only the Minimum Packages Required

Avoid installing unimportant or unneeded programs, applications, or services, so that you are not exposed to their package vulnerabilities. This reduces the risk that the compromise of one piece of software leads to the compromise of other applications, parts of the system, or even file systems, finally resulting in data corruption or data loss.

11. Update the System Frequently

Update the system regularly. Keep the Linux kernel in sync with the latest security patches, and keep all installed software up to date with the latest versions, by issuing the command below:

# yum update

12. Disable Ctrl+Alt+Del

To prevent users from rebooting the server once they have access to a physical keyboard, a remote console application, or a virtualized console (KVM, virtualization software interface), disable the Ctrl+Alt+Del key sequence by executing the command below.

# systemctl mask ctrl-alt-del.target 

13. Remove Unnecessary Software Packages

Install only the minimal software your machine requires. Never install extra programs or services. Install packages only from trusted or official repositories. Use a minimal installation of the system if the machine is destined to run its entire life as a server.

Verify the installed packages using one of the following commands:

# rpm -qa

Make a local list of all installed packages.

# yum list installed >> installed.txt

Review the list for unneeded software and delete a package by issuing the command below:

# yum remove package_name

14. Restart Systemd Services after Daemon Updates

Use the example command below to restart a systemd service so that new updates take effect.

# systemctl restart httpd.service

15. Remove Unneeded Services

Identify the services that are listening on specific ports using the following ss command.

# ss -tulpn

To list all installed services with their status, issue the command below:

# systemctl list-units -t service

For instance, a CentOS minimal installation comes with the Postfix daemon installed by default, which runs under the name master on port 25. Remove the Postfix network service if your machine will not be used as a mail server.

# yum remove postfix
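
As an added example (not part of the original article), the function below reads ss -tulpn output and reports every listener whose process is not on an allowlist, which is how the Postfix master process above would be spotted. The function name, the allowlist and the sample output are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the original article.
# unexpected_listeners ALLOWED   (reads "ss -tulpn" output on stdin)
# ALLOWED: space-separated process names that are expected to listen.
unexpected_listeners() (
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "tcp" && $1 != "udp" { next }            # skip the header line
        {
            port = $5; sub(/.*:/, "", port)             # text after the last colon
            host = $5; sub(/:[^:]*$/, "", host)         # text before the last colon
            proc = "unknown"                            # no users:(...) without privileges
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            scope = (host ~ /^127\./ || host == "[::1]") ? "loopback" : "exposed"
            if (!(proc in ok))
                printf "%s/%s %s %s %s\n", $1, port, host, proc, scope
        }'
)

# Constructed sample of "ss -tulpn" output, not captured from a real host.
sample_ss() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:323      0.0.0.0:*         users:(("chronyd",pid=812,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1023,fd=3))
tcp   LISTEN 0      100    127.0.0.1:25       0.0.0.0:*         users:(("master",pid=1290,fd=13))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=1023,fd=4))
tcp   LISTEN 0      100    [::1]:25           [::]:*            users:(("master",pid=1290,fd=14))
EOF
}

sample_ss | unexpected_listeners "sshd chronyd"
# On a live host, as root: ss -tulpn | unexpected_listeners "sshd chronyd"
```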

16. Encrypt Transmitted Data

Do not use insecure protocols for remote access or file transfer, such as Telnet or FTP, or other plain-text protocols such as SMTP, HTTP, NFS, or SMB, which, by default, do not encrypt authentication sessions or transmitted data.

Use only scp for file transfers, and SSH or VNC over SSH tunnels for remote console connections or GUI access.

To tunnel a VNC console through SSH, use the example below, which forwards VNC port 5901 from the remote machine to your local machine:

# ssh -L 5902:localhost:5901 remote_machine

On the local machine, run the command below to open the virtual connection to the remote endpoint.

# vncviewer localhost:5902

17. Network Port Scanning

Run an external port scan using the Nmap tool from a remote system on the LAN. This type of scan can be used to verify network vulnerabilities or to test the firewall rules.

# nmap -sT -O 192.168.1.10

18. Packet-Filtering Firewall

Use the firewalld utility to protect the system ports, opening or closing specific service ports, especially the well-known ports (<1024).

Install, start, enable, and list the firewall rules by issuing the commands below:

# yum install firewalld
# systemctl start firewalld.service
# systemctl enable firewalld.service
# firewall-cmd --list-all

19. Inspect Protocol Packets with Tcpdump

Use the tcpdump utility to sniff network packets locally and inspect their contents for suspicious traffic (source and destination ports, TCP/IP protocols, layer two traffic, unusual ARP requests).

For a better analysis of the file captured by tcpdump, use a more advanced program such as Wireshark.

# tcpdump -i eno16777736 -w tcpdump.pcap

20. Prevent DNS Attacks

Inspect the contents of your resolver configuration, typically the /etc/resolv.conf file, which defines the IP addresses of the DNS servers that should be used to look up domain names, in order to avoid man-in-the-middle attacks, unnecessary traffic to the root DNS servers, spoofing, or a DoS attack.
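
As an added example (not part of the original article), the function below compares the nameserver lines of a resolv.conf-format file with a list of resolvers you have approved. The function name and the sample addresses (documentation ranges) are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the original article.
# check_resolvers FILE APPROVED
# APPROVED: space-separated resolver IPs this host is expected to use.
# Prints each finding; returns 0 only when every nameserver is approved.
check_resolvers() (
    awk -v approved="$2" '
        BEGIN {
            n = split(approved, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
            bad = 0
        }
        /^[ \t]*[#;]/ { next }         # resolv.conf comments start with # or ;
        $1 == "nameserver" {
            seen++
            if (!($2 in ok)) {
                printf "unapproved nameserver %s\n", $2
                bad = 1
            }
        }
        END {
            # With no nameserver line the resolver queries the local machine.
            if (!seen) { print "no nameserver configured"; bad = 1 }
            exit bad
        }' "$1"
)

# Constructed sample; 192.0.2.53 stands for the approved resolver.
sample_resolv() {
    cat <<'EOF'
; constructed sample, not taken from a real system
search example.test
nameserver 192.0.2.53
nameserver 198.51.100.7
EOF
}

tmp=$(mktemp) && sample_resolv > "$tmp"
check_resolvers "$tmp" "192.0.2.53" || echo "review /etc/resolv.conf"
rm -f "$tmp"
```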

This is the first part. In the next part we will discuss other security tips for CentOS 8/7.