5 Best Practices to Prevent SSH Brute-Force Attacks


Servers running SSH are usually a soft target for brute-force attacks. Attackers keep coming up with new software tools and bots to automate these attacks, which further increases the risk of intrusion.

In this guide, we explore some tips you can implement to protect your SSH servers from brute-force attacks on Debian-based systems.

Disable SSH Password Authentication and Enable SSH Key Authentication

The default authentication method for SSH is username/password. But as we have seen, password authentication is prone to brute-force attacks. To be on the safe side, it is recommended to implement key-based SSH authentication, where authentication is made possible by a public and private SSH key pair. The private key remains on the client's PC while the public key is copied to the server.

During SSH key authentication, the server checks whether the client PC possesses the private key. If the check succeeds, a shell session is created or the command sent to the remote server is executed successfully. We have a comprehensive guide on how to configure SSH key-based authentication.

Even after setting up key-based authentication, your server is still vulnerable to brute-force attacks for the simple reason that password authentication is still active. It needs to be disabled.

To do so, edit the default SSH configuration file.

$ sudo vim /etc/ssh/sshd_config

Set the PasswordAuthentication parameter to no as shown.

PasswordAuthentication no

Then save the file and reload SSH to apply the changes.

$ sudo systemctl reload ssh

Implement the Fail2ban Intrusion Prevention Tool

Written in Python, Fail2ban is an open-source intrusion prevention framework that scans service log files for authentication failures and bans IPs that repeatedly fail password authentication checks for a specified amount of time.

Fail2ban constantly monitors server log files for intrusion attempts and other malicious activity. After a predefined number of authentication failures (in most cases, 3 failed login attempts) Fail2ban automatically blocks the remote host from accessing the server, and the host is kept in a 'jail' for a specific duration of time.

In doing so, Fail2ban significantly reduces the rate of incorrect password authentication attempts. Check out our guide on how you can install and configure Fail2ban on Linux to protect your server from brute-force attacks.
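The counting logic described in this section, as an added example that is not part of the original article or of Fail2ban itself. maxretry and findtime are Fail2ban option names; the function name ban_candidates, the log lines and the addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag source addresses that reach <maxretry> failed SSH
# password attempts within <findtime> seconds, the way a Fail2ban jail counts.
# Simplification: all log entries are assumed to fall on the same day.

ban_candidates() {  # usage: ban_candidates <logfile> <maxretry> <findtime-seconds>
    awk -v max="$2" -v win="$3" '
        /sshd\[[0-9]+\]: Failed password for / {
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            # keep only earlier failures from this address still in the window
            n = 0; keep = ""
            m = split(seen[ip], old, " ")
            for (j = 1; j <= m; j++)
                if (now - old[j] < win) { keep = keep old[j] " "; n++ }
            seen[ip] = keep now " "; n++
            if (n >= max && !(ip in banned)) { banned[ip] = 1; print ip }
        }' "$1"
}

# Constructed sample log: one host fails 3 times in 8 seconds, another fails
# 3 times spread over 39 minutes, and one key-based login succeeds.
log=$(mktemp); trap 'rm -f "$log"' EXIT
cat > "$log" <<'EOF'
Jan 10 10:00:01 srv sshd[811]: Failed password for root from 203.0.113.5 port 40022 ssh2
Jan 10 10:00:04 srv sshd[811]: Failed password for root from 203.0.113.5 port 40022 ssh2
Jan 10 10:00:09 srv sshd[815]: Failed password for invalid user admin from 203.0.113.5 port 40030 ssh2
Jan 10 10:01:00 srv sshd[820]: Failed password for bob from 198.51.100.7 port 51000 ssh2
Jan 10 10:20:00 srv sshd[821]: Failed password for bob from 198.51.100.7 port 51002 ssh2
Jan 10 10:40:00 srv sshd[822]: Failed password for bob from 198.51.100.7 port 51004 ssh2
Jan 10 10:41:00 srv sshd[830]: Accepted publickey for alice from 192.0.2.20 port 52000 ssh2
EOF

ban_candidates "$log" 3 600    # 3 failures within 10 minutes
```

With a 10-minute window only the rapid guesser is flagged; the slow one stays under the threshold, which is why password authentication should still be disabled.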

Limit the Maximum Number of SSH Authentication Attempts

Another simple way of protecting your server from brute-force attacks is to limit the number of SSH login attempts. By default, this is set to 3, but if by any chance it is set to a higher value, set it to 3 connection attempts at most.

For example, to set the maximum number of connection attempts to 3, set the MaxAuthTries parameter to 3 as shown.

MaxAuthTries = 3

Once again, save the changes and reload the SSH service.

$ sudo systemctl reload ssh
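A check for the two sshd_config settings covered so far (PasswordAuthentication and MaxAuthTries), as an added example that is not part of the original article. The function names and the sample file are constructed, and the example assumes a policy where both settings must be set explicitly in the file being checked.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the two settings
# discussed above. sshd uses the FIRST occurrence of a keyword, matches
# keywords case-insensitively, and accepts "Keyword value" or "Keyword=value".

effective_value() {   # usage: effective_value <file> <Keyword>
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        tolower($1) == "match" { exit }         # global section ends at first Match
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)           # first separator after the keyword
            if (n == 0) next
            k = tolower(substr(line, 1, n - 1))
            v = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", v)       # drop the separator
            sub(/[ \t]+$/, "", v)               # drop trailing whitespace
            if (k == key) { print tolower(v); exit }
        }' "$1"
}

# Policy assumed by this example: both settings must be set explicitly.
audit_sshd_config() {  # returns 0 only if password auth is off and tries <= 3
    rc=0
    pw=$(effective_value "$1" PasswordAuthentication)
    tries=$(effective_value "$1" MaxAuthTries)
    [ "$pw" = "no" ] || { echo "FAIL PasswordAuthentication=${pw:-unset}"; rc=1; }
    case "$tries" in
        ''|*[!0-9]*) echo "FAIL MaxAuthTries=${tries:-unset}"; rc=1 ;;
        *) [ "$tries" -le 3 ] || { echo "FAIL MaxAuthTries=$tries"; rc=1; } ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

# Constructed sample: the final "PasswordAuthentication no" never takes
# effect because an earlier line already set the keyword to yes.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
#PasswordAuthentication no
passwordauthentication yes
MaxAuthTries = 3
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || true   # prints: FAIL PasswordAuthentication=yes
```

The function reads a single file and does not follow Include directives. On a live server, sudo sshd -t validates the configuration before a reload and sudo sshd -T prints the settings sshd will actually use.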

Implement TCP Wrappers to Limit SSH Access From Clients

TCP wrappers is a library that provides host-based access control lists (ACLs) that restrict access to TCP services by remote clients based on their IP addresses.

TCP wrappers use the /etc/hosts.allow and /etc/hosts.deny configuration files (in that order) to determine whether a remote host is allowed to access a specific service on the system.

Usually, these files are commented out and all hosts are allowed through the TCP wrappers layer. Rules for allowing access to a given service are placed in the /etc/hosts.allow file and take precedence over the rules in the /etc/hosts.deny file.

Best practice recommends blocking all incoming connections. To do so, open the /etc/hosts.deny file.

$ sudo vim /etc/hosts.deny

Add the following line.

ALL: ALL

Save the changes and exit the file.

Then open the /etc/hosts.allow file.

$ sudo vim /etc/hosts.allow

Specify the hosts or domains that can connect to the server via SSH as shown. In this example, we allow only two remote hosts to connect to the server (173.82.227.89 and 173.82.255.55) and deny the rest.

sshd: 173.82.227.89 173.82.255.55
sshd: ALL: DENY

Save the changes and exit the configuration file.

To test it, try connecting to the server from a host that is not among those you have allowed access. You should get a permission error as shown.

$ ssh [email 

kex_exchange_identification: read: Connection reset by peer
Connection reset by 173.82.235.7 port 22
lost connection
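The lookup order described in this section, applied to the two files as configured above (an added example, not part of the original article and not the TCP wrappers library itself). The function names and the unlisted client address 203.0.113.10 are constructed; the matcher is simplified to IPv4 addresses, ALL, and prefixes ending in a dot.

```shell
#!/bin/sh
# Added example: emulate the TCP wrappers decision order for the rules above.
# Simplified: IPv4 only; client patterns are exact addresses, "ALL", or
# prefixes ending in "." (e.g. "173.82.").

first_match() {   # usage: first_match <file> <daemon> <ip> <default-verdict>
    awk -F: -v d="$2" -v ip="$3" -v dflt="$4" '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        {
            nd = split($1, dl, /[ \t,]+/); nc = split($2, cl, /[ \t,]+/)
            dm = 0; cm = 0
            for (i = 1; i <= nd; i++) if (dl[i] == "ALL" || dl[i] == d) dm = 1
            for (i = 1; i <= nc; i++) {
                p = cl[i]
                if (p == "") continue
                if (p == "ALL" || p == ip) cm = 1
                else if (p ~ /\.$/ && index(ip, p) == 1) cm = 1
            }
            if (dm && cm) {                          # first matching rule wins
                opt = toupper($3); gsub(/[ \t]/, "", opt)
                r = (opt == "ALLOW" || opt == "DENY") ? opt : dflt
                print r
                exit
            }
        }' "$1"
}

# hosts.allow is searched first, then hosts.deny; no match at all means allow.
tcpd_verdict() {  # usage: tcpd_verdict <hosts.allow> <hosts.deny> <daemon> <ip>
    v=$(first_match "$1" "$3" "$4" ALLOW)
    [ -n "$v" ] || v=$(first_match "$2" "$3" "$4" DENY)
    echo "${v:-ALLOW}"
}

# Constructed copies of the two files as configured in this section.
dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
printf 'sshd: 173.82.227.89 173.82.255.55\nsshd: ALL: DENY\n' > "$dir/allow"
printf 'ALL: ALL\n' > "$dir/deny"

tcpd_verdict "$dir/allow" "$dir/deny" sshd 173.82.227.89    # listed host
tcpd_verdict "$dir/allow" "$dir/deny" sshd 203.0.113.10     # unlisted host
tcpd_verdict "$dir/allow" "$dir/deny" vsftpd 173.82.227.89  # caught by ALL: ALL
```

These rules only take effect if sshd is linked against libwrap; ldd /usr/sbin/sshd | grep libwrap shows whether it is.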

Implement SSH Two-Factor Authentication

Two-factor authentication adds an extra layer of security on top of password authentication, making your server more secure against brute-force attacks. A widely used two-factor authentication solution is the Google Authenticator app, and we have a well-documented guide on how you can set up two-factor authentication.

That was a summary of 5 best practices you can implement to prevent SSH brute-force login attacks and ensure the safety of your server. You can also read How to Secure and Harden OpenSSH Server.