LFCA - Useful Tips for Securing Data and Linux - Part 18


Since its release in the early nineties, Linux has won the admiration of the technology community thanks to its stability, versatility, customizability, and a large community of open-source developers who work round the clock to provide bug fixes and improvements to the operating system. By and large, Linux is the operating system of choice for public cloud, servers, and supercomputers, and close to 75% of internet-facing production servers run on Linux.

Apart from powering the internet, Linux has found its way into the digital world and has not slowed down since. It powers a vast array of smart devices, including Android smartphones, tablets, smartwatches, smart displays and many more.

Is Linux Secure?

Linux is renowned for its high level of security, which is one of the reasons it is a preferred choice in enterprise environments. But here is a fact: no operating system is 100% secure. Many users believe that Linux is a foolproof operating system, which is a false assumption. In fact, any operating system with an internet connection is susceptible to potential breaches and malware attacks.

In its early years, Linux had a much smaller, tech-centric user base, and the risk of suffering malware attacks was remote. Today Linux powers a huge part of the internet, and this has driven the growth of the threat landscape. The threat of malware attacks is more real than ever.

A perfect example of a malware attack on Linux systems is the Erebus ransomware, a file-encrypting malware that affected close to 153 Linux servers of NAYANA, a South Korean web hosting company.

For this reason, it is prudent to further harden the operating system to give it the security it needs to safeguard your data.

Linux Server Hardening Tips

Securing your Linux server is not as complicated as you might think. We have compiled a list of the best security policies that you need to implement to fortify the security of your system and maintain data integrity.

In the initial stages of the Equifax breach, hackers leveraged a widely known vulnerability - Apache Struts - on Equifax's customer complaint web portal.

Apache Struts is an open-source framework for creating modern and elegant web applications, developed by the Apache Foundation. The Foundation released a patch to fix the vulnerability on March 7, 2017, and issued a statement to that effect.

Equifax was notified of the vulnerability and advised to patch their application, but sadly, the vulnerability remained unpatched until July of the same year, by which time it was too late. The attackers were able to gain access to the company's network and exfiltrated millions of confidential customer records from the databases. By the time Equifax got wind of what was happening, two months had already passed.

So, what can we learn from this?

Malicious users or hackers will always probe your server for possible software vulnerabilities that they can leverage to breach your system. To be on the safe side, always update your software to its current versions to apply patches to any existing vulnerabilities.

If you are running an Ubuntu or Debian-based system, the first step is usually to update your package lists or repositories as shown.

$ sudo apt update

To check for all the packages with available updates, run the command:

$ sudo apt list --upgradable

Upgrade your software applications to their current versions as shown:

$ sudo apt upgrade

You can combine these two into a single command as shown.

$ sudo apt update && sudo apt upgrade

For RHEL & CentOS, upgrade your applications by running the command:

$ sudo dnf update    # CentOS 8 / RHEL 8
$ sudo yum update    # Earlier versions of RHEL & CentOS

Another viable option is to set up automatic updates for CentOS/RHEL.

Despite its support for a myriad of remote protocols, legacy services such as rlogin, telnet, TFTP and FTP can pose huge security problems for your system. These are old, outdated, and insecure protocols where data is sent in plain text. If these are present, consider removing them as shown.

For Ubuntu/Debian-based systems, execute:

$ sudo apt purge telnetd tftpd tftpd-hpa xinetd rsh-server rsh-redone-server

For RHEL/CentOS-based systems, execute:

$ sudo yum erase xinetd tftp-server telnet-server rsh-server ypserv

Once you have removed all the insecure services, it is important to scan your server for open ports and close any unused ports that could potentially be used as an entry point by hackers.

Suppose you want to block port 7070 on the UFW firewall. The command for this will be:

$ sudo ufw deny 7070/tcp

Then reload the firewall for the changes to take effect.

$ sudo ufw reload

For Firewalld, run the command:

$ sudo firewall-cmd --remove-port=7070/tcp  --permanent

And remember to reload the firewall.

$ sudo firewall-cmd --reload

Then cross-check the firewall rules as shown:

$ sudo firewall-cmd --list-all
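
To decide which ports to close in the first place, the following added example (not part of the original article) filters the output of `ss -H -tln` for TCP listeners bound to non-loopback addresses whose port is not on an allowlist. `ALLOWED_PORTS` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list externally reachable TCP listeners that are not on an allowlist.
# ALLOWED_PORTS is an assumption; set it to the services this server should expose.
ALLOWED_PORTS="22 443"

# Constructed sample in the column layout printed by `ss -H -tln`.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 50 *:7070 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 32 [::]:21 [::]:*'

# unexpected_ports: read `ss -H -tln` lines on stdin and print, on one line,
# the unique ports that listen on a non-loopback address and are not allowed.
unexpected_ports() {
  awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
      addr = $4; port = addr
      sub(/.*:/, "", port)         # text after the last colon is the port
      sub(/:[0-9]+$/, "", addr)    # what remains is the bind address
      if (addr ~ /^127\./ || addr == "[::1]") next   # reachable from localhost only
      if (!(port in ok)) print port
    }' | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# Demo on the constructed sample; on a live host use: ss -H -tln | unexpected_ports
printf '%s\n' "$SAMPLE_SS" | unexpected_ports; echo
```

Each port it reports is a candidate for removing the service behind it or for a deny rule like the ones shown above.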

The SSH protocol is a remote protocol that allows you to connect securely to devices on a network. While it is considered secure, the default settings are not enough, and some extra tweaks are required to further deter malicious users from breaching your system.

We have a comprehensive guide on how to harden the SSH protocol. Here are the main highlights.

  • Configure passwordless SSH login & enable private/public key authentication.
  • Disable SSH remote root login.
  • Disable SSH logins from users with empty passwords.
  • Disable password authentication altogether and stick to SSH private/public key authentication.
  • Limit access to specific SSH users.
  • Configure a limit for password attempts.
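
One way to check a server against this list, as an added example that is not part of the original article: the script reads an `sshd_config` file and reports every directive whose effective global value falls short. The expected values (such as `MaxAuthTries` of 3 or less) and the sample configuration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config file against the hardening list above.
# The wanted values (e.g. MaxAuthTries <= 3) are this example's assumptions.

# Constructed sample of a weak configuration, embedded so the script runs offline.
SAMPLE_WEAK='Port 22
PermitRootLogin yes
PasswordAuthentication yes
permitemptypasswords no
MaxAuthTries 6'

# effective_value FILE KEYWORD: print the first global value of KEYWORD.
# sshd keeps the first value it reads and matches keywords case-insensitively;
# Match blocks and Include files are outside this simplified check.
effective_value() {
  awk -v key="$2" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# want KEYWORD OPENSSH_DEFAULT WANTED: record a finding when the effective value differs.
want() {
  v=$(effective_value "$cfg" "$1"); v=${v:-$2}
  [ "$v" = "$3" ] || { echo "FAIL $1=$v (want $3)"; fails=$((fails + 1)); }
}

# audit_sshd_config FILE: print findings; the exit status is the number of findings.
audit_sshd_config() {
  cfg=$1; fails=0
  want PermitRootLogin prohibit-password no    # no remote root login
  want PermitEmptyPasswords no no              # no logins with empty passwords
  want PasswordAuthentication yes no           # key-based authentication only
  want PubkeyAuthentication yes yes
  v=$(effective_value "$cfg" MaxAuthTries); v=${v:-6}
  [ "$v" -le 3 ] || { echo "FAIL MaxAuthTries=$v (want <= 3)"; fails=$((fails + 1)); }
  v=$(effective_value "$cfg" AllowUsers)
  [ -n "$v" ] || { echo "FAIL AllowUsers unset (want an explicit list)"; fails=$((fails + 1)); }
  return "$fails"
}

# demo: run the audit on the constructed sample; returns the finding count.
demo() {
  tmp=$(mktemp); printf '%s\n' "$SAMPLE_WEAK" > "$tmp"
  rc=0; audit_sshd_config "$tmp" || rc=$?
  rm -f "$tmp"; return "$rc"
}
demo || echo "$? finding(s) in the constructed sample"
```

On a live host, call `audit_sshd_config /etc/ssh/sshd_config` instead of `demo`.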

Fail2ban is an intrusion prevention system that protects your server from brute-force attacks. It protects your Linux system by banning IPs that show malicious activity such as too many login attempts. Out of the box, it ships with filters for popular services such as the Apache webserver, vsftpd and SSH.

We have a guide on how to configure Fail2ban to further fortify the SSH protocol.

Reusing passwords or using weak and simple passwords greatly undermines the security of your system. To enforce a password policy, use pam_cracklib to set or configure the password strength requirements.

Using the PAM module, you can define the password strength by editing the /etc/pam.d/system-auth file. For example, you can set password complexity and prevent the reuse of passwords.
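
The following added example (not part of the original article) checks the `password` lines of a PAM file for the two controls just mentioned: complexity through the `pam_cracklib` options `minlen` and `dcredit`/`ucredit`/`lcredit`/`ocredit`, and reuse prevention through `remember=` on `pam_unix`. The thresholds and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check the password stack of a PAM file for complexity
# (pam_cracklib) and reuse prevention (remember= on pam_unix).
# MIN_LEN and MIN_REMEMBER are assumed thresholds, not values from the article.
MIN_LEN=12
MIN_REMEMBER=5

# Constructed sample of password lines from /etc/pam.d/system-auth.
SAMPLE_PAM='password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1
password sufficient pam_unix.so sha512 shadow use_authtok'

# pam_opt MODULE OPTION: read PAM lines on stdin and print OPTION's value from
# the first "password" line that loads MODULE (prints nothing if it is absent).
pam_opt() {
  awk -v mod="$1" -v opt="$2" '
    $1 == "password" && index($0, mod) {
      for (i = 3; i <= NF; i++)
        if (index($i, opt "=") == 1) { print substr($i, length(opt) + 2); exit }
      exit
    }'
}

# check_password_policy: read PAM lines on stdin, print findings, return their count.
check_password_policy() {
  conf=$(cat); n=0
  minlen=$(printf '%s\n' "$conf" | pam_opt pam_cracklib.so minlen)
  remember=$(printf '%s\n' "$conf" | pam_opt pam_unix.so remember)
  [ "${minlen:-0}" -ge "$MIN_LEN" ] ||
    { echo "FAIL minlen=${minlen:-unset} (want >= $MIN_LEN)"; n=$((n + 1)); }
  # A negative credit makes that many characters of the class mandatory.
  for c in dcredit ucredit lcredit ocredit; do
    val=$(printf '%s\n' "$conf" | pam_opt pam_cracklib.so "$c")
    [ "${val:-0}" -lt 0 ] ||
      { echo "FAIL $c=${val:-unset} (want a negative value)"; n=$((n + 1)); }
  done
  [ "${remember:-0}" -ge "$MIN_REMEMBER" ] ||
    { echo "FAIL remember=${remember:-unset} (want >= $MIN_REMEMBER)"; n=$((n + 1)); }
  return "$n"
}

# Demo on the constructed sample; on a live host feed it /etc/pam.d/system-auth.
printf '%s\n' "$SAMPLE_PAM" | check_password_policy || echo "$? finding(s)"
```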

If you are running a website, always make sure to secure your domain with an SSL/TLS certificate to encrypt the data exchanged between users' browsers and the webserver.

Once you have encrypted your site, consider also disabling weak encryption protocols. At the time of writing this guide, the latest protocol is TLS 1.3, which is the most common and widely used protocol. Earlier versions such as TLS 1.0, TLS 1.2, and SSLv1 to SSLv3 are associated with known vulnerabilities.

That was a summary of some of the steps you can take to ensure data security and privacy for your Linux system.