5 Best Practices to Secure and Protect SSH Server


SSH (Secure Shell) is an open source network protocol used to connect to local or remote Linux servers in order to transfer files, make remote backups, execute remote commands and carry out other network-related tasks via scp or sftp between two servers that connect over a secure channel on the network.

In this article, I will show you some simple tools and techniques that will help you tighten the security of your SSH server. Here you will find useful information on how to secure an SSH server and protect it from brute force and dictionary attacks.

1. DenyHosts

DenyHosts is an open source, log-based intrusion prevention script for SSH servers, written in the Python programming language. It is intended to be run by Linux system administrators and users to monitor and analyze SSH server access logs for failed login attempts, known as dictionary-based attacks and brute force attacks. The script works by banning IP addresses after a set number of failed login attempts, which prevents such attacks from gaining access to the server.

  1. Keeps track of /var/log/secure to find all successful and failed login attempts and filters them.
  2. Keeps an eye on all failed login attempts by user and offending host.
  3. Keeps watch on each existing or non-existent user (e.g. xyz) when a login attempt fails.
  4. Keeps track of each offending user, host and suspicious login attempt; if there are too many login failures, it bans that host's IP address by adding an entry to the /etc/hosts.deny file.
  5. Optionally sends email notifications of newly blocked hosts and suspicious logins.
  6. Also keeps the failed login attempts against valid and invalid users in separate files, which makes it easy to identify which valid or invalid user is under attack, so that we can delete that account, change its password or disable the shell for that user.

Read More: Install DenyHosts to Block SSH Server Attacks in RHEL/CentOS/Fedora

2. Fail2Ban

Fail2ban is one of the most popular open source intrusion detection/prevention frameworks, written in the Python programming language. It works by scanning log files such as /var/log/secure, /var/log/auth.log, /var/log/pwdfail, etc. for too many failed login attempts. Fail2ban is used to update Netfilter/iptables or the TCP Wrapper hosts.deny file to reject an attacker's IP address for a set amount of time. It can also unban a blocked IP address after a period of time set by the administrators. However, an unban time of a few minutes is enough to stop such malicious attacks.

  1. Multi-threaded and highly configurable.
  2. Supports log file rotation and can handle multiple services such as sshd, vsftpd, apache, etc.
  3. Monitors log files and looks for known and unknown patterns.
  4. Uses Netfilter/iptables and the TCP Wrapper (/etc/hosts.deny) table to ban attackers' IP addresses.
  5. Runs scripts when a given pattern has been identified for the same IP address more than X times.

Read More: Install Fail2ban to Prevent SSH Server Attacks in RHEL/CentOS/Fedora
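The log-based banning that DenyHosts and Fail2ban perform can be sketched as follows. This is an added example, not code from either project: the log lines are constructed, the threshold of 3 and the function names are assumptions, and the output uses the TCP Wrappers `daemon: client` rule syntax for /etc/hosts.deny.

```python
import re
from collections import Counter

# Constructed sample lines in the sshd format found in /var/log/secure.
SAMPLE_LOG = """\
Mar  3 10:01:12 web1 sshd[2101]: Failed password for invalid user xyz from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:19 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  3 10:02:40 web1 sshd[2110]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:51 web1 sshd[2110]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:05:02 web1 sshd[2120]: Failed password for root from 192.0.2.44 port 33990 ssh2
Mar  3 10:05:06 web1 sshd[2122]: Failed password for root from 192.0.2.44 port 33992 ssh2
"""

# Anchored at the end of the line so the address captured is always the one
# sshd appended itself, whatever text the client sent as a user name.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(.+) "
    r"from (\S+) port \d+ ssh2$"
)

def analyze(log_text, max_failures=3):
    """Count failed logins per source host and per targeted account."""
    per_host, valid_users, invalid_users = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        invalid, user, host = m.groups()
        per_host[host] += 1
        # Keep valid and invalid accounts apart, as DenyHosts does.
        (invalid_users if invalid else valid_users)[user] += 1
    banned = sorted(h for h, n in per_host.items() if n >= max_failures)
    return banned, dict(valid_users), dict(invalid_users)

def hosts_deny_entries(banned):
    """Render TCP Wrappers deny rules, one per banned host."""
    return [f"sshd: {host}" for host in banned]

if __name__ == "__main__":
    banned, valid, invalid = analyze(SAMPLE_LOG)
    print("\n".join(hosts_deny_entries(banned)))
    print("valid accounts targeted:", valid)
    print("invalid accounts tried:", invalid)
```

Only the host that reaches the threshold is listed; the user who mistyped a password once and then logged in is left alone.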

3. Disable Root Login

By default, Linux systems are configured to allow remote SSH logins for everyone, including the root user itself, which lets anyone log in directly to the system and gain root access. Although the SSH server provides a more secure way to disable or enable root logins, it is always a good idea to disable root access, keeping servers a little more secure.

Many people try to brute force root accounts over SSH simply by supplying different account names and passwords, one after another. If you are a system administrator, you can check the SSH server logs, where you will find a number of failed login attempts. The main reason for the number of failed login attempts is weak passwords, which makes it worthwhile for hackers/attackers to try.

If you have strong passwords, you are probably safe. Even so, it is better to disable root login and keep a separate regular account to log in with, then use sudo or su to gain root access whenever it is needed.

Read More: How to Disable SSH Root Login and Limit SSH Access

4. Display SSH Banner

This is one of the oldest features, available since the beginning of the ssh project, but I have hardly seen anyone use it. Still, I consider it an important and very useful feature, and I have used it on all my Linux servers.

This is not for any security purpose; the main benefit of the banner is that it is used to display SSH warning messages to unauthorized users and welcome messages to authorized users, before the password prompt and after the user logs in.

Read More: How to Display SSH & MOTD Banner Messages
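A check for the two sshd_config settings discussed in sections 3 and 4, `PermitRootLogin` and `Banner`, written as an added example rather than code from the original article. It relies on sshd using the first value it obtains for each keyword, so a hardening line appended below an older one has no effect. The sample configuration is constructed, /etc/issue.net is only a sample banner path, and the check assumes no `Include` files and treats everything after the first `Match` line as conditional.

```python
# Constructed sshd_config: hardening lines were appended at the end, but an
# earlier "PermitRootLogin yes" is still present above them.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
#Banner none
PasswordAuthentication yes

permitrootlogin no
Banner /etc/issue.net

Match User backup
    PermitRootLogin yes
"""

def effective_global(config_text):
    """Resolve global settings the way sshd does: keywords are
    case-insensitive and the first value obtained for a keyword wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # lines after Match apply conditionally, not globally
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # later duplicates are ignored
    return settings

def audit(config_text):
    """Return findings for the root-login and banner settings."""
    s = effective_global(config_text)
    findings = []
    root = s.get("permitrootlogin")
    if root != "no":
        shown = root or "unset (built-in default applies)"
        findings.append(f"PermitRootLogin is {shown}; "
                        "set it to 'no' above any other occurrence")
    if s.get("banner") in (None, "", "none"):
        findings.append("Banner is not set; point it at a banner file")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```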

5. SSH Passwordless Login

SSH passwordless login with SSH keys establishes a trust relationship between two Linux servers, which makes file transfer and synchronization much easier. This is very useful if you are dealing with remote automated systems, remote script execution, file transfer, remote script management and so on, without entering the password every time.

Read More: How to Set Up SSH Passwordless Login