Linux hardening: tips to protect your distro and make it more secure

[Image: two Tux penguins, one unprotected and one in battle gear]

Many articles have been published about the most secure Linux distributions, such as TAILS (which protects your privacy and anonymity on the web), Whonix (a Linux for the security-paranoid) and other distros designed to be secure. But of course, not every user wants to run one of those distributions. That is why in this article we give a list of recommendations for "Linux hardening", that is, for making your own distro (whichever it is) more secure.

Red Hat, SUSE, CentOS, openSUSE, Ubuntu, Debian, Arch Linux, Linux Mint, ... it makes little difference. Any distribution can be as secure as the most secure one if you know it in depth and know how to protect yourself from the threats you face. And for that you can act on many levels, not only the software level but also the hardware level.

Basic security rules:

[Image: hardware circuit]

In this section I will give you some basic, simple guidelines that need no computing knowledge to understand; they are just common sense, but we often fail to apply them out of carelessness or neglect:

  • Do not upload private or confidential data to the cloud. The cloud, whether free or paid and whether more or less secure, is a handy tool for having your data available wherever you go. But try not to upload data you do not want to "share" with prying eyes. That kind of sensitive data belongs on a medium you carry yourself, such as an SD card or a pendrive.
  • If you use the same computer to browse the Internet and to work with important data, for example because you have joined the BYOD trend and take company data home, then do not do that work online; disconnect (why do you need a network connection to write a document in LibreOffice?). A disconnected computer is the safest one, remember that.
  • Related to the above, do not leave important data on the local hard drive while you work online. I recommend keeping it on an external hard drive or some other removable storage (memory card, pendrive, etc.). That way there is a barrier between the connected machine and the "unconnected" storage where the important data lives.
  • Make backup copies of any data you consider valuable or do not want to lose. Once an attacker has used a vulnerability to get into your computer and escalate privileges, they can delete or manipulate any data without obstacles. That is why it is better to have a backup (kept offline or on separate media, or it will be deleted or encrypted along with the original).
  • Do not leave information about your weaknesses in forums or in comments on the web. If, for example, you have a security problem on your computer and open ports you want to close, do not describe your problem in a help forum, because it can be used against you. Someone with bad intentions can use that information to pick the perfect victim. It is better to find a trusted technician to help you fix it. It is also common for companies to post job ads such as "Looking for an IT security expert" or "Staff needed for the security department". That can hint at a weakness in the company, and a cybercriminal can use such sites to look for easy victims... It is equally unwise to publish which system and version you use, since someone can pick an exploit for the known vulnerabilities of that version. In short, the less an attacker knows about you, the harder the attack will be. Remember that attackers usually run a pre-attack phase called "information gathering", which consists of collecting information about the victim that can later be used against them.
  • Keep your system updated with the latest updates and patches. Remember that in many cases these not only improve functionality but also fix bugs and vulnerabilities so that they cannot be exploited.
  • Use strong passwords. Never use dictionary words or passwords like 12345, since a dictionary attack recovers them in seconds. Do not keep default passwords either, since they are easy to find. Do not use birthdays, names of relatives or pets, or personal tastes: that kind of password is easy to guess by social engineering. It is better to use a long password with digits, upper- and lower-case letters and symbols. Also, do not use one password for everything; if you have an email account and an operating system login, do not use the same password for both. This is something Windows 8 got wrong, since the login password is the same as your Hotmail/Outlook account password. A reasonably secure password looks like "auite3YUQK&&w-". It could be brute-forced, but the time required makes it not worth the effort... If you cannot remember many different passwords, a password manager is the practical way to keep them unique.
  • Do not install packages from unknown sources. Where possible, use your distribution's repositories or the source packages from the official website of the program you want to install. If a package is questionable, I recommend running it in a sandbox environment such as Glimpse. What you gain is that every application installed in Glimpse runs normally, but when it tries to read or write data, the change only exists inside the sandbox, isolating your system from trouble.
  • Use a least-privilege scheme. When you need privileges for a task, use "sudo" rather than "su", so that each privileged command is logged and you never sit in a root shell longer than necessary.

Other more technical recommendations:

[Image: padlock on a computer keyboard]

Besides the advice in the previous section, it is also highly recommended that you follow these steps to make your distro more secure. Remember that your distribution can be as secure as you want it to be; I mean that the more time you spend configuring and securing it, the better.

Security frameworks in Linux and firewall / UTM:

Use SELinux or AppArmor to harden Linux. These systems are somewhat complex, but there are manuals that will help you a lot. SELinux is the default on Red Hat-family systems and AppArmor on Ubuntu and SUSE. AppArmor confines individual applications, restricting which files they may read or write and which other programs they may execute, so that even a compromised program cannot do much beyond what its profile allows. AppArmor has been part of the mainline Linux kernel since version 2.6.36, and its profiles are stored in /etc/apparmor.d; the aa-status command shows which profiles are loaded and whether each is in enforce or complain mode.

Close every port you do not use regularly. A physical firewall is a good idea too, and the best option. Another option is to dedicate an old or unused machine to running a UTM or firewall for your home network (you can use distributions such as IPCop or m0n0wall, both unmaintained today, or their successors pfSense and OPNsense). You can also configure it to filter whatever you do not want. To close ports you can use "iptables / netfilter", which the Linux kernel itself includes (nftables is its successor and the default front end on current distributions). I recommend consulting the manuals on netfilter and iptables, since they are quite extensive and cannot be explained in a single article. You can see which ports you have open by typing in a terminal (netstat belongs to the legacy net-tools package; on current systems ss -tulpn from iproute2 gives the same listing):

netstat -nap
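Listing the sockets is only half the job; the question a practitioner wants answered is "which of these listeners are exposed on every interface, and is each one intended?". The following Python script is an added example, not code from the original article: it parses the output format of ss -tulpn (the sample embedded below is constructed, including the process names and PIDs) and reports every socket bound to 0.0.0.0, * or [::] whose protocol/port pair is not on an explicit allow-list. Run it as ss -tulpn | python3 audit_ports.py on a real system; without piped input it audits the constructed sample.

```python
# Added example (not from the original article): flag listening sockets that are
# exposed on all interfaces and are not on an explicit allow-list.
# It parses the column layout of `ss -tulpn`; the sample below is constructed.
import re
import sys
from typing import NamedTuple

SAMPLE_SS_OUTPUT = """\
Netid  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
udp    UNCONN  0       0       127.0.0.53%lo:53     0.0.0.0:*          users:(("systemd-resolve",pid=512,fd=13))
udp    UNCONN  0       0       0.0.0.0:631          0.0.0.0:*          users:(("cups-browsed",pid=901,fd=7))
tcp    LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=845,fd=3))
tcp    LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=899,fd=7))
tcp    LISTEN  0       511     *:80                 *:*                users:(("apache2",pid=1201,fd=4))
tcp    LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=845,fd=4))
"""


class Socket(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str


# Local addresses that mean "listen on every interface" in ss output.
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}
_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(text):
    """Parse `ss -tulpn` output into Socket tuples (the header line is skipped)."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")      # split on the LAST colon (IPv6 safe)
        addr = addr.split("%")[0]                   # drop interface scope, e.g. 127.0.0.53%lo
        match = _PROC_RE.search(line)
        sockets.append(Socket(proto, addr, int(port), match.group(1) if match else "?"))
    return sockets


def exposed_sockets(sockets, allow):
    """Sockets bound to a wildcard address whose (proto, port) is not in `allow`."""
    return [s for s in sockets if s.addr in WILDCARDS and (s.proto, s.port) not in allow]


def audit(text, allow=frozenset({("tcp", 22)})):
    """Sorted 'process:proto/port' labels for every unexpected exposed listener."""
    return sorted({f"{s.process}:{s.proto}/{s.port}"
                   for s in exposed_sockets(parse_ss(text), allow)})


if __name__ == "__main__":
    text = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit(text):
        print("exposed on all interfaces:", finding)
```

Loopback-only listeners (127.0.0.1, ::1, the systemd-resolved stub on 127.0.0.53) are deliberately not reported: they are reachable only from the machine itself. Whatever the script flags is what your firewall rules or the service's own bind address should deal with.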

Physical protection of our hardware:

You can also physically protect your hardware if you do not trust the people around you or have to leave your machine somewhere among other people. To do this, disable booting from any device other than your hard drive in the BIOS/UEFI and set a BIOS/UEFI password so that the settings cannot be changed without it. This prevents someone from plugging in a bootable USB stick or external drive with an operating system installed and reading your data from it, without ever logging into your distro. To set it, enter the BIOS/UEFI; in the Security section you can add a password. Bear in mind that a firmware password can be reset by anyone who can open the case (by clearing the CMOS, or simply by removing the disk and reading it on another machine), so it only raises the bar; disk encryption, covered further down, is what actually protects the data.

You can do the same with GRUB, protecting it with a password:

grub-mkpasswd-pbkdf2

Enter the password you want for GRUB and it will be hashed with PBKDF2-HMAC-SHA512. Then copy the resulting hash (the one shown after "Your PBKDF2 is") for later use. Do not edit /boot/grub/grub.cfg directly, because update-grub regenerates it and your changes would be lost; put the settings in a file that update-grub reads instead:

sudo nano /etc/grub.d/40_custom

Define a superuser and the password hash at the end of that file. For example, if the hash copied earlier was "grub.pbkdf2.sha512.10000.58AA8513IEH723":

set superusers="isaac"
password_pbkdf2 isaac grub.pbkdf2.sha512.10000.58AA8513IEH723

Save the changes and regenerate the GRUB configuration so that they take effect (on Red Hat-family systems the equivalent is grub2-mkconfig -o /boot/grub2/grub.cfg):

sudo update-grub

Note that once a superuser is defined, every menu entry requires the password to boot, not only to edit. If you only want to protect editing of the boot entries and the GRUB command line, add the --unrestricted option to the menuentry lines (on Debian/Ubuntu this is done through the CLASS variable in /etc/grub.d/10_linux).
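To see what the hash you just pasted actually is, and to check a hash against a password before you lock yourself out of the boot menu, here is an added Python example (not code from the original article or from GRUB): it produces and verifies strings in the format that grub-mkpasswd-pbkdf2 prints, grub.pbkdf2.sha512.<iterations>.<salt>.<hash>, using PBKDF2-HMAC-SHA512 with GRUB's defaults of 10000 iterations and a 64-byte salt and output, written as upper-case hex. The password used in the test is a stand-in, not the one from the text.

```python
# Added example (not from the original article): produce and verify password hashes
# in the format grub-mkpasswd-pbkdf2 prints, so a hash can be checked before it is
# pasted into /etc/grub.d/40_custom. Defaults match grub-mkpasswd-pbkdf2
# (10000 iterations, 64-byte salt, 64-byte output).
import hashlib
import hmac
import os

PREFIX = "grub.pbkdf2.sha512"


def grub_pbkdf2_hash(password, iterations=10000, salt=None):
    """Return a GRUB-style PBKDF2-HMAC-SHA512 hash string for `password`."""
    if salt is None:
        salt = os.urandom(64)                       # GRUB's default salt length
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=64)
    return f"{PREFIX}.{iterations}.{salt.hex().upper()}.{dk.hex().upper()}"


def parse_grub_hash(hash_string):
    """Split a GRUB hash string into (iterations, salt bytes, hash bytes)."""
    head, iterations, salt_hex, dk_hex = hash_string.rsplit(".", 3)
    if head != PREFIX:
        raise ValueError("not a grub.pbkdf2.sha512 hash")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_grub_password(hash_string, password):
    """True if `password` matches `hash_string`; the digests are compared in constant time."""
    iterations, salt, expected = parse_grub_hash(hash_string)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations,
                             dklen=len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    h = grub_pbkdf2_hash("correct horse battery")     # stand-in password, not from the article
    print(h)
    print("verifies:", verify_grub_password(h, "correct horse battery"))
    print("wrong password verifies:", verify_grub_password(h, "wrong"))
```

The salt is what makes two hashes of the same password differ, so never compare hash strings to each other; always recompute with the stored salt and iteration count, as verify_grub_password does. Ten thousand iterations of SHA-512 is cheap on modern hardware; GRUB accepts a higher count (grub-mkpasswd-pbkdf2 -c), and the string records it, so raising it costs nothing in compatibility.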

Less software = more security:

Minimise the number of installed packages. Install only what you need, and if you stop using something, it is better to remove it. The less software you have, the fewer vulnerabilities. Remember that. The same advice applies to the services and daemons that start with the system: if you do not use them, disable them (systemctl list-unit-files --state=enabled shows what is enabled at boot on a systemd distro).

Securely erase data:

When you delete data from a disk, a memory card or a partition, or just a file or directory, do it securely. Even if you think you have deleted it, it can be recovered easily. Just as in the physical world it is useless to throw documents with sensitive information in the bin, because someone can take them out and read them, so you have to shred the paper, the same happens in computing. For example, you can fill the storage with zeros or random data to overwrite the data you do not want recovered. For this you can use the following (it must run with root privileges; replace /dev/sdax with the device or partition you want to wipe, and check the name twice, because the wrong target destroys the wrong disk):

dd if=/dev/zero of=/dev/sdax bs=1M
dd if=/dev/urandom of=/dev/sdax bs=1M

If what you want is to permanently delete a specific file, you can use "shred". For example, imagine you want to delete a file called passwords.txt in which you have written your passwords. We can use shred to overwrite it, say, 26 times before unlinking it, to make sure it cannot be recovered afterwards (the default of 3 passes is already enough on a magnetic disk; -z adds a final pass of zeros to hide the shredding):

shred -u -z -n 26 passwords.txt

There are tools such as HardWipe, Eraser or Secure Delete (the secure-delete package provides srm, sfill, sswap and sdmem) that you can install to "wipe" free space, swap partitions, RAM, etc. Bear in mind that overwriting only works when the new data lands on the same physical location as the old: on SSDs and flash cards wear levelling breaks that assumption (use the drive's own secure-erase command or blkdiscard instead), and journaling or copy-on-write filesystems and snapshots can keep old copies that shred never touches. The reliable approach is to encrypt the disk from the start, so that discarding the key makes everything on it unreadable.

User accounts and passwords:

Improve the password scheme with tools such as S/KEY or SecurID to build a one-time password scheme. Make sure no password hashes remain in /etc/passwd, which every user can read; they belong in /etc/shadow, which only root can read. You can use "pwconv" and "grpconv" to move any hashes still in /etc/passwd and /etc/group into /etc/shadow and /etc/gshadow. It is also a good idea to make passwords expire so that you are forced to renew them periodically. That way, if someone obtains a password, it will not be valid for ever, because you change it regularly. With the file /etc/login.defs you can strengthen the password scheme. Edit it and look for the entries PASS_MAX_DAYS and PASS_MIN_DAYS, which set the maximum and minimum number of days a password can be used before it expires; PASS_WARN_AGE sets how many days in advance the user is warned that the password is about to expire. Note that these defaults only apply to accounts created afterwards; for existing accounts set the same limits per user with the chage command (its -M, -m and -W options correspond to the three entries). I recommend reading the manual for this file, since it has many more entries.

Accounts that are not used but still exist in /etc/passwd must have /bin/false (or /usr/sbin/nologin) as their shell. If any of them has something else, change it. That way they cannot be used to obtain a shell. It is also worth checking the PATH variable in your shell so that the current directory "." does not appear in it; that is, it must change from ".:/usr/local/sbin:/usr/local/bin:/usr/bin:/bin" to "/usr/local/sbin:/usr/local/bin:/usr/bin:/bin". Otherwise a program dropped into whatever directory you happen to be in could run in place of a system command.

It is also advisable to use Kerberos as the network authentication method.

PAM (Pluggable Authentication Modules) is the framework Linux uses to plug authentication methods (passwords, tokens, LDAP, Kerberos, one-time codes, ...) into login, sudo, ssh and the rest of the system through a common configuration, with obvious advantages. You can look in the /etc/pam.d/ directory and find more information on the web. There is a lot to learn here...

Watch the permissions of the different directories. For example, /root must belong to the root user and the root group, with permissions "drwx------" (mode 700; check it with ls -ld /root). You can find information on the web about which permissions each directory in the Linux tree should have. A different configuration can be dangerous.

Encrypt your data:

Encrypt the contents of the directory or partition where you keep sensitive data. For this you can use LUKS or eCryptfs. LUKS encrypts a whole block device and is what current installers offer as full-disk encryption; eCryptfs works at the file level on top of an existing filesystem, and Ubuntu dropped the encrypted-home option based on it from its installer in 18.04, so prefer LUKS for a new system and keep eCryptfs for directories on an existing one. For example, imagine we want to encrypt the /home of a user called isaac:

sudo apt-get install ecryptfs-utils
ecryptfs-setup-private
sudo ecryptfs-migrate-home -u isaac

After the above, enter the passphrase when prompted. ecryptfs-migrate-home must be run by root while isaac is logged out, and you must log in as isaac before the next reboot so that the migration completes and the unencrypted copy of the home directory can then be removed.

To create a single encrypted directory, for example one called "privado", we can also use eCryptfs. In that directory we can put whatever we want to keep away from the eyes of others:

mkdir /home/isaac/privado
chmod 700 /home/isaac/privado
sudo mount -t ecryptfs /home/isaac/privado /home/isaac/privado

It will ask us about several parameters. First, it lets us choose between passphrase, OpenSSL, ... and we choose 1, that is, "passphrase". Then we enter the passphrase we want, twice, to confirm it. Next we choose the cipher we want (AES, Blowfish, DES3, CAST, ...). I will choose the first, AES, and then the key size in bytes (16, 24 or 32 for AES). The remaining questions (plaintext passthrough, filename encryption) can be answered with the defaults, and finally we confirm with "yes". Now you can mount and unmount that directory to use it; the files are only readable while it is mounted, so unmount it when you are done.

If you only want to encrypt specific files, you can use scrypt or PGP. For example, for a file called passwords.txt, you can use the following commands to encrypt and decrypt it respectively (in both cases it will ask for the passphrase; note that the scrypt tool takes "enc" or "dec" followed by the input and output file names, not shell redirections). Once the encrypted copy exists, delete the plaintext with shred as shown above, or the encryption achieves nothing:

scrypt enc passwords.txt passwords.crypt
scrypt dec passwords.crypt passwords.txt

Two-step verification with Google Authenticator:

[Image: Google Authenticator in an Ubuntu terminal]

Add a second step to your login. That way, even if your password is stolen, they will not be able to get into the system. For example, for Ubuntu and its Unity environment we can use LightDM, but the principle carries over to other distros. You need a tablet or smartphone on which to install Google Authenticator (or any other TOTP app) from the app store. Then on the PC, the first thing to do is install the Google Authenticator PAM module and run the setup, as the user whose login you want to protect (it writes the secret to that user's ~/.google_authenticator):

sudo apt-get install libpam-google-authenticator
google-authenticator

When it asks whether the verification codes should be time-based, we answer yes with y. It then shows a QR code to scan with Google Authenticator on the phone; the alternative is to type the secret key into the app by hand (the one shown on the computer as "Your new secret key is:"). It also gives us a list of emergency scratch codes for when we do not have the phone with us; it is wise to keep them somewhere safe, just in case. We then answer the remaining questions with y or n according to our preferences (updating the file, disallowing reuse of a code, the time window tolerated, and rate limiting).

Now we open (with nano, gedit or your favourite text editor) the configuration file with:

sudo gedit /etc/pam.d/lightdm

And we add the line:

auth required pam_google_authenticator.so nullok

We save, and at login it will ask us for the verification code that our phone generates. The nullok option lets users who have not yet run google-authenticator log in without a code; remove it once everyone is enrolled, otherwise the second factor stays optional. This file only covers the LightDM graphical login: to protect SSH as well, add the same line to /etc/pam.d/sshd and enable challenge-response (keyboard-interactive) authentication in sshd_config.

If one day you want to remove two-step verification, just delete the line "auth required pam_google_authenticator.so nullok" from the file /etc/pam.d/lightdm.

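It helps to understand what the PAM module and the phone app actually agree on: the secret key shown as "Your new secret key is:" and the current time. The following Python example is added here and is not code from the original article or from the Google Authenticator project: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the defaults the module uses (HMAC-SHA1, 30-second steps, 6 digits), plus a verifier that tolerates one step of clock skew in either direction. The secret used in the test is the RFC 6238 test key, not a real one; you can paste your own base32 secret to see the same code your phone shows.

```python
# Added example (not from the original article): the TOTP algorithm (RFC 6238) that
# pam_google_authenticator and the phone app both compute. The secret is the base32
# string google-authenticator prints as "Your new secret key is:"; the one used in
# the test is the RFC test key, not a real secret.
import base64
import hashlib
import hmac
import struct
import time

STEP = 30       # seconds per code (Google Authenticator default)
DIGITS = 6


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at) // step, digits)


def verify_totp(secret_b32, code, at=None, window=1, step=STEP):
    """Accept `code` if it matches the current step or any step within +/- `window`.

    All candidates are compared (no early return) with a constant-time comparison,
    so timing does not reveal which step, if any, matched.
    """
    if at is None:
        at = time.time()
    counter = int(at) // step
    matched = False
    for delta in range(-window, window + 1):
        matched |= hmac.compare_digest(hotp(secret_b32, counter + delta, len(code)), code)
    return matched


if __name__ == "__main__":
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 test key, base32 of "12345678901234567890"
    print("code now:", totp(demo_secret))
    print("seconds until it changes:", STEP - int(time.time()) % STEP)
```

Two practical consequences follow from the code. First, the module does not talk to the phone at all; both sides derive the code from the shared secret and the clock, which is why a machine whose clock drifts by more than the tolerated window rejects every valid code. Second, the secret in ~/.google_authenticator is as sensitive as the password: anyone who reads that file can generate codes, so it must stay readable by its owner only.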
Ka tuna, hankali da hankali shine mafi kyawun aboki. Yanayin GNU / Linux amintacce ne, amma duk kwamfutar da aka haɗa da hanyar sadarwa ba ta da aminci, komai kyawun tsarin aiki da kuke amfani da shi. Idan kuna da wasu tambayoyi, matsaloli ko shawarwari, zaku iya barin naku sharhi. Ina fatan zai taimaka…



  1. Nuria said:

    Hello, good afternoon, please look at my comment: I installed google-authenticator on Raspbian without any problem, and the mobile application registered correctly and gave me the code, but when I restart the Raspberry and the system boots again it does not ask me to enter the two-step verification code, only the username and password.

    Thank you very much. All the best.