Linux Hardenining: matipi ekuchengetedza yako distro uye nekuita kuti ive yakachengeteka

Kuomesa Linux tuxs mbiri, imwe isina dziviriro uye imwe muzvombo

Zvinyorwa zvakawanda zvakaburitswa pa Kugoverwa kweLinux yakachengeteka zvakanyanya, senge TAILS (iyo inovimbisa kuvanzika kwako uye kusazivikanwa pawebhu), Whonix (a Linux for paranoid paranoid) uye mamwe ma distros anoitirwa kuchengetedza. Asi zvirokwazvo, havazi vese vashandisi vanoda kushandisa izvi kugoverwa. Ndicho chikonzero nei muchinyorwa chino tichizopa akateedzana ezvinokurudzirwa zve «Linux Kuomesa«, Ndokunge, ita yako distro (chero zvazvingave) ive yakachengeteka.

Red Hat, SUSE, CentOS, openSUSE, Ubuntu, Debian, Arch Linux, Linux Mint,… unoita musiyano upi. Chero kugovera kunogona kuve kwakachengeteka seyakachengeteka kwazvo kana iwe uchizviziva zvakadzama uye uchiziva nzira yekuzvidzivirira kubva kungozi dzinokutyisidzira. Uye kune izvi zvinokwanisika kuita pamatanho mazhinji, kwete chete padanho re software, asi zvakare padanho rehardware.

Tsuro dzekuchengetedza.

Hardware chengetedzo padlocked redunhu

Muchikamu chino ini ndichakupa imwe matipi akakosha uye akapusa izvo zvisingade ruzivo rwemakomputa kuti uzvinzwisise, zvinongova kungwara asi kuti dzimwe nguva hatizvite nekuda kwekushaya hanya kana kushaya hanya.

  • Usatakure data rako kana rekunzwisisa kune iro gore. Gore, zvisinei nekuti nderemahara here kana kwete uye rakachengeteka zvakanyanya, chishandiso chakanaka chekurasa data rako chero kwaunoenda. Asi edza kusaisa data rausingade "kugovana" nevanoona. Rudzi urwu rwe data rinonzwisisika rinofanira kutakurwa mune yakasarudzika yepamoyo, senge SD kadhi kana pendrive.
  • Kana iwe ukashandisa komputa kuwana iyo Internet uye uchishanda nedhata rakakosha, semuenzaniso, fungidzira kuti wabatana neYODOD craze uye wakatora imwe bhizinesi data kumba. Zvakanaka, mune aya mamiriro ezvinhu, usashande online, edza kubviswa (nei iwe uchida kuve nekubatana kuti ushande semuenzaniso neLibreOffice kugadzirisa chinyorwa?). Komputa yakabviswa ndiyo yakachengeteka, yeuka izvozvo.
  • Inoenderana nezviri pamusoro, usasiye rakakosha dhata pane yemuno hard drive kana uchishanda online. Ini ndinokurudzira kuti uve neyekunze hard drive kana imwe mhando yekurangarira (memori makadhi, pen zvinotyaira, nezvimwewo) mauri uine iyi ruzivo. Nekudaro isu tichaisa chipingamupinyi pakati pemidziyo yedu yakabatana uye iyo "isina kubatana" ndangariro panokosha data.
  • Gadzira makopi ekuchengetedza yeiyo data iwe yaunofunga inonakidza kana yausingade kurasikirwa nayo. Kana ivo vachishandisa kusagadzikana kupinda mukomputa yako uye vachiwedzera mikana, anorwisa anozokwanisa kudzima kana kushandisa chero dhata pasina zvipingaidzo. Ndokusaka zvirinani kuve ne backup.
  • Usasiye data nezve ako asina kusimba mapoinzi mumaforamu kana kutaura pawebhu. Kana semuenzaniso uine matambudziko ekuchengeteka pakombuta yako uye ine akavhurika madoko aunoda kuvhara, usasiye dambudziko rako muforamu yekubatsira, nekuti rinogona kushandiswa kupokana newe. Mumwe munhu ane vavariro dzakaipa anogona kushandisa ruzivo irworwo kutsvaga munhu wavo akakwana. Zvirinani kuti iwe utsvage akavimbika technician kuti akubatsire iwe kuzvigadzirisa. Zvakajairika kuti makambani aise kushambadza paInternet senge "Ndiri kutsvaga nyanzvi yekuchengetedza IT" kana "Vashandi vanodiwa kudhipatimendi rekuchengetedza. Izvi zvinogona kuratidza kushomeka kunogona kuitika mukambani yakataura uye cybercriminal inogona kushandisa aya marudzi emapeji kutsvaga avo vari nyore ... Izvo zvakare hazvina kunaka kuti iwe usiye ruzivo nezve iyo system yaunoshandisa uye shanduro, mumwe munhu anogona kushandisa zvihwitsi kuti ashandise. kusagadzikana kweshanduro iyoyo. Muchidimbu, kana iye ari kurwisa asingazive nezvako, zvinonyanya kuomera iye kurwisa. Ramba uchifunga kuti varwisi vanowanzoita maitiro kusati kwaitika kurwisa kunodaidzwa kunzi "kuunganidzwa kweruzivo" uye kunosanganisira kuunganidza ruzivo nezveiye akabatwa uyo anogona kushandiswa kupokana navo.
  • Chengetedza midziyo yako yakagadziridzwa Nezvazvino kuvandudzwa uye zvigamba, yeuka kuti pane dzakawanda zviitiko, izvi hazvingogadzirise mashandiro, zvakare zvinogadzirisa madhiragi uye kusagadzikana kuitira kuti zvisashandiswe.
  • Shandisa mapassword akasimba. Usambofa wakaisa mazita ari muduramazwi kana mapassword akaita se12345, nekuti nekurwiswa kweduramazwi vanogona kubviswa nekukurumidza. Zvakare, usasiye mapassword nekukasira, nekuti iwo anoonekwa nyore. Zvakare usashandise mazuva ekuberekwa, mazita ehama, mhuka dzinovaraidza kana nezve zvaunofarira. Idzo mhando dzemaphasiwedi dzinogona kufungidzirwa zviri nyore nehukama enjiniya. Zvakanakisa kushandisa password refu nenhamba, mabhii makuru nemadiki, uye zviratidzo. Zvakare, usashandise tenzi mapassword ezvese zvinhu, ndiko kuti, kana iwe uine email account uye chikamu cheanoshanda system, usashandise zvakafanana kune ese ari maviri. Ichi chinhu chiri muWindows 8 chavakakwenya kusvika pasi, sezvo password yekupinda mukati yakafanana neayo Hotmail / Outlook account. A password yakachengeteka ndeye mhando: "auite3YUQK && w-". Nesimba rehutsinye zvinogona kuwanikwa, asi iyo nguva yakatsaurirwa kwairi inoita kuti isakosha.
  • Usaise mapakeji kubva kunzvimbo dzisingazivikanwe uye kana zvichibvira. Shandisa iyo sosi kodhi mapakeji kubva kune yepamutemo webhusaiti yechirongwa iwe chaunoda kuisa. Kana mapakeji asina chokwadi, ini ndinokurudzira kuti iwe ushandise sandbox nharaunda seGlimpse. Izvo iwe zvauchazadzikise ndezvekuti ese maapplication aunomisa muGlimpse anogona kumhanya zvakajairika, asi kana uchiedza kuverenga kana kunyora data, zvinongoratidzwa mukati meiyo sandbox nharaunda, uchiparadzanisa yako system kubva kumatambudziko.
  • Shandisa ropafadzo dzesisitimu zvishoma sezvazvinogona. Uye kana iwe uchida rombo rebasa, zvinokurudzirwa kuti ushandise "Sudo" kunyanya pamberi pe "su".

Zvimwe zvishoma zvishoma matipi ehunyanzvi:

Komputa Kuchengetedzwa, kukiya pane keyboard

Pamusoro pezano rakaonekwa muchikamu chakapfuura, zvinokurudzirwawo kuti uteedzere nhanho dzinotevera kuti distro yako inyatso chengeteka. Ramba uchifunga kuti kugovera kwako kunogona zvakachengeteka sezvaunodaNdiri kureva, iyo yakawanda nguva yaunoshandisa kugadzirisa uye kuchengetedza, zvirinani.

Security suites muLinux uye Firewall / UTM:

Shandisa SELinux kana AppArmor kusimbisa yako Linux. Aya masisitimu akaomesesa, asi iwe unogona kuona zvinyorwa zvinokubatsira zvakanyanya. AppArmor inogona kudzora kunyangwe zvikumbiro zvine hungwaru kune zviitwa uye zvimwe zvisingadiwe maitiro maitiro. AppArmor yakaverengerwa muLinux kernel senge vhezheni 2.6.36. Yayo yekumisikidza faira inochengetwa mu /etc/apparmor.d

Vhara zviteshi zvese zvausingashandise kazhinji. Zvingave zvinonakidza kunyangwe iwe uine chaiwo Firewall, ndizvo zvakanakisa. Imwe sarudzo ndeyekutsaurira chishandiso chekare kana chisingashandiswe kuita UTM kana Firewall yeyako netiweki yekumba (unogona kushandisa migove yakadai seIPCop, m0n0wall, ...). Iwe unogona zvakare kumisikidza iptables kusefa izvo zvausingade. Kuti uvavhare unogona kushandisa "iptables / netfilter" inosanganisa iyo Linux kernel pachayo. Ini ndinokurudzira iwe ubvunze emanyorero pane netfilter uye iptables, sezvo iwo akaomesesa uye asingakwanise kutsanangurwa muchinyorwa. Unogona kuona zviteshi zvawakavhura nekutaipa mune iyo terminal:

netstat -nap

Kuchengetedzwa kwemuviri kwemidziyo yedu:

Iwe unogona zvakare kudzivirira panyama michina yako kana ukasavimba nemumwe munhu akakukomberedza kana iwe unofanirwa kusiya michina yako kumwe kunhu kunogona kusvika kune vamwe vanhu. Kune izvi unogona kudzima bhuti kubva kune dzimwe nzira pane yako hard drive mu BIOS / UEFI uye password chengetedza iyo BIOS / UEFI saka havagone kuchishandura pasina iyo. Izvi zvinodzivirira mumwe munhu kutora bootable USB kana yekunze hard drive ine anoshanda system akaisirwa uye nekukwanisa kuwana yako data kubva pairi, pasina kana kutombopinda mune yako distro. Kuti uichengetedze, pinda iyo BIOS / UEFI, muchikamu chechengetedzo unogona kuwedzera password.

Iwe unogona kuita zvakafanana ne GRUB, password-inodzivirira iyo:

grub-mkpasswd-pbkdf2

Pinda iyo password yeGRUB iwe unoda uye ichave yakanyorwa muSHA512. Wobva wateedzera password yakavharidzirwa (iyo inowoneka mu "Yako PBKDF2 iri") yekushandisa gare gare:

sudo nano /boot/grub/grub.cfg

Gadzira mushandisi pakutanga uye isa iyo encrypted pasiwedhi. Semuenzaniso, kana iyo password yakambokopwa kare yaive "grub.pbkdf2.sha512.10000.58AA8513IEH723":

set superusers=”isaac”
password_pbkdf2 isaac grub.pbkdf2.sha512.10000.58AA8513IEH723

Uye chengetedza shanduko ...

Pasina software = zvimwe chengetedzo:

Deredza nhamba yemapakeji akaiswa. Ingoisa izvo zvaunoda uye kana uchizorega kushandisa imwe, zvakanak kuibvisa. Iyo shoma software yauinayo, kushomeka kushoma. Rangarira icho. Izvozvowo ini ndinokuraira iwe nemasevhisi kana madhimoni ezvimwe zvirongwa zvinomhanya kana sisitimu yatanga. Kana ukasashandisa, zviise mu "off" mode.

Chengetedza zvakachengeteka ruzivo:

Paunodzima ruzivo ye diski, memori kadhi kana chikamu, kana kungori faira kana dhairekitori, zviite zvakachengeteka. Kunyangwe iwe uchifunga kuti waidzima, inogona kupora zviri nyore. Kungofanana nemuviri hazvibatsiri kukanda gwaro rine data rako wega mumarara, nekuti mumwe munhu anogona kuriburitsa mumudziyo wobva wariona, saka unofanirwa kuparadza bepa, chinhu chimwe chete ichi chinoitika mukomputa. Semuenzaniso, unogona kuzadza ndangariro neakasarudzika kana null data kuti unyorwe data rausingade kufumura. Kune izvi iwe unogona kushandisa (kuti ishande iwe unofanirwa kuimhanya neropafadzo uye kutsiva / dev / sdax nechishandiso kana chidimbu chaunoda kuita pane yako ...):

dd if=/dev/zeo of=/dev/sdax bs=1M
dd if=/dev/unrandom of=/dev/sdax bs=1M

Kana zvauri kuda zviripo bvisa yakatarwa faira zvachose, unogona kushandisa "shred". Semuenzaniso, fungidzira kuti iwe unoda kudzima iyo faira inonzi passwords.txt paunenge uine system password mapassword akanyorwa. Tinogona kushandisa shred uye kunyora pamusoro semuenzaniso makumi maviri nematanhatu pamusoro kuvimbisa kuti haigone kudzorerwa mushure mekudzimwa:

shred -u -z -n 26 contraseñas.txt

Kune zvishandiso zvakaita seHardWipe, Eraser kana Yakachengeteka Delete iyo iwe yaunogona kuisa kune "Pukuta" (zvachose bvisa) ndangariro, SWAP zvikamu, RAM, nezvimwe.

Maakaundi evashandisi uye mapassword:

Natsiridza iyo password system nemidziyo senge S / KEY kana SecurID kugadzira inesimba password password. Ita shuwa kuti hapana password yakanyorwa mukati me / etc / passwd dhairekitori. Tinofanira kushandisa zvirinani / etc / shadow. Kune izvi unogona kushandisa "pwconv" uye "grpconv" kugadzira vashandisi vatsva nemapoka, asi uine password yakavanzwa. Chimwe chinhu chinonakidza kugadzirisa iyo / etc / default / passwd faira kuti upedze mapassword ako uye nekumanikidza iwe kuti uvamise nguva nenguva. Saka kana vakawana password, haizogara nekusingaperi, nekuti iwe unozoichinja kazhinji. Ne iyo /etc/login.defs faira iwe unogona zvakare kusimbisa iyo password system. Rigadzirise, uchitsvaga iyo PASS_MAX_DAYS uye PASS_MIN_DAYS yekupinda kudoma iwo mashoma uye akakurisa mazuva ayo password inogona kugara isati yapera. PASS_WARN_AGE inoratidza meseji yekukuzivisa iwe kuti password ichapera mumazuva X munguva pfupi. Ini ndinokuraira kuti iwe uone bhuku remafaira pane iyi faira, nekuti zvinyoro zvakawandisa.

ari maakaunzi asiri kushandiswa uye ivo varipo mu / etc / passwd, ivo vanofanirwa kuve neiyo Shell inoshanduka / bin / nhema. Kana iri imwe, chinja iyi. Nenzira iyoyo ivo havagone kushandiswa kuwana goko. Izvo zvakare zvinonakidza kugadzirisa iyo PATH inoshanduka mune yedu terminal kuti dhairekitori razvino "." Irege kuoneka. Ndokunge, inofanirwa kuchinja kubva ku "./user/local/sbin/: usr/local/bin / usr / bin: / bin ”.

Zvinokurudzirwa kuti ushandise Kerberos senge network sisitimu nzira.

PAM (Inogoneka Yekusimbisa Module) icho chinhu chakadai seMicrosoft Active Directory. Inopa yakajairika, inochinja sisitimu yekusimbisa ine yakajeka yakajeka. Iwe unogona kutarisa iyo /etc/pam.d/ dhairekitori uye nekutsvaga ruzivo pawebhu. Zvakanyatsojeka kutsanangura apa ...

Chengeta zveropafadzo ye madhairekitori akasiyana. Semuenzaniso, / mudzi unofanirwa kuve wemudzidzi wemidzi uye neboka remidzi, ine "drwx - - - - - -" mvumo. Iwe unogona kuwana ruzivo pawebhu nezve izvo zvinotendera dhairekitori yega yega muLinux dhairekitori muti unofanirwa kuve nawo Kugadziriswa kwakasiyana kunogona kuve nenjodzi.

Encrypt yako data:

Inonyora zvirimo mune dhairekitori kana chikamu kwaunenge uine ruzivo rwakakodzera. Kune izvi unogona kushandisa LUKS kana neCryptFS. Semuenzaniso, fungidzira isu tinoda kunyorera / imba yemushandisi anonzi isaac:

sudo apt-get install ecryptfs-utils
ecryptfs-setup-private
ecryptfs-migrate-home -u isaac

Mushure mezviri pamusoro, ratidza passphrase kana password kana wabvunzwa ...

Kugadzira a dhairekitori repachivandeSemuenzaniso inonzi "yakavanzika" tinogona zvakare kushandisa eCryptFS. Mune dhairekitori iro tinokwanisa kuisa zvinhu izvo zvatinoda kunyorera kuti zvibvise kubva pakuona kwevamwe:

mkdir /home/isaac/privado
chmod 700 /home/isaac/privado
mount -t ecryptfs /home/isaa/privado

Izvo zvichatibvunza mibvunzo nezve akasiyana parameter. Kutanga, ichatibvumidza isu kusarudza pakati pemapassword, OpenSSL, ... uye isu tinofanirwa kusarudza 1, ndokuti, "passphrase". Ipapo isu tinopinda password isu yatinoda kaviri kuti tiongorore. Mushure meizvozvo, isu tinosarudza mhando yekunyorwa kwatinoda (AES, Blowfish, DES3, CAST, ...). Ini ndaizosarudza yekutanga, AES uye tobva tazivisa iyo byte mhando yekiyi (16, 32 kana 64). Uye pakupedzisira tinopindura mubvunzo wekupedzisira na "hongu". Iye zvino unogona kukwira uye kudzikisa dhairekitori iri kuti urishandise.

Kana uchingoda encrypt chaiyo mafaira, unogona kushandisa scrypt kana PGP. Semuenzaniso, iyo faira inonzi passwords.txt, unogona kushandisa inotevera mirairo kunyorera uye kudonhedza zvichiteerana (mune mbiri zviitiko zvinokumbira iwe password):

scrypt <contraseñas.txt>contraseñas.crypt
scrypt <contraseñas.crypt>contraseñas.txt

Nhanho-mbiri yekuongorora neGoogle Authenticator:

Google AUthenticator muUbutnu terminal

Wedzera maviri-nhanho kusimbiswa mune yako system. Nekudaro, kunyangwe password yako yakabiwa, ivo havazowana mukana kune yako system. Semuenzaniso, yeUbuntu nenzvimbo yayo yeUbatanidzwa tinogona kushandisa LightDM, asi misimboti inogona kutumirwa kune mamwe ma distros. Iwe uchazoda piritsi kana smartphone yeizvi, mairi unofanira kuisa Google Authenticator kubva kuGoogle Store. Zvino paPC, chinhu chekutanga kuita kuisa Google Authenticator PAM uye woitangisa.

sudo apt-get install libpam-google-authenticator
google-authenticator

Paunotibvunza kana kiyi dzekuvimbisa dzichienderana nenguva, tinopindura tichisimbisa ne y. Iye zvino zvinotiratidza kodhi yeQR yekuzivikanwa nayo Google Authenticator Kubva pane yako smartphone, imwe sarudzo ndeyekuisa iyo yakavanzika kiyi yakananga kubva kuapp (ndiyo yakaonekwa paPC se "Chakavanzika chako chitsva chiri:"). Uye ichatipa akateedzana emakodhi kuitira kana tikasatakura iyo smartphone nesu uye kuti zvingave zvakanaka kuva nazvo mupfungwa kuitira nhunzi. Uye isu tinoramba tichipindura neon zvinoenderana nezvatinoda.

Iye zvino tinovhura (pamwe nano, gedit, kana yako yaunofarira mavara edhita) iyo gadziriso faira na:

sudo gedit /etc/pam.d/lightdm

Uye isu tinowedzera mutsetse:

auth required pam_google_authenticator.so nullok

Isu tinochengetedza uye inotevera nguva yaunopinda mairi, inotibvunza isu iyo kiyi yekuongorora iyo nharembozha yedu ichagadzira kwatiri.

Kana rimwe zuva unoda kubvisa nhanho-mbiri yekuongorora, iwe unongofanirwa kudzima mutsara "auth inodiwa pam_google_authenticator.so nullok" kubva kufaira /etc/pam.d/lightdm
Rangarira, kungwara uye kungwarira ndiyo shamwari yakanakisa. Iyo GNU / Linux nharaunda yakachengeteka, asi chero komputa yakabatana kunetiweki haisisina kuchengetedzeka, kunyangwe hazvo mashandiro ehurongwa aunoshandisa. Kana iwe uine chero mibvunzo, matambudziko kana mazano, unogona kusiya yako tsanangura. Ndinovimba zvinobatsira…


Izvo zviri muchinyorwa zvinoomerera pamisimboti yedu ye tsika dzekunyora. Kuti utaure chikanganiso tinya pano.

Mhinduro, siya zvako

Siya yako yekutaura

Your kero e havazobvumirwi ichibudiswa.

*

*

  1. Inotarisira data: AB Internet Networks 2008 SL
  2. Chinangwa cheiyo data: Kudzora SPAM, manejimendi manejimendi.
  3. Legitimation: Kubvuma kwako
  4. Kutaurirana kwedata
  5. Dhata yekuchengetedza: Dhatabhesi inobatwa neOccentus Networks (EU)
  6. Kodzero: Panguva ipi neipi iwe unogona kudzora, kupora uye kudzima ruzivo rwako

  1.   Nuria akadaro

    Mhoro zvakanaka, tarisa ndinopindura; Ini ndaisa google-authenticator pane Raspbian pasina dambudziko uye iyo mobile application inonyoresa zvakanaka uye inondipa iyo kodhi, asi kana uchitangazve rasipiberi uye uchitangazve sisitimu haina kundikumbira kuti ndipinze iyo mbiri yekusimbisa kodhi Inongotaridza kwandiri chete kuisa zita rekushandisa uye password.

    Kutenda kwazvo. Shuwiro yakanakisa.