I-Linux Hardenining: Iingcebiso zokuKhusela i-Distro yakho kunye nokuKwenza ukuba ikhuseleke ngakumbi

Amanqaku amaninzi apapashiwe Ulwabiwo lweLinux ezikhuselekileyo, ezinje nge TAILS (eqinisekisa imfihlo yakho kunye nokungaziwa kwiwebhu), iWhonix (iLinux yokhuseleko paranoid) kunye nezinye i-distros ezijolise kukhuseleko Kodwa ke, ayingabo bonke abasebenzisi abafuna ukusebenzisa olu lwabiwo. Kungenxa yoko le nto kweli nqaku siza kunika uthotho lweengcebiso nge «Ukuqina kweLinux«, Oko kukuthi, yenza i-distro yakho (nokuba yeyiphi na) ikhuseleke ngakumbi.

I-Red Hat, i-SUSE, i-CentOS, i-OpenSUSE, i-Ubuntu, i-Debian, i-Arch Linux, i-Linux Mint, ... wenza mahluko mni. Nakuphi na ukuhanjiswa kungakhuseleka njengeyona ikhuselekileyo ukuba uyazi ngokunzulu kwaye uyazi ukuba ungazikhusela njani kwiingozi ezikoyikisayo. Kwaye oku, kunokwenzeka ukuba usebenze kumanqanaba amaninzi, hayi kwinqanaba lesoftware kuphela, kodwa nakwinqanaba lehardware.

Imivundla yokhuseleko oluqhelekileyo:

Kweli candelo ndiza kukunika ezinye iingcebiso ezisisiseko kwaye zilula ezingadingi ulwazi lwekhompyuter ukuziqonda, ziyingqondo eqhelekileyo kodwa ngamanye amaxesha asizenzi ngenxa yokungakhathali okanye ukungakhathali:

• Sukufaka idatha yobuqu okanye ethe-ethe kwilifu. Ilifu, nokuba likhululekile okanye cha kwaye likhuselekile okanye lingaphantsi, sisixhobo esihle sokuba idatha yakho ifumaneke naphi na apho uya khona. Kodwa zama ukungafaki idatha ongafuniyo "ukwabelana" ngayo nabantu ababukeleyo. Olu hlobo lwedatha ebuthathaka ngakumbi kufuneka lwenziwe ngendlela yobuqu, njengekhadi le-SD okanye ipendrive.
• Ukuba usebenzisa ikhompyuter ukufikelela kwi-Intanethi kwaye usebenze ngedatha ebalulekileyo, umzekelo, cinga ukuba ujoyine i-crade ye-BYOD kwaye weza nedatha yekhaya. Ewe, kwezi meko zeemeko, musa ukusebenza kwi-intanethi, zama ukunqanyulwa (kutheni ufuna ukuba uqhagamshelwe ekusebenzeni ngokomzekelo ngeLibreOffice yokuhlela isicatshulwa?). Ikhompyuter eqhawuliweyo yeyona ikhuselekileyo, khumbula oko.
• Inxulumene noku kungasentla, ungashiyi idatha ebalulekileyo kwihard drive yendawo xa usebenza kwi-Intanethi. Ndikucebisa ukuba ube ne-hard drive yangaphandle okanye olunye uhlobo lweememori (iimemori khadi, ukuqhuba kweepeni, njl.njl.) Onolu lwazi. Yiyo ke le nto siza kubeka umqobo phakathi kwezixhobo zethu ezixhumeneyo kunye nememori "engadityaniswanga" apho kukho idatha ebalulekileyo.
• Yenza ikopi yogcino yedatha ocinga ukuba inomdla okanye awufuni kuphulukana nayo. Xa besebenzisa ubungozi ekungeneni ikhompyuter yakho kwaye bandise amalungelo, umhlaseli uya kuba nakho ukucima okanye ukusebenzisa nayiphi na idatha ngaphandle kwezithintelo. Kungenxa yoko le nto kungcono ukuba ne-backup.
• Musa ukushiya idatha malunga namanqaku akho abuthathaka kwiiforamu okanye izimvo kwiwebhu. Ukuba umzekelo uneengxaki zokhuselo kwikhompyuter yakho kwaye inezibuko ezivulekileyo ofuna ukuzivala, ungashiyi ingxaki yakho kwiforum yoncedo, kuba inokusetyenziswa ngokuchasene nawe. Umntu oneenjongo ezimbi unokusebenzisa olo lwazi ukukhangela ixhoba lakhe elifanelekileyo. Kungcono ufumane itekhnoloji ethembekileyo yokukunceda uzisombulule. Kuqhelekile ukuba iinkampani zithumele kwiintengiso ze-Intanethi ezinje "Ndifuna ingcali yezokhuseleko ye-IT" okanye "Abasebenzi bayadingeka kwisebe lezokhuseleko." Oku kungabonisa ubuthathaka obunokubakho kwinkampani ekuthethwa ngayo kwaye umntu osebenzisa i-cybercriminal angasebenzisa ezi ntlobo zamaphepha ukukhangela amaxhoba alula ... Ukuba semngciphekweni kwale nguqulo. Ngamafutshane, okukhona umhlaseli engazi ngawe, kokukhona kuya kusiba nzima kuye ukuba ahlasele. Gcina ukhumbula ukuba abahlaseli bahlala beqhuba inkqubo ngaphambi kohlaselo olubizwa ngokuba "kukuqokelelwa kolwazi" kwaye kubandakanya ukuqokelela ulwazi malunga nexhoba elinokusetyenziswa ngokuchasene nabo.
• Gcina izixhobo zakho zihlaziywa Ngohlaziyo lwamva nje kunye neepatches, khumbula ukuba kwizihlandlo ezininzi, ezi aziphuculi ukusebenza kuphela, zikwalungisa ii-bugs kunye nokuba semngciphekweni ukuze zingasetyenziswa.
• Sebenzisa ipassword eyomeleleyo. Ungaze ubeke amagama akwisichazi-magama okanye amagama agqithisiweyo anjenge-12345, kuba ngohlaselo lwesichazi-magama banokususwa ngokukhawuleza. Kwakhona, musa ukushiya iipassword ngokungagqibekanga, kuba ziyafumaneka ngokulula. Ungayisebenzisi imihla yokuzalwa, amagama ezihlobo, izilwanyana zasekhaya okanye malunga nezinto ozithandayo. Ezo ntlobo zeepassword zinokuqikelelwa ngokulula yinjineli yentlalo. Kungcono ukusebenzisa iphasiwedi ende enamanani, oonobumba abakhulu kunye noonobumba abancinci, kunye neesimboli. Kwakhona, musa ukusebenzisa iipassword eziyintloko kuyo yonke into, oko kukuthi, ukuba uneakhawunti ye-imeyile kunye neseshoni yenkqubo yokusebenza, musa ukusebenzisa efanayo kuzo zombini. Le nto ikwiWindows 8 abayijijeleyo ukuya ezantsi, kuba igama lokugqitha lokungena lifana neakhawunti yakho yeHotmail / Outlook. Igama eligqithisiweyo elikhuselekileyo lolu hlobo: "auite3YUQK && w-". Ngamandla angenangqondo anokufezekiswa, kodwa ixesha elinikezelwe kuyo liyenza ukuba ingakufanelekeli ...
• Sukufaka iiphakheji kwimithombo engaziwayo kwaye ukuba kunokwenzeka. Sebenzisa iiphakheji zemithombo yeekhowudi kwiwebhusayithi esemthethweni yenkqubo ofuna ukuyifaka. Ukuba iipakeji ziyathandabuza, ndincoma ukuba usebenzise indawo yesanti enjengeGlimpse. Into oza kuyiphumeza kukuba zonke izicelo ozifakayo kwiGlimpse zinokuqhuba ngesiqhelo, kodwa xa uzama ukufunda okanye ukubhala idatha, kubonakala kuphela kwindawo yebhokisi yesanti, ukwahlula inkqubo yakho kwiingxaki.
• Sebenzisa amalungelo enkqubo kancinci kangangoko. Kwaye xa ufuna amalungelo omsebenzi, kuyacetyiswa ukuba usebenzise u "sudo" ngokukhethekileyo ngaphambi kwe "su".

Ezinye iingcebiso zobuchwephesha:

Ukongeza kwingcebiso ebonwe kwicandelo elidlulileyo, kuyacetyiswa kakhulu ukuba ulandele la manyathelo alandelayo ukwenza i-distro yakho ikhuseleke nangakumbi. Gcina ukhumbula ukuba ukuhanjiswa kwakho kunokuba njalo ndikhuselekile njengoko ufunaNdiyathetha, ixesha elininzi olichitha ekuqwalaseleni nasekukhuseleni, kungcono.

Iindawo zokukhusela kwiLinux kunye neFirewall / UTM:

Sebenzisa SELinux okanye AppArmor ukomeleza iLinux yakho. Ezi nkqubo zintsonkothile, kodwa ungabona iincwadana ezinokukunceda kakhulu. I-AppArmor inokuthintela nokuba zicelo ezibuthathaka kuxhaphazo kunye nezinye izinto ezingafunekiyo zenkqubo. IArmArmor ibandakanyiwe kwiKernel kernel njengakwinguqulo 2.6.36. Ifayile yoqwalaselo igcinwe kwi /etc/apparmor.d

Vala onke amazibuko ongawasebenzisiyo rhoqo. Kuya kuba lunomdla nokuba unayo i-Firewall ebonakalayo, yeyona nto ilungileyo. Olunye ukhetho kukunikezela ngesixhobo esidala okanye esingasetyenziswanga ukwenza i-UTM okanye iFirewall yenethiwekhi yakho yasekhaya (ungasebenzisa ulwabiwo olunje nge-IPCop, m0n0wall, ...). Unokucwangcisa iptables ukucoca into ongayifuni. Ukuzivala ungasebenzisa "iptables / netfilter" edibanisa i-kernel yeLinux uqobo. Ndikucebisa ukuba ubonane nencwadana yemigaqo kwi-netfilter kunye nee-iptables, kuba zinzima kwaye azinakucaciswa kwinqaku. Ungazibona izibuko ozivulileyo ngokuchwetheza kwisiphelo sendlela:

netstat -nap

Ukukhuselwa ngokwasemzimbeni kwezixhobo zethu:

Unokukhusela kwakhona ikhompyuter yakho kwimeko apho ungathembi mntu okujikelezileyo okanye kufuneka ushiye ikhompyuter yakho kwenye indawo kufikelela abanye abantu. Ngale nto unokukhubaza ukuqala kwezinye iindlela ngaphandle kwehard drive yakho I-BIOS / UEFI kunye negama eligqithisiweyo likhusela i-BIOS / UEFI ukuze bangabi nako ukuyiguqula ngaphandle kwayo. Oku kuya kuthintela umntu ukuba angathathi i-USB esebenzayo okanye i-hard drive yangaphandle enesistim yokusebenza efakiweyo kwaye akwazi ukufikelela kwidatha yakho kuyo, ngaphandle kokungena kwi-distro yakho. Ukuyikhusela, fikelela kwi-BIOS / UEFI, kwicandelo lezoKhuseleko ungongeza iphasiwedi.

Unokwenza okufanayo nge I-GRUB, ikhusela ngephasiwedi:

grub-mkpasswd-pbkdf2

Ngenisa i iphasiwedi yeGRUB uyafuna kwaye iya kufakwa kwikhowudi kwi-SHA512. Emva koko khuphela iphasiwedi ebhaliweyo (leyo ibonakala kwi "PBKDF2 yakho") ukuyisebenzisa kamva:

sudo nano /boot/grub/grub.cfg

Yenza umsebenzisi ekuqaleni kwaye ubeke ifayile ye- igama eligqithisiweyo. Umzekelo, ukuba igama eligqithisiweyo ebelikopishwe ngaphambili belingu "grub.pbkdf2.sha512.10000.58AA8513IEH723":

set superusers=”isaac”
password_pbkdf2 isaac grub.pbkdf2.sha512.10000.58AA8513IEH723

Kwaye ugcine utshintsho ...

Isoftware encinci = ukhuseleko ngakumbi:

Nciphisa inani leephakeji ezifakiweyo. Faka kuphela ezo uzifunayo kwaye ukuba uza kuyeka ukusebenzisa enye, kungcono ukuyikhupha. Isoftware encinci onayo, ubuthathaka obuncinci. Yikhumbule. Ndikwacebisa ngeenkonzo okanye iidemoni zeenkqubo ezithile ezisebenzayo xa kuqala inkqubo. Ukuba awuzisebenzisi, zifake kwi "off" mode.

Cima ngokukhuselekileyo ulwazi:

Xa ucima ulwazi wediski, imemori khadi okanye isahlulelo, okanye ifayile okanye isikhombisi, yenze ngokukhuselekileyo. Nokuba ucinga ukuba uyicimile, inokufunyanwa ngokulula. Njengomzimba awuloncedo ukuphosa uxwebhu ngedatha yobuqu enkunkumeni, kuba umntu angayikhupha kwisikhongozeli ayibone, ke kuya kufuneka ulitshabalalise iphepha, kwenzeka into efanayo kwikhompyuter. Umzekelo, ungagcwalisa imemori ngokungacwangciswanga okanye ngedatha yokubhala ngaphezulu kwedatha ongafuni kuyibhengeza. Ngale nto ungayisebenzisa (ukuze isebenze kufuneka uyiqhube ngamalungelo kwaye ubeke endaweni yakho / i-dev / sdax ngesixhobo okanye ulwahlulo ofuna ukwenza kulo kwimeko yakho ...):

dd if=/dev/zeo of=/dev/sdax bs=1M
dd if=/dev/unrandom of=/dev/sdax bs=1M

Ukuba ufuna ntoni cima ifayile ethile ngonaphakade, ungasebenzisa "ukukrazula". Umzekelo, khawufane ucinge ukuba ufuna ukucima ifayile ebizwa ngokuba zii-passwords.txt apho ubhale khona ipassword yenkqubo. Singasebenzisa ukukrola kunye nokubhala ngaphezulu amaxesha angama-26 ngaphezulu ukuqinisekisa ukuba ayinakufunyanwa emva kokucinywa:

shred -u -z -n 26 contraseñas.txt

Kukho izixhobo ezinje ngeHardWipe, i-Eraser okanye uKhuseleko oluKhuselekileyo onokuzifaka kuyo "Sula" (susa umphelo) iinkumbulo, Izahlulo ze-SWAP, i-RAM, njl.

Iiakhawunti zomsebenzisi kunye neephasiwedi:

Ukuphucula inkqubo yegama eligqithisiweyo ngezixhobo ezinjenge-S / KEY okanye i-SecurID ukwenza iskimu segama eligqithisiweyo. Qiniseka ukuba akukho gama libhalwe ngokufihlakeleyo kulawulo lwe / etc / passwd. Kuya kufuneka sisebenzise ngcono / etc / shadow. Kule nto ungasebenzisa "pwconv" kunye ne "grpconv" ukwenza abasebenzisi kunye namaqela amatsha, kodwa ngegama eligqithisiweyo. Enye into enomdla kukuhlela / njl / / default / passwd fayile ukuphelisa amagama akho okugqithisa kwaye unyanzele ukuba uwahlaziye rhoqo. Ke ukuba bafumana iphasiwedi, ayizukuhlala naphakade, kuba uya kuyitshintsha rhoqo. Ngefayile /etc/login.defs ungomeleza inkqubo yegama eligqithisiweyo. Hlela, ukhangele i-PASS_MAX_DAYS kunye ne-PASS_MIN_DAYS yokungena ukuze uchaze ubuncinci kunye neyona mihla iphezulu iphasiwedi inokuhlala ngaphambi kokuphelelwa. PASS_WARN_AGE ibonisa umyalezo ukukwazisa ukuba igama eligqithisiweyo lizakuphelelwa kwiintsuku ezili-X kungekudala. Ndikucebisa ukuba ubone incwadana malunga nale fayile, kuba amangenelo maninzi kakhulu.

Las iiakhawunti ezingasetyenziswanga kwaye bakho / etc / passwd, Kuya kufuneka babe ne-Shell variable / bin / false. Ukuba yenye, yitshintshele kule. Ngale ndlela azinakusetyenziselwa ukufumana iqokobhe. Kukwanomdla ukuguqula indlela eyahlukileyo ye-PATH kwisiphelo sethu ukuze ulawulo lwangoku "." Lungaveli. Oko kukuthi, kufuneka itshintshe ekubeni "./user/local/sbin/: usr/local/bin : / usr / bin: / bin ”.

Kuya kucetyiswa ukuba usebenzise I-Kerberos njengendlela yokuqinisekisa inethiwekhi.

I-PAM (Imodyuli yoQinisekiso yokuQinisekiswa) yinto efana ne-Microsoft Active Directory. Inika iskimu esiqinisekileyo, esiguqukayo sokungqinisisa kunye nezibonelelo ezicacileyo. Ungajonga kwi /etc/pam.d/ ulawulo kwaye ukhangele ulwazi kwiwebhu. Kubanzi ukucacisa apha ...

Gcina iliso kumalungelo yemikhombandlela eyahlukeneyo. Umzekelo, / ingcambu kufuneka ibe yeyomsebenzisi wengcambu kunye neqela leengcambu, kunye "nedrwx - - - - - -" iimvume. Unokufumana ulwazi kwiwebhu malunga nokuba zeziphi iimvume kulawulo ngalunye kumthi wolawulo lweLinux. Ukucwangciswa okwahlukileyo kunokuba yingozi.

Bethela idatha yakho:

Ubhala imixholo yolawulo okanye isahlulelo apho unolwazi olufanelekileyo. Kule nto ungasebenzisa i-LUKS okanye nge-eCryptFS. Umzekelo, cinga ukuba sifuna ukubethela / kwikhaya lomsebenzisi ogama lingu-isaac:

sudo apt-get install ecryptfs-utils
ecryptfs-setup-private
ecryptfs-migrate-home -u isaac

Emva koku kungasentla, bonisa ibinzana lokugqitha okanye igama eliyimfihlo xa ubuzwa.

Ukwenza a ulawulo lwabucalaUmzekelo obizwa ngokuba "wabucala" sinokusebenzisa i-eCryptFS. Kweso sikhombisi sinokubeka izinto esifuna ukubethela ukuze sizisuse kwimbono yabanye:

mkdir /home/isaac/privado
chmod 700 /home/isaac/privado
mount -t ecryptfs /home/isaa/privado

Iya kusibuza imibuzo malunga neeparameter ezahlukeneyo. Kuqala kuyakusivumela sikhethe phakathi kwephasiwedi, i-OpenSSL, ... kwaye kufuneka sikhethe 1, oko kukuthi, "ibinzana lokugqitha". Emva koko sifaka iphasiwedi esiyifunayo kabini ukuqinisekisa. Emva koko, sikhetha uhlobo lwe-encryption esiyifunayo (AES, Blowfish, DES3, CAST, ...). Ndingakhetha eyokuqala, i-AES kwaye emva koko sazise uhlobo lwe-byte yesitshixo (16, 32 okanye 64). Kwaye ekugqibeleni siphendula umbuzo wokugqibela ngo "ewe". Ngoku unganyusa kwaye wehlise esi sikhombisi ukuze usisebenzise.

Ukuba ufuna nje bhala iifayile ezithile, ungasebenzisa i-scrypt okanye i-PGP. Umzekelo, ifayile ebizwa ngokuba yipassword.txt, ungasebenzisa le miyalelo ilandelayo ukubethela kunye nokususa ukuguqulela ngokulandelelana (kuzo zombini iimeko iya kukucela iphasiwedi):

scrypt <contraseñas.txt>contraseñas.crypt
scrypt <contraseñas.crypt>contraseñas.txt

Ukuqinisekiswa kwamanyathelo amabini kunye nesiQinisekisi sikaGoogle:

Yongeza ukuqinisekiswa kwamanyathelo amabini kwinkqubo yakho. Ke, nokuba iphasiwedi ibiwe, abayi kuba nakho ukufikelela kwinkqubo yakho. Umzekelo, Ubuntu kunye nokusingqongileyo kobunye singasebenzisa i-LightDM, kodwa imigaqo inokuthunyelwa kwelinye i-distros. Uzakufuna ithebhulethi okanye i-smartphone yoku, kuyo kufuneka ufake isiQinisekisi sikaGoogle kwiVenkile yokudlala. Ke kwi-PC, into yokuqala yokwenza kukufaka isiQinisekisi seGoogle PAM kwaye uyiqale:

sudo apt-get install libpam-google-authenticator
google-authenticator

Xa usibuza ukuba izitshixo zokuqinisekisa ziya kusekelwa ngexesha, siphendula ngokuqinisekileyo nge a kunye. Ngoku isibonisa ikhowudi ye-QR ukuba yamkelwe nayo Google Authenticator Ukusuka kwi-smartphone yakho, enye inketho kukufaka isitshixo semfihlo ngqo kwi-app (yile yavela kwi-PC njenge "Imfihlo yakho entsha yile:"). Kwaye iya kusinika uthotho lweekhowudi ukuba asiyiphathi i-smartphone kuthi kwaye kuya kuba kuhle ukuba sizazi engqondweni xa kunokwenzeka iimpukane. Kwaye siyaqhubeka nokuphendula yon yon ngokokhetho lwethu.

Ngoku sivula (nge-nano, gedit, okanye umhleli wombhalo owuthandayo) i ifayile yoqwalaselo no:

sudo gedit /etc/pam.d/lightdm

Kwaye sidibanisa umgca:

auth required pam_google_authenticator.so nullok

Songa kwaye kwixa elizayo xa ungena, iya kusicela ukuba sisebenzise iqhosha lokuqinisekisa ukuba iselfowuni yethu iya kusenzela.

Ukuba ngenye imini Ngaba ufuna ukususa inyathelo elingamanyathelo amabini, kufuneka ucime umgca "u-auth ofunekayo pam_google_authenticator.so nullok" kwifayile /etc/pam.d/lightdm
Khumbula, ingqiqo kunye nokulumkisa ngowona mlingane ubalaseleyo. Indawo ye-GNU / Linux ikhuselekile, kodwa nayiphi na ikhompyuter exhunywe kwinethiwekhi ayisakhuselekanga, nokuba yeyiphi na inkqubo oyisebenzisayo. Ukuba unemibuzo, iingxaki okanye iingcebiso, ungashiya ifayile yakho ye- izimvo. Ndiyathemba iyanceda…