I-Linux Hardenining: amathiphu wokuvikela i-distro yakho futhi uyenze iphephe kakhulu

Izindatshana eziningi zishicilelwe ku- Ukusatshalaliswa kweLinux iphephe kakhulu, njenge-TAILS (eqinisekisa ubumfihlo bakho nokungaziwa kuwebhu), i-Whonix (i-Linux yezokuphepha) nezinye i-distros ezihlose ukuphepha. Kepha-ke, akubona bonke abasebenzisi abafuna ukusebenzisa lokhu kusatshalaliswa. Kungakho kule ndatshana sizonikeza uchungechunge lwezincomo ze- «Ukuqina kweLinux«, Okusho ukuthi, yenza i-distro yakho (noma ngabe yini) iphephe kakhulu.

I-Red Hat, i-SUSE, i-CentOS, i-OpenSUSE, i-Ubuntu, i-Debian, i-Arch Linux, i-Linux Mint, ... kwenza mehluko muni. Noma ikuphi ukusatshalaliswa kungaphepha iphephe kakhulu uma uyazi ngokujula futhi wazi ukuthi ungazivikela kanjani ezingozini ezikusongelayo. Futhi ngalokhu ungasebenza emazingeni amaningi, hhayi kuphela ezingeni lesoftware, kepha nasezingeni le-Hardware.

Onogwaja bokuphepha abajwayelekile:

Kulesi sigaba ngizokunikeza okunye amathiphu ayisisekelo futhi alula kakhulu ezingadingi ulwazi lwekhompyutha ukuziqonda, zingukuqonda okuvamile kepha kwesinye isikhathi asizenzi ngenxa yokunganaki noma ukunganaki:

• Ungafaki idatha yomuntu siqu noma ebucayi efwini. Ifu, kungakhathalekile ukuthi likhululekile noma cha nokuthi liphephe kakhudlwana, liyithuluzi elihle lokulahla idatha yakho nomaphi lapho uya khona. Kepha zama ukungafaki idatha ongafuni "ukuyaba" nabantu ababukele. Lolu hlobo lwedatha ebucayi kakhulu kufanele lwenziwe ngendlela yokuxhumana yomuntu siqu, njengekhadi le-SD noma i-pendrive.
• Uma usebenzisa ikhompyutha ukufinyelela i-Inthanethi futhi usebenza ngemininingwane ebalulekile, isibonelo, cabanga ukuthi ujoyine umkhuba we-BYOD futhi uthathe idatha ethile yebhizinisi wayisa ekhaya. Yebo, kulezi zinhlobo zezimo, ungasebenzi ku-inthanethi, zama ukunqanyulwa (kungani ufuna ukuxhumeka ukuze usebenze ngokwesibonelo ngeLibreOffice ukuhlela umbhalo?). Ikhompyutha exhunyiwe iphephe kakhulu, khumbula lokho.
• Kuhlobene nalokhu okungenhla, ungashiyi idatha ebalulekile ku-hard drive yendawo lapho usebenza ku-inthanethi. Ngincoma ukuthi ube ne-hard drive yangaphandle noma olunye uhlobo lwememori (imemori khadi, amapeni wokushayela, njll.) Onalo lolu lwazi. Ngakho-ke sizobeka umgoqo phakathi kwemishini yethu exhunyiwe nokuthi imemori "engaxhunyiwe" lapho kunemininingwane ebalulekile.
• Yenza amakhophi wesipele yedatha oyibona ithakazelisa noma ungafuni ukuyilahla. Lapho basebenzisa ubungozi ukufaka ikhompyutha yakho futhi bakhuphule amalungelo, umhlaseli uzokwazi ukusula noma aphathe noma iyiphi idatha ngaphandle kwezithiyo. Kungakho kungcono ukuba nesipele.
• Ungashiyi idatha emayelana namaphuzu akho abuthakathaka ezinkundleni noma ukuphawula kuwebhu. Uma ngokwesibonelo unezinkinga zokuphepha kukhompyutha yakho futhi inamachweba avulekile ofuna ukuwavala, ungashiyi inkinga yakho kwisithangami sosizo, ngoba ingasetshenziswa ngokumelene nawe. Umuntu onezinhloso ezimbi angasebenzisa lolo lwazi ukusesha isisulu sakhe esiphelele. Kungcono ukuthi uthole uchwepheshe owethembekile ozokusiza ukuwaxazulula. Kujwayelekile futhi ukuthi izinkampani zifake izikhangiso kwi-Intanethi njengokuthi "Ngifuna uchwepheshe wezokuphepha we-IT" noma "Abasebenzi bayadingeka emnyangweni wezokuphepha." Lokhu kungakhombisa ubuthakathaka obungahle bube khona enkampanini eshiwo futhi i-cybercriminal ingasebenzisa lezi zinhlobo zamakhasi ukubheka izisulu ezilula ... ukuba sengozini kwaleyo nguqulo. Ngamafuphi, lapho umhlaseli engazi ngawe, kuzoba nzima kakhulu ngaye ukuhlasela. Khumbula ukuthi abahlaseli bavame ukwenza inqubo ngaphambi kokuhlaselwa okubizwa ngokuthi "ukuqoqwa kolwazi" futhi kuqukethe ukuqoqa ulwazi mayelana nomuntu ohlukunyezwayo olungasetshenziswa ngokumelene nabo.
• Gcina imishini yakho ivuselelwa Ngezibuyekezo zakamuva nezimagqabhagqabha, khumbula ukuthi ezikhathini eziningi, lokhu akugcini nje ngokuthuthukisa ukusebenza, futhi kulungisa izimbungulu nokuba sengozini ukuze kungaxhashazwa.
• Sebenzisa amaphasiwedi aqinile. Ungalokothi ubeke amagama asesichazamazwini noma kumaphasiwedi afana no-12345, ngoba ngokuhlaselwa kwesichazamazwi kungasuswa ngokushesha. Futhi, ungashiyi amaphasiwedi ngokwakhona, ngoba atholakala kalula. Futhi ungasebenzisi izinsuku zokuzalwa, amagama ezihlobo, izilwane ezifuywayo noma ngokuthanda kwakho. Lezo zinhlobo zamaphasiwedi zingaqagelwa kalula ngabunjiniyela bezenhlalo. Kungcono ukusebenzisa iphasiwedi ende enezinombolo, izinhlamvu ezinkulu nezinhlamvu ezincane, nezimpawu. Ungasebenzisi amaphasiwedi ayinhloko kuyo yonke into, okungukuthi, uma une-akhawunti ye-imeyili kanye neseshini yohlelo lokusebenza, ungasebenzisi okufanayo kubo bobabili. Lokhu yinto ku-Windows 8 abayikhuphule phansi, ngoba iphasiwedi ukungena kuyo ifana ne-akhawunti yakho ye-Hotmail / Outlook. Iphasiwedi evikelekile yohlobo: "auite3YUQK && w-". Ngamandla angenangqondo kungafinyelelwa, kepha isikhathi esinikezelwe kuyo senza kungakufanelekeli ...
• Musa ukufaka amaphakheji avela emithonjeni engaziwa futhi uma kungenzeka. Sebenzisa amaphakheji ekhodi yomthombo kusuka kuwebhusayithi esemthethweni yohlelo ofuna ukulifaka. Uma amaphakheji engabazeka, ngincoma ukuthi usebenzise imvelo ye-sandbox efana ne-Glimpse. Okuzozuza ukuthi zonke izinhlelo ozifaka ku-Glimpse zingasebenza ngokujwayelekile, kepha lapho uzama ukufunda noma ukubhala idatha, kubonakala kuphela ngaphakathi kwemvelo ye-sandbox, kuhlukanisa uhlelo lwakho ezinkingeni.
• Sebenzisa amalungelo wesistimu ngokuncane ngangokunokwenzeka. Futhi lapho udinga amalungelo womsebenzi othile, kunconywa ukuthi usebenzise i- "sudo" okungcono ngaphambi kwe- "su".

Amanye amathiphu wezobuchwepheshe athe xaxa:

Ngaphezu kweseluleko esibonwe esigabeni esedlule, kunconywa kakhulu ukuthi ulandele lezi zinyathelo ezilandelayo ukwenza i-distro yakho iphephe nakakhulu. Khumbula ukuthi ukusatshalaliswa kwakho kungaba uphephe ngendlela ofuna ngayoNgisho, isikhathi esiningi osichitha ekulungiseleleni nasekuvikeleni, siba ngcono.

Amasudi okuphepha ku-Linux naku-Firewall / UTM:

Sebenzisa SELinux noma i-AppArmor ukuqinisa i-Linux yakho. Lezi zinhlelo ziyinkimbinkimbi ngandlela thile, kepha ungabona imanuwali ezokusiza kakhulu. I-AppArmor ingakhawulela ngisho nezinhlelo zokusebenza ezizwelayo ekusetshenzisweni nakwezinye izenzo zenqubo ezingafuneki. I-AppArmor ifakiwe ku-Linux kernel kusukela enguqulweni 2.6.36. Ifayela layo lokumisa ligcinwa ku- /etc/apparmor.d

Vala wonke amachweba ongawasebenzisi njalo. Kungaba okuthokozisayo noma ngabe une-Firewall ebonakalayo, lokho kungcono kakhulu. Enye indlela ukunikela ngemishini yakudala noma engasetshenziswanga ukusebenzisa i-UTM noma iFirewall yenethiwekhi yakho yasekhaya (ungasebenzisa ukwabiwa okufana ne-IPCop, m0n0wall, ...). Ungahlela futhi ama-iptable ukuhlunga ongakufuni. Ukuwavala ungasebenzisa i- "iptables / netfilter" ehlanganisa i-Linux kernel uqobo. Ngincoma ukuthi ubheke amabhukwana ku-netfilter nakuma-iptables, ngoba anzima kakhulu futhi awuchazwanga ku-athikili. Ungabona amachweba owavulile ngokuthayipha ukuphela:

netstat -nap

Ukuvikelwa ngokomzimba kwemishini yethu:

Ungayivikela futhi ikhompyutha yakho uma ungathembi umuntu oseduze kwakho noma kufanele ushiye ikhompyutha yakho kwenye indawo lapho abanye abantu bengayithola. Ngalokhu ungakhubaza i-boot kwezinye izindlela ngaphandle kwe-hard drive yakho kufayela le- I-BIOS / UEFI ne-password kuvikela i-BIOS / UEFI ukuze bangakwazi ukuyiguqula ngaphandle kwayo. Lokhu kuzovimbela umuntu ukuthi athathe i-USB ebhuthayo noma i-hard drive yangaphandle efakwe isistimu yokusebenza futhi akwazi ukufinyelela kwimininingwane yakho, ngaphandle kokungena ngemvume ku-distro yakho. Ukuyivikela, finyelela ku-BIOS / UEFI, esigabeni sokuphepha ungangeza iphasiwedi.

Ungenza okufanayo nge I-GRUB, iyivikela ngephasiwedi:

grub-mkpasswd-pbkdf2

Faka ifayela le- iphasiwedi ye-GRUB ufuna futhi izofakwa ku-SHA512. Bese ukopisha iphasiwedi ebethelwe (leyo evela ku- “PBKDF2 yakho”) ukuze isetshenziswe kamuva:

sudo nano /boot/grub/grub.cfg

Dala umsebenzisi ekuqaleni bese ufaka ifayela le- iphasiwedi ebethelwe. Isibonelo, uma iphasiwedi ekopishwe ngaphambilini bekuthi "grub.pbkdf2.sha512.10000.58AA8513IEH723":

set superusers=”isaac”
password_pbkdf2 isaac grub.pbkdf2.sha512.10000.58AA8513IEH723

Futhi ugcine izinguquko ...

Isoftware encane = ukuphepha okwengeziwe:

Nciphisa inani lamaphakeji afakiwe. Faka kuphela ozidingayo futhi uma uzoyeka ukusebenzisa eyodwa, kungcono ukuyikhipha. Uma une-software encane, uba sengcupheni encane. Khumbula. Okufanayo ngikweluleka ngezinsizakalo noma amademoni ezinhlelo ezithile ezisebenza lapho uhlelo luqala. Uma ungazisebenzisi, zifake kumodi "yokuvala".

Susa imininingwane ngokuphephile:

Lapho ususa imininingwane wediski, imemori khadi noma ukwahlukanisa, noma ifayili noma umkhombandlela, kwenze ngokuphepha. Noma ucabanga ukuthi uyisusile, ingatholwa kalula. Njengoba nje kungasizi ngalutho ukuphonsa idokhumenti enedatha yomuntu siqu kudoti, ngoba othile angayikhipha esitsheni ayibone, ngakho-ke kufanele uchithe iphepha, kwenzeka into efanayo lapho kwenziwa ikhompyutha. Isibonelo, ungagcwalisa inkumbulo ngemininingwane engahleliwe noma engekho ukuze ubhale ngaphezulu idatha ongafuni ukuyiveza. Ngalokhu ungakusebenzisa (ukuze kusebenze kufanele ukusebenzise ngamalungelo futhi ufake esikhundleni / i-dev / sdax ngedivayisi noma ukwahlukanisa ofuna ukukusebenzisela wena ...):

dd if=/dev/zeo of=/dev/sdax bs=1M
dd if=/dev/unrandom of=/dev/sdax bs=1M

Uma okufunayo susa ifayili elithile unomphela, ungasebenzisa i- "shred". Isibonelo, cabanga ukuthi ufuna ukususa ifayela elibizwa nge- passwords.txt lapho ubhale khona amaphasiwedi wohlelo. Singasebenzisa ukukhipha nokubhala ngaphezulu izikhathi ezingama-26 ngaphezulu ukuqinisekisa ukuthi ayikwazi ukubuyiselwa ngemuva kokususwa:

shred -u -z -n 26 contraseñas.txt

Kunamathuluzi afana ne-HardWipe, Eraser noma i-Secure Delete ongayifaka kuwo Izinkumbulo "Sula" (unomphela), Ukwahlukaniswa kwe-SWAP, i-RAM, njll.

Ama-akhawunti womsebenzisi namaphasiwedi:

Thuthukisa uhlelo lwephasiwedi ngamathuluzi afana ne-S / KEY noma i-SecurID ukudala uhlelo lwephasiwedi olunamandla. Qiniseka ukuthi ayikho iphasiwedi ebethelwe kumkhombandlela we / etc / passwd. Kufanele sisebenzise kangcono / etc / shadow. Ngalokhu ungasebenzisa i- "pwconv" ne- "grpconv" ukudala abasebenzisi namaqembu amasha, kepha nge-password efihliwe. Enye into ethokozisayo ukuhlela ifayela le- / etc / default / passwd Ukuphelelwa yisikhathi ngama-password akho bese ukuphoqa ukuthi uwavuselele ngezikhathi ezithile. Ngakho-ke uma bethola iphasiwedi, ngeke ihlale unomphela, ngoba uzoyishintsha njalo. Ngefayela le- /etc/login.defs futhi ungaqinisa uhlelo lwephasiwedi. Hlela, ubheke okufakwayo kwe-PASS_MAX_DAYS ne-PASS_MIN_DAYS ukucacisa ubuncane nezinsuku eziphezulu iphasiwedi engazihlala ngaphambi kokuphelelwa yisikhathi. I-PASS_WARN_AGE ibonisa umyalezo wokukwazisa ukuthi iphasiwedi izophelelwa yisikhathi ezinsukwini ezingu-X kungekudala. Ngikweluleka ukuthi ubone imanuwali kuleli fayela, ngoba okufakiwe kuningi kakhulu.

I-Las ama-akhawunti angasetshenziswanga futhi bakhona ku / etc / passwd, kufanele babe ne-Shell variable / bin / false. Uma kungenye, yishintshe ibe lena. Ngaleyo ndlela ngeke zisetshenziselwe ukuthola igobolondo. Kuyathakazelisa futhi ukuguqula ukuguquguquka kwe-PATH esigungwini sethu ukuze umkhombandlela wamanje "." Ungaveli. Okusho ukuthi, kufanele iguquke isuke ku- “./user/local/sbin/:/usr/local/bin:/usr/bin:/bin” iye ku “/ user / local / sbin /: / usr / local / bin: / usr / bin: / bin ”.

Kunganconywa ukuthi usebenzise i- I-Kerberos njengendlela yokuqinisekisa inethiwekhi.

I-PAM (Imodyuli Yokufakazela Ukuxhuma) kuyinto efana ne-Microsoft Active Directory. Inikeza uhlelo olujwayelekile, oluguquguqukayo lokuqinisekisa olunezinzuzo ezicacile. Ungabheka umkhombandlela we /etc/pam.d/ bese useshe imininingwane kuwebhu. Kubanzi impela ukuchaza lapha ...

Gcina iso kumalungelo yezinkomba ezihlukile. Isibonelo, impande kufanele ibe ngeyomsebenzisi wezimpande neqembu lempande, ngezimvume ze- "drwx - - - - - -". Ungathola imininingwane kuwebhu mayelana nokuthi yiziphi izimvume isiqondisi ngasinye esihlahleni somhlahlandlela we-Linux okufanele sibe naso. Ukucushwa okwehlukile kungaba yingozi.

Bethela idatha yakho:

Ibhala ngemibhalo okuqukethwe kwesiqondisi noma ukwahlukanisa lapho unemininingwane efanele khona. Ngalokhu ungasebenzisa i-LUKS noma nge-eCryptFS. Isibonelo, ake ucabange ukuthi sifuna ukubethela / ikhaya lomsebenzisi ogama lakhe lingu-isaac:

sudo apt-get install ecryptfs-utils
ecryptfs-setup-private
ecryptfs-migrate-home -u isaac

Ngemuva kwalokhu okungenhla, bonisa umushwana wokungena noma iphasiwedi uma ubuzwa ...

Ukwakha a isiqondisi sangaseseIsibonelo esibizwa ngokuthi "okuyimfihlo" singasebenzisa futhi i-eCryptFS. Kuleso sikhombisi singabeka izinto esifuna ukubethela ukuze sizisuse ekubukeni kwabanye:

mkdir /home/isaac/privado
chmod 700 /home/isaac/privado
mount -t ecryptfs /home/isaa/privado

Izosibuza imibuzo mayelana nemingcele ehlukene. Okokuqala, kuzosivumela sikhethe phakathi kwamaphasiwedi, i-OpenSSL, ... futhi kufanele sikhethe 1, okungukuthi, "umushwana wokungena". Ngemuva kwalokho sifaka iphasiwedi esiyifuna kabili ukuqinisekisa. Ngemuva kwalokho, sikhetha uhlobo lokubethela esilifunayo (i-AES, i-Blowfish, i-DES3, i-CAST, ...). Ngingakhetha eyokuqala, i-AES bese sethula uhlobo lwe-byte lokhiye (16, 32 noma 64). Futhi ekugcineni siphendula umbuzo wokugcina ngo "yebo". Manje usungakhweza futhi wehlise lo mkhombandlela ukuze uwusebenzise.

Uma ufuna nje ngemfihlo amafayela athile, ungasebenzisa i-scrypt noma i-PGP. Isibonelo, ifayela elibizwa nge-passwords.txt, ungasebenzisa imiyalo elandelayo ukubhala ngemfihlo nokubethela ngokulandelana (kuzona zombili izimo kuzokucela iphasiwedi)

scrypt <contraseñas.txt>contraseñas.crypt
scrypt <contraseñas.crypt>contraseñas.txt

Ukuqinisekiswa kwezinyathelo ezimbili nge-Google Authenticator:

Faka ukuqinisekiswa okuyizinyathelo ezimbili kusistimu yakho. Ngakho-ke, noma ngabe iphasiwedi yakho yebiwe, ngeke bakwazi ukufinyelela ohlelweni lwakho. Isibonelo, ku-Ubuntu nemvelo yayo yobumbano singasebenzisa i-LightDM, kepha imigomo ingathunyelwa kwamanye ama-distros. Uzodinga ithebhulethi noma i-smartphone yalokhu, kuyo kufanele ufake isiqinisekisi seGoogle kusuka ku-Google Play Isitolo. Ngemuva kwalokho kwi-PC, into yokuqala ukufaka i-Google Authenticator PAM bese uyiqala:

sudo apt-get install libpam-google-authenticator
google-authenticator

Uma usibuza ukuthi okhiye bokuqinisekisa bazosuselwa esikhathini, siphendula ngokuqiniseka nge-a. Manje isikhombisa ikhodi ye-QR ezokwaziwa ngayo I-Google Authenticator Kusuka ku-smartphone yakho, enye inketho ukufaka ukhiye oyimfihlo ngqo kusuka kuhlelo lokusebenza (yiwo ovele kwi-PC ngokuthi "Imfihlo yakho entsha ngu:"). Futhi izosinika uchungechunge lwamakhodi uma kwenzeka singayiphathi i-smartphone nathi futhi kungaba kuhle ukuyikhumbula uma kwenzeka izimpukane. Futhi siyaqhubeka nokuphendula nawe ngokuya ngokuthanda kwethu.

Manje sesivula (nge-nano, gedit, noma umhleli wombhalo wakho owuthandayo) the ifayela lokumisa no:

sudo gedit /etc/pam.d/lightdm

Futhi sengeza umugqa:

auth required pam_google_authenticator.so nullok

Songa futhi ngokuzayo lapho ungena ngemvume, izosicela ifayili le- ukhiye wokuqinisekisa ukuthi iselula yethu izosikhiqizela yona.

Uma usuku olulodwa ufuna ukususa ukuqinisekiswa okuzinyathelo ezimbili, kufanele ususe umugqa "i-auth edingekayo pam_google_authenticator.so nullok" kufayela /etc/pam.d/lightdm
Khumbula, ukusebenzisa ingqondo nokuqapha kuyisihlobo esingcono kakhulu. Imvelo ye-GNU / Linux ivikelekile, kepha noma iyiphi ikhompiyutha exhunywe kunethiwekhi ayisaphephile, noma ngabe uhlelo olusebenzisayo lusebenza kahle kangakanani. Uma unemibuzo, izinkinga noma iziphakamiso, ungashiya i- i-comentario. Ngiyethemba kuyasiza…