1. Securing an Ubuntu server

sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt-get autoremove
sudo apt-get autoclean
sudo adduser test  # create an account with the username test
sudo usermod -aG sudo test  # add user test to the sudo group
sudo su - test  # switch to user test
whoami

III. Changing the Linux server's SSH port

sudo systemctl restart ssh
sudo ufw allow <PORT_NUMBER>/tcp
sudo ufw reload
ssh test@server.public.ip.address -p <PORT_NUMBER>
# RSA key
ssh-keygen -t rsa -b 4096
# ed25519 key
ssh-keygen -t ed25519
ssh-copy-id -i $HOME/.ssh/<keyname>.pub test@server.public.ip.address
ssh test@server.public.ip.address
sudo nano /etc/ssh/sshd_config
    - Find the ChallengeResponseAuthentication line and set it to no
    - Find the PasswordAuthentication line and set it to no
    - Find the PermitRootLogin line and set it to prohibit-password
    - Find the PermitEmptyPasswords line and set it to no
sudo systemctl restart sshd.service
ssh -i <path to your SSH_key_name> cardano@server.public.ip.address -p <PORT_NUMBER>  # log in with the key; "cardano" stands for the account you created (test above)
sudo passwd -l root  # lock the root account's password
sudo passwd -u root  # unlock it again if you ever need to
sudo apt-get update 
sudo apt-get install libpam-google-authenticator 
google-authenticator
-  Do you want authentication tokens to be time-based (y/n) Y
-  Do you want me to update your "~/.google_authenticator" file (y/n) Y
-  Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) Y
-  By default, a new token is generated every 30 seconds by the mobile app. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. This allows for a time skew of up to 30 seconds between the authentication server and client. Suppose you experience problems with poor time synchronization. In that case, you can increase the window from its default size of 3 permitted codes (one previous code, the current code, the next code) to 17 permitted codes (the eight previous codes, the current code, and the eight next codes). This will permit a time skew of up to 4 minutes between client and server. Do you want to do so? (y/n) N
-  If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than three login attempts every 30s. Do you want to enable rate-limiting (y/n) Y
sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo nano /etc/pam.d/sshd
sudo nano /etc/ssh/sshd_config
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
sudo systemctl restart sshd.service
sudo nano /etc/ssh/sshd_config
# Add the following line at the end of the file
AuthenticationMethods publickey,password publickey,keyboard-interactive
sudo nano /etc/pam.d/sshd
# Standard Un*x authentication.
#@include common-auth
# Save and close the file, then restart SSH.
sudo systemctl restart sshd.service
https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-18-04#step-3-making-ssh-aware-of-mfa
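The sshd_config edits above are easy to get subtly wrong, because sshd uses the first uncommented value of each keyword (outside Match blocks): a directive appended at the end of the file is ignored if the keyword already appears earlier, and a setting left in a comment does nothing. The following is an added example, not part of the original guide, that audits a config file for this page's final settings; the sample config it writes is constructed for the demonstration and is not a real server's file.

```sh
# Added example, not from the original guide: audit an sshd_config for the
# directives this page sets. sshd uses the FIRST uncommented value of each
# keyword (outside Match blocks), so a line appended at the end of the file
# is ignored if the keyword already appears earlier; the check reads the
# first match, as sshd does.
# sshd_directive FILE KEYWORD -> prints the first effective value (empty if unset)
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
        tolower($1) == "match" { inmatch = 1 }    # per-user/host overrides follow
        !inmatch && tolower($1) == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}
# check_sshd_config FILE -> one line per deviation; returns 0 only when clean.
# Expected values are this page's final state: password login off, root
# key-only, and ChallengeResponseAuthentication back on for the MFA step.
check_sshd_config() {
    rc=0
    while read -r key want; do
        got=$(sshd_directive "$1" "$key")
        if [ "$got" != "$want" ]; then
            printf 'FAIL: %s is "%s", expected "%s"\n' "$key" "${got:-<unset>}" "$want"
            rc=1
        fi
    done <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication yes
PermitRootLogin prohibit-password
PermitEmptyPasswords no
AuthenticationMethods publickey,password publickey,keyboard-interactive
EOF
    return $rc
}
# Constructed sample, not a real server's file: PasswordAuthentication appears
# twice (first value wins) and PermitRootLogin is only set in a comment.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 2222
PasswordAuthentication yes
# PermitRootLogin prohibit-password
ChallengeResponseAuthentication yes
PermitEmptyPasswords no
AuthenticationMethods publickey,password publickey,keyboard-interactive
PasswordAuthentication no
EOF
}
sample=$(mktemp) && write_sample_config "$sample"
check_sshd_config "$sample" || echo "sshd_config still needs attention"
rm -f "$sample"
```

On a live server, run the check against /etc/ssh/sshd_config (or the output of `sshd -T`, which prints the values sshd actually resolved) before restarting the service, so a typo cannot lock you out.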
sudo apt-get install fail2ban -y
sudo nano /etc/fail2ban/jail.local

[sshd]
enabled = true
port = 2222
filter = sshd
bantime = 3600m
logpath = /var/log/auth.log
maxretry = 3
# whitelisted IP addresses, separated by spaces
ignoreip = ....duckdns.org ....duckdns.org xxx.duckdns.org xxx.xxx.xxx.xxyz


# Enable the service
sudo systemctl enable fail2ban
# Restart
sudo systemctl restart fail2ban
# Check status
sudo systemctl status fail2ban
sudo iptables -L -n
sudo fail2ban-client status
fail2ban-client set YOURJAILNAMEHERE (e.g. sshd) unbanip **IP**
sudo fail2ban-client set sshd unbanip xxx.xxx.xxx.xxx
