{"id":232188,"date":"2023-01-22T15:50:00","date_gmt":"2023-01-22T12:50:00","guid":{"rendered":"https:\/\/wordpress.mediadoma.com\/?p=232188"},"modified":"2022-11-10T07:59:53","modified_gmt":"2022-11-10T04:59:53","slug":"kaitske-linuxi-server-keelates-kaugjuurdepaeaesu-ssh-ja-ftp-ja-mysql-andmebaas","status":"publish","type":"post","link":"https:\/\/wordpress.mediadoma.com\/et\/kaitske-linuxi-server-keelates-kaugjuurdepaeaesu-ssh-ja-ftp-ja-mysql-andmebaas\/","title":{"rendered":"Secure a Linux Server by Disabling Remote Root Login (SSH, FTP and MySQL Database)"},"content":{"rendered":"\n<p>From this <a href=\"https:\/\/helloacm.com\/staying-protected-national-cyber-security-awareness\/\" target=\"_blank\" rel=\"noopener nofollow\" class=\"external external_icon\">post<\/a>, we know how important security is. If you manage your own server (VPS, cloud hosting or dedicated server), you must have <strong>root access<\/strong>. Root is like the <strong>Windows Administrator account<\/strong>, only more powerful (you can do basically anything).<\/p>\n<p>There is probably no point in renaming (or hiding) the root account on a Linux system, because many applications\/programs, such as <strong>sendmail<\/strong>, assume that the <strong>root account<\/strong> exists, and things start to break if <strong>root<\/strong> is not found (on Windows, you can rename the <strong>Administrator<\/strong> account). However, you should have, and it is recommended to have, a regular (less powerful) user account for everyday work, so that you do not damage the system when you occasionally make mistakes.<\/p>\n<h3>SSH<\/h3>\n<p>To create a regular user, run the command <strong>sudo adduser nuser<\/strong>, where <strong>nuser<\/strong> is the user account we want to add. 
Follow the prompts to set a password, or you can run <strong>passwd nuser<\/strong> later.<\/p>\n<p>Double-check that you can log in over SSH and switch to <strong>root<\/strong> using <strong>su<\/strong>. Once these are confirmed, edit the file <strong>\/etc\/ssh\/sshd_config<\/strong> with your favourite text editor (e.g. vim). Then find the line <strong>PermitRootLogin yes<\/strong> and change it to <strong>PermitRootLogin no<\/strong>. Restart the SSH server as follows:<\/p>\n<p>After that, any attempt to log in as <strong>root<\/strong> is always denied, which makes the system a bit more secure (as you know, there are many IPs that brute-force and try to hack your root account).<\/p>\n<h3>FTP (vsFTP)<\/h3>\n<p>FTP is not that secure, but if you want to use it, use SFTP or <strong>SSL\/TLS<\/strong> where needed. A popular FTP server on Linux is <strong>vsFTP<\/strong>; after installing it, make sure you also disable root login.<\/p>\n<p>The <strong>vsFTP<\/strong> configuration is located in <strong>\/etc\/vsftp.conf<\/strong>, and you need to make sure the following values are set (they can be added):<\/p>\n<pre><code># no anonymous login plz\nanonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\nuserlist_enable=YES\nuserlist_deny=NO\nuserlist_file=\/etc\/vsftpd.users<\/code><\/pre>\n<p>Create the file <strong>\/etc\/vsftpd.users<\/strong> if it does not exist yet, and add the allowed users to it, one per line. 
Restart vsFTP as follows:<\/p>\n<pre><code>sudo service vsftpd restart<\/code><\/pre>\n<p>If you then try to log in as <strong>root<\/strong>, it is denied with this message:<\/p>\n<pre><code>Connecting to: XXXXXXXXX\n220 (vsFTPd 3.0.2)\nUSER root\n530 Permission denied.\n220 (vsFTPd 3.0.2)\nUSER root\n530 Permission denied.\nCertificate: \nCan't connect\nLastError: 0<\/code><\/pre>\n<h3>MySQL database<\/h3>\n<h4>Disable remote root login<\/h4>\n<p>Remove remote root login from your MySQL database, because it is still a big risk if your root account can be accessed from another machine rather than locally. If you have a dedicated server acting as the database, however, that is another story; in that case you need to strengthen the root password and perhaps use regular accounts for your WordPress or other websites. Make sure you do not simply expose those configuration files (e.g. wp-config.php). Simply make those files non-writable.<\/p>\n<p>Log in to MySQL from the command line and run the following two commands to remove remote root access.<\/p>\n<pre><code>DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');\nflush privileges;<\/code><\/pre>\n<h4>Disable all remote logins<\/h4>\n<p>If you want to disable all remote logins and allow only local connections, you can simply add <strong>skip-networking<\/strong> (or uncomment the line) in the <strong>[mysqld]<\/strong> section of <strong>\/etc\/mysql\/my.cnf<\/strong>.<\/p>\n<pre><code>[mysqld]\nport=3306\nskip-networking<\/code><\/pre>\n<p>Then you need to restart the mysqld daemon.<\/p>\n<pre><code>sudo service mysqld restart<\/code><\/pre>\n<h3>Recommended security configurations for Linux servers<\/h3>\n<ul>\n<li><a href=\"https:\/\/helloacm.com\/why-and-how-to-turn-off-ping-icmp-for-servers\/\" 
target=\"_blank\" rel=\"noopener nofollow\" class=\"external external_icon\">Why and how to turn off ping (ICMP) on Linux servers?<\/a><\/li>\n<\/ul>\n<p><div id=\"PostUnique_PostSource\" style=\"padding-top: 50px\">:  <a target=\"_blank\" rel=\"noopener nofollow\" href=\"\/\/helloacm.com\" class=\"external external_icon\">helloacm.com<\/a><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Secure a Linux Server by Disabling Remote Root Login (SSH, FTP and MySQL Database)<\/p>\n","protected":false},"author":1,"featured_media":224526,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wp_rev_ctl_limit":""},"categories":[718,1065,1029],"tags":[1165],"class_list":["post-232188","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-arendaja","category-arvuti","category-ohutus","tag-affiai-et"],"_links":{"self":[{"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/posts\/232188","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/comments?post=232188"}],"version-history":[{"count":0,"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/posts\/232188\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/media\/224526"}],"wp:attachment":[{"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/media?parent=232188"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/categories?post=232188"},{"taxonomy":"post_tag","embeddable"
:true,"href":"https:\/\/wordpress.mediadoma.com\/et\/wp-json\/wp\/v2\/tags?post=232188"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}