1. N\u00e3o permitir acesso com usu\u00e1rio root<\/strong><\/p>\n Nunca deixe o acesso feito ao seu servidor Linux ser feito via usu\u00e1rio root<\/em>. Prefira, sempre, acessar com um usu\u00e1rio comum e assumir acesso root apenas depois de entrar em seu servidor, usando o comando sudo su, ou com o comando sudo -i (se nosso usu\u00e1rio comum estiver no arquivo de sudoers), ou com o comando su (se n\u00e3o estiver). Com o comando su, ser\u00e1 necess\u00e1rio a senha do usu\u00e1rio root; com o comando sudo, basta a senha do usu\u00e1rio.<\/p>\n Antes de bloquear o acesso SSH<\/strong> do usu\u00e1rio root<\/strong>, voc\u00ea deve ter acesso com algum usu\u00e1rio comum. Se n\u00e3o tiver um usu\u00e1rio comum, crie com os seguintes passos:<\/p>\n [sourcecode] Para bloquear o acesso como root, voc\u00ea deve editar o arquivo \/etc\/ssh\/sshd_config. \u00c9 preciso editar o arquivo sshd_config<\/em><\/strong> e n\u00e3o o arquivo ssh_config<\/em><\/strong>.<\/p>\n [sourcecode] A linha com o conte\u00fado PermitRootLogin yes<\/strong> deve ser alterada para PermitRootLogin<\/strong>. Depois, n\u00e3o se esque\u00e7a de gravar e sair do arquivo de configura\u00e7\u00e3o e, em seguida, reiniciar o servi\u00e7o de SSH.<\/p>\n [sourcecode] 2. Mudar porta do servi\u00e7o SSH<\/strong><\/p>\n Apesar de o bypass ser uma mudan\u00e7a muito f\u00e1cil de ser realizada, o simples fato de alterar a porta padr\u00e3o em que o servi\u00e7o roda j\u00e1 dificulta a a\u00e7\u00e3o de rob\u00f4s mais simples. Consequentemente, cada passo que voc\u00ea adicionar para dificultar um acesso n\u00e3o autorizado, j\u00e1 ajuda. Um paralelo que se pode fazer \u00e9 imaginar dois carros id\u00eanticos, um trancado e com alarme, e outro aberto e com as chaves no contato.<\/p>\n O que tem maior probabilidade de ser furtado \u00e9 o que der menos trabalho ao criminoso, ou seja: o que j\u00e1 est\u00e1 aberto e com chaves no contato.<\/p>\n Para mudar a porta padr\u00e3o do servi\u00e7o de SSH, basta alterar a diretiva Port no arquivo \/etc\/ssh\/sshd_config, citado no dica anterior. Para alterar, por exemplo, para o servi\u00e7o de SSH responder na porta 2222, basta fazer a altera\u00e7\u00e3o no arquivo e reiniciar o servi\u00e7o.<\/p>\n [sourcecode] # What ports, IPs and protocols we listen for root@cpro36320:~# service ssh restart 3. Colocar mensagem para inibir acesso a<\/strong><\/p>\n Esta \u00e9 uma t\u00e9cnica que n\u00e3o surte muito efeito, mas assusta um atacante inexperiente.<\/p>\n No arquivo \/etc\/ssh\/sshd_config, citado anteriormente, deve-se “descomentar” e definir a op\u00e7\u00e3o Banner<\/strong>:<\/p>\n [sourcecode] No arquivo \/etc\/issue.net, colocamos o texto<\/strong> e ascii art<\/strong>, se tivermos.<\/p>\n [sourcecode] Em seguida, pode reiniciar o servi\u00e7o SSH e tentar acessar para visualizar a mensagem:<\/p>\n [sourcecode] * Documentation: \u00a0https:\/\/help.ubuntu.com\/ 4. Bloquear ataques de bruteforce<\/strong><\/p>\n Para bloquear ataques de bruteforce, existe algumas ferramentas como denyhosts<\/em> e fail2ban<\/em>, que bloqueiam, temporariamente, o endere\u00e7o IP do atacante para qualquer tentativa de acesso via ssh. O fail2ban<\/em> pode ser configurado para bloquear acesso a outros servi\u00e7os como apache, asterisk e mysql-auth, entre outros. Tamb\u00e9m, voc\u00ea pode personalizar as a\u00e7\u00f5es a serem tomadas, mais do que simplesmente bloquear o atacante no iptables, como enviar e-mails e notificac\u00f5es de alertas, por exemplo.<\/p>\n Voc\u00ea pode instalar o fail2ban. <\/strong>Para isso, utilize o gerenciador de pacotes de nossa distribui\u00e7\u00e3o Linux.<\/p>\n Para CentOS<\/strong>, RedHat<\/strong>, Fedora<\/strong> e similares:<\/p>\n [sourcecode] Para Debian<\/strong>, Ubuntu<\/strong>, Mint<\/strong> e similares:<\/p>\n [sourcecode] O arquivo de configura\u00e7\u00e3o do fail2ban<\/strong> fica em \/etc\/fail2ban\/jail.conf. Devemos ter aten\u00e7\u00e3o aos seguintes par\u00e2metros:<\/p>\n Essas configura\u00e7\u00f5es s\u00e3o para qualquer servi\u00e7o e ficam dentro de [DEFAULT]. As diretivas espec\u00edficas para acesso SSH est\u00e3o agrupadas pela marca\u00e7\u00e3o [ssh] e, dentre elas, destacam-se as seguintes:<\/p>\n O mais interessante \u00e9 que voc\u00ea pode ver os endere\u00e7os IPs<\/strong> sendo bloqueados e desbloqueados no log<\/strong>:<\/p>\n [sourcecode] 5. Acesso por meio de chave (sem configurar uma senha)<\/strong><\/p>\n Esta t\u00e9cnica consiste em gerar um par de chaves<\/strong> (uma chave p\u00fablica<\/strong> e uma chave privada) e enviar a chave p\u00fablica<\/strong> para o servidor. Ao acessar o servidor, n\u00e3o ser\u00e1 mais necess\u00e1rio digitar nossa senha.<\/p>\n Primeiro passo \u00e9 gerar um par de chaves em nossa m\u00e1quina local, caso ainda n\u00e3o tenhamos. Basta executar o seguinte comando e seguir as instru\u00e7\u00f5es da tela tais como onde gravar o arquivo da chave e senha para criptografar e gerar a chave.<\/p>\n [sourcecode] Com a chave gerada, agora voc\u00ea pode envi\u00e1-la para o servidor. Ser\u00e1 necess\u00e1rio digitar a sua senha criada ao gerar as chaves:<\/p>\n [sourcecode] Number of key(s) added: \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a01<\/p>\n Now try logging into the machine, with: \u00a0\u00a0"ssh ‘cpro36320.publiccloud.com.br’" [wsilva@localhost ~]$ Teste acessando um servidor<\/strong><\/p>\n [sourcecode] * Documentation: \u00a0https:\/\/help.ubuntu.com\/ 6. Redes privadas<\/strong><\/p>\n Uma t\u00e9cnica muito eficaz \u00e9 colocar os servidores em uma rede privada inacess\u00edvel, nessa mesma rede deixamos um servidor exclusivo para acesso chamado bastion<\/strong>. O acesso a qualquer servidor \u00e9 feito via bastion<\/strong>.<\/p>\n 7. E se os servidores n\u00e3o s\u00e3o Windows?<\/strong><\/p>\n Algumas dicas se baseiam em t\u00e9cnicas que podem ser aplicadas tamb\u00e9m em servidores Windows, por\u00e9m, devemos ter aten\u00e7\u00e3o com outras brechas de seguran\u00e7a.<\/p>\n Mantenha seus servidores sempre atualizados<\/strong><\/p>\n Sempre instale as atualiza\u00e7\u00f5es de seguran\u00e7a disponibilizadas pela Microsoft, pelo menos uma vez por m\u00eas<\/strong>, elas normalmente corrigem falhas que podem ser exploradas por atacantes mal intencionados.<\/p>\n Basta ir em “Control Panel”<\/strong>, “System and Security”<\/strong>, “Windows Update”<\/strong> para verificar se existe alguma atualiza\u00e7\u00e3o dispon\u00edvel. Voc\u00ea pode aproveitar para checar o que ser\u00e1 alterado com a atualiza\u00e7\u00e3o. Isso o ajuda a se previnir e instalar as atualiza\u00e7\u00f5es dispon\u00edveis.<\/p>\n <\/p>\n Bloqueie o acesso remoto para administradores<\/strong><\/p>\n Usu\u00e1rios administradores t\u00eam muitos privil\u00e9gios. N\u00e3o \u00e9 seguro acessar o servidor diretamente com esse tipo de usu\u00e1rio. Assim como no Linux \u00e9 recomendado bloquear o acesso, se necess\u00e1rio, fa\u00e7a login com um usu\u00e1rio comum e execute os programas que precisa como administrador. Lembre-se que \u00e9 poss\u00edvel o acesso por meio do painel de administra\u00e7\u00e3o da Locaweb.<\/p>\n No Windows, para remover esse privil\u00e9gio de acesso remoto, devemos acessar “Computer Configuration”<\/strong>, “Windows Settings”<\/strong>, “Security Settings”<\/strong>, “Local Policies”<\/strong>, “User Rights Assignment”<\/strong>.<\/p>\n <\/p>\n Utilize firewalls<\/strong><\/p>\n Execute as tarefas do servidor com o firewall habilitado. Somente libere as portas que s\u00e3o necess\u00e1rias para que a aplica\u00e7\u00e3o relacionada ao servidor seja acessada.<\/p>\n Voc\u00ea pode acessar o Firewall do Windows 2012 Server<\/strong> pelo “Server Manager<\/strong>“, “Tools<\/strong>“, “Windows Firewall with Advanced Security<\/strong>“.<\/p>\n
\nroot@cpro36320:~# adduser wsilva
\nAdding user `wsilva’ …
\nAdding new group `wsilva’ (1000) …
\nAdding new user `wsilva’ (1000) with group `wsilva’ …
\nCreating home directory `\/home\/wsilva’ …
\nCopying files from `\/etc\/skel’ …
\nEnter new UNIX password:
\nRetype new UNIX password:
\npasswd: password updated successfully
\nChanging the user information for wsilva
\nEnter the new value, or press ENTER for the default
\nFull Name []: Wellington
\nRoom Number []:
\nWork Phone []:
\nHome Phone []:
\nOther []:
\nIs the information correct? [Y\/n] Y
\nroot@cpro36320:~#
\n[\/sourcecode]<\/p>\n
\nroot@cpro36320:~# vim \/etc\/ssh\/sshd_config
\n[\/sourcecode]<\/p>\n
\nroot@cpro36320:~# sudo service ssh restart
\nssh stop\/waiting
\nssh start\/running, process 30751
\nroot@cpro36320:~#
\n[\/sourcecode]<\/p>\n
\nroot@cpro36320:~# vim \/etc\/ssh\/sshd_config<\/p>\n
\nPort 2222
\n# Port 22<\/p>\n
\nssh stop\/waiting
\nssh start\/running, process 28867
\nroot@cpro36320:~#
\n[\/sourcecode]<\/p>\n
\nroot@cpro36320:~# vim \/etc\/ssh\/sshd_config
\nBanner \/etc\/issue.net
\n[\/sourcecode]<\/p>\n
\nroot@cpro36320:~# cat \/etc\/issue.net
\n################################################################
\n# All connections are monitored here. \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0#
\n# Disconnect IMMEDIATELY if you are not an authorized user. \u00a0\u00a0\u00a0#
\n# LAWS will be applied in case of RULES VIOLATION. \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0#
\n################################################################
\n[\/sourcecode]<\/p>\n
\nroot@cpro36320:~# service ssh restart
\nssh stop\/waiting
\nssh start\/running, process 29877
\nroot@cpro36320:~#
\nroot@cpro36320:~# exit
\nexit
\nwsilva@cpro36320:~$ exit
\nlogout
\nConnection to cpro36320.publiccloud.com.br closed.
\n[wsilva@localhost ~]$ ssh wsilva@cpro36320.publiccloud.com.br
\n################################################################
\n# All connections are monitored here \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0#
\n# Disconnect IMMEDIATELY if you are not an authorized user. \u00a0\u00a0\u00a0#
\n# Laws will be applied in case of rules violation. \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0#
\n################################################################
\nWelcome to Ubuntu 14.04.4 LTS (GNU\/Linux 3.13.0-79-generic x86_64)
\n[\/sourcecode]<\/p>\n
\nLast login: Mon Mar 27 16:18:22 2016 from 200.205.195.2<\/p>\n
\nroot@cpro36320:~# yum install fail2ban
\n[\/sourcecode]<\/p>\n
\nroot@cpro36320:~# apt-get install fail2ban
\n[\/sourcecode]<\/p>\n\n
\n
\nroot@cpro36320:~# tail -f \/var\/log\/fail2ban.log
\n2016-03-27 14:43:05,638 fail2ban.server : INFO \u00a0\u00a0Exiting Fail2ban
\n2016-03-27 14:43:06,214 fail2ban.server : INFO \u00a0\u00a0Changed logging target to \/var\/log\/fail2ban.log for Fail2ban v0.8.11
\n2016-03-27 14:43:06,215 fail2ban.jail \u00a0\u00a0: INFO \u00a0\u00a0Creating new jail ‘ssh’
\n2016-03-27 14:43:06,276 fail2ban.jail \u00a0\u00a0: INFO \u00a0\u00a0Jail ‘ssh’ uses pyinotify
\n2016-03-27 14:43:06,325 fail2ban.jail \u00a0\u00a0: INFO \u00a0\u00a0Initiated ‘pyinotify’ backend
\n2016-03-27 14:43:06,328 fail2ban.filter : INFO \u00a0\u00a0Added logfile = \/var\/log\/auth.log
\n2016-03-27 14:43:06,329 fail2ban.filter : INFO \u00a0\u00a0Set maxRetry = 3
\n2016-03-27 14:43:06,330 fail2ban.filter : INFO \u00a0\u00a0Set findtime = 600
\n2016-03-27 14:43:06,331 fail2ban.actions: INFO \u00a0\u00a0Set banTime = 600
\n2016-03-27 14:43:06,391 fail2ban.jail \u00a0\u00a0: INFO \u00a0\u00a0Jail ‘ssh’ started
\n2016-03-27 14:45:41,838 fail2ban.actions: WARNING [ssh] Ban 58.218.211.11
\n2016-03-27 14:55:41,014 fail2ban.actions: WARNING [ssh] Unban 58.218.211.11
\n2016-03-27 14:56:45,047 fail2ban.actions: WARNING [ssh] Ban 188.214.58.170
\n2016-03-27 15:06:45,227 fail2ban.actions: WARNING [ssh] Unban 188.214.58.170
\n2016-03-27 15:22:03,276 fail2ban.actions: WARNING [ssh] Ban 188.214.58.170
\n2016-03-27 15:22:25,331 fail2ban.actions: WARNING [ssh] Ban 58.218.204.30
\n2016-03-27 15:32:03,483 fail2ban.actions: WARNING [ssh] Unban 188.214.58.170
\n2016-03-27 15:32:20,533 fail2ban.actions: WARNING [ssh] Ban 188.214.58.170
\n2016-03-27 15:32:25,568 fail2ban.actions: WARNING [ssh] Unban 58.218.204.30
\n2016-03-27 15:42:20,739 fail2ban.actions: WARNING [ssh] Unban 188.214.58.170
\n2016-03-27 15:45:02,145 fail2ban.actions: WARNING [ssh] Ban 125.88.146.116
\n2016-03-27 15:55:02,322 fail2ban.actions: WARNING [ssh] Unban 125.88.146.116
\n2016-03-27 16:20:09,796 fail2ban.actions: WARNING [ssh] Ban 125.88.146.116
\n2016-03-27 16:30:09,977 fail2ban.actions: WARNING [ssh] Unban 125.88.146.116
\n2016-03-27 16:29:44,572 fail2ban.actions: WARNING [ssh] Ban 46.172.71.249
\n2016-03-27 16:39:44,749 fail2ban.actions: WARNING [ssh] Unban 46.172.71.249
\n[\/sourcecode]<\/p>\n
\n[wsilva@localhost ~]$ ssh-keygen
\nGenerating public\/private rsa key pair.
\nEnter file in which to save the key (\/Users\/wsilva\/.ssh\/id_rsa): \/Users\/wsilva\/.ssh\/id_rsa_teste
\nEnter passphrase (empty for no passphrase):
\nEnter same passphrase again:
\nYour identification has been saved in \/Users\/wsilva\/.ssh\/id_rsa_teste.
\nYour public key has been saved in \/Users\/wsilva\/.ssh\/id_rsa_teste.pub.
\nThe key fingerprint is:
\nSHA256:wELug3EAUQ\/w2pRf8YY\/5hwKXBWdOx2Mf1\/RMdfVjdM wsilva@localhost
\nThe key’s randomart image is:
\n+—[RSA 2048]—-+
\n|+=+ . . oo + \u00a0\u00a0=X|
\n| . B . = \u00a0+ o o.E|
\n| \u00a0= = * o \u00a0+ . ..|
\n| + B + + \u00a0o o . .|
\n|. o * \u00a0\u00a0S \u00a0. . ..|
\n| \u00a0\u00a0\u00a0\u00a0o = o \u00a0\u00a0\u00a0\u00a0\u00a0.|
\n| \u00a0\u00a0\u00a0\u00a0\u00a0. o \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0|
\n| \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0|
\n| \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0|
\n+—-[SHA256]—–+
\n[wsilva@localhost ~]$
\n[\/sourcecode]<\/p>\n
\n[wsilva@localhost ~]$ ssh-copy-id -i \/Users\/wsilva\/.ssh\/id_rsa_teste.pub cpro36320.publiccloud.com.br
\n\/usr\/local\/bin\/ssh-copy-id: INFO: Source of key(s) to be installed: "\/Users\/wsilva\/.ssh\/id_rsa_teste.pub"
\n\/usr\/local\/bin\/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
\n\/usr\/local\/bin\/ssh-copy-id: INFO: 1 key(s) remain to be installed — if you are prompted now it is to install the new keys
\n################################################################
\n# All connections are monitored here \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0#
\n# Disconnect IMMEDIATELY if you are not an authorized user. \u00a0\u00a0\u00a0#
\n# Laws will be applied in case of rules violation. \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0#
\n################################################################
\nwsilva@cpro36320.publiccloud.com.br’s password:<\/p>\n
\nand check to make sure that only the key(s) you wanted were added.<\/p>\n
\n[\/sourcecode]<\/p>\n
\n[wsilva@localhost ~]$ ssh wsilva@cpro36320.publiccloud.com.br
\n################################################################
\n# All connections are monitored here \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0#
\n# Disconnect IMMEDIATELY if you are not an authorized user. \u00a0\u00a0\u00a0#
\n# Laws will be applied in case of rules violation. \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0#
\n################################################################
\nWelcome to Ubuntu 14.04.4 LTS (GNU\/Linux 3.13.0-79-generic x86_64)
\n[\/sourcecode]<\/p>\n
\nLast login: Mon Mar 27 16:30:22 2016 from 200.205.195.2
\nwsilva@cpro36320:~$<\/p>\n![\"Untitled-2\"](\"http:\/\/blog.locaweb.com.br\/wp-content\/uploads\/2016\/06\/Untitled-2.jpg\")
<\/a><\/p>\n![\"Windows](\"http:\/\/blog.locaweb.com.br\/wp-content\/uploads\/2016\/05\/Windows-Update.jpg\")
<\/a><\/p>\n![\"Select](\"http:\/\/blog.locaweb.com.br\/wp-content\/uploads\/2016\/05\/Select-Update.jpg\")
<\/a><\/p>\n![\"Local](\"http:\/\/blog.locaweb.com.br\/wp-content\/uploads\/2016\/05\/Local-Group.jpg\")
<\/a><\/p>\n![\"Select](\"http:\/\/blog.locaweb.com.br\/wp-content\/uploads\/2016\/05\/Select-Users.jpg\")
<\/a><\/p>\n
![\"Dashboard\"](\"http:\/\/blog.locaweb.com.br\/wp-content\/uploads\/2016\/05\/Dashboard.jpg\")
<\/a><\/p>\n![\"Windows](\"http:\/\/blog.locaweb.com.br\/wp-content\/uploads\/2016\/05\/Windows-firewall.jpg\")
<\/a><\/p>\n