How to protect your Debian or Ubuntu server against the Logjam attack

This tutorial describes the steps required to protect your Ubuntu or Debian Linux server against the recently discovered Logjam attack. Logjam is an attack on the Diffie-Hellman key exchange, which is used in many popular cryptographic protocols such as HTTPS, TLS, SMTPS, SSH and others.


The following steps must be executed as the root user in a shell.

Generating a unique DH group

The first step to secure the server is to generate a unique DH group with the openssl command. I will create the file in the /etc/ssl/private/ directory. If that directory does not exist on your server, create it with the following commands:

mkdir -p /etc/ssl/private
chmod 710 /etc/ssl/private

Now I create the dhparams.pem file and set secure permissions on it:

cd /etc/ssl/private
openssl dhparam -out dhparams.pem 2048
chmod 600 dhparams.pem
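To confirm what the openssl command above actually wrote, here is an added Python example (not part of the tutorial) that parses dhparams.pem, extracts the prime and generator from the DER structure, and flags any group shorter than 2048 bits. The PEM parser, the small DER encoder and the toy 23/5 sample are all constructed for this example.

```python
import base64
import re
# PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER, ... }.
# Added example, not from the tutorial: parse the PEM written by
# "openssl dhparam -out dhparams.pem 2048" and verify the prime size.

def _der_read(buf, pos):
    # Read one DER tag/length/value at pos -> (tag, value, next_pos).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_dhparams(pem_text):
    """Return (p, g) from a '-----BEGIN DH PARAMETERS-----' block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _der_read(der, 0)
    tag_p, p_bytes, pos = _der_read(seq, 0)
    tag_g, g_bytes, _ = _der_read(seq, pos)
    if tag != 0x30 or tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("not a SEQUENCE of two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def check_dhparams(pem_text, min_bits=2048):
    """Report prime size and generator; 'ok' is False below min_bits."""
    p, g = parse_dhparams(pem_text)
    return {"bits": p.bit_length(), "generator": g,
            "ok": p.bit_length() >= min_bits and p % 2 == 1}

# Minimal DER encoder, used only to build constructed samples for the demo.
def _der_len(n):  # short form below 128, else 0x80|len followed by length bytes
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b if n < 0x80 else bytes([0x80 | len(b)]) + b
def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    b = b"\x00" + b if b[0] & 0x80 else b  # keep the INTEGER positive
    return b"\x02" + _der_len(len(b)) + b
def make_dhparams_pem(p, g):
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(b64[i:i + 64]
            for i in range(0, len(b64), 64)) + "\n-----END DH PARAMETERS-----\n")

# Constructed toy group (p=23, g=5): far too small, so the check must reject it.
TOY_PEM = make_dhparams_pem(23, 5)
```

Running check_dhparams(open("/etc/ssl/private/dhparams.pem").read()) on the real file should report bits 2048 and ok True.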

Apache

First, I add a secure cipher suite following the recommendation from weakdh.org. Open the file /etc/apache2/mods-available/ssl.conf with an editor:

nano /etc/apache2/mods-available/ssl.conf

Then change or add these lines:

SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on

Note: SSLCipherSuite is a single line, so do not insert any line breaks!

The second part is setting the DH group in Apache. The SSLOpenSSLConfCmd configuration option is only available in Apache 2.4.8 or newer, and it also requires OpenSSL 1.0.2 or newer, so we first test whether our Apache and OpenSSL versions support it:

apache2 -v

The output on my Debian 7 server is as follows:

root@server1:/etc/apache2# apache2 -v
Server version: Apache/2.2.22 (Debian)
Server built: Dec 23 2014 22:48:29

Now I test OpenSSL:

openssl version

The output on my system is as follows:

root@server1:/# openssl version
OpenSSL 1.0.1e 11 Feb 2013

So I cannot set the DH group on this server. Parts one and two are independent of each other: the first part, which disables the weak ciphers, already protects the server and works without the DH group. If your Apache version is 2.4.8 or newer and your OpenSSL version is 1.0.2 or newer, edit the file /etc/apache2/mods-available/ssl.conf again:

nano /etc/apache2/mods-available/ssl.conf

Add this line:

SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams.pem"

Then restart Apache:

service apache2 restart

Nginx

Edit the nginx configuration file /etc/nginx/nginx.conf:

nano /etc/nginx/nginx.conf

Add or replace the following settings inside the http { .... } section:

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/private/dhparams.pem;

Then restart nginx:

service nginx restart

Postfix

Run the following commands to set a secure cipher suite and the DH group:

postconf -e "smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES-CBC3-SHA"
postconf -e "smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem"

Then restart Postfix:

service postfix restart

Dovecot

Edit the Dovecot configuration file /etc/dovecot/dovecot.conf:

nano /etc/dovecot/dovecot.conf

Then add this line directly after the ssl_protocols line:

ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

For the other parameters we need to know the Dovecot version. Run this command in the shell to get the Dovecot version information:

dovecot --version

If the version is 2.2.6 or higher, add this extra line:

ssl_prefer_server_ciphers = yes

If the version is 2.2.7 or higher, add this third line:

ssl_dh_parameters_length = 2048

Finally, restart Dovecot:

service dovecot restart

Pure-ftpd

Securing pure-ftpd on Debian and Ubuntu is a bit more complicated, because the /usr/sbin/pure-ftpd-wrapper script does not directly support the -J option that pure-ftpd uses to set the SSL cipher suite. The first step is to add support for the -J option to the wrapper script. Open the file:

nano /usr/sbin/pure-ftpd-wrapper

Then scroll down and find this line:

'TLS' => ['-Y %d', \&parse_number_1],

Now add this new line directly after it:

'TLSCipherSuite' => ['-J %s', \&parse_string],

Then create the file /etc/pure-ftpd/conf/TLSCipherSuite with nano, or edit it if it already exists:

nano /etc/pure-ftpd/conf/TLSCipherSuite

Then enter the following cipher list:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

If the file already exists and contains some ciphers, replace them with the ciphers above. Then save the file and restart pure-ftpd:

service pure-ftpd-mysql restart

Links:

https://weakdh.org/

Original English article: How to protect your Debian or Ubuntu Server against the Logjam attack

