Ebook Syafi
Koleksi
Admin
← Kembali ke Upgrade Kerjaya Dengan Homelab
Edit Bab
Tajuk Bab
Urutan
Jenis
Syarat & Amaran
Mukadimah
Bab/Chapter
Penutup
Kandungan HTML
<h1 id="bab-9-keselamatan-lanjutan-dan-amalan-terbaik">Bab 9: Keselamatan Lanjutan dan Amalan Terbaik</h1> <figure><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 820 470" width="820" height="470"> <defs> <linearGradient id="sc-bg" x1="0%" y1="0%" x2="100%" y2="100%"> <stop offset="0%" style="stop-color:#f8fafc"/> <stop offset="100%" style="stop-color:#fff1f2"/> </linearGradient> <filter id="sc-shadow"> <feDropShadow dx="0" dy="8" stdDeviation="10" flood-color="#0f172a" flood-opacity="0.13"/> </filter> </defs> <rect width="820" height="470" rx="18" fill="url(#sc-bg)"/> <text x="410" y="36" font-family="Arial, Helvetica, sans-serif" font-size="20" font-weight="bold" fill="#1e293b" text-anchor="middle">Kitaran Keselamatan Homelab</text> <text x="410" y="58" font-family="Arial, Helvetica, sans-serif" font-size="11" fill="#64748b" text-anchor="middle">Keselamatan ialah kitaran hardening, pemantauan, backup, dan respons insiden</text> <g stroke="#94a3b8" stroke-width="4" fill="none" stroke-linecap="round"> <path d="M410 105 C540 105 655 190 655 235"/> <path d="M655 235 C655 330 520 385 410 385"/> <path d="M410 385 C270 385 165 300 165 235"/> <path d="M165 235 C165 150 265 105 410 105"/> </g> <g filter="url(#sc-shadow)"> <rect x="330" y="88" width="160" height="64" rx="18" fill="#1d4ed8"/> <text x="410" y="116" font-family="Arial, Helvetica, sans-serif" font-size="16" font-weight="bold" fill="#ffffff" text-anchor="middle">Hardening</text> <text x="410" y="136" font-family="Arial, Helvetica, sans-serif" font-size="11" fill="#dbeafe" text-anchor="middle">SSH, UFW, sysctl, AppArmor</text> </g> <g filter="url(#sc-shadow)"> <rect x="560" y="203" width="170" height="64" rx="18" fill="#0f766e"/> <text x="645" y="231" font-family="Arial, Helvetica, sans-serif" font-size="16" font-weight="bold" fill="#ffffff" text-anchor="middle">Pemantauan</text> <text x="645" y="251" font-family="Arial, Helvetica, sans-serif" font-size="11" fill="#ccfbf1" text-anchor="middle">Lynis, Wazuh, log, alert</text> </g> <g filter="url(#sc-shadow)"> <rect x="325" y="345" width="170" height="64" rx="18" fill="#ea580c"/> <text x="410" y="373" font-family="Arial, Helvetica, sans-serif" font-size="16" font-weight="bold" fill="#ffffff" text-anchor="middle">Backup</text> <text x="410" y="393" font-family="Arial, Helvetica, sans-serif" font-size="11" fill="#ffedd5" text-anchor="middle">Restic, config backup, verify restore</text> </g> <g filter="url(#sc-shadow)"> <rect x="90" y="203" width="190" height="64" rx="18" fill="#dc2626"/> <text x="185" y="231" font-family="Arial, Helvetica, sans-serif" font-size="16" font-weight="bold" fill="#ffffff" text-anchor="middle">Respons Insiden</text> <text x="185" y="251" font-family="Arial, Helvetica, sans-serif" font-size="11" fill="#fee2e2" text-anchor="middle">Asingkan, nilai, pulih, dokumentasi</text> </g> <g filter="url(#sc-shadow)"> <circle cx="410" cy="236" r="56" fill="#334155"/> <text x="410" y="230" font-family="Arial, Helvetica, sans-serif" font-size="16" font-weight="bold" fill="#ffffff" text-anchor="middle">Kurangkan</text> <text x="410" y="250" font-family="Arial, Helvetica, sans-serif" font-size="16" font-weight="bold" fill="#ffffff" text-anchor="middle">risiko</text> </g> </svg> <figcaption>Kitaran keselamatan homelab</figcaption></figure> <p>Okay, kalau anda dah sampai bab ni, maknanya anda dah buat asas keselamatan dari bab sebelumnya. Bagus! Sekarang kita nak naik level satu tahap lagi.</p> <p>Bab ni akan cover hardening yang lebih mendalam, audit keselamatan, SSL dalaman, dan yang paling penting — apa nak buat kalau homelab anda benar-benar kena hack. Saya harap anda tak perlukan bahagian incident response tu, tapi lebih baik sedia payung sebelum hujan.</p> <p><strong>Apa yang anda akan belajar:</strong></p> <ul> <li>Amalan Linux Hardening, audit, SSL dalaman, dan incident response</li> <li>Cara naik taraf tahap keselamatan tanpa ganggu operasi homelab</li> <li>Cara tambah kawalan keselamatan lanjutan secara terancang</li> </ul> <blockquote> <p><strong>Nota Beginner:</strong> Hardening yang terlalu agresif boleh menyebabkan anda lock diri sendiri. Dalam homelab, keselamatan perlu seimbang dengan kebolehselenggaraan. Jangan sampai server anda “terlalu selamat” sehingga anda sendiri tak boleh masuk!</p> </blockquote> <h3 id="laluan-paling-mudah-untuk-beginner">Laluan Paling Mudah untuk Beginner</h3> <ul> <li>Hardening hanya berguna kalau anda masih boleh masuk semula ke server selepas ubah config.</li> <li><strong>WAJIB</strong> simpan akses konsol atau IPMI sebelum ubah SSH, firewall, atau user policy.</li> <li>Pilih satu amalan hardening, uji, dokumentasikan, kemudian baru teruskan ke yang seterusnya. Satu masa satu perubahan.</li> </ul> <h2 id="langkah-1-pengerasan-linux-linux-hardening">Langkah 1: Pengerasan Linux (Linux Hardening)</h2> <h3 id="pengerasan-ssh">Pengerasan SSH</h3> <p>SSH adalah sasaran utama penyerang. Saya pernah tengok log server yang baru online 5 minit — dah ada ratusan percubaan brute force. Jadi, pastikan SSH anda dikonfigurasikan dengan selamat:</p> <div class="sourceCode" id="cb1"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb1-1"><a href="#cb1-1" aria-hidden="true" tabindex="-1"></a><span class="co"># /etc/ssh/sshd_config - Konfigurasi disyorkan</span></span> <span id="cb1-2"><a href="#cb1-2" aria-hidden="true" tabindex="-1"></a></span> <span id="cb1-3"><a href="#cb1-3" aria-hidden="true" tabindex="-1"></a><span class="co"># Lumpuhkan log masuk root</span></span> <span id="cb1-4"><a href="#cb1-4" aria-hidden="true" tabindex="-1"></a><span class="ex">PermitRootLogin</span> no</span> <span id="cb1-5"><a href="#cb1-5" aria-hidden="true" tabindex="-1"></a></span> <span id="cb1-6"><a href="#cb1-6" aria-hidden="true" tabindex="-1"></a><span class="co"># Hanya benarkan pengesahan kunci</span></span> <span id="cb1-7"><a href="#cb1-7" aria-hidden="true" tabindex="-1"></a><span class="ex">PasswordAuthentication</span> no</span> <span id="cb1-8"><a href="#cb1-8" aria-hidden="true" tabindex="-1"></a><span class="ex">PubkeyAuthentication</span> yes</span> <span id="cb1-9"><a href="#cb1-9" aria-hidden="true" tabindex="-1"></a></span> <span id="cb1-10"><a href="#cb1-10" aria-hidden="true" tabindex="-1"></a><span class="co"># Tukar port SSH (keselamatan melalui kekaburan)</span></span> <span id="cb1-11"><a href="#cb1-11" aria-hidden="true" tabindex="-1"></a><span class="ex">Port</span> 2222</span> <span id="cb1-12"><a href="#cb1-12" aria-hidden="true" tabindex="-1"></a></span> <span id="cb1-13"><a href="#cb1-13" aria-hidden="true" tabindex="-1"></a><span class="co"># Hadkan pengguna yang boleh log masuk</span></span> <span id="cb1-14"><a href="#cb1-14" aria-hidden="true" tabindex="-1"></a><span class="ex">AllowUsers</span> admin</span> <span id="cb1-15"><a href="#cb1-15" aria-hidden="true" tabindex="-1"></a></span> <span id="cb1-16"><a href="#cb1-16" aria-hidden="true" tabindex="-1"></a><span class="co"># Tetapkan masa tamat</span></span> <span id="cb1-17"><a href="#cb1-17" aria-hidden="true" tabindex="-1"></a><span class="ex">ClientAliveInterval</span> 300</span> <span id="cb1-18"><a href="#cb1-18" aria-hidden="true" tabindex="-1"></a><span class="ex">ClientAliveCountMax</span> 2</span> <span id="cb1-19"><a href="#cb1-19" aria-hidden="true" tabindex="-1"></a></span> <span id="cb1-20"><a href="#cb1-20" aria-hidden="true" tabindex="-1"></a><span class="co"># Lumpuhkan pemajuan X11</span></span> <span id="cb1-21"><a href="#cb1-21" aria-hidden="true" tabindex="-1"></a><span class="ex">X11Forwarding</span> no</span> <span id="cb1-22"><a href="#cb1-22" aria-hidden="true" tabindex="-1"></a></span> <span id="cb1-23"><a href="#cb1-23" aria-hidden="true" tabindex="-1"></a><span class="co"># Lumpuhkan pemajuan TCP (melainkan perlu)</span></span> <span id="cb1-24"><a href="#cb1-24" aria-hidden="true" tabindex="-1"></a><span class="ex">AllowTcpForwarding</span> no</span> <span id="cb1-25"><a href="#cb1-25" aria-hidden="true" tabindex="-1"></a></span> <span id="cb1-26"><a href="#cb1-26" aria-hidden="true" tabindex="-1"></a><span class="co"># Gunakan protokol 2 sahaja</span></span> <span id="cb1-27"><a href="#cb1-27" aria-hidden="true" tabindex="-1"></a><span class="ex">Protocol</span> 2</span> <span id="cb1-28"><a href="#cb1-28" aria-hidden="true" tabindex="-1"></a></span> <span id="cb1-29"><a href="#cb1-29" aria-hidden="true" tabindex="-1"></a><span class="co"># Hadkan percubaan pengesahan</span></span> <span id="cb1-30"><a href="#cb1-30" aria-hidden="true" tabindex="-1"></a><span class="ex">MaxAuthTries</span> 3</span> <span id="cb1-31"><a href="#cb1-31" aria-hidden="true" tabindex="-1"></a></span> <span id="cb1-32"><a href="#cb1-32" aria-hidden="true" tabindex="-1"></a><span class="co"># Lumpuhkan kata laluan kosong</span></span> <span id="cb1-33"><a href="#cb1-33" aria-hidden="true" tabindex="-1"></a><span class="ex">PermitEmptyPasswords</span> no</span></code></pre></div> <div class="sourceCode" id="cb2"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb2-1"><a href="#cb2-1" aria-hidden="true" tabindex="-1"></a><span class="co"># Mulakan semula SSH</span></span> <span id="cb2-2"><a href="#cb2-2" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> systemctl restart sshd</span> <span id="cb2-3"><a href="#cb2-3" aria-hidden="true" tabindex="-1"></a></span> <span id="cb2-4"><a href="#cb2-4" aria-hidden="true" tabindex="-1"></a><span class="co"># PENTING: Pastikan anda mempunyai akses konsol (IPMI/KVM)</span></span> <span id="cb2-5"><a href="#cb2-5" aria-hidden="true" tabindex="-1"></a><span class="co"># sebelum menukar konfigurasi SSH, sekiranya anda terkunci!</span></span></code></pre></div> <blockquote> <p><strong>Nota Beginner:</strong> Sebelum restart SSH, buka satu terminal lain dan pastikan anda boleh SSH dengan setting baru. Jangan tutup terminal lama dulu! Kalau setting baru ada masalah, anda masih ada terminal lama yang connected.</p> </blockquote> <h3 id="konfigurasi-firewall-mendalam-ufw">Konfigurasi Firewall Mendalam (UFW)</h3> <p>UFW (Uncomplicated Firewall) memang betul-betul uncomplicated. Tapi jangan pandang rendah — ia sangat berkesan:</p> <div class="sourceCode" id="cb3"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb3-1"><a href="#cb3-1" aria-hidden="true" tabindex="-1"></a><span class="co"># Tetapan lalai</span></span> <span id="cb3-2"><a href="#cb3-2" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> ufw default deny incoming</span> <span id="cb3-3"><a href="#cb3-3" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> ufw default allow outgoing</span> <span id="cb3-4"><a href="#cb3-4" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> ufw default deny routed</span> <span id="cb3-5"><a href="#cb3-5" aria-hidden="true" tabindex="-1"></a></span> <span id="cb3-6"><a href="#cb3-6" aria-hidden="true" tabindex="-1"></a><span class="co"># Benarkan perkhidmatan tertentu sahaja</span></span> <span id="cb3-7"><a href="#cb3-7" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> ufw allow from 10.0.0.0/24 to any port 22 <span class="co"># SSH dari LAN sahaja</span></span> <span id="cb3-8"><a href="#cb3-8" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> ufw allow from 10.0.0.0/24 to any port 8006 <span class="co"># Proxmox dari LAN sahaja</span></span> <span id="cb3-9"><a href="#cb3-9" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> ufw allow 80/tcp <span class="co"># HTTP (untuk Let's Encrypt)</span></span> <span id="cb3-10"><a href="#cb3-10" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> ufw allow 443/tcp <span class="co"># HTTPS</span></span> <span id="cb3-11"><a href="#cb3-11" aria-hidden="true" tabindex="-1"></a></span> <span id="cb3-12"><a href="#cb3-12" aria-hidden="true" tabindex="-1"></a><span class="co"># Hadkan kadar (rate limiting) untuk SSH</span></span> <span id="cb3-13"><a href="#cb3-13" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> ufw limit ssh</span> <span id="cb3-14"><a href="#cb3-14" aria-hidden="true" tabindex="-1"></a></span> <span id="cb3-15"><a href="#cb3-15" aria-hidden="true" tabindex="-1"></a><span class="co"># Aktifkan logging</span></span> <span id="cb3-16"><a href="#cb3-16" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> ufw logging on</span> <span id="cb3-17"><a href="#cb3-17" aria-hidden="true" tabindex="-1"></a></span> <span id="cb3-18"><a href="#cb3-18" aria-hidden="true" tabindex="-1"></a><span class="co"># Aktifkan firewall</span></span> <span id="cb3-19"><a href="#cb3-19" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> ufw enable</span> <span id="cb3-20"><a href="#cb3-20" aria-hidden="true" tabindex="-1"></a></span> <span id="cb3-21"><a href="#cb3-21" aria-hidden="true" tabindex="-1"></a><span class="co"># Semak status</span></span> <span id="cb3-22"><a href="#cb3-22" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> ufw status verbose</span></code></pre></div> <h3 id="apparmor-dan-selinux">AppArmor dan SELinux</h3> <p><strong>AppArmor</strong> (Ubuntu/Debian) — biasanya dah aktif secara default:</p> <div class="sourceCode" id="cb4"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb4-1"><a href="#cb4-1" aria-hidden="true" tabindex="-1"></a><span class="co"># Periksa status AppArmor</span></span> <span id="cb4-2"><a href="#cb4-2" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> apparmor_status</span> <span id="cb4-3"><a href="#cb4-3" aria-hidden="true" tabindex="-1"></a></span> <span id="cb4-4"><a href="#cb4-4" aria-hidden="true" tabindex="-1"></a><span class="co"># Senarai profil</span></span> <span id="cb4-5"><a href="#cb4-5" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> aa-status</span> <span id="cb4-6"><a href="#cb4-6" aria-hidden="true" tabindex="-1"></a></span> <span id="cb4-7"><a href="#cb4-7" aria-hidden="true" tabindex="-1"></a><span class="co"># AppArmor biasanya sudah aktif pada Ubuntu</span></span> <span id="cb4-8"><a href="#cb4-8" aria-hidden="true" tabindex="-1"></a><span class="co"># Ia mengehadkan keupayaan aplikasi individu</span></span></code></pre></div> <p><strong>Pengerasan Kernel — Tambahan yang saya cadangkan:</strong></p> <p>Ini setting sysctl yang boleh kuatkan keselamatan di peringkat kernel. Copy paste je, tapi pastikan anda faham setiap baris:</p> <div class="sourceCode" id="cb5"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb5-1"><a href="#cb5-1" aria-hidden="true" tabindex="-1"></a><span class="co"># /etc/sysctl.conf - Pengerasan kernel</span></span> <span id="cb5-2"><a href="#cb5-2" aria-hidden="true" tabindex="-1"></a></span> <span id="cb5-3"><a href="#cb5-3" aria-hidden="true" tabindex="-1"></a><span class="co"># Cegah serangan spoofing IP</span></span> <span id="cb5-4"><a href="#cb5-4" aria-hidden="true" tabindex="-1"></a><span class="ex">net.ipv4.conf.all.rp_filter</span> = 1</span> <span id="cb5-5"><a href="#cb5-5" aria-hidden="true" tabindex="-1"></a><span class="ex">net.ipv4.conf.default.rp_filter</span> = 1</span> <span id="cb5-6"><a href="#cb5-6" aria-hidden="true" tabindex="-1"></a></span> <span id="cb5-7"><a href="#cb5-7" aria-hidden="true" tabindex="-1"></a><span class="co"># Abaikan permintaan ICMP broadcast</span></span> <span id="cb5-8"><a href="#cb5-8" aria-hidden="true" tabindex="-1"></a><span class="ex">net.ipv4.icmp_echo_ignore_broadcasts</span> = 1</span> <span id="cb5-9"><a href="#cb5-9" aria-hidden="true" tabindex="-1"></a></span> <span id="cb5-10"><a href="#cb5-10" aria-hidden="true" tabindex="-1"></a><span class="co"># Lumpuhkan pemajuan IP (melainkan sebagai router)</span></span> <span id="cb5-11"><a href="#cb5-11" aria-hidden="true" tabindex="-1"></a><span class="ex">net.ipv4.ip_forward</span> = 0</span> <span id="cb5-12"><a href="#cb5-12" aria-hidden="true" tabindex="-1"></a></span> <span id="cb5-13"><a href="#cb5-13" aria-hidden="true" tabindex="-1"></a><span class="co"># Cegah serangan SYN flood</span></span> <span id="cb5-14"><a href="#cb5-14" aria-hidden="true" tabindex="-1"></a><span class="ex">net.ipv4.tcp_syncookies</span> = 1</span> <span id="cb5-15"><a href="#cb5-15" aria-hidden="true" tabindex="-1"></a><span class="ex">net.ipv4.tcp_max_syn_backlog</span> = 2048</span> <span id="cb5-16"><a href="#cb5-16" aria-hidden="true" tabindex="-1"></a></span> <span id="cb5-17"><a href="#cb5-17" aria-hidden="true" tabindex="-1"></a><span class="co"># Log paket martian (paket dengan alamat sumber yang tak masuk akal)</span></span> <span id="cb5-18"><a href="#cb5-18" aria-hidden="true" tabindex="-1"></a><span class="ex">net.ipv4.conf.all.log_martians</span> = 1</span> <span id="cb5-19"><a href="#cb5-19" aria-hidden="true" tabindex="-1"></a></span> <span id="cb5-20"><a href="#cb5-20" aria-hidden="true" tabindex="-1"></a><span class="co"># Lumpuhkan redirect ICMP</span></span> <span id="cb5-21"><a href="#cb5-21" aria-hidden="true" tabindex="-1"></a><span class="ex">net.ipv4.conf.all.accept_redirects</span> = 0</span> <span id="cb5-22"><a href="#cb5-22" aria-hidden="true" tabindex="-1"></a><span class="ex">net.ipv4.conf.all.send_redirects</span> = 0</span> <span id="cb5-23"><a href="#cb5-23" aria-hidden="true" tabindex="-1"></a></span> <span id="cb5-24"><a href="#cb5-24" aria-hidden="true" tabindex="-1"></a><span class="co"># Aplikasikan tetapan</span></span> <span id="cb5-25"><a href="#cb5-25" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> sysctl <span class="at">-p</span></span></code></pre></div> <blockquote> <p><strong>Nota Beginner:</strong> Kalau anda guna server sebagai router atau VPN gateway, JANGAN lumpuhkan <code>ip_forward</code>. Anda perlukan ia untuk routing. Setting ni hanya untuk server biasa.</p> </blockquote> <h3 id="pengurusan-pengguna-dan-kebenaran">Pengurusan Pengguna dan Kebenaran</h3> <p>Jangan sesekali guna root untuk kerja harian. Cipta pengguna admin yang berasingan:</p> <div class="sourceCode" id="cb6"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb6-1"><a href="#cb6-1" aria-hidden="true" tabindex="-1"></a><span class="co"># Cipta pengguna bukan root untuk pengurusan</span></span> <span id="cb6-2"><a href="#cb6-2" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> adduser admin</span> <span id="cb6-3"><a href="#cb6-3" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> usermod <span class="at">-aG</span> sudo admin</span> <span id="cb6-4"><a href="#cb6-4" aria-hidden="true" tabindex="-1"></a></span> <span id="cb6-5"><a href="#cb6-5" aria-hidden="true" tabindex="-1"></a><span class="co"># Tetapkan dasar kata laluan</span></span> <span id="cb6-6"><a href="#cb6-6" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> apt install libpam-pwquality <span class="at">-y</span></span> <span id="cb6-7"><a href="#cb6-7" aria-hidden="true" tabindex="-1"></a></span> <span id="cb6-8"><a href="#cb6-8" aria-hidden="true" tabindex="-1"></a><span class="co"># /etc/security/pwquality.conf</span></span> <span id="cb6-9"><a href="#cb6-9" aria-hidden="true" tabindex="-1"></a><span class="ex">minlen</span> = 12</span> <span id="cb6-10"><a href="#cb6-10" aria-hidden="true" tabindex="-1"></a><span class="ex">dcredit</span> = <span class="at">-1</span></span> <span id="cb6-11"><a href="#cb6-11" aria-hidden="true" tabindex="-1"></a><span class="ex">ucredit</span> = <span class="at">-1</span></span> <span id="cb6-12"><a href="#cb6-12" aria-hidden="true" tabindex="-1"></a><span class="ex">lcredit</span> = <span class="at">-1</span></span> <span id="cb6-13"><a href="#cb6-13" aria-hidden="true" tabindex="-1"></a><span class="ex">ocredit</span> = <span class="at">-1</span></span></code></pre></div> <h2 id="langkah-2-audit-dan-pematuhan-keselamatan">Langkah 2: Audit dan Pematuhan Keselamatan</h2> <h3 id="lynis-audit-keselamatan">Lynis — Audit Keselamatan</h3> <p>Anda dah buat semua hardening tadi, tapi macam mana nak tahu kalau cukup? Lynis akan scan sistem anda dan bagi skor:</p> <div class="sourceCode" id="cb7"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb7-1"><a href="#cb7-1" aria-hidden="true" tabindex="-1"></a><span class="co"># Pasang Lynis</span></span> <span id="cb7-2"><a href="#cb7-2" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> apt install lynis <span class="at">-y</span></span> <span id="cb7-3"><a href="#cb7-3" aria-hidden="true" tabindex="-1"></a></span> <span id="cb7-4"><a href="#cb7-4" aria-hidden="true" tabindex="-1"></a><span class="co"># Jalankan audit penuh</span></span> <span id="cb7-5"><a href="#cb7-5" aria-hidden="true" tabindex="-1"></a><span class="fu">sudo</span> lynis audit system</span> <span id="cb7-6"><a href="#cb7-6" aria-hidden="true" tabindex="-1"></a></span> <span id="cb7-7"><a href="#cb7-7" aria-hidden="true" tabindex="-1"></a><span class="co"># Contoh output:</span></span> <span id="cb7-8"><a href="#cb7-8" aria-hidden="true" tabindex="-1"></a><span class="co"># Hardening index : 72 [############## ]</span></span> <span id="cb7-9"><a href="#cb7-9" aria-hidden="true" tabindex="-1"></a><span class="co"># Tests performed : 256</span></span> <span id="cb7-10"><a href="#cb7-10" aria-hidden="true" tabindex="-1"></a><span class="co"># Warnings : 3</span></span> <span id="cb7-11"><a href="#cb7-11" aria-hidden="true" tabindex="-1"></a><span class="co"># Suggestions : 15</span></span></code></pre></div> <p>Saya cadangkan sasarkan skor 70+ untuk permulaan. Jangan obsess nak dapat 100 — tu memang tak realistik untuk homelab.</p> <p><strong>Kategori yang diperiksa oleh Lynis:</strong> - Konfigurasi kernel - Pengurusan pengguna dan kumpulan - Sistem fail dan kebenaran - Perkhidmatan rangkaian - Konfigurasi firewall - Kemas kini perisian - Konfigurasi SSH - Dan banyak lagi</p> <h3 id="openvas-imbasan-kerentanan">OpenVAS — Imbasan Kerentanan</h3> <p>OpenVAS (kini Greenbone) mengimbas rangkaian anda untuk kerentanan yang diketahui. Macam “pen test” automatik untuk homelab anda:</p> <div class="sourceCode" id="cb8"><pre class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb8-1"><a href="#cb8-1" aria-hidden="true" tabindex="-1"></a><span class="fu">services</span><span class="kw">:</span></span> <span id="cb8-2"><a href="#cb8-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">openvas</span><span class="kw">:</span></span> <span id="cb8-3"><a href="#cb8-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">image</span><span class="kw">:</span><span class="at"> greenbone/openvas-scanner:latest</span></span> <span id="cb8-4"><a href="#cb8-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">container_name</span><span class="kw">:</span><span class="at"> openvas</span></span> <span id="cb8-5"><a href="#cb8-5" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">ports</span><span class="kw">:</span></span> <span id="cb8-6"><a href="#cb8-6" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="st">"9392:9392"</span></span> <span id="cb8-7"><a href="#cb8-7" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">volumes</span><span class="kw">:</span></span> <span id="cb8-8"><a href="#cb8-8" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> openvas-data:/var/lib/openvas</span></span> <span id="cb8-9"><a href="#cb8-9" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">restart</span><span class="kw">:</span><span class="at"> unless-stopped</span></span> <span id="cb8-10"><a href="#cb8-10" aria-hidden="true" tabindex="-1"></a></span> <span id="cb8-11"><a href="#cb8-11" aria-hidden="true" tabindex="-1"></a><span class="fu">volumes</span><span class="kw">:</span></span> <span id="cb8-12"><a href="#cb8-12" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">openvas-data</span><span class="kw">:</span></span></code></pre></div> <blockquote> <p><strong>Nota Beginner:</strong> Jalankan imbasan kerentanan hanya pada rangkaian yang anda miliki. Mengimbas rangkaian tanpa kebenaran adalah <strong>menyalahi undang-undang</strong>. Dalam homelab, scan rangkaian sendiri je.</p> </blockquote> <h2 id="langkah-3-pengurusan-sijil-ssltls">Langkah 3: Pengurusan Sijil SSL/TLS</h2> <h3 id="memahami-sijil-ssl">Memahami Sijil SSL</h3> <p>Ini jenis-jenis sijil yang anda perlu tahu:</p> <pre><code>Jenis Sijil: 1. Self-signed — Percuma, amaran pelayar, untuk dalaman sahaja 2. Let's Encrypt — Percuma, dipercayai, perlu domain awam 3. Wildcard — Satu sijil untuk *.domain.com 4. CA peribadi — Untuk rangkaian dalaman tanpa amaran</code></pre> <h3 id="mencipta-ca-peribadi">Mencipta CA Peribadi</h3> <p>Untuk perkhidmatan dalaman yang tidak mempunyai domain awam, anda boleh jadi “CA” sendiri. Semua peranti yang install sijil CA anda akan trust sijil-sijil yang anda keluarkan:</p> <div class="sourceCode" id="cb10"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb10-1"><a href="#cb10-1" aria-hidden="true" tabindex="-1"></a><span class="co"># Cipta CA (Certificate Authority) peribadi</span></span> <span id="cb10-2"><a href="#cb10-2" aria-hidden="true" tabindex="-1"></a><span class="fu">mkdir</span> <span class="at">-p</span> ~/ssl <span class="kw">&&</span> <span class="bu">cd</span> ~/ssl</span> <span id="cb10-3"><a href="#cb10-3" aria-hidden="true" tabindex="-1"></a></span> <span id="cb10-4"><a href="#cb10-4" aria-hidden="true" tabindex="-1"></a><span class="co"># Cipta kunci peribadi CA</span></span> <span id="cb10-5"><a href="#cb10-5" aria-hidden="true" tabindex="-1"></a><span class="ex">openssl</span> genrsa <span class="at">-out</span> ca-key.pem 4096</span> <span id="cb10-6"><a href="#cb10-6" aria-hidden="true" tabindex="-1"></a></span> <span id="cb10-7"><a href="#cb10-7" aria-hidden="true" tabindex="-1"></a><span class="co"># Cipta sijil CA</span></span> <span id="cb10-8"><a href="#cb10-8" aria-hidden="true" tabindex="-1"></a><span class="ex">openssl</span> req <span class="at">-new</span> <span class="at">-x509</span> <span class="at">-sha256</span> <span class="at">-key</span> ca-key.pem <span class="dt">\</span></span> <span id="cb10-9"><a href="#cb10-9" aria-hidden="true" tabindex="-1"></a> <span class="at">-out</span> ca-cert.pem <span class="at">-days</span> 3650 <span class="dt">\</span></span> <span id="cb10-10"><a href="#cb10-10" aria-hidden="true" tabindex="-1"></a> <span class="at">-subj</span> <span class="st">"/CN=Homelab CA/O=Homelab/C=MY"</span></span> <span id="cb10-11"><a href="#cb10-11" aria-hidden="true" tabindex="-1"></a></span> <span id="cb10-12"><a href="#cb10-12" aria-hidden="true" tabindex="-1"></a><span class="co"># Cipta sijil untuk perkhidmatan</span></span> <span id="cb10-13"><a href="#cb10-13" aria-hidden="true" tabindex="-1"></a><span class="ex">openssl</span> genrsa <span class="at">-out</span> server-key.pem 2048</span> <span id="cb10-14"><a href="#cb10-14" aria-hidden="true" tabindex="-1"></a></span> <span id="cb10-15"><a href="#cb10-15" aria-hidden="true" tabindex="-1"></a><span class="ex">openssl</span> req <span class="at">-new</span> <span class="at">-key</span> server-key.pem <span class="dt">\</span></span> <span id="cb10-16"><a href="#cb10-16" aria-hidden="true" tabindex="-1"></a> <span class="at">-out</span> server.csr <span class="dt">\</span></span> <span id="cb10-17"><a href="#cb10-17" aria-hidden="true" tabindex="-1"></a> <span class="at">-subj</span> <span class="st">"/CN=*.lab.local/O=Homelab/C=MY"</span></span> <span id="cb10-18"><a href="#cb10-18" aria-hidden="true" tabindex="-1"></a></span> <span id="cb10-19"><a href="#cb10-19" aria-hidden="true" tabindex="-1"></a><span class="co"># Tanda sijil dengan CA</span></span> <span id="cb10-20"><a href="#cb10-20" aria-hidden="true" tabindex="-1"></a><span class="ex">openssl</span> x509 <span class="at">-req</span> <span class="at">-sha256</span> <span class="dt">\</span></span> <span id="cb10-21"><a href="#cb10-21" aria-hidden="true" tabindex="-1"></a> <span class="at">-in</span> server.csr <span class="dt">\</span></span> <span id="cb10-22"><a href="#cb10-22" aria-hidden="true" tabindex="-1"></a> <span class="at">-CA</span> ca-cert.pem <span class="at">-CAkey</span> ca-key.pem <span class="dt">\</span></span> <span id="cb10-23"><a href="#cb10-23" aria-hidden="true" tabindex="-1"></a> <span class="at">-CAcreateserial</span> <span class="at">-out</span> server-cert.pem <span class="dt">\</span></span> <span id="cb10-24"><a href="#cb10-24" aria-hidden="true" tabindex="-1"></a> <span class="at">-days</span> 365 <span class="dt">\</span></span> <span id="cb10-25"><a href="#cb10-25" aria-hidden="true" tabindex="-1"></a> <span class="at">-extfile</span> <span class="op"><(</span><span class="bu">printf</span> <span class="st">"subjectAltName=DNS:*.lab.local,DNS:lab.local"</span><span class="op">)</span></span></code></pre></div> <p><strong>Pasang sijil CA pada peranti supaya tak ada amaran “Not Secure”:</strong> - <strong>Windows:</strong> Import <code>ca-cert.pem</code> ke Trusted Root CAs - <strong>macOS:</strong> Import ke Keychain → System → Always Trust - <strong>Linux:</strong> Salin ke <code>/usr/local/share/ca-certificates/</code> → <code>update-ca-certificates</code> - <strong>Android/iOS:</strong> Import melalui tetapan keselamatan</p> <blockquote> <p><strong>Nota Beginner:</strong> Proses ni nampak complicated, tapi anda hanya perlu buat sekali. Selepas tu, semua service dalaman anda boleh guna HTTPS tanpa amaran pelayar.</p> </blockquote> <h2 id="langkah-4-strategi-backup-keselamatan">Langkah 4: Strategi Backup Keselamatan</h2> <h3 id="backup-disulitkan">Backup Disulitkan</h3> <p>Backup pun kena protect. Bayangkan kalau seseorang dapat akses ke backup drive anda — semua data anda terdedah. Restic menyulitkan backup secara lalai, jadi anda dah selamat:</p> <div class="sourceCode" id="cb11"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb11-1"><a href="#cb11-1" aria-hidden="true" tabindex="-1"></a><span class="co"># Restic menyulitkan backup secara lalai</span></span> <span id="cb11-2"><a href="#cb11-2" aria-hidden="true" tabindex="-1"></a><span class="co"># Pastikan kata laluan repositori disimpan dengan selamat</span></span> <span id="cb11-3"><a href="#cb11-3" aria-hidden="true" tabindex="-1"></a></span> <span id="cb11-4"><a href="#cb11-4" aria-hidden="true" tabindex="-1"></a><span class="bu">export</span> <span class="va">RESTIC_REPOSITORY</span><span class="op">=</span><span class="st">"/mnt/backup/encrypted"</span></span> <span id="cb11-5"><a href="#cb11-5" aria-hidden="true" tabindex="-1"></a><span class="bu">export</span> <span class="va">RESTIC_PASSWORD</span><span class="op">=</span><span class="st">"kata_laluan_sangat_panjang_dan_rawak"</span></span> <span id="cb11-6"><a href="#cb11-6" aria-hidden="true" tabindex="-1"></a></span> <span id="cb11-7"><a href="#cb11-7" aria-hidden="true" tabindex="-1"></a><span class="co"># Cipta repositori</span></span> <span id="cb11-8"><a href="#cb11-8" aria-hidden="true" tabindex="-1"></a><span class="ex">restic</span> init</span> <span id="cb11-9"><a href="#cb11-9" aria-hidden="true" tabindex="-1"></a></span> <span id="cb11-10"><a href="#cb11-10" aria-hidden="true" tabindex="-1"></a><span class="co"># Backup</span></span> <span id="cb11-11"><a href="#cb11-11" aria-hidden="true" tabindex="-1"></a><span class="ex">restic</span> backup /data/penting</span> <span id="cb11-12"><a href="#cb11-12" aria-hidden="true" tabindex="-1"></a></span> <span id="cb11-13"><a href="#cb11-13" aria-hidden="true" tabindex="-1"></a><span class="co"># Sahkan integriti backup</span></span> <span id="cb11-14"><a href="#cb11-14" aria-hidden="true" tabindex="-1"></a><span class="ex">restic</span> check</span></code></pre></div> <h3 id="backup-konfigurasi-keselamatan">Backup Konfigurasi Keselamatan</h3> <p>Ini skrip yang saya guna untuk backup semua config keselamatan. Kalau perlu rebuild server, semua setting dah ada:</p> <div class="sourceCode" id="cb12"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb12-1"><a href="#cb12-1" aria-hidden="true" tabindex="-1"></a><span class="co">#!/bin/bash</span></span> <span id="cb12-2"><a href="#cb12-2" aria-hidden="true" tabindex="-1"></a><span class="co"># backup-security-configs.sh</span></span> <span id="cb12-3"><a href="#cb12-3" aria-hidden="true" tabindex="-1"></a><span class="va">BACKUP_DIR</span><span class="op">=</span><span class="st">"/mnt/backup/security"</span></span> <span id="cb12-4"><a href="#cb12-4" aria-hidden="true" tabindex="-1"></a><span class="va">DATE</span><span class="op">=</span><span class="va">$(</span><span class="fu">date</span> +%Y%m%d<span class="va">)</span></span> <span id="cb12-5"><a href="#cb12-5" aria-hidden="true" tabindex="-1"></a></span> <span id="cb12-6"><a href="#cb12-6" aria-hidden="true" tabindex="-1"></a><span class="fu">mkdir</span> <span class="at">-p</span> <span class="st">"</span><span class="va">$BACKUP_DIR</span><span class="st">/</span><span class="va">$DATE</span><span class="st">"</span></span> <span id="cb12-7"><a href="#cb12-7" aria-hidden="true" tabindex="-1"></a></span> <span id="cb12-8"><a href="#cb12-8" aria-hidden="true" tabindex="-1"></a><span class="co"># Backup konfigurasi penting</span></span> <span id="cb12-9"><a href="#cb12-9" aria-hidden="true" tabindex="-1"></a><span class="fu">cp</span> /etc/ssh/sshd_config <span class="st">"</span><span class="va">$BACKUP_DIR</span><span class="st">/</span><span class="va">$DATE</span><span class="st">/"</span></span> <span id="cb12-10"><a href="#cb12-10" aria-hidden="true" tabindex="-1"></a><span class="fu">cp</span> /etc/fail2ban/jail.local <span class="st">"</span><span class="va">$BACKUP_DIR</span><span class="st">/</span><span class="va">$DATE</span><span class="st">/"</span></span> <span id="cb12-11"><a href="#cb12-11" aria-hidden="true" tabindex="-1"></a><span class="fu">cp</span> <span class="at">-r</span> /etc/ufw <span class="st">"</span><span class="va">$BACKUP_DIR</span><span class="st">/</span><span class="va">$DATE</span><span class="st">/"</span></span> <span id="cb12-12"><a href="#cb12-12" aria-hidden="true" tabindex="-1"></a><span class="fu">cp</span> /etc/sysctl.conf <span class="st">"</span><span class="va">$BACKUP_DIR</span><span class="st">/</span><span class="va">$DATE</span><span class="st">/"</span></span> <span id="cb12-13"><a href="#cb12-13" aria-hidden="true" tabindex="-1"></a></span> <span id="cb12-14"><a href="#cb12-14" aria-hidden="true" tabindex="-1"></a><span class="co"># Senarai pengguna dan kumpulan</span></span> <span id="cb12-15"><a href="#cb12-15" aria-hidden="true" tabindex="-1"></a><span class="fu">getent</span> passwd <span class="op">></span> <span class="st">"</span><span class="va">$BACKUP_DIR</span><span class="st">/</span><span class="va">$DATE</span><span class="st">/passwd.bak"</span></span> <span id="cb12-16"><a href="#cb12-16" aria-hidden="true" tabindex="-1"></a><span class="fu">getent</span> group <span class="op">></span> <span class="st">"</span><span class="va">$BACKUP_DIR</span><span class="st">/</span><span class="va">$DATE</span><span class="st">/group.bak"</span></span> <span id="cb12-17"><a href="#cb12-17" aria-hidden="true" tabindex="-1"></a></span> <span id="cb12-18"><a href="#cb12-18" aria-hidden="true" tabindex="-1"></a><span class="co"># Peraturan firewall</span></span> <span id="cb12-19"><a href="#cb12-19" aria-hidden="true" tabindex="-1"></a><span class="ex">iptables-save</span> <span class="op">></span> <span class="st">"</span><span class="va">$BACKUP_DIR</span><span class="st">/</span><span class="va">$DATE</span><span class="st">/iptables.rules"</span></span> <span id="cb12-20"><a href="#cb12-20" aria-hidden="true" tabindex="-1"></a></span> <span id="cb12-21"><a href="#cb12-21" aria-hidden="true" tabindex="-1"></a><span class="bu">echo</span> <span class="st">"Backup keselamatan selesai: </span><span class="va">$DATE</span><span class="st">"</span></span></code></pre></div> <h2 id="langkah-5-pelan-tindak-balas-insiden">Langkah 5: Pelan Tindak Balas Insiden</h2> <h3 id="apabila-homelab-anda-dikompromi">Apabila Homelab Anda Dikompromi</h3> <p>Saya harap anda tak perlukan bahagian ni. Tapi kalau anda mengesyaki homelab anda telah dikompromi, ikut langkah-langkah ini. <strong>Jangan panik</strong> — panik buat keputusan jadi lebih teruk.</p> <p><strong>Langkah 1: Jangan Panik, Dokumentasikan</strong> - Tulis apa yang anda perhatikan - Catat masa dan tarikh - Screenshot kalau boleh</p> <p><strong>Langkah 2: Asingkan — Potong Akses Internet</strong></p> <div class="sourceCode" id="cb13"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb13-1"><a href="#cb13-1" aria-hidden="true" tabindex="-1"></a><span class="co"># Putuskan sambungan dari internet (di firewall)</span></span> <span id="cb13-2"><a href="#cb13-2" aria-hidden="true" tabindex="-1"></a><span class="co"># JANGAN padamkan kuasa — bukti dalam RAM akan hilang</span></span></code></pre></div> <p><strong>Langkah 3: Nilai Kerosakan</strong></p> <div class="sourceCode" id="cb14"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb14-1"><a href="#cb14-1" aria-hidden="true" tabindex="-1"></a><span class="co"># Periksa pengguna yang log masuk</span></span> <span id="cb14-2"><a href="#cb14-2" aria-hidden="true" tabindex="-1"></a><span class="fu">who</span></span> <span id="cb14-3"><a href="#cb14-3" aria-hidden="true" tabindex="-1"></a><span class="fu">last</span></span> <span id="cb14-4"><a href="#cb14-4" aria-hidden="true" tabindex="-1"></a><span class="ex">lastlog</span></span> <span id="cb14-5"><a href="#cb14-5" aria-hidden="true" tabindex="-1"></a></span> <span id="cb14-6"><a href="#cb14-6" aria-hidden="true" tabindex="-1"></a><span class="co"># Periksa proses mencurigakan</span></span> <span id="cb14-7"><a href="#cb14-7" aria-hidden="true" tabindex="-1"></a><span class="fu">ps</span> auxf</span> <span id="cb14-8"><a href="#cb14-8" aria-hidden="true" tabindex="-1"></a><span class="fu">netstat</span> <span class="at">-tunapl</span></span> <span id="cb14-9"><a href="#cb14-9" aria-hidden="true" tabindex="-1"></a></span> <span id="cb14-10"><a href="#cb14-10" aria-hidden="true" tabindex="-1"></a><span class="co"># Periksa fail yang baru diubah suai</span></span> <span id="cb14-11"><a href="#cb14-11" aria-hidden="true" tabindex="-1"></a><span class="fu">find</span> / <span class="at">-mtime</span> <span class="at">-1</span> <span class="at">-type</span> f <span class="dv">2</span><span class="op">></span>/dev/null</span> <span id="cb14-12"><a href="#cb14-12" aria-hidden="true" tabindex="-1"></a></span> <span id="cb14-13"><a href="#cb14-13" aria-hidden="true" tabindex="-1"></a><span class="co"># Periksa crontab untuk semua pengguna</span></span> <span id="cb14-14"><a href="#cb14-14" aria-hidden="true" tabindex="-1"></a><span class="cf">for</span> user <span class="kw">in</span> <span class="va">$(</span><span class="fu">cut</span> <span class="at">-f1</span> <span class="at">-d:</span> /etc/passwd<span class="va">)</span><span class="kw">;</span> <span class="cf">do</span></span> <span id="cb14-15"><a href="#cb14-15" aria-hidden="true" tabindex="-1"></a> <span class="fu">crontab</span> <span class="at">-l</span> <span class="at">-u</span> <span class="st">"</span><span class="va">$user</span><span class="st">"</span> <span class="dv">2</span><span class="op">></span>/dev/null</span> <span id="cb14-16"><a href="#cb14-16" aria-hidden="true" tabindex="-1"></a><span class="cf">done</span></span> <span id="cb14-17"><a href="#cb14-17" aria-hidden="true" tabindex="-1"></a></span> <span id="cb14-18"><a href="#cb14-18" aria-hidden="true" tabindex="-1"></a><span class="co"># Periksa kunci SSH yang tidak dikenali</span></span> <span id="cb14-19"><a href="#cb14-19" aria-hidden="true" tabindex="-1"></a><span class="fu">cat</span> ~/.ssh/authorized_keys</span></code></pre></div> <p><strong>Langkah 4: Bersihkan dan Pulihkan</strong> - Pulihkan dari backup yang bersih (sebab tu backup penting!) - Tukar <strong>SEMUA</strong> kata laluan — semua, tanpa pengecualian - Kemas kini semua perisian - Semak dan perketatkan peraturan firewall</p> <p><strong>Langkah 5: Belajar dari Insiden</strong> - Kenal pasti bagaimana pencerobohan berlaku - Perkuatkan kawalan keselamatan di bahagian yang lemah - Dokumentasikan insiden dan penyelesaian — supaya tak berulang</p> <blockquote> <p><strong>Nota Beginner:</strong> Kalau anda rasa homelab anda kena hack, perkara pertama yang perlu dibuat ialah cabut kabel internet dari router. Ini halang penyerang daripada terus akses dan halang data daripada terus bocor.</p> </blockquote> <h2 id="langkah-6-pemantauan-keselamatan-berterusan">Langkah 6: Pemantauan Keselamatan Berterusan</h2> <p>Ini skrip yang anda boleh jalankan setiap hari secara automatik. Ia akan check beberapa perkara penting dan hantar laporan:</p> <h3 id="skrip-semakan-harian-automatik">Skrip Semakan Harian (Automatik)</h3> <div class="sourceCode" id="cb15"><pre class="sourceCode bash"><code class="sourceCode bash"><span id="cb15-1"><a href="#cb15-1" aria-hidden="true" tabindex="-1"></a><span class="co">#!/bin/bash</span></span> <span id="cb15-2"><a href="#cb15-2" aria-hidden="true" tabindex="-1"></a><span class="co"># daily-security-check.sh</span></span> <span id="cb15-3"><a href="#cb15-3" aria-hidden="true" tabindex="-1"></a><span class="co"># Jalankan melalui cron setiap hari</span></span> <span id="cb15-4"><a href="#cb15-4" aria-hidden="true" tabindex="-1"></a></span> <span id="cb15-5"><a href="#cb15-5" aria-hidden="true" tabindex="-1"></a><span class="va">REPORT</span><span class="op">=</span><span class="st">""</span></span> <span id="cb15-6"><a href="#cb15-6" aria-hidden="true" tabindex="-1"></a></span> <span id="cb15-7"><a href="#cb15-7" aria-hidden="true" tabindex="-1"></a><span class="co"># Periksa kemas kini keselamatan</span></span> <span id="cb15-8"><a href="#cb15-8" aria-hidden="true" tabindex="-1"></a><span class="va">UPDATES</span><span class="op">=</span><span class="va">$(</span><span class="ex">apt</span> list <span class="at">--upgradable</span> <span class="dv">2</span><span class="op">></span>/dev/null <span class="kw">|</span> <span class="fu">grep</span> <span class="at">-c</span> security<span class="va">)</span></span> <span id="cb15-9"><a href="#cb15-9" aria-hidden="true" tabindex="-1"></a><span class="va">REPORT</span><span class="op">+=</span><span class="st">"Kemas kini keselamatan tertunda: </span><span class="va">$UPDATES</span><span class="st">\n"</span></span> <span id="cb15-10"><a href="#cb15-10" aria-hidden="true" tabindex="-1"></a></span> <span id="cb15-11"><a href="#cb15-11" aria-hidden="true" tabindex="-1"></a><span class="co"># Periksa log masuk gagal</span></span> <span id="cb15-12"><a href="#cb15-12" aria-hidden="true" tabindex="-1"></a><span class="va">FAILED</span><span class="op">=</span><span class="va">$(</span><span class="fu">grep</span> <span class="st">"Failed password"</span> /var/log/auth.log <span class="kw">|</span> <span class="fu">wc</span> <span class="at">-l</span><span class="va">)</span></span> <span id="cb15-13"><a href="#cb15-13" aria-hidden="true" tabindex="-1"></a><span class="va">REPORT</span><span class="op">+=</span><span class="st">"Percubaan log masuk gagal: </span><span class="va">$FAILED</span><span class="st">\n"</span></span> <span id="cb15-14"><a href="#cb15-14" aria-hidden="true" tabindex="-1"></a></span> <span id="cb15-15"><a href="#cb15-15" aria-hidden="true" tabindex="-1"></a><span class="co"># Periksa penggunaan cakera</span></span> <span id="cb15-16"><a href="#cb15-16" aria-hidden="true" tabindex="-1"></a><span class="va">DISK</span><span class="op">=</span><span class="va">$(</span><span class="fu">df</span> / <span class="kw">|</span> <span class="fu">awk</span> <span class="st">'NR==2 {print $5}'</span><span class="va">)</span></span> <span id="cb15-17"><a href="#cb15-17" aria-hidden="true" tabindex="-1"></a><span class="va">REPORT</span><span class="op">+=</span><span class="st">"Penggunaan cakera /: </span><span class="va">$DISK</span><span class="st">\n"</span></span> <span id="cb15-18"><a href="#cb15-18" aria-hidden="true" tabindex="-1"></a></span> <span id="cb15-19"><a href="#cb15-19" aria-hidden="true" tabindex="-1"></a><span class="co"># Periksa perkhidmatan Docker</span></span> <span id="cb15-20"><a href="#cb15-20" aria-hidden="true" tabindex="-1"></a><span class="va">DOWN</span><span class="op">=</span><span class="va">$(</span><span class="ex">docker</span> ps <span class="at">--filter</span> <span class="st">"status=exited"</span> <span class="at">--format</span> <span class="st">"{{.Names}}"</span> <span class="kw">|</span> <span class="fu">tr</span> <span class="st">'\n'</span> <span class="st">', '</span><span class="va">)</span></span> <span id="cb15-21"><a href="#cb15-21" aria-hidden="true" tabindex="-1"></a><span class="va">REPORT</span><span class="op">+=</span><span class="st">"Kontena tidak aktif: </span><span class="va">${DOWN</span><span class="op">:-</span>Tiada<span class="va">}</span><span class="st">\n"</span></span> <span id="cb15-22"><a href="#cb15-22" aria-hidden="true" tabindex="-1"></a></span> <span id="cb15-23"><a href="#cb15-23" aria-hidden="true" tabindex="-1"></a><span class="co"># Periksa sijil SSL</span></span> <span id="cb15-24"><a href="#cb15-24" aria-hidden="true" tabindex="-1"></a><span class="va">EXPIRY</span><span class="op">=</span><span class="va">$(</span><span class="bu">echo</span> <span class="kw">|</span> <span class="ex">openssl</span> s_client <span class="at">-connect</span> localhost:443 <span class="dv">2</span><span class="op">></span>/dev/null <span class="kw">|</span> <span class="dt">\</span></span> <span id="cb15-25"><a href="#cb15-25" aria-hidden="true" tabindex="-1"></a> <span class="ex">openssl</span> x509 <span class="at">-noout</span> <span class="at">-enddate</span> <span class="dv">2</span><span class="op">></span>/dev/null <span class="kw">|</span> <span class="fu">cut</span> <span class="at">-d</span><span class="op">=</span> <span class="at">-f2</span><span class="va">)</span></span> <span id="cb15-26"><a href="#cb15-26" aria-hidden="true" tabindex="-1"></a><span class="va">REPORT</span><span class="op">+=</span><span class="st">"Sijil SSL tamat: </span><span class="va">$EXPIRY</span><span class="st">\n"</span></span> <span id="cb15-27"><a href="#cb15-27" aria-hidden="true" tabindex="-1"></a></span> <span id="cb15-28"><a href="#cb15-28" aria-hidden="true" tabindex="-1"></a><span class="co"># Hantar laporan</span></span> <span id="cb15-29"><a href="#cb15-29" aria-hidden="true" tabindex="-1"></a><span class="bu">echo</span> <span class="at">-e</span> <span class="st">"</span><span class="va">$REPORT</span><span class="st">"</span> <span class="kw">|</span> <span class="ex">curl</span> <span class="at">-d</span> @- http://ntfy.lab.local/security-report</span></code></pre></div> <h2 id="langkah-7-keselamatan-fizikal">Langkah 7: Keselamatan Fizikal</h2> <p>Ramai orang lupa bab ni. Apa guna hardening SSH kalau seseorang boleh cabut hard disk anda dan bawa balik rumah?</p> <h3 id="perlindungan-fizikal">Perlindungan Fizikal</h3> <pre><code>1. Lokasi selamat - Bilik berkunci jika boleh - Jauh dari kawasan lalu lintas tinggi 2. BIOS/UEFI - Tetapkan kata laluan BIOS - Lumpuhkan boot dari USB/CD 3. Penyulitan cakera penuh - LUKS untuk Linux - BitLocker untuk Windows - Melindungi data jika perkakasan dicuri 4. Label dan inventori - Senarai semua perkakasan - Nombor siri dicatat - Foto setup untuk dokumentasi</code></pre> <blockquote> <p><strong>Nota Beginner:</strong> Kalau homelab anda di bilik tidur, keselamatan fizikal mungkin bukan isu besar. Tapi kalau anda simpan data sensitif, sekurang-kurangnya pastikan cakera dienkripsi dengan LUKS.</p> </blockquote> <h3 id="checklist-siap-bab-ini">Checklist Siap Bab Ini</h3> <ul class="task-list"> <li><label><input type="checkbox" />Saya tahu perubahan hardening mana yang mahu dibuat dahulu.</label></li> <li><label><input type="checkbox" />Saya sudah sediakan kaedah pemulihan sebelum ubah setting kritikal.</label></li> <li><label><input type="checkbox" />Saya akan uji setiap perubahan satu demi satu.</label></li> </ul> <h2 id="ringkasan">Ringkasan</h2> <p>Bab keselamatan lanjutan ni memang berat sikit, tapi anda dah sampai penghujung. Tahniah! Jom recap:</p> <ul> <li><strong>Pengerasan SSH, firewall, dan kernel Linux</strong> — kuatkan barisan pertahanan</li> <li><strong>Audit keselamatan dengan Lynis dan OpenVAS</strong> — tahu di mana kelemahan anda</li> <li><strong>Pengurusan sijil SSL/TLS dan CA peribadi</strong> — HTTPS untuk semua, termasuk service dalaman</li> <li><strong>Backup disulitkan</strong> — lindungi data walaupun backup jatuh ke tangan salah</li> <li><strong>Pelan tindak balas insiden</strong> — sedia sebelum diperlukan</li> <li><strong>Pemantauan keselamatan berterusan</strong> — automatikkan semakan harian</li> <li><strong>Keselamatan fizikal</strong> — jangan lupa dunia nyata</li> </ul> <p>Keselamatan adalah perjalanan, bukan destinasi. Tak ada satu hari pun anda boleh kata “dah selamat 100%.” Tapi dengan asas yang kukuh dan pemantauan yang konsisten, homelab anda akan jauh lebih selamat daripada kebanyakan setup di luar sana.</p> <p>Seterusnya, kita akan masuk ke automasi dan pemantauan — bab yang akan buat hidup anda jauh lebih senang!</p>
💾 Kemaskini
Batal