{"id":3568,"date":"2025-12-28T15:13:20","date_gmt":"2025-12-28T12:13:20","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/vps-guvenlik-sertlestirme-kontrol-listesi-sshd_config-fail2ban-ve-root-erisimini-kapatmak\/"},"modified":"2025-12-28T15:13:20","modified_gmt":"2025-12-28T12:13:20","slug":"vps-guvenlik-sertlestirme-kontrol-listesi-sshd_config-fail2ban-ve-root-erisimini-kapatmak","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/vps-guvenlik-sertlestirme-kontrol-listesi-sshd_config-fail2ban-ve-root-erisimini-kapatmak\/","title":{"rendered":"VPS Security Hardening Checklist: sshd_config, fail2ban and Disabling Root Access"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#VPS_Guvenlik_Sertlestirme_Neden_Bu_Kadar_Onemli\"><span class=\"toc_number toc_depth_1\">1<\/span> Why Is VPS Security Hardening So Important?<\/a><\/li><li><a href=\"#VPS_Guvenlik_Sertlestirme_Kontrol_Listesi_Buyuk_Resim\"><span class=\"toc_number toc_depth_1\">2<\/span> VPS Security Hardening Checklist: The Big Picture<\/a><\/li><li><a href=\"#sshd_config_ile_SSH_Erisimini_Sertlestirmek\"><span class=\"toc_number toc_depth_1\">3<\/span> Hardening SSH Access with sshd_config<\/a><ul><li><a href=\"#Temel_sshd_config_Sertlestirme_Parametreleri\"><span class=\"toc_number toc_depth_2\">3.1<\/span> Basic sshd_config Hardening Parameters<\/a><\/li><li><a href=\"#SSH_Portunu_Degistirmek_Guvenlik_mi_Gurultu_Azaltma_mi\"><span class=\"toc_number toc_depth_2\">3.2<\/span> Changing the SSH Port: Security or Noise Reduction?<\/a><\/li><li><a href=\"#AllowUsers_AllowGroups_ile_Erisimi_Daraltmak\"><span class=\"toc_number toc_depth_2\">3.3<\/span> Narrowing Access with AllowUsers \/ AllowGroups<\/a><\/li><li><a href=\"#SSH_Anahtari_Zorunlu_Kilmak\"><span class=\"toc_number toc_depth_2\">3.4<\/span> Making SSH Keys Mandatory<\/a><\/li><\/ul><\/li><li><a href=\"#Root_Erisimini_Kapatmak_ve_Saglikli_Yetki_Modeli_Kurmak\"><span class=\"toc_number toc_depth_1\">4<\/span> Disabling Root Access and Building a Sound Privilege Model<\/a><ul><li><a href=\"#Adim_1_Yetkili_Bir_Admin_Kullanici_Olusturmak\"><span class=\"toc_number toc_depth_2\">4.1<\/span> Step 1: Creating a Privileged Admin User<\/a><\/li><li><a href=\"#Adim_2_sudo_Yetkilerini_Ince_Ayar_Yapmak\"><span class=\"toc_number toc_depth_2\">4.2<\/span> Step 2: Fine-Tuning sudo Privileges<\/a><\/li><li><a href=\"#Adim_3_Root_SSH_Erisimini_Kapatmak\"><span class=\"toc_number toc_depth_2\">4.3<\/span> Step 3: Disabling Root SSH Access<\/a><\/li><\/ul><\/li><li><a href=\"#fail2ban_ile_Brute-Force_Saldirilarini_Otomatik_Bloklamak\"><span class=\"toc_number toc_depth_1\">5<\/span> Automatically Blocking Brute-Force Attacks with fail2ban<\/a><ul><li><a href=\"#fail2ban_Nasil_Calisir\"><span class=\"toc_number toc_depth_2\">5.1<\/span> How Does fail2ban Work?<\/a><\/li><li><a href=\"#SSH_Icin_Basit_Bir_fail2ban_Jail_Ornegi\"><span class=\"toc_number toc_depth_2\">5.2<\/span> A Simple fail2ban Jail Example for SSH<\/a><\/li><li><a href=\"#Yanlis_Pozitifler_ve_Beyaz_Liste_Yonetimi\"><span class=\"toc_number toc_depth_2\">5.3<\/span> False Positives and Whitelist Management<\/a><\/li><\/ul><\/li><li><a href=\"#Otomatik_Guvenlik_Guncellemeleri_Yamalar_Gecikmesin\"><span class=\"toc_number toc_depth_1\">6<\/span> Automatic Security Updates: Don't Let Patches Lag<\/a><ul><li><a href=\"#UbuntuDebian_unattended-upgrades_ile_Guvenlik_Guncellemeleri\"><span class=\"toc_number toc_depth_2\">6.1<\/span> Ubuntu\/Debian: Security Updates with unattended-upgrades<\/a><\/li><li><a href=\"#RHELAlmaLinuxRocky_Linux_dnf-automatic_ile_Guncellemeler\"><span class=\"toc_number toc_depth_2\">6.2<\/span> RHEL\/AlmaLinux\/Rocky Linux: Updates with dnf-automatic<\/a><\/li><li><a href=\"#Otomatik_Guncelleme_Riskleri_Nasil_Yonetilir\"><span class=\"toc_number toc_depth_2\">6.3<\/span> How Are the Risks of Automatic Updates Managed?<\/a><\/li><\/ul><\/li><li><a href=\"#Ek_Kontroller_Guvenlik_Duvari_Loglar_ve_Yedekler\"><span class=\"toc_number toc_depth_1\">7<\/span> Additional Controls: Firewall, Logs and Backups<\/a><ul><li><a href=\"#Guvenlik_Duvari_ile_Saldiri_Yuzeyini_Kucultmek\"><span class=\"toc_number toc_depth_2\">7.1<\/span> Shrinking the Attack Surface with a Firewall<\/a><\/li><li><a href=\"#Log_Yonetimi_ve_Disk_Dolmasini_Onlemek\"><span class=\"toc_number toc_depth_2\">7.2<\/span> Log Management and Preventing a Full Disk<\/a><\/li><li><a href=\"#Yedekleme_Guvenlik_Acigi_Kadar_Hata_Payinizi_da_Dusurur\"><span class=\"toc_number toc_depth_2\">7.3<\/span> Backups: They Reduce Your Margin for Error as Much as Your Security Exposure<\/a><\/li><\/ul><\/li><li><a href=\"#DCHost_Uzerinde_Bu_Kontrol_Listesini_Nasil_Uygularsiniz\"><span class=\"toc_number toc_depth_1\">8<\/span> How Do You Apply This Checklist on DCHost?<\/a><\/li><li><a href=\"#Sonuc_ve_Onerilen_Yol_Haritasi\"><span class=\"toc_number toc_depth_1\">9<\/span> Conclusion and Recommended Roadmap<\/a><\/li><\/ul><\/div>\n
<h2><span id=\"VPS_Guvenlik_Sertlestirme_Neden_Bu_Kadar_Onemli\">Why Is VPS Security Hardening So Important?<\/span><\/h2>\n<p>The moment you buy a <a href=\"https:\/\/www.dchost.com\/tr\/vps\">VPS<\/a> and make your first SSH connection, you take on a responsibility not only toward your own project but toward the whole network. A small oversight on the security side can turn your machine into a server that sends spam, takes part in DDoS attacks or leaks a database. In the security audits we carry out as the DCHost team, we see the same basic gaps in the vast majority of breached servers: default SSH settings, root access that was never disabled, a <strong>fail2ban<\/strong> that is active but not configured, and automatic security updates that are not working.<\/p>\n
<p>In this article we will work through a practical <strong>VPS security hardening checklist<\/strong>. The focus is on these steps in particular: <strong>sshd_config<\/strong> hardening, <strong>disabling root access<\/strong>, limiting brute-force attacks with <strong>fail2ban<\/strong>, and setting up <strong>automatic security updates<\/strong> correctly. Each step may look simple on its own, but applied together they provide a quite solid baseline security layer for both small projects and high-traffic applications. 
We will also show, step by step, how you can apply this checklist to the VPS\/<a href=\"https:\/\/www.dchost.com\/tr\/fiziksel-sunucu\">dedicated servers<\/a> you have newly created or are already running on DCHost.<\/p>\n<h2><span id=\"VPS_Guvenlik_Sertlestirme_Kontrol_Listesi_Buyuk_Resim\">VPS Security Hardening Checklist: The Big Picture<\/span><\/h2>\n<p>Before going into detailed settings, let's pin down the basic security steps a solid VPS needs. You can use the list below as a checklist both when setting up a new VPS and when auditing an existing server:<\/p>\n<ul>\n<li>Update the operating system and packages (security updates in particular)<\/li>\n<li>Harden the <strong>sshd_config<\/strong> file (port, authentication, root access, etc.)<\/li>\n<li>Set up a privileged user + sudo model instead of direct root login<\/li>\n<li>Disable password-based SSH login and connect only with <strong>SSH keys<\/strong><\/li>\n<li>Limit brute-force attacks with <strong>fail2ban<\/strong> or a similar mechanism<\/li>\n<li>Open only the required ports with a firewall (ufw, firewalld, iptables\/nftables)<\/li>\n<li>Enable the <strong>automatic security updates<\/strong> appropriate to your distribution<\/li>\n<li>Prevent unexpected full disks with log rotation and disk monitoring<\/li>\n<li>A regular, tested backup strategy (at least something close to the 3-2-1 approach)<\/li>\n<\/ul>\n<p>In this article the focus will be mostly on SSH, root, fail2ban and updates. 
If you are looking for detail on the firewall side, we recommend reviewing the <a href='https:\/\/www.dchost.com\/blog\/vps-sunucularda-guvenlik-duvari-yapilandirma-ufw-firewalld-ve-iptables\/'>VPS firewall configuration guide<\/a> we published on the DCHost blog.<\/p>\n<h2><span id=\"sshd_config_ile_SSH_Erisimini_Sertlestirmek\">Hardening SSH Access with sshd_config<\/span><\/h2>\n<p>The first place you touch on your VPS is almost always SSH. So it is also the first door attackers try. An SSH service left at its defaults invites trial-and-error brute-force attacks, authentication mistakes and features accidentally left enabled. A well-configured <strong>sshd_config<\/strong> file, on the other hand, immediately raises the cost for the attacker.<\/p>\n<h3><span id=\"Temel_sshd_config_Sertlestirme_Parametreleri\">Basic sshd_config Hardening Parameters<\/span><\/h3>\n<p>Let's first look at a few basic parameters. 
On most Debian\/Ubuntu-based systems the configuration file is located at <code>\/etc\/ssh\/sshd_config<\/code> (on newer releases the <code>sshd_config.d\/<\/code> directory can also be used).<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># Protocol and basic settings\nProtocol 2\nPort 22\nAddressFamily inet\nListenAddress 0.0.0.0\n\n# Root login and password settings\nPermitRootLogin no\nPasswordAuthentication no\nChallengeResponseAuthentication no\nUsePAM yes\n\n# Authentication attempts\nMaxAuthTries 3\nLoginGraceTime 20\n\n# Dropping idle connections\nClientAliveInterval 300\nClientAliveCountMax 2\n<\/code><\/pre>\n<p>This skeleton configuration is a perfectly sound starting point for most small and medium-sized projects. Key points:<\/p>\n<ul>\n<li><strong>Protocol 2<\/strong>: Already the default on current systems, but because of old habits it is still worth stating.<\/li>\n<li><strong>PermitRootLogin no<\/strong>: Completely disables direct logins with the root account (we cover the details under a separate heading below).<\/li>\n<li><strong>PasswordAuthentication no<\/strong>: Disables password logins and allows connections only with an SSH key.<\/li>\n<li><strong>MaxAuthTries 3<\/strong>: Limits wrong password\/key attempts so that the connection is dropped quickly during brute-force attacks.<\/li>\n<\/ul>\n<h3><span id=\"SSH_Portunu_Degistirmek_Guvenlik_mi_Gurultu_Azaltma_mi\">Changing the SSH Port: Security or Noise Reduction?<\/span><\/h3>\n
<p>A frequently debated topic in the security community: <strong>changing the SSH port<\/strong>. Realistically, changing the port alone does not give you a true additional security layer, but it does filter out a significant share of automated scans and amateur brute-force attempts. That in turn reduces log noise and the load on fail2ban.<\/p>\n<p>For example, if you want to use a port such as 2222 instead of 22:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Port 2222\n<\/code><\/pre>\n<p>Before changing the port:<\/p>\n<ul>\n<li>Open the new port in your firewall.<\/li>\n<li>Without closing the existing connection, test the new port in a new terminal tab.<\/li>\n<li>Update the configuration of the security tools running on the server (e.g. fail2ban) for the new port.<\/li>\n<\/ul>\n<h3><span id=\"AllowUsers_AllowGroups_ile_Erisimi_Daraltmak\">Narrowing Access with AllowUsers \/ AllowGroups<\/span><\/h3>\n<p>Restricting which users can connect over SSH is critically important, especially on VPSs with more than one system user. 
With the <strong>AllowUsers<\/strong> and <strong>AllowGroups<\/strong> directives you can ensure that only specific accounts are able to log in.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># Only specific users may log in over SSH\nAllowUsers admin deploy\n\n# Or restrict through a group instead (if both directives are set, a login must satisfy both)\nAllowGroups sshusers\n<\/code><\/pre>\n<p>This approach prevents system accounts that were accidentally given a password but are never used from turning into an externally exposed attack surface. If you work as a team, we recommend combining these settings with the <a href='https:\/\/www.dchost.com\/blog\/ssh-anahtar-yonetimi-ve-yetki-paylasimi-kucuk-ekipler-icin-guvenli-vps-erisimi\/'>SSH key management and access sharing guide<\/a> whose details we cover on the DCHost blog.<\/p>\n<h3><span id=\"SSH_Anahtari_Zorunlu_Kilmak\">Making SSH Keys Mandatory<\/span><\/h3>\n<p>SSH access by password is in practice no longer accepted today, particularly because of leaked passwords and password-reuse habits. 
The clear step to take: disable passwords entirely with <strong>PasswordAuthentication no<\/strong> and define an SSH key for each user.<\/p>\n<p>Summary steps:<\/p>\n<ol>\n<li>On the client side, generate a key pair with <code>ssh-keygen -t ed25519<\/code>.<\/li>\n<li>Add the contents of the resulting <code>~\/.ssh\/id_ed25519.pub<\/code> to the relevant user's <code>~\/.ssh\/authorized_keys<\/code> file on the server.<\/li>\n<li>On the server, verify the permissions <code>chmod 700 ~\/.ssh<\/code> and <code>chmod 600 ~\/.ssh\/authorized_keys<\/code>.<\/li>\n<li>Finally, enable the <code>PasswordAuthentication no<\/code> setting and restart the SSH service.<\/li>\n<\/ol>\n<p>At this point you will have significantly reduced both the brute-force and the password-leak risk.<\/p>\n<h2><span id=\"Root_Erisimini_Kapatmak_ve_Saglikli_Yetki_Modeli_Kurmak\">Disabling Root Access and Building a Sound Privilege Model<\/span><\/h2>\n<p>The classic scenario we see in many breach investigations: direct SSH access to the root account is open, password login is enabled, and the password is usually weak or reused. From the attacker's point of view, this combination is the \u201cfavourite\u201d target. 
The sound model is to use <strong>a privileged user + sudo instead of direct root<\/strong>.<\/p>\n<h3><span id=\"Adim_1_Yetkili_Bir_Admin_Kullanici_Olusturmak\">Step 1: Creating a Privileged Admin User<\/span><\/h3>\n<p>First, create a user with which you can perform root-equivalent administration but which is not root itself:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">adduser admin\nusermod -aG sudo admin   # Debian\/Ubuntu\n# or\nusermod -aG wheel admin  # RHEL\/AlmaLinux\/Rocky Linux<\/code><\/pre>\n<p>After defining the SSH key for your admin user, be sure to test logging in with <code>ssh admin@sunucu-ip<\/code> without closing the terminal that is open as root.<\/p>\n<h3><span id=\"Adim_2_sudo_Yetkilerini_Ince_Ayar_Yapmak\">Step 2: Fine-Tuning sudo Privileges<\/span><\/h3>\n<p>On many distributions the sudoers file already comes with reasonable defaults; still, it is worth reviewing at least these two points:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">visudo\n\n# For example, to give full privileges only to the admin user:\nadmin ALL=(ALL:ALL) ALL\n<\/code><\/pre>\n<p>In environments with a higher security level, instead of giving every user full privileges, it is possible to define specific commands with <code>NOPASSWD<\/code> and the others so that a password is required. 
For example, you may want the deployment user to be able to manage only specific services.<\/p>\n<h3><span id=\"Adim_3_Root_SSH_Erisimini_Kapatmak\">Step 3: Disabling Root SSH Access<\/span><\/h3>\n<p>Once SSH access with your admin user is confirmed, you can take the most critical step. In <code>sshd_config<\/code>, enable the line:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">PermitRootLogin no\n<\/code><\/pre>\n<p>and then restart the SSH service:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">systemctl restart ssh   # Debian\/Ubuntu\nsystemctl restart sshd  # RHEL\/AlmaLinux\/Rocky Linux<\/code><\/pre>\n<p>From then on you can switch to the root account only with <code>sudo su -<\/code> or <code>sudo -i<\/code>. As a result:<\/p>\n<ul>\n<li>Even if the root password leaks, direct SSH access is not possible.<\/li>\n<li>Who ran which commands as which user can be tracked much more clearly through <code>\/var\/log\/auth.log<\/code>.<\/li>\n<\/ul>\n<p>When you apply this step together with the <a href='https:\/\/www.dchost.com\/blog\/yeni-vpste-ilk-24-saat-guncelleme-guvenlik-duvari-ve-kullanici-hesaplari\/'>first 24 hours on a new VPS guide<\/a> we published on the DCHost blog, you will have built a quite solid foundation from day one.<\/p>\n<h2><span id=\"fail2ban_ile_Brute-Force_Saldirilarini_Otomatik_Bloklamak\">Automatically Blocking Brute-Force Attacks with fail2ban<\/span><\/h2>\n<p>You have hardened your SSH settings, disabled password access and banned root login. 
Even so, because you have an IP address that is constantly scanned from the internet, you will still see failed login attempts in your logs. This is where <strong>fail2ban<\/strong> comes in.<\/p>\n<h3><span id=\"fail2ban_Nasil_Calisir\">How Does fail2ban Work?<\/span><\/h3>\n<p>fail2ban is a service that monitors specific log files and, when it detects suspicious behaviour (for example, repeated failed SSH login attempts), <strong>temporarily bans<\/strong> the IP address concerned. It generally works with the following components:<\/p>\n<ul>\n<li>Monitored log file: e.g. <code>\/var\/log\/auth.log<\/code> or <code>\/var\/log\/secure<\/code><\/li>\n<li>Filter rules (filter.d): files that match log lines with regular expressions<\/li>\n<li>Jail definitions (jail.conf \/ jail.local): determine which rules are applied for which service and at which thresholds<\/li>\n<li>Firewall integration: IP blocking via ufw, iptables or nftables<\/li>\n<\/ul>\n<h3><span id=\"SSH_Icin_Basit_Bir_fail2ban_Jail_Ornegi\">A Simple fail2ban Jail Example for SSH<\/span><\/h3>\n<p>Typical installation on Ubuntu\/Debian:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">apt update\napt install fail2ban\n<\/code><\/pre>\n<p>Then, rather than touching the default files, it is good practice to create an <code>\/etc\/fail2ban\/jail.local<\/code>:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">[sshd]\nenabled = true\nport    = ssh\nfilter  = sshd\nlogpath = \/var\/log\/auth.log\nmaxretry = 5\nfindtime = 600\nbantime  = 3600\n<\/code><\/pre>\n<p>With this configuration:<\/p>\n<ul>\n<li>An IP that makes more than 5 failed login attempts within 10 minutes<\/li>\n<li>is automatically banned for 1 hour.<\/li>\n<\/ul>\n
<p>If you changed your SSH port, do not forget to update it, e.g. <code>port = 2222<\/code>. Also, if you want to manage your firewall in more detail, using it together with the <a href='https:\/\/www.dchost.com\/blog\/nftables-ile-vps-guvenlik-duvari-rehberi-rate-limit-port-knocking-ve-ipv6-kurallari-nasil-tatli-tatli-kurulur\/'>VPS firewall guide with nftables<\/a> is quite effective.<\/p>\n<h3><span id=\"Yanlis_Pozitifler_ve_Beyaz_Liste_Yonetimi\">False Positives and Whitelist Management<\/span><\/h3>\n<p>Especially in small teams, developers blocking their own IP because they used the wrong key or switched VPNs is a common occurrence. For this reason it makes sense to whitelist your office IPs or your VPN network using the <code>ignoreip<\/code> directive:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">[DEFAULT]\nignoreip = 127.0.0.1 10.0.0.0\/24 1.2.3.4\n<\/code><\/pre>\n<p>In addition, in production it is more useful to increase <strong>bantime<\/strong> according to the severity of the violation rather than keeping it very long. For example, you can define escalating penalties such as 1 hour for the first violation and 1 day for repeat-offender IPs.<\/p>\n<h2><span id=\"Otomatik_Guvenlik_Guncellemeleri_Yamalar_Gecikmesin\">Automatic Security Updates: Don't Let Patches Lag<\/span><\/h2>\n<p>Today many breaches actually happen because of vulnerabilities that were patched months earlier. 
In other words, the problem is usually not \u201cunknown zero-day vulnerabilities\u201d but patches that were never applied. That is why <strong>automatic security updates<\/strong> are a critical layer of defence.<\/p>\n<h3><span id=\"UbuntuDebian_unattended-upgrades_ile_Guvenlik_Guncellemeleri\">Ubuntu\/Debian: Security Updates with unattended-upgrades<\/span><\/h3>\n<p>On Debian and Ubuntu-based systems the <code>unattended-upgrades<\/code> package is the ideal solution, particularly for installing security updates automatically.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">apt update\napt install unattended-upgrades apt-listchanges\n<\/code><\/pre>\n<p>Then, for the basic configuration:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">dpkg-reconfigure unattended-upgrades\n<\/code><\/pre>\n<p>This wizard enables automatic installation of security updates in a single step. For detailed settings, review the <code>\/etc\/apt\/apt.conf.d\/50unattended-upgrades<\/code> file:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">Unattended-Upgrade::Origins-Pattern {\n  &quot;origin=Ubuntu,codename=${distro_codename},label=Ubuntu-Security&quot;;\n};\n\nUnattended-Upgrade::Remove-Unused-Dependencies &quot;true&quot;;\nUnattended-Upgrade::Automatic-Reboot &quot;true&quot;;\nUnattended-Upgrade::Automatic-Reboot-Time &quot;03:30&quot;;\n<\/code><\/pre>\n<p>The critical point here is to decide deliberately in which time window updates that require an automatic reboot will be applied. Prefer the hours when your traffic is low, and be sure to settle your backup strategy beforehand. 
If you want to go deeper on the backup side, you can take a look at our <a href='https:\/\/www.dchost.com\/blog\/3-2-1-yedekleme-stratejisi-neden-ise-yariyor-cpanel-plesk-ve-vpste-otomatik-yedekleri-nasil-kurarsin\/'>3-2-1 backup strategy guide<\/a>.<\/p>\n<h3><span id=\"RHELAlmaLinuxRocky_Linux_dnf-automatic_ile_Guncellemeler\">RHEL\/AlmaLinux\/Rocky Linux: Updates with dnf-automatic<\/span><\/h3>\n<p>In the RHEL family, <code>dnf-automatic<\/code> does a similar job:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">dnf install dnf-automatic\n<\/code><\/pre>\n<p>Then edit the <code>\/etc\/dnf\/automatic.conf<\/code> file:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">[commands]\nupgrade_type = security\nrandom_sleep = 0\n# Install the downloaded security updates instead of only reporting them\ndownload_updates = yes\napply_updates = yes\n\n[emitters]\nemit_via = email\n\n[email]\nemail_from = root@sunucu\nemail_to = admin@ornek.com\n<\/code><\/pre>\n<p>And enable the timer:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">systemctl enable --now dnf-automatic.timer\n<\/code><\/pre>\n<p>In production environments, automating <strong>only security updates<\/strong> and leaving major version upgrades to controlled maintenance windows is generally the sounder strategy.<\/p>\n<h3><span id=\"Otomatik_Guncelleme_Riskleri_Nasil_Yonetilir\">How Are the Risks of Automatic Updates Managed?<\/span><\/h3>\n<p>Although the \u201clet's automate everything\u201d approach sounds appealing, it can lead to unexpected incompatibilities, especially in complex stacks. 
To reduce this risk:<\/p>\n<ul>\n<li>Limit automatic updating to <strong>security patches only<\/strong>.<\/li>\n<li>For kernel\/security components, try them out first on a staging or test VPS.<\/li>\n<li>Define simple health checks (e.g. HTTP 200 status) for before and after the update.<\/li>\n<li>To catch performance problems that may arise after an update, track basic metrics as described in our <a href='https:\/\/www.dchost.com\/blog\/vps-kaynak-kullanimi-izleme-rehberi-htop-iotop-netdata-ve-prometheus\/'>VPS resource usage monitoring guide<\/a>.<\/li>\n<\/ul>\n<h2><span id=\"Ek_Kontroller_Guvenlik_Duvari_Loglar_ve_Yedekler\">Additional Controls: Firewall, Logs and Backups<\/span><\/h2>\n<p>sshd_config, root access, fail2ban and automatic updates are the backbone of VPS security. But there are a few more important layers that support this backbone.<\/p>\n<h3><span id=\"Guvenlik_Duvari_ile_Saldiri_Yuzeyini_Kucultmek\">Shrinking the Attack Surface with a Firewall<\/span><\/h3>\n<p>Basic principle: the fewer ports open to the internet, the smaller your attack surface. On a VPS it is usually enough for only the following ports to be open:<\/p>\n<ul>\n<li>SSH (e.g. 22 or an alternative port)<\/li>\n<li>HTTP (80) and HTTPS (443)<\/li>\n<li>Custom service ports that are genuinely needed (e.g. 3306 open only to the internal network)<\/li>\n<\/ul>\n
<p>For detailed examples and a ufw\/firewalld\/iptables comparison you can use the <a href='https:\/\/www.dchost.com\/blog\/vps-sunucularda-guvenlik-duvari-yapilandirma-ufw-firewalld-ve-iptables\/'>VPS firewall configuration guide<\/a>.<\/p>\n<h3><span id=\"Log_Yonetimi_ve_Disk_Dolmasini_Onlemek\">Log Management and Preventing a Full Disk<\/span><\/h3>\n<p>As security measures increase, so does log volume. That is a good thing, but if unmanaged it can lead to critical problems such as a <strong>full disk<\/strong>. Make sure your <code>logrotate<\/code> configuration is in good order so that your log files are rotated properly and old logs are kept compressed.<\/p>\n<p>If you are looking for a practical roadmap on this, the <a href='https:\/\/www.dchost.com\/blog\/vps-disk-kullanimi-ve-logrotate-ayarlariyla-no-space-left-on-device-hatasini-onlemek\/'>VPS disk usage and logrotate settings guide<\/a> on the DCHost blog will walk you through it step by step.<\/p>\n<h3><span id=\"Yedekleme_Guvenlik_Acigi_Kadar_Hata_Payinizi_da_Dusurur\">Backups: They Reduce Your Margin for Error as Much as Your Security Exposure<\/span><\/h3>\n<p>Security hardening reduces the likelihood of an attack, but no measure is 100%. It is also possible to break the <code>sshd_config<\/code> file with a wrong command or lock yourself out with a faulty firewall rule. 
That is why regular <strong>VPS snapshots<\/strong> and file\/database backups taken to external storage minimize the risk of operational error as well as the security risk.<\/p>\n<h2><span id=\"DCHost_Uzerinde_Bu_Kontrol_Listesini_Nasil_Uygularsiniz\">How Do You Apply This Checklist on DCHost?<\/span><\/h2>\n<p>In the VPS and dedicated server services we offer at DCHost, most of the steps covered in this article come ready to apply in default installations; however, because every project has different needs, most of our customers customize these settings to fit their own processes.<\/p>\n<p>Our general approach is as follows:<\/p>\n<ul>\n<li>When you open a new VPS, we provide documentation and guides so that your first step is to update the operating system and set up your SSH keys.<\/li>\n<li>For customers who want it, as part of our managed service we can apply <strong>sshd_config hardening<\/strong>, <strong>fail2ban installation<\/strong> and <strong>automatic security updates<\/strong> using standardized profiles.<\/li>\n<li>If you are building high-availability or multi-server architectures, articles such as <a href='https:\/\/www.dchost.com\/blog\/mysql-ve-postgresql-replikasyon-kurulumu-ile-vps-uzerinde-yuksek-erisilebilirlik\/'>our guide to database replication on a VPS<\/a> help you plan secure and scalable solutions at the network and data layers as well.<\/li>\n<\/ul>\n<p>If you get stuck at any point while applying this checklist on your existing DCHost VPS, 
you can also open a support ticket and ask for recommendations specific to your configuration.<\/p>\n<h2><span id=\"Sonuc_ve_Onerilen_Yol_Haritasi\">Conclusion and Recommended Roadmap<\/span><\/h2>\n<p>VPS security is not something solved by a single \u201cmagic setting\u201d. However, the four core topics covered in this article, <strong>sshd_config hardening<\/strong>, <strong>disabling root access<\/strong>, <strong>brute-force protection with fail2ban<\/strong> and <strong>automatic security updates<\/strong>, form an indispensable core for almost every Linux VPS, large or small.<\/p>\n<p>If you want a practical roadmap:<\/p>\n<ol>\n<li>First, apply updates and set up your SSH keys.<\/li>\n<li>Then create your admin user and disable root login gradually.<\/li>\n<li>Harden your sshd_config settings (port, authentication, AllowUsers).<\/li>\n<li>Protect SSH and critical services against brute-force attacks with fail2ban or a similar mechanism.<\/li>\n<li>Enable the automatic security updates appropriate for your distribution, and settle your log and backup strategy.<\/li>\n<\/ol>\n<p>Once you complete these steps, your VPS or dedicated server running on DCHost becomes far more resilient both to external attacks and to mistaken use from the inside. 
If you later want to extend your security architecture with layers such as WAF, CDN, centralized logging and advanced monitoring, you can proceed step by step through the <a href='https:\/\/www.dchost.com\/blog\/vps-sunucu-guvenligi-pratik-olceklenebilir-ve-dogrulanabilir-yaklasimlar\/'>VPS server security<\/a> article and the other security-focused posts on our blog.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Contents 1 Why Is VPS Security Hardening So Important? 2 VPS Security Hardening Checklist: The Big Picture 3 Hardening SSH Access with sshd_config 3.1 Basic sshd_config Hardening Parameters 3.2 Changing the SSH Port: Security or Noise Reduction? 3.3 Narrowing Access with AllowUsers \/ AllowGroups 3.4 Making SSH Keys Mandatory 4 Disabling Root Access and Building a Sound Privilege Model 4.1 Step 1: A Privileged Admin 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3569,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-3568","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/3568","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=3568"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/3568\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/3569"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=3568"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=3568"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=3568"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}