[SSH服务]——一些安全性配置和补充实验

SSH 安全性和配置

转载于 http://www.ibm.com/developerworks/cn/aix/library/au-sshsecurity/

对于一些之前列举的代码示例，许多系统管理员担心 SSH 使用情况和功能的一些安全性实现。尽管已经口头和书面说明了常见的各种 SSH 安全性和远程主机安全性方法，下面有一系列流程和配置可用于加强有关远程主机访问的 SSH 安全性：

将 root 账户仅限制为控制台访问：

# vi /etc/ssh/sshd_config

PermitRootLogin no

为私有密钥使用一个强大的口令和密码保护来创建公私密钥对（绝不要生成一个无密码的密钥对或一个无密码口令无密钥的登录）：
```
(Use a higher bit rate for the encryption for more security)

ssh-keygen -t rsa -b 4096
```
配置 TCP 包装程序，以便仅允许选定的远程主机并拒绝不合意的主机：
```
# vi /etc/hosts.deny

ALL: 192.168.200.09		# IP Address of badguy
```
在工作站或笔记本电脑上，关闭 SSH 服务禁用 SSH 服务器，然后删除 ssh 服务器包：
```
# chkconfig sshd off

# yum erase openssh-server
```

通过控制用户访问限制 SSH 访问：

# vi /etc/ssh/sshd_config

AllowUsers fsmythe bnice swilson

DenyUsers jhacker joebadguy jripper

仅使用 SSH Protocol 2：
```
# vi /etc/ssh/sshd_config

Protocol 2
```

不要支持闲置会话，并配置 Idle Log Out Timeout 间隔：

# vi /etc/ssh/sshd_config

ClientAliveInterval 600		# (Set to 600 seconds = 10 minutes)

ClientAliveCountMax 0

禁用基于主机的身份验证：

# vi /etc/ssh/sshd_config

HostbasedAuthentication no

禁用用户的 .rhosts 文件：

# vi /etc/ssh/sshd_config

IgnoreRhosts yes

配置防火墙以接受仅来自已知网段的 SSH 连接：

Update /etc/sysconfig/iptables (Redhat specific file) to accept connection only

from 192.168.100.0/24 and 209.64.100.5/27, enter:

-A RH-FW-1-INPUT -s 192.168.100.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT

-A RH-FW-1-INPUT -s 209.64.100.5/27 -m state --state NEW -p tcp --dport 22 -j ACCEPT

限制 SSH 将侦听和绑定到的可用接口：

# vi /etc/ssh/sshd_config

ListenAddress 192.168.100.17

ListenAddress 209.64.100.15

设置用户策略，实施强大的密码来防御强力攻击、社会工程企图（social engineering attempts）和字典攻击：
```
# < /dev/urandom tr -dc A-Za-z0-9_ | head -c8

oP0FNAUt[
```

使用 Chroot SSHD 将 SFTP 用户局限于其自己的主目录：

# vi /etc/ssh/sshd_config

ChrootDirectory /data01/home/%u

X11Forwarding no

AllowTcpForwarding no

禁用空密码：

# vi /etc/ssh/sshd_config

PermitEmptyPasswords no

在指定时间内对传入端口 2022 连接的数量限速：

Redhat iptables example (Update /etc/sysconfig/iptables): 

-A INPUT  -i eth0 -p tcp --dport 2022 -m state --state NEW -m limit --limit 3/min

--limit-burst 3 -j ACCEPT

-A INPUT  -i eth0 -p tcp --dport 2022 -m state --state ESTABLISHED -j ACCEPT

-A OUTPUT -o eth0 -p tcp --sport 2022 -m state --state ESTABLISHED -j ACCEPT

配置 iptables，以便在 30 秒内仅允许在端口 2022 上有三个连接尝试：

Redhat iptables example (Update /etc/sysconfig/iptables):

-I INPUT -p tcp --dport 2022 -i eth0 -m state --state NEW -m recent --set

-I INPUT -p tcp --dport 2022 -i eth0 -m state --state NEW -m recent --update

--seconds 30 --hitcount 3 -j DR

使用一个日志分析器，比如 logcheck、loggrep、splunk 或 logwatch 来更好地理解日志并创建日志报告。另外，在 SSH 应用程序自身内增加日志记录的详细度：
```
Installation of the logwatch package on Redhat Linux

# yum install logwatch
```
通过配置增加 SSH 日志记录的详细度：
```
# vi /etc/ssh/sshd_config

LogLevel DEBUG
```
在补丁上总是将 SSH 程序包和需要的库保持为最新：
```
# yum update openssh-server openssh openssh-clients -y
```

隐藏 OpenSSH 版本，要求 SSH 源代码并进行重新编译。然后进行以下更新：

# vi /etc/ssh/sshd_config

VerifyReverseMapping yes	# Turn on  reverse name checking

UsePrivilegeSeparation yes	# Turn on privilege separation

StrictModes yes			# Prevent the use of insecure home directory

				# and key file permissions

AllowTcpForwarding no		# Turn off , if at all possible

X11Forwarding no		# Turn off , if at all possible

PasswordAuthentication no	# Specifies whether password authentication is

				# allowed.  The default is yes. Users must have

				# another authentication method available .

从系统上删除 rlogin 和 rsh 二进制程序，并将它们替代为 SSH 的一个 symlink：
```
# find /usr -name rsh

/usr/bin/rsh

# rm -f /usr/bin/rsh

# ln -s /usr/bin/ssh /usr/bin/rsh
```

SSH 支持可启用或禁用的多种不同的身份验证方法和技术。在 /etc/ssh/sshd_config 文件中，您可以进行这些配置更改，方法就是输入为身份验证方法列出的关键字，然后紧接 yes 或 no。下面是一些常见的配置更改：

# RSAAuthentication yes

# PubkeyAuthentication yes

# RhostsRSAAuthentication no

# HostbasedAuthentication no

# RhostsRSAAuthentication and HostbasedAuthentication

PasswordAuthentication yes

ChallengeResponseAuthentication no

# KerberosAuthentication no

GSSAPIAuthentication yes

  sshd_config 文件内的 AllowedAuthentications 和 RequiredAuthentications 决定哪些身份验证方法和配置仅用于 SSH Protocol 2，且它们支持密码和公钥身份验证的语法如下：

# vi /etc/ssh/sshd_config

AllowedAuthentications publickey, password

RequiredAuthentications publickey, password

其他/补充

1.建议把端口号改成9000以上

[root@lyj1 ~]# ssh 10.0.80.10

ssh: connect to host 10.0.80.10 port 22: Connection refused

[root@lyj1 ~]# ssh -p 9001 10.0.80.10

The authenticity of host '[10.0.80.10]:9001 ([10.0.80.10]:9001)' can't be established.

RSA key fingerprint is 55:e5:85:f1:45:19:0b:a7:b7:c0:af:fe:f4:57:20:dc.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '[10.0.80.10]:9001' (RSA) to the list of known hosts.

root@10.0.80.10's password:

2.服务器A和服务器B相互信任实验

实验描述：

服务器A：10.0.10.158，有普通用户user_00

服务器B：10.0.10.191，有普通用户user_00

实现A和B之间相互可以无密码SSH登陆

[user_00@lyj1 .ssh]$ su - user_00   #切换至用户user_00

[user_00@lyj1 .ssh]$ ssh-keygen     #生成公钥和密钥

......略......

[user_00@lyj1 .ssh]$ ls

authorized_keys  id_rsa  id_rsa.pub

[user_00@lyj1 .ssh]$ su - user_00

[user_00@lyj2 .ssh]$ ssh-keygen

......略......

[user_00@lyj2 .ssh]$ ls

authorized_keys  id_rsa  id_rsa.pub

[user_00@lyj1 .ssh]$ cat -n authorized_keys  #把B的公钥复制到A的authorized

     1	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAouMkukq0j5cinhEMvbDzbLmozHBeolqQ0nmDBxk7ViHF1lOxR/GCiME6D9GnSGHIMMqYIvRTNjgoQxzl7BHvAp0a3gTV28Q7F/hPKp3Uu9ab5ihdRraSU3N0HPxPka8U6jANn4UK6tAq7kZGx7Q5OjD7iZGY1ZDsgZS6BDgPPvyMQpUluy6ave0FwBCWYSHfWvqGK+2BlQ5L7fwieMYPYUPly4HKbrUAkuAPa7lH7vbwYzKe2FhqJlJ41ZCla88NKhZAt3WUZgNdY9/k1kwTbFZZttYVVFPc3aJnAXrZtF1aQv5iwkQ7cpuEBjcwFmcbZwSu8Qbk6rQv0HBsvtj18w== user_00@localhost.localdomain

     2	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxKhaOwUKoYkIDMYsja8eJUoJd0rr6C6urPNBEl33d86mWfgt2Qq23krPmxScRMK3QRJV7J1UiWlumwq6PfWkLCU3POlL2goEmgqfeKwn9ZlCTgnB3cjNef/6TdgcOESksj2xsprShBjT5djWC82xQbmieNHK+MiMwtvz1ITm4ZeyVfZgRoIRe3Lm1eWaUuMmve0kU7qFOJNvDV0+YHJu+ntOvpz17NXLHhzzWbHk9Ulnbz5brBPwQ8xBdFt+DSLYZMFNj+EVatvAg0YE5kAMFL6iuA49sgsKL70WN3VaGU++25PdrcU+Bw9YbtgmXGBzcbhjcWf8HdK22QuPOS+3jw== user_00@lyj2

[user_00@lyj2 .ssh]$ cat -n authorized_keys  #把A的公钥复制到B的authorized

     1	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAouMkukq0j5cinhEMvbDzbLmozHBeolqQ0nmDBxk7ViHF1lOxR/GCiME6D9GnSGHIMMqYIvRTNjgoQxzl7BHvAp0a3gTV28Q7F/hPKp3Uu9ab5ihdRraSU3N0HPxPka8U6jANn4UK6tAq7kZGx7Q5OjD7iZGY1ZDsgZS6BDgPPvyMQpUluy6ave0FwBCWYSHfWvqGK+2BlQ5L7fwieMYPYUPly4HKbrUAkuAPa7lH7vbwYzKe2FhqJlJ41ZCla88NKhZAt3WUZgNdY9/k1kwTbFZZttYVVFPc3aJnAXrZtF1aQv5iwkQ7cpuEBjcwFmcbZwSu8Qbk6rQv0HBsvtj18w== user_00@localhost.localdomain

     2	ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwijcQXHMCIPupkTQm0q6S/BmKm9qL5yjxftCr2P0Ql+6+ZCL7Infv3DSL9qsRVkrOAgx0ADFA+qJ3vfN2EWux/yqRF6pjkQqFbW7CLu963O4ZmQjsVkzovWGen1rXI7yfZ342NPjmrGllqFFJxkQ210xztl/z0go1EZrN0GC2RQV/HLC7HQdgh9fzQXIdcJhfEga6WMh/uMCVZz/yWcaN0P9QcG8OGr7Px2rhz9hT51wtnHlavi+y32HVmoqqW1KYhY2r2GmKK+aE+YUakM5ghnoKl0lvSXNPn/S3IQx4gZg4oyLXz4u0R1cyOnAUBHg1zAIvy3ntw62tEIhoGDmbw== user_00@lyj1

[user_00@lyj2 .ssh]$ ll -d authorized_keys   #检查authorized文件的权限(644)和属主属组(user_00)

-rw-r--r--. 1 user_00 user_00 805 11月 26 09:52 authorized_keys

[user_00@lyj1 .ssh]$ ll -d authorized_keys

-rw-r--r--. 1 user_00 user_00 805 11月 26 00:08 authorized_keys

实验结果：

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAscAAACVCAIAAAA7TcCsAAAAA3NCSVQICAjb4U/gAAAAGXRFWHRTb2Z0d2FyZQBnbm9tZS1zY3JlZW5zaG907wO/PgAAFd9JREFUeJztnd2WtCyMRp1Zc411kX2Vc1Drc/EKhCQEjNbeR92lhCfhV1Q8DgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAOP7+/v7+/u5WAQAAv8L/3i0AAAAAXsL/6E8tr3o/n88CMVNcLspLhb5D5VGfv9/kTZt6g6WGOm2vUGS/AlkXohOl5RmXA2XMGLTWDQCAbJjXKj6fT8Je7+yOT3lnD+479CXcU+v9iHKYaQ45zeIY+hXITIiaqnziZ1wOlDFjkHtVAPAC/u9uAW9GvlQ1WZgZvM9FjlQkkRQuw2cwSTQAACaZnVXIF9OOWw+nEffSutBBh/TdFzd7q9a1/tXLBgLzNxE0qzimBXxNNDaM0OEyfKV8Y90AAAhk4dOavlsP9QTF1NX6phQr3pW48T7RGbcTTaqZW0XfX2KHxiQX/VEGL4USYhMAIBsLZxX1dKG+IyD0sI5RWbhW/rXn4D4Fh25oFMprWJRHdGx95RVeyrEGL4UCAPA+1j5X8b2R0euaNX2rtf8VzqcrHyKUl1yUi8RsS7XTIADAi1m+X4XjEfqZvByHHKclZybUQnklKcrwVDsNAgC8m7XPVTSflpDPvIX3rUs74imUl74o9+CrMOHVzG3w1+7HAcDvELALVjneNN+PkFNdDvVyMclT5iUfEsQ0r+N7knrR6KUyoVSozGimvOrHbE15NW3WMsoThMJypwqX0TOoTwUAAD/E5YK1/Pf2NZjbBQAAwE/xpF2wAt8WiYKlbAAAgBPDHRD4olwY7x0FAAAAAAAAAAAAAAAA0MPTqfBcktTeJDLguaie1hQek7y8WHg7f/99jaL85ftHuMI6r0umgRtOC3nFYg3XLeF1Gzzs76MKpqypwmXMGHQ/aNxLSHiHqYTfn4KpVeYfHeSTv3/InXzvBFNBTwYqW5wNu2CdikvpSdz40pz9LFK4czq/La+yJSgzfUp4mwZPf03bhvpShcuYMegOrzxYWmXIWbwyvFYBqbDKzj86CAzFB3o3aSpVnA/9rOKiO5sb2Ti7mw2pVpBEhgl5pWe7nAZ7pkrrZJimFPt5SniFicjt7S6JjBeQpzPfj+oOSDM6msW9+fXP2lrZJs+jl32oennpFZ5n1otLw7x661FyNJqphLzkfwWUhRKyNi7kJUe+Z1BAOE1zgbhhhA6X4bvwDb9cJrxRqawo21ezF212OD0Z7lYpJAm/O+brUnqBksUrRTpctg6jSeb0JWHfATlvWZ1Ouhce3Unqv90Kz3+bh+S85LrSc603dRv6ZUKQUf9htawPrxz5WJeV4rel2mDwDOmXEJszEN4VyF2K8PvR6dkEJltlnZFvdFjRpQw16OVdkujFl+fo/SqP6rVtIGxvzZ5jjla3qKEGKpwnWz04issXnzZTqs9/31X/pro3GvXV27pU2wyWIb13YkF493BpRElUnVya/JfA6aa7S1FOqmrxVjQKTYNUzinFsWHHbqvPZaT2NIyEpfILnG3sSFAEGyZStxhMAuHdzP5e1EdsxXB0KZsD5e70nlV1F34JHUDGtPi5VMa2VDsNJoHwwjaSdCkC+RXOs29WsfMepC+vt6ZKSOmI3MZudzlJSbkNBq4GregNfzC8i9bn8new4QbLVPm7FL1CpZEV54dg+LpYKe5sEs0w1UcvqZQZ1Xf6hUNNPTMK68WxYV61TeEmojKVkFddXTQR7smQBQyt+cIr5NgLrwMhUEoZ8k1rX6pwGT2D+lQaaiWEV5mql5EbTfvq9aJCz6bJ0dqZCwq3GZR7UWG4aRpU1gGNwvleVB4QWagDD3dNwAEAAOBVMKUAAIAMGO6AQCp864cAAAAAAAAAAAAAAAAAAACgR/VcheZdqeah84R1by7NI+f46DdzfOJN5TWZ19DgsfhttPIERy29GGw+Mzs0K6da8QBNeCubfOHwktbt8vDVQaWdYdrwQkliUPkupWOPAN8JeoW+pifLmCmURw8ck2if1uy94iy8CV3+ctjrzZ7yOPPqZfroyuEQ7/Z3RaDk2qXMMbyKBr7935OkF+9gWOfdBkOSuF0W/Iotl/BCSWJQ2dxM8jQF7Sji+t/wajNTKPuvjVOx9jsgZYH5roC38el8diiz5iE7xW/Iy9HvKM8PNKjMMYPBXp2PGjZ8BudLueeXyeBkMd1byr4Y6o3PVxufQcF4kmpzKLqU1zM7q/j0v8NWRtw9sWhOGMvchdOsefUuSo6OX8PlVqv42qDvkE98Kc89NkctIS5qmbXZ8kInOSaRysjPrzznRLMKsp/wGGoMrvA6cDXOZ3ARITKELqX8MYnLK7DdATkxDWDNf4d5mZakZlb8mh71vJCz1kvqTThkr/WpHOKFJBqGpuYrQHn0i8NaM+H8CkevK9ErbKbSiO8ZFKqQXpvJoN7sMJWvlHvnyzXKodDhtbIHUFobGhR+1Ji9yHAPh3Jn7jCoSesrZeGqUs5OsGwaVl6Dba2it0Z09i/1aoT7KrAX98DLSlMvE4Is3icjbdUU1rEE9Jc1ptWv5vDspjfA1JVfo3CYyie+11Tn63yd1looQ5cdBjV+fYyLpj0Z8gzDZPlozQ+sFVs4ZC3opoz5alP3Bm6DcqBMZmUZ86V8IXDwyoz5DojQLJuHepNxN2kHUQ0a8W+aW5xV4kig8HYBM8x0vvBifvNquEdmr+UVvjcx+yX0c8wI5xei/wt8Pp+dRdmrkO6OJryGOwzK4jMoxGAqg5rB9WUuv8PgO5idVSxFHo0eXaL5xc8rLC2ETCwSBu3SffsUrvYrYWcqWEhYygLui+OdhaLMK3/k71LoLmVHRsmLQINtF6xybBg+Z9Q8TflMkzWv+pApr97JvRNKVW6FygeXfKl84i8JrY8m9fKSdQrW5Ie8HAaHCpU2heCvVjhpcFhtblfoM+hrRCEKfc1EMDivsDkyWcPYMxhSbVbUw6PToSmtydXGXcpHy+ve8xzbpi9gJsOML0pDBl8AAAA0pL4D4uPG6R4zAAAA+GW0+1Ukx7d+uFrJvIxYawAAAAAAAAAAAAAAAAAAALAQHkWEHr66kb9GCQp5OFdJnhg+tMh6sv/+Zb8wgBrDOyDfWkvdhZofnFKAkjwxfO5mAM1N5E53Nm9fCyCjnVXUWycB/Dhnbw5utsXwrilFVG9J3wtPwbC3ZnOXzPPv5oaM7j3y5A06a4PD/SLl7EwGH+1yfWZvvtg8p3Z5fm/KXnYmg3KqYQwdfgmlLxjslVcelx0VW7N/Yp3qsMfwksTR0uWtDJVNTz7Usz/fbwj+unuAcJcBZnfBqnvJs/KFL9AlMfhol2V6GZ2/1EfLa83yb01GzVQ+l4VUwqEZv5qeCgZ94je73Dvkzis2hmVeq9cefC43LZj80leAXkZu5l0GOExfQperUa9OZ658n38/3W5tlk90Wea5yi+sG2zWMRn8DS7r59yvoemypt9YPelZh9tlgC+GWcVZk4TORXk5koeztRxeqY9z+UtvEZ4LkbvIX23yKwyn57Lcbzx3SnF4XQY4eeF3QKywpgcAVnr9xv5xt3l3aWlGdJUgsG9Wcc5z81BKWtFaErr85XK7NNayw2Z4oPIbDM8riULfoQ1MNvBSvNBvrJtSCJYXBVbpMsCFmHdAvvRWAoUThOyaCQWDZaXXt22HwXe4XPpS51UbFFLVaYca5FQhMVQadPvVqwYz4W0aFAh3WSPelNflhMAY9vKSqYt4sunVSQRJbr/k1m2dysS6DPAw7r2+uYUfdBnAyopm8oNN7wddhtWkfq5i3XJiWn7QZQAlS4fAH2x6P+gybEB1B2QnP7jO9oMuA/iQ7z/OWAsxmJ8fdBkAAAAAAAAAAADgZ+GBtXmIIQB8Ue2t2Xsda+k9uXufJBJevnoHvVfgfC+IzsjoZRf4quoM8uumprxmbmkHypgxuKJVyu9YHsb3G+WK7VAuvyzqoDa4qNHJZn0BiY2G1fHNvZODdQrD6+E6Ur8DciNn+b1yOznBl80VV8jOp2RRv1z/+PmP3mkhqcJlzBhc0QTqsU1oekqFTZ2+Vrzi5dX6x0WNbsXAFm7NVC75h9VFCp81+uSdVZwdRxQs0kKNcMWWpLbsGdhmUs0sA/gSDq0FTizeSngH6yaJDIjC8HWxHr13vc5GXi8KCYcuNpUGL0lW3z3pLcMOXT7+7dqaq74Olx0yag1Df2v7yoS18qZ+zSF5AdwxYAwXS2Sb4SP0Bhm+wXU4Wm/g0/9yZlknL6f5kFuK496TsumF5KUXI7egyX5DMHjB51Q9j3R3lbXN4SBlkifLGCp0GLyRgLWK3oJkPXzWI2tvJbMZHSFVuTTaq/S+ufm5wlFXxFqG4HJt8JJQjqHssj68ZRB8ATHR8+totZDhIcFl2eAiNkwpdho8Q5pkVa9uese/IpfmLrQUuR46DJaW9c18BrndRfUbgsH6DyuXuuHrKgUEg0p5ehm+yC+qG/PY1iqaHffQk50dfTg98bLXvVSf1hR4aE0gSTXq0ZPnmFLINu+aUlzKcVGqbQbrPutGek6VEwtrX5QcX28TmHsZ1aWt6TO3ory/vVsxafNFfmd5mZi9AyJfl5fk8TkEjTvWGf1h7z4yR3XGL4E8LvuUhOvPE5BwPv17Gc1D599Pn15c2FbEZ1R3ZpqB2132RT5neRnugMyvWd1LknVdeAdMKfZDE95AtuX0JvkVOvBFPmF5qWYVzfs6P9WdCSTp6Xwykoj3kVl8kuJwG9xz9bO5N5xccs9QNEvrfGlcLpoMTS+w8tx+weyLvCbVLSWl/bpYvZpdLzZebpWVztQtWTAopNXI6OVoQiO+PkFIdaqt/zj6MTy8LsvhveSocbyumpoID/1yHxIUTt6yrQ3W2Q0rmxzzmVThMnoG9akmEUpfONpU3vu3+YtJXtNaLcNn0OeyPqM6lbKZC12f6fZubVDuYIfWhEAFdpXDXtSnUJDRPNS0bErFEsAsGebR74YIAwBAk7y7YJlgnNsGk18AAOihvQOSH9+SGmiIvbsEAAAAAAAAAAAAAAAAeni8Bp4LtRfegWpvzWZdN70O9CN34q2vXd3FHp35o5Ff4WZm3nzbwGR5CQ8aUxMAovDvgqXkp2bfj+iSenuKhJM/GvkV7uSsGPVufcKhnawrL2oCQBSeN0tpge/gZeWof+U1yUw3iYxwkvjV3LYrbZ0f1l7uj8BTMH9d7K/4MuxRbRl5dPYR6211d6IxKKsSUul3DAxU2NumbYNCPcq8fIVyIWqTxB6+zf568oYKz198OyH2WodexlDhTHkJA5g8tulHvsmKLVeMWoYQCutorW/LwqGLjLTTHQArth27vzSHIrlPFJL0/j2KdmuaWPQyVeY73LpVc2ZTvMavKIVylE4Z1qxl8b3seqEI9EuJMGZ/WnuoCwprhm72ZARWvJnyqgfLOi+h/gj+Cnmt8Mv0e6+KavTXCX0VAOBN2NYqLt3KJLKpwCYnDwN/re/TC4c0COcLF14mhXJCIfeZHs2XSu5btyE47lvmaY61x8gvU/wnK8DMklLvcr/XCUT5pWl6Qi6OyYG7q6kTyuI3V3iAWzDfAQkc7DWm5rOTrzLPXqDOSzg0T285x6RwhTANUZnuFL/z6jBqzDutTVaA1XPiI9ovd9O7ZQ1AKV6z3AXwApzfAXlTq/h8PsKInqEXSCLDze3ikyw4u2XsrAB7phSnwcCml6SUjzXldc5UAJLjmVX4KrfQKu5qMGW+l15AOJREoXBmQm4Uf+NgU/rlk5G/Amj8qrWFN70kU4ok/QbAjaie1mw2jOYTSc22fWlmTZsXa/X5VpHNvOqnCjSpHOLraMh+hSvsoZTR80uZyyVVs27o/TJl2pQhX2RbFZ6n1X/IqYZ3RmprgsGhwvr8Ib68hlnI3YIpr/KXS9iHMxs5rzryVlOyeF9eAHAbO6/Vki8MvAlCDQDwIMxPawJsg+u5cHpTNIJ8gUAB+NDuV5Ec95Jv8rx+EMdtHQAAAAAAAAAAAAAAAAAAgEWY3yyNvc+teS2tJyZQyYanAoWHv8I9ar6auM47+UkIh3exL9PWlqMMWl+YHJpqpgo/pFRy+xMte8K7U4bPIE8awbNQ7YJ11uPwKYUj1aMbVTOSizza80Lm2UU29xMsj84blPNSWtaLt1pzG/S5vCJQwsYbm9kT3p0yfAYn6zzAfpw7dr8M07B3Yt1K4ZLFhunRhg5ICN0t74X2CsUdiqbB2MD6qt9S7tWTZOAMl5HEL4ClBOxXIdwf0ez9FzX2uLe0ay75nqdFLQg3k9c/CjcvfIEajojNvHq/aPIKHJCieuG6NCfRXDX68hJiKBhcMVzpm8OwmVsr8OrwKgmXwWID/AIBs4qyEymfk6gHyL9/PxAcOAgJeQ0H5uZg8/n3i8YX1y6OR/HNopmXg6ZfQqAm6ZWmMOnUGCz5FF+D7DGcqMkG69N8wbl3SqEJlGCnWdVPg3XTOEY16nIVEX4JsTTVBoNCPfQVJcCNBNwB+fuPy++XiXnCZd5shMdnW8Dlkdt9+7k5xpcGTQrLUfOSS+xN65lVJWFKYTrkCFQ5kg3P0aMxayI8vDtlyKaa9dBd5wFuYXatol4JKLlc4kzmBQ4Cl/17LCrfKIPNlfwQy8pMNQyFxY70k9zeln0C0lZRgDfhXKvQD1SxV4GpeNnK5KWYlANwtilFeKE4DL57SnE7TCkAMuOZVSg72bI7licWLxuen8tZTO65wraifPECWGwMXxyoJr7oZZiMamwev1SU8FDMu2CdlM9nnb/Uj241k9SW9U2l+UyTnJcsQzbYfCTNTTOv5txLE145l4sFa6EonVXWjV5eGpu9ovQtCaxQOGnQHcPYQAlJZGs9GWdFqv/QK2naHIoR9LtThctQGpyp8wCwFhZFAAAA1vH+XbCYSQAAAOxBdQfk6bCECAAAAAAAAACQAO7+AADATt7/XAUAAADswfBcRfKnE+ZfwDv6b4L5/LW+0ikYOTov5jneswUAAFiEeVaRc3wSdmjwHepZdqvS5CVYkOc3mg0qchYcAAC8iYBvlkKPciCf3GZ4Zk6w4VMgAAAAx4qvi03eelBenQ8lWQ9Z7Q9XAgT9+xcPWKgAAIANLHxa8xw76w+MCYfqCYppKuCbUqx4V6I3kG+YUpSf8+A1EAAA2MbCWUU9XagfWRDGPN+nrXoJkzxbsE3Gp+AIWqQBAACQWftcxfdGRm8o1Qyu1gFYOP93phQAAAC3sHy/ip2Xy/NTinVD/s4pBSsTAABwC2ufq2g+LSGfeQvlzYI9rHaZiQUAAOwnYBcsYZsm9zsg9fkmecq85EOCmHrMHj7M0Rzm5+cx7IIFAADwHi6rDuW/t6/B3C4AAAB+iiftghX4tkgUb3oAU5h/vMNBAABYjeEOCHwZ3lxw38S5F2YVAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAv4f8BEbCArtXfs1cAAAAASUVORK5CYII=" alt="" />

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAArcAAACbCAIAAAD3DiREAAAAA3NCSVQICAjb4U/gAAAAGXRFWHRTb2Z0d2FyZQBnbm9tZS1zY3JlZW5zaG907wO/PgAAFg9JREFUeJztnd2WtCyMRp1Zc411kX2Vc1Drc/EKCSEEjOXeR92lhCfhV1Q8DgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIBk/P39/f393a0CAAB+hP+9WwAAAAAk5X+UY+VV6efzWS9mjMtFc6nQd6g86vP3m/xMq+elG/mefzF4yIXiy8tBbIguNocsz7gcKEMy2FzUmawbAACb6c8ScvZfzfH4+6/vkGTZrcqSl2JBH4x146sLzm2/6dRkoBySAmXYDUaJBwDYyf/dLeCnKDt6X6d/ppoZM8pJRh6SSAqXkcQvAIAVDM8SlMvlo+oxLYeMV89dSaOHRu13r/wU/fsvFucX7S1L4kN+lXXGqMfIUKpwGRaDAAAPJfLpxXPM+HIUXadyqJ5wDHW4vinCincBpMFywxThjNuJJZWvvMrksQPkhinCfoPNQrmU17F3BgkAYCdyllAP//Utf2UMc9/nnr/MXcc2GZ+CwzbUKeXVLcoj2ilfoMLDG2jw8y/H4CQMACADwc8lfG8cSF2tpfMd7aCV898zRXCjlJdelIvEbEu10yAAwHOJ3y9h5+XR/BRh3ZCwc3ydCbVSXkmKMjzVToMAAI8m+LmE5tMG+pm3UC727mG1yw7jSnnZi3IPvuiFx3zI4O2VHABgHs+uSuX4cblivnSLzVSXQ1IuXRx56YcUMc3rbEmSMqzOz0uMCo0ZzZRX6aYlOyWGXfHNXEJShcswGvSVFwAAZOdyjVj+e/vl4+0CAADgl0i9q1Lg2xBR5H8gEQAAIArtjgN8MS5ES0cBAAAAAAAAAAAAAAAgMzytCc8lSe1NIgPS0n56UXls8PIi3O38/fc1gfKX7x/hCuu8LpkGbjCs5BXLaLhuCa/b4DH+/qRiajRVuAzJoP7a7eRbl1ItJbyWvJ7+vPNQq8w/Ougnf//QO3nphKGCngzU5jhruyqdCkopSYr/y6I9Cex5LWJbXt0NHmqeEt6mwdPfoW0lfanCZSgGv3z+ZT6vQ+77CK8xL0fM8zAqO//ooNAVH+jdpKnNcRZnCRcdqYo/IWXHsTrVCpLIGEJfidkup8Geqc86hqYI+3lKeJsThSRrDElk/AB5OvNw2nccmt5KnUX5+/x6Y22tbGOXKbwkw6HwPLNezOnmJa3/WJYiFXlNl6V/FYyF4qjiQxVAj7xkUEE5zXIB5xsShlKFy0hyYUp45/GNKMb21exFmx2OJMPdKpUk4XejfF2KFChdvFGkw+XRYXR/8/d/x+G85XOKdi/0uZPUf7sVnv82D+l56WWvL0U6/BpCkVH/MWrZHl498rEuG8VvS7XN4F/B+eMZ7fP3DREmvCvQuxTl90Po2RQmW2WdkW90WNGldDXY5V2S2MWX59j9Ko/atc3j33tREupomYsmR4EK59lcrhY+1Wc4RpOP5nU2iXujUV9drUu1x+AlnmWoL0VcHloE4d1TvWtVGzK1c2nyXwKnj+4uxThJmi9Ki8KhQeqWKcKxYofmUR9Kz/dU9IQD9hs428yRoAg2TIxuMZgEwruZ/b2oj9iK4ehSNgfK3emlqrqRX44G0BlabFwqY1uqnQaTQHhhG0m6FIX8CrssnCVcbuAtxZfXr6ZKSOmI3mZudzlJSQ0ZXBS0Fb3bC8O7aP0sfwcbbrBMlb9LsSs0GllxvgXta09lZuWNt/KXSwO46BtaBTpad8qVQ009MwrrxahuXrVN5SacMZWSV138lghLMnQBXWu+8Co5SuF1oATKKEO/6etLFS7DaNDXKhUlhHe0mUdNESwypF5U6dksOY525orCbQb1XlQZbpoGlQ5zdAiY70X1AZGFNDiOBNfcAAAAkBGmCAAAsAHtjgOkYnLdGAAAAAAAAAAAAAAAAAAAYD/t5xL0N+4s75+se9NmHj3HR79J4hM/VF6TeSmmTpa+PeVj/0Mh7jfWvgS+aLqioJ9bbYaiEW7wkGMY63Lz4ejAdhRSsVM18265PHRMOaRdlU5/6n2jzjotbSn1/df+BP7m2NWvDr+c24Og1KhuZRs1GK5wEaP2LQp9DS3Q09imd0u1GZIdbvCQY7jI5fLQPI4KEF7KvrwsNKNU2pzRdi/B33E4g/J9VS9zaD7CZ2Aya+6yU3ySQNWXYpPCNhi0nB9o0JhjbdDd7eoKpaY3ZHBzoRy9aGw2eImhJd8hheEGL8abvt+rMNzgo5elS4ZnCR/5O1dlUNwThUtk9QUx6V+7L83cD8Ev5Wh5gl18bdB3yCe+eS1y2Ihd9hzK0ZGqWV5f5hWGL25PXhgp/a/DTrNDHx2fapRq4zCo1N6otRAlGncZlAJ17+BkbA6x8hyDt64kfGb/aMT9EvRQ6gNS81+FS4OxTAV8eVk6o6YpKWu7JGkCoXttT+UQrySx0DU1WgFOlInRkNRAhYdQeWbqoZ7Kd9Wii3Q0SV2Jr4iV891X5PrM2CGyTGWMxmqD7u7LodBns9uVSVnMKJy5vp9veofcviyxfQSdtQRpqnsWfL1aMHkNpFzfzzPUUYagiw+5DsvDR15nUqib1l/rm/SjV12Wgh6KZFehm6gCbQZqpsJf7CjdXxe96YV3Goer2uhlKkVjm8Fu9+Uo6241nqk/lxUynylLDN0taGZKZDxf6TeeQv+Ow0e+d9A8NNOVSAJC7NzCaFcSa3k/Z5U4QhWOmto8F8xTFlFKjAswIW3cbdDeQU8Ssva21GCgndU2AwmXl9zfuxj+cvQ5BoQT2O/AjXw+n9ii1BttXSEnm3p4Dd9m8FUuT04RnuiyfvKBy8kM/gzDs4Sl6KPLo0sov/h5haWFPHM+xS+jy/bI+GKYv27kJzaGT79IdURj0VLEtkIJb3p7WuUj2n5nV6Xm8zUXr6QnQYzVzpdXfWgoL+lk6YRSlVthM0n3OQxjKp/4S0LfQ08Wl+3W5g02W52lvLYpHDJotGkx6Lg33Cxoh0FjnfcZVBRKOTpEWk5YalA5WY+GW6Fj6uDuvkYVhrgsKfQZrGtvtx5unj6+mgwzsigNGXwBAAA4st1x8HHjdIwRHQAAfhhxv4Tk+FYUVyuJelA5yhoAAAAAAAAAAAAAAAAAAEBqeDQPJHx1I3+NUhTysKqRPDF8aJFJsv/+Zb8weCHaOw7fWkhdhJoXThHASJ4YPvdl9OamZKc74dubAiiIs4R6Kx6Al3P2zuBmWwzvmiJE9Zb0vZAEbe9F5fsun+JLayE75ekbONYGu/sJ6tkNGXy0y/WZ0vyveU7tcsjOgM3shgzqqboxdPillL5iUCqvPC47KrZ997rJGF6SOFp6U8Bo09MPSfbn+w3FX3cPEO4y/DzDuyrVvd5ZmcIXxJIYfLTLOlJG5y/10fJasPzbklEzlc9lJZVyaMavpqeKQZ/4zS5Lh9x5xcawzGv12oDP5aaFIb/sFUDKyM28y/AGtC9H69VCqqOZK9Pn309djzazJ7qs81zlF9YNHuuYDP4Gl+1z6J+h6bKl31g9iVmH22V4Cdos4awZSmdhvFzIw1n7D6/Ux7n8RVr05kLhLvJXm/wKw5Fc1vuN504RDq/L8B5+4TsOo7CGBgCjSP3G/nG0eTdnaUZ0lW9m4SzhnIfmoZS0ovYndPnL5XZjrGWHzfBA5TcYnlcShb5DG5hs4KV4pd9YN0VQLC8KrNFleBvOdxy+SCtvyglKds2EisGyEtvbqsPgb7hc+lLnVRtUUtVpuxr0VCExNBp0+yVVg5nwNg0qhLtsET+U1+WEwBhKeenURTzZ9OokiiS3X3rrHp2axLoMcDP3Xn/cwgtdBhhlRTN5YdN7ocswSa7nEtYt36XlhS4DGFk6pL2w6b3QZZinfcdhJy9c13qhywA+9Pt9M9ZCDObnhS4DAAAAAAAAAAAAbIMHuOYhhgAvob33ovT60NJ7Wvc+WaO8LPQbSK9s+V5onJEhZRf4auUM+uuRQ3nN3BIOlCEZbA7zUa8g2pXoTc/y1qVSsR2y9ZcbHdQGFzU63awvILHRGHV8c+/kYJ3C8HroJtc7DjdylsdPbjem+LK5IirZ+ZQs6mfrHz//IZ0WkipchmLwy+df5vOyKClLTWl6XRnff5XpzqjsFS9b1j8uanQrBqpwa0PlkmSYVFikMNXok2iWUHZSIbAoCjXKFVWS2rJnoJo36LtM9yXsWgucKPwq4R2smyQywIj2tScJ6d2ks9HWizDKoYtNo8FLktV3K6Rlz67Lx79dVXOV1eGyQ0atoetvbd+YsFbe1G85pC84OwaA7mKGbtM35AylCpcRPlhu6+U/8pcJyzp5Oc2H3lIc91+MTS8kL7sYvQVN9huKwQs+p+p5oburrG12B6khebqMrkKHwXV41hKkBcB6OKxHSmnlsOmtkqpcipQqsW/ufK5A1BWrlqG4XBu8JNRjqLtsD28ZBF9AhpD8Olo1vntIX3BePTWUdO5Jtc3gX8H54xntujmso5lXqWRp7kpL0euhw2Bp2d7MZ9DbXVS/oRis/xjlUjd8XaWCYtAozy7DF/lFdaNLZy2h2UF0le3suMORxOteS6k+rSlq15rCnmrhRpLnmCLoNu+aIlzKcVGqPQbrdn3p6c4TykPrkJwqJwqjfVFyfL1NYO5lVJeW72duxXd/ex9lSJsv8jvLq2T4joN+3VySuUQdWNwZnXEf491B5qjO+KWQx2WfknD9eQISzke+d9A8VM5j9qlcz7YiPqO6M9MM3O6yL/K3lJd2x2F+jeheNqxSwntgirAfmvAGNi9f+8iv0IEv8vvLqz1LaN4XeVX3pJCk5/LJSCLeR2bxSYpjyOD+eG7u3SaXuG8smnUyJON60WRoeoGV5/YLYF/kLalWlJT4tad69bhe3LvcairF1S1TMaiktciQchzCIr4+QUl1qq3/OOQYHl6X9fBecrQ4Xlc1S4S7frkPKQonb3nWBuvsupVNj/lMqnAZRoOx7UsR2ez4ugqVViP9MiSvaa2W4TPoc9meUZ3K2MyVrm/odmptUO9gu9aUQAV2ld1e1KdQkdE81LQ8lIpL+isZ5rm/DREGAHgniXZVGoJxaxtMTgEAXot4xyE/viUssLButRkAAAAAAAAAAAAAACAbPJ4Cz4XaC4+gvfdis+4Ovb7ykjvZo68J3cUenfmjkV/hZm55E9LOZHkpD95SEwCMDOyqZORVs+NHdDHSnhbh5I9GfoU7OStGvZubcmgn68qLmgBgxPQmJC3qN/ixcrS/oplk5ppERjhJ/GpuHpW2zndrL/cjIAn9rz39FV/SPKotBQ9hnylpK7QTi0FdlZLKuAdZrEJpG68NCu0Y8/IVyoWoTfQkfJvBSfK6Cs9ffDvlSa3DLqOrcKa8lAFJH6vsI9lkxdYrRi1DCcXo6Gtvy8qhi4y00xeAC50dmr80hxa9j1OSSP8eRTscmihImRrz7W7VaTmzKd7iV5RCPUqnjNGsdfFSdlIoAv0yoozBn9ae2YrCmq6bkozAijdTXvXgV+el1B/FXyWvFX4N/S5VUYv+OqGvAgA8iM5awqWbmEQ3FdiE9G79r/V9buWQBeV85cJoSKGeUMl9pofypdL7ym0ojvuWYZpj59Hzayj+kxVgZslHuhyXOoEovyxNT8nFMdi7u5o6oS5+c4UHWEH/jkPg4G0xNZ+dfhV4tuo6L+XQPNJyy5DCFcIsRGW6U/zOq7eoMey0NlkBVs9xj2i/3E3vlmt0o3jLchRAfqzfcfilWv75fJQROkOrTiLDze3ikyzwumXsrAB7pginwcCml6SUjzXldc48AO7FNEvwVVallt/VAMp8L61aOZREoXJmQm4Uf+PgUfrlk5G/Alj8qrWFN70kU4Qk/QbAOtpPLzYrevMJnWZbvTSbps2Ltfr8LpLBi4CLQksqh/g6Grpf4QoljDIkv4y5XFI164bdr6FMmzL0i+BRhedp9R96qu6diNqaYrCrsD6/iy+vbhZ6tzCUV/nLJezdmYqeVx35UVO6eF9eABDGzmup5BfuvwShBgDIQ//pRYBtcL0VjjTlIsgXCBRAE3G/hOS4l1iT5/VCHLdRAAAAAAAAAAAAAAAAAADgKfTfhIy9T2x5jUoSE6hkw1NyysNQ4R41X6Vb553+JIHDu9iXP1coLBPaX/DzKQw/ZFRy+xMhe8K7U4bPIE/qQCrauyqd9TJ8iuBI9ehG0ozkIo/2vEB4dnnN/ebKo/MG9by2KSwTDuXlUBh+yKjEnmQRe8K7U4bP4ExeACt46ZuQvnF69Br9cuYn9NNZTRxLNaMo9m95j3EoU8vJliu/E5+zCSe+GyqnQpKBMFxGEr8AZvDMEpT7EZa94aLGEveWZ80l1vO0qAXYZvL6R+VmgS9QdcekF0ozCEN5BY55Sq/q63CjumnLVd1MeTVThUdDx94cus18tALbwzvKUKpwGSwGwA/gmSWUnUJ58VoPeH//flA1cFBR8uoOtM3Lps+/X4C9uHZxPIpvFs28HDT9UgI1iVSayiTSYnD0UHdtQ/+9Tr5nnambaigan+KzhKO5H60lqM+/3zmU2tch1KjLVUH4JcHSVBsM1uV1hshXlADrsH4TsuTvPy6/XybO5301kAiPz7aAK8PbzO1bZbwMHIDDb/oumiIMHfoUGAWUI1P3HDsWs0OEh3enDN1Usx46ihJgHcOzhLJ+10fLC/F5ceBgQ88S3v9+iR2r3KlGWTSGhUdjhttHrCQVgGEbXoh1lmAf9WOv0lLxY7OfSzEZR7tsUwSpUNwKh0r5DVOE22GKAHAjplmCsdMsu1d9ovBjw+1zuaz9OPpBirLEF43YGC6axqUlQ8xXGDzeV5SQk/6uSifl80rnL/WjTM0ktWV71W8+46PnpcvQDTYf0XLTzKs5l7KEV8/lYmG0UIzOGuuGlJfFpr0o7zJ4qPNgY3lJqXzipVptlGFsI7qMsyLVf9iVNG12xSj63anCZRgNOooSAJxwpQsAAODG845DcpgZAAAAhNC+4/B0WLIDAAAAAAAAADDA3RYAAAjkB59LAAAAgBC05xKS392ff2HskN9c8vmrvA3lePOz+SKZ471QAAAAH/1ZQs7xRtkhwHdIsjyj6hifdlxeNJcSWjZIyFlwAADwIDzfhASJ7p4qdgszY/yn9XFIAACAUYZnCfoGhY6lfuPVc1fS6KFR+90r9Vr/jd+zYCEBAADmiXx68Rw+6w8+KYfqCcfQsOqbIqx4F+DGgbn8HAOvOQAAQBSRs4R6+K9X4JUxzPepISnh2+7NfwqOX/wgJwAA7Cf4uYTvjQNphLaM2aPjunL+e6YIAAAAK4jfL2Hn5ez8FOE3ZhKsHAAAwAqCn0toPm2gn3kL5eL8b8BEAQAAwvHsqqRs++N+x6E+v8vSXZX0VJJUPRpSqiHYVQkAACAvl4WQ8t/b10huFwAAAL9E6l2VAt+GiOKXXp1Q5hO/4SAAAEyi3XGAL93F/OQfvJBglgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwbP4fOC/uuGxT0P8AAAAASUVORK5CYII=" alt="" width="709" height="155" />