Bitcoin in a cage?

It so happens that by profession I am an administrator of computer systems and networks (in short, a sysadmin), and for more than 10 years I have had the chance to support a wide variety of systems projects, including ones that required [special] security measures. It also happens that some time ago I got interested in bitcoin, and not only used it but also launched a few small projects to learn how to work with the Bitcoin network on my own (it is p2p, after all) from a developer's point of view (I am in fact one of those devs, so to speak, in passing). But I'm not going to talk about development here; I'm talking about a secure and efficient environment for applications.

Financial technology (fintech) goes hand in hand with information security (infosec), and the former can work without the latter, but not for long. That's why I want to share my experience and the set of tools I use, which covers both fintech and infosec at the same time and can be used for broader or different purposes. In this article I will not tell you about Bitcoin as such, but about the infrastructure for developing and operating financial (and not only financial) services; in a word, services where the "S" for security matters. This applies both to a Bitcoin exchange and to the most ordinary zoo of services of a small company that has nothing to do with Bitcoin.

I'd like to note that I'm a proponent of the principles "keep it simple, stupid" and "less is more", so both the article and what is described in it will have the properties those principles imply.

A hypothetical situation: let's look at everything through the example of a bitcoin exchanger. We decided to launch an exchange of rubles, dollars and euros for bitcoins and back; we already have a working solution, only for other digital currencies such as qiwi and webmoney. That is, we have sorted out all the legal issues and we have a ready application that acts as a payment gateway for rubles, dollars, euros and other payment systems. It is tied to a bank account and has some kind of API for our end application. We also have a web application that serves as the exchanger for users, roughly like a regular qiwi or webmoney account: create an account, add a card, and so on. It talks to our gateway application, albeit over a REST API within the local zone. So we decided to add bitcoins and at the same time upgrade the infrastructure, because at first everything was thrown together quickly on virtual boxes in the office under a desk, the site started getting used, and we began to worry about uptime and performance.

So, let's start with the main thing: choosing a server. Since the business in our example is small and we trust the hoster (OVH), we'll choose a budget option where it's impossible to install the system from an original .iso image, but that's fine, the IT security department will audit the installed image. And when we grow, we'll rent our own cabinet under lock and key with restricted physical access, or maybe build our own DC. In any case, it's worth remembering that when you rent hardware and install pre-built images, there's a chance that a "trojan from the hoster" will be hanging in your system, which in most cases is not intended to spy on you but to provide more convenient server management tools.

Installing the server

Everything is simple here. We pick hardware that suits our needs. Then we pick a FreeBSD image. Or (in the case of another hoster and our own hardware) we connect via IPMI or a monitor and feed the FreeBSD .iso image to the boot. For mass installation I use Ansible and mfsbsd. The only thing is that in our case with kimsufi we choose a custom installation so that the two mirrored disks have only the boot and / partitions "in the open"; the rest of the disk space will be encrypted, but more on that later.


The system is installed in the standard way; I won't dwell on it, I'll only note that before starting work it's worth paying attention to the hardening options that bsdinstaller offers at the end of the installation (if you install the system yourself):


There is a good article on this subject; I'll briefly repeat it here.

The above options can also be enabled on an already installed system. To do this you need to edit the rc.conf file and enable the kernel parameters in sysctl.conf. *ee is the editor used in BSD

# ee /etc/rc.conf

...
#sec hard
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"

# ee /etc/sysctl.conf

...
#sec hard
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
# sysctl.conf is not a shell script: "$(jot -r 1 9999)" would be passed literally.
# Use a plain number; the value 1 makes the kernel pick a random PID modulus itself.
kern.randompid=1
security.bsd.stack_guard_page=1

You should also make sure you have the latest version of the system installed and apply all updates and upgrades. In our case, for example, an upgrade to the latest release is needed because the pre-installed images lag behind by six months to a year. While we're at it, we also change the SSH port to something other than the default, add key authentication and disable password authentication.
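As an added example (not from the article), here is a small POSIX sh function that applies exactly the SSH changes just described to sshd_config: a non-default port, key-only logins, password authentication disabled and root login refused. The port value, the file path and the function names are this example's own assumptions. It is idempotent, so it can be re-applied after freebsd-update or an upgrade overwrites the file, and it places its settings before any Match block, where they apply globally rather than to a single match.

```shell
#!/bin/sh
# Added example, not from the article: apply the SSH hardening the text asks for
# (non-default port, key-only logins, no password or root logins) to an
# sshd_config file. Safe to re-run after freebsd-update replaces the file.
# Usage on the host:
#   harden_sshd_config /etc/ssh/sshd_config 2267 && service sshd reload

# Keywords this function takes ownership of; any existing active or
# commented-out line for them is dropped so only our value remains.
MANAGED='Port|PubkeyAuthentication|PasswordAuthentication|ChallengeResponseAuthentication|KbdInteractiveAuthentication|PermitEmptyPasswords|PermitRootLogin'

harden_sshd_config() {
    cfg=$1
    port=$2
    tmp="$cfg.tmp.$$"
    # The managed block is written before the first "Match" block, because
    # anything placed after a Match line applies only to that match.
    awk -v port="$port" -v managed="^[ \t]*#?[ \t]*($MANAGED)[ \t]" '
        function emit() {
            print "# hardening (managed by harden_sshd_config)"
            print "Port " port
            print "PubkeyAuthentication yes"
            print "PasswordAuthentication no"
            print "ChallengeResponseAuthentication no"
            print "KbdInteractiveAuthentication no"
            print "PermitEmptyPasswords no"
            print "PermitRootLogin no"
            written = 1
        }
        $0 ~ managed                                      { next }
        /^# hardening \(managed by harden_sshd_config\)/  { next }
        /^[ \t]*Match[ \t]/ && !written                   { emit() }
        { print }
        END { if (!written) emit() }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Print the effective (last) value of a keyword, the way sshd reads it.
sshd_setting() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}
```

Run `sshd -t` before reloading, and keep the existing session open until a second login on the new port succeeds; a typo here locks you out of a rented server with no console.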

Then we set up aide, which monitors the state of the system files. You can read about it in detail here.

pkg install aide

and edit our crontab

crontab -e

06 01 * * 0-6 /root/chkaide.sh

#!/bin/sh
# chkaide.sh - nightly AIDE check that writes a dated report for review.
# Reports go to a root-only directory rather than /tmp, where any local
# user could pre-create or symlink the predictable file names.
REPORT_DIR=/var/log/aide
MYDATE=$(date +%Y-%m-%d)
MYFILENAME="Aide-$MYDATE.txt"
mkdir -p -m 700 "$REPORT_DIR"
/bin/echo "Aide check !! $(date)" > "$REPORT_DIR/$MYFILENAME"
/usr/local/bin/aide --check > "$REPORT_DIR/myAide.txt"
# full output minus the per-file "failed" noise, then the summary tail
/usr/bin/grep -v failed "$REPORT_DIR/myAide.txt" >> "$REPORT_DIR/$MYFILENAME"
/bin/echo "**************************************" >> "$REPORT_DIR/$MYFILENAME"
/usr/bin/tail -20 "$REPORT_DIR/myAide.txt" >> "$REPORT_DIR/$MYFILENAME"
/bin/echo "****************DONE******************" >> "$REPORT_DIR/$MYFILENAME"

We enable the audit system

sysrc auditd_enable=YES

# service auditd start

How to manage it is described perfectly well in the handbook.

Now we reboot and move on to the server software. Each server is a host environment for containers or full virtual machines. So it matters that the processor supports VT-x and EPT if we plan to use full virtualization.

To manage containers and virtual machines I use cbsd by olevole; I wish him good health and all the best for this wonderful utility!

Containers? Docker or what?

Well, no. FreeBSD Jails are an excellent tool for containerization, and the aforementioned cbsd orchestrates these containers, which are called cells here.

A cell is an extremely efficient solution for building infrastructure for a variety of purposes, where in the end full isolation of individual services or processes is needed. In essence it is a clone of the host system, but it doesn't require full hardware virtualization. And thanks to this, resources are not spent on a "guest OS" but only on the work being done. When cells are used for internal needs, this is the most convenient solution for efficient resource use: a bunch of cells on a single hardware server can each use all of the server's resources when necessary. Given that different services usually need more resources at different times, you can squeeze the maximum performance out of one server if you plan correctly and balance the cells between servers. If necessary, cells can be given limits on the resources they use.


What about full virtualization?

As far as I know, cbsd supports the bhyve and XEN hypervisors. I have never used the latter, but the former is the native hypervisor of FreeBSD. We'll look at an example of using bhyve below.

Installing and initializing the host environment

We use the ZFS filesystem. It is an extremely powerful tool for managing server storage. Thanks to ZFS you can build various arrays from disks, dynamically expand space "hot", replace dead disks, manage snapshots and much more, which could be described in a whole series of articles. Let's get back to our server and its disks. At the start of the installation we left free space on the disks for encrypted partitions. Why so? So that the system boots up on its own and is reachable via SSH; the encrypted part is attached afterwards.

gpart add -t freebsd-zfs /dev/ada0

/dev/ada0p4 added!

add a partition in the remaining space

geli init /dev/ada0p4

enter our passphrase

geli attach /dev/ada0p4

We enter the passphrase once more and get the device /dev/ada0p4.eli: this is our encrypted space. Then we repeat the same for /dev/ada1 and the other disks in the array. And we create a new ZFS pool.

zpool create vms mirror /dev/ada0p4.eli /dev/ada1p4.eli /dev/ada3p4.eli

Well, now we have the bare minimum of ammunition ready: a three-disk mirror, in case one of the three fails.

Create a dataset on the new pool

zfs create vms/jails

pkg install cbsd

We install the package and set up management of our cells.

After installing cbsd, it needs to be initialized:

# env workdir="/vms/jails" /usr/local/cbsd/sudoexec/initenv

Well, we answer a bunch of questions, mostly with the default answers.

* If you use encryption, it's important that the cbsdd daemon is not started automatically until you decrypt the disks, manually or automatically (in our example this is done via zabbix).
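The unattended unlock that the note above delegates to zabbix, as an added example that is not part of the article: attach the geli providers, import the pool, check the mirror's health and only then start cbsdd, so no cell ever starts on a missing dataset. The passphrase file path, the disk list, the pool name and the script name are this example's assumptions; geli's -j option and the zpool status layout are FreeBSD's own. The unhealthy_vdevs parser can also feed a Zabbix item to alert when one of the three mirror members drops out.

```shell
#!/bin/sh
# Added example, not from the article: unattended unlock of the encrypted
# pool followed by a health check, then start cbsdd.
# Usage (as root):  GELI_PASS_FILE=/root/geli.pass sh unlock-pool.sh run

DISKS="ada0 ada1 ada3"   # assumed: the disks carrying the encrypted p4 partition
POOL="vms"               # assumed: the pool created on the .eli providers
GELI_PASS_FILE="${GELI_PASS_FILE:-/root/geli.pass}"   # assumed root-only file, mode 0400

# Read "zpool status <pool>" output on stdin and print every leaf vdev that
# is not ONLINE, one "<name> <state>" per line. Empty output means healthy.
unhealthy_vdevs() {
    awk -v pool="$1" '
        /^config:/ { incfg = 1; next }
        /^errors:/ { incfg = 0 }
        incfg && NF >= 5 && $1 != "NAME" && $1 != pool &&
            $1 !~ /^(mirror|raidz|spare|log|cache)/ && $2 != "ONLINE" {
            print $1, $2
        }'
}

unlock_pool() {
    for d in $DISKS; do
        # -j reads the passphrase from a file, so nobody has to type it at boot
        geli status "${d}p4.eli" >/dev/null 2>&1 || geli attach -j "$GELI_PASS_FILE" "/dev/${d}p4"
    done
    zpool list "$POOL" >/dev/null 2>&1 || zpool import "$POOL"
    bad=$(zpool status "$POOL" | unhealthy_vdevs "$POOL")
    if [ -n "$bad" ]; then
        # Page the operator instead of silently running on a degraded mirror.
        logger -t unlock-pool "pool $POOL degraded: $bad"
        printf 'DEGRADED: %s\n' "$bad" >&2
    fi
    service cbsdd start
}

case "${1-}" in
    run) unlock_pool ;;
esac
```

The passphrase file lives on the unencrypted root, so this only defends against a disk being pulled or replaced, exactly the case the article names; anyone with root on the host can read it, which is the same trust boundary the "Confidentiality" section describes.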

** I also don't use NAT from cbsd; I configure it myself with pf.

# sysrc pf_enable=YES

# ee /etc/pf.conf

IF_PUBLIC="em0"
IP_PUBLIC="1.23.34.56"
JAIL_IP_POOL="192.168.0.0/24"

#WHITE_CL="{ 127.0.0.1 }"

icmp_types="echoreq"

set limit { states 20000, frags 20000, src-nodes 20000 }
set skip on lo0
scrub in all

#NAT for jails
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC

## Bitcoin network port forward
IP_JAIL="192.168.0.1"
PORT_JAIL="{8333}"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

# service pf start

# pfctl -f /etc/pf.conf

Setting up firewall policy is a separate topic too, so I won't go into setting up BLOCK ALL and whitelists; you can do that by reading the official documentation or any of the many articles available on Google.

Well... we've installed cbsd, it's time to create our first workhorse: the Bitcoin daemon!

cbsd jconstruct-tui


Here we see the cell creation dialog. Once all the values are set, let's create it!

When creating the first cell you have to choose what to use as the base for cells. I choose a distribution from the FreeBSD repository with the repo command. This choice is made only when creating the first cell of a given version (you can host cells of any version no newer than the host's version).

After everything is installed, we launch the cell!

# cbsd jstart bitcoind

But we need to install software inside the cell.

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind

jexec bitcoind

to enter the cell console, and already inside the cell we install the software with its dependencies (our host system stays clean)

bitcoind:/@[15:25] # pkg install bitcoin-daemon bitcoin-utils

bitcoind:/@[15:30] # sysrc bitcoind_enable=YES

bitcoind:/@[15:30] # service bitcoind start

Bitcoin is in a cell, but we need anonymity because we want to connect to some cells via the Tor network. In general we plan to run most cells with dubious software only through a proxy. Thanks to pf you can disable NAT for a specific range of IP addresses on the local network and allow NAT only for our Tor node. Thus, even if malware gets into a cell, it most likely won't be able to talk to the outside world, and if it does, it won't reveal our server's IP. So we create another cell to "publish" services as ".onion" services and to act as a proxy for Internet access from individual cells.

# cbsd jconstruct-tui

# cbsd jstart tor

# jexec tor

tor:/@[15:38] # pkg install tor

tor:/@[15:38] # sysrc tor_enable=YES

tor:/@[15:38] # ee /usr/local/etc/tor/torrc

Configure it to listen on the local address (reachable from all cells)

SOCKSPort 192.168.0.2:9050

What else do we need for complete happiness? Right, we need a service for our website, maybe more than one. Let's launch nginx, which will act as a reverse proxy and take care of renewing Let's Encrypt certificates.

# cbsd jconstruct-tui

# cbsd jstart nginx-rev

# jexec nginx-rev

nginx-rev:/@[15:47] # pkg install nginx py36-certbot

So we put 150 MB of dependencies into the cell. And the host is still clean.

We'll return to configuring nginx later; we need to bring up two more cells: one for our payment gateway on nodejs and rust, and one for the web application, which for some reason runs on Apache and PHP, and the latter needs a MySQL database.

# cbsd jconstruct-tui

# cbsd jstart paygw

# jexec paygw

paygw:/@[15:55] # pkg install git node npm

paygw:/@[15:55] # curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

...and another 380 MB of packages are isolated

After that, we clone our application with git and launch it.

# cbsd jconstruct-tui

# cbsd jstart webapp

# jexec webapp

webapp:/@[16:02] # pkg install mariadb104-server apache24 php74 mod_php74 php74-pdo_mysql

450 MB of packages, inside the cell.

Here we give the developers SSH access directly into the cell; they will do everything there themselves:

webapp:/@[16:02] # ee /etc/ssh/sshd_config

Port 2267

change the cell's SSH port to any arbitrary one

webapp:/@[16:02] # sysrc sshd_enable=YES

webapp:/@[16:02] # service sshd start

Well, the service is running, all that remains is to add a rule to the pf firewall

Let's see what IPs our cells have and what our "local zone" looks like overall.

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind
     2  192.168.0.2     tor.space.com                 /zroot/jails/jails/tor
     3  192.168.0.3     nginx-rev.space.com           /zroot/jails/jails/nginx-rev
     4  192.168.0.4     paygw.space.com               /zroot/jails/jails/paygw
     5  192.168.0.5     webapp.my.domain              /zroot/jails/jails/webapp

and add the rule

# ee /etc/pf.conf

## SSH for web-Devs
IP_JAIL="192.168.0.5"
PORT_JAIL="{ 2267 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

Well, while we're here, let's also add a rule for the reverse proxy:

## web-ports for nginx-rev
IP_JAIL="192.168.0.3"
PORT_JAIL="{ 80, 443 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

# pfctl -f /etc/pf.conf

Well, now a little about bitcoins

What we have is a web application exposed to the outside that talks locally to the payment gateway. Now we need to prepare the working environment for interacting with the Bitcoin network itself; the bitcoind node is only a daemon that keeps a local copy of the blockchain up to date. This daemon has RPC and wallet functionality, but there are more convenient "wrappers" for application development. First, we decided to install electrum, a CLI wallet. We'll use this wallet as "cold storage" for bitcoins, in general those bitcoins that need to be kept "outside" the system that users have access to, and away from everyone in general. It also has a GUI, so we'll use the same wallet on our laptops. For now we'll use Electrum with public servers, and later we'll bring up ElectrumX in a separate cell so as not to depend on anyone at all.

# cbsd jconstruct-tui

# cbsd jstart electrum

# jexec electrum

electrum:/@[8:45] # pkg install py36-electrum

another 700 MB of software in our cell

electrum:/@[8:53] # adduser

Username: wallet
Full name: 
Uid (Leave empty for default): 
Login group [wallet]: 
Login group is wallet. Invite wallet into other groups? []: 
Login class [default]: 
Shell (sh csh tcsh nologin) [sh]: tcsh
Home directory [/home/wallet]: 
Home directory permissions (Leave empty for default): 
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]: 
Username   : wallet
Password   : <disabled>
Full Name  : 
Uid        : 1001
Class      : 
Groups     : wallet 
Home       : /home/wallet
Home Mode  : 
Shell      : /bin/tcsh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (wallet) to the user database.
Add another user? (yes/no): no
Goodbye!

electrum:/@[8:53] # su wallet

wallet@electrum:/ % electrum-3.6 create

{
    "msg": "Please keep your seed in a safe place; if you lose it, you will not be able to restore your wallet.",
    "path": "/usr/home/wallet/.electrum/wallets/default_wallet",
    "seed": "jealous win pig material ribbon young punch visual okay cactus random bird"
}

Now we have a created wallet.

wallet@electrum:/ % electrum-3.6 listaddresses

[
    "18WEhbjvMLGRMfwudzUrUd25U5C7uZYkzE",
    "14XHSejhxsZNDRtk4eFbqAX3L8rftzwQQU",
    "1KQXaN8RXiCN1ne9iYngUWAr6KJ6d4pPas",
    ...
    "1KeVcAwEYhk29qEyAfPwcBgF5mMMoy4qjw",
    "18VaUuSeBr6T2GwpSHYF3XyNgLyLCt1SWk"
]

wallet@electrum:/ % electrum-3.6 help

From now on only a limited number of people will be able to connect to our on-chain wallet. So as not to open access to this cell from the outside, SSH connections will go through Tor (a kind of anonymizing VPN). We start SSH inside the cell but do not touch our pf.conf on the host.

electrum:/@[9:00] # sysrc sshd_enable=YES

electrum:/@[9:00] # service sshd start

Now let's deprive the wallet cell of Internet access. Let's give it an IP address from a subnet range that isn't NATed. First we change /etc/pf.conf on the host

# ee /etc/pf.conf

JAIL_IP_POOL="192.168.0.0/24" is changed to JAIL_IP_POOL="192.168.0.0/25", so that all the addresses 192.168.0.126-255 have no direct Internet access. A kind of software "air gap". And the NAT rule stays as it was

nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC

Reloading the rules

# pfctl -f /etc/pf.conf

Now let's reconfigure our cell

# cbsd jconfig jname=electrum


jset mode=quiet jname=electrum ip4_addr="192.168.0.200"
Remove old IP: /sbin/ifconfig em0 inet 192.168.0.6 -alias
Setup new IP: /sbin/ifconfig em0 inet 192.168.0.200 alias
ip4_addr: 192.168.0.200
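To make the "software air gap" explicit rather than a side effect of the NAT pool's size, here is an added example (not from the article) that generates the NAT and port-forwarding part of pf.conf from a small inventory of cells and refuses to run when a cell marked as air-gapped still falls inside the NAT pool. A /25 covers 192.168.0.0 through 192.168.0.127, so the wallet's 192.168.0.200 lies outside it; the in_cidr check below verifies exactly that. The inventory uses the article's addresses (including the cln cell at 192.168.0.7 that appears later); the table name, the extra "block drop out" rule and the script name are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the article: render the NAT / rdr rules for the
# cells from an inventory and refuse when an air-gapped cell is NAT-able.
# Usage:  sh gen-pf.sh render > /etc/pf.conf.jails && pfctl -nf /etc/pf.conf.jails

EXT_IF="em0"
EXT_IP="1.23.34.56"
NAT_POOL="192.168.0.0/25"

# name ip egress published-tcp-ports ("-" for none); addresses as in the article
INVENTORY='
bitcoind  192.168.0.1   nat  8333
tor       192.168.0.2   nat  -
nginx-rev 192.168.0.3   nat  80,443
webapp    192.168.0.5   nat  2267
polipo    192.168.0.6   nat  -
cln       192.168.0.7   nat  -
electrum  192.168.0.200 none -
'

ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit 0 when IP lies inside the prefix
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Fail (and name the offender) if any egress=none cell would be masqueraded.
check_inventory() {
    printf '%s\n' "$INVENTORY" | while read -r name ip egress ports; do
        [ -n "$name" ] || continue
        if [ "$egress" = none ] && in_cidr "$ip" "$NAT_POOL"; then
            echo "ERROR: $name ($ip) is air-gapped but inside NAT pool $NAT_POOL" >&2
            return 1
        fi
    done
}

render_pf_rules() {
    check_inventory || return 1
    airgap=$(printf '%s\n' "$INVENTORY" | awk '$3 == "none" { print $2 }' | tr '\n' ' ')
    echo "ext_if=\"$EXT_IF\""
    echo "ext_ip=\"$EXT_IP\""
    echo "table <airgap> { $airgap}"
    echo "nat pass on \$ext_if from $NAT_POOL to any -> \$ext_ip"
    # Belt and braces: even if the pool is widened by mistake later, an
    # air-gapped cell can never send anything out of the public interface.
    echo "block drop out quick on \$ext_if from <airgap> to any"
    printf '%s\n' "$INVENTORY" | while read -r name ip egress ports; do
        [ -n "$name" ] && [ "$ports" != "-" ] || continue
        echo "rdr pass on \$ext_if proto tcp from any to \$ext_ip port { $(echo "$ports" | tr , ' ') } -> $ip"
    done
}

case "${1-}" in
    render) render_pf_rules ;;
esac
```

Traffic between cells on the same host never crosses em0 (it stays on lo0, which pf skips), so the wallet cell can still reach the Tor SOCKS port and the polipo proxy on the local net while the block rule stops anything it might send straight to the Internet.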

Hmm, but now the system itself will stop working for us. However, we can specify a proxy for the system. There's one catch though: Tor is a SOCKS5 proxy, and for convenience we also want an HTTP proxy.

# cbsd jconstruct-tui

# cbsd jstart polipo

# jexec polipo

polipo:/@[9:28] # pkg install polipo

polipo:/@[9:28] # ee /usr/local/etc/polipo/config

socksParentProxy = "192.168.0.2:9050"
socksProxyType = socks5

polipo:/@[9:42] # sysrc polipo_enable=YES

polipo:/@[9:43] # service polipo start

Well, now there are two proxy servers in our system, and both exit through Tor: socks5://192.168.0.2:9050 and http://192.168.0.6:8123

Now we can set up our wallet's environment

# jexec electrum

electrum:/@[9:45] # su wallet

wallet@electrum:/ % ee ~/.cshrc

# at the end of the file: proxy config
setenv http_proxy http://192.168.0.6:8123
setenv https_proxy http://192.168.0.6:8123

Well, now the shell will work through the proxy. If we want to install packages, we should also add to /usr/local/etc/pkg.conf, as root inside the cell

pkg_env: {
    # replace my_proxy_ip with the polipo cell's address (192.168.0.6 in this setup)
    http_proxy: "http://my_proxy_ip:8123"
}

Well, now it's time to add a Tor hidden service as the address of the SSH service in the cell.

# jexec tor

tor:/@[9:59] # ee /usr/local/etc/tor/torrc

HiddenServiceDir /var/db/tor/electrum/
HiddenServicePort 22 192.168.0.200:22

tor:/@[10:01] # mkdir /var/db/tor/electrum

tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/electrum

tor:/@[10:01] # chmod 700 /var/db/tor/electrum

tor:/@[10:03] # service tor restart

tor:/@[10:04] # cat /var/db/tor/electrum/hostname

mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion

This is the address of our hidden service. Let's check it from the local machine. But first we need to add our SSH key:

wallet@electrum:/ % mkdir ~/.ssh

wallet@electrum:/ % ee ~/.ssh/authorized_keys

ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAG9Fk2Lqi4GQ8EXZrsH3EgSrVIQPQaAlS38MmJLBabihv9KHIDGXH7r018hxqLNNGbaJWO/wrWk7sG4T0yLHAbdQAFsMYof9kjoyuG56z0XZ8qaD/X/AjrhLMsIoBbUNj0AzxjKNlPJL4NbHsFwbmxGulKS0PdAD5oLcTQi/VnNdU7iFw== user@local

Well, from a Linux client machine

user@local ~$ nano ~/.ssh/config

#remote electrum wallet
Host remotebtc
        User wallet
        Port 22
        Hostname mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
        ProxyCommand /bin/ncat --proxy localhost:9050 --proxy-type socks5 %h %p

Let's connect (for this to work you need a local Tor daemon listening on 9050)

user@local ~$ ssh remotebtc

The authenticity of host 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:iW8FKjhVF4yyOZB1z4sBkzyvCM+evQ9cCL/EuWm0Du4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion' (ECDSA) to the list of known hosts.
FreeBSD 12.1-RELEASE-p1 GENERIC 
To save disk space in your home directory, compress files you rarely
use with "gzip filename".
        -- Dru <[email protected]>
wallet@electrum:~ % logout

Success!

To work with instant and micro payments we also need a Lightning node; in fact, this will be our main tool for working with Bitcoin. The c-lightning* that we'll use as the daemon has the Sparko plugin, a full-featured HTTP (REST) interface that lets you work with both off-chain and on-chain transactions. c-lightning requires bitcoind to run.

*There are different implementations of the lightning network protocol in different languages. Of those we tried, c-lightning (written in C) turned out to be the most stable and resource-efficient.

# cbsd jconstruct-tui

# cbsd jstart cln

# jexec cln

lightning:/@[10:23] # adduser

Username: lightning
...

lightning:/@[10:24] # pkg install git

lightning:/@[10:23] # su lightning

lightning@lightning:~ % cd ~ && git clone https://github.com/ElementsProject/lightning

lightning@lightning:~ % exit

lightning:/@[10:30] # cd /home/lightning/lightning/

lightning:/home/lightning/lightning@[10:31] # pkg install autoconf automake gettext git gmp gmake libtool python python3 sqlite3 libsodium py36-mako bash bitcoin-utils

lightning:/home/lightning/lightning@[10:34] # ./configure && gmake && gmake install

While everything needed is being compiled and installed, let's create an RPC user for lightningd in bitcoind (test/test below are placeholders; in production use a strong password, or better an rpcauth= hash, so the secret is not stored in clear text in bitcoin.conf)

# jexec bitcoind

bitcoind:/@[10:36] # ee /usr/local/etc/bitcoin.conf

rpcbind=192.168.0.1
rpcuser=test
rpcpassword=test
#allow only c-lightning
rpcallowip=192.168.0.7/32

bitcoind:/@[10:39] # service bitcoind restart

Chaotic switching between cells becomes less chaotic if you use the tmux utility, which lets you create several terminal sessions within one session. Its analogue: screen

So, we don't want to reveal the real IP of our node, and we want to run all financial transactions via Tor. Therefore another .onion is needed.

# jexec tor

tor:/@[9:59] # ee /usr/local/etc/tor/torrc

HiddenServiceDir /var/db/tor/cln/
HiddenServicePort 9735 192.168.0.7:9735

tor:/@[10:01] # mkdir /var/db/tor/cln

tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/cln

tor:/@[10:01] # chmod 700 /var/db/tor/cln

tor:/@[10:03] # service tor restart

tor:/@[10:04] # cat /var/db/tor/cln/hostname

en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion

Now let's create the config for c-lightning

lightning:/home/lightning/lightning@[10:31] # su lightning

lightning@lightning:~ % mkdir .lightning

lightning@lightning:~ % ee .lightning/config

alias=My-LN-Node
bind-addr=192.168.0.7:9735
rgb=ff0000
announce-addr=en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion:9735
network=bitcoin
log-level=info
fee-base=0
fee-per-satoshi=1
proxy=192.168.0.2:9050
log-file=/home/lightning/.lightning/c-lightning.log
min-capacity-sat=200000

# sparko plugin
# https://github.com/fiatjaf/lightningd-gjson-rpc/tree/master/cmd/sparko

sparko-host=192.168.0.7
sparko-port=9737

sparko-tls-path=sparko-tls

#sparko-login=mywalletusername:mywalletpassword

#sparko-keys=masterkey;secretread:+listchannels,+listnodes;secretwrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
sparko-keys=masterkey;secretread:+listchannels,+listnodes;ultrawrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice

lightning@lightning:~ % mkdir .lightning/plugins

lightning@lightning:~ % cd .lightning/plugins/

lightning@lightning:~/.lightning/plugins % fetch https://github.com/fiatjaf/sparko/releases/download/v0.2.1/sparko_full_freebsd_amd64

lightning@lightning:~/.lightning/plugins % chmod +x sparko_full_freebsd_amd64

lightning@lightning:~/.lightning/plugins % mv sparko_full_freebsd_amd64 sparko

lightning@lightning:~/.lightning/plugins % mkdir ~/.lightning/sparko-tls

lightning@lightning:~/.lightning/plugins % cd ~/.lightning/sparko-tls

lightning@lightning:~/.lightning/sparko-tls % openssl genrsa -out key.pem 2048

lightning@lightning:~/.lightning/sparko-tls % openssl req -new -x509 -sha256 -key key.pem -out cert.pem -days 3650

lightning@lightning:~/.lightning/sparko-tls % cd ~

You also need to create a config file for bitcoin-cli, the utility that talks to bitcoind

lightning@lightning:~ % mkdir .bitcoin

lightning@lightning:~ % ee .bitcoin/bitcoin.conf

rpcconnect=192.168.0.1
rpcuser=test
rpcpassword=test

check

lightning@lightning:~ % bitcoin-cli echo "test"

[
  "test"
]

launch lightningd

lightning@lightning:~ % lightningd --daemon

lightningd itself can be managed with the lightning-cli utility, for example:

lightning-cli newaddr

get an address for a new incoming payment

{
   "address": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv",
   "bech32": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv"
}

lightning-cli withdraw bc1jufcxahfrnfhruwjgx3cq2n2ffq3lplhme878pv all

send all the funds in the wallet to the address (all on-chain addresses)

There are also commands for off-chain operations: lightning-cli invoice, lightning-cli listinvoices, lightning-cli pay and so on.

Well, for communicating with the application we have the REST API

curl -k https://192.168.0.7:9737/rpc -d '{"method": "pay", "params": ["lnbc..."]}' -H 'X-Access: masterkey'

(the access key goes in the X-Access header as "name: value"; -k disables certificate verification, so on the gateway side pin the Sparko cert.pem instead, e.g. with curl's --cacert)

Let's sum up the result

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind
     2  192.168.0.2     tor.space.com                 /zroot/jails/jails/tor
     3  192.168.0.3     nginx-rev.space.com           /zroot/jails/jails/nginx-rev
     4  192.168.0.4     paygw.space.com               /zroot/jails/jails/paygw
     5  192.168.0.5     webapp.my.domain              /zroot/jails/jails/webapp
     7  192.168.0.200   electrum.space.com            /zroot/jails/jails/electrum
     8  192.168.0.6     polipo.space.com              /zroot/jails/jails/polipo
     9  192.168.0.7     lightning.space.com           /zroot/jails/jails/cln


We have a set of containers, each with its own level of access from and to the local network.

# zfs list

NAME                    USED  AVAIL  REFER  MOUNTPOINT
zroot                   279G  1.48T    88K  /zroot
zroot/ROOT             1.89G  1.48T    88K  none
zroot/ROOT/default     1.89G  17.6G  1.89G  /
zroot/home               88K  1.48T    88K  /home
zroot/jails             277G  1.48T   404M  /zroot/jails
zroot/jails/bitcoind    190G  1.48T   190G  /zroot/jails/jails-data/bitcoind-data
zroot/jails/cln         653M  1.48T   653M  /zroot/jails/jails-data/cln-data
zroot/jails/electrum    703M  1.48T   703M  /zroot/jails/jails-data/electrum-data
zroot/jails/nginx-rev   190M  1.48T   190M  /zroot/jails/jails-data/nginx-rev-data
zroot/jails/paygw      82.4G  1.48T  82.4G  /zroot/jails/jails-data/paygw-data
zroot/jails/polipo     57.6M  1.48T  57.6M  /zroot/jails/jails-data/polipo-data
zroot/jails/tor        81.5M  1.48T  81.5M  /zroot/jails/jails-data/tor-data
zroot/jails/webapp      360M  1.48T   360M  /zroot/jails/jails-data/webapp-data

As you can see, bitcoind takes up all of 190 GB. What if we need another node for testing? This is where ZFS comes in handy. With cbsd jclone old=bitcoind new=bitcoind-clone host_hostname=clonedbtc.space.com you can create a snapshot and attach a new cell to it. The new cell will have its own space, but only the difference between its current state and the original will count in the filesystem (we save at least 190 GB).

Each cell is its own isolated ZFS dataset, which is very convenient. ZFS also lets you do various other nice things, such as sending snapshots over SSH. We won't describe that; plenty has been written already.

It is also worth noting the need for remote monitoring of the host; for that we have Zabbix.

S - security

As for security, let's start from the basic principles in the context of the infrastructure:

Confidentiality - The standard toolkit of a UNIX-like system ensures this principle is implemented. We carefully separate access to each part of the system, i.e. to each cell. Access is granted through standard user authentication with the users' private keys. All communication between the cells and to them happens in encrypted form. Thanks to disk encryption, we don't have to worry about data safety when replacing a disk or migrating to another server. The only critical access is access to the host system, since such access generally gives access to the data inside the containers.

Integrity - This principle is implemented at several levels. First, it's worth noting that in the case of server hardware with ECC memory, ZFS "out of the box" already takes care of data integrity at the bit level. Instant snapshots let you make a backup at any moment on the fly. Convenient cell export/import tools make duplicating a cell trivial.

Availability - This one is optional. It depends on how popular you are and whether you have enemies. In our example we made sure the wallet is reachable only from the Tor network. If necessary, you can block everything on the firewall and allow access to the server only through dedicated tunnels (Tor or VPN is a separate matter). Thus the server is cut off from the outside world as far as possible, and only we can influence its availability.

Non-repudiation - This depends on further work and on following proper rules for user rights, access and so on. But with the right approach, all user actions are audited, and thanks to the audit mechanisms it can be established unambiguously who did what and when.

Of course, the described infrastructure is not a complete example of how it should always be; it is one example of how it can be, while retaining flexibility and scalability.

What about full virtualization?

You can read about full virtualization with cbsd here. I'll only add that to run bhyve you need to enable a few kernel options.

# cat /etc/rc.conf

...
kld_list="vmm if_tap if_bridge nmdm"
...

# cat /boot/loader.conf

...
vmm_load="YES"
...

So if you suddenly need to run docker, install debian there and off you go!


That's all

I think that's everything I wanted to share. If you liked the article, you can send me bitcoins: bc1qu7lhf45xw83ddll5mnzte6ahju8ktkeu6qhttc. If you want to try the cells in action and have some bitcoins, you can visit my pet project.

source: www.habr.com