Port knocking on Linux: server and client

For those who need to give themselves and their loved ones access to their servers from anywhere in the world via SSH/RDP/whatever: a small RTFM / cheat sheet.

We need to do without VPN and other bells and whistles, from whatever device is at hand.

And without too much fiddling on the server side.

All you need for this is knocking, a steady hand, and 5 minutes of work.

"Everything is on the Internet," of course (even on Habr), but when it comes to a specific implementation, that's where the fun starts...

We'll use Fedora/CentOS as the example, but that doesn't really matter.

The cheat sheet suits both beginners and experts on the subject, so there will be comments, but they will be short.

1. Server

  • install knock-server:
    yum/dnf install knock-server

  • configure it (ssh as the example) - /etc/knockd.conf:

    [options]
        UseSyslog
        interface = enp1s0f0
    [SSHopen]
        sequence        = 33333,22222,11111
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout     = 3600
        stop_command    = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    [SSHclose]
        sequence        = 11111,22222,33333
        seq_timeout     = 5
        tcpflags        = syn
        command         = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

    The "open" section is set to close itself automatically after 1 hour. You never know...

  • /etc/sysconfig/iptables:

    ...
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
    ...

  • next:

    service iptables restart
    service knockd start

  • you can add RDP to a virtual Windows Server box behind it (/etc/knockd.conf; substitute the interface name to taste):

    [RDPopen]
        sequence        = 44444,33333,22222
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -t nat -A PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
        cmd_timeout     = 3600
        stop_command    = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
    [RDPclose]
        sequence        = 22222,33333,44444
        seq_timeout     = 5
        tcpflags        = syn
        command         = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2

    We watch all our knocks from the client on the server with the iptables -S command.

2. A guide to the pitfalls

knockd.conf:

The man page, of course, contains everything (except it doesn't), and knockd is stingy with messages, so you need to be very careful.

  • version
    In the Fedora/CentOS repositories the newest knockd today is 0.63. Whoever wants UDP, look for the 0.70 package.
  • interface
    In the default Fedora/CentOS config this line is missing. Add it by hand, otherwise it won't work.
  • timeout
    Here you can choose to taste. The client must have enough time for all the knocks, and the scanner bot must run out of it (and it will check, 146%).
  • start/stop/command
    If there is one command, then command; if there are two, then start_command + stop_command.
    If you get it wrong, knockd will stay silent, but it won't work.
  • protocol
    In theory, UDP can be used. In practice, I combined tcp and udp, and the client from a beach in Bali managed to open the gate only on the fifth try. Because TCP arrives when it is needed, but UDP is not guaranteed to. But that's a matter of taste, too.
  • sequence
    The implicit pitfall is that the sequences must not overlap... how to put it...

For example, this:

open: 11111,22222,33333
close: 22222,11111,33333

The 11111 of open will wait for the next knock on 22222. However, after that (22222) kick, close will start working and everything will break. This also depends on the client's delay. Such things ©.
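To check a knockd.conf for the overlap described above, here is an added Python script (not from the article or the knockd project). It parses the sequences of the article's own SSHopen/SSHclose pair, lists the ports they share, and replays a knock through a deliberately simplified model of knockd's per-sequence state (an assumption, not knockd's real per-IP attempt tracking with timeouts).

```python
import re

# Constructed excerpt of the article's knockd.conf: the open and close
# sequences are mirror images, so every port appears in both of them.
SAMPLE_CONF = """
[options]
    interface = enp1s0f0
[SSHopen]
    sequence        = 33333,22222,11111
[SSHclose]
    sequence        = 11111,22222,33333
"""

def parse_sequences(text):
    """Return {section: [ports]} for every knockd.conf section with a sequence."""
    seqs, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"\[(.+)\]$", line)
        if head:
            section = head.group(1)
            continue
        seq = re.match(r"sequence\s*=\s*(.+)$", line)
        if seq and section:
            seqs[section] = [int(p.strip()) for p in seq.group(1).split(",")]
    return seqs

def shared_ports(seqs):
    """Section pairs whose sequences reuse a port: the article's 'overlap'."""
    names = sorted(seqs)
    return [(a, b, sorted(set(seqs[a]) & set(seqs[b])))
            for i, a in enumerate(names) for b in names[i + 1:]
            if set(seqs[a]) & set(seqs[b])]

def simulate(seqs, knocks):
    """Replay one client's knocks through a simplified model of knockd
    (assumption: a knock that is not the expected next port resets that
    sequence, or restarts it when it is the sequence's first port).
    Returns (sections that fired, sections left half-way through)."""
    stage, fired = dict.fromkeys(seqs, 0), []
    for port in knocks:
        for name, seq in seqs.items():
            if port == seq[stage[name]]:
                stage[name] += 1
                if stage[name] == len(seq):      # sequence complete: command runs
                    fired.append(name)
                    stage[name] = 0
            else:
                stage[name] = 1 if port == seq[0] else 0
    return fired, sorted(n for n, s in stage.items() if s)
```

Run `simulate(conf, conf["SSHopen"])` on the sample: open fires, but its last knock (11111) is close's first port, so SSHclose is left primed at stage one for that client.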

iptables

If in /etc/sysconfig/iptables this:

*nat
:PREROUTING ACCEPT [0:0]

doesn't necessarily bother us, then this:

*filter
:INPUT ACCEPT [0:0]
...
-A INPUT -j REJECT --reject-with icmp-host-prohibited

does get in the way.

Since knockd appends its rules to the end of the INPUT chain, we get a reject.

And removing that reject means opening the machine to all the winds.

So as not to get lost in iptables over what to put before what (as these people advise), let's simplify:

  • the default first rule on CentOS/Fedora ("what is not forbidden is allowed") gets replaced with the opposite,
  • and we remove the last rule.

The result should look like:

*filter
:INPUT DROP [0:0]
...
#-A INPUT -j REJECT --reject-with icmp-host-prohibited

You can, of course, use REJECT instead of DROP, but with DROP life will be more fun for the bots.
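An added Python check (not from the article) that reads an iptables-save style dump and flags the two things this section is about: an ACCEPT policy on INPUT, and any ACCEPT that sits after an unconditional REJECT/DROP, which is where knockd's appended rule lands in the stock layout. The dumps and the client address 203.0.113.7 are constructed samples.

```python
import re

# Constructed excerpts of /etc/sysconfig/iptables. STOCK is the CentOS default
# layout (ACCEPT policy, trailing catch-all REJECT) after knockd has appended
# its per-client rule; FIXED is the article's DROP policy without the REJECT.
# 203.0.113.7 is a constructed client address.
KNOCKD_RULE = "-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 22 -j ACCEPT"
STOCK = f"""*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
{KNOCKD_RULE}
COMMIT
"""
FIXED = f"""*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
{KNOCKD_RULE}
COMMIT
"""

# A rule with no match criteria and a terminating target: nothing after it runs.
CATCH_ALL = re.compile(r"-A INPUT -j (REJECT|DROP)(\s.*)?")

def audit_input_chain(dump):
    """Findings for the INPUT chain of an iptables-save style dump ([] if clean)."""
    findings, catch_all_line = [], None
    for n, raw in enumerate(dump.splitlines(), 1):
        line = raw.strip()
        if line.startswith(":INPUT ") and line.split()[1] == "ACCEPT":
            findings.append(f"line {n}: INPUT policy is ACCEPT; knockd only makes sense gating a DROP policy")
        if not line.startswith("-A INPUT"):
            continue                                  # comments, other chains, COMMIT
        if CATCH_ALL.fullmatch(line):
            catch_all_line = catch_all_line or n
        elif catch_all_line and line.endswith("-j ACCEPT"):
            findings.append(f"line {n}: ACCEPT appended after catch-all on line {catch_all_line} never matches")
    return findings

if __name__ == "__main__":
    for name, dump in ("STOCK", STOCK), ("FIXED", FIXED):
        print(name, audit_input_chain(dump) or ["ok"])
```

On a live box, feed it `iptables-save` output instead of the samples; the same two findings are what UPD2 below is about.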

3. Client

This is the most interesting part (in my opinion), since you need to work not only from any beach, but also from any device.

In principle, a number of clients are listed on the project page, but that is from the same "everything is on the Internet" series. So I'll list what works under my fingers here and now.

When choosing a client, you need to make sure it supports a delay option between packets. Yes, beaches differ, and 100 megabits never guarantee that packets will arrive in the right order at the right time from a given location.

Yes, when setting up the client, you have to pick the delay yourself. Too much time and the bots will attack; too little and the client won't make it. Too much delay and the client won't make it in time, or there will be confusion (see "pitfalls"); too little and the packets will get lost on the Internet.

With timeout = 5s, a delay of 100..500ms is a perfectly workable option.
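As an added example (not the article's code, nor any of the clients listed below), a small Python knocker that does what the delay option is for: one TCP SYN per port with a pause between them, a connect timeout short enough that the whole sequence stays inside seq_timeout, and a probe of port 22 afterwards. The server address in the __main__ block is a placeholder.

```python
import socket
import time

def worst_case_seconds(n_ports, delay_ms, connect_timeout):
    """Longest the whole knock can take: it must stay below knockd's seq_timeout."""
    return (n_ports - 1) * delay_ms / 1000.0 + n_ports * connect_timeout

def knock(host, ports, delay_ms=250, connect_timeout=0.5, seq_timeout=5.0):
    """Send one TCP SYN per port, in order, pausing delay_ms between knocks.
    A plain connect() attempt is enough: with tcpflags = syn knockd only looks
    at the SYN, and the knock ports are closed or dropped on the server anyway.
    Returns [(port, outcome)] for every knock sent."""
    if worst_case_seconds(len(ports), delay_ms, connect_timeout) >= seq_timeout:
        raise ValueError("delay/timeout combination cannot finish inside seq_timeout")
    results = []
    for i, port in enumerate(ports):
        if i:
            time.sleep(delay_ms / 1000.0)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(connect_timeout)
        try:
            s.connect((host, port))
            outcome = "connected"          # odd for a knock port, but the SYN went out
        except OSError as e:               # timeout (DROP) or refused (REJECT): both fine
            outcome = type(e).__name__
        finally:
            s.close()
        results.append((port, outcome))
    return results

def gate_open(host, port=22, timeout=2.0):
    """Probe the gated service once; True if something accepted the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    SERVER = "198.51.100.10"               # placeholder, not a real server
    print(knock(SERVER, [33333, 22222, 11111], delay_ms=300))
    print("ssh reachable:", gate_open(SERVER))
```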

Windows

Funny as it is, googling a decent knock client for this platform is not trivial. This CLI supports delay and TCP, and without a wrapper.

Alternatively, you can try this one. Apparently my Google isn't what it used to be.

Linux

Everything is simple here:

dnf install knock -y
knock -d <delay> <dst_ip> 11111 22222 33333

MacOS

The easiest way is to install the port from homebrew:
brew install knock
and write the needed files for commands like:

#!/bin/sh
knock -d <delay> <dst_ip> 11111 22222 33333

iOS

A working option is KnockOnD (free, from the store).

Android

"Knock on Ports". Not an advertisement, it just works. And the developers are very responsive.

PS Markdown on Habr, of course, God bless it someday...

UPD1: thanks to a kind person for finding a working client for Windows.
UPD2: Another kind person reminded me that putting new rules at the end of iptables is not always useful. But it depends.

source: www.habr.com
