Linux tips and tricks: server, open up

For those who need to give themselves, and their loved ones, access to their servers from anywhere in the world over SSH / RDP / whatever else, a small RTFM / cheat sheet.

We need to do without VPN and other bells and whistles, from whatever device is at hand.

And so that you don't have to fiddle much with the server.

All you need for this is port knocking, straight hands and 5 minutes of work.

"It's all on the Internet", of course (including on Habr), but when it comes to a concrete implementation, here is where to start...

We'll use Fedora/CentOS as the example, but that is not essential.

The cheat sheet is suitable both for beginners and for those who already know this stuff, so there will be comments, but brief ones.

1. Server

  • install knockd:
    yum/dnf install knock-server

  • configure it (SSH as the example) - /etc/knockd.conf:

    [options]
        UseSyslog
        interface = enp1s0f0
    [SSHopen]
        sequence        = 33333,22222,11111
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout     = 3600
        stop_command    = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    [SSHclose]
        sequence        = 11111,22222,33333
        seq_timeout     = 5
        tcpflags        = syn
        command         = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

    The "open" section is configured to close the port automatically after 1 hour. You never know...

  • /etc/sysconfig/iptables (strictly speaking knockd sniffs the knocks with libpcap and sees them even when iptables drops them, but accepting the knock ports keeps the setup explicit and easy to verify):

    ...
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
    ...

  • then:

    service iptables restart
    service knockd start

    (on systemd-based releases the equivalent is systemctl restart iptables and systemctl enable --now knockd)

  • you can also add RDP to a Windows Server VM spinning inside (in /etc/knockd.conf; change the interface name to suit your setup):

    [RDPopen]
        sequence        = 44444,33333,22222
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -t nat -A PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
        cmd_timeout     = 3600
        stop_command    = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
    [RDPclose]
        sequence        = 22222,33333,44444
        seq_timeout     = 5
        tcpflags        = syn
        command         = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2

    We check all our knocks from the client on the server with iptables -S (and iptables -t nat -S for the RDP DNAT rules). Note that for the RDP door DNAT alone is not enough: net.ipv4.ip_forward must be enabled, the FORWARD chain must let the traffic through to 192.168.0.2, and the VM's replies must route back via this host.

2. A guide to the rakes

knockd.conf:

The man page has it all (well, almost), but knockd is extremely forgiving of typos: it does not complain, it just silently does nothing. So you have to be very attentive.

  • version
    In the Fedora/CentOS repositories the latest knockd today is 0.63. Whoever wants UDP, look for 0.70 packages.
  • interface
    In the default Fedora/CentOS config this line is missing. Add it by hand, otherwise it won't work (knockd falls back to eth0, which does not exist under predictable interface naming such as enp1s0f0).
  • timeouts
    Here you pick to taste. The client must have enough time for all the knocks, and the bot port scanner (and it will scan, 146%) must break on them.
  • start_command / stop_command / command
    If there is one command, then `command`; if there are two, then start_command + stop_command. Mix them up and knockd stays silent, but does not work.
  • protocol
    In principle UDP can be used. In practice I mixed tcp and udp, and the client on a beach in Bali could only open the door by hand. Because TCP arrived when needed, but UDP, not really. But again, a matter of taste.
  • sequences
    The implicit rake: the sequences must not overlap... how to put it...

Here's an example, like this:

open: 11111,22222,33333
close: 22222,11111,33333

On the knock on 11111 the open sequence waits for the next knock on 22222. But after that (22222) the close sequence also kicks in. And almost everything breaks. It depends on the client's delay. Such things ©. The practical rule: the first port of one door should not appear in the middle of another door's sequence (the SSHopen/SSHclose pair above keeps to this by running the same ports in reverse).
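
To catch these rakes before knockd silently ignores them, here is a small linter for knockd.conf, written for this page (it is not the article's code and not part of the knockd project). It checks the items above: a missing interface line, `command` mixed with start_command/stop_command, a missing seq_timeout, and one door's first knock sitting inside another door's sequence. The two configs embedded in it are constructed samples: the article's SSH door pair and a deliberately broken variant of the open/close example. The overlap rule it applies (the first port of a door must not appear before the end of another door's sequence) is my reading of the rake above, not a rule from knockd's documentation.

```python
import configparser
from itertools import combinations
from typing import List, Tuple

Seq = List[Tuple[int, str]]

# Constructed sample: the article's SSH door pair (expected to lint clean).
SAMPLE_CONF = """
[options]
    UseSyslog
    interface = enp1s0f0
[SSHopen]
    sequence        = 33333,22222,11111
    seq_timeout     = 5
    tcpflags        = syn
    start_command   = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout     = 3600
    stop_command    = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
[SSHclose]
    sequence        = 11111,22222,33333
    seq_timeout     = 5
    tcpflags        = syn
    command         = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""

# Constructed sample with four rakes: no interface, `command` mixed with
# stop_command, no seq_timeout on close, and close's first port (22222)
# sitting in the middle of open's sequence.
BROKEN_CONF = """
[options]
    UseSyslog
[open]
    sequence     = 11111,22222,33333
    seq_timeout  = 5
    command      = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    stop_command = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
[close]
    sequence     = 22222,11111,33333
    command      = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""


def parse_conf(text: str) -> configparser.ConfigParser:
    """knockd.conf is INI-like: bare flags (UseSyslog) and %IP% in values, so
    valueless keys are allowed and interpolation is off. Indentation is stripped
    so configparser does not treat indented lines as value continuations."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp


def parse_sequence(value: str) -> Seq:
    """'33333,22222:udp' -> [(33333, 'tcp'), (22222, 'udp')]; tcp is the default."""
    seq: Seq = []
    for item in value.split(","):
        port, _, proto = item.strip().partition(":")
        seq.append((int(port), proto.strip().lower() or "tcp"))
    return seq


def lint(text: str) -> List[str]:
    cp = parse_conf(text)
    problems: List[str] = []
    if not cp.has_option("options", "interface"):
        problems.append("options: no 'interface' line (the Fedora/CentOS default config omits it)")
    sequences = {}
    for name in cp.sections():
        if name == "options":
            continue
        door = cp[name]
        if "sequence" not in door:
            problems.append(f"{name}: no 'sequence'")
            continue
        try:
            sequences[name] = parse_sequence(door["sequence"])
        except ValueError:
            problems.append(f"{name}: unparsable sequence {door['sequence']!r}")
            continue
        if "seq_timeout" not in door:
            problems.append(f"{name}: no 'seq_timeout'")
        single = "command" in door
        pair = "start_command" in door or "stop_command" in door
        if single and pair:
            problems.append(f"{name}: 'command' mixed with start_command/stop_command")
        elif pair and not ("start_command" in door and "stop_command" in door):
            problems.append(f"{name}: start_command and stop_command must both be present")
        elif not single and not pair:
            problems.append(f"{name}: no command at all")
        if "cmd_timeout" in door and not pair:
            problems.append(f"{name}: cmd_timeout only applies with start_command/stop_command")
    # Overlap rake: a door whose first knock lies before the end of another
    # door's sequence can be triggered while a client is knocking that other door.
    for (a, seq_a), (b, seq_b) in combinations(sequences.items(), 2):
        if seq_b[0] in seq_a[:-1] or seq_a[0] in seq_b[:-1]:
            problems.append(f"{a}/{b}: one door's first knock sits inside the other's sequence")
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/knockd.conf"
    with open(path) as fh:
        for line in lint(fh.read()) or ["no problems found"]:
            print(line)
```

Run it as python knockd_lint.py /etc/knockd.conf before restarting knockd; an empty result is a clean config.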

iptables:

If /etc/sysconfig/iptables contains this:

*nat
:PREROUTING ACCEPT [0:0]

that's no problem for us, but this:

*filter
:INPUT ACCEPT [0:0]
...
-A INPUT -j REJECT --reject-with icmp-host-prohibited

gets in the way.

Because knockd appends its rules to the end of the INPUT chain, they land after that REJECT and never match.

And removing that REJECT would open traffic to all ports.

So as not to get lost in iptables over what to insert in front of what (as some people suggest), we do it the simple way:

  • the CentOS/Fedora default policy ("whatever is not forbidden is allowed") is replaced with the opposite,
  • and we remove that last rule.

The result should be:

*filter
:INPUT DROP [0:0]
...
#-A INPUT -j REJECT --reject-with icmp-host-prohibited

Before switching the policy to DROP, make sure the rules that stay in the "..." still accept lo and ESTABLISHED,RELATED traffic, and keep a console session open while you test: a mistake here locks you out.

You can of course REJECT instead of DROP, but with DROP the bots have a more entertaining life.

3. Client

This part is the most interesting (to me), because you need to work not just from some beach, but from whatever device is at hand.

In principle the clients are listed on the project website, but that's from the same series as "it's all on the Internet". So I'll list what works in my hands, here and now.

When choosing a client you have to make sure it supports setting the delay between packets. Yes, there is a difference between a beach and 100 megabits, and nobody guarantees that from a given place the packets will arrive in the right order at the right time.

And yes, when setting up a client you have to pick the delay yourself. On the server side, too long a seq_timeout and bots can stumble into it, too short and the client has no time. On the client side, too long a delay and the client does not fit into the timeout, or you get a clash of sequences (see "rakes"); too short and packets get lost on the Internet.

With seq_timeout = 5 s, a delay of 100..500 ms is a perfectly working option.
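
For devices without a ready-made client, here is a minimal knock client in Python, added for this page and not the knock project's code. It mirrors how the knock CLI is used in this article: one packet per port, TCP by default, a :udp suffix for UDP, and a delay in milliseconds between knocks. For TCP it only needs the SYN to leave, so it does a non-blocking connect and closes at once rather than waiting out the handshake the server will never answer. The sender and sleep functions are injectable so the sequencing can be checked without a network; 192.0.2.1 in the usage is a documentation address, not a real server.

```python
import errno
import socket
import time
from typing import Callable, List, Tuple

Seq = List[Tuple[int, str]]

# connect_ex() on a non-blocking socket returns one of these once the SYN is
# on the wire (EINPROGRESS on POSIX, WSAEWOULDBLOCK on Windows).
_IN_PROGRESS = {0, errno.EINPROGRESS, errno.EWOULDBLOCK,
                getattr(errno, "WSAEWOULDBLOCK", errno.EWOULDBLOCK)}


def parse_ports(specs: List[str]) -> Seq:
    """['11111', '22222:udp'] -> [(11111, 'tcp'), (22222, 'udp')]."""
    seq: Seq = []
    for spec in specs:
        port, _, proto = spec.partition(":")
        proto = proto.lower() or "tcp"
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol in {spec!r}")
        port_n = int(port)
        if not 1 <= port_n <= 65535:
            raise ValueError(f"port out of range in {spec!r}")
        seq.append((port_n, proto))
    return seq


def send_knock(host: str, port: int, proto: str) -> None:
    """Fire a single knock at host:port over tcp or udp."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(b"", (host, port))
        return
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setblocking(False)
        err = s.connect_ex((host, port))
        if err not in _IN_PROGRESS:
            raise OSError(err, f"knock on {host}:{port} failed")
        # Closing here is fine: the SYN has been sent and the server's
        # firewall drops it, so there is no handshake to wait for.


def knock(host: str, specs: List[str], delay_ms: int = 300,
          sender: Callable[[str, int, str], None] = send_knock,
          sleep: Callable[[float], None] = time.sleep) -> Seq:
    """Send the sequence in order, pausing delay_ms between knocks.
    Returns the parsed sequence so callers can log what was sent."""
    seq = parse_ports(specs)
    for i, (port, proto) in enumerate(seq):
        if i:
            sleep(delay_ms / 1000.0)
        sender(host, port, proto)
    return seq


if __name__ == "__main__":
    import sys
    # usage: python knock.py [-d <delay_ms>] <host> <port[:udp]> ...
    # e.g.   python knock.py -d 300 192.0.2.1 33333 22222 11111
    args = sys.argv[1:]
    delay = 300
    if args[:1] == ["-d"]:
        delay, args = int(args[1]), args[2:]
    knock(args[0], args[1:], delay)
```

The delay between knocks is the same knob the article discusses: set it well inside the server's seq_timeout, and raise it only when packets from your link arrive out of order.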

Windows

No joke, it is not trivial to google a clean knock client for this platform: a CLI with delay support, TCP, and no frills.

Alternatively, you can try this one. My Google isn't what it used to be.

Linux

Everything is simple here (-d takes the delay in milliseconds):

dnf install knock -y
knock -d <delay> <dst_ip> 11111 22222 33333

macOS

The easiest way is to install the port from Homebrew:
brew install knock
and knock together the shell scripts you need for commands like:

#!/bin/sh
knock -d <delay> <dst_ip> 11111 22222 33333

iOS

A working option is KnockOnD (free, from the App Store).

Android

"Knock on Ports". Not an advertisement, it just works. And the developers are responsive.

PS: markdown on Habr, of course, God bless it one day...

UPD1: thanks to the kind person who found a working client for Windows.
UPD2: another kind person reminded me that it is not necessary to always add new rules at the end of iptables. But it's a related matter.

Source: www.habr.com
