Linux tips & tricks: server, open up

For those who want to give themselves and their loved ones access to their servers from anywhere in the world via SSH / RDP / whatever: an RTFM / small cheat sheet.

We will do it without a VPN or other bells and whistles, from a mobile device.

And so that you don't have to fiddle with the server too much.

All you need for this is knock, a pair of steady hands and 5 minutes of work.

"Everything is on the Internet," of course (even on Habr), but when it comes to a specific use case, that's where it starts...

We'll use Fedora/CentOS as the example, but that doesn't really matter.

The cheat sheet is intended both for beginners and for experts on this subject, so there will be comments, but they will be brief.

1. Server

  • install knock-server:
    yum/dnf install knock-server

  • configure it (example for ssh) - /etc/knockd.conf:

    [options]
        UseSyslog
        interface = enp1s0f0
    [SSHopen]
        sequence        = 33333,22222,11111
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout     = 3600
        stop_command    = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    [SSHclose]
        sequence        = 11111,22222,33333
        seq_timeout     = 5
        tcpflags        = syn
        command         = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

    The "open" is set to close itself after 1 hour. You never know...

  • /etc/sysconfig/iptables:

    ...
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
    ...

  • then:

    service iptables restart
    service knockd start

  • you can add RDP to a virtual Windows Server running inside (/etc/knockd.conf; change the interface name to your taste):

    [RDPopen]
        sequence        = 44444,33333,22222
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -t nat -A PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
        cmd_timeout     = 3600
        stop_command    = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
    [RDPclose]
        sequence        = 22222,33333,44444
        seq_timeout     = 5
        tcpflags        = syn
        command         = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2

    We track all our clients' knocks on the server with the command iptables -S.

2. A guide to the rakes

knockd.conf:

The man page has everything (but that's not certain), but knockd is a friend who is very stingy with words, so you have to be very careful.

  • version
    In the Fedora/CentOS repositories the current knock to date is 0.63. Whoever wants UDP, look for the 0.70 package.
  • interface
    In the default Fedora/CentOS configuration this line is missing. Add it by hand, otherwise it won't work.
  • timeout
    Here you can choose to taste. The client must have enough time for all the knocks, while a port-scanner bot gets nothing (and 146% copy-pasted).
  • start/stop/command
    If there is one command, then command; if there are two, then start_command + stop_command.
    If you mix them up, knockd will stay silent but won't work.
  • protocol
    In theory UDP can be used. In practice I mixed tcp and udp, and a client on a beach in Bali could only open the gate on the fifth try. Because TCP arrives when it needs to, but UDP isn't guaranteed. But again, that's a matter of taste.
  • sequences
    The implicit rake is that the sequences must not intersect... how to put it...

For example, this:

open: 11111,22222,33333
close: 22222,11111,33333

After the 11111 knock, open waits for the next knock on 22222. However, after this (22222) knock, close starts working too and everything falls apart. It also depends on the client delay. Stuff happens ©.
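The collision described above, worked through as an added example that is not from the original article: a simplified Python model of how a knock daemon tracks one pending attempt per source host, starts an attempt on the first door whose first port matches, and discards the attempt on a wrong port or when the gap between knocks exceeds seq_timeout. These matching rules are my assumption of knockd's behaviour, not its code; TCP flags are ignored and the client address is a constructed documentation address. It runs the intersecting open/close pair from the text and the page's actual SSHopen/SSHclose config against in-order and reordered knocks.

```python
# Added example: a simplified model of knock-daemon sequence matching.
# Assumptions (mine, not knockd's source): one pending attempt per source
# host; a knock with no pending attempt starts one on the first door whose
# first port matches; a wrong port or a gap longer than seq_timeout discards
# the attempt (and the same knock may then start a new one); TCP flags are
# ignored.

# Doors as in the page's /etc/knockd.conf (ports only)
PAGE_DOORS = {
    "SSHopen":  [33333, 22222, 11111],
    "SSHclose": [11111, 22222, 33333],
}

# The intersecting pair from the "rakes" section
COLLIDING_DOORS = {
    "open":  [11111, 22222, 33333],
    "close": [22222, 11111, 33333],
}

SEQ_TIMEOUT = 5.0  # seconds, as on the page


def run_knocks(doors, knocks, seq_timeout=SEQ_TIMEOUT):
    """knocks: iterable of (time_s, src_ip, dport) in arrival order.
    Returns [(door_name, src_ip)] for every completed sequence."""
    attempts = {}  # src_ip -> [door_name, next_stage, time_of_last_knock]
    fired = []
    for t, src, dport in knocks:
        att = attempts.get(src)
        if att is not None:
            door, stage, t_last = att
            if t - t_last > seq_timeout or doors[door][stage] != dport:
                # stale or "sequence broken": forget this attempt
                del attempts[src]
            else:
                att[1] += 1
                att[2] = t
                if att[1] == len(doors[door]):
                    fired.append((door, src))
                    del attempts[src]
                continue
        # no live attempt for this host: does the knock open a new one?
        for door, seq in doors.items():
            if seq[0] == dport:
                attempts[src] = [door, 1, t]
                break
    return fired


def demo():
    client = "203.0.113.7"  # constructed documentation address
    in_order = [(0.0, client, 11111), (0.2, client, 22222), (0.4, client, 33333)]
    reordered = [(0.0, client, 22222), (0.2, client, 11111), (0.4, client, 33333)]
    page_in_order = [(0.0, client, 33333), (0.2, client, 22222), (0.4, client, 11111)]
    page_reordered = [(0.0, client, 22222), (0.2, client, 33333), (0.4, client, 11111)]
    slow = [(0.0, client, 11111), (6.0, client, 22222), (6.5, client, 33333)]
    return {
        # intersecting sequences: a reordered delivery runs the *other* door
        "colliding_in_order": run_knocks(COLLIDING_DOORS, in_order),
        "colliding_reordered": run_knocks(COLLIDING_DOORS, reordered),
        # page config: a reordered delivery just fails, nothing fires
        "page_config_in_order": run_knocks(PAGE_DOORS, page_in_order),
        "page_config_reordered": run_knocks(PAGE_DOORS, page_reordered),
        # a gap longer than seq_timeout discards the attempt
        "too_slow": run_knocks(COLLIDING_DOORS, slow),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} -> {result}")
```

With the intersecting pair, the same three packets arriving as 22222, 11111, 33333 (a plausible outcome of a too-short client delay) complete the close door instead of open; with the page's own config the reordered knocks complete nothing, which is the harmless failure you want.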

iptables

If in /etc/sysconfig/iptables this:

*nat
:PREROUTING ACCEPT [0:0]

doesn't bother us much, then this:

*filter
:INPUT ACCEPT [0:0]
...
-A INPUT -j REJECT --reject-with icmp-host-prohibited

does get in the way.

Since knockd appends its rules to the end of the INPUT chain, we'll get a reject.

And removing that reject means opening the gates to all winds.

To avoid getting lost in iptables over what to insert before what (as in this tip), let's make it simpler:

  • first, the CentOS/Fedora default policy ("what is not forbidden is allowed") is replaced by the opposite,
  • and we remove the last rule.

The result should be:

*filter
:INPUT DROP [0:0]
...
#-A INPUT -j REJECT --reject-with icmp-host-prohibited

You can, of course, use REJECT instead of DROP, but with DROP life becomes more fun for the bots.
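To see why the default policy matters, here is an added Python toy evaluator for the INPUT chain of an iptables-save dump (it is not iptables and not the article's code). It parses only the rule forms that appear on this page (the chain policy line, -s, -p, --dport, -j) and ignores -m state, so every packet is treated as a new connection. BEFORE and AFTER are the page's two /etc/sysconfig/iptables variants reconstructed inline; after_knock() appends the ACCEPT rule that the page's start_command produces, and demo() checks what happens to the knocking client, to a stranger, and to a knock port in each variant. The addresses are constructed documentation addresses.

```python
# Added example: a toy first-match evaluator for an iptables INPUT chain.
# Not iptables itself; only the rule forms on this page are understood.
import re

# The page's "before" /etc/sysconfig/iptables (filter table only)
BEFORE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The page's "after": DROP policy, catch-all REJECT commented out
AFTER = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# What the page's SSHopen start_command appends (iptables -A INPUT ...)
KNOCKD_RULE = "-A INPUT -s {ip} -p tcp --dport 22 -j ACCEPT"


def parse_rule(line):
    """Extract the few match fields and the target this toy understands."""
    rule = {"target": None}
    m = re.search(r"-s (\S+)", line)
    if m:
        rule["src"] = m.group(1)
    m = re.search(r"-p (\S+)", line)
    if m:
        rule["proto"] = m.group(1)
    m = re.search(r"--dport (\d+)", line)
    if m:
        rule["dport"] = int(m.group(1))
    m = re.search(r"-j (\S+)", line)
    if m:
        rule["target"] = m.group(1)
    return rule


def parse_input_chain(dump):
    """Return (policy, rules) for the INPUT chain; '#' lines are skipped."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rules.append(parse_rule(line))
    return policy, rules


def verdict(dump, src, proto, dport):
    """First matching rule wins; with no match the chain policy applies."""
    policy, rules = parse_input_chain(dump)
    for r in rules:
        if "src" in r and r["src"] != src:
            continue
        if "proto" in r and r["proto"] != proto:
            continue
        if "dport" in r and r["dport"] != dport:
            continue
        return r["target"]
    return policy


def after_knock(dump, client_ip):
    """Simulate knockd running its start_command: -A appends at the end."""
    return dump.replace("COMMIT", KNOCKD_RULE.format(ip=client_ip) + "\nCOMMIT")


def demo():
    client, stranger = "203.0.113.7", "198.51.100.9"  # constructed addresses
    out = {}
    for name, dump in (("before", BEFORE), ("after", AFTER)):
        opened = after_knock(dump, client)
        out[name] = {
            "client_ssh": verdict(opened, client, "tcp", 22),
            "stranger_ssh": verdict(opened, stranger, "tcp", 22),
            "knock_port": verdict(opened, stranger, "tcp", 11111),
        }
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the "before" chain the appended ACCEPT for the client sits behind the catch-all REJECT and is never reached; in the "after" chain it is reached, a stranger falls through to the DROP policy, and the knock ports stay reachable as the page's explicit ACCEPT rules intend.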

3. Clients

This part is the most interesting (in my opinion), because you have to work not only from the beach but also from a mobile device.

In principle, a number of clients are listed on the project site, but that is from the same series: "everything is on the Internet." So here I'll list what works at my fingertips here and now.

When choosing a client, make sure it supports a delay between packets. Yes, there is a difference between the seashore and 100 megabits, and nobody guaranteed that the packets will arrive at the destination in the right order and on time.

And yes, when setting up the client you have to pick the delay yourself. Timeout too long - bots will get in, too short - the client won't make it. Delay too long - the client won't fit in the timeout or the sequences will collide (see "rakes"), too short - packets will get lost in the Internet.

With timeout = 5s, delay = 100..500ms is a perfectly working choice.
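A minimal knock client in Python, added here as an example and not one of the clients the article lists: it sends one TCP connection attempt per port with a configurable delay between knocks, which is exactly the property the text says to look for, and it runs anywhere Python does. The sender and the sleep are injectable so the schedule can be checked offline; delay_ok() encodes the page's rule of thumb (a gap must stay well inside seq_timeout = 5 s, and 100 ms is the lower end of the working range), with the 1 s jitter allowance being my assumption.

```python
# Added example: a tiny port-knocking client with an inter-knock delay.
# Not the knock(1) tool or any client named on the page.
import socket
import sys
import time


def send_syn(host, port, timeout=0.3):
    """One TCP connection attempt. With a DROP policy the SYN is never
    answered, so give up quickly; success or failure is irrelevant."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:
        pass  # dropped or closed port: that is the normal case
    finally:
        s.close()


def knock(host, ports, delay_ms, send=send_syn, sleep=time.sleep):
    """Knock each port in order, pausing delay_ms between knocks.
    Returns [(port, pause_before_s)] so the schedule can be inspected."""
    schedule = []
    for i, port in enumerate(ports):
        pause = 0.0 if i == 0 else delay_ms / 1000.0
        if pause:
            sleep(pause)
        send(host, port)
        schedule.append((port, pause))
    return schedule


def delay_ok(delay_ms, seq_timeout_s=5.0, jitter_s=1.0, min_ms=100):
    """Rule of thumb from the page: not shorter than 100 ms, and one gap
    plus network jitter must stay inside the server's seq_timeout.
    The 1 s jitter allowance is an assumption."""
    return delay_ms >= min_ms and delay_ms / 1000.0 + jitter_s < seq_timeout_s


if __name__ == "__main__":
    # usage: knock.py <dst_ip> <delay_ms> <port> [<port> ...]
    if len(sys.argv) < 4:
        sys.exit("usage: knock.py <dst_ip> <delay_ms> <port> [<port> ...]")
    dst, delay = sys.argv[1], int(sys.argv[2])
    seq = [int(p) for p in sys.argv[3:]]
    if not delay_ok(delay):
        sys.exit("delay outside the working range for a 5 s seq_timeout")
    for port, pause in knock(dst, seq, delay):
        print(f"knocked {dst}:{port} after {pause:.1f}s")
```

Invoked as `python3 knock.py <dst_ip> 200 11111 22222 33333` it behaves like the `knock -d` command shown below for Linux; the connect timeout only bounds how long each unanswered SYN is waited on and does not change the gap between knocks.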

Windows

Strange as it may seem, googling a sane client for this platform is non-trivial. One whose CLI supports delay and TCP - and without bugs.

Alternatively, you can try this one. Though my google-fu isn't the best.

Linux

Everything is simple here:

dnf install knock -y
knock -d <delay> <dst_ip> 11111 22222 33333

MacOS

The easiest way is to install the port from homebrew:
brew install knock
and write the necessary batch file for a command like:

#!/bin/sh
knock -d <delay> <dst_ip> 11111 22222 33333

iOS

A working option is KnockOnD (free, from the store).

Android

"Knock on Ports". Not an advertisement, it just works. And the developers are very responsive.

PS As for markdown on Habr, well, God willing, someday...

Update 1: thanks to the kind people, a working one for Windows was found.
Update 2: Another kind person warned me that placing new rules at the end of iptables is not always effective. But - it depends.

Source: www.hab.com
