O mere na site na ọrụ m bụ onye nchịkwa nke sistemụ kọmputa na netwọkụ (na nkenke: onye nchịkwa sistemụ), enwere m ohere ịgwa prof maka ntakịrị ihe karịrị afọ 10. Ọrụ nke usoro dị iche iche dị iche iche, gụnyere ndị na-achọ ihe nchebe [oke]. O mekwara na oge ụfọdụ gara aga, ahụrụ m ya n'anya , na ọ bụghị nanị na-eji ya, ma malitekwa ọtụtụ micro-ọrụ iji mụta otú onwe-arụ ọrụ na Bitcoin netwọk (aka p2p mgbe niile) site n'echiche nke onye mmepụta (m n'ezie otu n'ime ndị ahụ). dev, ya mere, m na-agafe). Mana anaghị m ekwu maka mmepe, ana m ekwu maka ebe nchekwa dị mma ma dị mma maka ngwa.
Teknụzụ ego (fintech) gaa n'akụkụ nchekwa ozi (Ama nke) na nke mbụ nwere ike ịrụ ọrụ na-enweghị nke abụọ, ma ọ bụghị ogologo oge. Ọ bụ ya mere m ji chọọ ịkọrọ ahụmịhe m na usoro ngwaọrụ m na-eji, nke gụnyere ha abụọ fintech, na Ama nke, na n'otu oge ahụ, a pụkwara iji ya mee ihe maka nzube sara mbara ma ọ bụ kpamkpam dị iche iche. N'isiokwu a, m ga-agwa gị ọ bụghị ọtụtụ ihe gbasara Bitcoin, ma banyere ihe nlereanya akụrụngwa maka mmepe na ọrụ nke ọrụ ego (na ọ bụghị naanị) - na okwu, ọrụ ndị ahụ ebe "B" dị mkpa. Nke a na-emetụta ma Bitcoin mgbanwe na ndị kasị ahụkarị ụlọ ọrụ zoo nke ọrụ nke obere ụlọ ọrụ na-adịghị ejikọrọ na Bitcoin n'ụzọ ọ bụla.
Ọ ga-amasị m ịmara na abụ m onye na-akwado ụkpụrụ "mee ka ọ dị nzuzu mfe" и "obere karịa", ya mere, ma isiokwu ahụ na ihe a kọwara na ya ga-enwe ihe ndị ụkpụrụ ndị a na-ekwu banyere ya.
Ọdịiche dị n'echiche: Ka anyị leba anya n'ihe niile na-eji ihe atụ nke onye na-agbanwe bitcoin. Anyị kpebiri ịmalite mgbanwe nke rubles, dollar, euro maka bitcoins na azụ, anyị enweelarị ngwọta na-arụ ọrụ, ma maka ego dijitalụ ndị ọzọ dị ka qiwi na webmoney, i.e. Anyị emechiela okwu niile gbasara iwu, anyị nwere ngwa ejikere nke na-eje ozi dị ka ọnụ ụzọ ịkwụ ụgwọ maka rubles, dollar na euro na usoro ịkwụ ụgwọ ndị ọzọ. Ejikọtara ya na akaụntụ akụ anyị ma nwee ụdị API maka ngwa njedebe anyị. Anyị nwekwara ngwa weebụ nke na-eme dị ka onye na-agbanwe maka ndị ọrụ, nke ọma, dị ka akaụntụ qiwi ma ọ bụ ego webmoney - mepụta akaụntụ, tinye kaadị, na ihe ndị ọzọ. Ọ na-ekwurịta okwu na ngwa ọnụ ụzọ ámá anyị, n'agbanyeghị site na REST API na mpaghara mpaghara. Ya mere, anyị kpebiri ijikọ bitcoins na n'otu oge kwalite akụrụngwa, n'ihi na ... Na mbụ, a na-etinye ihe niile na ngwa ngwa na virtualboxes na ụlọ ọrụ dị n'okpuru tebụl ... a malitere iji saịtị ahụ mee ihe, anyị malitekwara ichegbu onwe anyị banyere oge na arụmọrụ.
Ya mere, ka anyị malite na isi ihe - ịhọrọ ihe nkesa. N'ihi na Azụmahịa dị na ihe atụ anyị dị obere ma anyị tụkwasịrị obi onye ọbịa (OVH) anyị ga-ahọrọ nke na-agaghị ekwe omume ịwụnye usoro ahụ site na ihe oyiyi .iso mbụ, ma ọ dịghị mkpa, ngalaba nchekwa IT ga-enyocha ihe oyiyi arụnyere. Ma mgbe anyị tolitere, anyị ga-agbazite kaboodu nke anyị n'okpuru mkpọchi na igodo nwere oke anụ ahụ, ma eleghị anya, anyị ga-ewu DC nke anyị. N'ọnọdụ ọ bụla, ọ bara uru icheta na mgbe ị na-agbazinye ngwaike ma na-etinye ihe oyiyi emebere, enwere ohere na ị ga-enwe "Trojan from the Hoster" na-adabere na sistemụ gị, nke n'ọtụtụ ọnọdụ na-abụghị nke a na-eche n'iledo gị. ma na-enye ndị ọzọ adaba management ngwaọrụ ihe nkesa.
Ntinye nkesa
Ihe niile dị mfe ebe a. Anyị na-ahọrọ ngwaike dabara anyị mkpa. Wee họrọ onyonyo FreeBSD. Ọ dị mma, ma ọ bụ anyị jikọọ (n'ihe banyere onye ọbịa ọzọ na ngwaike nke anyị) site na IPMI ma ọ bụ jiri ihe nleba anya wee zụọ onyonyo .iso FreeBSD n'ime nbudata. Maka nhazi orchestral m na-eji и . Naanị ihe, n'ọnọdụ anyị na kimsufi, anyị họọrọ omenala echichi ka diski abụọ dị na enyo wee nwee naanị akpụkpọ ụkwụ na / ụlọ "meghere", a ga-ezobe ohere diski ndị ọzọ, ma ọzọ na nke ahụ emechaa.
Ntinye nke usoro a na-eme n'ụzọ ziri ezi, agaghị m echere na nke a, naanị m ga-achọpụta na tupu ịmalite ọrụ ọ bara uru ịṅa ntị na ya. isi ike nhọrọ nke ọ na-enye bsdinstaller na njedebe nke nrụnye (ọ bụrụ na ị wụnye usoro ahụ n'onwe gị):
E nwere na isiokwu a, m ga-ekwughachi ya nkenke ebe a.
Ọ dịkwa ike ịme ka paramita ndị a kpọtụrụ aha n'elu na sistemụ arụnyerelarị. Iji mee nke a, ịkwesịrị idezi faịlụ bootloader ma mee ka kernel parameters. *ee bụ onye nchịkọta akụkọ dị ka nke a na BSD
# ee /etc/rc.conf
...
#sec hard
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
# ee /etc/sysctl.conf
...
#sec hard
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=$(jot -r 1 9999)
security.bsd.stack_guard_page=1I kwesịkwara ijide n'aka na ị nwere ụdị sistemụ arụnyere kacha ọhụrụ, yana . N'ọnọdụ anyị, dịka ọmụmaatụ, a chọrọ nkwalite gaa na ụdị ọhụrụ, n'ihi na ... Onyonyo nwụnye tupu etinye ya na-ada azụ site na ọnwa isii ruo otu afọ. Ọfọn, n'ebe ahụ anyị na-agbanwe ọdụ ụgbọ mmiri SSH ka ọ bụrụ ihe dị iche na nke ndabara, tinye nyocha igodo ma gbanyụọ njirimara paswọọdụ.
Mgbe ahụ, anyị na-ahazi aide, nyochaa ọnọdụ nke faịlụ nhazi usoro. Ị nwere ike ịgụkwuo n'uju .
pkg install aide
ma dezie crontab anyị
crontab -e
06 01 * * 0-6 /root/chkaide.sh
#! /bin/sh
#chkaide.sh
MYDATE=`date +%Y-%m-%d`
MYFILENAME="Aide-"$MYDATE.txt
/bin/echo "Aide check !! `date`" > /tmp/$MYFILENAME
/usr/local/bin/aide --check > /tmp/myAide.txt
/bin/cat /tmp/myAide.txt|/usr/bin/grep -v failed >> /tmp/$MYFILENAME
/bin/echo "**************************************" >> /tmp/$MYFILENAME
/usr/bin/tail -20 /tmp/myAide.txt >> /tmp/$MYFILENAME
/bin/echo "****************DONE******************" >> /tmp/$MYFILENAMEAnyị gụnyere
sysrc auditd_enable=YES
# service auditd start
A kọwara nke ọma otu esi ahazi okwu a .
Ugbu a, anyị reboot na gaba na software na ihe nkesa. Onye nkesa ọ bụla bụ hypervisor maka arịa ma ọ bụ igwe mebere zuru oke. Ya mere, ọ dị mkpa na processor na-akwado VT-x na EPT ma ọ bụrụ na anyị na-eme atụmatụ na-eji zuru virtualization.
Ka m jikwaa arịa na igwe mebere m na-eji si , M na-achọ ya ọzọ ahụ ike na ngọzi maka nke a magburu onwe uru!
Akpa? Docker ọzọ ma ọ bụ gịnị?
Ma mba. bụ ihe magburu onwe ngwá ọrụ maka containerization, ma e kwuru cbsd iji hazie arịa ndị a, nke a na-akpọ cell.
Ngwongwo a bụ ihe ngwọta dị oke mma maka iwulite akụrụngwa maka ebumnuche dị iche iche, ebe a chọrọ n'ikpeazụ ikewapụ ọrụ ma ọ bụ usoro nke onye ọ bụla. N'ụzọ bụ isi, ọ bụ mmepụta oyiri nke sistemu nnabata, mana ọ chọghị ngwaike ngwaike zuru oke. Na ekele maka nke a, a naghị eji ihe onwunwe eme ihe na "OS ọbịa", kama ọ bụ naanị na ọrụ a na-arụ. Mgbe a na-eji mkpụrụ ndụ eme ihe maka mkpa nke ime, nke a bụ ngwọta dị mma maka iji akụrụngwa kachasị mma - ụyọkọ mkpụrụ ndụ na otu ihe nkesa ngwaike nwere ike iji ihe nkesa niile n'otu n'otu ma ọ bụrụ na ọ dị mkpa. N'ịtụle na ọ na-abụkarị ndị ọrụ dị iche iche chọrọ mgbakwunye. akụrụngwa n'oge dị iche iche, ị nwere ike wepụ arụmọrụ kachasị site na otu ihe nkesa ma ọ bụrụ na ị na-eme atụmatụ nke ọma ma dozie sel n'etiti sava. Ọ bụrụ na ọ dị mkpa, sel nwekwara ike inye mmachi na akụrụngwa eji.
Kedu maka ime ihe n'ụzọ zuru oke?
Ka m si mara cbsd na-akwado ọrụ bhyve na XEN hypervisors. Ejibeghị m nke abụọ eme ihe, ma nke mbụ dị ọhụrụ . Anyị ga-eleba anya n'ihe atụ nke ojiji bhyve na ihe atụ n'okpuru.
Ịwụnye na Ịhazi Gburugburu Ndị ọbịa
Anyị na-eji FS . Nke a bụ ngwá ọrụ siri ike maka ijikwa oghere nkesa. Ekele ZFS, ị nwere ike wulite usoro nhazi dị iche iche site na diski, na-agbasa ohere na-ekpo ọkụ, gbanwee diski nwụrụ anwụ, jikwaa snapshots, na ọtụtụ ihe ndị ọzọ, nke enwere ike ịkọwa n'usoro isiokwu dum. Ka anyị laghachi na sava anyị na diski ya. Ná mmalite nke nrụnye, anyị hapụrụ ohere efu na diski maka akụkụ ezoro ezo. Gịnị kpatara nke ahụ? Nke a bụ ka sistemụ na-eteta na-akpaghị aka wee gee ntị site na SSH.
gpart add -t freebsd-zfs /dev/ada0
/dev/ada0p4 added!
tinye akụkụ diski na oghere fọdụrụ
geli init /dev/ada0p4
tinye paswọọdụ nzuzo anyị
geli attach /dev/ada0p4
Anyị tinye paswọọdụ ọzọ ma anyị nwere ngwaọrụ /dev/ada0p4.eli - nke a bụ oghere ezoro ezo. Mgbe ahụ, anyị na-emegharị otu ihe ahụ maka / dev/ada1 na diski ndị ọzọ na nhazi ahụ. Na anyị ike ọhụrụ .
zpool create vms mirror /dev/ada0p4.eli /dev/ada1p4.eli /dev/ada3p4.eli - Ọ dị mma, anyị nwere ngwa ọgụ kacha nta dị njikere. Ọtụtụ diski enyo enyo ma ọ bụrụ na otu n'ime ha daa.
Ịmepụta ihe ndekọ data na "ọdọ mmiri" ọhụrụ
zfs create vms/jails
pkg install cbsd - anyị malitere otu ma guzobe njikwa maka sel anyị.
Mgbe cbsd arụnyere, ọ kwesịrị ibido:
# env workdir="/vms/jails" /usr/local/cbsd/sudoexec/initenv
Ọfọn, anyị na-aza ọtụtụ ajụjụ, na-enwekarị azịza ndabara.
* Ọ bụrụ na ị na-eji ezoro ezo, ọ dị mkpa na daemon cbsdd amaliteghị na akpaghị aka ruo mgbe i jiri aka gị decrypts diski ahụ ma ọ bụ na-akpaghị aka (n'ihe atụ anyị nke a bụ zabbix)
**M na-adịghịkwa eji NAT si cbsd, m na-ahazi ya n'onwe m pf.
# sysrc pf_enable=YES
# ee /etc/pf.conf
IF_PUBLIC="em0"
IP_PUBLIC="1.23.34.56"
JAIL_IP_POOL="192.168.0.0/24"
#WHITE_CL="{ 127.0.0.1 }"
icmp_types="echoreq"
set limit { states 20000, frags 20000, src-nodes 20000 }
set skip on lo0
scrub in all
#NAT for jails
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC
## Bitcoin network port forward
IP_JAIL="192.168.0.1"
PORT_JAIL="{8333}"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
# service pf start
# pfctl -f /etc/pf.conf
Ịmepụta atumatu firewall bụkwa isiokwu dị iche iche, yabụ na agaghị m abanye n'ime ịtọ ntọala BLOCK ALL na ịmepụta ndị ọcha, ị nwere ike ime nke ahụ site n'ịgụ. ma ọ bụ nke ọ bụla n'ime nnukwu ọnụọgụ akụkọ dị na Google.
Ọ dị mma ... anyị etinyela cbsd, oge eruola ịmepụta ọrụ mbụ anyị - mmụọ ọjọọ Bitcoin caged!
cbsd jconstruct-tui
N'ebe a, anyị na-ahụ mkparịta ụka okike cell. Mgbe emechara ụkpụrụ niile, ka anyị mepụta!
Mgbe ị na-eke cell mbụ gị, ị kwesịrị ịhọrọ ihe ị ga-eji dị ka ntọala maka sel. Ana m ahọrọ nkesa site na ebe nchekwa FreeBSD jiri iwu ahụ repo. A na-eme nhọrọ a naanị mgbe ị na-emepụta cell mbụ nke otu ụdị (ị nwere ike ịnabata sel nke ụdị ọ bụla nke tọrọ ụdị nke nnabata).
Mgbe emechara ihe niile, anyị na-amalite oghere!
# cbsd jstart bitcoind
Mana anyị kwesịrị ịwụnye sọftụwia n'ime ọnụ ụlọ.
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoindjexec bitcoind ịbanye na kọnsụl cell
na ugbua n'ime cell anyị wụnye software na ndabere ya (usoro anyị ọbịa na-anọgide na-adị ọcha)
bitcoind:/@[15:25] # pkg install bitcoin-daemon bitcoin-utils
bitcoind:/@[15:30] # sysrc bitcoind_enable=YES
bitcoind:/@[15:30] # service bitcoind start
Enwere Bitcoin n'ime oghere, mana anyị chọrọ amaghị aha n'ihi na anyị chọrọ ijikọ na ụfọdụ cages site na netwọk TOP. N'ozuzu, anyị na-eme atụmatụ iji sọftụwia na-enyo enyo na-agba ọtụtụ sel naanị site na proxy. Daalụ pf Ị nwere ike gbanyụọ NAT maka ụfọdụ adreesị IP na netwọk mpaghara, ma hapụ NAT naanị maka oghere TOR anyị. Ya mere, ọ bụrụgodị na malware abanye na cell, ọ ga-abụ na ọ gaghị enwe mkparịta ụka na ụwa dị n'èzí, ma ọ bụrụ na ọ na-eme ya, ọ gaghị ekpughe IP nke ihe nkesa anyị. Ya mere, anyị na-emepụta cell ọzọ na-arụ ọrụ "na-aga n'ihu" dị ka ọrụ ". yabasị" na dịka onye nnọchiteanya maka ịnweta ịntanetị na sel nke ọ bụla.
# cbsd jsconstruct-tui
# cbsd jstart tor
# jexec tor
tor:/@[15:38] # pkg install tor
tor:/@[15:38] # sysrc tor_enable=YES
tor:/@[15:38] # ee /usr/local/etc/tor/torrc
Tọọ ige ntị na adreesị mpaghara (dị maka sel niile)
SOCKSPort 192.168.0.2:9050
Olee ihe ọzọ dị anyị mkpa maka obi ụtọ zuru ezu? Ee, anyị chọrọ ọrụ maka webụ anyị, ikekwe karịa otu. Ka anyị malite nginx, nke ga-arụ ọrụ dị ka onye nnọchi anya ma lekọta anya imeghari asambodo Let's Encrypt
# cbsd jsconstruct-tui
# cbsd jstart nginx-rev
# jexec nginx-rev
nginx-rev:/@[15:47] # pkg install nginx py36-certbot
Ya mere, anyị tinyere 150 MB nke ịdabere n'ime ọnụ ụlọ. Onye ọbịa ka dịkwa ọcha.
Ka anyị laghachi na ịtọlite nginx ka emechara, anyị kwesịrị ibuli mkpụrụ ndụ abụọ ọzọ maka ọnụ ụzọ ịkwụ ụgwọ anyị na nodejs na nchara na ngwa weebụ, nke n'ihi ihe ụfọdụ dị na Apache na PHP, nke ikpeazụ na-achọkwa nchekwa data MySQL.
# cbsd jsconstruct-tui
# cbsd jstart paygw
# jexec paygw
paygw:/@[15:55] # pkg install git node npm
paygw:/@[15:55] # curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
... na 380 MB ọzọ nke ngwugwu dịpụrụ adịpụ
Ọzọ, anyị na-ebudata ngwa anyị na git wee malite ya.
# cbsd jsconstruct-tui
# cbsd jstart webapp
# jexec webapp
webapp:/@[16:02] # pkg install mariadb104-server apache24 php74 mod_php74 php74-pdo_mysql
450 MB ngwugwu. n'ime ọnụ ụlọ.
Ebe a anyị na-enye onye nrụpụta ohere site na SSH ozugbo na cell, ha ga-eme ihe niile n'ebe ahụ n'onwe ha:
webapp:/@[16:02] # ee /etc/ssh/sshd_config
Port 2267 - gbanwee ọdụ ụgbọ mmiri SSH nke cell gaa na nke ọ bụla aka ike
webapp:/@[16:02] # sysrc sshd_enable=YES
webapp:/@[16:02] # service sshd start
Ọfọn, ọrụ ahụ na-agba ọsọ, naanị ihe fọdụrụ bụ ịgbakwunye iwu na pf firewall
Ka anyị hụ ihe IP sel anyị nwere na ihe "mpaghara" anyị na-adịkarị.
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
2 192.168.0.2 tor.space.com /zroot/jails/jails/tor
3 192.168.0.3 nginx-rev.space.com /zroot/jails/jails/nginx-rev
4 192.168.0.4 paygw.space.com /zroot/jails/jails/paygw
5 192.168.0.5 webapp.my.domain /zroot/jails/jails/webappma tinye iwu
# ee /etc/pf.conf
## SSH for web-Devs
IP_JAIL="192.168.0.5"
PORT_JAIL="{ 2267 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL
Ọfọn, ebe anyị nọ ebe a, ka anyị tinyekwa iwu maka reverse-proxy:
## web-ports for nginx-rev
IP_JAIL="192.168.0.3"
PORT_JAIL="{ 80, 443 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL# pfctl -f /etc/pf.conf
Ọfọn, ugbu a ntakịrị banyere bitcoins
Ihe anyị nwere bụ na anyị nwere ngwa weebụ nke ekpughere na mpụga yana ọ na-ekwu okwu na mpaghara na ọnụ ụzọ ịkwụ ụgwọ anyị. Ugbu a, anyị kwesịrị ịkwadebe ebe ọrụ maka ịmekọrịta na netwọk Bitcoin n'onwe ya - ọnụ bitcoind ọ bụ naanị daemon na-edobe nnomi nke blockchain mpaghara ka ọ dị ugbu a. Daemon a nwere ọrụ RPC na obere akpa, mana enwere “ihe mkpuchi” dabara adaba maka mmepe ngwa. Iji malite, anyị kpebiri itinye electrum bụ obere akpa CLI. anyị ga-eji ya dị ka "nchekwa oyi" maka bitcoins anyị - n'ozuzu, bitcoins ndị ahụ ga-adị mkpa ka echekwara "n'èzí" usoro nke ndị ọrụ na-enweta na n'ozuzu ya pụọ na onye ọ bụla. O nwekwara GUI, yabụ anyị ga-eji otu obere akpa na nke anyị
laptọọpụ. Maka ugbu a, anyị ga-eji Electrum na sava ọha, ma emechaa, anyị ga-ebuli ya na cell ọzọ ka ọ ghara ịdabere na onye ọ bụla ma ọlị.
# cbsd jsconstruct-tui
# cbsd jstart electrum
# jexec electrum
electrum:/@[8:45] # pkg install py36-electrum
ọzọ 700 MB nke software n'ime ụlọ anyị
electrum:/@[8:53] # adduser
Username: wallet
Full name:
Uid (Leave empty for default):
Login group [wallet]:
Login group is wallet. Invite wallet into other groups? []:
Login class [default]:
Shell (sh csh tcsh nologin) [sh]: tcsh
Home directory [/home/wallet]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]:
Username : wallet
Password : <disabled>
Full Name :
Uid : 1001
Class :
Groups : wallet
Home : /home/wallet
Home Mode :
Shell : /bin/tcsh
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (wallet) to the user database.
Add another user? (yes/no): no
Goodbye!
electrum:/@[8:53] # su walletelectrum:/@[8:53] # su wallet
wallet@electrum:/ % electrum-3.6 create
{
"msg": "Please keep your seed in a safe place; if you lose it, you will not be able to restore your wallet.",
"path": "/usr/home/wallet/.electrum/wallets/default_wallet",
"seed": "jealous win pig material ribbon young punch visual okay cactus random bird"
}Ugbu a, anyị nwere obere akpa e kere.
wallet@electrum:/ % electrum-3.6 listaddresses
[
"18WEhbjvMLGRMfwudzUrUd25U5C7uZYkzE",
"14XHSejhxsZNDRtk4eFbqAX3L8rftzwQQU",
"1KQXaN8RXiCN1ne9iYngUWAr6KJ6d4pPas",
...
"1KeVcAwEYhk29qEyAfPwcBgF5mMMoy4qjw",
"18VaUuSeBr6T2GwpSHYF3XyNgLyLCt1SWk"
]wallet@electrum:/ % electrum-3.6 help
Maka anyị na yinbụ Naanị ọnụọgụ mmadụ ole na ole ga-enwe ike jikọọ na obere akpa site ugbu a gawa. Ka ị ghara imepe ohere ịnweta cell a site na mpụga, njikọ site na SSH ga-eme site na TOP (ụdị nke VPN). Anyị na-ebunye SSH na cell, mana emetụla pf.conf anyị na onye ọbịa.
electrum:/@[9:00] # sysrc sshd_enable=YES
electrum:/@[9:00] # service sshd start
Ugbu a, ka anyị gbanyụọ cell site na ịnweta ịntanetị nke obere akpa. Ka anyị nye ya adreesị IP sitere na oghere subnet ọzọ na-abụghị NATed. Mbụ ka anyị gbanwee /etc/pf.conf na onye ọbịa
# ee /etc/pf.conf
JAIL_IP_POOL="192.168.0.0/24" ka anyị gbanwee ya JAIL_IP_POOL="192.168.0.0/25", yabụ adreesị niile 192.168.0.126-255 agaghị enwe ohere ịntanetị ozugbo. Ụdị sọftụwia “air-gap” netwọkụ. Na iwu NAT ka dị ka ọ dị
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC
Ibufe iwu
# pfctl -f /etc/pf.conf
Ugbu a, ka anyị were na cell anyị
# cbsd jconfig jname=electrum
jset mode=quiet jname=electrum ip4_addr="192.168.0.200"
Remove old IP: /sbin/ifconfig em0 inet 192.168.0.6 -alias
Setup new IP: /sbin/ifconfig em0 inet 192.168.0.200 alias
ip4_addr: 192.168.0.200Hmm, mana ugbu a sistemụ n'onwe ya ga-akwụsị ịrụ ọrụ maka anyị. Agbanyeghị, anyị nwere ike ịkọwapụta proxy sistemụ. Mana enwere otu ihe, na TOR ọ bụ proxy SOCKS5, yana maka ịdị mma anyị ga-achọkwa proxy HTTP.
# cbsd jsconstruct-tui
# cbsd jstart polipo
# jexec polipo
polipo:/@[9:28] # pkg install polipo
polipo:/@[9:28] # ee /usr/local/etc/polipo/config
socksParentProxy = "192.168.0.2:9050"
socksProxyType = socks5polipo:/@[9:42] # sysrc polipo_enable=YES
polipo:/@[9:43] # service polipo start
Ọ dị mma, ugbu a enwere sava proxy abụọ na sistemụ anyị, yana nsonaazụ site na TOR: socks5://192.168.0.2:9050 na
Ugbu a, anyị nwere ike ịhazi ebe obibi obere akpa anyị
# jexec electrum
electrum:/@[9:45] # su wallet
wallet@electrum:/ % ee ~/.cshrc
#in the end of file proxy config
setenv http_proxy http://192.168.0.6:8123
setenv https_proxy http://192.168.0.6:8123Ọfọn, ugbu a, shei ga-arụ ọrụ n'okpuru proxy. Ọ bụrụ na anyị chọrọ ịwụnye ngwugwu, mgbe ahụ anyị kwesịrị ịgbakwunye na /usr/local/etc/pkg.conf site n'okpuru mgbọrọgwụ nke onu
pkg_env: {
http_proxy: "http://my_proxy_ip:8123",
}Ọ dị mma, ugbu a bụ oge ịgbakwunye ọrụ TOR zoro ezo dị ka adreesị nke ọrụ SSH anyị na cell wallet.
# jexec tor
tor:/@[9:59] # ee /usr/local/etc/tor/torrc
HiddenServiceDir /var/db/tor/electrum/
HiddenServicePort 22 192.168.0.200:22tor:/@[10:01] # mkdir /var/db/tor/electrum
tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/electrum
tor:/@[10:01] # chmod 700 /var/db/tor/electrum
tor:/@[10:03] # service tor restart
tor:/@[10:04] # cat /var/db/tor/electrum/hostname
mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onionNke a bụ adreesị njikọ anyị. Ka anyị lelee site na igwe mpaghara. Mana mbụ anyị kwesịrị itinye igodo SSH anyị:
wallet@electrum:/ % mkdir ~/.ssh
wallet@electrum:/ % ee ~/.ssh/authorized_keys
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAG9Fk2Lqi4GQ8EXZrsH3EgSrVIQPQaAlS38MmJLBabihv9KHIDGXH7r018hxqLNNGbaJWO/wrWk7sG4T0yLHAbdQAFsMYof9kjoyuG56z0XZ8qaD/X/AjrhLMsIoBbUNj0AzxjKNlPJL4NbHsFwbmxGulKS0PdAD5oLcTQi/VnNdU7iFw== user@localỌfọn, site na igwe ahịa Linux
user@local ~$ nano ~/.ssh/config
#remote electrum wallet
Host remotebtc
User wallet
Port 22
Hostname mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
ProxyCommand /bin/ncat --proxy localhost:9050 --proxy-type socks5 %h %p
Ka anyị jikọọ (Ka nke a rụọ ọrụ, ịchọrọ TOR daemon mpaghara na-ege ntị na 9050)
user@local ~$ ssh remotebtc
The authenticity of host 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:iW8FKjhVF4yyOZB1z4sBkzyvCM+evQ9cCL/EuWm0Du4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion' (ECDSA) to the list of known hosts.
FreeBSD 12.1-RELEASE-p1 GENERIC
To save disk space in your home directory, compress files you rarely
use with "gzip filename".
-- Dru <[email protected]>
wallet@electrum:~ % logout
Ihe ịga nke ọma!
Iji rụọ ọrụ na nkwụnye ụgwọ ngwa ngwa na obere obere, anyị chọkwara ọnụ , N'ezie, nke a ga-abụ isi ọrụ anyị na Bitcoin. U*nke anyị ga-eji dị ka daemon , nke bụ interface HTTP (REST) zuru oke ma na-enye gị ohere ịrụ ọrụ na azụmahịa abụọ na n'azụ. c-lightning achọrọ maka ịrụ ọrụ bitcoind mana ee.
*Enwere mmemme dị iche iche nke Lightning Network protocol n'asụsụ dị iche iche. N'ime ndị anyị nwalere, c-lightning (nke e dere na C) yiri ka ọ kacha kwụsie ike na nke na-arụ ọrụ nke ọma.
# cbsd jsconstruct-tui
# cbsd jstart cln
# jexec cln
lightning:/@[10:23] # adduser
Username: lightning
...lightning:/@[10:24] # pkg install git
lightning:/@[10:23] # su lightning
cd ~ && git clone https://github.com/ElementsProject/lightning
lightning@lightning:~ % exit
lightning:/@[10:30] # cd /home/lightning/lightning/
lightning:/home/lightning/lightning@[10:31] # pkg install autoconf automake gettext git gmp gmake libtool python python3 sqlite3 libsodium py36-mako bash bitcoin-utils
lightning:/home/lightning/lightning@[10:34] # ./configure && gmake && gmake install
Mgbe a na-achịkọta ma tinye ihe niile dị mkpa, ka anyị mepụta onye ọrụ RPC maka lightningd в bitcoind
# jexec bitcoind
bitcoind:/@[10:36] # ee /usr/local/etc/bitcoin.conf
rpcbind=192.168.0.1
rpcuser=test
rpcpassword=test
#allow only c-lightning
rpcallowip=192.168.0.7/32bitcoind:/@[10:39] # service bitcoind restart
Mgbanwe ọgba aghara m n'etiti sel na-apụta na ọ bụghị ọgba aghara ma ọ bụrụ na ị mara uru ahụ tmux, nke na-enye gị ohere ịmepụta ọtụtụ ọdụ ọdụ n'ime otu nnọkọ. Analọg: screen
Yabụ, anyị achọghị ikpughe ezigbo IP nke ọnụ anyị, anyị chọkwara ịme azụmahịa ego niile site na TOP. Ya mere, ọzọ .eyịm adịghị mkpa.
# jexec tor
tor:/@[9:59] # ee /usr/local/etc/tor/torrc
HiddenServiceDir /var/db/tor/cln/
HiddenServicePort 9735 192.168.0.7:9735tor:/@[10:01] # mkdir /var/db/tor/cln
tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/cln
tor:/@[10:01] # chmod 700 /var/db/tor/cln
tor:/@[10:03] # service tor restart
tor:/@[10:04] # cat /var/db/tor/cln/hostname
en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onionUgbu a, ka anyị mepụta nhazi maka c-lightning
lightning:/home/lightning/lightning@[10:31] # su lightning
lightning@lightning:~ % mkdir .lightning
lightning@lightning:~ % ee .lightning/config
alias=My-LN-Node
bind-addr=192.168.0.7:9735
rgb=ff0000
announce-addr=en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion:9735
network=bitcoin
log-level=info
fee-base=0
fee-per-satoshi=1
proxy=192.168.0.2:9050
log-file=/home/lightning/.lightning/c-lightning.log
min-capacity-sat=200000
# sparko plugin
# https://github.com/fiatjaf/lightningd-gjson-rpc/tree/master/cmd/sparko
sparko-host=192.168.0.7
sparko-port=9737
sparko-tls-path=sparko-tls
#sparko-login=mywalletusername:mywalletpassword
#sparko-keys=masterkey;secretread:+listchannels,+listnodes;secretwrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
sparko-keys=masterkey;secretread:+listchannels,+listnodes;ultrawrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
# for the example above the initialization logs (mixed with lightningd logs) should print something likelightning@lightning:~ % mkdir .lightning/plugins
lightning@lightning:~ % cd .lightning/plugins/
lightning@lightning:~/.lightning/plugins:% fetch https://github.com/fiatjaf/sparko/releases/download/v0.2.1/sparko_full_freebsd_amd64
lightning@lightning:~/.lightning/plugins % mkdir ~/.lightning/sparko-tls
lightning@lightning:~/.lightning/sparko-tls % cd ~/.lightning/sparko-tls
lightning@lightning:~/.lightning/sparko-tls % openssl genrsa -out key.pem 2048
lightning@lightning:~/.lightning/sparko-tls % openssl req -new -x509 -sha256 -key key.pem -out cert.pem -days 3650
lightning@lightning:~/.lightning/plugins % chmod +x sparko_full_freebsd_amd64
lightning@lightning:~/.lightning/plugins % mv sparko_full_freebsd_amd64 sparko
lightning@lightning:~/.lightning/plugins % cd ~
ịkwesịrị ịmepụta faịlụ nhazi maka bitcoin-cli, ọrụ na-ekwurịta okwu bitcoind
lightning@lightning:~ % mkdir .bitcoin
lightning@lightning:~ % ee .bitcoin/bitcoin.conf
rpcconnect=192.168.0.1
rpcuser=test
rpcpassword=testịlele
lightning@lightning:~ % bitcoin-cli echo "test"
[
"test"
]igba egbe lightningd
lightning@lightning:~ % lightningd --daemon
Ya onwe ya lightningd ị nwere ike ijikwa uru ahụ lightning-cli, dịka ọmụmaatụ:
lightning-cli newaddr nweta adreesị maka ụgwọ mbata ọhụrụ
{
"address": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv",
"bech32": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv"
}lightning-cli withdraw bc1jufcxahfrnfhruwjgx3cq2n2ffq3lplhme878pv all zipu ego niile dị na obere akpa na adreesị (adreesị niile nọ na ya)
Ọ na-enyekwa iwu maka ịrụ ọrụ na-adịghị agbụ lightning-cli invoice, lightning-cli listinvoices, lightning-cli pay wdg.
Ọ dị mma, maka nkwukọrịta na ngwa anyị nwere REST Api
curl -k https://192.168.0.7:9737/rpc -d '{"method": "pay", "params": ["lnbc..."]}' -H 'X-Access masterkey'
Ka anyị chịkọta ihe ọ rụpụtara
# jls
JID IP Address Hostname Path
1 192.168.0.1 bitcoind.space.com /zroot/jails/jails/bitcoind
2 192.168.0.2 tor.space.com /zroot/jails/jails/tor
3 192.168.0.3 nginx-rev.space.com /zroot/jails/jails/nginx-rev
4 192.168.0.4 paygw.space.com /zroot/jails/jails/paygw
5 192.168.0.5 webapp.my.domain /zroot/jails/jails/webapp
7 192.168.0.200 electrum.space.com /zroot/jails/jails/electrum
8 192.168.0.6 polipo.space.com /zroot/jails/jails/polipo
9 192.168.0.7 lightning.space.com /zroot/jails/jails/cln
Anyị nwere otu akpa, nke ọ bụla nwere ọkwa nke ya ma site na netwọk mpaghara.
# zfs list
NAME USED AVAIL REFER MOUNTPOINT
zroot 279G 1.48T 88K /zroot
zroot/ROOT 1.89G 1.48T 88K none
zroot/ROOT/default 1.89G 17.6G 1.89G /
zroot/home 88K 1.48T 88K /home
zroot/jails 277G 1.48T 404M /zroot/jails
zroot/jails/bitcoind 190G 1.48T 190G /zroot/jails/jails-data/bitcoind-data
zroot/jails/cln 653M 1.48T 653M /zroot/jails/jails-data/cln-data
zroot/jails/electrum 703M 1.48T 703M /zroot/jails/jails-data/electrum-data
zroot/jails/nginx-rev 190M 1.48T 190M /zroot/jails/jails-data/nginx-rev-data
zroot/jails/paygw 82.4G 1.48T 82.4G /zroot/jails/jails-data/paygw-data
zroot/jails/polipo 57.6M 1.48T 57.6M /zroot/jails/jails-data/polipo-data
zroot/jails/tor 81.5M 1.48T 81.5M /zroot/jails/jails-data/tor-data
zroot/jails/webapp 360M 1.48T 360M /zroot/jails/jails-data/webapp-dataDị ka ị pụrụ ịhụ, bitcoind na-eweghara 190 GB nke ohere. Gịnị ma ọ bụrụ na anyị chọrọ ọnụ ọzọ maka ule? Nke a bụ ebe ZFS na-abịa aka. Site n'enyemaka cbsd jclone old=bitcoind new=bitcoind-clone host_hostname=clonedbtc.space.com ị nwere ike ịmepụta foto ma tinye cell ọhụrụ na foto a. Igwe ọhụrụ ahụ ga-enwe ohere nke ya, mana naanị ọdịiche dị n'etiti ọnọdụ dị ugbu a na nke mbụ ka a ga-eburu n'uche na sistemụ faịlụ (anyị ga-echekwa ma ọ dịkarịa ala 190 GB)
Selụ ọ bụla bụ ihe ndekọ data ZFS nke ya, nke a dịkwa mma nke ukwuu. mee ihe ndị ọzọ dị mma, dị ka izipu snapshots site na SSH. Anyị agaghị akọwa ya, enweelarị ọtụtụ ihe.
Ọ dịkwa mma ịmara mkpa maka nlekota anya nke onye ọbịa, maka ebumnuche ndị a anyị nwere .
B - nchekwa
Banyere nchekwa, ka anyị bido n'ụkpụrụ ndị bụ isi n'ihe gbasara akụrụngwa:
Nzuzo - Ngwá ọrụ ọkọlọtọ nke usoro UNIX yiri ka ọ na-eme ka mmejuputa ụkpụrụ a. Anyị n'ụzọ ezi uche na-ekewa ohere nke ọ bụla n'ụzọ ezi uche dị iche iche nke usoro - a cell. A na-enye ohere site na njirimara njirimara ọkọlọtọ site na iji igodo nke onye ọrụ. Nzikọrịta niile dị n'etiti na ruo na sel ngwụcha na-apụta n'ụdị ezoro ezo. Ekele maka izo ya ezo diski, anyị ekwesịghị ichegbu onwe anyị maka nchekwa data mgbe ị na-edochi diski ma ọ bụ na-akwaga na nkesa ọzọ. Naanị ohere dị oke mkpa bụ ịnweta sistemụ nnabata, ebe ọ bụ na ohere dị otú ahụ na-enye ohere ịnweta data n'ime igbe.
Iguzosi ike n'ezi ihe “Mmejuputa ụkpụrụ a na-eme n'ọtụtụ ọkwa dị iche iche. Mbụ, ọ dị mkpa iburu n'obi na n'ihe banyere ngwaike nkesa, ECC ebe nchekwa, ZFS ugbua "si na igbe" na-elekọta data iguzosi ike n'ezi ihe na ọkwa nke ozi ibe n'ibe. Ihe onyonyo ozugbo na-enye gị ohere ịme nkwado ndabere na mpaghara oge ọ bụla na ofufe. Ngwa mbupụ / mbubata cell dị mma na-eme ka mmegharị cell dị mfe.
Nnweta - Nke a abụrụla nhọrọ. Dabere n'ókè nke aha gị na eziokwu na ị nwere ndị kpọrọ asị. N'ihe atụ anyị, anyị hụrụ na a na-enweta obere akpa ahụ naanị site na netwọk TOP. Ọ bụrụ na ọ dị mkpa, ị nwere ike igbochi ihe niile dị na firewall ma kwe ka ịnweta sava ahụ naanị site na tunnels (TOR ma ọ bụ VPN bụ ihe ọzọ). Ya mere, a ga-ebipụ ihe nkesa ahụ site n'èzí dị ka o kwere mee, naanị anyị onwe anyị ga-enwe ike imetụta nnweta ya.
Enweghị ike ịjụ - Ma nke a dabere na ọrụ ndị ọzọ na nrube isi na iwu ziri ezi maka ikike onye ọrụ, ịnweta, wdg. Mana site na ụzọ ziri ezi, a na-enyocha omume onye ọrụ niile, yana ekele maka azịza cryptographic ọ ga-ekwe omume ịmata onye mere ụfọdụ omume na mgbe.
N'ezie, nhazi a kọwara abụghị ihe atụ zuru oke nke otu o kwesịrị ịdị mgbe niile, ọ bụ otu ihe atụ nke otu ọ ga-esi bụrụ, ebe ọ na-ejigide ike na-agbanwe agbanwe na nhazi.
Kedu maka ime ihe n'ụzọ zuru oke?
Ihe gbasara njiri mara nke ọma site na iji cbsd ị nwere ike . Aga m agbakwunye ya maka ọrụ bhyve Ịkwesịrị ịme ụfọdụ nhọrọ kernel.
# cat /etc/rc.conf
...
kld_list="vmm if_tap if_bridge nmdm"
...# cat /boot/loader.conf
...
vmm_load="YES"
...Yabụ ọ bụrụ na ịchọrọ ịmalite docker na mberede, tinyezie ụfọdụ debian wee gaa!
Ọ gwụla
Echere m na ọ bụ naanị ihe m chọrọ ịkọrọ. Ọ bụrụ na akụkọ ahụ masịrị gị, mgbe ahụ ị nwere ike izitere m ụfọdụ bitcoins - . Ọ bụrụ na ịchọrọ ịnwale mkpụrụ ndụ n'omume ma nwee ụfọdụ bitcoins, ị nwere ike ịga na nke m .
isi: www.habr.com