Bitcoin in a cage?

It so happens that by profession I am an administrator of computer systems and networks (sysadmin for short), and I have had the chance to do this professionally for a little over 10 years, working with a variety of systems, including ones that require [extreme] security measures. It also happens that some time ago I got interested in Bitcoin, and not only used it but also wrote a few micro-services in order to learn how to work independently with the Bitcoin network (a p2p network, after all) from a developer's point of view (I am a so-so developer, of course, so let's move on). But I am not going to talk about development; I am going to talk about a secure and efficient environment for applications.

Financial technology (fintech) goes hand in hand with information security (infosec); the former can work without the latter, but not for long. That is why I want to share my experience and the toolset I use, which covers both fintech and infosec at the same time and can also be used for broader or different purposes. In this article I will tell you not so much about Bitcoin as about an infrastructure model for developing and operating financial (and not only financial) services, in other words, services where the "B" matters. This applies both to a Bitcoin exchange and to the zoo of corporate services most typical of a small company that has nothing to do with Bitcoin at all.

I would like to note that I follow the principles of "keep it simple" and "less is more", so the article and what is described in it will be of the nature those principles imply.

Imaginary scenario: Let's look at everything using the example of a Bitcoin exchanger. We decided to start exchanging rubles, dollars and euros for bitcoins and back, and we already have a working solution, but for other digital money such as qiwi and webmoney, i.e. we have closed all the legal questions, we have a ready-made application that serves as a payment gateway for rubles, dollars and euros and other payment systems. It is connected to bank accounts and has some kind of API for end applications. We also have a web application that acts as an exchanger for users, much like a typical qiwi or webmoney account: create an account, add a card, and so on. It communicates with our gateway application, though via a REST API on the local network. And so we decided to add bitcoins and at the same time upgrade the infrastructure, because... firstly, everything was hastily thrown together on VirtualBoxes in the office under a desk... the site started getting used, and we started worrying about uptime and performance.

So, let's start with the main thing: choosing a server. Since the business in our example is small and we trust our hoster (OVH), we will pick a budget option where it is impossible to install the system from a native .iso image, but that doesn't matter: the IT security department will certainly check the installed image. And when we grow, we will rent our own locked cabinet with restricted physical access, and maybe build our own DC. In any case, keep in mind that when renting hardware and installing a ready-made image there is a chance you will end up with a "Trojan from the hoster" in your system, which is usually not intended to spy on you but to offer more convenient server management tools.

Server installation

Everything is simple here. We choose hardware to match our needs. Then we select a FreeBSD image. Or (in the case of another hoster and our own hardware) we connect via IPMI or with a monitor and feed the FreeBSD .iso image to boot from. For orchestrating the setup I use Ansible and mfsbsd. The only thing is that in our case with kimsufi we choose a custom installation so that the two disks in the mirror only have the boot and / partitions "open"; the rest of the disk space will be encrypted, but more on that later.

The system installation is done in the standard way, so I won't dwell on it; I will only note that before putting the system into operation you should pay attention to the hardening options that bsdinstaller offers at the end of the installation (if you install the system yourself).

There is good material on this topic; I will briefly repeat it here.

You can also enable the parameters mentioned above on an already installed system. To do this you need to edit the bootloader file and enable the kernel parameters. *ee is a text editor in BSD

# ee /etc/rc.conf

...
#sec hard
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"

# ee /etc/sysctl.conf

...
#sec hard
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
# sysctl.conf is not shell-evaluated: bsdinstall writes the result of
# "jot -r 1 9999" as a literal number, so put a literal here (constructed value)
kern.randompid=5731
security.bsd.stack_guard_page=1

You should also make sure you have the latest version of the system installed, and run all updates and upgrades. In our case, for example, upgrading to the latest version was required, because... the pre-installed images lag behind by six months to a year. Well, and there we change the SSH port to something other than the default, add key authentication and disable password authentication.

Then we set up aide, which monitors the state of the system's configuration files. You can read more about it here.

pkg install aide

and edit our crontab

crontab -e

06 01 * * 0-6 /root/chkaide.sh

#! /bin/sh
# chkaide.sh - daily AIDE integrity check, summarised into /tmp/Aide-<date>.txt
MYDATE=$(date +%Y-%m-%d)
MYFILENAME="/tmp/Aide-${MYDATE}.txt"
/bin/echo "Aide check !! $(date)" > "$MYFILENAME"
# full report goes to a scratch file; lines containing "failed" are left out of the summary
/usr/local/bin/aide --check > /tmp/myAide.txt
/usr/bin/grep -v failed /tmp/myAide.txt >> "$MYFILENAME"
/bin/echo "**************************************" >> "$MYFILENAME"
/usr/bin/tail -20 /tmp/myAide.txt >> "$MYFILENAME"
/bin/echo "****************DONE******************" >> "$MYFILENAME"

We enable system auditing

sysrc auditd_enable=YES

# service auditd start

How to configure this is perfectly described in the Handbook.

Now we reboot and move on to the software on the server. Each server is a hypervisor for containers or full virtual machines. Therefore it is important that the processor supports VT-x and EPT if we plan to use full virtualization.

To manage containers and virtual machines I use cbsd by olevole; may he be healthy and blessed for this wonderful tool!

Containers? Docker again, or what?

Not here. FreeBSD Jails are an excellent tool for containerization, but the aforementioned cbsd is used to manage those containers, which we will call cages.

Cages are a very effective solution for building infrastructure for various purposes where complete isolation of individual services or processes is required. Essentially a cage is a clone of the host system, but it does not require full hardware virtualization. Because of this, resources are not spent on a "guest OS" but only on the work being done. When cages are used for internal needs, this is a very convenient solution for optimal use of resources: a group of cages on one hardware server can use all of the server's resources if needed. Given that different sub-services usually need extra resources at different times, you can extract maximum performance from a single server if you plan and balance the cages between servers wisely. If necessary, cages can also be given limits on the resources they use.

What about full virtualization?

As far as I know, cbsd supports working with the bhyve and XEN hypervisors. I have never used the latter, but the former is a relatively new hypervisor from FreeBSD. We will look at an example of using bhyve further below.

Installing and configuring the host environment

We use the ZFS filesystem. It is a very powerful tool for managing server storage. Thanks to ZFS you can directly build arrays from various disk configurations, "hot" expand space, replace failed disks, manage snapshots and much more, which could fill a whole series of articles. Let's get back to our server and disks. At the start of the installation we left free space on the disks for the encrypted partitions. Why so? So that the system comes up automatically and listens over SSH.

gpart add -t freebsd-zfs /dev/ada0

/dev/ada0p4 added!

we add a partition in the remaining disk space

geli init /dev/ada0p4

enter our encryption password

geli attach /dev/ada0p4

We enter the password again and we have the device /dev/ada0p4.eli; this is the encrypted space. Then we repeat the same for /dev/ada1 and the rest of the disks in the array. And we create a new ZFS pool.

zpool create vms mirror /dev/ada0p4.eli /dev/ada1p4.eli /dev/ada3p4.eli - well, we have a minimal combat kit ready. A mirrored disk array, in case one of the three fails.

Create a dataset in the new "pool"

zfs create vms/jails

pkg install cbsd - we run the command and set up our cage management.

After cbsd is installed, it needs to be initialised:

# env workdir="/vms/jails" /usr/local/cbsd/sudoexec/initenv

Well, we answer a bunch of questions, mostly with the default answers.

* If you use encryption, it is important that the cbsdd daemon does not start automatically until you decrypt the disks manually or automatically (in this example it is done by zabbix)

** I also don't use NAT from cbsd; I configure it myself in pf.

# sysrc pf_enable=YES

# ee /etc/pf.conf

IF_PUBLIC="em0"
IP_PUBLIC="1.23.34.56"
JAIL_IP_POOL="192.168.0.0/24"

#WHITE_CL="{ 127.0.0.1 }"

icmp_types="echoreq"

set limit { states 20000, frags 20000, src-nodes 20000 }
set skip on lo0
scrub in all

#NAT for jails
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC

## Bitcoin network port forward
IP_JAIL="192.168.0.1"
PORT_JAIL="{8333}"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

# service pf start

# pfctl -f /etc/pf.conf

Setting up firewall policy is also a separate topic, so I won't set up a BLOCK ALL policy and whitelists here; you can do that by reading the official documentation or the many articles available on Google.

Well... we have installed cbsd, it's time to create our first workhorse: the caged Bitcoin daemon!

cbsd jconstruct-tui

Here we see the cage creation dialog. Once all the values are set, let's create it!

When creating the first cage, you need to choose what will be used as the cage's base. I choose a distribution from the FreeBSD repository with the repo command. This choice is only made when creating the first cage of a given version (you can host cages of any version older than the host version).

After everything is installed, we start the cage!

# cbsd jstart bitcoind

But we need to install software in the cage.

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind

jexec bitcoind to get into the cage's console

and once inside the cage, we install the software with its dependencies (our host system stays clean)

bitcoind:/@[15:25] # pkg install bitcoin-daemon bitcoin-utils

bitcoind:/@[15:30] # sysrc bitcoind_enable=YES

bitcoind:/@[15:30] # service bitcoind start

There is a Bitcoin in the cage, but we need to be anonymous, because we want to connect to some cages via the Tor network. In general, we plan to run most cages with suspicious software only through a proxy. Thanks to pf you can turn off NAT for certain IP addresses on the local network and allow NAT only for our Tor node. Thus, even if malware gets into a cage, it most likely won't communicate with the outside world, and if it does, it won't reveal our server's IP. Therefore we create another cage to "forward" services as ".onion" services and to act as a proxy for Internet access for individual cages.

# cbsd jconstruct-tui

# cbsd jstart tor

# jexec tor

tor:/@[15:38] # pkg install tor

tor:/@[15:38] # sysrc tor_enable=YES

tor:/@[15:38] # ee /usr/local/etc/tor/torrc

Set it to listen on a local address (available to all cages)

SOCKSPort 192.168.0.2:9050

What else is needed for complete happiness? Well, we need services for our web, possibly more than one. Let's launch nginx, which will be a reverse proxy and take care of renewing Let's Encrypt certificates

# cbsd jconstruct-tui

# cbsd jstart nginx-rev

# jexec nginx-rev

nginx-rev:/@[15:47] # pkg install nginx py36-certbot

So, we have dumped 150 MB of dependencies into the cage. And the host is still clean.

We will come back to setting up nginx later; we need to bring up two more cages, one for our payment gateway in nodejs and Rust and one for the web application, which for some reason runs on Apache and PHP, and the latter also needs a MySQL database.

# cbsd jconstruct-tui

# cbsd jstart paygw

# jexec paygw

paygw:/@[15:55] # pkg install git node npm

paygw:/@[15:55] # curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

... and another 380 MB of isolated packages

Next, we fetch our application with git and start it.

# cbsd jconstruct-tui

# cbsd jstart webapp

# jexec webapp

webapp:/@[16:02] # pkg install mariadb104-server apache24 php74 mod_php74 php74-pdo_mysql

450 MB of packages in the cage.

here we give the developers SSH access directly into the cage; they will do everything in there:

webapp:/@[16:02] # ee /etc/ssh/sshd_config

Port 2267 - change the cage's SSH port to any arbitrary one

webapp:/@[16:02] # sysrc sshd_enable=YES

webapp:/@[16:02] # service sshd start

Well, the service is running; all that's left is to add the rules to the pf firewall

Let's see what IPs our cages have and what the "local network" looks like in general.

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind
     2  192.168.0.2     tor.space.com                 /zroot/jails/jails/tor
     3  192.168.0.3     nginx-rev.space.com           /zroot/jails/jails/nginx-rev
     4  192.168.0.4     paygw.space.com               /zroot/jails/jails/paygw
     5  192.168.0.5     webapp.my.domain              /zroot/jails/jails/webapp

and add the rules

# ee /etc/pf.conf

## SSH for web-Devs
IP_JAIL="192.168.0.5"
PORT_JAIL="{ 2267 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

Well, since we are here, let's also add the rules for the reverse proxy:

## web-ports for nginx-rev
IP_JAIL="192.168.0.3"
PORT_JAIL="{ 80, 443 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

# pfctl -f /etc/pf.conf

Well, now a little about bitcoins

What we have is a web application visible from the outside that talks locally to the payment gateway. Now we need to prepare a working environment for interacting with the Bitcoin network itself: the bitcoind node is just a daemon that stores a local copy of the current blockchain. This daemon has RPC and wallet functions, but there are more convenient "wrappers" for application development. To start with, we decided to set up electrum, which is a CLI wallet. We will use this wallet as "cold storage" for our bitcoins, in general for the bitcoins that should be kept "outside" the system accessible to users and generally away from everyone. It also has a GUI, so we will use the same wallet on our laptops. For now we will use Electrum with public servers, and later we will bring up ElectrumX in another cage so as not to depend on anyone.

# cbsd jconstruct-tui

# cbsd jstart electrum

# jexec electrum

electrum:/@[8:45] # pkg install py36-electrum

another 700 MB of software in our cage

electrum:/@[8:53] # adduser

Username: wallet
Full name: 
Uid (Leave empty for default): 
Login group [wallet]: 
Login group is wallet. Invite wallet into other groups? []: 
Login class [default]: 
Shell (sh csh tcsh nologin) [sh]: tcsh
Home directory [/home/wallet]: 
Home directory permissions (Leave empty for default): 
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]: 
Username   : wallet
Password   : <disabled>
Full Name  : 
Uid        : 1001
Class      : 
Groups     : wallet 
Home       : /home/wallet
Home Mode  : 
Shell      : /bin/tcsh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (wallet) to the user database.
Add another user? (yes/no): no
Goodbye!
electrum:/@[8:53] # su wallet

wallet@electrum:/ % electrum-3.6 create

{
    "msg": "Please keep your seed in a safe place; if you lose it, you will not be able to restore your wallet.",
    "path": "/usr/home/wallet/.electrum/wallets/default_wallet",
    "seed": "jealous win pig material ribbon young punch visual okay cactus random bird"
}

Now we have a wallet created.

wallet@electrum:/ % electrum-3.6 listaddresses

[
    "18WEhbjvMLGRMfwudzUrUd25U5C7uZYkzE",
    "14XHSejhxsZNDRtk4eFbqAX3L8rftzwQQU",
    "1KQXaN8RXiCN1ne9iYngUWAr6KJ6d4pPas",
    ...
    "1KeVcAwEYhk29qEyAfPwcBgF5mMMoy4qjw",
    "18VaUuSeBr6T2GwpSHYF3XyNgLyLCt1SWk"
]

wallet@electrum:/ % electrum-3.6 help

Only a few people will be able to connect to our on-chain wallet from now on. In order not to open access to this cage from the outside, SSH connections will go through Tor (a decentralised sort of VPN). We start SSH in the cage, but don't touch pf.conf on the host.

electrum:/@[9:00] # sysrc sshd_enable=YES

electrum:/@[9:00] # service sshd start

Now let's cut the wallet cage off from Internet access. Let's give it an IP address from a different part of the subnet that is not NATed. First let's change /etc/pf.conf on the host

# ee /etc/pf.conf

JAIL_IP_POOL="192.168.0.0/24" we change to JAIL_IP_POOL="192.168.0.0/25", so that all addresses 192.168.0.126-255 will have no direct access to the Internet. A kind of software network "air-gap". And the NAT rule stays as it is

nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC

Reload the rules

# pfctl -f /etc/pf.conf
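As an added example (not from the article), here is a small POSIX sh check that reports which cage addresses fall inside JAIL_IP_POOL and therefore still match the "nat pass" rule; anything outside the pool has no NAT and no route to the Internet. The list of cages is constructed from the article's jls output.

```shell
#!/bin/sh
# Added example, not from the article: which cage addresses are inside the pf
# NAT pool? Addresses outside JAIL_IP_POOL match no "nat pass" rule, so they
# have no path to the Internet (the article's software "air-gap").

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains NET/BITS IP -> exit 0 if IP is inside the prefix
cidr_contains() {
    net=${1%/*}
    bits=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# nat_status IP -> prints "nat" or "air-gapped" relative to JAIL_IP_POOL
nat_status() {
    if cidr_contains "$JAIL_IP_POOL" "$1"; then
        echo nat
    else
        echo air-gapped
    fi
}

JAIL_IP_POOL="192.168.0.0/25"   # the narrowed pool from /etc/pf.conf

# Constructed from the article's jls listing: name:address pairs.
JAILS="bitcoind:192.168.0.1 tor:192.168.0.2 nginx-rev:192.168.0.3
paygw:192.168.0.4 webapp:192.168.0.5 polipo:192.168.0.6
electrum:192.168.0.200 cln:192.168.0.7"

# report -> one line per cage with its NAT status
report() {
    for j in $JAILS; do
        printf '%-10s %-14s %s\n' "${j%%:*}" "${j#*:}" "$(nat_status "${j#*:}")"
    done
}

report
```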

Now let's take our cage

# cbsd jconfig jname=electrum

jset mode=quiet jname=electrum ip4_addr="192.168.0.200"
Remove old IP: /sbin/ifconfig em0 inet 192.168.0.6 -alias
Setup new IP: /sbin/ifconfig em0 inet 192.168.0.200 alias
ip4_addr: 192.168.0.200

Hmm, but now the system will stop working for us. However, we can set a system-wide proxy. There is one thing, though: Tor is a SOCKS5 proxy, and for convenience we would also like an HTTP proxy.

# cbsd jconstruct-tui

# cbsd jstart polipo

# jexec polipo

polipo:/@[9:28] # pkg install polipo

polipo:/@[9:28] # ee /usr/local/etc/polipo/config

socksParentProxy = "192.168.0.2:9050"
socksProxyType = socks5

polipo:/@[9:42] # sysrc polipo_enable=YES

polipo:/@[9:43] # service polipo start

Now there are two proxy servers on our system, and both go out via Tor: socks5://192.168.0.2:9050 and http://192.168.0.6:8123

Now we can set up our wallet's environment

# jexec electrum

electrum:/@[9:45] # su wallet

wallet@electrum:/ % ee ~/.cshrc

#in the end of file proxy config
setenv http_proxy http://192.168.0.6:8123
setenv https_proxy http://192.168.0.6:8123

Now the shell will work through the proxy. If we want to install packages, we need to add the following to /usr/local/etc/pkg.conf from the cage's root

pkg_env: {
               http_proxy: "http://my_proxy_ip:8123",
           }

Now it is time to add a Tor hidden service as the address of the SSH service in the wallet cage.

# jexec tor

tor:/@[9:59] # ee /usr/local/etc/tor/torrc

HiddenServiceDir /var/db/tor/electrum/
HiddenServicePort 22 192.168.0.200:22

tor:/@[10:01] # mkdir /var/db/tor/electrum

tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/electrum

tor:/@[10:01] # chmod 700 /var/db/tor/electrum

tor:/@[10:03] # service tor restart

tor:/@[10:04] # cat /var/db/tor/electrum/hostname

mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion

This is our connection address. Let's check it from the local machine. But first we need to add our SSH key:

wallet@electrum:/ % mkdir ~/.ssh

wallet@electrum:/ % ee ~/.ssh/authorized_keys

ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAG9Fk2Lqi4GQ8EXZrsH3EgSrVIQPQaAlS38MmJLBabihv9KHIDGXH7r018hxqLNNGbaJWO/wrWk7sG4T0yLHAbdQAFsMYof9kjoyuG56z0XZ8qaD/X/AjrhLMsIoBbUNj0AzxjKNlPJL4NbHsFwbmxGulKS0PdAD5oLcTQi/VnNdU7iFw== user@local

Well, from the Linux client machine

user@local ~$ nano ~/.ssh/config

#remote electrum wallet
Host remotebtc
        User wallet
        Port 22
        Hostname mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
        ProxyCommand /bin/ncat --proxy localhost:9050 --proxy-type socks5 %h %p

Let's connect (for this to work you need a local Tor daemon listening on 9050)

user@local ~$ ssh remotebtc

The authenticity of host 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:iW8FKjhVF4yyOZB1z4sBkzyvCM+evQ9cCL/EuWm0Du4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion' (ECDSA) to the list of known hosts.
FreeBSD 12.1-RELEASE-p1 GENERIC 
To save disk space in your home directory, compress files you rarely
use with "gzip filename".
        -- Dru <[email protected]>
wallet@electrum:~ % logout

Success!

To work with fast payments and micropayments we also need a Lightning Network node; in fact, this will be our main working tool with Bitcoin. c-lightning*, which we will use as the daemon, has the Spark plugin, which is a complete HTTP (REST) interface and lets you work with off-chain and on-chain transactions. c-lightning needs bitcoind to function, though.

*There are various implementations of the Lightning Network protocol in various languages. Of those tested, c-lightning (written in C) seemed the most stable and resource-efficient.

# cbsd jconstruct-tui

# cbsd jstart cln

# jexec cln

lightning:/@[10:23] # adduser

Username: lightning
...

lightning:/@[10:24] # pkg install git

lightning:/@[10:23] # su lightning

cd ~ && git clone https://github.com/ElementsProject/lightning

lightning@lightning:~ % exit

lightning:/@[10:30] # cd /home/lightning/lightning/

lightning:/home/lightning/lightning@[10:31] # pkg install autoconf automake gettext git gmp gmake libtool python python3 sqlite3 libsodium py36-mako bash bitcoin-utils

lightning:/home/lightning/lightning@[10:34] # ./configure && gmake && gmake install

When everything needed is compiled and installed, let's create an RPC user for lightningd in bitcoind

# jexec bitcoind

bitcoind:/@[10:36] # ee /usr/local/etc/bitcoin.conf

rpcbind=192.168.0.1
rpcuser=test
rpcpassword=test
#allow only c-lightning
rpcallowip=192.168.0.7/32

bitcoind:/@[10:39] # service bitcoind restart

Switching back and forth between cages becomes less confusing if you remember the tmux utility, which lets you create several terminal sub-sessions within one session. An analogue: screen

So, we don't want to expose the real IP of our node, and we want to conduct all financial transactions via Tor. Therefore another .onion is in order.

# jexec tor

tor:/@[9:59] # ee /usr/local/etc/tor/torrc

HiddenServiceDir /var/db/tor/cln/
HiddenServicePort 9735 192.168.0.7:9735

tor:/@[10:01] # mkdir /var/db/tor/cln

tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/cln

tor:/@[10:01] # chmod 700 /var/db/tor/cln

tor:/@[10:03] # service tor restart

tor:/@[10:04] # cat /var/db/tor/cln/hostname

en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion
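The onion-service steps the article performs by hand twice (for the wallet cage's SSH above and for c-lightning here), as one reusable POSIX sh function. This is an added example, not the article's code: the torrc and data-directory paths are parameters so it can be tried against a scratch directory, and the tor restart that publishes the service (and writes the hostname file) is still done by hand.

```shell
#!/bin/sh
# Added example, not from the article: the per-service steps the article repeats
# (HiddenServiceDir + HiddenServicePort in torrc, a private 0700 directory owned
# by the tor user) wrapped in one function with a duplicate check. Restarting
# tor afterwards and reading <dir>/hostname is still done by hand.

# add_onion NAME PORT TARGET_IP[:TARGET_PORT] TORRC DATADIR [OWNER]
#   e.g. add_onion cln 9735 192.168.0.7 /usr/local/etc/tor/torrc /var/db/tor
add_onion() {
    name=$1 port=$2 target=$3 torrc=$4 datadir=$5 owner=${6:-_tor}
    dir="$datadir/$name"
    # Without an explicit target port, forward to the same port number.
    case $target in
        *:*) ;;
        *)   target="$target:$port" ;;
    esac
    # Refuse to re-add a service: its private key already lives in $dir, and a
    # second HiddenServiceDir block for the same path would confuse tor.
    if [ -f "$torrc" ] && grep -q "^HiddenServiceDir $dir/" "$torrc"; then
        echo "add_onion: $name already configured in $torrc" >&2
        return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # Ownership matters only on the real host; in a scratch directory run as
    # an unprivileged user the chown fails harmlessly.
    chown -R "$owner:$owner" "$dir" 2>/dev/null || true
    printf '\nHiddenServiceDir %s/\nHiddenServicePort %s %s\n' \
        "$dir" "$port" "$target" >> "$torrc"
}

# onion_dir_ok DIR -> exit 0 when DIR exists with mode 0700 (tor refuses a
# hidden-service directory that is group- or world-accessible)
onion_dir_ok() {
    [ -d "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# Demonstration against a throwaway directory (constructed, not the tor cage).
demo() {
    tmp=$(mktemp -d) || return 1
    add_onion electrum 22   192.168.0.200 "$tmp/torrc" "$tmp/db" || return 1
    add_onion cln      9735 192.168.0.7   "$tmp/torrc" "$tmp/db" || return 1
    cat "$tmp/torrc"
    rm -rf "$tmp"
}

demo
```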

Now let's create the configuration for c-lightning

lightning:/home/lightning/lightning@[10:31] # su lightning

lightning@lightning:~ % mkdir .lightning

lightning@lightning:~ % ee .lightning/config

alias=My-LN-Node
bind-addr=192.168.0.7:9735
rgb=ff0000
announce-addr=en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion:9735
network=bitcoin
log-level=info
fee-base=0
fee-per-satoshi=1
proxy=192.168.0.2:9050
log-file=/home/lightning/.lightning/c-lightning.log
min-capacity-sat=200000

# sparko plugin
# https://github.com/fiatjaf/lightningd-gjson-rpc/tree/master/cmd/sparko

sparko-host=192.168.0.7
sparko-port=9737

sparko-tls-path=sparko-tls

#sparko-login=mywalletusername:mywalletpassword

#sparko-keys=masterkey;secretread:+listchannels,+listnodes;secretwrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
sparko-keys=masterkey;secretread:+listchannels,+listnodes;ultrawrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
# for the example above the initialization logs (mixed with lightningd logs) should print something like

lightning@lightning:~ % mkdir .lightning/plugins

lightning@lightning:~ % cd .lightning/plugins/

lightning@lightning:~/.lightning/plugins % fetch https://github.com/fiatjaf/sparko/releases/download/v0.2.1/sparko_full_freebsd_amd64

lightning@lightning:~/.lightning/plugins % mkdir ~/.lightning/sparko-tls

lightning@lightning:~/.lightning/sparko-tls % cd ~/.lightning/sparko-tls

lightning@lightning:~/.lightning/sparko-tls % openssl genrsa -out key.pem 2048

lightning@lightning:~/.lightning/sparko-tls % openssl req -new -x509 -sha256 -key key.pem -out cert.pem -days 3650

lightning@lightning:~/.lightning/plugins % chmod +x sparko_full_freebsd_amd64

lightning@lightning:~/.lightning/plugins % mv sparko_full_freebsd_amd64 sparko

lightning@lightning:~/.lightning/plugins % cd ~

you also need to create a configuration file for bitcoin-cli, the utility that communicates with bitcoind

lightning@lightning:~ % mkdir .bitcoin

lightning@lightning:~ % ee .bitcoin/bitcoin.conf

rpcconnect=192.168.0.1
rpcuser=test
rpcpassword=test

check

lightning@lightning:~ % bitcoin-cli echo "test"

[
  "test"
]

start lightningd

lightning@lightning:~ % lightningd --daemon

lightningd itself can be controlled with the lightning-cli utility, for example:

lightning-cli newaddr requests an address for a new incoming payment

{
   "address": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv",
   "bech32": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv"
}

lightning-cli withdraw bc1jufcxahfrnfhruwjgx3cq2n2ffq3lplhme878pv all sends all the money in the wallet to the address (all on-chain addresses)

There are also the commands for off-chain operations: lightning-cli invoice, lightning-cli listinvoices, lightning-cli pay, etc.

Well, for communication with the applications we have the REST API

curl -k https://192.168.0.7:9737/rpc -d '{"method": "pay", "params": ["lnbc..."]}' -H 'X-Access masterkey'

Let's sum up the result

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind
     2  192.168.0.2     tor.space.com                 /zroot/jails/jails/tor
     3  192.168.0.3     nginx-rev.space.com           /zroot/jails/jails/nginx-rev
     4  192.168.0.4     paygw.space.com               /zroot/jails/jails/paygw
     5  192.168.0.5     webapp.my.domain              /zroot/jails/jails/webapp
     7  192.168.0.200   electrum.space.com            /zroot/jails/jails/electrum
     8  192.168.0.6     polipo.space.com              /zroot/jails/jails/polipo
     9  192.168.0.7     lightning.space.com           /zroot/jails/jails/cln

We have a set of containers, each with its own level of access from and to the local network.

# zfs list

NAME                    USED  AVAIL  REFER  MOUNTPOINT
zroot                   279G  1.48T    88K  /zroot
zroot/ROOT             1.89G  1.48T    88K  none
zroot/ROOT/default     1.89G  17.6G  1.89G  /
zroot/home               88K  1.48T    88K  /home
zroot/jails             277G  1.48T   404M  /zroot/jails
zroot/jails/bitcoind    190G  1.48T   190G  /zroot/jails/jails-data/bitcoind-data
zroot/jails/cln         653M  1.48T   653M  /zroot/jails/jails-data/cln-data
zroot/jails/electrum    703M  1.48T   703M  /zroot/jails/jails-data/electrum-data
zroot/jails/nginx-rev   190M  1.48T   190M  /zroot/jails/jails-data/nginx-rev-data
zroot/jails/paygw      82.4G  1.48T  82.4G  /zroot/jails/jails-data/paygw-data
zroot/jails/polipo     57.6M  1.48T  57.6M  /zroot/jails/jails-data/polipo-data
zroot/jails/tor        81.5M  1.48T  81.5M  /zroot/jails/jails-data/tor-data
zroot/jails/webapp      360M  1.48T   360M  /zroot/jails/jails-data/webapp-data

As you can see, bitcoind takes up all of 190 GB of space. What if we need another node for testing? This is where ZFS comes in handy. With cbsd jclone old=bitcoind new=bitcoind-clone host_hostname=clonedbtc.space.com you can take a snapshot of the original and attach a new cage to that snapshot. The new cage will have its own space, but only the difference between its current state and the original will be counted in the filesystem (we save at least 190 GB).

Each cage is its own ZFS dataset, and this is very convenient. ZFS also lets you do many other things, such as sending snapshots over SSH. We won't describe that here; there is already plenty written about it.

It is also worth remembering the need for remote monitoring of the host; for this purpose we have Zabbix.

B - security

Regarding security, let's start from the main principles in the context of infrastructure:

Confidentiality - The standard tools of a UNIX-like system ensure the implementation of this principle. We logically separate access to each separate logical element of the system: the cage. Access is granted via standard user authentication using the user's private key. All communication between and to the end cages happens in encrypted form. Thanks to disk encryption, we don't need to worry about data security when replacing disks or moving to another server. The only critical access is access to the host system, since such access generally provides access to the data inside the containers.

Integrity - The implementation of this principle happens at several different levels. First, it is important to note that on server hardware with ECC memory, ZFS "out of the box" takes care of data integrity at the bit level. Fast snapshots let you make a backup at any moment, quickly. Convenient cage export/import tools make cage replication easy.

Availability - This one is optional. It depends on your degree of fame and on whether you have haters. In our example, we made sure the wallet is accessible exclusively from the Tor network. If needed, you can block everything on the firewall and allow access to the server exclusively via a tunnel (Tor or VPN is another matter). Thus the server will be cut off from the outside world as much as possible, and only we ourselves can affect its availability.

Non-repudiation - This depends on further operation and on compliance with correct policies for user rights, access, etc. But with the right approach, all user actions are audited, and thanks to cryptographic solutions it is possible to establish unambiguously who performed a given action and when.

Of course, the described configuration is not an absolute example of how it should be done, but rather one example of how it can be done while retaining the ability to scale and customise flexibly.

What about full virtualization?

You can read about full virtualization using cbsd here. I will only add that for bhyve to work you need to enable some kernel options.

# cat /etc/rc.conf

...
kld_list="vmm if_tap if_bridge nmdm"
...

# cat /boot/loader.conf

...
vmm_load="YES"
...

So if you suddenly need to run docker, install some Debian and go!

That's all

I think that is everything I wanted to share. If you liked the article, you can send some bitcoin: bc1qu7lhf45xw83ddll5mnzte6ahju8ktkeu6qhttc. If you want to try cages in action and have some bitcoins, you can go to my pet project.

Source: www.habr.com