Linux Tips and Tricks: Server, Open Up

For those who want to reach their servers from anywhere in the world over SSH/RDP/whatever else, here is a small RTFM/cheat sheet.

We will do without VPN and similar tools, from whatever device we happen to have at hand.

And without putting too much strain on either the body or the server.

All you need for this trick is a pair of steady hands and 5 minutes of work.

"Everything is on the Internet," as they say (including on Habr), but when it comes to a concrete implementation, that is where it all starts...

As an example we will practise on Fedora/CentOS, but it does not really matter.

This cheat sheet is meant for beginners and junior specialists, so there will be some commentary, but only briefly.

1. Server

  • install the knock server:
    yum/dnf install knock-server

  • configure it (for ssh, for example) in /etc/knockd.conf:

    [options]
        UseSyslog
        interface = enp1s0f0
    [SSHopen]
        sequence        = 33333,22222,11111
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout     = 3600
        stop_command    = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    [SSHclose]
        sequence        = 11111,22222,33333
        seq_timeout     = 5
        tcpflags        = syn
        command         = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

    The "open" section is set to close automatically after 1 hour. You never know...

  • /etc/sysconfig/iptables:

    ...
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
    ...

  • then:

    service iptables restart
    service knockd start

  • You can add RDP to a virtual machine running Windows Server (/etc/knockd.conf; replace the interface name as needed):

    [RDPopen]
        sequence        = 44444,33333,22222
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -t nat -A PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
        cmd_timeout     = 3600
        stop_command    = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
    [RDPclose]
        sequence        = 22222,33333,44444
        seq_timeout     = 5
        tcpflags        = syn
        command         = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2

    We keep an eye on all our knocks from the client on the server with the command iptables -S.

2. A Guide to the Rakes (Pitfalls)

knockd.conf:

Everything is in the man page (but not quite everything), and knockd is stingy with messages, so you have to be very careful.

  • version
    In the Fedora/CentOS repositories the latest release to date is 0.63. Those who want UDP should look for 0.70 packages.
  • interface
    This line is absent from the default Fedora/CentOS config. Add it by hand, otherwise nothing will work.
  • timeout
    A matter of personal taste. The client must have enough time to finish everything it needs to do, and the port-scanning bots must fail (and 146% of them do scan).
  • start/stop/command
    If there is one command, use command; if there are two, use start_command + stop_command.
    If you get this wrong, knockd stays silent but does not work.
  • protocol
    In theory you can use UDP. In practice, I mixed TCP and UDP, and a client on a beach in Bali managed to open the door only on the fifth attempt, because TCP was delivered on time but UDP was not guaranteed. But again, it is a matter of taste.
  • sequence
    The hidden catch is that sequences must not intersect... how to put it...

For example, this:

open: 11111,22222,33333
close: 22222,11111,33333

The knock on 11111 opens the attempt and waits for the next knock on 22222. But on that knock (22222) close starts working too, and everything breaks. Add the client delay and other things on top of that. That's how it is ©.
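To catch the knockd.conf mistakes listed above before knockd silently ignores them, here is an added checker (example code written for this page, not part of the post or of knockd): it parses the INI-like config and flags a missing interface line, a door that has neither command nor the start_command/stop_command pair, and a command without the %IP% placeholder, which would open the port to every source address. SAMPLE_CONF is a constructed input.

```python
import re
# Constructed sample (not from the post): the post's SSHopen door plus a
# deliberately broken RDPopen door, and an [options] section with no interface.
SAMPLE_CONF = """[options]
    UseSyslog
[SSHopen]
    sequence        = 33333,22222,11111
    seq_timeout     = 5
    tcpflags        = syn
    start_command   = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout     = 3600
    stop_command    = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
[RDPopen]
    sequence        = 44444,33333,22222
    start_command   = iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
"""

def parse_knockd_conf(text):
    """Parse knockd.conf into {section: {key: value}}; '#' starts a comment, keys without '=' get ''."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def lint_knockd_conf(text):
    """Return a list of problems; an empty list means the config passes."""
    conf = parse_knockd_conf(text)
    problems = []
    if "interface" not in conf.get("options", {}):
        problems.append("options: 'interface' is missing, knockd will not listen anywhere")
    for name, door in conf.items():
        if name == "options":
            continue
        single = "command" in door
        pair = "start_command" in door and "stop_command" in door
        if single == pair:  # neither form, or both at once: knockd stays silent
            problems.append(f"{name}: use 'command' or both 'start_command' and 'stop_command'")
        for key in ("command", "start_command", "stop_command"):
            if key in door and "%IP%" not in door[key]:
                problems.append(f"{name}: '{key}' lacks %IP%, so it would apply to every source")
    return problems
```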

iptables

If /etc/sysconfig/iptables contains this:

*nat
:PREROUTING ACCEPT [0:0]

it does not really affect us, but this:

*filter
:INPUT ACCEPT [0:0]
...
-A INPUT -j REJECT --reject-with icmp-host-prohibited

gets in the way.

Since knockd appends its rules to the end of the INPUT chain, we run straight into the reject.

And simply switching that barrier off would leave the box open to all winds.

To avoid fighting iptables over what must go where and before what (as some people do, they say), let's simplify:

  • in CentOS/Fedora the default rule is "what is not forbidden is allowed"; first replace it with the opposite,
  • and remove the last rule.

The result should look like this:

*filter
:INPUT DROP [0:0]
...
#-A INPUT -j REJECT --reject-with icmp-host-prohibited

That said, you can use REJECT instead of DROP, but with DROP the bots have more fun.
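To make the ordering trap above checkable, here is an added script (not from the post): it reads an iptables-save style dump such as /etc/sysconfig/iptables, reports whether a catch-all REJECT/DROP rule already in INPUT would shadow the ACCEPT that knockd appends with -A, and whether the INPUT policy is DROP. BEFORE and AFTER are constructed dumps mirroring the post's before and after.

```python
import re
# Constructed dumps in iptables-save format, modelled on the post's "before" and
# "after" /etc/sysconfig/iptables (the knock-port rules plus the catch-all).
BEFORE = """*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# The post's fix: DROP policy, catch-all commented out.
AFTER = BEFORE.replace(":INPUT ACCEPT", ":INPUT DROP").replace(
    "\n-A INPUT -j REJECT", "\n#-A INPUT -j REJECT")

# A rule that matches everything and terminates the chain: "-A INPUT -j REJECT/DROP"
# with no match options in front of the target.
CATCHALL = re.compile(r"^-A INPUT -j (REJECT|DROP)\b")

def filter_rules(dump):
    """Return the INPUT policy and the active (uncommented) rules of the *filter table."""
    policy, rules, in_filter = "ACCEPT", [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A "):
            rules.append(line)
    return policy, rules

def appended_accept_is_shadowed(dump):
    """knockd adds its ACCEPT with -A, i.e. after every existing rule, so any
    catch-all REJECT/DROP already in INPUT is evaluated first and wins."""
    _, rules = filter_rules(dump)
    return any(CATCHALL.match(r) for r in rules)

def knock_firewall_ok(dump):
    """The post's two conditions: no catch-all rule ahead of knockd's ACCEPT, and a
    DROP policy so that removing the catch-all does not open the box to everyone."""
    policy, _ = filter_rules(dump)
    return policy == "DROP" and not appended_accept_is_shadowed(dump)
```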

3. Client

This is the most interesting part (in my view), because you have to work not just from one place but from whatever device you happen to have.

Usually many clients are listed on the project's site, but it is the same story as "everything is on the Internet." So I will list the ones that currently work for me.

When choosing a client, it must support a delay option between packets. Yes, every location is different, and 100 megabits does not guarantee that the packets will arrive in the right order and at the right time from a given place.

Yes, when setting up a client you have to choose the delay. If the timeout is too long, bots get in; if it is too short, the client does not make it in time. If the delay is too long, the client does not make it in time and a conflict arises (see "Pitfalls"); if it is too short, packets get lost on the Internet.

With timeout=5s, a combination that works is delay=100..500ms

Windows

Oddly enough, finding a decent client for this platform via Google turned out to be very hard. One with a CLI, delay support, TCP support, and no special requirements.

As an option, you can try this one. Apparently my Google is not that simple.

Linux

Everything here is very simple:

dnf install knock -y
knock -d <delay> <dst_ip> 11111 22222 33333

MacOS

The easy way is to install the port from homebrew:
brew install knock
and write the needed command-line scripts like this:

#!/bin/sh
knock -d <delay> <dst_ip> 11111 22222 33333

iOS

A good option is KnockOnD (free, from the store).

Android

"Knock Ports." Not an advertisement, it just works. And the developers are very responsive.

P.S. A sad decline for Habr, yes, God save it some day...

UPD1: thanks to a kind person, a client that works under Windows has been found.
UPD2: one more kind person reminded me that appending a new rule to the end of iptables is not always useful. But that's how it is.

Source: will.com
