Bitcoin in a cage?

It so happens that by profession I am an administrator of computer systems and networks (in short: a sysadmin), and in a little over 10 years of professional work I have dealt with a wide variety of systems, including ones that require [extra] security measures. It also happened that some time ago I found bitcoin interesting, and I not only used it but also launched several micro-services in order to learn how to work with the Bitcoin network on my own (it is p2p, after all) from a developer's point of view (I am that kind of dev, just passing by). But I am not talking about development here; I am talking about a secure and efficient environment for applications.

Financial technology (fintech) goes hand in hand with information security (infosec), and the first can work without the second, but not for long. That is why I want to share my experience and the set of tools I use, which covers both fintech and infosec at the same time and can also be used for a broader or completely different purpose. In this article I will tell you not so much about Bitcoin as about an infrastructure model for developing and operating financial (and not only financial) services - in a word, the services where the "B" matters. This applies both to a Bitcoin exchange and to the typical corporate zoo of services of a small company that has nothing to do with Bitcoin.

I want to note that I am a supporter of the principles "keep it simple stupid" and "less is more", so both the article and what it describes will have the properties these principles are about.

Hypothetical scenario: let's go through everything using the example of a bitcoin exchanger. We decided to launch the exchange of rubles, dollars and euros for bitcoins and back, and we already have a working solution, but for other digital money such as qiwi and webmoney, i.e. we have closed all the legal questions and we have a ready application that serves as a payment gateway for rubles, dollars, euros and other payment systems. It is connected to our bank accounts and has some kind of API for our end applications. We also have a web application that acts as the exchanger for users, like a typical qiwi or webmoney account - create an account, add a card, and so on. It talks to our gateway application, albeit via a REST API on the local network. And so we decided to connect bitcoins and at the same time upgrade the infrastructure, because ... initially everything was hastily set up on virtual boxes in the office under the table ... the site came into use, and we began to worry about uptime and performance.

So, let's start with the main thing - choosing a server. Since the business in our example is small and we trust the hoster (OVH), we will choose a budget option in which it is not possible to install the system from the original .iso image, but that does not matter; the IT security department will certainly analyze the installed image. And when we grow, we will rent our own rack behind a lock with limited physical access, and maybe build our own DC. In any case, it is worth remembering that when you rent hardware and install ready-made images, there is a chance that a "Trojan from the hoster" will be sitting on your system, which in most cases is not meant to spy on you but to give you more convenient server management tools.

Server installation

Everything is simple here. We choose the hardware that fits our needs. Then we select the FreeBSD image. Or we connect (in the case of another hoster and our own hardware) via IPMI or with a monitor and boot the FreeBSD .iso image. For orchestration I use Ansible and mfsd. The only thing: in our case with kimsufi, we chose a custom install so that the two disks in the mirror have only the boot and /home partitions "open"; the rest of the disk space will be encrypted, but more on that later.


The system installation happens in the standard way and I will not dwell on it; I will only note that before you start operating the system it is worth paying attention to the hardening options that bsdinstaller offers at the end of the installation (if you install the system yourself):


There is good material on this topic; I will briefly repeat it here.

It is also possible to enable the above parameters on an already installed system. To do this, you need to edit the bootloader file and enable the kernel parameters. *ee is the editor used here on BSD

# ee /etc/rc.conf

...
#sec hard
clear_tmp_enable="YES"
syslogd_flags="-ss"    
sendmail_enable="NONE"

# ee /etc/sysctl.conf

...
#sec hard
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
# sysctl.conf is not run through a shell, so $(jot -r 1 9999) is never expanded; 1 = pick a random PID modulus
kern.randompid=1
security.bsd.stack_guard_page=1

You also need to make sure that you have the latest version of the system installed, and perform all updates and upgrades. In our case, for example, an upgrade to the latest version is required, because ... the pre-installed images lag behind by six months to a year. Well, and there we change the SSH port to something other than the default, add key authentication and disable password authentication.

Then we set up aide to monitor the state of the system configuration files. You can read about it in more detail here.

pkg install aide

and edit our crontab

crontab -e

06 01 * * 0-6 /root/chkaide.sh

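#! /bin/sh
# chkaide.sh - run the AIDE integrity check and build a dated report in /tmp
MYDATE=`date +%Y-%m-%d`
MYFILENAME="Aide-"$MYDATE.txt
/bin/echo "Aide check !! `date`" > /tmp/$MYFILENAME
# the full output of the check goes to a scratch file
/usr/local/bin/aide --check > /tmp/myAide.txt
# copy everything except the lines containing "failed" into the report
/bin/cat /tmp/myAide.txt|/usr/bin/grep -v failed >> /tmp/$MYFILENAME
/bin/echo "**************************************" >> /tmp/$MYFILENAME
# append the last 20 lines of the check output
/usr/bin/tail -20 /tmp/myAide.txt >> /tmp/$MYFILENAME
/bin/echo "****************DONE******************" >> /tmp/$MYFILENAME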

Enable system auditing

sysrc auditd_enable=YES

# service auditd start

How to administer this is well described in the handbook.

Now we reboot and move on to the software on the server. Every server is a hypervisor for containers or full virtual machines. Therefore, it is important that the processor supports VT-x and EPT if we plan to use full virtualization.

To manage containers and virtual machines I use cbsd from olevole, and I wish him good health and blessings for this wonderful utility!

Containers? Docker again or what?

But no. FreeBSD Jails are an excellent tool for containerization, and the aforementioned cbsd is for orchestrating these containers, which are called jails (cells).

A jail is an extremely effective solution for building infrastructure for a variety of purposes where complete isolation of individual services or processes is required. In essence, it resembles the host system, but it does not require full hardware virtualization. Thanks to this, resources are spent not on a "guest OS" but only on the work being done. When jails are used for internal needs, this is a very convenient way to use resources optimally - each of a bunch of jails on one hardware server can use the resources of the whole server if necessary. Given that different services usually need additional resources at different times, you can extract maximum performance from one server if you plan properly and balance the jails between servers. If necessary, jails can also be given limits on the resources they use.


What about full virtualization?

As far as I know, cbsd supports the bhyve and XEN hypervisors. I have never used the second, but the first is a relatively new hypervisor from FreeBSD. We will look at an example of using bhyve below.

Installing and Configuring the Host Environment

We use the ZFS file system. It is an extremely powerful tool for managing server space. Thanks to ZFS, you can build arrays of various configurations directly from disks, expand space "hot", replace dead disks, manage snapshots, and much more, which could fill a whole series of articles. Let's return to our server and its disks. At the beginning of the installation we left free space on the disks for encrypted partitions. Why is that? So that the system comes up on its own and listens via SSH.

gpart add -t freebsd-zfs /dev/ada0

/dev/ada0p4 added!

add a disk partition in the remaining space

geli init /dev/ada0p4

enter our encryption password

geli attach /dev/ada0p4

We enter the password again and we have the device /dev/ada0p4.eli - this is our encrypted space. Then we repeat the same for /dev/ada1 and the remaining disks in the array. And we create a new ZFS pool.

zpool create vms mirror /dev/ada0p4.eli /dev/ada1p4.eli /dev/ada3p4.eli

Well, we have the minimum combat kit ready: a mirrored array of disks in case one of the three fails.

Creating a dataset on the new "pool"

zfs create vms/jails

pkg install cbsd

We ran the command and installed the manager for our jails.

After cbsd is installed, it must be initialized:

# env workdir="/vms/jails" /usr/local/cbsd/sudoexec/initenv

Well, we answer a bunch of questions, mostly with the default answers.

* If you use encryption, it is important that the cbsdd daemon does not start automatically until you decrypt the disks, manually or automatically (in our example this is done by zabbix)

** I also do not use the NAT from cbsd, and configure it myself in pf.

# sysrc pf_enable=YES

# ee /etc/pf.conf

IF_PUBLIC="em0"
IP_PUBLIC="1.23.34.56"
JAIL_IP_POOL="192.168.0.0/24"

#WHITE_CL="{ 127.0.0.1 }"

icmp_types="echoreq"

set limit { states 20000, frags 20000, src-nodes 20000 }
set skip on lo0
scrub in all

#NAT for jails
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC

## Bitcoin network port forward
IP_JAIL="192.168.0.1"
PORT_JAIL="{8333}"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

# service pf start

# pfctl -f /etc/pf.conf

Setting up firewall policies is also a separate topic, so I will not go deep into setting up a BLOCK ALL policy and whitelists; you can do this by reading the official documentation or any of the huge number of articles available on Google.

Well, we have cbsd installed, and it is time to create our first workhorse - the caged Bitcoin daemon!

cbsd jconstruct-tui


Here we see the jail creation dialog. Once all the values are set, let's create it!

When you create your first jail, you must choose what to use as the base for jails. I choose the distribution from the FreeBSD repository with the repo command. This choice is made only when creating the first jail of a particular version (you can host jails of any version that is older than the host version).

Once everything is installed, we start the jail!

# cbsd jstart bitcoind

But we need to install software in the jail.

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind

jexec bitcoind to get into the jail console

and already inside the jail we install the software with its dependencies (our host system stays clean)

bitcoind:/@[15:25] # pkg install bitcoin-daemon bitcoin-utils

bitcoind:/@[15:30] # sysrc bitcoind_enable=YES

bitcoind:/@[15:30] # service bitcoind start

There is Bitcoin in the jail, but we need anonymity because we want to connect to some jails through the TOR network. In general, we plan to run most jails with suspicious software only through a proxy. Thanks to pf, you can disable NAT for a certain range of IP addresses on the local network and allow NAT only for our TOR node. Thus, even if malware gets into a jail, it most likely will not be able to communicate with the outside world, and if it does, it will not reveal the IP of our server. Therefore, we create another jail to "forward" services as an ".onion" service and to act as a proxy for Internet access for individual jails.

# cbsd jconstruct-tui

# cbsd jstart tor

# jexec tor

tor:/@[15:38] # pkg install tor

tor:/@[15:38] # sysrc tor_enable=YES

tor:/@[15:38] # ee /usr/local/etc/tor/torrc

Set it to listen on the local address (available to all jails)

SOCKSPort 192.168.0.2:9050

What else do we need for complete happiness? Yes, we need a service for our web, maybe more than one. Let's launch nginx, which will act as a reverse proxy and take care of renewing the Let's Encrypt certificates

# cbsd jconstruct-tui

# cbsd jstart nginx-rev

# jexec nginx-rev

nginx-rev:/@[15:47] # pkg install nginx py36-certbot

And so we put 150 MB of dependencies into the jail. And the host is still clean.

Let's get back to configuring nginx later; we need to bring up two more jails, for our payment gateway on nodejs and rust and for the web application, which for some reason is on Apache and PHP, and the latter also requires a MySQL database.

# cbsd jconstruct-tui

# cbsd jstart paygw

# jexec paygw

paygw:/@[15:55] # pkg install git node npm

paygw:/@[15:55] # curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

...and another 380 MB of packages in isolation

Next, we download our application with git and launch it.

# cbsd jconstruct-tui

# cbsd jstart webapp

# jexec webapp

webapp:/@[16:02] # pkg install mariadb104-server apache24 php74 mod_php74 php74-pdo_mysql

450 MB of packages in the jail.

Here we give the developer access via SSH directly into the jail; they will do everything there themselves:

webapp:/@[16:02] # ee /etc/ssh/sshd_config

Port 2267 - change the jail's SSH port to any arbitrary one

webapp:/@[16:02] # sysrc sshd_enable=YES

webapp:/@[16:02] # service sshd start

Well, the service is running; all that remains is to add a rule to the pf firewall

Let's see what IPs our jails have and what our "local network" looks like in general.

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind
     2  192.168.0.2     tor.space.com                 /zroot/jails/jails/tor
     3  192.168.0.3     nginx-rev.space.com           /zroot/jails/jails/nginx-rev
     4  192.168.0.4     paygw.space.com               /zroot/jails/jails/paygw
     5  192.168.0.5     webapp.my.domain              /zroot/jails/jails/webapp

and add a rule

# ee /etc/pf.conf

## SSH for web-Devs
IP_JAIL="192.168.0.5"
PORT_JAIL="{ 2267 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

Well, since we are here, let's also add a rule for the reverse proxy:

## web-ports for nginx-rev
IP_JAIL="192.168.0.3"
PORT_JAIL="{ 80, 443 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

# pfctl -f /etc/pf.conf

Well, now a little about bitcoins

What we have is a web application that is exposed to the outside and talks locally to our payment gateway. Now we need to prepare a working environment for interacting with the Bitcoin network itself - the bitcoind node is just a daemon that keeps the local copy of the blockchain up to date. This daemon has RPC and wallet functionality, but there are more convenient "wrappers" for application development. To begin with, we decided to install electrum, a CLI wallet. We will use this wallet as "cold storage" for our bitcoins - in general, those bitcoins that need to be stored "outside" the system accessible to users and generally away from everyone. It also has a GUI, so we will use the same wallet on our laptops. For now we will use Electrum with public servers, and later we will bring up ElectrumX in another jail so as not to depend on anyone.

# cbsd jconstruct-tui

# cbsd jstart electrum

# jexec electrum

electrum:/@[8:45] # pkg install py36-electrum

Another 700 MB of software in our jail

electrum:/@[8:53] # adduser

Username: wallet
Full name: 
Uid (Leave empty for default): 
Login group [wallet]: 
Login group is wallet. Invite wallet into other groups? []: 
Login class [default]: 
Shell (sh csh tcsh nologin) [sh]: tcsh
Home directory [/home/wallet]: 
Home directory permissions (Leave empty for default): 
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]: 
Username   : wallet
Password   : <disabled>
Full Name  : 
Uid        : 1001
Class      : 
Groups     : wallet 
Home       : /home/wallet
Home Mode  : 
Shell      : /bin/tcsh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (wallet) to the user database.
Add another user? (yes/no): no
Goodbye!
electrum:/@[8:53] # su wallet

wallet@electrum:/ % electrum-3.6 create

{
    "msg": "Please keep your seed in a safe place; if you lose it, you will not be able to restore your wallet.",
    "path": "/usr/home/wallet/.electrum/wallets/default_wallet",
    "seed": "jealous win pig material ribbon young punch visual okay cactus random bird"
}

Now we have a wallet created.

wallet@electrum:/ % electrum-3.6 listaddresses

[
    "18WEhbjvMLGRMfwudzUrUd25U5C7uZYkzE",
    "14XHSejhxsZNDRtk4eFbqAX3L8rftzwQQU",
    "1KQXaN8RXiCN1ne9iYngUWAr6KJ6d4pPas",
    ...
    "1KeVcAwEYhk29qEyAfPwcBgF5mMMoy4qjw",
    "18VaUuSeBr6T2GwpSHYF3XyNgLyLCt1SWk"
]

wallet@electrum:/ % electrum-3.6 help

From now on only a limited circle of people will be able to connect to our on-chain wallet. In order not to open access to this jail from outside, SSH connections will go through TOR (a kind of VPN). We start SSH in the jail, but do not touch our pf.conf on the host.

electrum:/@[9:00] # sysrc sshd_enable=YES

electrum:/@[9:00] # service sshd start

Now let's cut the wallet jail off from the Internet. Let's give it an IP address from another subnet that is not NATed. First let's change /etc/pf.conf on the host

# ee /etc/pf.conf

Let's change JAIL_IP_POOL="192.168.0.0/24" to JAIL_IP_POOL="192.168.0.0/25", so that all addresses 192.168.0.126-255 will not have direct access to the Internet. A kind of software "air-gap" network. And the NAT rule stays as it was

nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC

Reload the rules

# pfctl -f /etc/pf.conf

Now let's take on our jail

# cbsd jconfig jname=electrum


jset mode=quiet jname=electrum ip4_addr="192.168.0.200"
Remove old IP: /sbin/ifconfig em0 inet 192.168.0.6 -alias
Setup new IP: /sbin/ifconfig em0 inet 192.168.0.200 alias
ip4_addr: 192.168.0.200

Hmm, but now the system itself will stop working for us. However, we can specify a system proxy. But there is one thing: on TOR it is a SOCKS5 proxy, and for convenience we would also like an HTTP proxy.

# cbsd jconstruct-tui

# cbsd jstart polipo

# jexec polipo

polipo:/@[9:28] # pkg install polipo

polipo:/@[9:28] # ee /usr/local/etc/polipo/config

socksParentProxy = "192.168.0.2:9050"
socksProxyType = socks5

polipo:/@[9:42] # sysrc polipo_enable=YES

polipo:/@[9:43] # service polipo start

Well, now there are two proxy servers in our system, and both go out via TOR: socks5://192.168.0.2:9050 and http://192.168.0.6:8123

Now we can configure our wallet environment

# jexec electrum

electrum:/@[9:45] # su wallet

wallet@electrum:/ % ee ~/.cshrc

#in the end of file proxy config
setenv http_proxy http://192.168.0.6:8123
setenv https_proxy http://192.168.0.6:8123

Well, now the shell will work behind the proxy. If we want to install packages, we should add the following to /usr/local/etc/pkg.conf as root in the jail

pkg_env: {
               http_proxy: "http://my_proxy_ip:8123",
           }

Well, now it is time to add a TOR hidden service as the address of our SSH service in the wallet jail.

# jexec tor

tor:/@[9:59] # ee /usr/local/etc/tor/torrc

HiddenServiceDir /var/db/tor/electrum/
HiddenServicePort 22 192.168.0.200:22

tor:/@[10:01] # mkdir /var/db/tor/electrum

tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/electrum

tor:/@[10:01] # chmod 700 /var/db/tor/electrum

tor:/@[10:03] # service tor restart

tor:/@[10:04] # cat /var/db/tor/electrum/hostname

mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion

This is our connection address. Let's check from the local machine. But first we need to add our SSH key:

wallet@electrum:/ % mkdir ~/.ssh

wallet@electrum:/ % ee ~/.ssh/authorized_keys

ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAG9Fk2Lqi4GQ8EXZrsH3EgSrVIQPQaAlS38MmJLBabihv9KHIDGXH7r018hxqLNNGbaJWO/wrWk7sG4T0yLHAbdQAFsMYof9kjoyuG56z0XZ8qaD/X/AjrhLMsIoBbUNj0AzxjKNlPJL4NbHsFwbmxGulKS0PdAD5oLcTQi/VnNdU7iFw== user@local

Well, from the Linux client machine

user@local ~$ nano ~/.ssh/config

#remote electrum wallet
Host remotebtc
        User wallet
        Port 22
        Hostname mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
        ProxyCommand /bin/ncat --proxy localhost:9050 --proxy-type socks5 %h %p

Let's connect (for this to work, you need a local TOR daemon listening on 9050)

user@local ~$ ssh remotebtc

The authenticity of host 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:iW8FKjhVF4yyOZB1z4sBkzyvCM+evQ9cCL/EuWm0Du4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion' (ECDSA) to the list of known hosts.
FreeBSD 12.1-RELEASE-p1 GENERIC 
To save disk space in your home directory, compress files you rarely
use with "gzip filename".
        -- Dru <[email protected]>
wallet@electrum:~ % logout

Success!

To work with instant and micro payments, we also need a Lightning Network node; in fact, this will be our main tool for working with Bitcoin. We will use c-lightning* as the daemon; it has the Sparko plugin, which is a full-fledged HTTP (REST) interface and lets you work with both off-chain and on-chain transactions. c-lightning needs bitcoind in order to work.

* There are different implementations of the Lightning Network protocol in different languages. Of those we tested, c-lightning (written in C) seemed the most stable and resource-efficient.

# cbsd jconstruct-tui

# cbsd jstart cln

# jexec cln

lightning:/@[10:23] # adduser

Username: lightning
...

lightning:/@[10:24] # pkg install git

lightning:/@[10:23] # su lightning

cd ~ && git clone https://github.com/ElementsProject/lightning

lightning@lightning:~ % exit

lightning:/@[10:30] # cd /home/lightning/lightning/

lightning:/home/lightning/lightning@[10:31] # pkg install autoconf automake gettext git gmp gmake libtool python python3 sqlite3 libsodium py36-mako bash bitcoin-utils

lightning:/home/lightning/lightning@[10:34] # ./configure && gmake && gmake install

Once everything necessary is built and installed, let's create an RPC user for lightningd in bitcoind

# jexec bitcoind

bitcoind:/@[10:36] # ee /usr/local/etc/bitcoin.conf

rpcbind=192.168.0.1
rpcuser=test
rpcpassword=test
#allow only c-lightning
rpcallowip=192.168.0.7/32

bitcoind:/@[10:39] # service bitcoind restart
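
The `rpcuser=test` / `rpcpassword=test` pair above keeps a guessable password in clear text on the bitcoind side. Bitcoin Core also accepts an `rpcauth=` line that stores only a salted HMAC-SHA256 of the password. The following is an added example, not code from the article, which builds such a line the same way Bitcoin Core's share/rpcauth/rpcauth.py helper does; the user name `lightning` is an assumption, the addresses are the ones used on this page.

```python
import hashlib
import hmac
import os
import re
from base64 import urlsafe_b64encode

# rpcauth=<user>:<hex salt>$<hex HMAC-SHA256>
RPCAUTH_RE = re.compile(r"^rpcauth=([^:]+):([0-9a-f]+)\$([0-9a-f]{64})$")


def password_to_hmac(salt, password):
    """HMAC-SHA256 of the password, keyed with the salt string."""
    return hmac.new(salt.encode("utf-8"), password.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def make_rpcauth(user, password=None, salt=None):
    """Return (rpcauth line for bitcoind, clear-text password for the client)."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    if password is None:
        # 32 random bytes instead of a dictionary word such as "test"
        password = urlsafe_b64encode(os.urandom(32)).decode("ascii")
    if salt is None:
        salt = os.urandom(16).hex()
    return f"rpcauth={user}:{salt}${password_to_hmac(salt, password)}", password


def check_login(rpcauth_line, user, password):
    """Verify a user/password pair against an rpcauth line (constant-time compare)."""
    m = RPCAUTH_RE.match(rpcauth_line.strip())
    if not m or m.group(1) != user:
        return False
    return hmac.compare_digest(password_to_hmac(m.group(2), password), m.group(3))


def server_conf(rpcauth_line):
    """Fragment for /usr/local/etc/bitcoin.conf in the bitcoind jail."""
    return "\n".join([
        "rpcbind=192.168.0.1",
        rpcauth_line,                      # replaces rpcuser=/rpcpassword=
        "#allow only c-lightning",
        "rpcallowip=192.168.0.7/32",
    ])


def client_conf(user, password):
    """Fragment for ~/.bitcoin/bitcoin.conf in the c-lightning jail.

    The client still needs the clear-text password, so this file should be
    readable only by the lightning user (chmod 600).
    """
    return "\n".join([
        "rpcconnect=192.168.0.1",
        f"rpcuser={user}",
        f"rpcpassword={password}",
    ])


if __name__ == "__main__":
    line, secret = make_rpcauth("lightning")   # "lightning" is an assumed name
    print("# bitcoind jail\n" + server_conf(line))
    print("# c-lightning jail\n" + client_conf("lightning", secret))
```
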

My chaotic switching between jails turns out to be less chaotic if you notice the tmux utility, which lets you create multiple terminal sub-sessions within one session. Analogue: screen

So, we do not want to reveal the real IP of our node, and we want to conduct all financial operations through TOR. Therefore, one more .onion is needed.

# jexec tor

tor:/@[9:59] # ee /usr/local/etc/tor/torrc

HiddenServiceDir /var/db/tor/cln/
HiddenServicePort 9735 192.168.0.7:9735

tor:/@[10:01] # mkdir /var/db/tor/cln

tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/cln

tor:/@[10:01] # chmod 700 /var/db/tor/cln

tor:/@[10:03] # service tor restart

tor:/@[10:04] # cat /var/db/tor/cln/hostname

en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion

Now let's create a config for c-lightning

lightning:/home/lightning/lightning@[10:31] # su lightning

lightning@lightning:~ % mkdir .lightning

lightning@lightning:~ % ee .lightning/config

alias=My-LN-Node
bind-addr=192.168.0.7:9735
rgb=ff0000
announce-addr=en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion:9735
network=bitcoin
log-level=info
fee-base=0
fee-per-satoshi=1
proxy=192.168.0.2:9050
log-file=/home/lightning/.lightning/c-lightning.log
min-capacity-sat=200000

# sparko plugin
# https://github.com/fiatjaf/lightningd-gjson-rpc/tree/master/cmd/sparko

sparko-host=192.168.0.7
sparko-port=9737

sparko-tls-path=sparko-tls

#sparko-login=mywalletusername:mywalletpassword

#sparko-keys=masterkey;secretread:+listchannels,+listnodes;secretwrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
sparko-keys=masterkey;secretread:+listchannels,+listnodes;ultrawrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
# for the example above the initialization logs (mixed with lightningd logs) should print something like

lightning@lightning:~ % mkdir .lightning/plugins

lightning@lightning:~ % cd .lightning/plugins/

lightning@lightning:~/.lightning/plugins % fetch https://github.com/fiatjaf/sparko/releases/download/v0.2.1/sparko_full_freebsd_amd64

lightning@lightning:~/.lightning/plugins % mkdir ~/.lightning/sparko-tls

lightning@lightning:~/.lightning/sparko-tls % cd ~/.lightning/sparko-tls

lightning@lightning:~/.lightning/sparko-tls % openssl genrsa -out key.pem 2048

lightning@lightning:~/.lightning/sparko-tls % openssl req -new -x509 -sha256 -key key.pem -out cert.pem -days 3650

lightning@lightning:~/.lightning/plugins % chmod +x sparko_full_freebsd_amd64

lightning@lightning:~/.lightning/plugins % mv sparko_full_freebsd_amd64 sparko

lightning@lightning:~/.lightning/plugins % cd ~

you also need to create a configuration file for bitcoin-cli, the utility that communicates with bitcoind

lightning@lightning:~ % mkdir .bitcoin

lightning@lightning:~ % ee .bitcoin/bitcoin.conf

rpcconnect=192.168.0.1
rpcuser=test
rpcpassword=test

check

lightning@lightning:~ % bitcoin-cli echo "test"

[
  "test"
]

start lightningd

lightning@lightning:~ % lightningd --daemon

lightningd itself can be controlled with the lightning-cli utility, for example:

lightning-cli newaddr - get an address for a new incoming payment

{
   "address": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv",
   "bech32": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv"
}

lightning-cli withdraw bc1jufcxahfrnfhruwjgx3cq2n2ffq3lplhme878pv all - send all the money in the wallet to the address (all on-chain addresses)

There are also commands for off-chain operations: lightning-cli invoice, lightning-cli listinvoices, lightning-cli pay and so on.

Well, for communicating with the application we have a REST API

curl -k https://192.168.0.7:9737/rpc -d '{"method": "pay", "params": ["lnbc..."]}' -H 'X-Access: masterkey'

Let's summarize

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind
     2  192.168.0.2     tor.space.com                 /zroot/jails/jails/tor
     3  192.168.0.3     nginx-rev.space.com           /zroot/jails/jails/nginx-rev
     4  192.168.0.4     paygw.space.com               /zroot/jails/jails/paygw
     5  192.168.0.5     webapp.my.domain              /zroot/jails/jails/webapp
     7  192.168.0.200   electrum.space.com            /zroot/jails/jails/electrum
     8  192.168.0.6     polipo.space.com              /zroot/jails/jails/polipo
     9  192.168.0.7     lightning.space.com           /zroot/jails/jails/cln

We have a set of containers, each with its own level of access both from and to the local network.

# zfs list

NAME                    USED  AVAIL  REFER  MOUNTPOINT
zroot                   279G  1.48T    88K  /zroot
zroot/ROOT             1.89G  1.48T    88K  none
zroot/ROOT/default     1.89G  17.6G  1.89G  /
zroot/home               88K  1.48T    88K  /home
zroot/jails             277G  1.48T   404M  /zroot/jails
zroot/jails/bitcoind    190G  1.48T   190G  /zroot/jails/jails-data/bitcoind-data
zroot/jails/cln         653M  1.48T   653M  /zroot/jails/jails-data/cln-data
zroot/jails/electrum    703M  1.48T   703M  /zroot/jails/jails-data/electrum-data
zroot/jails/nginx-rev   190M  1.48T   190M  /zroot/jails/jails-data/nginx-rev-data
zroot/jails/paygw      82.4G  1.48T  82.4G  /zroot/jails/jails-data/paygw-data
zroot/jails/polipo     57.6M  1.48T  57.6M  /zroot/jails/jails-data/polipo-data
zroot/jails/tor        81.5M  1.48T  81.5M  /zroot/jails/jails-data/tor-data
zroot/jails/webapp      360M  1.48T   360M  /zroot/jails/jails-data/webapp-data

As you can see, bitcoind takes up all of 190 GB of space. What if we need another node for tests? This is where ZFS comes in handy. With cbsd jclone old=bitcoind new=bitcoind-clone host_hostname=clonedbtc.space.com you can create a snapshot and attach a new jail to this snapshot. The new jail will have its own space, but only the difference between the current state and the original will be counted in the file system (we will save at least 190 GB).

Each jail has its own separate ZFS dataset, and this is extremely convenient. ZFS also lets you do various other cool things, such as sending snapshots via SSH. We will not describe this; there is already a lot.

It is also worth noting the need for remote monitoring of the host; for this purpose we have Zabbix.

B - security

As for security, let's start from the key principles in the context of infrastructure:

Confidentiality - The standard tools of UNIX-like systems ensure the implementation of this principle. We logically separate access to each logically separate element of the system - the jail. Access is granted through standard user authentication using the users' personal keys. All communication between jails and to the end jails happens in encrypted form. Thanks to disk encryption, we do not have to worry about the safety of the data when replacing a disk or migrating to another server. The only critical access is access to the host system, since such access generally provides access to the data inside the containers.

Integrity - The implementation of this principle happens at several different levels. First, it is important to note that in the case of server hardware, ECC memory, ZFS already takes care of data integrity "out of the box" at the level of bits of information. Instant snapshots let you make backups at any time on the fly. Convenient jail export/import tools make jail replication simple.

Availability - This is already optional. It depends on the degree of your fame and on whether you have haters. In our example, we made sure that the wallet is accessible exclusively from the TOR network. If necessary, you can block everything on the firewall and allow access to the server exclusively through tunnels (TOR or VPN is another matter). Thus, the server will be cut off from the outside world as much as possible, and only we ourselves will be able to affect its availability.

Non-repudiation - And this depends on further operation and on compliance with correct policies for user rights, access, and so on. But with the right approach, all user actions are audited, and thanks to cryptographic solutions it is possible to identify unambiguously who performed certain actions and when.

Of course, the described configuration is not an absolute example of how it should always be; rather, it is one example of how it can be, while retaining very flexible scaling and customization options.

What about full virtualization?

You can read about full virtualization using cbsd here. I will only add that for bhyve to work you need to enable some kernel options.

# cat /etc/rc.conf

...
kld_list="vmm if_tap if_bridge nmdm"
...

# cat /boot/loader.conf

...
vmm_load="YES"
...

So if you suddenly need to run docker, then install debian and go!

That's all

I think that is all I wanted to share. If you liked the article, you can send me some bitcoins - bc1qu7lhf45xw83ddll5mnzte6ahju8ktkeu6qhttc. If you want to try jails in action and have some bitcoins, you can visit my pet project.

Source: www.habr.com