Linux tips & tricks: server, open up

For those who need to give themselves and their loved ones access to their servers from anywhere in the world via SSH / RDP / whatever: an RTFM / small cheat sheet.

Without a VPN or other bells and whistles, from any device that happens to be at hand.

And without having to do too much gymnastics with the server.

All you need for this is knockd, straight hands and 5 minutes of work.

"Everything is on the internet", yes (even on Habr), but when it comes to a specific setup, that is where the fun begins...

We will use Fedora / CentOS as the example, but it does not really matter.

The cheat sheet is meant for both beginners and experts on the subject, so there will be comments, but they will be brief.

1. Server

  • install knock-server:
    yum/dnf install knock-server

  • configure it (for ssh, as an example) in /etc/knockd.conf:

    [options]
        UseSyslog
        interface = enp1s0f0
    [SSHopen]
        sequence        = 33333,22222,11111
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout     = 3600
        stop_command    = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    [SSHclose]
        sequence        = 11111,22222,33333
        seq_timeout     = 5
        tcpflags        = syn
        command         = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

    The "open" section is set up to close again after an hour. You never know...

  • /etc/sysconfig/iptables:

    ...
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
    ...

  • then:

    service iptables restart
    service knockd start

  • you can add RDP to a Windows Server running on the inside (/etc/knockd.conf; substitute the interface name to match yours):

    [RDPopen]
        sequence        = 44444,33333,22222
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -t nat -A PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
        cmd_timeout     = 3600
        stop_command    = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
    [RDPclose]
        sequence        = 22222,33333,44444
        seq_timeout     = 5
        tcpflags        = syn
        command         = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2

    We watch all our knocks from the client on the server with the command iptables -S.

2. Guide to the pitfalls

knockd.conf:

The man page has all of this too (though not quite accurately), but knockd is stingy with its messages, so you have to be very careful.

  • Version
    In the Fedora / CentOS repositories the latest knockd today is 0.63. If you want UDP, look at package 0.70.
  • Interface
    In the default Fedora/CentOS config this line is missing. Add it by hand, otherwise it will not work.
  • seq_timeout
    Here you can choose to taste. What matters is that the client has enough time to knock, and that a port-scanning bot breaks its teeth on it (146% guaranteed).
  • start/stop/command
    If there is one command, use command; if there are two, use start_command + stop_command.
    If you get this wrong, knockd stays silent, but it does not work.
  • tcpflags
    In theory UDP can be used. In practice I mixed tcp and udp, and a client on a beach in Bali managed to open the gate only on the fifth try: the TCP packets arrived as required, the UDP ones did not. But this is a matter of taste, again.
  • sequences
    A known feature is that the sequences must not intersect...

For example, this:

open: 11111,22222,33333
close: 22222,11111,33333

On 11111 the open sequence waits for the next knock on 22222. But after that (22222) the close sequence starts matching too, and everything falls apart. This also depends on the client's delay. Such things ©.

iptables

If /etc/sysconfig/iptables contains this:
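As an added example (not from the article), a small Python linter for knockd.conf that checks the three pitfalls listed above: a missing interface line, command used together with or instead of start_command + stop_command, and sequences that intersect (one door's first port sitting inside another door's sequence). The sample config and its door names are constructed for the demo.

```python
# Constructed knockd.conf (not from the article) with three of the pitfalls above:
# no "interface" line, start_command without stop_command, and a close sequence
# whose first port sits in the middle of the open sequence.
SAMPLE_CONF = """
[options]
    UseSyslog
[SSHopen]
    sequence      = 11111,22222,33333
    start_command = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 3600
[SSHclose]
    sequence      = 22222,11111,33333
    command       = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""

def parse_knockd_conf(text):
    """Minimal reader for knockd's INI-like file; flag lines like UseSyslog map to True."""
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
        elif line:
            current[line] = True
    return sections

def lint_knockd_conf(text):
    """Return findings for the pitfalls this section lists (empty list = clean)."""
    conf = parse_knockd_conf(text)
    findings = []
    if "interface" not in conf.get("options", {}):
        findings.append("options: 'interface' is missing, knockd will hear nothing")
    doors = {name: sec for name, sec in conf.items() if name != "options"}
    for name, sec in doors.items():
        start, stop = "start_command" in sec, "stop_command" in sec
        if ("command" in sec) == (start or stop) or start != stop:
            findings.append(f"{name}: use 'command' alone, or 'start_command' with 'stop_command'")
    # Port lists per door; a "port:proto" entry (knockd 0.70 syntax) keeps only the port.
    seqs = {n: [p.strip().split(":")[0] for p in s["sequence"].split(",")]
            for n, s in doors.items() if "sequence" in s}
    for a, seq_a in seqs.items():
        for b, seq_b in seqs.items():
            if a != b and seq_b[0] in seq_a[:-1]:
                findings.append(f"{a}: knocking {seq_b[0]} mid-sequence also starts door '{b}'")
    return findings
```

Run lint_knockd_conf on your own /etc/knockd.conf text before restarting knockd; the article's SSHopen/SSHclose pair (33333,22222,11111 and 11111,22222,33333) passes the sequence check.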

*nat
:PREROUTING ACCEPT [0:0]

that does not bother us much, but this:

*filter
:INPUT ACCEPT [0:0]
...
-A INPUT -j REJECT --reject-with icmp-host-prohibited

gets in the way.

Since knockd appends its rules to the end of the INPUT chain, we get rejected.

And removing this reject means leaving the box open to all the winds.

To avoid digging through iptables to work out what has to go before what (as some people suggest), let us keep it simple:

  • the default first rule on CentOS/Fedora ("whatever is not forbidden is allowed") is replaced by its opposite,
  • and the last rule is removed.

The result should be:

*filter
:INPUT DROP [0:0]
...
#-A INPUT -j REJECT --reject-with icmp-host-prohibited

You could use REJECT instead of DROP, but with DROP life gets much more fun for the bots.
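An added example (not from the article) that replays the ordering problem above with a tiny first-match evaluator for the INPUT chain: the stock filter table with its trailing REJECT, the variant recommended here (policy DROP, REJECT commented out), and the ACCEPT rule knockd's start_command appends for a client. The rule excerpts and the client address 203.0.113.7 are constructed.

```python
# Constructed excerpts of /etc/sysconfig/iptables (not the article's full file):
# the stock filter table with its trailing REJECT, and the variant this section
# recommends (policy DROP, REJECT line commented out). KNOCK_RULE is what knockd's
# start_command appends for a client at 203.0.113.7 (a documentation address).
STOCK_RULES = """
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
FIXED_RULES = (STOCK_RULES.replace(":INPUT ACCEPT", ":INPUT DROP")
               .replace("-A INPUT -j REJECT", "#-A INPUT -j REJECT"))
KNOCK_RULE = "-A INPUT -s 203.0.113.7 -p tcp --dport 22 -j ACCEPT"

def parse_rules(text):
    """Return (policy, rules) for the INPUT chain of an iptables-save style dump."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tokens = line.split()
        if line.startswith(":INPUT"):
            policy = tokens[1]
        elif tokens[:2] == ["-A", "INPUT"]:          # commented "#-A" lines are skipped
            rule = {"target": tokens[tokens.index("-j") + 1]}
            for flag, key in (("-s", "src"), ("-p", "proto"), ("--dport", "dport")):
                if flag in tokens:
                    rule[key] = tokens[tokens.index(flag) + 1]
            rules.append(rule)
    return policy, rules

def verdict(text, src, proto, dport):
    """First matching rule wins; if nothing matches, the chain policy applies."""
    policy, rules = parse_rules(text)
    packet = {"src": src, "proto": proto, "dport": str(dport)}
    for rule in rules:
        if all(packet[k] == v for k, v in rule.items() if k != "target"):
            return rule["target"]
    return policy

def verdict_after_knock(base_rules, src, proto, dport):
    """knockd's start_command uses -A, so its ACCEPT lands at the end of INPUT."""
    return verdict(base_rules + KNOCK_RULE + "\n", src, proto, dport)
```

With the stock rules the knock client's SSH packet still hits REJECT; with the fixed rules it is accepted, while everyone else's port 22 traffic falls through to the DROP policy.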

3. Client

This part is the most interesting (in my view), because you need to work not only from a beach, but from any device.

In principle, several clients are listed on the project site, but that is from the same "everything is on the internet" series. So I will write down what works here and now.

When choosing a client, make sure it supports a delay between packets. Yes: the difference between a beach and 100 megabits is no guarantee that the packets will arrive in the right order at the right time from a given location.

And yes, when setting up the client you will have to pick the delay yourself. Too long a timeout and the bots will get at you; too short and the client will not make it in time. Too long a delay and the client will not make it in time or there will be a conflict between sequences (see "pitfalls"); too short and packets get lost on the internet.

With timeout = 5 s, a delay of 100..500 ms is a fully working option.

Windows

Funny as it sounds, Google at least finds no intelligible client for this platform: one whose CLI supports delay and TCP, and works without a song and dance.

Alternatively, you could try this one. Apparently my Google is not what it used to be.

Linux

Everything is simple here:

dnf install knock -y
knock -d <delay> <dst_ip> 11111 22222 33333

macOS

The easiest way is to install the port from homebrew:
brew install knock
and write the batch files of commands you need, like:

#!/bin/sh
knock -d <delay> <dst_ip> 11111 22222 33333

iOS

A working option is KnockOnD (free, from the store).

Android

"Port Knocking". Not an advertisement, it just works. And the developers are responsive.

P.S. Written for Habr, yes, God willing, one day...

UPD1: thanks to a kind person, a working client for Windows was found.
UPD2: Another kind person reminded me that adding new rules at the end of iptables does not always help. But: it depends.

Source: www.habr.com
