Bitcoin in a cage?

It so happens that by profession I am an administrator of computer systems and networks (in short: a system administrator), and for a little over ten years I have had the chance to work professionally with a wide variety of systems, including those that require [heightened] security measures. It also happened that some time ago I became interested in bitcoin, and not only used it, but also launched several micro-services in order to learn how to work independently with the Bitcoin network (it is p2p, after all) from a developer's point of view (I am that kind of dev, of course, just passing by). But I am not going to talk about development here; I am going to talk about a secure and efficient environment for applications.

Financial technology (fintech) goes hand in hand with information security (infosec). The first can work without the second, but not for long. That is why I want to share my experience and the set of tools I use, which covers both fintech and infosec, and which can at the same time be used for a broader or completely different purpose. In this article I will tell you not so much about Bitcoin as about an infrastructure model for developing and operating financial (and not only financial) services, in a word, those services where "B" matters. This applies both to a Bitcoin exchange and to the typical corporate zoo of services in a small company that has nothing to do with Bitcoin.

I want to note that I am a supporter of the principles "keep it simple" and "less is more", so both the article and what is described in it will have the properties these principles are about.

Hypothetical scenario: let's look at everything using the example of a bitcoin exchanger. We decided to launch the exchange of rubles, dollars and euros for bitcoins and back, and we already have a working solution, but for other digital money such as qiwi and webmoney, i.e. we have closed all legal issues and we have a ready-made application that works as a payment gateway for rubles, dollars, euros and other payment systems. It is connected to our bank accounts and has some kind of API for our end applications. We also have a web application that acts as the exchanger for users, much like a typical qiwi or webmoney account: create an account, add a card, and so on. It communicates with our gateway application via a REST API on the local network. And so we decided to connect bitcoins and at the same time upgrade the infrastructure, because ... Initially everything was hastily brought up on virtual boxes in the office under the desk ... the site began to be used, and we started to worry about uptime and performance.

So, let's start with the main thing: choosing a server. Because the business in our example is small and we trust the hoster (OVH), we will choose a budget option in which it is impossible to install the system from the original .iso image, but that doesn't matter, the IT security department will certainly analyze the installed image. When we grow, we will rent our own rack under lock and key with restricted physical access, and maybe we will build our own DC. In any case, it is worth remembering that when you rent hardware and install ready-made images, there is a chance that you will have a "Trojan from the hoster" hanging on your system, which in most cases is not intended to spy on you but to provide more convenient server management tools.

Server installation

Everything is simple here. We choose the hardware that suits our needs. Then we select the FreeBSD image. Or we connect (in the case of another hoster or our own hardware) via IPMI or with a monitor and feed the FreeBSD .iso image into the boot. For orchestration I use Ansible and mfsbsd. The only thing is that, in our case with kimsufi, we chose a custom installation so that the two disks in the mirror have only the boot and /home partitions "open"; the rest of the disk space will be encrypted, but more on that later.

The system installation proceeds in the standard way and I will not dwell on it. I will only note that before you start operating the system it is worth paying attention to the hardening options that bsdinstaller offers at the end of the installation (if you install the system yourself):

There is good material on this topic; I will briefly repeat it here.

It is also possible to enable the parameters mentioned above on an already installed system. To do this, you need to edit the boot configuration file and enable the kernel parameters. *ee is an editor in BSD

# ee /etc/rc.conf

...
#sec hard
clear_tmp_enable="YES"
syslogd_flags="-ss"    
sendmail_enable="NONE"

# ee /etc/sysctl.conf

...
#sec hard
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
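# sysctl.conf is not processed by a shell, so $(jot -r 1 9999) would not be expanded;
# on FreeBSD 12 and later the value 1 makes the kernel pick a random PID modulus
kern.randompid=1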
security.bsd.stack_guard_page=1

You should also make sure that you have the latest version of the system installed, and perform all updates and upgrades. In our case, for example, an upgrade to the latest version is required, because ... pre-installed images lag behind by six months to a year. Then we change the SSH port to something other than the default, add key authentication and disable password authentication.

Then we set up aide, which monitors the state of the system's configuration files. You can read about it in more detail here.

pkg install aide

and edit our crontab

crontab -e

06 01 * * 0-6 /root/chkaide.sh

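#!/bin/sh
# chkaide.sh - daily AIDE integrity check; builds a short dated report in /tmp
MYDATE=$(date +%Y-%m-%d)
MYFILENAME="Aide-${MYDATE}.txt"
# Report header with the time of the run
/bin/echo "Aide check !! $(date)" > "/tmp/$MYFILENAME"
# The full output of the check is kept in /tmp/myAide.txt
/usr/local/bin/aide --check > /tmp/myAide.txt
# Copy the output into the report, dropping lines that contain "failed"
/usr/bin/grep -v failed /tmp/myAide.txt >> "/tmp/$MYFILENAME"
/bin/echo "**************************************" >> "/tmp/$MYFILENAME"
# Append the last 20 lines of the output (the summary) once more
/usr/bin/tail -20 /tmp/myAide.txt >> "/tmp/$MYFILENAME"
/bin/echo "****************DONE******************" >> "/tmp/$MYFILENAME"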

We enable system auditing

sysrc auditd_enable=YES

# service auditd start

How to administer it is described very well in the handbook.

Now we reboot and move on to the software on the server. Each server is a hypervisor for containers or full virtual machines. Therefore, it is important that the processor supports VT-x and EPT if we plan to use full virtualization.

To manage containers and virtual machines I use cbsd by olevole. I wish him more health and blessings for this wonderful utility!

Containers? Docker again or what?

But no. FreeBSD Jails are an excellent tool for containerization, and the cbsd mentioned above orchestrates these containers, which are called jails (cells).

A jail is an extremely efficient solution for building infrastructure for various purposes where complete isolation of individual services or processes is ultimately required. Essentially it is a clone of the host system, but it does not need full hardware virtualization. Thanks to this, resources are spent not on a "guest OS" but only on the work being done. When jails are used for internal needs, this is a very convenient way to use resources optimally: a bunch of jails on one hardware server can each use all of the server's resources if necessary. Given that different services usually need extra resources at different times, you can extract maximum performance from one server if you plan properly and balance jails between servers. If necessary, jails can also be given limits on the resources they use.

What about full virtualization?

As far as I know, cbsd supports the bhyve and XEN hypervisors. I have never used the second, but the first is a relatively recent hypervisor from FreeBSD. We will look at an example of using bhyve below.

Installing and Configuring the Host Environment

We use the ZFS file system. It is an extremely powerful tool for managing server space. Thanks to ZFS you can build arrays of various configurations directly from disks, expand space dynamically and "hot", replace dead disks, manage snapshots, and much, much more, which could be described in a whole series of articles. Let's return to our server and its disks. At the beginning of the installation we left free space on the disks for encrypted partitions. Why? So that the system comes up automatically and listens via SSH.

gpart add -t freebsd-zfs /dev/ada0

/dev/ada0p4 added!

add a disk partition on the remaining space

geli init /dev/ada0p4

enter our encryption password

geli attach /dev/ada0p4

We enter the password again and we have the device /dev/ada0p4.eli - this is our encrypted space. Then we repeat the same for /dev/ada1 and the other disks in the array. And we create a new ZFS pool.

zpool create vms mirror /dev/ada0p4.eli /dev/ada1p4.eli /dev/ada3p4.eli - Well, we have the minimum combat kit ready. A mirrored array of disks in case one of the three fails.

Creating a dataset on the new "pool"

zfs create vms/jails

pkg install cbsd - we ran the command and installed the management tool for our jails.

After cbsd is installed, it needs to be initialized:

# env workdir="/vms/jails" /usr/local/cbsd/sudoexec/initenv

Well, we answer a bunch of questions, mostly with the default answers.

*If you are using encryption, it is important that the cbsdd daemon does not start automatically until you have decrypted the disks manually or automatically (in our example this is done by zabbix)

**I also do not use NAT from cbsd, and configure it myself in pf.

# sysrc pf_enable=YES

# ee /etc/pf.conf

IF_PUBLIC="em0"
IP_PUBLIC="1.23.34.56"
JAIL_IP_POOL="192.168.0.0/24"

#WHITE_CL="{ 127.0.0.1 }"

icmp_types="echoreq"

set limit { states 20000, frags 20000, src-nodes 20000 }
set skip on lo0
scrub in all

#NAT for jails
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC

## Bitcoin network port forward
IP_JAIL="192.168.0.1"
PORT_JAIL="{8333}"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

# service pf start

# pfctl -f /etc/pf.conf

Setting up firewall policies is also a separate topic, so I will not go deep into setting up a BLOCK ALL policy and configuring whitelists; you can do this by reading the official documentation or any of the huge number of articles available on Google.

Well ... we have cbsd installed, it's time to create our first workhorse - the caged Bitcoin daemon!

cbsd jconstruct-tui

Here we see the jail creation dialog. After all the values have been set, let's create it!

When creating your first jail, you need to choose what to use as the base for jails. I choose a distribution from the FreeBSD repository with the repo command. This choice is made only when creating the first jail of a particular version (you can host jails of any version that is older than the host version).

After everything is installed, we start the jail!

# cbsd jstart bitcoind

But we need to install the software in the jail.

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind

jexec bitcoind to enter the jail

and already inside the jail we install the software with its dependencies (our host system stays clean)

bitcoind:/@[15:25] # pkg install bitcoin-daemon bitcoin-utils

bitcoind:/@[15:30] # sysrc bitcoind_enable=YES

bitcoind:/@[15:30] # service bitcoind start

There is Bitcoin in the cage, but we need anonymity because we want to connect to some jails via the TOR network. In general, we plan to run most jails with suspicious software only through a proxy. Thanks to pf, you can disable NAT for a certain range of IP addresses on the local network and allow NAT only for our TOR node. Thus, even if malware gets into a jail, it will most likely not be able to communicate with the outside world, and if it does, it will not reveal the IP of our server. Therefore, we create another jail to "forward" services as a ".onion" service and to act as a proxy for Internet access for individual jails.

# cbsd jconstruct-tui

# cbsd jstart tor

# jexec tor

tor:/@[15:38] # pkg install tor

tor:/@[15:38] # sysrc tor_enable=YES

tor:/@[15:38] # ee /usr/local/etc/tor/torrc

Set it to listen on the local address (reachable from all jails)

SOCKSPort 192.168.0.2:9050

What else do we need for complete happiness? Yes, we need a service for our web, maybe more than one. Let's start nginx, which will act as a reverse proxy and take care of renewing the Let's Encrypt certificates

# cbsd jconstruct-tui

# cbsd jstart nginx-rev

# jexec nginx-rev

nginx-rev:/@[15:47] # pkg install nginx py36-certbot

And so we put 150 MB of dependencies into the cage. And the host is still clean.

We will return to configuring nginx later; we need to bring up two more jails, one for our payment gateway on nodejs and rust and one for the web application, which for some reason is on Apache and PHP, and the latter also requires a MySQL database.

# cbsd jconstruct-tui

# cbsd jstart paygw

# jexec paygw

paygw:/@[15:55] # pkg install git node npm

paygw:/@[15:55] # curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

...and another 380 MB of packages in isolation

Next, we download our application with git and launch it.

# cbsd jconstruct-tui

# cbsd jstart webapp

# jexec webapp

webapp:/@[16:02] # pkg install mariadb104-server apache24 php74 mod_php74 php74-pdo_mysql

450 MB of packages. In a cage.

here we give the developer access via SSH directly into the jail, and they will do everything there themselves:

webapp:/@[16:02] # ee /etc/ssh/sshd_config

Port 2267 - change the jail's SSH port to any arbitrary one

webapp:/@[16:02] # sysrc sshd_enable=YES

webapp:/@[16:02] # service sshd start

Well, the service is running, all that remains is to add a rule to the pf firewall

Let's see what IPs our jails have and what our "local network" looks like in general.

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind
     2  192.168.0.2     tor.space.com                 /zroot/jails/jails/tor
     3  192.168.0.3     nginx-rev.space.com           /zroot/jails/jails/nginx-rev
     4  192.168.0.4     paygw.space.com               /zroot/jails/jails/paygw
     5  192.168.0.5     webapp.my.domain              /zroot/jails/jails/webapp

and add a rule

# ee /etc/pf.conf

## SSH for web-Devs
IP_JAIL="192.168.0.5"
PORT_JAIL="{ 2267 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

Well, since we are here, let's also add a rule for the reverse proxy:

## web-ports for nginx-rev
IP_JAIL="192.168.0.3"
PORT_JAIL="{ 80, 443 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

# pfctl -f /etc/pf.conf

Well, now a little about bitcoins

What we have: a web application that is exposed to the outside and talks locally to our payment gateway. Now we need to prepare a working environment for interacting with the Bitcoin network itself - the bitcoind node is just a daemon that keeps the local copy of the blockchain up to date. This daemon has RPC and wallet functionality, but there are more convenient "wrappers" for application development. To begin with, we decided to set up electrum, a CLI wallet. We will use this wallet as "cold storage" for our bitcoins - in general, for those bitcoins that need to be stored "outside" the system accessible to users and generally away from everyone. It also has a GUI, so we are going to use the same wallet on our laptops. For now we will use Electrum with public servers, and later we will bring up ElectrumX in another jail so as not to depend on anyone at all.

# cbsd jconstruct-tui

# cbsd jstart electrum

# jexec electrum

electrum:/@[8:45] # pkg install py36-electrum

another 700 MB of software in our cage

electrum:/@[8:53] # adduser

Username: wallet
Full name: 
Uid (Leave empty for default): 
Login group [wallet]: 
Login group is wallet. Invite wallet into other groups? []: 
Login class [default]: 
Shell (sh csh tcsh nologin) [sh]: tcsh
Home directory [/home/wallet]: 
Home directory permissions (Leave empty for default): 
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]: 
Username   : wallet
Password   : <disabled>
Full Name  : 
Uid        : 1001
Class      : 
Groups     : wallet 
Home       : /home/wallet
Home Mode  : 
Shell      : /bin/tcsh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (wallet) to the user database.
Add another user? (yes/no): no
Goodbye!
electrum:/@[8:53] # su wallet

wallet@electrum:/ % electrum-3.6 create

{
    "msg": "Please keep your seed in a safe place; if you lose it, you will not be able to restore your wallet.",
    "path": "/usr/home/wallet/.electrum/wallets/default_wallet",
    "seed": "jealous win pig material ribbon young punch visual okay cactus random bird"
}

Now we have a wallet created.

wallet@electrum:/ % electrum-3.6 listaddresses

[
    "18WEhbjvMLGRMfwudzUrUd25U5C7uZYkzE",
    "14XHSejhxsZNDRtk4eFbqAX3L8rftzwQQU",
    "1KQXaN8RXiCN1ne9iYngUWAr6KJ6d4pPas",
    ...
    "1KeVcAwEYhk29qEyAfPwcBgF5mMMoy4qjw",
    "18VaUuSeBr6T2GwpSHYF3XyNgLyLCt1SWk"
]

wallet@electrum:/ % electrum-3.6 help

From now on only a limited number of people will be able to connect to our on-chain wallet. In order not to open access to this jail from outside, SSH connections will go through TOR (a decentralized version of a VPN). We start SSH in the jail, but do not touch our pf.conf on the host.

electrum:/@[9:00] # sysrc sshd_enable=YES

electrum:/@[9:00] # service sshd start

Now let's cut the wallet jail off from the Internet. Let's give it an IP address from a different subnet space that is not NATed. First let's change /etc/pf.conf on the host

# ee /etc/pf.conf

JAIL_IP_POOL="192.168.0.0/24" we change to JAIL_IP_POOL="192.168.0.0/25", so all addresses 192.168.0.126-255 will not have direct access to the Internet. A kind of software "air-gap" network. And the NAT rule stays as it was

nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC

Reload the rules

# pfctl -f /etc/pf.conf

Now let's take up our jail

# cbsd jconfig jname=electrum

jset mode=quiet jname=electrum ip4_addr="192.168.0.200"
Remove old IP: /sbin/ifconfig em0 inet 192.168.0.6 -alias
Setup new IP: /sbin/ifconfig em0 inet 192.168.0.200 alias
ip4_addr: 192.168.0.200

Hmm, but now the system itself will stop working for us. However, we can specify a system proxy. But there is one thing: on TOR it is a SOCKS5 proxy, and for convenience we would also like an HTTP proxy.

# cbsd jconstruct-tui

# cbsd jstart polipo

# jexec polipo

polipo:/@[9:28] # pkg install polipo

polipo:/@[9:28] # ee /usr/local/etc/polipo/config

socksParentProxy = "192.168.0.2:9050"
socksProxyType = socks5

polipo:/@[9:42] # sysrc polipo_enable=YES

polipo:/@[9:43] # service polipo start

Well, now there are two proxy servers in our system, and both go out through TOR: socks5://192.168.0.2:9050 and http://192.168.0.6:8123

Now we can configure the environment of our wallet

# jexec electrum

electrum:/@[9:45] # su wallet

wallet@electrum:/ % ee ~/.cshrc

#in the end of file proxy config
setenv http_proxy http://192.168.0.6:8123
setenv https_proxy http://192.168.0.6:8123

Well, now the shell will work from behind the proxy. If we want to install packages, then we should add the following to /usr/local/etc/pkg.conf as root in the jail

pkg_env: {
               http_proxy: "http://my_proxy_ip:8123",
           }

Well, now it's time to add a TOR hidden service as the address of our SSH service in the wallet jail.

# jexec tor

tor:/@[9:59] # ee /usr/local/etc/tor/torrc

HiddenServiceDir /var/db/tor/electrum/
HiddenServicePort 22 192.168.0.200:22

tor:/@[10:01] # mkdir /var/db/tor/electrum

tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/electrum

tor:/@[10:01] # chmod 700 /var/db/tor/electrum

tor:/@[10:03] # service tor restart

tor:/@[10:04] # cat /var/db/tor/electrum/hostname

mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion

This is our address for connecting. Let's check from the local machine. But first we need to add our SSH key:

wallet@electrum:/ % mkdir ~/.ssh

wallet@electrum:/ % ee ~/.ssh/authorized_keys

ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAG9Fk2Lqi4GQ8EXZrsH3EgSrVIQPQaAlS38MmJLBabihv9KHIDGXH7r018hxqLNNGbaJWO/wrWk7sG4T0yLHAbdQAFsMYof9kjoyuG56z0XZ8qaD/X/AjrhLMsIoBbUNj0AzxjKNlPJL4NbHsFwbmxGulKS0PdAD5oLcTQi/VnNdU7iFw== user@local

Well, from a Linux client machine

user@local ~$ nano ~/.ssh/config

#remote electrum wallet
Host remotebtc
        User wallet
        Port 22
        Hostname mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
        ProxyCommand /bin/ncat --proxy localhost:9050 --proxy-type socks5 %h %p

Let's connect (for this to work, you need a local TOR daemon listening on 9050)

user@local ~$ ssh remotebtc

The authenticity of host 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:iW8FKjhVF4yyOZB1z4sBkzyvCM+evQ9cCL/EuWm0Du4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion' (ECDSA) to the list of known hosts.
FreeBSD 12.1-RELEASE-p1 GENERIC 
To save disk space in your home directory, compress files you rarely
use with "gzip filename".
        -- Dru <[email protected]>
wallet@electrum:~ % logout

Success!

In order to work with fast payments and micro-payments, we also need a Lightning Network node; in fact, this will be our main working tool with Bitcoin. c-lightning, which we will use as the daemon, has the Sparko plugin, which is a full-fledged HTTP (REST) interface and allows you to work with both off-chain and on-chain transactions. c-lightning needs bitcoind in order to function.

*There are different implementations of the Lightning Network protocol in different languages. Of those we tested, c-lightning (written in C) seemed the most stable and resource-efficient.

# cbsd jconstruct-tui

# cbsd jstart cln

# jexec cln

lightning:/@[10:23] # adduser

Username: lightning
...

lightning:/@[10:24] # pkg install git

lightning:/@[10:23] # su lightning

cd ~ && git clone https://github.com/ElementsProject/lightning

lightning@lightning:~ % exit

lightning:/@[10:30] # cd /home/lightning/lightning/

lightning:/home/lightning/lightning@[10:31] # pkg install autoconf automake gettext git gmp gmake libtool python python3 sqlite3 libsodium py36-mako bash bitcoin-utils

lightning:/home/lightning/lightning@[10:34] # ./configure && gmake && gmake install

While everything necessary is being compiled and installed, let's create an RPC user for lightningd in bitcoind

# jexec bitcoind

bitcoind:/@[10:36] # ee /usr/local/etc/bitcoin.conf

rpcbind=192.168.0.1
rpcuser=test
rpcpassword=test
#allow only c-lightning
rpcallowip=192.168.0.7/32

bitcoind:/@[10:39] # service bitcoind restart
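
The `rpcuser=test` / `rpcpassword=test` pair above is kept in clear text in bitcoind's own configuration. As an added example (not part of the original article): Bitcoin Core also accepts an `rpcauth=` line that stores only a salt and an HMAC-SHA256 of the password, and this Python code derives such a line the way Bitcoin Core's `share/rpcauth/rpcauth.py` helper does and checks a password against it. The user name `lightning` and the function names are assumptions; the addresses are the ones used on this page.

```python
import hmac
import secrets


def make_rpcauth(username, password=None, salt=None):
    """Return (rpcauth_line, password) for bitcoind's bitcoin.conf.

    The line has the form rpcauth=<user>:<salt>$<hmac_sha256(key=salt, msg=password)>.
    """
    if not username or ":" in username:
        raise ValueError("user name must be non-empty and must not contain ':'")
    if password is None:
        # URL-safe alphabet: no '#' or whitespace that could break bitcoin.conf
        password = secrets.token_urlsafe(32)
    if salt is None:
        salt = secrets.token_hex(16)  # 16 random bytes as 32 hex characters
    digest = hmac.new(salt.encode(), password.encode(), "sha256").hexdigest()
    return f"rpcauth={username}:{salt}${digest}", password


def check_rpcauth(line, username, password):
    """Verify a user name and password against an rpcauth line, as the server side would."""
    if not line.startswith("rpcauth="):
        return False
    user, _, rest = line[len("rpcauth="):].partition(":")
    salt, _, expected = rest.partition("$")
    if user != username or not salt or not expected:
        return False
    digest = hmac.new(salt.encode(), password.encode(), "sha256").hexdigest()
    return hmac.compare_digest(digest, expected)


def split_config(username, bind_ip, allow_cidr):
    """Build the two bitcoin.conf fragments: hash on the server, password on the client only."""
    line, password = make_rpcauth(username)
    server = "\n".join([
        f"rpcbind={bind_ip}",
        line,
        "#allow only c-lightning",
        f"rpcallowip={allow_cidr}",
    ])
    client = "\n".join([
        f"rpcconnect={bind_ip}",
        f"rpcuser={username}",
        f"rpcpassword={password}",
    ])
    return server, client


if __name__ == "__main__":
    # Assumed user name; IPs are the bitcoind and c-lightning jails from this page.
    server_conf, client_conf = split_config("lightning", "192.168.0.1", "192.168.0.7/32")
    print("# bitcoind jail: /usr/local/etc/bitcoin.conf")
    print(server_conf)
    print("\n# lightning jail: ~/.bitcoin/bitcoin.conf")
    print(client_conf)
```

The generated password goes only into the client's `bitcoin.conf`; bitcoind has to be restarted after its `rpcuser`/`rpcpassword` lines are replaced by the `rpcauth` line.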

My chaotic switching between jails turns out to be not so chaotic if you note the tmux utility, which lets you create multiple terminal sub-sessions within a single session. Analogue: screen

So, we do not want to reveal the real IP of our node, and we want to conduct all financial transactions via TOR. Therefore, one more .onion is needed.

# jexec tor

tor:/@[9:59] # ee /usr/local/etc/tor/torrc

HiddenServiceDir /var/db/tor/cln/
HiddenServicePort 9735 192.168.0.7:9735

tor:/@[10:01] # mkdir /var/db/tor/cln

tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/cln

tor:/@[10:01] # chmod 700 /var/db/tor/cln

tor:/@[10:03] # service tor restart

tor:/@[10:04] # cat /var/db/tor/cln/hostname

en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion

Now let's create the config for c-lightning

lightning:/home/lightning/lightning@[10:31] # su lightning

lightning@lightning:~ % mkdir .lightning

lightning@lightning:~ % ee .lightning/config

alias=My-LN-Node
bind-addr=192.168.0.7:9735
rgb=ff0000
announce-addr=en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion:9735
network=bitcoin
log-level=info
fee-base=0
fee-per-satoshi=1
proxy=192.168.0.2:9050
log-file=/home/lightning/.lightning/c-lightning.log
min-capacity-sat=200000

# sparko plugin
# https://github.com/fiatjaf/lightningd-gjson-rpc/tree/master/cmd/sparko

sparko-host=192.168.0.7
sparko-port=9737

sparko-tls-path=sparko-tls

#sparko-login=mywalletusername:mywalletpassword

#sparko-keys=masterkey;secretread:+listchannels,+listnodes;secretwrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
sparko-keys=masterkey;secretread:+listchannels,+listnodes;ultrawrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
# for the example above the initialization logs (mixed with lightningd logs) should print something like

lightning@lightning:~ % mkdir .lightning/plugins

lightning@lightning:~ % cd .lightning/plugins/

lightning@lightning:~/.lightning/plugins:% fetch https://github.com/fiatjaf/sparko/releases/download/v0.2.1/sparko_full_freebsd_amd64

lightning@lightning:~/.lightning/plugins % mkdir ~/.lightning/sparko-tls

lightning@lightning:~/.lightning/sparko-tls % cd ~/.lightning/sparko-tls

lightning@lightning:~/.lightning/sparko-tls % openssl genrsa -out key.pem 2048

lightning@lightning:~/.lightning/sparko-tls % openssl req -new -x509 -sha256 -key key.pem -out cert.pem -days 3650

lightning@lightning:~/.lightning/plugins % chmod +x sparko_full_freebsd_amd64

lightning@lightning:~/.lightning/plugins % mv sparko_full_freebsd_amd64 sparko

lightning@lightning:~/.lightning/plugins % cd ~

you also need to create a configuration file for bitcoin-cli, the utility used to communicate with bitcoind

lightning@lightning:~ % mkdir .bitcoin

lightning@lightning:~ % ee .bitcoin/bitcoin.conf

rpcconnect=192.168.0.1
rpcuser=test
rpcpassword=test

check

lightning@lightning:~ % bitcoin-cli echo "test"

[
  "test"
]

launch lightningd

lightning@lightning:~ % lightningd --daemon

lightningd itself can be controlled with the lightning-cli utility, for example:

lightning-cli newaddr get an address for a new incoming payment

{
   "address": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv",
   "bech32": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv"
}

lightning-cli withdraw bc1jufcxahfrnfhruwjgx3cq2n2ffq3lplhme878pv all send all the money in the wallet to the address (all on-chain addresses)

There are also commands for off-chain operations: lightning-cli invoice, lightning-cli listinvoices, lightning-cli pay, etc.

Well, for communication with the application we have the REST API

curl -k https://192.168.0.7:9737/rpc -d '{"method": "pay", "params": ["lnbc..."]}' -H 'X-Access: masterkey'

Let's sum up

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind
     2  192.168.0.2     tor.space.com                 /zroot/jails/jails/tor
     3  192.168.0.3     nginx-rev.space.com           /zroot/jails/jails/nginx-rev
     4  192.168.0.4     paygw.space.com               /zroot/jails/jails/paygw
     5  192.168.0.5     webapp.my.domain              /zroot/jails/jails/webapp
     7  192.168.0.200   electrum.space.com            /zroot/jails/jails/electrum
     8  192.168.0.6     polipo.space.com              /zroot/jails/jails/polipo
     9  192.168.0.7     lightning.space.com           /zroot/jails/jails/cln

We have a set of containers, each with its own level of access from and to the local network.
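
As an added example (not from the original article), the following Python check takes the `jls` listing and the `JAIL_IP_POOL` value from this page and reports which jails the pf `nat pass` rule gives direct egress and which are isolated. The `LAN` value, the `MUST_BE_ISOLATED` policy set and the function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample: the final `jls` listing shown on this page.
JLS_OUTPUT = """\
   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind
     2  192.168.0.2     tor.space.com                 /zroot/jails/jails/tor
     3  192.168.0.3     nginx-rev.space.com           /zroot/jails/jails/nginx-rev
     4  192.168.0.4     paygw.space.com               /zroot/jails/jails/paygw
     5  192.168.0.5     webapp.my.domain              /zroot/jails/jails/webapp
     7  192.168.0.200   electrum.space.com            /zroot/jails/jails/electrum
     8  192.168.0.6     polipo.space.com              /zroot/jails/jails/polipo
     9  192.168.0.7     lightning.space.com           /zroot/jails/jails/cln
"""

LAN = ipaddress.ip_network("192.168.0.0/24")           # assumed jail network
JAIL_IP_POOL = ipaddress.ip_network("192.168.0.0/25")  # JAIL_IP_POOL from pf.conf
# Assumed policy: jails that must never reach the Internet directly.
MUST_BE_ISOLATED = {"electrum.space.com"}


def parse_jls(text):
    """Map hostname -> IPv4 address, skipping the header and malformed rows."""
    jails = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        try:
            jails[fields[2]] = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # e.g. a jail listed without an IPv4 address
    return jails


def has_direct_egress(ip, pool=JAIL_IP_POOL):
    """True if the `nat pass ... from $JAIL_IP_POOL` rule applies to this address."""
    return ipaddress.ip_address(ip) in pool


def un_natted_ranges(lan, pool):
    """Sub-networks of the LAN that the NAT rule does not cover."""
    if not pool.subnet_of(lan):
        raise ValueError(f"{pool} is not inside {lan}")
    return sorted(lan.address_exclude(pool))


def audit(jls_text, pool, must_be_isolated):
    """Return (natted, isolated, violations) as sorted lists of hostnames.

    A violation is a jail that policy requires to be isolated but that is
    inside the NAT pool or missing from the listing.
    """
    jails = parse_jls(jls_text)
    natted = sorted(h for h, ip in jails.items() if ip in pool)
    isolated = sorted(h for h, ip in jails.items() if ip not in pool)
    violations = sorted(h for h in must_be_isolated if h not in isolated)
    return natted, isolated, violations


if __name__ == "__main__":
    natted, isolated, violations = audit(JLS_OUTPUT, JAIL_IP_POOL, MUST_BE_ISOLATED)
    print("not NATed:", ", ".join(str(n) for n in un_natted_ranges(LAN, JAIL_IP_POOL)))
    print("direct egress via NAT:", ", ".join(natted))
    print("isolated:", ", ".join(isolated))
    print("policy violations:", ", ".join(violations) or "none")
```

With the /25 pool the NAT rule covers 192.168.0.0-127, so the un-NATed part of the LAN is 192.168.0.128/25, and an address such as 192.168.0.126 still has direct egress.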

# zfs list

NAME                    USED  AVAIL  REFER  MOUNTPOINT
zroot                   279G  1.48T    88K  /zroot
zroot/ROOT             1.89G  1.48T    88K  none
zroot/ROOT/default     1.89G  17.6G  1.89G  /
zroot/home               88K  1.48T    88K  /home
zroot/jails             277G  1.48T   404M  /zroot/jails
zroot/jails/bitcoind    190G  1.48T   190G  /zroot/jails/jails-data/bitcoind-data
zroot/jails/cln         653M  1.48T   653M  /zroot/jails/jails-data/cln-data
zroot/jails/electrum    703M  1.48T   703M  /zroot/jails/jails-data/electrum-data
zroot/jails/nginx-rev   190M  1.48T   190M  /zroot/jails/jails-data/nginx-rev-data
zroot/jails/paygw      82.4G  1.48T  82.4G  /zroot/jails/jails-data/paygw-data
zroot/jails/polipo     57.6M  1.48T  57.6M  /zroot/jails/jails-data/polipo-data
zroot/jails/tor        81.5M  1.48T  81.5M  /zroot/jails/jails-data/tor-data
zroot/jails/webapp      360M  1.48T   360M  /zroot/jails/jails-data/webapp-data

As you can see, bitcoind takes up all of 190 GB of space. What if we need another node for testing? This is where ZFS comes in handy. With cbsd jclone old=bitcoind new=bitcoind-clone host_hostname=clonedbtc.space.com you can create a snapshot and attach a new jail to this snapshot. The new jail will have its own space, but only the difference between the current and the original state will be counted in the file system (we will save at least 190 GB)

Each jail is its own separate ZFS dataset, and this is extremely convenient. ZFS also lets you do various other cool things, such as sending snapshots over SSH. We will not describe that here, there is already a lot.

It is also worth noting the need for remote monitoring of the host; for this purpose we have Zabbix.

B - security

Regarding security, let's start from the key principles in the context of infrastructure:

Confidentiality - The standard tools of UNIX-like systems ensure that this principle is implemented. We logically separate access to each logically separate element of the system, the jail. Access is granted through standard user authentication using the users' personal keys. All communication between jails and to the end jails takes place in encrypted form. Thanks to disk encryption, we do not have to worry about the safety of data when replacing a disk or migrating to another server. The only critical access is access to the host system, since such access generally gives access to the data inside the containers.

Integrity - This principle is implemented at several levels. First, it is important to note that in the case of server hardware with ECC memory, ZFS already takes care of data integrity "out of the box" at the level of bits of information. Instant snapshots allow you to make backups at any time on the fly. Convenient jail export/import tools make jail replication simple.

Availability - This is already optional. It depends on the degree of your fame and on whether you have haters. In our example, we made sure that the wallet was accessible only from the TOR network. If necessary, you can block everything on the firewall and allow access to the server only through tunnels (TOR or VPN is another matter). Thus, the server will be cut off from the outside world as much as possible, and only we ourselves will be able to affect its availability.

Non-repudiation - This depends on further operation and on adherence to correct policies for user rights, access, and so on. But with the right approach, all user actions are audited, and thanks to cryptographic solutions it is possible to identify unambiguously who performed certain actions and when.

Of course, the configuration described is not an absolute example of how it should always be; it is rather one example of how it can be, while keeping very flexible options for scaling and customization.

What about full virtualization?

You can read about full virtualization using cbsd here. I will just add that for bhyve to work you need to enable some kernel options.

# cat /etc/rc.conf

...
kld_list="vmm if_tap if_bridge nmdm"
...

# cat /boot/loader.conf

...
vmm_load="YES"
...

So if you suddenly need to run docker, just install some debian and go!

That's all

I guess that is all I wanted to share. If you liked the article, you can send me some bitcoins - bc1qu7lhf45xw83ddll5mnzte6ahju8ktkeu6qhttc. If you want to try jails in action and have some bitcoins, you can go to my pet project.

Source: www.habr.com