Linux tips & tricks: server, open up

For those who want to give themselves, their loved ones and friends access to their servers from anywhere in the world via SSH/RDP/whatever: a small RTFM/crib sheet.

It has to work without a VPN and other bells and whistles, from whatever device is at hand.

And without too much wrestling with the server.

All you need for this is knockd, straight hands and five minutes of work.

"It's all on the Internet," yes (even on Habré), but when it comes to actually doing it, that's where it starts...

We'll use Fedora/CentOS as the example, but that doesn't really matter.

The crib sheet is meant for both beginners and experts in the subject, so there will be explanations, but they will be brief.

1. Server

  • install the knock server:
    yum/dnf install knock-server

  • configure it (the SSH example) - /etc/knockd.conf:

    [options]
        UseSyslog
        interface = enp1s0f0
    [SSHopen]
        sequence        = 33333,22222,11111
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout     = 3600
        stop_command    = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    [SSHclose]
        sequence        = 11111,22222,33333
        seq_timeout     = 5
        tcpflags        = syn
        command         = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

    The "open" door is configured to close itself after one hour (cmd_timeout is the number of seconds knockd waits after start_command before running stop_command). You never know...

  • /etc/sysconfig/iptables (knockd captures the knocks with libpcap, so it sees the SYNs even when the firewall drops them; accepting the knock ports as below is harmless, but it is not what makes knockd work):

    ...
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
    ...

  • then:

    service iptables restart
    service knockd start

  • you can add RDP to a real Windows Server spinning somewhere inside (/etc/knockd.conf; replace the interface name to taste):

    [RDPopen]
        sequence        = 44444,33333,22222
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -t nat -A PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
        cmd_timeout     = 3600
        stop_command    = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
    [RDPclose]
        sequence        = 22222,33333,44444
        seq_timeout     = 5
        tcpflags        = syn
        command         = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2

    We check every knock from the client on the server with iptables -S (and iptables -t nat -S for the RDP door). Note that the DNAT rule only rewrites the destination: the box also needs net.ipv4.ip_forward=1 and a FORWARD rule that lets the forwarded traffic through, and the Windows host's replies must route back through this server (or be SNATed), otherwise RDP just times out.

2. Guide to the rakes (pitfalls)

knockd.conf:

The man page has it all too (but that's not certain), and knockd is a friend who is stingy with messages, so you have to be careful.

  • version
    In the Fedora/CentOS repositories the latest as of today is 0.63. Whoever needs UDP - look for 0.70 packages.
  • interface
    In the default Fedora/CentOS config this line is absent. Add it by hand, otherwise it won't work.
  • seq_timeout
    Here you pick to taste. What matters is that the client has enough time for all the knocks, while a port-scanning bot fails the sequence (and it will scan, 146% guaranteed).
  • start_command/stop_command/command
    If there is one command, use command; if there are two, use start_command + stop_command.
    Get it wrong and knockd keeps quiet, but it doesn't work.
  • protocol
    In theory UDP can be used. In practice I mixed tcp and udp, and a client from the seashore in Bali could only open the gate on the fifth attempt. Because TCP arrived as it should, but UDP is not guaranteed. But this is a matter of taste, again.
  • sequences
    The particular rake here is that the sequences must not overlap... how to put it...

For example, this:

open: 11111,22222,33333
close: 22222,11111,33333

After 11111 the open door waits for the next knock on 22222. But right after that (22222) the close door starts working as well, and everything falls apart. It also depends on the client's delay. Things like that ©.
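The rakes above are all things knockd will not tell you about. Here is a small linter, added as an example and not part of the article or of the knockd project, that parses the knockd.conf syntax shown on this page and reports a missing interface line, doors that have neither command nor both start_command/stop_command (or mix the two forms), doors without an explicit seq_timeout, and every port used by more than one door together with its position in each sequence, so overlaps like the one above can be seen before they bite. The embedded sample config is constructed from the page's SSH doors with the interface line deliberately left out and an RDP door that mixes both command forms.

```python
"""Lint a knockd.conf for the pitfalls listed above (added example, not knockd code)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the page's SSH doors, minus `interface`, plus a broken RDP door.
SAMPLE_CONF = """\
[options]
    UseSyslog
[SSHopen]
    sequence        = 33333,22222,11111
    seq_timeout     = 5
    tcpflags        = syn
    start_command   = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout     = 3600
    stop_command    = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
[SSHclose]
    sequence        = 11111,22222,33333
    seq_timeout     = 5
    tcpflags        = syn
    command         = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
[RDPopen]
    sequence        = 44444,33333,22222
    tcpflags        = syn
    command         = echo open
    start_command   = echo open
    stop_command    = echo close
"""


def parse_knockd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; bare flags such as UseSyslog get an empty value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def sequence_ports(spec: str) -> List[int]:
    """'33333,22222:udp,11111' -> [33333, 22222, 11111] (protocol suffix dropped)."""
    return [int(p.split(":")[0]) for p in spec.split(",") if p.strip()]


def shared_ports(doors: Dict[str, List[int]]) -> Dict[int, List[Tuple[str, int]]]:
    """Map every port used by more than one door to [(door, position in sequence), ...]."""
    where: Dict[int, List[Tuple[str, int]]] = defaultdict(list)
    for name, seq in doors.items():
        for pos, port in enumerate(seq):
            where[port].append((name, pos))
    return {port: hits for port, hits in where.items() if len({d for d, _ in hits}) > 1}


def lint_knockd_conf(text: str) -> List[str]:
    """Return human-readable problems; an empty list means nothing was flagged."""
    conf = parse_knockd_conf(text)
    problems: List[str] = []
    if "interface" not in conf.get("options", {}):
        problems.append("[options]: no 'interface' line; add the interface knockd should sniff on")
    doors: Dict[str, List[int]] = {}
    for name, body in conf.items():
        if name == "options":
            continue
        single = "command" in body
        paired = "start_command" in body and "stop_command" in body
        if single and ("start_command" in body or "stop_command" in body):
            problems.append(f"[{name}]: mixes 'command' with start_command/stop_command; use one form")
        elif not (single or paired):
            problems.append(f"[{name}]: needs 'command' or both start_command and stop_command")
        if "seq_timeout" not in body:
            problems.append(f"[{name}]: no seq_timeout; set it so the client's delays fit inside it")
        if "sequence" in body:
            doors[name] = sequence_ports(body["sequence"])
        else:
            problems.append(f"[{name}]: no 'sequence'")
    for port, hits in sorted(shared_ports(doors).items()):
        places = ", ".join(f"{door}#{pos}" for door, pos in hits)
        problems.append(f"port {port} is used by several doors ({places}); check they cannot trip each other")
    return problems


if __name__ == "__main__":
    for problem in lint_knockd_conf(SAMPLE_CONF):
        print(problem)
```

Run it against the real file with `lint_knockd_conf(open("/etc/knockd.conf").read())`. The shared-port report is deliberately informational: the page's own open/close pair shares all three ports in reverse order and works, so the decision stays with you.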

iptables

If /etc/sysconfig/iptables has this:

*nat
:PREROUTING ACCEPT [0:0]

that didn't bother us, but this:

*filter
:INPUT ACCEPT [0:0]
...
-A INPUT -j REJECT --reject-with icmp-host-prohibited

gets in the way.

Since knockd appends its rules to the end of the INPUT chain, and iptables stops at the first matching rule, the catch-all REJECT above always wins and we get rejected.

And removing that REJECT means leaving the gates wide open.

To avoid getting lost in iptables over what to insert before what (as people suggest), let's keep it simple:

  • the default CentOS/Fedora policy ("whatever isn't forbidden is allowed") is replaced with the opposite,
  • and we drop the last rule.

The result should be:

*filter
:INPUT DROP [0:0]
...
#-A INPUT -j REJECT --reject-with icmp-host-prohibited

You can, of course, use REJECT instead of DROP, but with DROP life gets more entertaining for the bots. Make sure the stock "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule stays in place: with a DROP policy it is what lets replies to the server's own connections back in. The alternative, hinted at in UPD2 below, is to leave the REJECT where it is and have knockd put its rule at the top with iptables -I INPUT instead of -A.
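To make the ordering problem concrete, here is a small model of first-match chain evaluation, added as an example and not code from the article or from iptables. It understands only the matches used on this page (-s, -p, --dport, -m state --state, -j) and evaluates a knocked-open SSH SYN against three variants of the filter table: the stock chain with the knockd rule appended by -A (the REJECT wins), the same chain with the rule inserted at the top by -I, and the article's fix (DROP policy, REJECT removed, rule appended). The rule lines and the client address 203.0.113.7 are constructed for the demonstration.

```python
"""First-match model of an iptables chain (added example, not iptables code)."""
import shlex
from typing import Dict, List

Packet = Dict[str, str]   # keys: src, proto, dport, state

# Constructed: the stock CentOS/Fedora INPUT chain plus the three knock ports from the page.
STOCK_RULES = [
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT",
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT",
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
]
# What knockd's start_command adds for a client at 203.0.113.7 (constructed address).
KNOCK_OPEN = "-A INPUT -s 203.0.113.7 -p tcp --dport 22 -j ACCEPT"
SSH_SYN: Packet = {"src": "203.0.113.7", "proto": "tcp", "dport": "22", "state": "NEW"}


def parse_rule(rule: str) -> Dict[str, str]:
    """Reduce an `-A INPUT ... -j TARGET` line to its match fields and target."""
    toks = shlex.split(rule)
    spec: Dict[str, str] = {}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-A", "-I"):            # chain name (and optional -I position) is irrelevant here
            i += 2
            if t == "-I" and i < len(toks) and toks[i].isdigit():
                i += 1
            continue
        if t == "-m":                     # match module name; its own options are handled below
            i += 2
            continue
        if t == "-s":
            spec["src"] = toks[i + 1]
        elif t == "-p":
            spec["proto"] = toks[i + 1]
        elif t == "--dport":
            spec["dport"] = toks[i + 1]
        elif t == "--state":
            spec["state"] = toks[i + 1]
        elif t == "-j":
            spec["target"] = toks[i + 1]
        elif t == "--reject-with":
            pass                          # target option, not a match
        else:
            raise ValueError(f"unsupported token {t!r} in {rule!r}")
        i += 2
    return spec


def rule_matches(spec: Dict[str, str], packet: Packet) -> bool:
    """Every match present in the rule must hold; absent matches are wildcards."""
    for field in ("src", "proto", "dport"):
        if field in spec and spec[field] != packet[field]:
            return False
    if "state" in spec and packet["state"] not in spec["state"].split(","):
        return False
    return True


def verdict(policy: str, rules: List[str], packet: Packet) -> str:
    """The first matching rule decides; if none matches, the chain policy applies."""
    for rule in rules:
        spec = parse_rule(rule)
        if rule_matches(spec, packet):
            return spec["target"]
    return policy


def add_rule(rules: List[str], rule: str, at_top: bool) -> List[str]:
    """`iptables -I CHAIN` puts the rule first, `iptables -A CHAIN` puts it last."""
    return [rule] + rules if at_top else rules + [rule]


def compare() -> Dict[str, str]:
    """Verdict for the knocked client's SSH SYN under the three layouts discussed above."""
    without_reject = [r for r in STOCK_RULES if "REJECT" not in r]
    return {
        "stock, knockd rule appended (-A)": verdict("ACCEPT", add_rule(STOCK_RULES, KNOCK_OPEN, False), SSH_SYN),
        "stock, knockd rule inserted (-I)": verdict("ACCEPT", add_rule(STOCK_RULES, KNOCK_OPEN, True), SSH_SYN),
        "DROP policy, REJECT removed, -A": verdict("DROP", add_rule(without_reject, KNOCK_OPEN, False), SSH_SYN),
    }


if __name__ == "__main__":
    for layout, result in compare().items():
        print(f"{layout:40s} -> {result}")
```

The same model shows the other half of the fix: with the DROP policy and no REJECT line, a SYN to port 22 from an address that has not knocked falls through every rule and hits the policy, so it is dropped silently rather than answered with an ICMP prohibited message.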

3. Client

This part is the most interesting (from my point of view), since you need to work not just from any shore but from any device.

In short, a list of clients is on the project site, but that's from the same "it's all on the Internet" category. So I'll write down what actually works, here and now, at my fingertips.

When choosing a client, make sure it supports a delay option between packets. Yes, shores differ, and a hundred megabits never guarantees that the packets will arrive in the right order at the right time from a given location.

And yes, when setting up the client you have to pick the delay yourself. Too long a server timeout and bots get through; too short and the client doesn't make it in time. Too long a delay and the client doesn't fit into the timeout, or you get silly collisions (see the rakes); too short and packets get lost on the Internet.

With timeout=5s, a delay of 100..500ms is a fully working option.
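Since a client with a delay option turns out to be the hard part on some platforms, here is a minimal cross-platform one in Python, added as an example and not code from the article or from the knock(1) client. Each knock is a non-blocking TCP connect() attempt: the kernel puts the SYN on the wire immediately, which is all knockd sniffs for, and the socket is closed without waiting for an answer. Before sending it refuses a sequence whose total send time cannot fit inside the door's seq_timeout, the client/server mismatch described above. The host 192.0.2.10 is a placeholder from the TEST-NET range, and the sender/sleep parameters exist only so the sequence can be exercised without a network.

```python
"""Port-knock client with an explicit inter-knock delay (added example, not knock(1))."""
import socket
import time
from typing import Callable, List, Sequence, Tuple


def check_timing(ports: Sequence[int], delay_ms: int, seq_timeout_s: float) -> float:
    """Seconds between the first and last knock; raise if the door would reset first."""
    span = (len(ports) - 1) * delay_ms / 1000.0
    if span >= seq_timeout_s:
        raise ValueError(f"{len(ports)} knocks {delay_ms} ms apart span {span:.1f}s, "
                         f"but the door's seq_timeout is {seq_timeout_s}s")
    return span


def send_syn(host: str, port: int) -> None:
    """One knock: start a TCP handshake and immediately walk away from it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setblocking(False)
        s.connect_ex((host, port))   # returns EINPROGRESS/WOULDBLOCK; the SYN has already left


def knock(host: str, ports: Sequence[int], delay_ms: int, seq_timeout_s: float = 5.0,
          sender: Callable[[str, int], None] = send_syn,
          sleep: Callable[[float], None] = time.sleep) -> List[Tuple[int, float]]:
    """Send the sequence with `delay_ms` between knocks; return [(port, seconds since start)]."""
    check_timing(ports, delay_ms, seq_timeout_s)
    sent: List[Tuple[int, float]] = []
    t0 = time.monotonic()
    for i, port in enumerate(ports):
        if i:
            sleep(delay_ms / 1000.0)
        sender(host, port)
        sent.append((port, time.monotonic() - t0))
    return sent


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # placeholder address
    for port, elapsed in knock(target, [33333, 22222, 11111], delay_ms=300):
        print(f"{elapsed:5.2f}s  SYN -> {target}:{port}")
```

Usage: `python knock.py <dst_ip>` sends the page's SSH open sequence 300 ms apart; ssh to the server afterwards. Because the SYN leaves before connect_ex returns, the delay between knocks is exactly the configured one regardless of whether the server drops or rejects the knock ports.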

Windows

Funny as it is, finding a sane knock client for this platform via Google is not trivial. One whose CLI supports delays and TCP, with no frills.

Alternatively, you can try this. Obviously my Google-fu isn't great.

Linux

Everything is simple here (the -d delay is in milliseconds):

dnf install knock -y
knock -d <delay> <dst_ip> 11111 22222 33333

MacOS

The easiest way is to install the port from brew:
brew install knock
and make the batch scripts you need, along the lines of:

#!/bin/sh
knock -d <delay> <dst_ip> 11111 22222 33333

iOS

A working option is KnockOnD (free, from the store).

Android

"Knock on Ports". Not an advertisement, it simply works. And the developers are very responsive.

PS The markup on Habré, yes, God bless it someday...

UPD1: thanks to the kind person who found a working client for Windows.
UPD2: Another kind person reminded me that inserting new rules at the end of iptables isn't always helpful. But - it depends.

Source: www.habr.com
