For those who want to give themselves and their nearest and dearest access to their servers from anywhere in the world over SSH/RDP/whatever else: a small RTFM/cheat sheet.
We have to manage without a VPN and other bells and whistles, from whatever device happens to be at hand.
And without loading the server too heavily.
All you need for this is
"It's all on the Internet already," yes (even on
We will practise on Fedora/CentOS as the example, but that doesn't really matter.
The cheat sheet is meant for both beginners and experts in the subject, so there are explanations, but they are short.
1. Server
- install knock-server:

    yum/dnf install knock-server

- configure it (SSH as the example) in /etc/knockd.conf:

    [options]
        UseSyslog
        interface = enp1s0f0

    [SSHopen]
        sequence      = 33333,22222,11111
        seq_timeout   = 5
        tcpflags      = syn
        start_command = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout   = 3600
        stop_command  = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

    [SSHclose]
        sequence    = 11111,22222,33333
        seq_timeout = 5
        tcpflags    = syn
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

  The "open" section is set up to close the port again by itself after an hour (cmd_timeout = 3600). You never know...

- /etc/sysconfig/iptables:

    ...
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
    ...

- then:

    service iptables restart
    service knockd start

- you can add RDP to a real Windows Server sitting on the inside (/etc/knockd.conf; change the section names and ports to taste):

    [RDPopen]
        sequence      = 44444,33333,22222
        seq_timeout   = 5
        tcpflags      = syn
        start_command = iptables -t nat -A PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
        cmd_timeout   = 3600
        stop_command  = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2

    [RDPclose]
        sequence    = 22222,33333,44444
        seq_timeout = 5
        tcpflags    = syn
        command     = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2

  Two things to keep in mind here. The DNAT only rewrites the destination; the FORWARD chain still has to let the packet through to 192.168.0.2, and that host must route its replies back via this box. And if you run the RDP doors next to the SSH ones exactly as written, note that 33333 (the first port of [SSHopen]) sits in the middle of the RDP sequences and 22222 (the first port of [RDPclose]) in the middle of [SSHopen]'s, which is the overlap the next section warns about; give the RDP doors ports of their own.

  We keep an eye on all our knocks from the client on the server with

    iptables -S

  (and iptables -t nat -S for the RDP DNAT rule, since plain iptables -S only shows the filter table).
2. Guide to the rakes (the pitfalls)
knockd.conf:
The man page also has everything (well, not quite), but knockd is a friend that is stingy with messages, so be careful.
- version: in the Fedora/CentOS repositories the latest as of today is 0.63. Whoever needs UDP, look for 0.70 packages.
- interface: in the default Fedora/CentOS config this line is missing. Add it by hand, otherwise nothing works.
- timeout (seq_timeout): here you choose to taste. It has to be long enough for the client to get all its knocks in, and short enough that a port-scanner bot trips over it (and scan they will, 146% guaranteed).
- start/stop/command: if there is a single command, use command; if there are two, use start_command + stop_command. Mix them up and knockd stays silent, but doesn't work either.
- protocol: in theory UDP can be used. In practice, I mixed TCP and UDP, and a client on a beach in Bali managed to open the gate only on the fifth try, because the TCP arrived as it should, but UDP is not guaranteed. But this too is a matter of taste.
- sequence: the main rake is that the sequences must not overlap... and here is how you step on it.
For example, this:

    open:  11111,22222,33333
    close: 22222,11111,33333

Once 11111 has arrived, the open door waits for the next knock on 22222. But 22222 is also the first port of the close sequence, so from that knock on the close door is in play as well, and everything falls apart. How exactly it plays out depends on the client's delay, too. Things like that ©.
iptables
If /etc/sysconfig/iptables has this:

    *nat
    :PREROUTING ACCEPT [0:0]

it didn't bother us, but this:

    *filter
    :INPUT ACCEPT [0:0]
    ...
    -A INPUT -j REJECT --reject-with icmp-host-prohibited

does get in the way.
Since knockd appends its rules to the end of the INPUT chain, the opened port lands behind that REJECT and we get rejected anyway.
And simply deleting the REJECT means opening the box to all the winds.
So as not to get lost in iptables over what has to go before what (like this
- the default CentOS/Fedora policy ("what is not forbidden is allowed") is replaced by its opposite,
- and we remove that last rule.
The result should be:

    *filter
    :INPUT DROP [0:0]
    ...
    #-A INPUT -j REJECT --reject-with icmp-host-prohibited

You can, of course, use REJECT instead of DROP, but with DROP life gets more interesting for the bots: they sit waiting for answers that never come. (The other way out of the ordering problem is to have start_command insert with iptables -I INPUT instead of -A, so the rule lands at the top of the chain; stop_command with -D deletes it all the same.)
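As an added example (my script, not part of the original article or of knockd), here is a small Python checker for the rakes listed in this section and for the shape of the config from section 1: the missing interface line, command versus start_command/stop_command, a sequence that does not fit into seq_timeout at the delay your clients use, two doors whose sequences overlap, and the ACCEPT policy or trailing REJECT in INPUT that swallows knockd's appended rule. The sample configs inside it are constructed from the article's own snippets; the file paths in the usage note are the ones the article uses.

```python
import re

# Constructed samples, not files from the article: the knockd.conf of section 1,
# the overlapping example from the rake guide (no interface line either) and the
# stock / fixed /etc/sysconfig/iptables states described above.
GOOD_CONF = """
[options]
    UseSyslog
    interface = enp1s0f0
[SSHopen]
    sequence = 33333,22222,11111
    seq_timeout = 5
    start_command = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout = 3600
    stop_command = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
[SSHclose]
    sequence = 11111,22222,33333
    seq_timeout = 5
    command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""
BAD_CONF = """
[SSHopen]
    sequence = 11111,22222,33333
    command = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
[SSHclose]
    sequence = 22222,11111,33333
    command = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""
IPTABLES_STOCK = """
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
IPTABLES_FIXED = (IPTABLES_STOCK.replace(":INPUT ACCEPT", ":INPUT DROP")
                  .replace("-A INPUT -j REJECT", "#-A INPUT -j REJECT"))


def parse_knockd_conf(text):
    """INI-like: [section] headers, 'key = value' lines, bare flags (UseSyslog)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections[current] = {}
        elif current is None:
            raise ValueError("setting outside of any section: %r" % line)
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
        else:
            sections[current][line.lower()] = ""
    return sections


def door_ports(door):
    return [p.strip() for p in door.get("sequence", "").split(",") if p.strip()]


def lint_knockd(text, client_delay=0.5):
    """List the rakes in a knockd.conf; client_delay is the clients' inter-knock
    delay in seconds, and the whole sequence has to fit inside seq_timeout."""
    sections, problems = parse_knockd_conf(text), []
    if "interface" not in sections.get("options", {}):
        problems.append("[options]: no 'interface' line; the stock Fedora/CentOS file omits it and knockd then sees no knocks at all")
    doors = {n: d for n, d in sections.items() if n != "options"}
    for name, door in doors.items():
        ports = door_ports(door)
        if ("command" in door) == ("start_command" in door and "stop_command" in door):
            problems.append(f"[{name}]: use either 'command' or 'start_command' + 'stop_command'")
        timeout, needed = float(door.get("seq_timeout") or 0), (len(ports) - 1) * client_delay
        if timeout and needed >= timeout:
            problems.append(f"[{name}]: {len(ports)} knocks at {client_delay}s delay need {needed:g}s but seq_timeout is {timeout:g}s")
        # the sequence rake: another door's first port in the middle of this door's sequence
        for other, odoor in doors.items():
            oports = door_ports(odoor)
            if other != name and oports and oports[0] in ports[:-1]:
                problems.append(f"[{name}]: port {oports[0]} in the middle of its sequence also starts [{other}]; the two doors overlap")
    return problems


def lint_iptables(text):
    """Flag what in the filter table would swallow the ACCEPT knockd appends to INPUT."""
    problems, table = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and re.match(r":INPUT\s+ACCEPT\b", line):
            problems.append("INPUT policy is ACCEPT: make it DROP (or REJECT) so only knocked-open ports get through")
        elif table == "filter" and re.match(r"-A INPUT\s+-j\s+(REJECT|DROP)\b", line):
            problems.append(f"catch-all '{line}' at the end of INPUT: knockd's ACCEPT is appended after it and never reached")
    return problems
```

On a real box run lint_knockd(open("/etc/knockd.conf").read(), client_delay=0.5) and lint_iptables(open("/etc/sysconfig/iptables").read()); an empty list means none of the rakes above were found. The overlap rule is deliberately the one the article states (a door's first port must not appear in the middle of another door's sequence), which is why the reversed open/close pairs from section 1 pass and the example above fails.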
3. Client
This part is the most interesting (from my point of view), since you need to work not only from any beach, but from any device.
In brief, a number of clients are listed at
When choosing a client you must make sure it supports a delay option between packets. Yes, beaches differ, and even a hundred megabits don't guarantee that the packets from a given spot will arrive in the right order at exactly the right moment.
And yes, when setting the client up you have to pick the delay yourself. Too long a timeout on the server and the bots will get through, too short and the client won't make it. Too long a delay and the client won't make it in time, or there will be collisions (see "rakes"); too short and packets get lost on the Internet.
With timeout = 5 s, a delay of 100..500 ms is a perfectly working option.
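The delay and timeout rules above, as an added example that is neither from the article nor one of the clients it lists: a small Python knock client with the same shape as knock -d (delay given in milliseconds), TCP by default and UDP on request, followed by a check that the door actually opened. It assumes Python is available on the client, which also makes it a workable answer on Windows, where the article finds no clear CLI client. The `sender` and `sleep` parameters and the test address 192.0.2.10 are mine, there so the timing logic can be exercised without a network.

```python
import socket
import sys
import time


def send_tcp_syn(host, port, timeout=0.3):
    """One TCP knock. connect() emits a SYN, which is all knockd looks at with
    tcpflags = syn; the port is normally dropped, so give up after `timeout` and
    close the socket, which also stops the kernel from retransmitting the SYN."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError:
        pass  # refused or timed out: expected, the SYN still went out


def send_udp(host, port):
    """One UDP knock: a single empty datagram (knockd 0.7+, 'protocol = udp' in the door)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(b"", (host, port))


def knock(host, ports, delay=0.3, proto="tcp", sender=None, sleep=time.sleep):
    """Knock `ports` in the door's order with `delay` seconds between knocks.

    Returns [(port, seconds since the first knock)], so the caller can see
    whether the whole sequence fit inside the door's seq_timeout. `sender` and
    `sleep` can be swapped out to exercise the timing logic without a network.
    """
    if sender is None:
        sender = send_tcp_syn if proto == "tcp" else send_udp
    sent, start = [], time.monotonic()
    for i, port in enumerate(ports):
        if i:
            sleep(delay)
        sender(host, port)
        sent.append((port, time.monotonic() - start))
    return sent


def wait_for_port(host, port, timeout=5.0, interval=0.5):
    """Poll until a real TCP connection to host:port succeeds, i.e. the door
    opened and the ACCEPT rule is in place. Returns False after `timeout`."""
    deadline = time.monotonic() + timeout
    while True:
        try:
            socket.create_connection((host, port), timeout=interval).close()
            return True
        except OSError:
            if time.monotonic() >= deadline:
                return False
            time.sleep(interval)


if __name__ == "__main__":
    # usage: knock.py <host> <delay_ms> <port> [port ...]   (same shape as `knock -d`)
    host, delay_ms, *ports = sys.argv[1:]
    for port, t in knock(host, [int(p) for p in ports], delay=int(delay_ms) / 1000):
        print(f"knocked {port} at +{t:.2f}s")
    print("port 22 reachable:", wait_for_port(host, 22))
```

Run it as python knock.py <dst_ip> 300 33333 22222 11111 for the [SSHopen] door from section 1: three knocks 300 ms apart take well under the 5 s seq_timeout, and the final line tells you whether port 22 is now reachable before you start ssh. Keep the timestamps it prints next to knockd's syslog lines when a knock from a bad beach fails: if the last knock arrives after seq_timeout, lower the delay or raise the timeout.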
Windows
Funny as it sounds, a sane knock client for this platform is non-trivial to google: one whose CLI supports a delay, does TCP, and comes without frills.
Alternatively, you can try
Linux
Everything is simple here:

    dnf install knock -y
    knock -d <delay> <dst_ip> 11111 22222 33333

(-d takes the delay in milliseconds; list the ports in the order of the door you want to trigger, e.g. 33333 22222 11111 for [SSHopen] above and 11111 22222 33333 for [SSHclose].)
MacOS
The easiest way is to install the port from homebrew:

    brew install knock

and write the shell scripts you need, something like:

    #!/bin/sh
    knock -d <delay> <dst_ip> 11111 22222 33333

iOS
A working option is KnockOnD (free, from the store).
Android
"Knock on Ports". Not an advertisement, it just works. And the developers are responsive.
PS: the icon on Habr, yes, God willing, one day...
UPD1: thanks to
UPD2: one more
Source: www.habr.com