Bitcoin in a cage?

It so happens that by profession I am an administrator of computer systems and networks (in short: a sysadmin), and in my professional work I have had occasion to see a wide variety of systems, including ones that require [overly] heightened security measures. It also happened that some time ago I became interested in Bitcoin, and not only used it but also launched several micro-services in order to learn to work with the Bitcoin network (it is p2p, after all) on my own, from a developer's point of view (I am, of course, only a so-so dev, just passing by). But I am not talking about development here; I am talking about a safe and efficient environment for applications.

Financial technology (fintech) goes hand in hand with information security (infosec); the first can work without the second, but not for long. That is why I want to share my experience and the set of tools I use, which covers both fintech and infosec and can also be used for broader or entirely different purposes. In this article I will tell you not so much about Bitcoin as about an infrastructure model for developing and operating financial (and not only financial) services; in a word, those services where the "S" matters. This applies equally to a Bitcoin exchange and to the most ordinary corporate zoo of services at a small company that has nothing to do with Bitcoin.

I should note that I am a supporter of the principles "keep it simple, stupid" and "less is more", so both the article and what it describes will have the traits those principles imply.

A hypothetical scenario: let's walk through everything using the example of a bitcoin exchanger. We decided to launch the exchange of rubles, dollars and euros to bitcoins and back, and we already have a working solution, but for other digital money such as Qiwi and WebMoney; that is, we have closed all the legal questions and have a ready application that serves as a payment gateway for rubles, dollars, euros and other payment systems. It is tied to our bank accounts and has some kind of API for our end applications. We also have a web application that acts as the exchanger for users, much like a typical Qiwi or WebMoney account: create an account, add a card, and so on. It talks to our gateway application, albeit over a REST API on the local network. And so we decided to connect bitcoins and at the same time upgrade the infrastructure, because ... initially everything was hastily put up on virtual boxes in the office under a desk ... the site started being used, and we began to worry about uptime and performance.

So, let's start with the main thing: choosing a server. Because the business in our example is small and we trust the hoster (OVH), we will choose a budget option on which it is impossible to install the system from the original .iso image, but that does not matter: the IT security department will certainly analyze the installed image. When we grow, we will rent our own rack under lock and key with restricted physical access, and maybe build our own DC. In any case, it is worth remembering that when you rent hardware and install ready-made images, there is a chance that you will get a "Trojan from the hoster" sitting in your system, which in most cases is not meant to spy on you but to offer more convenient server management tools.

Installing the server

Everything is simple here. We choose the hardware that suits our needs. Then we select the FreeBSD image. Or we connect (in the case of another hoster and our own hardware) via IPMI or with a monitor and feed the FreeBSD .iso image to the boot process. For orchestrating the setup I use Ansible and mfsbsd. The only thing: in our case with Kimsufi we chose a custom installation so that the two mirrored disks have only the boot and /home partitions "open"; the rest of the disk space will be encrypted, but more on that later.

The system installation proceeds in the standard way and I will not dwell on it; I will only note that before starting operation it is worth paying attention to the hardening options that bsdinstaller offers at the end of the installation (if you install the system yourself).

There is good material on this topic; I will briefly repeat it here.

It is also possible to enable the parameters mentioned above on an already installed system. To do this, you need to edit the bootloader file and enable the kernel parameters. *ee is an editor of this kind in BSD

# ee /etc/rc.conf

...
#sec hard
clear_tmp_enable="YES"
syslogd_flags="-ss"    
sendmail_enable="NONE"

# ee /etc/sysctl.conf

...
#sec hard
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
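# sysctl.conf does not run shell substitutions such as $(jot -r 1 9999);
# the value 1 tells the kernel to choose a random PID modulus itself
kern.randompid=1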
security.bsd.stack_guard_page=1

You should also make sure that you have the latest version of the system installed, and apply all updates and upgrades. In our case, for example, upgrading to the latest version is required because the pre-installed images lag behind by six months to a year. And there we change the SSH port to something other than the default, add key authentication and disable password authentication.

Then we set up aide, which monitors the state of the system configuration files. You can read about it in more detail here.

pkg install aide

and edit our crontab

crontab -e

06 01 * * 0-6 /root/chkaide.sh

#! /bin/sh
#chkaide.sh
MYDATE=`date +%Y-%m-%d`
MYFILENAME="Aide-"$MYDATE.txt
/bin/echo "Aide check !! `date`" > /tmp/$MYFILENAME
/usr/local/bin/aide --check > /tmp/myAide.txt
/bin/cat /tmp/myAide.txt|/usr/bin/grep -v failed >> /tmp/$MYFILENAME
/bin/echo "**************************************" >> /tmp/$MYFILENAME
/usr/bin/tail -20 /tmp/myAide.txt >> /tmp/$MYFILENAME
/bin/echo "****************DONE******************" >> /tmp/$MYFILENAME
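
A variant of this check that acts on AIDE's exit status, as an added example that is not the article's script: it keeps reports in a root-only directory instead of /tmp and raises a syslog alert when anything differs. The report directory and the function names are assumptions; the exit-status meanings are the ones documented in aide(1).

```sh
#!/bin/sh
# Added example, not the article's chkaide.sh.
# Assumptions: reports go to /var/log/aide (hypothetical path) and aide comes
# from the package, as installed above.

AIDE_BIN=${AIDE_BIN:-/usr/local/bin/aide}
REPORT_DIR=${REPORT_DIR:-/var/log/aide}

# Decode the exit status of `aide --check` as documented in aide(1):
#   0 = no differences, bit 1 = new files, bit 2 = removed files,
#   bit 4 = changed files; anything above 7 (14-19 are documented) means
#   AIDE itself failed (bad config, I/O error, ...).
# Prints a short verdict; returns 0 = clean, 1 = differences, 2 = error.
aide_verdict() {
    code=$1
    if [ "$code" -eq 0 ]; then
        echo "clean"
        return 0
    fi
    if [ "$code" -gt 7 ]; then
        echo "error"
        return 2
    fi
    what=""
    if [ $(( $code & 1 )) -ne 0 ]; then what="${what}added "; fi
    if [ $(( $code & 2 )) -ne 0 ]; then what="${what}removed "; fi
    if [ $(( $code & 4 )) -ne 0 ]; then what="${what}changed "; fi
    echo "${what% }"
    return 1
}

# Run the check, keep a dated report, and alert through syslog on any
# difference or failure so the result does not depend on someone reading /tmp.
run_check() {
    umask 077                                  # report readable by root only
    mkdir -p "$REPORT_DIR" || return 2
    report="$REPORT_DIR/aide-$(date +%Y-%m-%d).txt"
    "$AIDE_BIN" --check > "$report" 2>&1
    status=$?
    verdict=$(aide_verdict "$status")
    if [ "$status" -ne 0 ]; then
        logger -p security.alert -t aide \
            "integrity check: $verdict (exit $status), report in $report"
    fi
    return "$status"
}

# Only run when invoked as "chkaide.sh run", so the file is safe to source.
if [ "${1:-}" = "run" ]; then
    run_check
fi
```

In the crontab entry above this would be called as /root/chkaide.sh run.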

We enable system auditing

sysrc auditd_enable=YES

# service auditd start

How to administer this is well described in the handbook.

Now we reboot and move on to the software on the server. Each server is a hypervisor for containers or full virtual machines. Therefore it is important that the processor supports VT-x and EPT if we plan to use full virtualization.

To manage containers and virtual machines I use cbsd by olevole; I wish him more health and blessings for this wonderful utility!

Containers? Docker again, or what?

But no. FreeBSD Jails are an excellent tool for containerization, and the cbsd mentioned above orchestrates these containers, which are called cages (jails).

A cage is an extremely effective solution for building infrastructure for various purposes where complete isolation of individual services or processes is ultimately required. In essence it is a clone of the host system, but it does not require full hardware virtualization. Thanks to this, resources are not spent on a "guest OS" but only on the work being done. When jails are used for internal needs, this is a very convenient way to use resources optimally: a bunch of jails on one hardware server can each individually use all of the server's resources if needed. Given that different sub-services usually need extra resources at different times, you can extract maximum performance from one server if you plan and balance the jails between servers properly. If necessary, jails can also be given limits on the resources they use.

What about full virtualization?

As far as I know, cbsd supports the bhyve and XEN hypervisors. I have never used the latter, but the former is a fairly young hypervisor from FreeBSD. We will look at an example of using bhyve below.

Installing and configuring the host environment

We use the ZFS file system. It is an extremely powerful tool for managing server storage. Thanks to ZFS you can build arrays of various configurations directly from disks, dynamically "hot" expand space, replace dead disks, manage snapshots, and much more, which could fill a whole series of articles. Let's get back to our server and its disks. At the beginning of the installation we left free space on the disks for encrypted partitions. Why? So that the system boots automatically and listens on SSH.

gpart add -t freebsd-zfs /dev/ada0

/dev/ada0p4 added!

add a disk partition on the remaining space

geli init /dev/ada0p4

enter our encryption password

geli attach /dev/ada0p4

We enter the password again and we have the device /dev/ada0p4.eli: this is our encrypted space. Then we repeat the same for /dev/ada1 and the rest of the disks in the array, and create a new ZFS pool.

zpool create vms mirror /dev/ada0p4.eli /dev/ada1p4.eli /dev/ada3p4.eli

Well, we have the minimal combat kit ready: a mirrored array of disks in case one of the three fails.

Creating a dataset on the new pool

zfs create vms/jails

pkg install cbsd

We ran the command and installed the management tool for our jails.

After cbsd is installed, it needs to be initialized:

# env workdir="/vms/jails" /usr/local/cbsd/sudoexec/initenv

Well, we answer a bunch of questions, mostly with the default answers.

*If you use encryption, it is important that the cbsdd daemon does not start automatically until you have decrypted the disks, manually or automatically (in our example this is done by zabbix)

**I also do not use the NAT from cbsd, and configure it myself in pf.

# sysrc pf_enable=YES

# ee /etc/pf.conf

IF_PUBLIC="em0"
IP_PUBLIC="1.23.34.56"
JAIL_IP_POOL="192.168.0.0/24"

#WHITE_CL="{ 127.0.0.1 }"

icmp_types="echoreq"

set limit { states 20000, frags 20000, src-nodes 20000 }
set skip on lo0
scrub in all

#NAT for jails
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC

## Bitcoin network port forward
IP_JAIL="192.168.0.1"
PORT_JAIL="{8333}"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

# service pf start

# pfctl -f /etc/pf.conf

Configuring firewall policies is also a separate topic, so I will not go deep into setting up a BLOCK ALL policy and whitelists; you can do that by reading the official documentation or any of the many articles available on Google.

Well... we have cbsd installed, so it is time to create our first workhorse: the caged Bitcoin daemon!

cbsd jconstruct-tui

Here we see the jail creation dialog. After all the values are set, let's create it!

When creating your first jail, you should choose what to use as the base for jails. I choose the distribution from the FreeBSD repository with the repo command. This choice is made only when creating the first jail of a specific version (you can host jails of any version that is older than the host version).

After everything is installed, we start the cage!

# cbsd jstart bitcoind

But we need to install software into the cage.

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind

jexec bitcoind - to get into the jail's console

and, already inside the jail, we install the software with its dependencies (our host system stays clean)

bitcoind:/@[15:25] # pkg install bitcoin-daemon bitcoin-utils

bitcoind:/@[15:30] # sysrc bitcoind_enable=YES

bitcoind:/@[15:30] # service bitcoind start

There is Bitcoin in the cage, but we need anonymity because we want to connect to some cages over the TOR network. In general, we plan to run most jails with suspicious software only through a proxy. Thanks to pf you can disable NAT for a certain range of IP addresses on the local network and allow NAT only for our TOR node. Thus, even if malware gets into a jail, it most likely will not reach the outside world, and if it does, it will not reveal the IP of our server. Therefore we create another jail for "forwarding" services as an ".onion" service and as a proxy for Internet access for individual jails.

# cbsd jconstruct-tui

# cbsd jstart tor

# jexec tor

tor:/@[15:38] # pkg install tor

tor:/@[15:38] # sysrc tor_enable=YES

tor:/@[15:38] # ee /usr/local/etc/tor/torrc

Set it to listen on a local address (accessible to all jails)

SOCKSPort 192.168.0.2:9050

What else do we need for complete happiness? Yes, we need a service for our web, perhaps more than one. Let's launch nginx, which will act as a reverse proxy and take care of renewing the Let's Encrypt certificates

# cbsd jconstruct-tui

# cbsd jstart nginx-rev

# jexec nginx-rev

nginx-rev:/@[15:47] # pkg install nginx py36-certbot

And so we put 150 MB of dependencies in a cage. And the host is still clean.

Let's return to configuring nginx later; we need to bring up two more jails, for our payment gateway on nodejs and rust and for the web application, which for some reason is on Apache and PHP; the latter also requires a MySQL database.

# cbsd jconstruct-tui

# cbsd jstart paygw

# jexec paygw

paygw:/@[15:55] # pkg install git node npm

paygw:/@[15:55] # curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

...and another 380 MB of packages isolated

Next, we download our application with git and launch it.

# cbsd jconstruct-tui

# cbsd jstart webapp

# jexec webapp

webapp:/@[16:02] # pkg install mariadb104-server apache24 php74 mod_php74 php74-pdo_mysql

450 MB of packages. In a cage.

Here we give the developer SSH access directly into the jail; they will do everything there themselves:

webapp:/@[16:02] # ee /etc/ssh/sshd_config

Port 2267 - change the jail's SSH port to any arbitrary one

webapp:/@[16:02] # sysrc sshd_enable=YES

webapp:/@[16:02] # service sshd start

Well, the service is running; all that remains is to add a rule to the pf firewall

Let's see what IPs our jails have and what our "local network" looks like in general.

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind
     2  192.168.0.2     tor.space.com                 /zroot/jails/jails/tor
     3  192.168.0.3     nginx-rev.space.com           /zroot/jails/jails/nginx-rev
     4  192.168.0.4     paygw.space.com               /zroot/jails/jails/paygw
     5  192.168.0.5     webapp.my.domain              /zroot/jails/jails/webapp

and add a rule

# ee /etc/pf.conf

## SSH for web-Devs
IP_JAIL="192.168.0.5"
PORT_JAIL="{ 2267 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

Well, while we are here, let's also add a rule for the reverse proxy:

## web-ports for nginx-rev
IP_JAIL="192.168.0.3"
PORT_JAIL="{ 80, 443 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

# pfctl -f /etc/pf.conf

Well, now a little about bitcoins

What we have is a web application that is exposed externally and talks locally to our payment gateway. Now we need to prepare a working environment for interacting with the Bitcoin network itself: the bitcoind node is just a daemon that keeps the local copy of the blockchain up to date. This daemon has RPC and wallet functionality, but there are more convenient "wrappers" for application development. To begin with, we decided to set up electrum, a CLI wallet. We will use this wallet as "cold storage" for our bitcoins: in general, those bitcoins that need to be stored "outside" the system accessible to users and generally away from everyone. It also has a GUI, so we will use the same wallet on our laptops. For now we will use Electrum with public servers, and later we will bring up ElectrumX in another jail so as not to depend on anyone.

# cbsd jconstruct-tui

# cbsd jstart electrum

# jexec electrum

electrum:/@[8:45] # pkg install py36-electrum

Another 700 MB of software in our cage

electrum:/@[8:53] # adduser

Username: wallet
Full name: 
Uid (Leave empty for default): 
Login group [wallet]: 
Login group is wallet. Invite wallet into other groups? []: 
Login class [default]: 
Shell (sh csh tcsh nologin) [sh]: tcsh
Home directory [/home/wallet]: 
Home directory permissions (Leave empty for default): 
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]: 
Username   : wallet
Password   : <disabled>
Full Name  : 
Uid        : 1001
Class      : 
Groups     : wallet 
Home       : /home/wallet
Home Mode  : 
Shell      : /bin/tcsh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (wallet) to the user database.
Add another user? (yes/no): no
Goodbye!
electrum:/@[8:53] # su wallet

wallet@electrum:/ % electrum-3.6 create

{
    "msg": "Please keep your seed in a safe place; if you lose it, you will not be able to restore your wallet.",
    "path": "/usr/home/wallet/.electrum/wallets/default_wallet",
    "seed": "jealous win pig material ribbon young punch visual okay cactus random bird"
}

Now we have a wallet created.

wallet@electrum:/ % electrum-3.6 listaddresses

[
    "18WEhbjvMLGRMfwudzUrUd25U5C7uZYkzE",
    "14XHSejhxsZNDRtk4eFbqAX3L8rftzwQQU",
    "1KQXaN8RXiCN1ne9iYngUWAr6KJ6d4pPas",
    ...
    "1KeVcAwEYhk29qEyAfPwcBgF5mMMoy4qjw",
    "18VaUuSeBr6T2GwpSHYF3XyNgLyLCt1SWk"
]

wallet@electrum:/ % electrum-3.6 help

From now on only a limited circle of people will be able to connect to our on-chain wallet. In order not to open access to this jail from outside, SSH connections will go through TOR (a kind of decentralized VPN). We start SSH in the jail, but do not touch our pf.conf on the host.

electrum:/@[9:00] # sysrc sshd_enable=YES

electrum:/@[9:00] # service sshd start

Now let's cut the wallet jail off from the Internet. Let's give it an IP address from another subnet that is not NATed. First, let's change /etc/pf.conf on the host

# ee /etc/pf.conf

We change JAIL_IP_POOL="192.168.0.0/24" to JAIL_IP_POOL="192.168.0.0/25", so all addresses 192.168.0.126-255 will not have direct access to the Internet. A kind of software "air-gap" network. And the NAT rule stays as it was

nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC

Reload the rules

# pfctl -f /etc/pf.conf

Now let's take on our jail

# cbsd jconfig jname=electrum

jset mode=quiet jname=electrum ip4_addr="192.168.0.200"
Remove old IP: /sbin/ifconfig em0 inet 192.168.0.6 -alias
Setup new IP: /sbin/ifconfig em0 inet 192.168.0.200 alias
ip4_addr: 192.168.0.200
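
To confirm which jails still sit inside the NAT pool after this change, here is an added example that is not part of the original article: the script reads jls output and classifies each jail address against JAIL_IP_POOL. The function names are hypothetical; the sample listing is the jls output the article ends up with.

```sh
#!/bin/sh
# Added example, not from the article. Function names are hypothetical.

# Dotted-quad IPv4 address -> integer; returns 1 on a malformed address.
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr ADDR NET/BITS: 0 if ADDR is inside the network, 1 if not, 2 on bad input.
in_cidr() {
    _addr=$(ip_to_int "$1") || return 2
    _net=$(ip_to_int "${2%/*}") || return 2
    _bits=${2#*/}
    _mask=$(( (4294967295 << (32 - $_bits)) & 4294967295 ))
    [ $(( $_addr & $_mask )) -eq $(( $_net & $_mask )) ]
}

# Read `jls` output on stdin and print "<hostname> <ip> nat|isolated|unknown",
# where "nat" means the address matches the pf NAT pool given as $1.
classify_jails() {
    _pool=$1
    while read -r _jid _ip _host _path; do
        case $_jid in ''|*[!0-9]*) continue ;; esac    # header or blank line
        if in_cidr "$_ip" "$_pool"; then
            _state=nat
        elif [ $? -eq 1 ]; then
            _state=isolated
        else
            _state=unknown
        fi
        echo "$_host $_ip $_state"
    done
}

# nat_violations POOL "host1 host2 ...": print the listed jails that are still
# NATed and return 1 if there are any. Reads `jls` output on stdin.
nat_violations() {
    _must=" $2 "
    _bad=$(classify_jails "$1" | while read -r _h _i _s; do
        case $_must in
            *" $_h "*) if [ "$_s" = nat ]; then echo "$_h"; fi ;;
        esac
    done)
    if [ -n "$_bad" ]; then
        echo "$_bad"
        return 1
    fi
    return 0
}

# Sample input: the jls listing shown at the end of the article.
sample_jls() {
    cat <<'EOF'
   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind
     2  192.168.0.2     tor.space.com                 /zroot/jails/jails/tor
     3  192.168.0.3     nginx-rev.space.com           /zroot/jails/jails/nginx-rev
     4  192.168.0.4     paygw.space.com               /zroot/jails/jails/paygw
     5  192.168.0.5     webapp.my.domain              /zroot/jails/jails/webapp
     7  192.168.0.200   electrum.space.com            /zroot/jails/jails/electrum
     8  192.168.0.6     polipo.space.com              /zroot/jails/jails/polipo
     9  192.168.0.7     lightning.space.com           /zroot/jails/jails/cln
EOF
}

# Demo on the sample; on the host, pipe the real listing: jls | classify_jails ...
sample_jls | classify_jails "192.168.0.0/25"
```

On the host, jls | nat_violations "192.168.0.0/25" "electrum.space.com" can run from cron or a monitoring check and fails as soon as the wallet jail ends up on a NATed address again.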

Hmm, but now the system itself will stop working for us. However, we can specify a system proxy. But there is one thing: TOR is a SOCKS5 proxy, and for convenience we would also like an HTTP proxy.

# cbsd jconstruct-tui

# cbsd jstart polipo

# jexec polipo

polipo:/@[9:28] # pkg install polipo

polipo:/@[9:28] # ee /usr/local/etc/polipo/config

socksParentProxy = "192.168.0.2:9050"
socksProxyType = socks5

polipo:/@[9:42] # sysrc polipo_enable=YES

polipo:/@[9:43] # service polipo start

Well, now there are two proxy servers in our system, and both exit through TOR: socks5://192.168.0.2:9050 and http://192.168.0.6:8123

Now we can configure the wallet environment

# jexec electrum

electrum:/@[9:45] # su wallet

wallet@electrum:/ % ee ~/.cshrc

#in the end of file proxy config
setenv http_proxy http://192.168.0.6:8123
setenv https_proxy http://192.168.0.6:8123

Well, now the shell will work through the proxy. If we want to install packages, we need to add the following to /usr/local/etc/pkg.conf as root inside the jail

pkg_env: {
               http_proxy: "http://my_proxy_ip:8123",
           }

Well, now it is time to add a TOR hidden service as the address of our SSH service in the wallet jail.

# jexec tor

tor:/@[9:59] # ee /usr/local/etc/tor/torrc

HiddenServiceDir /var/db/tor/electrum/
HiddenServicePort 22 192.168.0.200:22

tor:/@[10:01] # mkdir /var/db/tor/electrum

tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/electrum

tor:/@[10:01] # chmod 700 /var/db/tor/electrum

tor:/@[10:03] # service tor restart

tor:/@[10:04] # cat /var/db/tor/electrum/hostname

mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion

This is our connection address. Let's check it from the local machine. But first we need to add our SSH key:

wallet@electrum:/ % mkdir ~/.ssh

wallet@electrum:/ % ee ~/.ssh/authorized_keys

ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAG9Fk2Lqi4GQ8EXZrsH3EgSrVIQPQaAlS38MmJLBabihv9KHIDGXH7r018hxqLNNGbaJWO/wrWk7sG4T0yLHAbdQAFsMYof9kjoyuG56z0XZ8qaD/X/AjrhLMsIoBbUNj0AzxjKNlPJL4NbHsFwbmxGulKS0PdAD5oLcTQi/VnNdU7iFw== user@local

Well, from the Linux client machine

user@local ~$ nano ~/.ssh/config

#remote electrum wallet
Host remotebtc
        User wallet
        Port 22
        Hostname mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
        ProxyCommand /bin/ncat --proxy localhost:9050 --proxy-type socks5 %h %p

Let's connect (for this to work, you need a local TOR daemon listening on 9050)

user@local ~$ ssh remotebtc

The authenticity of host 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:iW8FKjhVF4yyOZB1z4sBkzyvCM+evQ9cCL/EuWm0Du4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion' (ECDSA) to the list of known hosts.
FreeBSD 12.1-RELEASE-p1 GENERIC 
To save disk space in your home directory, compress files you rarely
use with "gzip filename".
        -- Dru <genesis@istar.ca>
wallet@electrum:~ % logout

Success!

To work with instant and micro payments, we also need a Lightning Network node; in fact, this will be our main working tool with Bitcoin. For it we will use *c-lightning as the daemon, which has the Sparko plugin, a full-fledged HTTP (REST) interface that lets you work with both off-chain and on-chain transactions. c-lightning needs a bitcoind node to operate.

*There are various implementations of the Lightning Network protocol written in different languages. Of those we tested, c-lightning (written in C) seemed the most stable and resource-efficient.

# cbsd jconstruct-tui

# cbsd jstart cln

# jexec cln

lightning:/@[10:23] # adduser

Username: lightning
...

lightning:/@[10:24] # pkg install git

lightning:/@[10:23] # su lightning

cd ~ && git clone https://github.com/ElementsProject/lightning

lightning@lightning:~ % exit

lightning:/@[10:30] # cd /home/lightning/lightning/

lightning:/home/lightning/lightning@[10:31] # pkg install autoconf automake gettext git gmp gmake libtool python python3 sqlite3 libsodium py36-mako bash bitcoin-utils

lightning:/home/lightning/lightning@[10:34] # ./configure && gmake && gmake install

With everything necessary compiled and installed, let's create an RPC user for lightningd in bitcoind

# jexec bitcoind

bitcoind:/@[10:36] # ee /usr/local/etc/bitcoin.conf

rpcbind=192.168.0.1
rpcuser=test
rpcpassword=test
#allow only c-lightning
rpcallowip=192.168.0.7/32

bitcoind:/@[10:39] # service bitcoind restart
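
Besides rpcallowip, the rpcuser=test / rpcpassword=test pair above is all that protects the node's RPC. As an added example (not from the article), this script generates a random password and builds the salted rpcauth= line that Bitcoin Core accepts in bitcoin.conf in place of a clear-text rpcpassword; the user name lightning and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the article. Needs openssl, which the article already
# uses for the Sparko certificate. The user name "lightning" is an assumption.

# HMAC-SHA256 of stdin keyed with $1, printed as lowercase hex.
hmac_sha256_hex() {
    openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'
}

# Random URL-safe password built from 32 random bytes.
new_password() {
    openssl rand -base64 32 | tr '+/' '-_' | tr -d '=\n'
}

# make_rpcauth USER PASSWORD [SALT]  ->  rpcauth=USER:SALT$HMAC
# The HMAC is keyed with the salt string and computed over the password, the
# same construction as Bitcoin Core's share/rpcauth/rpcauth.py helper.
make_rpcauth() {
    _salt=${3:-$(openssl rand -hex 16)}
    _hash=$(printf '%s' "$2" | hmac_sha256_hex "$_salt")
    printf 'rpcauth=%s:%s$%s\n' "$1" "$_salt" "$_hash"
}

# verify_rpcauth LINE PASSWORD  ->  0 if PASSWORD matches the stored HMAC.
verify_rpcauth() {
    _rest=${1#rpcauth=}        # USER:SALT$HMAC
    _user=${_rest%%:*}
    _sh=${_rest#*:}            # SALT$HMAC
    _s=${_sh%%\$*}             # SALT
    [ "$(make_rpcauth "$_user" "$2" "$_s")" = "$1" ]
}

# Demo: print both sides of the configuration for a freshly generated password.
pw=$(new_password)
echo "# bitcoind jail, /usr/local/etc/bitcoin.conf (replaces rpcuser/rpcpassword):"
make_rpcauth lightning "$pw"
echo "# cln jail, ~/.bitcoin/bitcoin.conf:"
printf 'rpcuser=lightning\nrpcpassword=%s\n' "$pw"
```

The client side (the ~/.bitcoin/bitcoin.conf created further down in the cln jail) still needs the clear-text password, so keep that file readable only by the lightning user.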

Chaotic switching between jails becomes less chaotic if you know the tmux utility, which lets you create several terminal sub-sessions within one session. An analogue: screen

So, we do not want to reveal the real IP of our node, and we want to carry out all financial operations through TOR. Therefore we need one more .onion.

# jexec tor

tor:/@[9:59] # ee /usr/local/etc/tor/torrc

HiddenServiceDir /var/db/tor/cln/
HiddenServicePort 9735 192.168.0.7:9735

tor:/@[10:01] # mkdir /var/db/tor/cln

tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/cln

tor:/@[10:01] # chmod 700 /var/db/tor/cln

tor:/@[10:03] # service tor restart

tor:/@[10:04] # cat /var/db/tor/cln/hostname

en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion

Now let's create the config for c-lightning

lightning:/home/lightning/lightning@[10:31] # su lightning

lightning@lightning:~ % mkdir .lightning

lightning@lightning:~ % ee .lightning/config

alias=My-LN-Node
bind-addr=192.168.0.7:9735
rgb=ff0000
announce-addr=en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion:9735
network=bitcoin
log-level=info
fee-base=0
fee-per-satoshi=1
proxy=192.168.0.2:9050
log-file=/home/lightning/.lightning/c-lightning.log
min-capacity-sat=200000

# sparko plugin
# https://github.com/fiatjaf/lightningd-gjson-rpc/tree/master/cmd/sparko

sparko-host=192.168.0.7
sparko-port=9737

sparko-tls-path=sparko-tls

#sparko-login=mywalletusername:mywalletpassword

#sparko-keys=masterkey;secretread:+listchannels,+listnodes;secretwrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
sparko-keys=masterkey;secretread:+listchannels,+listnodes;ultrawrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
# for the example above the initialization logs (mixed with lightningd logs) should print something like

lightning@lightning:~ % mkdir .lightning/plugins

lightning@lightning:~ % cd .lightning/plugins/

lightning@lightning:~/.lightning/plugins:% fetch https://github.com/fiatjaf/sparko/releases/download/v0.2.1/sparko_full_freebsd_amd64

lightning@lightning:~/.lightning/plugins % mkdir ~/.lightning/sparko-tls

lightning@lightning:~/.lightning/sparko-tls % cd ~/.lightning/sparko-tls

lightning@lightning:~/.lightning/sparko-tls % openssl genrsa -out key.pem 2048

lightning@lightning:~/.lightning/sparko-tls % openssl req -new -x509 -sha256 -key key.pem -out cert.pem -days 3650

lightning@lightning:~/.lightning/plugins % chmod +x sparko_full_freebsd_amd64

lightning@lightning:~/.lightning/plugins % mv sparko_full_freebsd_amd64 sparko

lightning@lightning:~/.lightning/plugins % cd ~

you also need to create a configuration file for bitcoin-cli, the utility that communicates with bitcoind

lightning@lightning:~ % mkdir .bitcoin

lightning@lightning:~ % ee .bitcoin/bitcoin.conf

rpcconnect=192.168.0.1
rpcuser=test
rpcpassword=test

checking

lightning@lightning:~ % bitcoin-cli echo "test"

[
  "test"
]

starting lightningd

lightning@lightning:~ % lightningd --daemon

lightningd itself can be controlled with the lightning-cli utility, for example:

lightning-cli newaddr - get an address for a new incoming payment

{
   "address": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv",
   "bech32": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv"
}

lightning-cli withdraw bc1jufcxahfrnfhruwjgx3cq2n2ffq3lplhme878pv all - send all the money in the wallet to the address (all on-chain addresses)

There are also commands for off-chain operations: lightning-cli invoice, lightning-cli listinvoices, lightning-cli pay, etc.

Well, for communication with the application we have the REST API

curl -k https://192.168.0.7:9737/rpc -d '{"method": "pay", "params": ["lnbc..."]}' -H 'X-Access: masterkey'

Let's summarize the results

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind
     2  192.168.0.2     tor.space.com                 /zroot/jails/jails/tor
     3  192.168.0.3     nginx-rev.space.com           /zroot/jails/jails/nginx-rev
     4  192.168.0.4     paygw.space.com               /zroot/jails/jails/paygw
     5  192.168.0.5     webapp.my.domain              /zroot/jails/jails/webapp
     7  192.168.0.200   electrum.space.com            /zroot/jails/jails/electrum
     8  192.168.0.6     polipo.space.com              /zroot/jails/jails/polipo
     9  192.168.0.7     lightning.space.com           /zroot/jails/jails/cln

We have a set of containers, each with its own level of access both from and to the local network.

# zfs list

NAME                    USED  AVAIL  REFER  MOUNTPOINT
zroot                   279G  1.48T    88K  /zroot
zroot/ROOT             1.89G  1.48T    88K  none
zroot/ROOT/default     1.89G  17.6G  1.89G  /
zroot/home               88K  1.48T    88K  /home
zroot/jails             277G  1.48T   404M  /zroot/jails
zroot/jails/bitcoind    190G  1.48T   190G  /zroot/jails/jails-data/bitcoind-data
zroot/jails/cln         653M  1.48T   653M  /zroot/jails/jails-data/cln-data
zroot/jails/electrum    703M  1.48T   703M  /zroot/jails/jails-data/electrum-data
zroot/jails/nginx-rev   190M  1.48T   190M  /zroot/jails/jails-data/nginx-rev-data
zroot/jails/paygw      82.4G  1.48T  82.4G  /zroot/jails/jails-data/paygw-data
zroot/jails/polipo     57.6M  1.48T  57.6M  /zroot/jails/jails-data/polipo-data
zroot/jails/tor        81.5M  1.48T  81.5M  /zroot/jails/jails-data/tor-data
zroot/jails/webapp      360M  1.48T   360M  /zroot/jails/jails-data/webapp-data

As you can see, bitcoind takes up 190 GB of space. What if we need another node for tests? This is where ZFS comes in handy. With cbsd jclone old=bitcoind new=bitcoind-clone host_hostname=clonedbtc.space.com you can create a snapshot and attach a new jail to this snapshot. The new jail will have its own space, but only the difference between the current state and the original will be counted in the file system (we will save at least 190 GB)

Each jail is its own separate ZFS dataset, and this is extremely convenient. ZFS also lets you do various other cool things, such as sending snapshots over SSH. We will not describe it; there is already a lot written on this.

It is also worth noting the need for remote monitoring of the host; for these purposes we have Zabbix.

S is for security

As for security, let's start from the key principles in the context of infrastructure:

Confidentiality - The standard tools of UNIX-like systems ensure that this principle is implemented. We logically separate access to each logically separate element of the system, a jail. Access is granted through standard user authentication using the users' personal keys. All communication between jails and to the end jails is encrypted. Thanks to disk encryption, we do not have to worry about data safety when replacing a disk or migrating to another server. The only critical access is access to the host system, since such access generally gives access to the data inside the containers.

Integrity - This principle is implemented at several different levels. First, it is important to note that in the case of server hardware, ECC memory and ZFS already take care of data integrity "out of the box" at the level of information bits. Instant snapshots let you make backups at any time on the fly. Convenient jail export/import tools make jail replication simple.

Availability - This is already optional. It depends on the degree of your fame and on whether you have haters. In our example, we made sure that the wallet was reachable exclusively from the TOR network. If necessary, you can block everything on the firewall and allow access to the server exclusively through tunnels (TOR or VPN is another matter). Thus the server will be cut off from the outside world as much as possible, and only we will be able to influence its availability.

Non-repudiation - And this depends on further operation and on following the right policies for user rights, access, and so on. But with the right approach, all user actions are audited, and thanks to cryptographic solutions it is possible to unambiguously identify who performed certain actions and when.

Of course, the described configuration is not an absolute example of how it should always be; it is rather one example of how it can be, while retaining very flexible scaling and customization capabilities.

What about full virtualization?

You can read about full virtualization using cbsd here. I will just add that for bhyve to work you need to enable some kernel options.

# cat /etc/rc.conf

...
kld_list="vmm if_tap if_bridge nmdm"
...

# cat /boot/loader.conf

...
vmm_load="YES"
...

So if you suddenly need to run docker, we bring up some debian and off we go!

That's all

I guess that is all I wanted to share. If you liked the article, you can send me some bitcoins - bc1qu7lhf45xw83ddll5mnzte6ahju8ktkeu6qhttc. If you want to try jails in action and have some bitcoins, you can go to my pet project.

Source: www.habr.com
