Linux tips & tricks: server, open up

For those who need, or simply like, to reach their own services from anywhere in the world over SSH/RDP/whatever, with a minimum of RTFM.

We want to do it without a VPN and other bells and whistles, from any device that happens to be at hand.

And without a lot of gymnastics on the server side.

All you need for this is port knocking, straight hands and 5 minutes of work.

"Everything is on the internet," of course (even on Habré), but when it comes to a concrete implementation, that's where it begins...

I'll use Fedora/CentOS as the example, but that hardly matters.

The write-up is meant for both beginners and people who know the subject, so there will be comments, but they'll be brief.

1. Server

  • install the knock server:
    yum/dnf install knock-server

  • configure it (SSH as the example) - /etc/knockd.conf:

    [options]
        UseSyslog
        interface = enp1s0f0
    [SSHopen]
        sequence        = 33333,22222,11111
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout     = 3600
        stop_command    = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    [SSHclose]
        sequence        = 11111,22222,33333
        seq_timeout     = 5
        tcpflags        = syn
        command         = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

    The "open" door is set to close itself again after 1 hour (cmd_timeout). You never know...

  • /etc/sysconfig/iptables (knockd sees the knocks through libpcap whether or not the firewall accepts them, so these rules are optional; they only make the knock ports answer with a RST instead of being dropped or rejected):

    ...
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
    ...

  • and go:

    service iptables restart
    service knockd start

  • you can add RDP forwarding to an internal Windows server in the same /etc/knockd.conf (change the interface name to taste). The DNAT rule only does something if the box actually routes between its interfaces (net.ipv4.ip_forward=1 and a FORWARD chain that lets the traffic through):

    [RDPopen]
        sequence        = 44444,33333,22222
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -t nat -A PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
        cmd_timeout     = 3600
        stop_command    = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
    [RDPclose]
        sequence        = 22222,33333,44444
        seq_timeout     = 5
        tcpflags        = syn
        command         = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2

    All your clients' knocks can be watched on the server with iptables -S (and iptables -t nat -S for the DNAT rules).

2. Rakes (pitfalls)

knockd.conf:

The man page supposedly covers everything (it doesn't), and knockd is very stingy with diagnostics, so you need to be careful.

  • version
    In the Fedora/CentOS repos the latest knockd as of today is 0.63. If you want UDP, look for a 0.70 package.
  • interface
    The Fedora/CentOS default config has no such line. Add it by hand, otherwise it won't work.
  • seq_timeout
    Pick to taste. The client must have enough time to get all the knocks in, while a scanner bot should still break its teeth on it (and scan you they will, 146% guaranteed).
  • start_command/stop_command/command
    If there is one command, use command; if there are two, start_command + stop_command. Get this wrong and knockd keeps quiet, but doesn't work either.
  • protocol
    In theory UDP can be used. In practice, when I mixed tcp and udp, a client on a beach in Bali got the door open on the fifth try: the TCP knocks arrived when they should, the UDP ones not so much. Again, a matter of taste.
  • sequence
    The hidden rake is that sequences must not overlap... how to put it...

For example, this:

open: 11111,22222,33333
close: 22222,11111,33333

The first knock of "open", 11111, waits for the next one, 22222. But that 22222 is also the first knock of "close", so the close sequence starts matching too and everything falls apart. Client-side delay plays into this as well. Something like that ©.

Iptables

If /etc/sysconfig/iptables contains this:

*nat
:PREROUTING ACCEPT [0:0]

it doesn't really bother us, but this:

*filter
:INPUT ACCEPT [0:0]
...
-A INPUT -j REJECT --reject-with icmp-host-prohibited

does get in the way.

Since knockd appends its rules (-A) to the end of the INPUT chain, they land after that REJECT, and the knocked-open port is still rejected.

Simply dropping the REJECT line would mean opening the server to all the winds.

So as not to get lost in what goes before what in iptables (which is what people usually suggest), let's simplify:

  • the CentOS/Fedora default policy ("what is not forbidden is allowed") is replaced by the opposite,
  • and the last rule is removed.

The result should look like:

*filter
:INPUT DROP [0:0]
...
#-A INPUT -j REJECT --reject-with icmp-host-prohibited

You could of course REJECT instead of DROP, but with DROP life gets much more interesting for the bots: every probe has to wait for a timeout instead of getting an answer.
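
The rakes above are exactly the things you want checked before you start knockd (which, as noted, keeps quiet when the config is wrong) and before you lock yourself out. The script below is an added example for this page, not knockd's own tooling: it parses knockd.conf and the iptables-save file and reports a missing interface line, a door with the wrong mix of command/start_command/stop_command, overlapping sequences, an ACCEPT default policy and a trailing catch-all REJECT. The overlap rule is my reading of the open/close example in "rakes" (the first knock of one door showing up mid-sequence in another), not knockd's matching code, and the sample configs embedded at the bottom are constructed from the sections above.

```python
import re
import sys

def parse_knockd_conf(text):
    """knockd.conf -> {section: {key: value}}; bare flags such as UseSyslog map to None."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()                     # knockd ignores indentation, so do we
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current, sections[line[1:-1]] = line[1:-1], {}
        else:
            key, eq, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip() if eq else None
    return sections

def parse_sequence(value):
    """'33333,22222,11111' -> [33333, 22222, 11111]; a ':udp'/':tcp' per-port suffix is dropped."""
    return [int(p.strip().split(":")[0]) for p in value.split(",")]

def lint_knockd(sections):
    """Report the knockd.conf mistakes that knockd itself stays silent about."""
    problems, seqs = [], {}
    if not sections.get("options", {}).get("interface"):
        problems.append("[options]: no 'interface = ...' (absent from the Fedora/CentOS default file)")
    for name, door in sections.items():
        if name == "options":
            continue
        if not door.get("sequence"):
            problems.append("[%s]: no 'sequence'" % name)
            continue
        seqs[name] = parse_sequence(door["sequence"])
        cmd, start, stop = "command" in door, "start_command" in door, "stop_command" in door
        if cmd == (start or stop) or start != stop:
            problems.append("[%s]: use either 'command' or both 'start_command' and 'stop_command'" % name)
    # Overlap rule (my reading of the 'rakes' example, not knockd's own matching code): the FIRST
    # knock of door B must not appear anywhere but last in door A, or a knock meant for A starts B.
    for a, seq_a in seqs.items():
        for b, seq_b in seqs.items():
            if a != b and seq_b[0] in seq_a[:-1]:
                problems.append("[%s]: knock %d (port %d) also starts [%s]"
                                % (a, seq_a.index(seq_b[0]) + 1, seq_b[0], b))
    return problems

def parse_iptables_save(text):
    """iptables-save format -> {table: {'policy': {chain: POLICY}, 'rules': [rule, ...]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table, tables[line[1:]] = line[1:], {"policy": {}, "rules": []}
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
        else:
            tables[table]["rules"].append(line)
    return tables

CATCH_ALL = re.compile(r"^-A INPUT -j (REJECT|DROP)( |$)")

def lint_iptables(tables):
    """Filter-table rakes: default-allow policy, and a trailing catch-all that knockd's -A lands behind."""
    problems = []
    filt = tables.get("filter", {"policy": {}, "rules": []})
    policy = filt["policy"].get("INPUT", "ACCEPT")
    if policy != "DROP":
        problems.append("filter INPUT policy is %s ('what is not forbidden is allowed')" % policy)
    inputs = [r for r in filt["rules"] if r.startswith("-A INPUT ")]
    if inputs and CATCH_ALL.match(inputs[-1]):
        problems.append("last INPUT rule is a catch-all (%s): knockd appends after it, knocks stay rejected" % inputs[-1])
    return problems

# Constructed samples: the overlapping open/close pair from the 'rakes' section ([open] half
# configured on purpose) and a stock CentOS filter table with its trailing REJECT.
RAKE_CONF = """[options]
    UseSyslog
[open]
    sequence      = 11111,22222,33333
    start_command = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
[close]
    sequence      = 22222,11111,33333
    command       = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""
STOCK_IPTABLES = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":  # lint.py /etc/knockd.conf /etc/sysconfig/iptables ; no args = samples
    conf, ipt = [open(p).read() for p in sys.argv[1:3]] or (RAKE_CONF, STOCK_IPTABLES)
    found = lint_knockd(parse_knockd_conf(conf)) + lint_iptables(parse_iptables_save(ipt))
    sys.exit("\n".join("WARN: " + p for p in found) or 0)
```

With no arguments it lints the embedded samples and exits non-zero with four knockd and two iptables warnings; point it at /etc/knockd.conf and /etc/sysconfig/iptables to check a real box. The combined SSH+RDP config from section 1 also trips the overlap rule, since 22222 and 33333 are reused across the four doors; whether those crossings bite depends on knockd's attempt handling and on your client's timing, so treat them as warnings worth a look rather than errors.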

3. Client

This is the most interesting part (in my opinion), because you need to work not just from any beach, but from any device.

In principle the project site lists a number of clients, but that's from the same "everything is on the internet" series. So I'll write down, here and now, what works in my hands.

When choosing a client, make sure it supports a delay option between packets. Yes, beaches differ, and 100 megabits never guaranteed that packets arrive in the right order at the right time at a given spot.

And yes, when setting up the client you have to pick the delay yourself. Too long a timeout (seq_timeout) and the bots get a window; too short and the client doesn't make it. Too long a delay and the client doesn't fit into the timeout, or you get the silly collisions (see "rakes"); too short and the packets get lost or reordered on the way.

timeout=5s, delay=100..500ms is a perfectly workable choice.

Windows

Funny as it sounds, it's not easy to google a decent knock client for this platform: one whose CLI supports a delay and TCP, with no bells and whistles.

Failing that, you can try this one. Apparently my Google-fu isn't what it could be.
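
Since Python runs on Windows as well, here is a minimal knock client as an added example (not the page's own, and not the knock utility's code). It does what the paragraphs on delay and timeout above ask for: a per-knock delay, TCP SYN knocks sent as ordinary connect() attempts that are expected to fail, and a pre-flight check that (n-1) × delay stays within seq_timeout. The 50% headroom for jitter, the 300 ms default delay and the usage line are my assumptions.

```python
import errno
import socket
import sys
import time

def parse_ports(spec):
    """'11111,22222,33333' or '11111 22222 33333' -> [11111, 22222, 33333]."""
    ports = [int(p) for p in spec.replace(",", " ").split()]
    if not ports or not all(1 <= p <= 65535 for p in ports):
        raise ValueError("knock sequence must be 1..65535 ports, got %r" % spec)
    return ports

def plan(ports, delay_ms, seq_timeout_s, headroom=0.5):
    """Sanity-check client timing against the server's seq_timeout before knocking.
    The whole sequence spans (n-1) * delay; keep it within `headroom` (assumed 50%)
    of seq_timeout so jitter on the path cannot push the last knock past the window.
    Returns (span_ms, fits)."""
    span_ms = (len(ports) - 1) * delay_ms
    return span_ms, span_ms <= seq_timeout_s * 1000 * headroom

def tcp_knock(host, port, timeout_s=0.3):
    """One knock = one TCP SYN (what knockd's 'tcpflags = syn' looks for). The
    connect is EXPECTED to fail: a DROP policy makes it time out, the NEW-accept
    rules from section 1 make it refused (RST). knockd has seen the SYN either
    way, so the returned errno is informational only."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout_s)
        try:
            return s.connect_ex((host, port))
        except socket.timeout:  # some interpreters raise here instead of returning an errno
            return errno.ETIMEDOUT

def knock(host, ports, delay_ms=300, send=tcp_knock, sleep=time.sleep):
    """Send the sequence in order with delay_ms between knocks. `send` and `sleep`
    are injectable so the sequencing can be exercised offline.
    Returns [(port, connect_result), ...] in the order sent."""
    sent = []
    for i, port in enumerate(ports):
        if i:
            sleep(delay_ms / 1000.0)
        sent.append((port, send(host, port)))
    return sent

if __name__ == "__main__":
    # usage: knock.py <host> <delay_ms> <seq_timeout_s> <port,port,...>
    host, delay_ms, seq_timeout_s, spec = sys.argv[1:5]
    ports = parse_ports(spec)
    span, fits = plan(ports, int(delay_ms), float(seq_timeout_s))
    if not fits:
        sys.exit("sequence spans %d ms, too close to seq_timeout=%ss" % (span, seq_timeout_s))
    for port, rc in knock(host, ports, int(delay_ms)):
        print("knocked %s:%d (connect_ex=%d, failure expected)" % (host, port, rc))
```

Run it as knock.py <host> <delay_ms> <seq_timeout_s> 11111,22222,33333. An error code for every knock is normal (DROP policy: timeout; the NEW-accept rules from section 1: refused); knockd only needs to have seen the SYN. On Linux and macOS the knock package does the same thing with knock -d.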

Linux

Everything is simple here:

dnf install knock -y
knock -d <delay> <dst_ip> 11111 22222 33333

(-d is the delay between knocks, in milliseconds.)

MacOS

The easiest way is to install it from homebrew:
brew install knock
and wrap the commands you need into shell scripts like:

#!/bin/sh
knock -d <delay> <dst_ip> 11111 22222 33333

iOS

A working option is KnockOnD (free, in the App Store).

Android

"Knock on Ports" (this is not an advert, it just works). And the developers are responsive.

PS A Habré badge, of course, God willing, some day...

UPD1: thanks to the kind person who found a working client for Windows, see below.
UPD2: Another kind person reminded me that appending new rules to the end of iptables isn't always useful. But - it depends.

Source: www.habr.com
