Linux tips and tricks: server, open up

For those who need to give themselves, and their nearest and dearest, access to their servers from anywhere in the world over SSH/RDP/whatever: a small RTFM/cheat sheet.

Without a VPN or other bells and whistles, and from whatever device is at hand.

And without having to fuss over the server too much.

All you need for this is knock, steady hands and five minutes of work.

"Everything is on the Internet", of course (even on Habr), but as soon as it comes to a specific implementation, that is where the trouble starts...

Fedora/CentOS will serve as the example here, but that is not essential.

The cheat sheet is meant for both beginners and people who already know the subject, so there will be explanations, but brief ones.

1. Seva

  • install knock-server:
    yum/dnf install knock-server

  • configure it (for ssh, as an example) - /etc/knockd.conf:

    [options]
        UseSyslog
        interface = enp1s0f0
    [SSHopen]
        sequence        = 33333,22222,11111
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout     = 3600
        stop_command    = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    [SSHclose]
        sequence        = 11111,22222,33333
        seq_timeout     = 5
        tcpflags        = syn
        command         = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

    The "open" door closes itself after an hour (cmd_timeout = 3600, after which stop_command runs), just in case you forget. Note that the rule is keyed to %IP%, the address the knocks came from, so only that client gets port 22; nothing is opened for the rest of the world.

  • /etc/sysconfig/iptables:

    ...
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
    ...

    Note: knockd sniffs the interface with libpcap, so it sees the knocks whether or not these ports are accepted; the three ACCEPT rules are optional. With them the knock ports answer a SYN with RST ("closed"), without them they stay as silent as everything else under a DROP policy, which gives a port scanner one thing less to notice.

  • then:

    service iptables restart
    service knockd start

    (on systemd-based releases: systemctl restart iptables; systemctl enable --now knockd)

  • you can add RDP to a Windows Server running inside (/etc/knockd.conf; pick the section names to taste):

    [RDPopen]
        sequence        = 44444,33333,22222
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -t nat -A PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
        cmd_timeout     = 3600
        stop_command    = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
    [RDPclose]
        sequence        = 22222,33333,44444
        seq_timeout     = 5
        tcpflags        = syn
        command         = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2

    After knocking from the client, check the resulting rules on the server: iptables -S for the filter table and iptables -t nat -S for the RDP DNAT rule. Keep in mind that the DNAT rule only rewrites the destination; the forwarded packets still pass the FORWARD chain, which must accept them, and the Windows host must route its replies back through this box (otherwise the rule needs a matching SNAT/MASQUERADE).

2. Pitfalls

knockd.conf:

The man page does cover all of this (though not quite accurately), but knockd is very sparing with its error messages, so be very careful.

  • version
    In the Fedora/CentOS repositories the latest knockd today is 0.63. Whoever wants UDP should look for 0.70 packages.
  • interface
    The default Fedora/CentOS config does not have this line (knockd then assumes eth0). Add it by hand, otherwise nothing works.
  • timeout
    Choose to taste. The client needs enough time to deliver all the knocks, while a scanner bot (and it will scan, 146% guaranteed) must run out of time.
  • start/stop/command
    If there is one command, use command; if there are two, use start_command + stop_command (with cmd_timeout between them).
    If you get this wrong, knockd stays silent but does not work.
  • protocol
    In theory UDP can be used. In practice I mixed tcp and udp, and from a provider on the coast of Bali the gate only opened on the fifth try, because the TCP knocks arrived when they should but the UDP ones not so much. Again, a matter of taste.
  • sequence
    An obvious pitfall is that the sequences must not overlap... the way they are arranged...

For example, this:

open: 11111,22222,33333
close: 22222,11111,33333

After the knock on 11111, open waits for the next knock, on 22222. But after that same 22222, close also starts matching, and everything falls apart. This depends on the client's delay too. That's how it is ©.
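To make the sequence and timeout pitfalls above concrete, here is an offline model of how knockd matches knock sequences. This is an added example, not knockd's source and not code from the article; it assumes knockd's documented behaviour in simplified form (one attempt per door per source address, an out-of-sequence knock on a watched port resets that door's attempt, ports outside every sequence are never captured, seq_timeout counts from the first knock). The door definitions are the article's, the client and scanner addresses are constructed.

```python
"""Offline model of knockd's sequence matching (added example, not knockd's code).

Assumptions, simplified from knockd's documented behaviour:
- each door tracks one attempt per source address;
- a knock on the next expected port advances the attempt, the last one fires the
  door, and any other watched port resets that door's attempt;
- only ports that appear in some sequence are captured at all (knockd builds its
  pcap filter from them), so traffic to other ports is invisible and resets nothing;
- seq_timeout is the window, measured from the first knock, in which the whole
  sequence has to complete.
Times are plain floats in seconds so scenarios replay without a network.
"""
from dataclasses import dataclass


@dataclass
class Door:
    name: str
    sequence: tuple          # ports in the order they must be knocked
    seq_timeout: float = 5.0


@dataclass
class Attempt:
    started: float           # time of the first matching knock
    stage: int = 1           # number of ports matched so far


class Knockd:
    def __init__(self, doors):
        self.doors = list(doors)
        self.watched = {p for d in self.doors for p in d.sequence}
        self.attempts = {}   # (door name, source address) -> Attempt
        self.fired = []      # (time, door name, source address)

    def packet(self, now, src, dport):
        """Feed one SYN seen at time `now` from `src` to destination port `dport`."""
        if dport not in self.watched:
            return                                  # the pcap filter never delivers it
        for door in self.doors:
            key = (door.name, src)
            att = self.attempts.get(key)
            if att is not None:
                if now - att.started > door.seq_timeout:
                    del self.attempts[key]          # too slow: start over
                elif dport == door.sequence[att.stage]:
                    att.stage += 1
                    if att.stage == len(door.sequence):
                        self.fired.append((now, door.name, src))
                        del self.attempts[key]
                    continue
                else:
                    del self.attempts[key]          # out-of-sequence knock: reset
            if dport == door.sequence[0]:
                if len(door.sequence) == 1:
                    self.fired.append((now, door.name, src))
                else:
                    self.attempts[key] = Attempt(started=now)


def replay(doors, events):
    """Replay (time, src, dport) events through a fresh Knockd; return fired door names in order."""
    k = Knockd(doors)
    for now, src, dport in events:
        k.packet(now, src, dport)
    return [name for _, name, _ in k.fired]


# The article's doors: open is descending, close is ascending.
ARTICLE = (Door("SSHopen", (33333, 22222, 11111)), Door("SSHclose", (11111, 22222, 33333)))
CLIENT = "198.51.100.7"      # constructed sample addresses
SCANNER = "203.0.113.99"


def scenarios():
    """A few replays worth knowing; returns {scenario name: fired doors}."""
    return {
        # knock -d 300: three SYNs 0.3 s apart open the door
        "good_open": replay(ARTICLE, [(0.0, CLIENT, 33333), (0.3, CLIENT, 22222), (0.6, CLIENT, 11111)]),
        # a flaky link stretches the knocks past seq_timeout = 5 s: nothing opens
        "too_slow": replay(ARTICLE, [(0.0, CLIENT, 33333), (3.0, CLIENT, 22222), (6.0, CLIENT, 11111)]),
        # a duplicated knock is an out-of-sequence knock and resets the attempt
        "duplicate_knock": replay(ARTICLE, [(0.0, CLIENT, 33333), (0.3, CLIENT, 22222),
                                            (0.4, CLIENT, 22222), (0.6, CLIENT, 11111)]),
        # a close sequence that is a prefix of the open one fires on every open attempt
        "prefix_overlap": replay((Door("open", (11111, 22222, 33333)), Door("close", (11111, 22222))),
                                 [(0.0, CLIENT, 11111), (0.3, CLIENT, 22222), (0.6, CLIENT, 33333)]),
        # a fast sequential sweep knocks in ascending order: with the article's doors it only
        # hits the harmless close door, because open is descending
        "ascending_scan": replay(ARTICLE, [(p * 0.0001, SCANNER, p) for p in range(11000, 34000)]),
        # the same sweep against an ascending open sequence opens the door for the scanner
        "ascending_open_scanned": replay((Door("SSHopen", (11111, 22222, 33333)),),
                                         [(p * 0.0001, SCANNER, p) for p in range(11000, 34000)]),
    }


if __name__ == "__main__":
    for name, fired in scenarios().items():
        print(f"{name:24s} -> {fired}")
```

The last two scenarios are the reason to keep the open sequence non-ascending: a sweep of the whole port range visits 11111, 22222 and 33333 in that order, and at masscan speeds it does so well inside a 5 s window.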

iptables

If this in /etc/sysconfig/iptables:

*nat
:PREROUTING ACCEPT [0:0]

does not really bother us, then this:

*filter
:INPUT ACCEPT [0:0]
...
-A INPUT -j REJECT --reject-with icmp-host-prohibited

gets in the way.

Since knockd appends its rules (-A) to the end of the INPUT chain, they land after the REJECT and never match.

And simply removing that REJECT means opening the gate to all the winds.

To avoid losing sleep over which iptables rules must be inserted before which (as some people suggest), let's simplify:

  • the default CentOS/Fedora chain policy ("what is not forbidden is allowed") is replaced by the opposite,
  • and the final REJECT rule is removed.

The result should be:

*filter
:INPUT DROP [0:0]
...
#-A INPUT -j REJECT --reject-with icmp-host-prohibited

Of course you can use REJECT instead of DROP, but with DROP life is more entertaining for the bots: they wait for timeouts instead of getting an instant answer.

Two things to check before reloading this on a remote box: the usual -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT rule must stay in place, or your current session dies with the policy change; and the knockd ACCEPT rules now work at the end of the chain because a chain policy only applies to packets that no rule matched. The other way round, keeping the REJECT and having knockd insert with iptables -I INPUT instead of -A, works just as well; that is the alternative mentioned in the PS at the end.

3. Client

This part is the most interesting (in my view), since you need to work not just from any shore but from any device.

Strictly speaking, the list of clients is on the project site, but it is from the same "everything is on the Internet" series. So here I list what works in my hands, here and now.

When choosing a client, make sure it supports a delay option between packets. Yes, there is a difference between a seashore and 100 megabit, and nothing guarantees that packets from a given location will arrive in the right order at the right time.

And yes, when setting up the client you have to choose the delay yourself. Too long a server timeout and the bots get in; too short and the client does not make it. Too long a delay and the provider does not deliver in time, or the sequences collide (see "pitfalls"); too short and packets get lost on the way.

With timeout=5s, a delay of 100..500ms is a fully working option.
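The delay/timeout trade-off above is easiest to get right when the client verifies the result and retries. The following is an added example of such a client; it is neither the article's code nor the knock(1) utility, though it sends knocks the same way (one non-blocking TCP connection attempt per port with a pause in between). The sequence, the 5 s seq_timeout and the 0.1..0.5 s delays are the article's values; the host address is a constructed placeholder, and the knock/probe/sleep hooks are there so the logic can be exercised offline.

```python
"""Port-knock client with a configurable delay, verification and retry.

Added example; not the article's code and not the knock(1) utility. It does what
`knock -d <delay> host ports...` does (one TCP connection attempt per port with a
pause in between), then checks that the protected port actually answers and retries
with a longer inter-knock delay if it does not.
"""
import socket
import sys
import time


def send_tcp_knock(host, port):
    """Emit a single SYN towards host:port without waiting for a reply.

    knockd only has to see the SYN (tcpflags = syn), so a non-blocking connect that is
    closed right away is enough; a socket closed while still in SYN_SENT sends nothing more.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setblocking(False)
    try:
        s.connect_ex((host, port))   # returns EINPROGRESS immediately; the SYN is on its way
    finally:
        s.close()


def probe_tcp(host, port, timeout=2.0):
    """True if a full TCP handshake with host:port succeeds within `timeout` seconds.

    Under a DROP policy a closed door simply times out, which is why this has a bound.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def knock_sequence(host, ports, delay, knock=send_tcp_knock, sleep=time.sleep):
    """Knock the ports in order, pausing `delay` seconds between consecutive knocks."""
    for i, port in enumerate(ports):
        if i:
            sleep(delay)
        knock(host, port)


def fits_timeout(ports, delay, seq_timeout, margin=0.5):
    """n knocks spaced `delay` apart must complete inside the server's seq_timeout."""
    return (len(ports) - 1) * delay + margin <= seq_timeout


def open_door(host, sequence, service_port, delays=(0.1, 0.3, 0.5), seq_timeout=5.0,
              settle=1.0, knock=send_tcp_knock, probe=probe_tcp, sleep=time.sleep):
    """Knock, verify that service_port answers, and retry with the next (longer) delay.

    Returns the delay that worked, or None when no attempt opened the door. Delays that
    cannot fit into the server's seq_timeout are skipped rather than tried.
    """
    for delay in delays:
        if not fits_timeout(sequence, delay, seq_timeout):
            continue
        knock_sequence(host, sequence, delay, knock=knock, sleep=sleep)
        sleep(settle)   # let the last knock arrive and knockd run its start_command
        if probe(host, service_port):
            return delay
    return None


if __name__ == "__main__":
    # usage: python knockclient.py <host>  (knocks the article's SSHopen sequence, then checks port 22)
    target = sys.argv[1] if len(sys.argv) > 1 else "198.51.100.7"   # constructed placeholder
    worked = open_door(target, (33333, 22222, 11111), 22)
    print("door open with delay %.1fs" % worked if worked is not None else "door did not open")
```

Because every retry re-sends the whole sequence, a half-delivered first attempt is harmless: the out-of-sequence knock of the next attempt resets knockd's state and the sequence starts clean.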

Windows

However funny it sounds, finding a sane client for this platform is not a quick Google search: one whose CLI supports a delay and TCP, and works without glitches.

Otherwise, you can try this one. Apparently my Google is not what it used to be.

Linux

Everything is simple here:

dnf install knock -y
knock -d <delay_ms> <dst_ip> 33333 22222 11111

(-d takes the delay in milliseconds; the ports are the SSHopen sequence from the server config above.)

MacOS

The simplest way is to install the client from homebrew:
brew install knock
and make small scripts for commands like:

#!/bin/sh
knock -d <delay_ms> <dst_ip> 33333 22222 11111

iOS

A working option is KnockOnD (free, from the App Store).

Android

"Knock on Port". Not an advertisement, it just works. And the developers are responsive.

PS Habr's markup, of course, God bless it, one of these days...

UPD: thanks to a kind person, a working client for Windows was found.
UPD: Another kind person reminded me that appending new rules at the end of iptables is not always a good idea. But it depends.

Source: www.habr.com
