Linux tips & tricks: server, open up

For those who want to give themselves (and their loved ones) access to their servers from anywhere in the world via SSH / RDP / whatever else: a small RTFM / cheat sheet.

It has to work without a VPN or other bells and whistles, and from any handheld device.

And without putting much load on the server.

All you need for this is port knocking, steady hands and 5 minutes of work.

"Everything is on the Internet", of course (Habr included), but when it comes to a concrete implementation, that's where it starts...

We will use Fedora/CentOS as the example, but that doesn't really matter.

The cheat sheet is meant for both beginners and experts on the subject, so there will be comments, but they will be brief.

1. Server

  • install knock-server:
    yum/dnf install knock-server

  • configure it (example for ssh) - /etc/knockd.conf:

    [options]
        UseSyslog
        interface = enp1s0f0
    [SSHopen]
        sequence        = 33333,22222,11111
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout     = 3600
        stop_command    = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    [SSHclose]
        sequence        = 11111,22222,33333
        seq_timeout     = 5
        tcpflags        = syn
        command         = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

    The "open" part is set to close automatically after 1 hour. You don't have to...

  • /etc/sysconfig/iptables:

    ...
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
    ...

  • then:

    service iptables restart
    service knockd start

  • you can also add RDP to the actual Windows Server hanging inside (/etc/knockd.conf; substitute the interface name to your taste):

    [RDPopen]
        sequence        = 44444,33333,22222
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -t nat -A PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
        cmd_timeout     = 3600
        stop_command    = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
    [RDPclose]
        sequence        = 22222,33333,44444
        seq_timeout     = 5
        tcpflags        = syn
        command         = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2

    We keep track of all our clients' knocks on the server with the iptables -S command.

2. A guide to the pitfalls

knockd.conf:

The man page has everything (but that's not certain), yet knockd is a friend who is stingy with messages, so you have to be very careful.

  • version
    In the Fedora/CentOS repositories the freshest knockd today is 0.63. Whoever wants UDP, look for 0.70 packages.
  • interface
    In the default Fedora/CentOS config this line is missing. Add it by hand, otherwise it won't work.
  • timeout
    Here you choose to your taste. The client must have enough time to knock, and a port-scanner bot must break its teeth on it (and scan it will, 146% sure).
  • start/stop/command
    If there is one command, then command; if two, then start_command+stop_command.
    If you get this wrong, knockd will stay silent, but it won't work.
  • flags
    In theory UDP can be used. In practice I mixed tcp and udp, and a client from a beach in Bali managed to open the port only on the fifth try. Because TCP arrives when it should, but UDP, not necessarily. But again, that's a matter of taste.
  • sequence
    The hidden pitfall is that sequences should not intersect... how to put it...

For example, this:

open: 11111,22222,33333
close: 22222,11111,33333

After knocking on 11111, open will wait for the next knock on 22222. But after that (22222) the close knock starts working too, and everything breaks. This depends on the client's delay as well. That's how it is ©.
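An added example (not from the post or the knockd project): a small checker that parses a knockd.conf and reports the pitfalls listed above, namely a missing interface line, a half-configured command pair, and sequences that cross, where one door's first knock port occurs mid-way through another door's sequence. The sample config is constructed.

```python
from itertools import permutations

# Constructed sample, not the post's config: it contains three of the pitfalls
# above (no interface line, half a start/stop pair, crossing sequences).
SAMPLE_CONF = """[options]
    UseSyslog
[SSHopen]
    sequence      = 11111,22222,33333
    start_command = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 3600
[SSHclose]
    sequence      = 22222,11111,33333
    command       = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""

def parse_knockd_conf(text):
    """Minimal knockd.conf reader: [sections] holding 'key = value' lines or bare flags."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
        elif section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf

def lint_knockd(conf):
    """Return human-readable findings; an empty list means none of the known pitfalls."""
    findings = []
    if "interface" not in conf.get("options", {}):
        findings.append("options: missing 'interface' (the Fedora/CentOS default omits it)")
    doors = {name: sec for name, sec in conf.items() if name != "options"}
    seqs = {}
    for name, sec in doors.items():
        has_cmd = "command" in sec
        has_start, has_stop = "start_command" in sec, "stop_command" in sec
        if has_start != has_stop or has_cmd == (has_start and has_stop):  # one form only
            findings.append(f"{name}: use 'command' OR 'start_command'+'stop_command'")
        seqs[name] = [p.strip() for p in sec.get("sequence", "").split(",") if p.strip()]
    # A door whose first port sits mid-way through another door's sequence gets a
    # second attempt started while the first one is still in progress.
    for a, b in permutations(seqs, 2):
        if seqs[b] and seqs[b][0] in seqs[a][:-1]:
            findings.append(f"{a}: knock {seqs[b][0]} also starts '{b}' mid-sequence")
    return findings
```

Run against the post's own config (reversed sequences, interface set, one command form per door) the checker returns no findings.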

iptables

If in /etc/sysconfig/iptables this:

*nat
:PREROUTING ACCEPT [0:0]

doesn't really bother us, then this:

*filter
:INPUT ACCEPT [0:0]
...
-A INPUT -j REJECT --reject-with icmp-host-prohibited

does get in the way.

Since knockd appends its rules to the end of the INPUT chain, we get a reject.

And removing this reject means opening the machine to all the winds.

So as not to get lost in iptables over what to insert before what (as people advise), let's keep it simple:

  • the default CentOS/Fedora policy line ("what is not forbidden is allowed") is replaced with the opposite one,
  • and we remove the last rule.

The result should be:

*filter
:INPUT DROP [0:0]
...
#-A INPUT -j REJECT --reject-with icmp-host-prohibited

You can, of course, use REJECT instead of DROP, but with DROP life will be more fun for the bots.
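As an added example (not the post's own code), a first-match evaluator over the INPUT rules quoted above: it shows that an ACCEPT appended by knockd is dead behind the trailing REJECT, and that with the DROP policy it takes effect while the knock ports stay reachable. The client address 203.0.113.7 is constructed.

```python
import shlex

# Constructed rule sets (not the post's file verbatim) built from the lines above:
# the knock ports, the stock trailing REJECT, and the post's DROP-policy fix.
KNOCK_PORTS = """
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
"""
STOCK = (":INPUT ACCEPT [0:0]\n" + KNOCK_PORTS
         + "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n")
FIXED = ":INPUT DROP [0:0]\n" + KNOCK_PORTS
# What knockd's start_command appends after a successful knock (constructed client address).
CLIENT = "203.0.113.7"
KNOCKD_APPENDS = f"-A INPUT -s {CLIENT} -p tcp --dport 22 -j ACCEPT\n"

def parse_rules(text):
    """Read iptables-save style text: the INPUT policy plus the -A INPUT rules in order.
    Only -s (exact host), -p, --dport and -j are honoured; -m matches are ignored."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        if line.startswith(":INPUT"):
            policy = line.split()[1]
        elif line.startswith("-A INPUT"):
            toks = shlex.split(line)
            rule = {"src": None, "proto": None, "dport": None, "target": None}
            for opt, key in (("-s", "src"), ("-p", "proto"), ("--dport", "dport"), ("-j", "target")):
                if opt in toks:
                    rule[key] = toks[toks.index(opt) + 1]
            rules.append(rule)
    return policy, rules

def verdict(policy, rules, src, proto, dport):
    """First matching rule wins, exactly as iptables walks a chain; otherwise the policy."""
    for r in rules:
        if (r["src"] in (None, src) and r["proto"] in (None, proto)
                and r["dport"] in (None, str(dport))):
            return r["target"]
    return policy

def ssh_verdict(ruleset, src=CLIENT):
    """Verdict for tcp/22 from src once knockd has appended its ACCEPT rule."""
    policy, rules = parse_rules(ruleset + KNOCKD_APPENDS)
    return verdict(policy, rules, src, "tcp", 22)
```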

3. Client

This part is the most interesting (from my point of view), since you need to work not only from any beach but also from any device.

In principle, a number of clients are listed on the project site, but that's from the same series, "everything is on the Internet". So I'll list what works in my hands, here and now.

When choosing a client, make sure it supports a delay option between packets. Yes, beaches differ, and 100 megabits will never guarantee that packets arrive in the right order at the right time from a given spot.

And yes, when setting up the client you have to pick the delay yourself. Too long a timeout and bots will get in; too short and the client won't have time. Too much delay and the client won't make it in time, or there will be a collision of idiots (see "pitfalls"); too little and packets will get lost on the Internet.

With timeout=5s, delay=100..500ms is a perfectly workable option.

Windows

However funny it sounds, it's not trivial to google a sane client for this platform. One where the CLI supports delay and TCP, and without bells and whistles.

Alternatively, you can try this one. Apparently my Google isn't what it used to be.

Linux

Everything is simple here:

dnf install knock -y
knock -d <delay> <dst_ip> 11111 22222 33333

MacOS

The simplest way is to install the port from Homebrew:
brew install knock
and draw up the necessary batch files for commands like this:

#!/bin/sh
knock -d <delay> <dst_ip> 11111 22222 33333

iOS

A working option is KnockOnD (free, in the store).

Android

"Knock on Ports". Not an advertisement, it just works. And the developers are very responsive.

PS The formatting on Habr, yes, God bless it one day...

UPD1: Thanks to a kind person, a working client for Windows was found.
UPD2: Another kind person reminded me that putting new rules at the end of iptables isn't always helpful. But it depends.

source: www.habr.com
