Bitcoin in a cage?

It so happens that by profession I am an administrator of computer systems and networks (in short: a sysadmin), and that I have had the chance to work professionally for a little over 10 years on the most diverse systems, including those that require [excessive] security measures. It also happens that some time ago I became interested in Bitcoin, and not only used it, but also launched a few small services in order to learn how to work independently with the Bitcoin network (a p2p network, after all) from a developer's point of view (I am one of those devs myself, so I went through that too). But I am not talking about development here; I am talking about a secure and usable environment for applications.

Financial technology (fintech) goes hand in hand with information security (infosec), and the former can work without the latter, but not for long. That is why I want to share my experience and the set of tools I use, which covers both fintech and infosec at the same time, and which can also be used for a broader or completely different purpose. In this article I will not tell you much about Bitcoin, but about an infrastructure model for developing and running financial (and not only financial) services, namely those services where the "B" matters. This applies both to a Bitcoin exchange and to the most ordinary business zoo of services of a small company that has nothing to do with Bitcoin.

I would like to note that I am a supporter of the principles "keep it simple, stupid" and "less is more", so both the article and what is described in it will have the properties these principles imply.

Hypothetical scenario: let's look at everything using the example of a bitcoin exchanger. We have decided to launch an exchange of rubles, dollars and euros for bitcoins and back, and we already have a working solution, but for other digital money such as qiwi and webmoney, i.e. we have covered all the legal issues, and we have a ready-made application that acts as a payment gateway for rubles, dollars and euros and other payment systems. It is connected to our bank accounts and has some kind of API for our backend applications. We also have a web application that acts as the exchanger for users, well, like a regular qiwi or webmoney account: create an account, add a card, and so on. It communicates with our gateway application via a REST API locally. And so we decided to connect bitcoins and at the same time upgrade the infrastructure, because... at first everything was quickly deployed on virtualboxes in the office under a desk... the site started to be used, and we started to worry about uptime and performance.

So, let's start with the main thing: choosing a server. Since the business in our example is small and we trust the hoster (OVH), we will choose the budget option where it is not possible to install the system from the initial .iso image, but it does not matter, the IT security department will certainly analyze the installed image. And when we grow, we will rent our own rack under lock and key with limited physical access, and maybe we will build our own DC. In any case, it is worth remembering that when you rent hardware and install ready-made images, there is a chance that you will have a "Trojan from the administrator" hanging in your system, which in most cases is not intended to spy on you, but to give the server more convenient administration tools.

Server installation

Everything is simple here. We choose hardware that fits our needs. Then we choose the FreeBSD image. Or we connect (in the case of another hoster and our own hardware) via IPMI or with a monitor and feed the FreeBSD .iso image to the bootloader. For orchestrating the setup I use Ansible and mfsBSD. The only thing is that in our case with kimsufi we chose a custom installation so that two disks in a mirror have only the boot and/or home partitions "open"; the rest of the disk space will be encrypted, but more about that later.

The installation of the system proceeds in the usual way, and I will not dwell on it; I will only note that before starting work it is worth paying attention to the hardening options that bsdinstaller offers at the end of the installation (if you are installing the system yourself):

There is good material on this topic; I will briefly repeat it here.

It is also possible to enable the parameters mentioned above on an already installed system. To do this you need to edit the bootloader file and enable the kernel parameters. *ee is an editor that ships with BSD

# ee /etc/rc.conf

...
#sec hard
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"

# ee /etc/sysctl.conf

...
#sec hard
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
# bsdinstall writes a random number here; sysctl.conf is not run through a
# shell, so a literal $(jot -r 1 9999) would never be expanded. The value 1
# makes the kernel choose a random PID modulus itself.
kern.randompid=1
security.bsd.stack_guard_page=1

You should also make sure you have the latest version of the system installed, and perform all updates and upgrades. In our case, for example, upgrading to the latest version is necessary, because... preinstalled images lag behind by six months to a year. Well, then we change the SSH port to something other than the default, add key authentication and disable password authentication.

Then we set up aide, which monitors the state of the system's configuration files. You can read about it in more detail here.

pkg install aide

and edit our crontab

crontab -e

06 01 * * 0-6 /root/chkaide.sh

#!/bin/sh
# chkaide.sh: run the aide check and write a short report to /tmp
MYDATE=$(date +%Y-%m-%d)
MYFILENAME="Aide-$MYDATE.txt"
/bin/echo "Aide check !! $(date)" > /tmp/$MYFILENAME
/usr/local/bin/aide --check > /tmp/myAide.txt
# drop the noisy "failed" lines, keep the rest of the report
/usr/bin/grep -v failed /tmp/myAide.txt >> /tmp/$MYFILENAME
/bin/echo "**************************************" >> /tmp/$MYFILENAME
/usr/bin/tail -20 /tmp/myAide.txt >> /tmp/$MYFILENAME
/bin/echo "****************DONE******************" >> /tmp/$MYFILENAME
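The cron script above saves the report but throws away aide's exit status, which is the one thing that tells a clean run apart from a modified /etc. The following is an added example, not code from the article: it decodes the exit status that aide(1) documents (1 = new files, 2 = removed files, 4 = changed files, combinable; 14 and above are errors) into a verdict the cron job can act on. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): turn aide's exit status into
# a verdict the cron wrapper can act on. aide(1) sets bit 1 for new files,
# bit 2 for removed files, bit 4 for changed files; 14 and above are errors.

# aide_verdict STATUS -> prints "clean", a space-separated list of change
# kinds, or "error:STATUS"; returns 0 clean, 1 changes, 2 error
aide_verdict() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo clean
        return 0
    fi
    if [ "$status" -ge 14 ]; then
        echo "error:$status"
        return 2
    fi
    verdict=""
    [ $(( status & 1 )) -ne 0 ] && verdict="$verdict added"
    [ $(( status & 2 )) -ne 0 ] && verdict="$verdict removed"
    [ $(( status & 4 )) -ne 0 ] && verdict="$verdict changed"
    echo "${verdict# }"   # strip the leading space
    return 1
}

# needs_alert STATUS -> exit 0 when an operator should read the report
# (any change or any error), 1 when the run was clean
needs_alert() {
    if aide_verdict "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# How chkaide.sh could use it (constructed status values, no aide run here):
#   /usr/local/bin/aide --check > /tmp/myAide.txt; rc=$?
#   if needs_alert "$rc"; then
#       mail -s "aide: $(aide_verdict "$rc")" root < /tmp/myAide.txt
#   fi
for rc in 0 5 17; do
    echo "exit status $rc -> $(aide_verdict "$rc")"
done
```

A run that only adds files (status 1) and a run that changes existing ones (status 4) both end up in the same report today; with the verdict in the mail subject the two are distinguishable without opening the report.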

We enable system auditing

sysrc auditd_enable=YES

# service auditd start

How to handle this is well described in the handbook.

Now we reboot and move on to the software on the server. Each server is a hypervisor for containers or full virtual machines. Therefore it is important that the processor supports VT-x and EPT if we plan to use full virtualization.

To manage containers and virtual machines I use cbsd by olevole; I wish him good health and more blessings for this wonderful tool!

Containers? Docker again or what?

But no. FreeBSD jails are an excellent containerization tool, but the aforementioned cbsd orchestrates these containers, which it calls cells.

A cell is a very effective solution for building infrastructure for a variety of purposes, where complete isolation of individual services or processes is ultimately required. In essence, it is a clone of the host system, but it does not require full hardware virtualization. And because of this, resources are not spent on the "guest OS", but only on the work being done. When cells are used for internal needs, this is a very convenient solution for resource utilization: a bunch of cells on one hardware server can use each of the server's resources if needed. Considering that different services usually need additional resources at different times, you can squeeze maximum performance out of one server if you plan correctly and balance the cells between servers. If necessary, cells can also be given limits on the resources they use.

What about full virtualization?

As far as I know, cbsd supports the bhyve and XEN hypervisors. I have never used the second, but the first is a relatively young hypervisor from FreeBSD. We will look at an example of using bhyve below.

Installing and configuring the host environment

We use the ZFS file system. This is an extremely powerful tool for managing server space. Thanks to ZFS, you can directly create various configurations from disks, "hot" expand space, replace dead disks, manage snapshots, and much more that could be described in a whole series of articles. Let's get back to our server and its disks. At the beginning of the installation we left free space on the disks for encrypted partitions. Why so? This is so that the system boots automatically and listens on SSH.

gpart add -t freebsd-zfs /dev/ada0

/dev/ada0p4 added!

add a disk partition in the remaining space

geli init /dev/ada0p4

enter our encryption passphrase

geli attach /dev/ada0p4

We enter the passphrase again, and now we have the device /dev/ada0p4.eli: this is our encrypted space. Then we repeat the same for /dev/ada1 and all the other disks in the list. And we create a new ZFS pool.

zpool create vms mirror /dev/ada0p4.eli /dev/ada1p4.eli /dev/ada3p4.eli - well, we have a decent minimal combat kit. A mirrored set of disks in case one of the three fails.

Create a dataset in the new "pool"

zfs create vms/jails

pkg install cbsd - we installed the package and set up our cell manager.

After cbsd is installed, it needs to be initialized:

# env workdir="/vms/jails" /usr/local/cbsd/sudoexec/initenv

Well, we answer a bunch of questions, mostly with the default answers.

*If you use encryption, it is important that the cbsdd daemon does not start automatically until you manually decrypt the disks (in our example this is done by zabbix)

**I also do not use NAT from cbsd, and configure it myself in pf.

# sysrc pf_enable=YES

# ee /etc/pf.conf

IF_PUBLIC="em0"
IP_PUBLIC="1.23.34.56"
JAIL_IP_POOL="192.168.0.0/24"

#WHITE_CL="{ 127.0.0.1 }"

icmp_types="echoreq"

set limit { states 20000, frags 20000, src-nodes 20000 }
set skip on lo0
scrub in all

#NAT for jails
nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC

## Bitcoin network port forward
IP_JAIL="192.168.0.1"
PORT_JAIL="{8333}"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

# service pf start

# pfctl -f /etc/pf.conf

Setting up firewall policies is also a separate topic, so I will not go deep into setting up a BLOCK ALL policy and whitelisting; you can do that by reading the official documentation or any of the huge number of articles available on Google.

Well... we have installed cbsd, it is time to create our first workhorse: a jailed Bitcoin daemon!

cbsd jconstruct-tui

Here we see the cell creation dialog. After all the values are set, let's create!

When creating your first cell, you have to choose what you will use as the base for the cells. I choose the distribution from the FreeBSD repository with the repo command. This choice is made only when creating the first cell of a particular version (you can host cells of any version older than the host version).

After everything is installed, we start the cage!

# cbsd jstart bitcoind

But we need to install the software in the cage.

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind

jexec bitcoind to enter the cell console

and already inside the cell we install the software with its dependencies (our host system remains clean)

bitcoind:/@[15:25] # pkg install bitcoin-daemon bitcoin-utils

bitcoind:/@[15:30] # sysrc bitcoind_enable=YES

bitcoind:/@[15:30] # service bitcoind start

There is Bitcoin in the cage, but we need anonymity, because we want to connect to other cages over the TOR network. In general, we plan to run most cells containing suspicious software only through a proxy. Thanks to pf, you can disable NAT for a certain range of IP addresses on the local network, and allow NAT only for our TOR cell. Thus, even if malware gets into a cell, it will most likely not communicate with the outside world, and if it does, it will not reveal our server's IP. So we create another cell to "forward" services as a ".onion" service and as a proxy for individual cells to access the internet.

# cbsd jsconstruct-tui

# cbsd jstart tor

# jexec tor

tor:/@[15:38] # pkg install tor

tor:/@[15:38] # sysrc tor_enable=YES

tor:/@[15:38] # ee /usr/local/etc/tor/torrc

Set it to listen on the local address (reachable from all cells)

SOCKSPort 192.168.0.2:9050

What else do we need for complete happiness? Yes, we need our web service, maybe more than one. Let's launch nginx, which will work as a reverse proxy and take care of renewing the Let's Encrypt certificates

# cbsd jsconstruct-tui

# cbsd jstart nginx-rev

# jexec nginx-rev

nginx-rev:/@[15:47] # pkg install nginx py36-certbot

So we put 150 MB of dependencies in the cage. And the host is still clean.

We will come back to the nginx setup later; in the meantime we need to bring up two more cells for our payment gateway on nodejs and rust and for the web application, which for some reason is on Apache and PHP, and the latter needs a MySQL database.

# cbsd jsconstruct-tui

# cbsd jstart paygw

# jexec paygw

paygw:/@[15:55] # pkg install git node npm

paygw:/@[15:55] # curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

...and another 380 MB of isolated packages

Next, we download our application with git and launch it.

# cbsd jsconstruct-tui

# cbsd jstart webapp

# jexec webapp

webapp:/@[16:02] # pkg install mariadb104-server apache24 php74 mod_php74 php74-pdo_mysql

450 MB of packages in the cage.

Here we give the developers SSH access directly to the cell; they will do everything there themselves:

webapp:/@[16:02] # ee /etc/ssh/sshd_config

Port 2267 - change the SSH port of the cell to anything arbitrary

webapp:/@[16:02] # sysrc sshd_enable=YES

webapp:/@[16:02] # service sshd start

Well, the service is running, all that remains is to add a pf firewall rule

Let's see which IPs our cells have and what our "local area" usually looks like.

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind
     2  192.168.0.2     tor.space.com                 /zroot/jails/jails/tor
     3  192.168.0.3     nginx-rev.space.com           /zroot/jails/jails/nginx-rev
     4  192.168.0.4     paygw.space.com               /zroot/jails/jails/paygw
     5  192.168.0.5     webapp.my.domain              /zroot/jails/jails/webapp

and add the rule

# ee /etc/pf.conf

## SSH for web-Devs
IP_JAIL="192.168.0.5"
PORT_JAIL="{ 2267 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

However, since we are here, let's also add the rule for the reverse proxy:

## web-ports for nginx-rev
IP_JAIL="192.168.0.3"
PORT_JAIL="{ 80, 443 }"
rdr pass on $IF_PUBLIC proto tcp from any to $IP_PUBLIC port $PORT_JAIL -> $IP_JAIL

# pfctl -f /etc/pf.conf

Now, a little about bitcoins

What we have is a web application exposed externally and talking locally to our payment gateway. Now we need to prepare a working environment for interacting with the Bitcoin network itself: the bitcoind node is just a daemon that keeps a local copy of the blockchain up to date. This daemon has RPC and wallet functionality, but there are "wrappers" that are more convenient for application development. To begin with, we decided to install the electrum CLI wallet. We will use this wallet as "cold storage" for our bitcoins: in general, those bitcoins that need to be kept "outside" the system accessible to users and generally away from everyone. It also has a GUI, so we will use the same wallet on our laptops. For now we will use Electrum with public servers, and later we will bring up ElectrumX in another cell so as not to depend on anyone at all.

# cbsd jsconstruct-tui

# cbsd jstart electrum

# jexec electrum

electrum:/@[8:45] # pkg install py36-electrum

another 700 MB of software in our cage

electrum:/@[8:53] # adduser

Username: wallet
Full name: 
Uid (Leave empty for default): 
Login group [wallet]: 
Login group is wallet. Invite wallet into other groups? []: 
Login class [default]: 
Shell (sh csh tcsh nologin) [sh]: tcsh
Home directory [/home/wallet]: 
Home directory permissions (Leave empty for default): 
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]: 
Username   : wallet
Password   : <disabled>
Full Name  : 
Uid        : 1001
Class      : 
Groups     : wallet 
Home       : /home/wallet
Home Mode  : 
Shell      : /bin/tcsh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (wallet) to the user database.
Add another user? (yes/no): no
Goodbye!
electrum:/@[8:53] # su wallet

wallet@electrum:/ % electrum-3.6 create

{
    "msg": "Please keep your seed in a safe place; if you lose it, you will not be able to restore your wallet.",
    "path": "/usr/home/wallet/.electrum/wallets/default_wallet",
    "seed": "jealous win pig material ribbon young punch visual okay cactus random bird"
}

Now we have a created wallet.

wallet@electrum:/ % electrum-3.6 listaddresses

[
    "18WEhbjvMLGRMfwudzUrUd25U5C7uZYkzE",
    "14XHSejhxsZNDRtk4eFbqAX3L8rftzwQQU",
    "1KQXaN8RXiCN1ne9iYngUWAr6KJ6d4pPas",
    ...
    "1KeVcAwEYhk29qEyAfPwcBgF5mMMoy4qjw",
    "18VaUuSeBr6T2GwpSHYF3XyNgLyLCt1SWk"
]

wallet@electrum:/ % electrum-3.6 help

Only a limited circle of people on our side will be able to connect to the wallet from now on. So as not to open access to this cell from outside, SSH connections will go through TOR (a decentralized version of a VPN). We start SSH in the cell, but do not touch our pf.conf on the host.

electrum:/@[9:00] # sysrc sshd_enable=YES

electrum:/@[9:00] # service sshd start

Now let's cut the wallet cell off from internet access. Let's give it an IP address from another part of the subnet that is not NATed. First let's change /etc/pf.conf on the host

# ee /etc/pf.conf

JAIL_IP_POOL="192.168.0.0/24" we change to JAIL_IP_POOL="192.168.0.0/25", so all addresses 192.168.0.126-255 will have no direct internet access. A kind of software "air-gap" network. And the NAT rule stays as it was

nat pass on $IF_PUBLIC from $JAIL_IP_POOL to any -> $IP_PUBLIC

Reload the rules

# pfctl -f /etc/pf.conf
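Because the whole "air-gap" rests on which half of the /24 the NAT pool covers, it is worth checking the boundary before reloading pf rather than computing it by hand. The following is an added example, not from the article: plain POSIX sh helpers that test whether a jail address falls inside the pool and list the jails from the jls output above with and without NAT. The jail table is constructed from the article's jls listing; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): check which jail addresses
# the pf NAT pool covers, so the /24 -> /25 change can be verified before
# pfctl -f reloads the rules. POSIX sh only, no external tools.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# in_cidr IP NET/BITS -> exit 0 when IP lies inside the prefix
# (NET/BITS must contain the slash)
in_cidr() {
    a_ip=$(ip_to_int "$1")
    a_net=$(ip_to_int "${2%/*}")
    a_bits=${2#*/}
    a_mask=$(( (0xFFFFFFFF << (32 - a_bits)) & 0xFFFFFFFF ))
    [ $(( a_ip & a_mask )) -eq $(( a_net & a_mask )) ]
}

# isolated_range NET/BITS -> the addresses of the enclosing /24 that the pool
# leaves out, i.e. the ones that get no NAT; "none" if the pool is a /24 or wider
isolated_range() {
    r_net=$(ip_to_int "${1%/*}")
    r_bits=${1#*/}
    if [ "$r_bits" -le 24 ]; then
        echo none
        return 0
    fi
    r_base=$(( r_net & 0xFFFFFF00 ))
    echo "$(int_to_ip $(( r_base + (1 << (32 - r_bits)) )))-$(int_to_ip $(( r_base + 255 )))"
}

# Jail addresses, constructed from the jls output shown in the article
JAILS="bitcoind=192.168.0.1
tor=192.168.0.2
nginx-rev=192.168.0.3
paygw=192.168.0.4
webapp=192.168.0.5
polipo=192.168.0.6
lightning=192.168.0.7
electrum=192.168.0.200"

# nat_status NET/BITS -> one "name ip nat|no-nat" line per jail
nat_status() {
    printf '%s\n' "$JAILS" | while IFS== read -r jname jip; do
        if in_cidr "$jip" "$1"; then
            echo "$jname $jip nat"
        else
            echo "$jname $jip no-nat"
        fi
    done
}

# Compare the pool before and after the change
echo "pool 192.168.0.0/24: no NAT for $(isolated_range 192.168.0.0/24)"
echo "pool 192.168.0.0/25: no NAT for $(isolated_range 192.168.0.0/25)"
nat_status 192.168.0.0/25
```

With the /25 pool, only the electrum cell at 192.168.0.200 shows up as no-nat; every other jail, including the polipo and tor cells it will later depend on, keeps its NAT.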

Now let's take our cell

# cbsd jconfig jname=electrum

jset mode=quiet jname=electrum ip4_addr="192.168.0.200"
Remove old IP: /sbin/ifconfig em0 inet 192.168.0.6 -alias
Setup new IP: /sbin/ifconfig em0 inet 192.168.0.200 alias
ip4_addr: 192.168.0.200

Hmm, but now the system itself will stop working for us. However, we can specify a system proxy. But there is one thing: TOR provides a SOCKS5 proxy, and for convenience we would also like an HTTP proxy.

# cbsd jsconstruct-tui

# cbsd jstart polipo

# jexec polipo

polipo:/@[9:28] # pkg install polipo

polipo:/@[9:28] # ee /usr/local/etc/polipo/config

socksParentProxy = "192.168.0.2:9050"
socksProxyType = socks5

polipo:/@[9:42] # sysrc polipo_enable=YES

polipo:/@[9:43] # service polipo start

Well, now there are two proxy servers in our system, and both exit via TOR: socks5://192.168.0.2:9050 and http://192.168.0.6:8123

Now we can configure our wallet environment

# jexec electrum

electrum:/@[9:45] # su wallet

wallet@electrum:/ % ee ~/.cshrc

# proxy settings at the end of the file
setenv http_proxy http://192.168.0.6:8123
setenv https_proxy http://192.168.0.6:8123

Now the shell will work through the proxy. If we want to install packages, we have to add the following to /usr/local/etc/pkg.conf under the cage root

pkg_env: {
               http_proxy: "http://my_proxy_ip:8123",
           }

Well, now it is time to add a TOR hidden service as the address of our SSH service in the wallet cage.

# jexec tor

tor:/@[9:59] # ee /usr/local/etc/tor/torrc

HiddenServiceDir /var/db/tor/electrum/
HiddenServicePort 22 192.168.0.200:22

tor:/@[10:01] # mkdir /var/db/tor/electrum

tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/electrum

tor:/@[10:01] # chmod 700 /var/db/tor/electrum

tor:/@[10:03] # service tor restart

tor:/@[10:04] # cat /var/db/tor/electrum/hostname

mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion

This is our connection address. Let's check from the local machine. But first we need to add our SSH key:

wallet@electrum:/ % mkdir ~/.ssh

wallet@electrum:/ % ee ~/.ssh/authorized_keys

ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAG9Fk2Lqi4GQ8EXZrsH3EgSrVIQPQaAlS38MmJLBabihv9KHIDGXH7r018hxqLNNGbaJWO/wrWk7sG4T0yLHAbdQAFsMYof9kjoyuG56z0XZ8qaD/X/AjrhLMsIoBbUNj0AzxjKNlPJL4NbHsFwbmxGulKS0PdAD5oLcTQi/VnNdU7iFw== user@local

Well, from a Linux client machine

user@local ~$ nano ~/.ssh/config

#remote electrum wallet
Host remotebtc
        User wallet
        Port 22
        Hostname mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion
        ProxyCommand /bin/ncat --proxy localhost:9050 --proxy-type socks5 %h %p

Let's connect (for this to work, you need a local TOR daemon listening on 9050)

user@local ~$ ssh remotebtc

The authenticity of host 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:iW8FKjhVF4yyOZB1z4sBkzyvCM+evQ9cCL/EuWm0Du4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'mdjus4gmduhofwcso57b3zl3ufoitguh2knitjco5cmgrokpreuxumad.onion' (ECDSA) to the list of known hosts.
FreeBSD 12.1-RELEASE-p1 GENERIC 
To save disk space in your home directory, compress files you rarely
use with "gzip filename".
        -- Dru <[email protected]>
wallet@electrum:~ % logout

Success!

To work with fast and small payments we also need a Lightning Network node; in fact, this will be our main tool for working with Bitcoin. We will use c-lightning* as the daemon with the Sparko plugin, which is a full-featured HTTP (REST) interface that lets you work with both off-chain and on-chain transactions. c-lightning needs a running bitcoind to work, but that is all.

*There are different implementations of the Lightning Network protocol in different languages. Of those we tried, c-lightning (written in C) seemed the most stable and efficient

# cbsd jsconstruct-tui

# cbsd jstart cln

# jexec cln

lightning:/@[10:23] # adduser

Username: lightning
...

lightning:/@[10:24] # pkg install git

lightning:/@[10:23] # su lightning

cd ~ && git clone https://github.com/ElementsProject/lightning

lightning@lightning:~ % exit

lightning:/@[10:30] # cd /home/lightning/lightning/

lightning:/home/lightning/lightning@[10:31] # pkg install autoconf automake gettext git gmp gmake libtool python python3 sqlite3 libsodium py36-mako bash bitcoin-utils

lightning:/home/lightning/lightning@[10:34] # ./configure && gmake && gmake install

While everything needed is being compiled and installed, let's create an RPC user for lightningd in bitcoind

# jexec bitcoind

bitcoind:/@[10:36] # ee /usr/local/etc/bitcoin.conf

rpcbind=192.168.0.1
rpcuser=test
rpcpassword=test
#allow only c-lightning
rpcallowip=192.168.0.7/32

bitcoind:/@[10:39] # service bitcoind restart
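The bitcoin.conf above pins the RPC listener to the bitcoind cell's address and allows a single client, the lightning cell. Since this is the one interface that can spend from the node's wallet, it is worth checking those two lines mechanically before restarting bitcoind. The following is an added example, not the article's code: a small POSIX sh lint over a bitcoin.conf, run here against two constructed configs (the article's tight one and a deliberately loose one). The function names are my own; rpcbind, rpcallowip, rpcuser, rpcpassword and rpcauth are real bitcoind options.

```shell
#!/bin/sh
# Added example (not from the original article): lint a bitcoin.conf for the
# RPC exposure settings the article relies on, so the "allow only c-lightning"
# intent can be verified before restarting bitcoind. POSIX sh plus sed/grep.

# Two configs constructed for the check: the article's settings and a loose one
TIGHT_CONF='rpcbind=192.168.0.1
rpcuser=test
rpcpassword=test
#allow only c-lightning
rpcallowip=192.168.0.7/32'

LOOSE_CONF='rpcbind=0.0.0.0
rpcuser=test
rpcpassword=test
rpcallowip=0.0.0.0/0'

# conf_get CONF KEY -> value of the last uncommented KEY= line, empty if unset
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# rpc_findings CONF -> one finding per line; only the credential note remains
# when the listener and the allow list are as tight as in the article
rpc_findings() {
    bind=$(conf_get "$1" rpcbind)
    allow=$(conf_get "$1" rpcallowip)
    case $bind in
        '')
            echo "rpcbind: unset, bitcoind keeps RPC on loopback" ;;
        0.0.0.0|'::')
            echo "rpcbind: listens on every interface ($bind), pin it to the jail address" ;;
    esac
    case $allow in
        '')
            echo "rpcallowip: unset, bitcoind ignores rpcbind and keeps RPC on loopback" ;;
        0.0.0.0/0|::/0)
            echo "rpcallowip: any source may connect ($allow)" ;;
        */32|*/128)
            ;;   # exactly one host, as the article intends
        *)
            echo "rpcallowip: wider than one host ($allow)" ;;
    esac
    if [ -n "$(conf_get "$1" rpcpassword)" ]; then
        echo "rpcpassword: static credential stored in the config file, rpcauth stores only a salted hash"
    fi
    return 0
}

echo "== article config =="
rpc_findings "$TIGHT_CONF"
echo "== loose config =="
rpc_findings "$LOOSE_CONF"
```

On the article's config the only remaining finding is the plaintext rpcpassword; the loose config additionally reports the wildcard bind and the wildcard allow list, which together expose the wallet RPC to every jail on the 192.168.0.0/24.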

My switching between cells became much less chaotic once I discovered tmux, which lets you create many terminal subsessions within one session. An analogue: screen

So, we do not want to expose the real IP of our node, and we want to perform all financial operations via TOR. Therefore, one more .onion is needed.

# jexec tor

tor:/@[9:59] # ee /usr/local/etc/tor/torrc

HiddenServiceDir /var/db/tor/cln/
HiddenServicePort 9735 192.168.0.7:9735

tor:/@[10:01] # mkdir /var/db/tor/cln

tor:/@[10:01] # chown -R _tor:_tor /var/db/tor/cln

tor:/@[10:01] # chmod 700 /var/db/tor/cln

tor:/@[10:03] # service tor restart

tor:/@[10:04] # cat /var/db/tor/cln/hostname

en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion

Now let's build the c-lightning configuration

lightning:/home/lightning/lightning@[10:31] # su lightning

lightning@lightning:~ % mkdir .lightning

lightning@lightning:~ % ee .lightning/config

alias=My-LN-Node
bind-addr=192.168.0.7:9735
rgb=ff0000
announce-addr=en5wbkavnytti334jc5uzaudkansypfs6aguv6kech4hbzpcz2ove3yd.onion:9735
network=bitcoin
log-level=info
fee-base=0
fee-per-satoshi=1
proxy=192.168.0.2:9050
log-file=/home/lightning/.lightning/c-lightning.log
min-capacity-sat=200000

# sparko plugin
# https://github.com/fiatjaf/lightningd-gjson-rpc/tree/master/cmd/sparko

sparko-host=192.168.0.7
sparko-port=9737

sparko-tls-path=sparko-tls

#sparko-login=mywalletusername:mywalletpassword

#sparko-keys=masterkey;secretread:+listchannels,+listnodes;secretwrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
sparko-keys=masterkey;secretread:+listchannels,+listnodes;ultrawrite:+invoice,+listinvoices,+delinvoice,+decodepay,+waitpay,+waitinvoice
# for the example above the initialization logs (mixed with lightningd logs) should print something like

lightning@lightning:~ % mkdir .lightning/plugins

lightning@lightning:~ % cd .lightning/plugins/

lightning@lightning:~/.lightning/plugins:% fetch https://github.com/fiatjaf/sparko/releases/download/v0.2.1/sparko_full_freebsd_amd64

lightning@lightning:~/.lightning/plugins % mkdir ~/.lightning/sparko-tls

lightning@lightning:~/.lightning/sparko-tls % cd ~/.lightning/sparko-tls

lightning@lightning:~/.lightning/sparko-tls % openssl genrsa -out key.pem 2048

lightning@lightning:~/.lightning/sparko-tls % openssl req -new -x509 -sha256 -key key.pem -out cert.pem -days 3650

lightning@lightning:~/.lightning/plugins % chmod +x sparko_full_freebsd_amd64

lightning@lightning:~/.lightning/plugins % mv sparko_full_freebsd_amd64 sparko

lightning@lightning:~/.lightning/plugins % cd ~

You also need to create a configuration file for bitcoin-cli, the utility that talks to bitcoind

lightning@lightning:~ % mkdir .bitcoin

lightning@lightning:~ % ee .bitcoin/bitcoin.conf

rpcconnect=192.168.0.1
rpcuser=test
rpcpassword=test

check

lightning@lightning:~ % bitcoin-cli echo "test"

[
  "test"
]

start lightningd

lightning@lightning:~ % lightningd --daemon

lightningd itself can be controlled with the lightning-cli utility, for example:

lightning-cli newaddr - get a new address for an incoming payment

{
   "address": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv",
   "bech32": "bc1q2n2ffq3lplhme8jufcxahfrnfhruwjgx3c78pv"
}

lightning-cli withdraw bc1jufcxahfrnfhruwjgx3cq2n2ffq3lplhme878pv all - send all the funds in the wallet to the address (all on-chain addresses)

And for off-chain operations there are the commands lightning-cli invoice, lightning-cli listinvoices, lightning-cli pay, etc.

Well, and for communication with the application we have the REST API

curl -k https://192.168.0.7:9737/rpc -d '{"method": "pay", "params": ["lnbc..."]}' -H 'X-Access masterkey'

Let's sum up the results

# jls

   JID  IP Address      Hostname                      Path
     1  192.168.0.1     bitcoind.space.com            /zroot/jails/jails/bitcoind
     2  192.168.0.2     tor.space.com                 /zroot/jails/jails/tor
     3  192.168.0.3     nginx-rev.space.com           /zroot/jails/jails/nginx-rev
     4  192.168.0.4     paygw.space.com               /zroot/jails/jails/paygw
     5  192.168.0.5     webapp.my.domain              /zroot/jails/jails/webapp
     7  192.168.0.200   electrum.space.com            /zroot/jails/jails/electrum
     8  192.168.0.6     polipo.space.com              /zroot/jails/jails/polipo
     9  192.168.0.7     lightning.space.com           /zroot/jails/jails/cln

We have a set of containers, each with its own level of access both from and to the local network.

# zfs list

NAME                    USED  AVAIL  REFER  MOUNTPOINT
zroot                   279G  1.48T    88K  /zroot
zroot/ROOT             1.89G  1.48T    88K  none
zroot/ROOT/default     1.89G  17.6G  1.89G  /
zroot/home               88K  1.48T    88K  /home
zroot/jails             277G  1.48T   404M  /zroot/jails
zroot/jails/bitcoind    190G  1.48T   190G  /zroot/jails/jails-data/bitcoind-data
zroot/jails/cln         653M  1.48T   653M  /zroot/jails/jails-data/cln-data
zroot/jails/electrum    703M  1.48T   703M  /zroot/jails/jails-data/electrum-data
zroot/jails/nginx-rev   190M  1.48T   190M  /zroot/jails/jails-data/nginx-rev-data
zroot/jails/paygw      82.4G  1.48T  82.4G  /zroot/jails/jails-data/paygw-data
zroot/jails/polipo     57.6M  1.48T  57.6M  /zroot/jails/jails-data/polipo-data
zroot/jails/tor        81.5M  1.48T  81.5M  /zroot/jails/jails-data/tor-data
zroot/jails/webapp      360M  1.48T   360M  /zroot/jails/jails-data/webapp-data

As you can see, bitcoind takes up a whole 190 GB of space. What if we need another node for testing? This is where ZFS helps. With cbsd jclone old=bitcoind new=bitcoind-clone host_hostname=clonedbtc.space.com you can create a snapshot and attach a new cell to this snapshot. The new cell will have its own space, but only the difference between the current state and the original will be accounted for in the file system (we will save at least 190 GB)

Each cell is its own separate ZFS dataset, and this is very convenient. ZFS also lets you do various other cool things, such as sending snapshots over SSH. We will not describe that; there is already a lot here.

It is also worth noting the need for remote monitoring of the host; for these purposes we have Zabbix.

B for security

Regarding security, let's start with the key principles in the context of infrastructure:

Confidentiality - The standard tools of UNIX-like systems ensure the implementation of this principle. We logically separate access to each logically separate entity of the system, the cell. Access is granted through standard user authentication using the users' personal keys. All communication between the cells and the end point takes place in encrypted form. Thanks to disk encryption, we do not need to worry about data security when replacing a disk or moving to another server. The only critical access is access to the host system, since such access generally gives access to the data inside the containers.

Integrity - The implementation of this principle takes place at several different levels. First, it is worth noting that in the case of server hardware with ECC memory, ZFS already takes care of data integrity at the bit level "out of the box". Instant snapshots allow you to make backups at any time on the fly. Convenient cell export/import tools make cell replication easy.

Availability - This is already optional. It depends on the level of your fame and on whether you have haters. In our example, we made sure that the wallet is accessible exclusively over the TOR network. If necessary, you can block everything on the firewall and allow access to the server only through tunnels (TOR or a VPN is another matter). Thus, the server will be cut off from the outside world as much as possible, and only we will be able to influence its availability.

Non-repudiation - This again depends on the ongoing implementation of and compliance with the appropriate policies on user rights, access, etc. But when done correctly, all user actions are audited, and thanks to cryptographic solutions it is possible to clearly identify who performed which actions and when.

Of course, the described configuration is not a complete example of how it should always be, but it is one example of how it can be, while retaining the possibility of flexible scaling and customization.

What about full virtualization?

You can read about full virtualization using cbsd here. I will add that for bhyve to work you need to enable some kernel options.

# cat /etc/rc.conf

...
kld_list="vmm if_tap if_bridge nmdm"
...

# cat /boot/loader.conf

...
vmm_load="YES"
...

So if you suddenly need to run docker, then install debian and off you go!

That's all

I think that is all I wanted to share. If you liked this article, you can send me some bitcoins: bc1qu7lhf45xw83ddll5mnzte6ahju8ktkeu6qhttc. If you want to try cells in action and have some bitcoins, you can visit my pet-project.

Source: www.habr.com