Network connectivity diagnostics on the EDGE virtual router

In some situations, problems can arise while setting up a virtual router. For example, port forwarding (NAT) does not work, and/or there is a problem with the Firewall rules themselves. Or you simply need to pull the router logs, check how the channel is performing, and test the network. Cloud provider Cloud4Y explains how this is done.

Working with the virtual router

First, we need to set up access to the virtual router, the EDGE. To do this, we open its services and go to the appropriate tab, EDGE Settings. There we enable SSH Status, set a password, and make sure to save the changes.

If we use strict Firewall rules, where everything is denied by default, we then add rules that allow connections to the router itself on the SSH port:

Then we connect with any SSH client, for example PuTTY, and land in the console.

In the console a set of commands is available to us; their list can be seen with:
list

Which commands might be useful to us? Here is a list of the most useful ones:

  • show interface - shows the available interfaces and the IP addresses configured on them
  • show log - shows the router logs
  • show log follow - lets you watch the log in real time as it is updated. Every rule, whether NAT or Firewall, has an Enable logging option; when it is enabled, the rule's events are recorded in the log, which makes diagnosis possible.
  • show flowtable - shows the whole table of established connections with their parameters
    Example: 1: tcp 6 21599 ESTABLISHED src=9X.107.69.XXX dst=178.170.172.XXX sport=59365 dport=22 pkts=293 bytes=22496 src=178.170.172.XXX dst=91.107.69.173 sport=22 dport=59365 pkts=206 bytes=83569 [ASSURED] mark=0 rid=133427 use=1
  • show flowtable topN 10 - lets you display the required number of lines, in this example 10
  • show flowtable topN 10 sort-by pkts - sorts the connections by packet count, from smallest to largest
  • show flowtable topN 10 sort-by bytes - sorts the connections by the number of bytes transferred, from smallest to largest
  • show flowtable rule-id ID topN 10 - shows the connections matched by the required rule ID
  • show flowtable flowspec SPEC - for a more flexible selection of connections, where SPEC sets the required filter criteria, for example proto=tcp:srcIP=9X.107.69.XXX:sport=59365, to select TCP connections from source IP address 9X.107.69.XX and source port 59365
    Example: > show flowtable flowspec proto=tcp:srcip=90.107.69.171:sport=59365
    1: tcp 6 21599 ESTABLISHED src=9X.107.69.XX dst=178.170.172.xxx sport=59365 dport=22 pkts=1659 bytes=135488 src=178.170.172.xxx dst=xx.107.69.xxx sport=22 dport=59365 pkts=1193 bytes=210361 [ASSURED] mark=0 rid=133427 use=1
    Total flows: 1
  • show packet drops - lets you view packet drop statistics
  • show firewall flows - shows the firewall packet counters and packet flows.
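To make the flowtable fields easier to read, here is an added example (not NSX or Cloud4Y code) that parses a captured `show flowtable` output offline and reproduces what the topN, sort-by, rule-id and flowspec selections pick out. The sample table is constructed (documentation and private address ranges); the function names are the example's own. It also lists flows whose reply direction has seen no packets, which is the symptom to look for when return traffic is not coming back through this Edge.

```python
"""Offline parser for NSX Edge 'show flowtable' output.

Added example (not NSX or Cloud4Y code): reproduces what 'show flowtable
topN N sort-by pkts|bytes', 'show flowtable rule-id ID' and
'show flowtable flowspec SPEC' select on the Edge CLI, so the fields of a
flow line can be read and queried. The sample table below is constructed;
the addresses are documentation/private ranges, not real hosts.
"""
import re
from dataclasses import dataclass

# Constructed 'show flowtable' capture. Each line is a conntrack-style entry:
# index, protocol, protocol number, timeout, [state], original-direction
# tuple with counters, reply-direction tuple with counters, flags, rule id.
SAMPLE_FLOWTABLE = """\
1: tcp 6 21599 ESTABLISHED src=198.51.100.7 dst=192.0.2.10 sport=59365 dport=22 pkts=293 bytes=22496 src=192.0.2.10 dst=198.51.100.7 sport=22 dport=59365 pkts=206 bytes=83569 [ASSURED] mark=0 rid=133427 use=1
2: udp 17 29 src=10.10.1.5 dst=10.10.0.53 sport=51000 dport=53 pkts=1 bytes=70 src=10.10.0.53 dst=10.10.1.5 sport=53 dport=51000 pkts=1 bytes=300 mark=0 rid=131074 use=1
3: tcp 6 431999 ESTABLISHED src=10.10.1.7 dst=10.10.2.20 sport=40000 dport=443 pkts=5000 bytes=900000 src=10.10.2.20 dst=10.10.1.7 sport=443 dport=40000 pkts=4800 bytes=60000 [ASSURED] mark=0 rid=133427 use=1
4: tcp 6 118 SYN_SENT src=10.10.1.9 dst=203.0.113.5 sport=45000 dport=443 pkts=3 bytes=180 [UNREPLIED] src=203.0.113.5 dst=10.10.1.9 sport=443 dport=45000 pkts=0 bytes=0 mark=0 rid=133430 use=1
Total flows: 4
"""

FLOW_RE = re.compile(
    r"^(?P<idx>\d+):\s+(?P<proto>\w+)\s+(?P<protonum>\d+)\s+(?P<timeout>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"                      # UDP lines carry no state
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)\s+"
    r"pkts=(?P<pkts>\d+)\s+bytes=(?P<bytes>\d+)\s+(?:\[UNREPLIED\]\s+)?"
    r"src=(?P<rsrc>\S+)\s+dst=(?P<rdst>\S+)\s+sport=(?P<rsport>\d+)\s+dport=(?P<rdport>\d+)\s+"
    r"pkts=(?P<rpkts>\d+)\s+bytes=(?P<rbytes>\d+)"
    r"(?P<flags>(?:\s+\[[A-Z]+\])*)\s+mark=(?P<mark>\d+)\s+rid=(?P<rid>\d+)"
)


@dataclass
class Flow:
    idx: int
    proto: str
    timeout: int
    state: str          # empty for protocols without a state machine (udp)
    src: str
    dst: str
    sport: int
    dport: int
    pkts: int           # original direction counters
    bytes: int
    rpkts: int          # reply direction counters
    rbytes: int
    assured: bool       # [ASSURED]: conntrack has seen traffic both ways
    rid: int            # firewall rule id that admitted the flow


def parse_flowtable(text):
    """Turn a 'show flowtable' capture into Flow records, skipping the footer."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # e.g. "Total flows: N"
        g = m.groupdict()
        flows.append(Flow(
            idx=int(g["idx"]), proto=g["proto"], timeout=int(g["timeout"]),
            state=g["state"] or "", src=g["src"], dst=g["dst"],
            sport=int(g["sport"]), dport=int(g["dport"]),
            pkts=int(g["pkts"]), bytes=int(g["bytes"]),
            rpkts=int(g["rpkts"]), rbytes=int(g["rbytes"]),
            assured="[ASSURED]" in g["flags"], rid=int(g["rid"])))
    return flows


def top_n(flows, n, sort_by=None):
    """topN N [sort-by pkts|bytes]: smallest to largest, counting both directions."""
    if sort_by == "pkts":
        flows = sorted(flows, key=lambda f: f.pkts + f.rpkts)
    elif sort_by == "bytes":
        flows = sorted(flows, key=lambda f: f.bytes + f.rbytes)
    return flows[:n]


def by_rule(flows, rid):
    """rule-id ID: only flows admitted by that firewall rule."""
    return [f for f in flows if f.rid == rid]


def flowspec(flows, spec):
    """flowspec 'proto=tcp:srcIP=A:sport=N': every key must match the original direction."""
    want = {}
    for part in spec.split(":"):
        key, _, value = part.partition("=")
        want[key.lower()] = value
    getters = {"proto": lambda f: f.proto, "srcip": lambda f: f.src, "dstip": lambda f: f.dst,
               "sport": lambda f: str(f.sport), "dport": lambda f: str(f.dport)}
    unknown = set(want) - set(getters)
    if unknown:
        raise ValueError(f"unknown flowspec key(s): {sorted(unknown)}")
    return [f for f in flows if all(getters[k](f) == v for k, v in want.items())]


def one_way_flows(flows):
    """Flows with no reply packets through this Edge: what asymmetric routing
    looks like in the table (traffic leaves here, the answer returns elsewhere)."""
    return [f for f in flows if f.rpkts == 0]


if __name__ == "__main__":
    table = parse_flowtable(SAMPLE_FLOWTABLE)
    for f in top_n(table, 2, "bytes"):
        print(f.idx, f.proto, f.src, f.dst, f.bytes + f.rbytes, "bytes")
    print("one-way flows:", [f.idx for f in one_way_flows(table)])
```

Paste a real capture into SAMPLE_FLOWTABLE (or read it from a file) and the same queries apply; a flow that stays in SYN_SENT with pkts=0 in the reply direction while the client retries is the table-side view of the "ping works one way, TCP never establishes" case discussed in the firewall diagnosis sequence.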

We can also use basic network diagnostic tools directly on the EDGE router:

  • ping ip WORD
  • ping ip WORD size SIZE count COUNT nofrag - ping with the size of the data sent and the number of probes specified, and with fragmentation of the chosen packet size prohibited.
  • traceroute ip WORD

Sequence for diagnosing Firewall operation on the Edge

  1. Run show firewall and look at the custom filtering rules, which are in the usr_rules table
  2. We check the POSTROUTING chain and watch the number of dropped packets in the DROP field. If there is an asymmetric routing problem, we will see the counters rising.
    Let's run some additional checks:

    • Ping will work in one direction but not in the other
    • ping will work, but TCP sessions will not be established.
  3. We check the output of IP address information - show ipset
  4. Enable logging on the firewall rule in the Edge services
  5. We check the events in the log - show log follow
  6. We check the connections for the required rule_id - show flowtable rule_id
  7. Using show flowstats, we compare the current number of established connections (Flow Capacity) with the allowed maximum (Flow Capacity limit) for the current configuration. The available configurations and their limits can be viewed in VMware NSX Edge. If there is interest, I could cover this in the next article.
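Steps 2 and 7 of the sequence are counter comparisons, so here is an added example (not NSX or Cloud4Y code) that performs both offline on captured CLI output. The two `show firewall` snapshots are constructed in iptables -nvL style (a `pkts bytes target` counter row per rule under each `Chain` header); the column layout of a real Edge may differ, so the row regex is the place to adjust. The capacity figures given to `flow_headroom()` are hypothetical values of the kind `show flowstats` reports; the function names are the example's own.

```python
"""Two offline checks from the Edge firewall diagnosis sequence.

Added example, not NSX or Cloud4Y code. The 'show firewall' snapshots are
constructed in iptables -nvL style (a 'pkts bytes target ...' counter row per
rule under each 'Chain NAME' header); real Edge output may lay the columns
out differently, so adjust RULE_RE to what your 'show firewall' prints. The
flow capacity numbers passed to flow_headroom() are hypothetical values of
the kind 'show flowstats' reports.
"""
import re

CHAIN_RE = re.compile(r"^Chain\s+(\S+)")
# pkts, bytes, then the target; the header row ("pkts bytes target") does not match.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+([A-Z_]+)\b")

# Constructed snapshots taken a few seconds apart while a client reported
# one-way connectivity. Only the POSTROUTING DROP counter moves between them.
SNAPSHOT_T0 = """\
Chain PREROUTING (policy ACCEPT 1200 packets, 96000 bytes)
 pkts bytes target  prot opt in  out  source     destination
    0     0 DROP    all  --  *   *    0.0.0.0/0  0.0.0.0/0   state INVALID

Chain POSTROUTING (policy ACCEPT 1180 packets, 94400 bytes)
 pkts bytes target  prot opt in  out  source     destination
   12   720 DROP    all  --  *   *    0.0.0.0/0  0.0.0.0/0   state INVALID
"""
SNAPSHOT_T1 = SNAPSHOT_T0.replace("   12   720 DROP", "   57  3420 DROP")


def parse_drop_counters(text):
    """Map each chain to the packets its DROP rules have discarded so far."""
    drops, chain = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            drops.setdefault(chain, 0)
            continue
        m = RULE_RE.match(line)
        if m and chain is not None and m.group(3) == "DROP":
            drops[chain] += int(m.group(1))
    return drops


def rising_drops(before, after, chain="POSTROUTING"):
    """Packets dropped in `chain` between two snapshots (step 2). A count that
    keeps growing while ping works in one direction only, or TCP never reaches
    ESTABLISHED, is the asymmetric-routing signature the sequence describes."""
    b = parse_drop_counters(before).get(chain, 0)
    a = parse_drop_counters(after).get(chain, 0)
    return a - b


def flow_headroom(current_flows, max_flows, warn_at=0.8):
    """Step 7: current established connections against the configured maximum.
    Returns the percentage used and whether it crosses the warning threshold."""
    if max_flows <= 0:
        raise ValueError("max_flows must be positive")
    ratio = current_flows / max_flows
    return {"used_pct": round(ratio * 100, 1), "warn": ratio >= warn_at}


if __name__ == "__main__":
    print("POSTROUTING drops between snapshots:", rising_drops(SNAPSHOT_T0, SNAPSHOT_T1))
    print("flow headroom:", flow_headroom(450, 500))
```

Take the two snapshots a fixed interval apart (for example with `show firewall` before and after a ping test from the affected client) so the delta can be read as a rate; a flow table close to its limit explains new connections failing even when every rule and route is correct.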


Source: www.habr.com
