Linux tips and tricks: the server, knock

For those who need to give themselves and their loved ones access to their servers from anywhere in the world over SSH/RDP/whatever, a short RTFM/cheat sheet.

Without a VPN and other heavy machinery, from any device at hand.

And without putting much load on the server.

All you need for this is knockd, steady hands and 5 minutes of work.

"Everything is on the Internet", sure (even on Habr), but when it comes to a concrete implementation, that is where the fun begins...

We will use Fedora/CentOS as the example, but that does not really matter.

The cheat sheet is meant both for beginners and for people who know the subject, so there will be comments, but brief ones.

1. Server

  • install knock-server:
    yum/dnf install knock-server

  • configure it (example for ssh) - /etc/knockd.conf:

    [options]
        UseSyslog
        interface = enp1s0f0
    [SSHopen]
        sequence        = 33333,22222,11111
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout     = 3600
        stop_command    = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    [SSHclose]
        sequence        = 11111,22222,33333
        seq_timeout     = 5
        tcpflags        = syn
        command         = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

    The "open" door is set to close itself after 1 hour: cmd_timeout = 3600 runs stop_command that many seconds after start_command. Just in case... Note also that the open sequence runs downwards (33333,22222,11111) while close runs upwards, so a plain ascending port scan can at most hit the close door.

  • /etc/sysconfig/iptables (knockd sniffs the interface with libpcap, so it sees the knocks even when the firewall drops them; these ACCEPT rules are therefore optional, and without them a scanner sees the knock ports as filtered rather than closed):

    ...
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
    ...

  • then:

    service iptables restart
    service knockd start

    (On CentOS 7+/Fedora this assumes the iptables-services package is in use instead of firewalld; add systemctl enable knockd so it survives a reboot.)

  • you can also add RDP to a virtual Windows Server spinning inside (/etc/knockd.conf; change the interface name to match yours):

    [RDPopen]
        sequence        = 44444,33333,22222
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -t nat -A PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
        cmd_timeout     = 3600
        stop_command    = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
    [RDPclose]
        sequence        = 22222,33333,44444
        seq_timeout     = 5
        tcpflags        = syn
        command         = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2

    Every knock from client to server can be followed on the server: knockd logs each matched step to syslog as "<ip>: SSHopen: Stage N", and the resulting rules are visible with iptables -S (for the RDP door use iptables -t nat -S, since -S shows the filter table by default). Note that DNAT alone only rewrites the destination; for the forwarded RDP traffic to actually pass, ip_forward must be enabled and the FORWARD chain must allow it, which this note does not cover.

2. A guide to the rakes (pitfalls)

knockd.conf:

The man page does contain everything (well, almost), but knockd is a shy friend when it comes to messages: it will happily start with a broken config and simply not react, so you have to be very attentive.

  • version
    In the Fedora/CentOS repositories the newest knockd today is 0.63. Whoever wants UDP should look at the 0.70 packages.
  • interface
    In the default Fedora/CentOS config this line is absent. Add it by hand, otherwise it will not work.
  • seq_timeout
    Pick this to taste. The client needs enough time to deliver the whole sequence, while a port-scanning bot should fall out of the window (and scan it will, 146% guaranteed).
  • command / start_command / stop_command
    If there is a single command, use command; if there are two, start_command + stop_command (with cmd_timeout between them). Get this wrong and knockd stays silent, but nothing works.
  • protocol
    In theory UDP can be used. In practice I mixed tcp and udp, and a client from the shores of Bali managed to open the gate only on the fifth try, because the TCP packets arrived where they should while the UDP ones did not always. But this, too, is a matter of taste.
  • sequence
    An obvious rake: sequences must not overlap... how to put it...

For example, this:

open: 11111,22222,33333
close: 22222,11111,33333

Having knocked 11111, the open door waits for the next knock on 22222. But that same 22222 is also the first knock of the close door, so from there both doors are in play and everything falls apart. It also depends on the client's delay. Such things ©.
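To catch this before a config goes live, here is an added example (mine, not from the article): a POSIX sh/awk linter that reads a knockd.conf and reports two kinds of overlap, two doors starting on the same port, and a door whose first port sits at a non-final position of another door's sequence, which is the open/close collision just shown. A first port that is only the last knock of another door is allowed, so the reverse-sequence pair from section 1 passes. The sample configs it writes are constructed for the demonstration and reuse the article's port numbers.

```shell
#!/bin/sh
# Added example, not part of the original article: lint a knockd.conf for
# overlapping knock sequences. Rules implemented:
#   1. two doors must not start with the same port (knockd cannot tell which
#      door the client means);
#   2. the first port of door B must not sit at a NON-final position of door A,
#      because a client knocking A would then also be starting B half-way
#      through A (the open/close collision from the text).
# A first port that is the LAST port of another door is allowed, which is the
# reverse-sequence layout used in section 1.
# Protocol suffixes (":tcp", ":udp") are ignored; only the port order matters.

# usage: check_knock_sequences /etc/knockd.conf
# prints one CONFLICT line per problem; exit 0 = clean, exit 1 = conflicts found
check_knock_sequences() {
    awk '
        BEGIN { n = 0; door = "" }
        /^[ \t]*\[/ {                      # section header, e.g. [SSHopen]
            door = $0
            gsub(/^[ \t]*\[/, "", door)
            gsub(/].*$/, "", door)
            next
        }
        door != "" && door != "options" && /^[ \t]*sequence[ \t]*=/ {
            seq = $0
            sub(/^[^=]*=[ \t]*/, "", seq)  # keep only the right-hand side
            gsub(/:(tcp|udp)/, "", seq)    # 7000:udp -> 7000
            gsub(/[ \t]/, "", seq)
            n++
            name[n] = door
            ports[n] = seq
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                split(ports[i], pa, ",")
                first = pa[1]
                for (j = 1; j <= n; j++) {
                    if (i == j) continue
                    nj = split(ports[j], pb, ",")
                    if (pb[1] == first) {
                        if (i < j)
                            printf "CONFLICT: [%s] and [%s] both start with port %s\n", name[i], name[j], first
                        bad = 1
                        continue
                    }
                    for (k = 2; k < nj; k++)      # non-final knocks of door j
                        if (pb[k] == first) {
                            printf "CONFLICT: first port %s of [%s] is knock %d of %d in [%s] (%s)\n", first, name[i], k, nj, name[j], ports[j]
                            bad = 1
                        }
                }
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample configs for the demonstration (not real server files).
# usage: write_sample_conf bad|good /path/to/file
write_sample_conf() {
    case "$1" in
        bad)   # the colliding pair from the text above
            printf '%s\n' '[options]' '    UseSyslog' '    interface = enp1s0f0' \
                '[SSHopen]' '    sequence = 11111,22222,33333' '    seq_timeout = 5' \
                '[SSHclose]' '    sequence = 22222,11111,33333' '    seq_timeout = 5' > "$2" ;;
        good)  # the reverse-sequence pair from section 1
            printf '%s\n' '[options]' '    UseSyslog' '    interface = enp1s0f0' \
                '[SSHopen]' '    sequence = 33333,22222,11111' '    seq_timeout = 5' \
                '[SSHclose]' '    sequence = 11111,22222,33333' '    seq_timeout = 5' > "$2" ;;
    esac
}

# Demo: run the linter over both samples.
demo_knock_lint() {
    dir=$(mktemp -d)
    write_sample_conf bad "$dir/bad.conf"
    write_sample_conf good "$dir/good.conf"
    echo "== bad.conf =="
    check_knock_sequences "$dir/bad.conf" || echo "exit status: $?"
    echo "== good.conf =="
    check_knock_sequences "$dir/good.conf" && echo "no conflicts"
    rm -rf "$dir"
}
demo_knock_lint
```

Run it as `check_knock_sequences /etc/knockd.conf` before restarting knockd. With all four doors from section 1 in one file it also speaks up: the RDP doors reuse 22222 and 33333 in the middle of their sequences next to the SSH doors, so choosing RDP ports that do not occur in the SSH sequences keeps the check quiet.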

iptables

If /etc/sysconfig/iptables contains this:

*nat
:PREROUTING ACCEPT [0:0]

it does not bother us, but this:

*filter
:INPUT ACCEPT [0:0]
...
-A INPUT -j REJECT --reject-with icmp-host-prohibited

does.

Since knockd appends its rules to the end of the INPUT chain (iptables -A), they land behind that REJECT and never match, so we keep getting rejected.

And simply deleting the REJECT means throwing the doors open to all the winds.

So as not to get lost in iptables over what has to be inserted before what (as people suggest, for instance iptables -I instead of -A), let's simplify:

  • the default on CentOS/Fedora, the chain policy ("what is not forbidden is allowed"), is replaced with the opposite,
  • and the last rule is removed.

The result should be:

*filter
:INPUT DROP [0:0]
...
#-A INPUT -j REJECT --reject-with icmp-host-prohibited

Yes, you can use REJECT instead of DROP, but with DROP life becomes much more entertaining for the bots: they sit through timeouts instead of getting an instant answer.
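To check on a live box that knockd's appended ACCEPT is actually reachable, here is an added example (not the article's own code): it reads the output of `iptables -S INPUT` and flags any ACCEPT rule with a source address that sits behind an unconditional REJECT/DROP, as well as a chain that is wide open (policy ACCEPT with no catch-all). The two rule listings inside are constructed samples, with the documentation address 203.0.113.7 standing in for %IP%; on a real server, pipe `iptables -S INPUT` into the function.

```shell
#!/bin/sh
# Added example, not from the original article: check whether the per-IP ACCEPT
# rules that knockd appends to INPUT can ever be reached. Reads the output of
# `iptables -S INPUT` on stdin and reports:
#   SHADOWED  an ACCEPT with a source address placed after an unconditional
#             "-A INPUT -j REJECT/DROP" (the situation described above);
#   WARN      policy ACCEPT with no catch-all rule at all (everything is open).
# Exit 0 = fine, exit 1 = something to fix.
# usage on a live box:  iptables -S INPUT | check_input_chain
check_input_chain() {
    awk '
        BEGIN { n = 0; catchall = 0; policy = "" }
        /^-P INPUT / { policy = $3 }
        /^-A INPUT / {
            n++
            rule[n] = $0
            # unconditional terminating rule: target follows the chain directly,
            # i.e. no match options such as -s, -p, -m state ... before -j
            if (catchall == 0 && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP"))
                catchall = n
        }
        END {
            status = 0
            if (policy == "ACCEPT" && catchall == 0) {
                print "WARN: INPUT policy ACCEPT and no catch-all rule: chain is wide open"
                status = 1
            }
            for (i = 1; i <= n; i++) {
                if (rule[i] ~ / -s [^ ]+ / && rule[i] ~ /-j ACCEPT$/) {
                    if (catchall != 0 && i > catchall) {
                        printf "SHADOWED: rule %d sits after catch-all rule %d and never matches: %s\n", i, catchall, rule[i]
                        status = 1
                    } else {
                        printf "OK: rule %d is reachable: %s\n", i, rule[i]
                    }
                }
            }
            exit status
        }
    '
}

# Constructed samples of `iptables -S INPUT` output (not taken from a real host).
# usage: sample_chain before|after
sample_chain() {
    case "$1" in
        before)  # stock CentOS/Fedora layout with the REJECT still in place,
                 # after knockd appended its ACCEPT for the knocking client
            printf '%s\n' \
                '-P INPUT ACCEPT' \
                '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
                '-A INPUT -p icmp -j ACCEPT' \
                '-A INPUT -i lo -j ACCEPT' \
                '-A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT' \
                '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
                '-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 22 -j ACCEPT' ;;
        after)   # the layout recommended above: policy DROP, REJECT removed
            printf '%s\n' \
                '-P INPUT DROP' \
                '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
                '-A INPUT -p icmp -j ACCEPT' \
                '-A INPUT -i lo -j ACCEPT' \
                '-A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT' \
                '-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 22 -j ACCEPT' ;;
    esac
}

echo "== before =="; sample_chain before | check_input_chain || echo "exit status: $?"
echo "== after ==";  sample_chain after  | check_input_chain && echo "exit status: 0"
```

The other accepted fix, if you would rather keep the final REJECT, is to make knockd insert at the top of the chain, i.e. start_command = iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT (stop_command stays -D); the check then reports that rule as reachable.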

3. Client

This part is the most interesting one (in my opinion), because it has to work not only from any sea but from any device.

Actually, a number of clients are listed on the project site, but that is from the same "everything is on the Internet" series. So I will write down what works in my hands, here and now.

When choosing a client, make sure it supports a delay between packets. Yes, there is a difference between a beach and a 100-megabit line, and nobody guarantees that packets sent from some random place arrive in the right order at the right time.

And yes, when setting up the client you pick the delay yourself. Too long a seq_timeout on the server and bots get a wider window; too short and the client does not make it. Too large a delay and the client does not fit into the window, or you get the silly collisions (see the rakes above); too small and packets get lost on the way.

With seq_timeout=5s, a delay of 100..500 ms is a perfectly working option.

Windows

As funny as it sounds, googling a sane client for this platform is not trivial: CLI, with delay support, TCP, and without frills.

Otherwise, you can try those as well. Apparently my Google is not what it used to be.

Linux

Everything is simple here:

dnf install knock -y
knock -d <delay> <dst_ip> 11111 22222 33333

MacOS

The easiest way is to install knock from Homebrew:
brew install knock
and then write the needed little shell scripts with commands like:

#!/bin/sh
knock -d <delay> <dst_ip> 11111 22222 33333

iOS

A working option is KnockOnD (free, from the App Store).

Android

"Knock on Ports". Not an ad, it just works. And the developers are genuinely responsive.

PS Habr's markdown, of course, God bless it one day...

UPD1: thanks to a kind person, a working client for Windows has been found.
UPD2: Another kind person reminded me that adding new rules to the end of iptables does not always help. But that depends.

Source: www.habr.com
