
Today I want to share a way to set up a two-factor authentication server to protect a company network, websites, services and ssh. The server will run the following combination: LinOTP + FreeRadius.
Why do we need it?
It is a free, quite decent solution that lives inside your own network and does not depend on third-party providers.
The service is very simple and looks good, unlike some other open-source products, and it supports a large number of functions and policies (for example, login+password+(PIN+OTPToken)). Through its API it integrates with SMS gateways (LinOTP Config->Provider Config->SMS Provider), generates codes for mobile apps such as Google Authenticator, and much more. I think it is far more convenient than the service discussed in .
This server works fine with Cisco ASA, an OpenVPN server, Apache2 and, in general, almost anything that supports authentication against a RADIUS server (for example, SSH in a data center).
Requirements:
1) Debian 8 (Jessie), strictly! (a test installation on Debian 9 is described at the end of the article)
Let's begin:
Install Debian 8.
Add the LinOTP repository:
# echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list
Add the signing key:
# gpg --search-keys 913DFF12F86258E5
Sometimes, on a "clean" install, Debian answers this command with:
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: no keyserver known (use option --keyserver)
gpg: keyserver search failed: bad URI
This is just gnupg's first-run initialisation. It is harmless; simply run the command again.
To Debian's prompt:
gpg: searching for "913DFF12F86258E5" from hkp server keys.gnupg.net
(1) LSE LinOTP2 Packaging <linotp2@lsexperts.de>
2048 bit RSA key F86258E5, created: 2010-05-10
Keys 1-1 of 1 for "913DFF12F86258E5". Enter number(s), N)ext, or Q)uit >
we answer: 1
Next:
Before handing the key to apt, compare its full fingerprint (gpg --fingerprint 913DFF12F86258E5) with the one LinOTP publishes: a keyserver only confirms that some key with this ID was uploaded, not by whom, and apt will trust every package signed with it. Then:
# gpg --export 913DFF12F86258E5 | apt-key add -
# apt-get update
Install mysql. In principle you can use another SQL server, but for simplicity I'll use the one LinOTP recommends.
(Additional information, including reconfiguring the LinOTP database, can be found in the official documentation at . There you will also find the command dpkg-reconfigure linotp, which changes the parameters if you have already installed mysql.)
# apt-get install mysql-server
# apt-get update (it does no harm to check for updates once more)
Install LinOTP and the additional modules:
# apt-get install linotp
We answer the installer's questions:
Use Apache2: yes
Create the LinOTP admin password: "YourPassword"
Generate a self-signed certificate?: yes
Use MySQL?: yes
Where is the database located: localhost
Create the LinOTP database (database name) on the server: LinOTP2
Create a separate database user: LinOTP2
Set the user's password: "YourPassword"
Create the database now? (something like "Are you sure you want to..."): yes
Enter the MySQL root password you set during its installation: "YourPassword"
Done.
(optional, you don't have to install this)
# apt-get install linotp-adminclient-cli
(optional, you don't have to install this)
# apt-get install libpam-linotp
Our LinOTP web interface is now available at:
https://server_IP/manage
I'll come back to the settings in the web interface a little later.
Now the most important part! Let's bring up FreeRadius and tie it to LinOTP.
Install FreeRadius and the module for talking to LinOTP:
# apt-get install freeradius linotp-freeradius-perl
Back up the radius client and users configs:
# mv /etc/freeradius/clients.conf /etc/freeradius/clients.old
# mv /etc/freeradius/users /etc/freeradius/users.old
Create an empty clients file:
# touch /etc/freeradius/clients.conf
Edit our new config (the backed-up config can serve as an example):
# nano /etc/freeradius/clients.conf
client 192.168.188.0/24 {
    secret = passwd # shared secret for connecting clients
}
Use a long random string instead of passwd: the shared secret is all that protects the PIN+OTP in the User-Password attribute on its way from the client to FreeRadius, and keep the client range as narrow as the real NAS addresses allow.
Then create the users file:
# touch /etc/freeradius/users
Edit it, telling radius that we will authenticate via perl:
# nano /etc/freeradius/users
DEFAULT Auth-type := perl
Next, edit the file /etc/freeradius/modules/perl
# nano /etc/freeradius/modules/perl
We need to point the module parameter at the linotp perl script:
perl {
    .......
    module = /usr/lib/linotp/radius_linotp.pm
    .......
}
Next, create the file in which we tell the module where (domain, database or file) to take the user data from:
# touch /etc/linotp2/rlm_perl.ini
# nano /etc/linotp2/rlm_perl.ini
URL=https://IP_of_your_LinOTP_server(192.168.X.X)/validate/simplecheck
REALM=webusers1c
RESCONF=LocalUser
Debug=True
SSL_CHECK=False
I'll go into more detail here because it matters:
Full description of the file, with comments:
#IP of the LinOTP server (our LinOTP server's IP address)
URL=https://172.17.14.103/validate/simplecheck
#Our realm, which we will create in the LinOTP web interface
REALM=rearm1
#Name of the UserIdResolver (user source) created in the LinOTP web interface
RESCONF=flat_file
#optional: comment out once everything works as expected
Debug=True
#optional: set this if you use self-signed certificates, otherwise comment it out (SSL_CHECK verifies the server certificate; relevant when we created our own certificate and want it checked)
SSL_CHECK=False
Note what SSL_CHECK=False actually does: FreeRadius will send the user's PIN+OTP to whatever answers on that URL without checking who it is. The better fix for a self-signed LinOTP certificate is to trust that certificate explicitly on the RADIUS host (for example by adding it to the system CA store) and leave the check enabled; disable it only while debugging on an isolated network.
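The rlm_perl.ini values only make sense once you see the exchange they configure. The following Python is an added example, not code from the article, from LinOTP or from the radius_linotp.pm module: it builds the request the module sends to URL, parses the one-line reply LinOTP returns from /validate/simplecheck, and shows what SSL_CHECK toggles on the HTTPS connection. The HTTP method and the user/pass/realm/resConf parameter names are assumptions taken from the LinOTP validate API rather than read from the module; the realm, resolver, OTP and challenge text are constructed samples (the IP is the one used above).

```python
"""Added example, not code from the article or from LinOTP/FreeRADIUS.

It shows what the rlm_perl.ini settings mean on the wire: the perl
module sends the user's credentials to URL (/validate/simplecheck) and
turns LinOTP's one-line reply into a RADIUS decision, and SSL_CHECK
decides whether that HTTPS connection is verified at all.
Assumptions: HTTP POST and the parameter names user/pass/realm/resConf
follow the LinOTP validate API; the realm, resolver, OTP and challenge
text are constructed sample values.
"""
import ssl
from urllib.parse import urlencode, urlsplit


def build_simplecheck_request(url, user, password, realm, resconf=None):
    """Return (method, url, form_body) for a /validate/simplecheck call.

    The PIN+OTP goes in the POST body, never in the query string, so it
    stays out of web-server access logs. Plain http is refused outright.
    """
    if urlsplit(url).scheme != "https":
        raise ValueError("LinOTP URL must be https; the body carries PIN+OTP")
    params = {"user": user, "pass": password, "realm": realm}
    if resconf:
        params["resConf"] = resconf  # resolver hint, taken from RESCONF
    return "POST", url, urlencode(params)


def parse_simplecheck_reply(body):
    """Map LinOTP's smiley reply to a RADIUS decision.

    ':-)'                           -> Access-Accept
    ':-('                           -> Access-Reject
    ':-/ <transactionid> <message>' -> Access-Challenge
    Anything else (HTML error page, empty body) is a reject, never accept.
    """
    text = body.strip()
    if text == ":-)":
        return {"result": "accept"}
    if text == ":-(":
        return {"result": "reject"}
    if text.startswith(":-/"):
        parts = text[3:].strip().split(None, 1)
        return {
            "result": "challenge",
            "transactionid": parts[0] if parts else "",
            "message": parts[1] if len(parts) > 1 else "",
        }
    return {"result": "reject", "reason": "unexpected reply: %r" % text}


def linotp_tls_context(ssl_check=True, cafile=None):
    """Build the TLS context for the FreeRADIUS -> LinOTP connection.

    SSL_CHECK=False is the CERT_NONE branch: any host that answers on the
    URL can collect PIN+OTP. For a self-signed LinOTP certificate, pass
    its PEM file as cafile instead and keep verification on.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if not ssl_check:
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    method, url, body = build_simplecheck_request(
        "https://172.17.14.103/validate/simplecheck",
        "alice", "1234" + "755224", "rearm1", "flat_file")  # PIN + sample OTP
    print(method, url, body)
    for reply in (":-)", ":-(", ":-/ 20170418101142 Please enter your OTP",
                  "<html>502 Bad Gateway</html>"):
        print(repr(reply), "->", parse_simplecheck_reply(reply))
    print("SSL_CHECK=False verifies the server:",
          linotp_tls_context(False).verify_mode != ssl.CERT_NONE)
```

Run it directly to see the three reply shapes mapped to decisions. An unrecognised body (an Apache error page while the LinOTP backend is down, for instance) is deliberately treated as a reject, which is the failure mode you want in front of a VPN or SSH gateway.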
Next, create the file /etc/freeradius/sites-available/linotp
# touch /etc/freeradius/sites-available/linotp
# nano /etc/freeradius/sites-available/linotp
and paste this config into it (nothing needs editing):
authorize {
    # normalizes malformed client requests before they are handed on to other modules (see '/etc/freeradius/modules/preprocess')
    preprocess
    # If you are using multiple kinds of realms, you probably
    # want to set "ignore_null = yes" for all of them.
    # Otherwise, when the first style of realm doesn't match,
    # the other styles won't be checked.
    # allows a list of realms (see '/etc/freeradius/modules/realm')
    IPASS
    # understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    suffix
    # understands USER\REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    ntdomain
    # Read the 'users' file to learn about special configuration which should be applied for
    # certain users (see '/etc/freeradius/modules/files')
    files
    # allows authentication to expire (see '/etc/freeradius/modules/expiration')
    expiration
    # allows to define valid service times (see '/etc/freeradius/modules/logintime')
    logintime
    # We got no radius_shortname_map!
    pap
}
# here the linotp perl module is called for further processing
authenticate {
    perl
}
Next, create a symlink:
# ln -s ../sites-available/linotp /etc/freeradius/sites-enabled
Personally I delete the default radius sites, but if you need them you can edit their config or simply disable them.
# rm /etc/freeradius/sites-enabled/default
# rm /etc/freeradius/sites-enabled/inner-tunnel
# service freeradius reload
Now back to the web interface, in more detail:
In the top right corner click LinOTP Config -> UserIdResolvers -> New
Choose what we need: LDAP (Windows AD, Samba LDAP), SQL, or local system users (Flatfile).
Fill in the required fields.
Next we create a Realm:
In the top right corner click LinOTP Config -> Realms -> New,
give our Realm a name and tick the UserIdResolver created earlier.
FreeRadius needs exactly these names in /etc/linotp2/rlm_perl.ini, as I wrote above, so if you didn't fill them in then, do it now.
The server is fully configured.
To check the whole chain, run from a host inside the client range: radtest <user> <PIN><OTP> <radius_server> 0 <secret> (radtest is in the freeradius-utils package). An Access-Accept means FreeRadius reached LinOTP and LinOTP validated the token; an Access-Reject with a fresh token usually points at a realm or resolver name in rlm_perl.ini that does not match the web interface.
Addendum:
Setting up LinOTP on Debian 9:
Installation:
# echo 'deb http://linotp.org/apt/debian stretch linotp' > /etc/apt/sources.list.d/linotp.list
# apt-get install dirmngr
# apt-key adv --recv-keys 913DFF12F86258E5
# apt-get update
# apt-get install mysql-server
(by default, on Debian, MySQL (MariaDB) does not offer to set a root password during installation. You can leave it empty, but if you follow the news this regularly ends in an "epic fail", so we'll set one anyway. Writing to the user table directly only takes effect after FLUSH PRIVILEGES.)
# mysql -u root -p
use mysql;
UPDATE user SET Password = PASSWORD('password_here') WHERE User = 'root';
FLUSH PRIVILEGES;
exit
# apt-get install linotp
# apt-get install linotp-adminclient-cli
# apt-get install python-ldap
# apt install freeradius
# nano /etc/freeradius/3.0/sites-enabled/linotp
Paste the config (sent in by JuriM, thanks for that!):
server linotp {
    listen {
        ipaddr = *
        port = 1812
        type = auth
    }
    listen {
        ipaddr = *
        port = 1813
        type = acct
    }
    authorize {
        preprocess
        update {
            &control:Auth-Type := Perl
        }
    }
    authenticate {
        Auth-Type Perl {
            perl
        }
    }
    accounting {
        unix
    }
}
Edit /etc/freeradius/3.0/mods-enabled/perl
perl {
    filename = /usr/share/linotp/radius_linotp.pm
    func_authenticate = authenticate
    func_authorize = authorize
}
Unfortunately on Debian 9 the radius_linotp.pm library is not installed from the repositories, so we take it from github.
# apt install git
# git clone https://github.com/LinOTP/linotp-auth-freeradius-perl
# cd linotp-auth-freeradius-perl/
# cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm
This module sees every PIN+OTP that passes through FreeRadius, so check out a reviewed tag or commit rather than whatever HEAD happens to be that day, and record the checksum of the file you deployed.
Now let's edit /etc/freeradius/3.0/clients.conf
client servers {
    ipaddr = 192.168.188.0/24
    secret = your_password
}
Now edit /etc/linotp2/rlm_perl.ini:
# nano /etc/linotp2/rlm_perl.ini
We put the same content there as for the Debian 8 install (described above).
That is all, in theory (not tested yet).
Below I leave a few links on setting up the systems that most need two-factor protection:
Setting up two-factor authentication on 
(a separate token-generation server is used there, but the ASA settings themselves are the same).
Customising  (LinOTP is used there), thanks to the author. There you will also find interesting material on setting up LinOTP policies.
Also, many CMSes support two-factor authentication (for WordPress, LinOTP has its own module at ), for example if you want a protected section of your corporate website for company employees.
IMPORTANT! Do NOT tick the "Google authenticator" checkbox in order to use Google Authenticator! The QR code is unreadable then... (a surprising fact)
Information from the following articles was used in writing this one:
Thanks to the authors.
Source: www.habr.com
