Da farko dai, duk ƙididdiga suna zuwa @YukiteruAmano, saboda wannan rubutun yana dogara ne akan tutorial kun sanya a dandalin. Bambancin shine zan maida hankali a kai Arch, Kodayake tabbas zai yi aiki don sauran rikicewar da aka kafa akan tsarin tsarin.
Menene Firehol?
Wutar wuta, karamin aikace-aikace ne wanda yake taimaka mana wajen sarrafa bangon bango wanda aka haɗa cikin kwaya da kayan aikinta iptables. Firehol, ba shi da zane mai zane, duk daidaitawa dole ne a yi ta fayilolin rubutu, amma duk da wannan, daidaitawar har yanzu mai sauƙi ne ga masu amfani da ƙwarewa, ko kuma iko ga waɗanda ke neman zaɓuɓɓukan ci gaba. Duk abin da Firehol keyi shine sauƙaƙe ƙirƙirar ƙa'idodin ƙaura kamar yadda zai yiwu kuma yana ba da kyakkyawan katangar wuta ga tsarinmu.
Shigarwa da daidaitawa
Firehol ba ya cikin wuraren ajiyar Arch, don haka za mu koma AUR.
yaourt -S firehol
Sa'an nan kuma mu je fayil ɗin sanyi.
sudo nano /etc/firehol/firehol.conf
Kuma mun ƙara dokoki a can, zaka iya amfani da su estas.
Ci gaba da kunna Firehol don kowane farawa. Kyakkyawan sauƙi tare da tsarin.
sudo systemctl enable firehol
Mun fara Firehol.
sudo systemctl start firehol
A ƙarshe mun tabbatar da cewa an ƙirƙiri ƙa'idodin ƙaura kuma an ɗora su daidai.
sudo iptables -L
Kashe IPv6
Kamar yadda wuta ba ta rikewa ip6 tebur kuma tunda yawancin haɗinmu basu da tallafi IPv6, Shawarata ita ce ta musaki shi.
En Arch mun kara ipv6.disable = 1 zuwa layin kernel a cikin / etc / default / grub file
...
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="rw ipv6.disable=1"
GRUB_CMDLINE_LINUX=""
...
Yanzu mun sake sabonta gusa.cfg:
sudo grub-mkconfig -o /boot/grub/grub.cfg
En Debian isa tare da:
sudo echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
Ban gane ba. Shin kuna bin karatun kuma kun riga kun sami Firewall yana aiki kuma ya toshe duk hanyoyin haɗin? Wani abu Koyaswa don Arch yana da rikitarwa misali Ban taɓa amfani da sudo ko yaourt Firewall ba. Duk da haka an Fahimta shi. Ko wataƙila wani sabon ya rubuta yaourt kuma zai sami kuskure. Ga Manjaro ya fi daidai.
Kamar yadda kuka ce @felipe, bin koyarwar da sanya cikin /etc/firehol/firehol.conf shigar da dokokin da @cookie ya bayar a cikin manna, tuni kuna da madaidaicin katangar don kare tsarin a matakin asali. Wannan daidaitaccen aiki yana aiki ne ga kowane ɓoyayyen inda zaka sanya Firehol, tare da fifikon kowannensu harka iya sarrafa ayyukanta ta hanyoyi daban-daban (Debian ta hanyar sysvinit, Arch tare da systemd) kuma ga shigarwa, kowa ya san abin da suke dashi, a cikin Arch dole ne ka yi amfani da ajiyar AUR da yaourt, a cikin Debian jami'ai sun isa, kuma don haka a cikin wasu da yawa, kawai sai ku bincika kad'an a wuraren ajiyewa kuma ku daidaita umarnin shigarwa.
Ina tsammanin Yukiteru tuni ya bayyana muku shakku.
Yanzu, game da sudo da yaourt, a nawa bangare ban dauki sudo a matsayin matsala ba, kawai dai gani ya zo ta tsoho lokacin da ka girka tsarin tushe na Arch; kuma yaourt na zabi ne, zaka iya zazzage kwaltar, ka zazzage shi ka girka tare da makepkg -si.
godiya, Na lura.
Wani abu da na manta ban kara shi ba, amma ba zan iya gyara shi ba.
https://www.grc.com/x/ne.dll?bh0bkyd2
A wannan rukunin yanar gizon zaka iya gwada bangon ka 😉 (godiya ga Yukiteru).
Na gudanar da wadancan gwaje-gwaje a kan Xubuntu kuma komai ya fito daidai! Abin farin ciki ne amfani da Linux !!! 😀
Duk wannan yana da kyau ƙwarai ... amma mafi mahimmanci abu ya ɓace; yakamata kuyi bayanin yadda ake kirkirar dokoki !!, me suke nufi, yadda ake kirkirar sababbi ... Idan ba'a bayyana hakan ba, abin da kuka sanya bashi da amfani kadan: - /
Kirkirar sabbin ka'idoji abu ne mai sauki, takaddun goge-gora a bayyane suke kuma suna da kyau dangane da kirkirar dokokin al'ada, don haka karanta abu kadan zai zama mai sauki a gare ku don tsarawa da kuma daidaita shi da bukatunku.
Ina tsammanin dalilin farko na @cookie post kamar nawa a cikin tattaunawar, shine don bawa masu amfani da masu karatu kayan aikin da zai basu damar bawa kwamfutocin su littlearin tsaro, duk a matakin asali. Sauran an bar shi ne don shi don daidaitawa da bukatunku.
Idan kun karanta hanyar haɗin zuwa koyawa na Yukiteru, zaku gane cewa niyyar tallata aikace-aikacen ne da kuma daidaita katangar bango. Na fayyace cewa post dina kwafi ne kawai akan Arch.
Kuma wannan shine 'don mutane'? o_O
Gwada Gufw akan Arch: https://aur.archlinux.org/packages/gufw/ >> Danna kan Matsayi. Ko ufw idan kun fi son m: sudo ufw kunna
An riga an kare ka idan kai mai amfani ne na al'ada. Wannan 'ga mutane' 🙂
Firehol da gaske shine Front-End don IPTables kuma idan muka kwatanta shi da na ƙarshen, to mutum ne 😀
Ina la'akari da ufw (Gufw kawai tsinkaye ne na shi) azaman mummunan zaɓi game da tsaro. Dalili: don ƙarin ƙa'idodin tsaro da na rubuta a cikin ufw, ba zan iya hana hakan ba a gwaje-gwajen katangar na ta hanyar Yanar gizo da waɗanda na gudanar ta amfani da nmap, ayyuka kamar avahi-daemon da exim4 za su bayyana a buɗe, kuma kawai a Harin "ɓoyi" ya isa sanin ƙananan halaye na tsarina, kwaya da sabis ɗin da ya gudana, wani abu da bai taɓa faruwa da ni ba ta amfani da katangar wuta ko arno.
Da kyau, ban san ku ba, amma kamar yadda na rubuta a sama, ina amfani da Xubuntu kuma Firewall dina yana tare da GUFW kuma na tsallake DUK gwaje-gwajen mahaɗin da marubucin ya sanya ba tare da matsala ba. Duk sata. Babu abin da ya buɗe. Don haka, a cikin kwarewa ufw (sabili da haka gufw) suna da kyau a gare ni. Ba ni da sukunin amfani da wasu hanyoyin sarrafa bango, amma gufw yana aiki ba tare da ɓata lokaci ba kuma yana ba da kyakkyawan sakamako na tsaro.
Idan kuna da wasu gwaje-gwajen da kuke tsammanin zasu iya jefa rauni a cikin tsarina, ku gaya min menene su kuma zan yi farin cikin tafiyar da su anan kuma zan sanar da ku sakamakon.
A ƙasa ina yin sharhi game da batun ufw, inda na ce kuskuren da na gani a cikin 2008, ta amfani da Ubuntu 8.04 Hardy Heron. Me suka riga suka gyara? Abu mafi mahimmanci shine cewa haka ne, don haka babu wani dalilin damu, amma duk da haka, wannan ba yana nufin cewa kwaron yana nan ba kuma zan iya shaida shi, kodayake ba mummunan abu bane mutuwa, kawai na tsaya aljannu avahi-daemon da exim4, kuma tuni an warware matsalar. Abu mafi ban mamaki shi ne cewa waɗancan matakai guda biyu ne kawai ke da matsala.
Na ambaci gaskiyar a matsayin labari na sirri, kuma nayi tunani iri ɗaya yayin da na ce: «Na yi la’akari da ...»
Gaisuwa 🙂
+1
@Yukiteru: Shin kun gwada ta daga kwamfutar ku? Idan kuna kallo daga PC ɗinku, al'ada ne cewa zaku iya samun damar tashar sabis na X, tunda zirga-zirgar da aka toshe ta network ce, ba localhost ba:
http://www.ubuntu-es.org/node/140650#.UgJZ3cUyYZg
https://answers.launchpad.net/gui-ufw/+question/194272
Idan ba haka ba, da fatan za a kawo rahoton kwaro 🙂
Gaisuwa 🙂
Daga wata kwamfuta ta amfani da hanyar sadarwa ta Lan a cikin yanayin nmap, da kuma ta Yanar gizo ta amfani da wannan shafin https://www.grc.com/x/ne.dll?bh0bkyd2Amfani da zaɓin tashar tashar jiragen ruwa na al'ada, duka sun amince cewa avahi da exim4 suna sauraro daga raga duk da cewa ufw sun daidaita abubuwan toshewar su.
Wannan karamin dalla-dalla na avahi-daemon da exim4 na warware shi ta hanyar kawai nakasa ayyukan kuma shi ke nan ... Ban kawo rahoton kwaro ba a wancan lokacin, kuma ina tsammanin ba shi da ma'ana a yi shi yanzu, saboda hakan ya dawo cikin 2008, yana amfani da Hardy.
2008 shekaru 5 kenan da suka gabata; daga Hardy Heron zuwa Raring Ringtail akwai 10 * buntus. Wancan gwajin guda akan Xubuntu na, wanda aka yi jiya kuma aka maimaita shi yau (Agusta 2013) yana ba da cikakke a komai. Kuma ina amfani da UFW kawai.
Na sake cewa: Shin kuna da wasu ƙarin gwaje-gwaje da za ku yi? Tare da jin daɗi ina yin hakan kuma ina yin rahoton abin da ya fito daga wannan ɓangaren.
Yi SYN da IDLE na PC ɗinku ta amfani da nmap, hakan zai ba ku ra'ayin yadda tsarinku yake da tsaro.
Mutumin nmap yana da layi sama da 3000. Idan kun bani umarni don aiwatarwa cikin farin ciki, zanyi kuma zan kawo rahoton sakamakon.
Hmm Ban sani ba game da shafukan mutum 3000 don nmap. amma zenmap taimako ne don yin abin da na gaya muku, gaba ce ta ƙarshe don nmap, amma har yanzu zaɓi don SYN scan tare da nmap shine -sS, yayin da zaɓi don aikin rashi shine -sI, amma ainihin umarnin I zai kasance.
Yi hoton daga wata na'urar dake nuna ip na mashin din ku tare da ubuntu, kar kuyi hakan daga pc din ku, saboda ba haka yake aiki ba.
LOL !! Kuskurena game da shafi 3000, lokacin da suke layi 😛
Ban sani ba amma ina tsammanin GUI don hakan a cikin GNU / Linux don sarrafa bangon zai zama mai hankali kuma kada a bar komai a buɗe kamar yadda yake a cikin ubuntu ko duk abin da aka rufe kamar yadda yake a cikin fedora, ya kamata ku zama da kyau xD, ko wani abu don daidaitawa damn killer alternatives xD hjahjahjaja Yana da kadan da zanyi yaƙi dasu kuma a buɗe jdk amma a ƙarshe ku ma ku kiyaye ƙa'idar sumbatar
Godiya ga duk tuntuɓe da suka faru a baya tare da kayan karau, a yau zan iya fahimtar niverl raw, wato, yi magana kai tsaye da shi kamar yadda ya zo daga masana'anta.
Kuma ba wani abu bane mai rikitarwa ba, yana da sauƙin koya.
Idan marubucin gidan ya bani dama, zan sanya wani bangare na rubutun bango wanda nake amfani da shi a halin yanzu.
## Tsabtace Dokoki
iptable -F
iptable -X
iptable -Z
iptables -t nat -F
## Kafa tsoffin manufofin: DROP
iptables -P INPUT DOP
iptables -P SUTAR DA FITOWA
iptables -P GABA DAYA
# Yi aiki akan localhost ba tare da iyakancewa ba
iptables -A shigar da -i lo -j KARYA
iptables -A FITOWA -o lo -j KARYA
# Bada mashin din zuwa yanar gizo
iptables -A INPUT -p tcp -m tcp –sport 80 -m conntrack –tstate RELATED, Kafa -j GASKIYA
iptables -A KYAUTA -p tcp -m tcp –darwa 80 -j KYAUTA
# Tuni kuma don tabbatar da yanar gizo
iptables -A INPUT -p tcp -m tcp –sport 443 -m conntrack –tstate RELATED, Kafa -j GASKIYA
iptables -A KYAUTA -p tcp -m tcp –darwa 443 -j KYAUTA
# Bada ping daga ciki zuwa waje
iptables -AmUTUTUT -p icmp –icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp –icmp-type echo-reply -j KARBAR
# Kariya ga SSH
#iptables -I INPUT -p tcp –dport 22 -m conntrack -tatstate SABUWAR -m iyaka -kawo 30 / minti -ramit-fashe 5 -m sharhi -comment "SSH-kick" -j ACCEPT
#iptables -A INPUT -p tcp -m tcp –dport 22 -j LOG –log-prefix "SSH ACCESS ATTEMPT:" -log-level 4
#abubuwan da za a iya amfani da su -An shigar da kayan -p tcp -m tcp –darwa 22 -j DROP
# Dokoki don amule don ba da izinin haɗin mai shigowa da shigowa a tashar jirgin ruwa
iptables -A INPUT -p tcp -m tcp –dport 16420 -m conntrack –stateat NEW -m sharhi –comment "aMule" -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp –sport 16420 -m conntrack –tstate RELATED, Kafa sharhin -m sharhi –comment "aMule" -j ACCEPT
iptables -A INPUT -p udp –dport 9995 -m sharhi –comment "aMule" -j ACCEPT
iptables -AmUTUTUT -p udp –sport 9995 -j ACCEPT
iptables -A INPUT -p udp –dasar 16423 -j ACCEPT
iptables -AmUTUTUT -p udp –sport 16423 -j ACCEPT
Yanzu dan bayani. Kamar yadda kake gani, akwai dokoki tare da manufofin DROP ta tsohuwa, babu abin da ya fita ya shiga ƙungiyar ba tare da ka faɗa musu ba.
Bayan haka, an ƙaddamar da abubuwan yau da kullun, localhost da kewayawa zuwa cibiyar sadarwar hanyoyin sadarwa.
Kuna iya ganin cewa akwai kuma dokoki don ssh da amule. Idan suka duba da kyau yadda suke, zasu iya yin wasu dokokin da suke so.
Dabarar shine ganin tsarin dokoki da amfani da takamaiman nau'in tashar jiragen ruwa ko yarjejeniya, walau udp ko tcp.
Ina fatan zaku iya fahimtar wannan da na sanya anan.
Ya kamata ku yi rubutun bayanin sa 😉 zai yi kyau.
Ina da tambaya. Idan kuna son ƙin yarda da haɗin http da https na sanya:
uwar garke "http https" sauke?
Kuma haka tare da kowane sabis?
Gracias