Port Knocking: The best security you can have on your computer or server (Implementation + Configuration)

Port Knocking is definitely a technique that all of us who manage servers should know well; here I explain in detail what it is and how to implement and configure it 😉

Right now, those of us who manage a server have SSH access to it. Some of us have changed the default SSH port and no longer use port 22; others simply leave it as is (which is not recommended). Either way, the server allows SSH access through some port, and that alone is already a 'vulnerable condition'.

With Port Knocking we can achieve the following:

1. SSH access is not enabled on any port. If we have SSH configured on port 9191 (for example), that port (9191) will be closed to everyone.
2. If someone wants to access the server via SSH, obviously they can't, since port 9191 is closed... but if we use the 'magic' or secret combination, that port will be opened, for example:

1. I knock on port 7000 of the server
2. I knock again, on port 8000 of the server
3. I knock again, on port 9000 of the server
4. The server detects that someone performed the secret combination (knocking on ports 7000, 8000 and 9000, in that order) and opens port 9191 so SSH can be used to log in (it opens it only for the IP that performed the correct port combination).
5. Now, to close SSH, I just knock on port 3500
6. I knock again, on port 4500
7. And finally another knock on port 5500
8. Performing that other secret combination, which the server also detects, closes port 9191 again.

In other words, to explain it even more simply...

With Port Knocking our server can have specific ports closed, but if the server detects that from some IP X the correct port combination was performed (a combination already declared in the configuration file), it will execute some command on itself (a command also declared in the configuration file).

Is it clear? 🙂

How to install the daemon for Port Knocking?

I do it with the knockd package, which lets us implement and configure Port Knocking in a simple, easy and fast way.

Install the package: knockd

How to configure Port Knocking with knockd?

Once installed we proceed to configure it; for that we will edit (as root) the file /etc/knockd.conf:

nano /etc/knockd.conf

As you can see, this file already contains a default configuration.

Explaining the default settings is simple.

- First, UseSyslog means that activity will be logged to /var/log/syslog.
- Second, the [openSSH] section is where the directives that open SSH go. First we have the port sequence (the secret combination) configured by default (port 7000, port 8000 and finally port 9000). Obviously the ports can be changed (in fact I recommend it), and they don't have to be 3; they can be fewer or more, it's up to you.
- Third, seq_timeout = 5 is the time window in which the secret port combination has to happen. By default it is set to 5 seconds, meaning that once we start the port knocking (that is, when we knock on port 7000) we have at most 5 seconds to complete the sequence correctly; if 5 seconds pass and we haven't finished knocking, the sequence is simply treated as invalid.
- Fourth, command needs little explanation. It is simply the command the server will execute when it detects the combination declared above. What the default command does is open port 22 (change that to your SSH port) only for the IP that performed the correct port combination.
- Fifth, tcpflags = syn. With this line we specify the type of packet the server will consider valid for the port knock.

Then there is the section that closes SSH, whose default configuration is nothing more than the port sequence above, but in reverse order.

Here is the configuration with some changes of my own:

How to start the knockd daemon?

To start it we first have to edit (as root) the file /etc/default/knockd:

nano /etc/default/knockd

There we change line 12, which says «START_KNOCKD=0», replacing the 0 with 1 so that it reads «START_KNOCKD=1»

Once that's done we just start it:

service knockd start

And voilà, it's configured and running.

Port Knocking in action!

As you can see in the configuration above, if a knock is made on port 1000, then on 2000 and finally on 3000, port 2222 (my SSH port) opens; well, here is another computer performing the port knocking:

Once I press [Enter] on knock No. 1, then on No. 2 and finally on No. 3, the port opens; here is the log:

As you can see, when port 1000 is knocked, stage 1 is registered; then 2000 is stage 2 and finally 3000 is stage 3. At that point the command I declared in the .conf is executed, and that's it.

Then to close the port I just knock on 9000, 8000 and finally 7000; here is the log:

And with that, the explanation of how it's used is done 😀
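The knockd.conf settings explained above and the staged log behaviour of the knocking session, as an added example that is not part of the original post: a small Python model that parses a constructed knockd.conf (assumed values: the post's 1000,2000,3000 sequence opening port 2222 and 9000,8000,7000 closing it, with knockd's default iptables command pattern and %IP% placeholder) and replays SYN knocks through a simplified version of knockd's stage and seq_timeout logic, covering the expired-sequence and out-of-order cases.

```python
# Constructed knockd.conf (assumed values) for the post's modified setup; %IP% is knockd's placeholder
KNOCKD_CONF = """
[openSSH]
    sequence    = 1000,2000,3000
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 2222 -j ACCEPT
    tcpflags    = syn
[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 2222 -j ACCEPT
    tcpflags    = syn
"""

def parse_conf(text):
    # Parse knockd's INI-style file into {section: {key: value}}
    sections, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            cur = sections.setdefault(line.strip("[]"), {})
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
    return sections

class KnockTracker:
    # Simplified model of knockd's per-door, per-IP stage and seq_timeout logic
    def __init__(self, conf):
        self.doors = [(n, [int(p) for p in s["sequence"].split(",")],
                       int(s["seq_timeout"]), s["command"])
                      for n, s in conf.items() if "sequence" in s]
        self.state = {}                       # (ip, door) -> (stage, first-knock time)
    def syn(self, ip, port, now):
        # Feed one TCP SYN; returns the log lines plus any command that fires
        out = []
        for name, seq, timeout, cmd in self.doors:
            stage, t0 = self.state.get((ip, name), (0, now))
            if stage == 0 or now - t0 > timeout:   # fresh door or seq_timeout elapsed
                stage, t0 = 0, now
            if port == seq[stage]:
                stage += 1
                out.append(f"{ip}: {name}: Stage {stage}")
                if stage == len(seq):              # whole sequence done: run the command
                    out.append(cmd.replace("%IP%", ip))
                    stage = 0
            elif port in seq:                      # out-of-order knock resets the door
                stage = 0
            self.state[(ip, name)] = (stage, t0)
        return out
```

Feeding the three open knocks within 5 seconds returns the three stage lines and the iptables command with %IP% replaced by the knocker's address; a knock arriving more than seq_timeout after the first one, or out of order, silently resets that door.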

As you can see, Port Knocking is really interesting and useful, because it's not just about opening a port after a certain combination of ports: the command or commands the server executes can vary. In other words... instead of opening a port we could declare that a process be killed, that a service like Apache or MySQL be stopped, and so on... the limit is your imagination.

Port Knocking only works when you have a physical server or when the virtual server is based on KVM. If your VPS (virtual server) is OpenVZ, I don't think Port Knocking will work for you, since you can't control the firewall (iptables) rules directly.

Well, that's the article for now... I'm no expert on the subject, but I wanted to tell you about this interesting feature.

Regards 😀


Comments


  1. erunamoJAZZ said:

    Great article, it's really interesting and I didn't know it existed... it would be nice if you kept putting out articles on new sysadmin stuff and the like 😀

    Greetings and thanks ^_^

    1. KZKG^Gaara said:

      Thanks for commenting.
      Yes... it's like that with Fico's things about DNS, I don't want to be left behind LOL!!!

      It's nothing serious. Many months ago I heard something about Port Knocking and it caught my attention right away, but since I thought it would be complicated at the time I didn't decide to get into it; only yesterday, while reviewing some packages from the repo, I found knockd and decided to try it, and here is the tutorial.

      I've always liked posting technical articles; some may not be interesting but... I hope some are 😉

      Regards

    2. Mario said:

      Hi, I know this article has been around for a while, but I'm posting my question to see if someone can clear it up for me.
      The thing is, I implemented port knocking on a Raspberry to try to improve security when I connect to it from outside the home network. For this to work I had to open the port range 7000-9990 on the router, pointing at the device. Is it safe to open those ports on the router or, on the contrary, while trying to gain some security, am I doing the opposite?

      Greetings and thanks.

  2. eVR said:

    Great, I've been a sysadmin for years and didn't know about it.
    One question... how do you do the "knocking"?
    Do you telnet to those ports? What does telnet reply? Or is there some "knock" command?
    Great config and article. Amazing. Thank you very much

    1. KZKG^Gaara said:

      I did the test with telnet and everything worked wonderfully... but, curiously, there is a 'knock' command; do man knock so you can see 😉

      Telnet really doesn't answer me at all; the iptables rules with the DROP policy make it not reply at all and telnet just sits there waiting for some response (which will never come), but the knock daemon recognises the knock even if nobody answers it 😀

      Thank you very much for your comment, it's nice to know my posts are still liked ^_^

  3. st0bayan4 said:

    Added to Favorites! :D!

    Thanks!

    1. KZKG^Gaara said:

      Thanks 😀

  4. nisanta said:

    Ahh security, that feeling when we lock the PC down tight, and then days/weeks later we try to connect from some remote place and can't get in because the firewall is in "nobody can do anything" mode; in sysadmin terms this is called being locked out of the castle. 😉

    That's why this post is so useful: with port knocking you can get access from anywhere that can send packets to your home network, and attackers lose interest when they see the ssh port is closed; I don't think they're going to brute-force it to open the port.

  5. Manuel said:

    Hey, the article is great.

    One thing: does it work for connections from outside the home network?

    I say this because I have a router with all ports closed except the one corresponding to ssh, which is forwarded to the server.

    I suppose that for it to work from outside the home network, the router ports corresponding to the Port Knocking would have to be opened and forwarded to the server as well.

    Mmm...

    I don't know how safe doing that would be.

    What do you think?

    1. KZKG^Gaara said:

      I'm not entirely sure, I haven't tested it, but I think so; you would have to open the ports on the router, otherwise you can't knock on the server.

      Try it without opening the ports on the router; if it doesn't work for you that's a shame, because I agree with you, it's not good to open those ports on the router.

      1. Manuel said:

        Indeed, we have to open the ports and forward them to the computer we're knocking on.

        A pity.

  6. Rabba 08 said:

    Thank you very much! I'm just starting to study networking and these tutorials are great for me! Thanks for taking the time to share your knowledge

    1. KZKG^Gaara said:

      I've learned a lot over the years with the worldwide Linux community... for years I've wanted to give something back too, and that's basically why I write 😀

  7. janus981 said:

    Thank you very much, you don't know how much this helps me; I'm about to set up a server and this is great for me.

    Regards

    1. KZKG^Gaara said:

      That's what we're here for, to help 😉

  8. Jean ventura said:

    Great article! I had no idea about this and it helps me a lot (I use RackSpace, which uses KVM, so it fits me like a glove!). Added to favorites.

    1. KZKG^Gaara said:

      Thanks for commenting 🙂

  9. Algave said:

    As usual DesdeLinux brings us excellent posts with tutorials that are really useful to put into practice, thanks for sharing!! 🙂

    1. KZKG^Gaara said:

      Thanks for your comment 🙂
      Yes, we always try to satisfy our readers' thirst for knowledge 😀

  10. Lokaci said:

    Interesting, I didn't know about this option.
    Straight into my collection of cheat sheets.
    Thanks!

    1. KZKG^Gaara said:

      My pleasure 😀
      Regards

  11. Frederick. A. Valdés Toujague said:

    Greetings KZKG^Gaara!!! You nailed it. Great article for protecting servers. I had no @%*&^ idea such a thing existed. I'm going to try it. Thanks

  12. White ^ abun wuya said:

    this is great.... ^-^

  13. KoyiLinux said:

    Hi, could you explain how to install it on CentOS 5.x?

    I downloaded the rpm:
    http://pkgs.repoforge.org/knock/knock-0.5-3.el5.rf.x86_64.rpm

    Installed it:
    rpm -i knock-0.5-3.el5.rf.x86_64.rpm

    Set up the config file with a 15 second timeout and the port I use to connect via ssh to my vps

    Started the daemon:
    /usr/sbin/knockd &&

    I knock and everything, and the port doesn't close; with the open sequence it opens, but it doesn't close.

    Am I doing something wrong?

  14. hola said:

    Mmmm, the telnet requests to those ports could be learned by our local network administrator, or by our service provider, no? It may block people from outside, but not them, so if they want to open our port they could do it by watching the requests we make; mmm, let's say it's protected but not 100%

    1. Roberto said:

      It could be, but I don't think they'd imagine that certain connections perform action X. Unless they notice that the same telnet paths are always followed.

  15. Pablo Andres Diaz Aramburo said:

    Interesting article, I have a question. I think there is an error in the config file image, because if you look closely, on both command lines you use ACCEPT in iptables. I think one should be ACCEPT and the other DROP.

    Otherwise, great tutorial. Thank you very much for taking the time to explain your knowledge to others.

    Regards