Okokuqala, onke amakhredithi aya kuwo @YukiteruAmano, kuba esi sithuba sisekwe kwi- tutorial uthumele kwiforum. Umahluko kukuba ndiza kugxila kuyo igophe, nangona kunokwenzeka ukuba isebenzela ezinye i-distros esekwe kwi inkqubo.
Yintoni iFirehol?
Umlilo, sisicelo esincinci esisinceda ukuba siphathe i-firewall edityaniswe kwikernel nakwisixhobo sayo iptables. I-Firehol, ayinalo ujongano lomzobo, lonke uqwalaselo kufuneka lwenziwe ngeefayile zombhalo, kodwa ngaphandle koku, ubumbeko luselula kubasebenzisi be-novice, okanye lunamandla kwabo bafuna iindlela eziphambili. Konke okwenziwa nguFirehol, kukwenza kube lula ukuyilwa kwemithetho ye-iptable kangangoko kunokwenzeka kunye nokwenza ukuba kubekho i-firewall elungileyo kwinkqubo yethu.
Ukufakwa kunye noqwalaselo
Umlilo awukho kwiindawo zokugcina ezisemthethweni zeArch, ke siza kubhekisa kuwo AUR.
yaourt -S firehol
Emva koko siya kwifayile yoqwalaselo.
sudo nano /etc/firehol/firehol.conf
Kwaye sidibanisa imigaqo apho, onokuyisebenzisa estas.
Qhubeka nokwenza iFirehol isiqalo ngasinye. Intle elula ngenkqubo.
sudo systemctl enable firehol
Saqala iFirehol.
sudo systemctl start firehol
Okokugqibela siyaqinisekisa ukuba imigaqo ye-iptables yenziwe kwaye yalayishwa ngokuchanekileyo.
sudo iptables -L
Khubaza i-IPv6
Njengoko umlilo awuphathi ip6i kwaye kuba uninzi lonxibelelwano lwethu alunankxaso IPv6, Ingcebiso yam kukuyikhubaza.
En igophe sidibanisa ipv6.disable = 1 kumgca we-kernel kwi / etc / default / grub file
...
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="rw ipv6.disable=1"
GRUB_CMDLINE_LINUX=""
...
Ngoku siyihlaziya igrub.cfg:
sudo grub-mkconfig -o /boot/grub/grub.cfg
En Debian kwanele nge:
sudo echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
Andiqondi. Ngaba ulandela isifundo kwaye sele unayo i-Firewall esebenzayo kwaye uvale lonke unxibelelwano? Enye into Isifundo seArch sinzima umzekelo andikaze ndisebenzise iSudo okanye iourour Firewall. Nangona kunjalo iyaqondwa. Okanye mhlawumbi umntu omtsha ubhala i-yogurt kwaye uya kufumana impazamo. KwiManjaro ichanekile ngakumbi.
Njengoko usitsho @felipe, ulandela isifundo kwaye ubeke /etc/firehol/firehol.conf fayile imigaqo enikezwe ngu @cookie kwindawo yokuncamathisela, uya kuba sele une-firewall elula yokukhusela inkqubo kwinqanaba elisisiseko. Oluqwalaselo lusebenza kuyo yonke i-distro apho unokubeka khona iFirehol, ngokungafaniyo nendawo nganye ephatha iinkonzo zayo ngeendlela ezahlukeneyo (iDebian nge-sysvinit, iArch ene-systemd) kunye nofakelo, wonke umntu uyazi into anayo, kwiArch kufuneka Sebenzisa i-AUR kunye ne-yaourt repos, kwi-Debian ezisemthethweni zanele, kwaye ke kwezinye ezininzi, kuya kufuneka ukhangele kancinane kwii-repositories kwaye uhlengahlengise umyalelo wokufaka.
Ndicinga ukuba iYukiteru sele icacisile ukungathandabuzeki kwakho.
Ngoku, malunga nesudo kunye neyourt, eyam indawo andiyithathi njengeSudo njengengxaki, kuya kufuneka ubone ukuba iza ngokungagqibekanga xa ufaka inkqubo yesiseko seArch; kwaye i-yogurt iyakhethwa, unokukhuphela i-tarball, uyivule kwaye uyifake nge-makepkg -si.
Enkosi, ndiyayiqaphela.
Into endiyilibeleyo ukuyongeza kwiposti, kodwa andikwazi ukuyihlela.
https://www.grc.com/x/ne.dll?bh0bkyd2
Kweso siza ungavavanya i-firewall yakho 😉 (enkosi kwakhona kwiYukiteru).
Ndabaleka ezo mvavanyo kuXubuntu wam kwaye yonke into yaphuma ngokugqibeleleyo! Kuluyolo ukusebenzisa iLinux !!! 😀
Yonke into intle kakhulu ... kodwa eyona nto ibalulekileyo ilahlekile; Kuya kufuneka uchaze ukuba yenziwe njani imigaqo !!, ukuba zithetha ntoni, uyenza njani emitsha ... Ukuba ayichazwanga, into oyibekayo ayisebenzi kangako: - /
Ukudala imigaqo emitsha kulula, uxwebhu lomlilo lucacile kwaye luchanekile ngokwemiqathango yokudala imigaqo yesiko, ke ukufunda kancinci kuya kwenza kube lula kuwe ukuba uzilungiselele kwaye uzilungelelanise neemfuno zakho.
Ndicinga ukuba isizathu sokuqala se @cookie seposi njengam kwiforum, yayikukunika abasebenzisi kunye nabafundi isixhobo esivumela ukuba banike iikhompyuter zabo ukhuseleko olungakumbi, konke kwinqanaba elisisiseko. Eminye ishiywe kukuhamba ukuze uvumelane neemfuno zakho.
Ukuba ufunda ikhonkco kwisifundo iYukiteru uyakuqonda ukuba injongo kukwazisa isicelo kunye noqwalaselo lwesiseko somlilo. Ndacacisa ukuba iposti yam ikopi kuphela egxile kwiArch.
Kwaye le yeyabantu '? o_O
Zama iGufw kwiArch: https://aur.archlinux.org/packages/gufw/ >> Cofa kwiMeko. Okanye ufw ukuba ukhetha i-terminal: Sudo ufw vumela
Sele ukhuselekile ukuba ungumsebenzisi oqhelekileyo. Oko kukuthi 'ngabantu'
I-Firehol ngokwenyani isiphelo esingaphambili se-IPTables kwaye ukuba siyithelekisa neyokugqibela, yeyomntu 😀
Ndithathela ingqalelo ufw (IGufw sisinxibelelanisi sayo) njengokhetho olubi malunga nokhuseleko. Isizathu: kwimithetho engaphezulu yokhuseleko endiyibhalileyo kwi-ufw, andinakukuthintela ukuba kuvavanyo lwe-firewall yam zombini kwiWebhu kunye nezo ndizenzileyo ndisebenzisa i-nmap, iinkonzo ezinje nge-avahi-daemon kunye ne-exim4 ziya kuvela zivulekile, kwaye kuphela Uhlaselo lwe "stealth" lwalwanele ukwazi ezona mpawu zincinci zenkqubo yam, i-kernel kunye neenkonzo ezibalekayo, into engazange yenzeke kum ndisebenzisa umlilo okanye i-firewall ye-arno.
Ewe, andazi ngawe, kodwa njengoko ndibhalile ngasentla, ndisebenzisa uXubuntu kwaye i-firewall yam ihamba ne-GUFW kwaye ndaziphumelela ZONKE iimvavanyo zekhonkco ezibekwe ngumbhali ngaphandle kwengxaki. Yonke into. Akukho nto ivulekileyo. Ke kumava am ufw (kwaye ke gufw) ndenza ngokumangalisayo. Andigxeki ekusebenziseni ezinye iindlela zolawulo lwe-firewall, kodwa i-gufw isebenza ngokungagungqiyo kwaye inika iziphumo ezikhuselekileyo.
Ukuba unayo nayiphi na imvavanyo ocinga ukuba inokubaphosa emngciphekweni kwinkqubo yam, ndixelele ukuba ziyintoni kwaye ndiya kubavuyela apha kwaye ndikwazise iziphumo.
Apha ngezantsi ndibeka into ngesihloko se-ufw, apho ndithi impazamo endiyibonileyo ngo-2008, ndisebenzisa Ubuntu 8.04 Hardy Heron. Yintoni esele bayilungisile? Eyona nto inokwenzeka kukuba kunjalo, akukho sizathu sakhathazeka, kodwa nangona kunjalo, oko akuthethi ukuba ibug yayikhona kwaye ndingayibonisa, nangona yayingeyonto imbi ukufa, ndayeka iidemon avahi-daemon kunye ne-exim4, kwaye ingxaki sele isonjululwe. Into ebaluleke kunazo zonke kukuba kuphela ezo nkqubo zimbini zinengxaki.
Ndikhankanye inyani njenge-anecdote yobuqu, kwaye ndacinga ngendlela efanayo xa ndisithi: «ndicinga ...»
Ukubulisa 🙂
+1
@Yukiteru: Ngaba uyizamile kwikhompyuter yakho? Ukuba ujonge kwi-PC yakho, kuyinto eqhelekileyo ukuba ungafikelela kwizibuko lenkonzo ye-X, kuba ukugcwala kwabantu kuvaliwe yile yenethiwekhi, hayi eyasekhaya:
http://www.ubuntu-es.org/node/140650#.UgJZ3cUyYZg
https://answers.launchpad.net/gui-ufw/+question/194272
Ukuba akunjalo, nceda unike ingxelo ngegciwane
Ukubulisa 🙂
Ukusuka kwenye ikhompyuter usebenzisa inethiwekhi ye-Lan kwimeko ye-nmap, nange-Web usebenzisa eli phepha https://www.grc.com/x/ne.dll?bh0bkyd2Sebenzisa ukhetho lwamazibuko esiko, bobabini bavumile ukuba i-avahi kunye ne-exim4 bemamele kumnatha nangona i-ufw ibinokuthintela ukuvimba kwabo.
Ndisombulule loo nkcukacha incinci ye-avahi-daemon kunye ne-exim4 ngokumane ndikhubaza iinkonzo kwaye yiyo ... khange ndixele bug emva koko, kwaye ndicinga ukuba akukho ngqiqweni ukuyenza ngoku, kuba ibibuyile Ngo-2008, usebenzisa i-Hardy.
U-2008 wayeneminyaka emi-5 eyadlulayo; ukusuka kwiHardy Heron ukuya kwiRaring Ringtail kukho i-10 * buntus. Oluvavanyo lunye kwi-Xubuntu yam, eyenziwe izolo kwaye iphindaphindwe namhlanje (Agasti 2013) inika ukugqibelela kuyo yonke into. Kwaye ndisebenzisa i-UFW kuphela.
Ndiyaphinda: Ngaba unalo naluphi na uvavanyo olongezelelweyo oza kulwenza? Ngovuyo ndiyayenza kwaye ndinika ingxelo yoko kuphuma kweli cala.
Yenza i-SYN kunye ne-IDLE yokukhangela kwi-PC yakho usebenzisa i-nmap, eya kukunika umbono wokuba ikhuseleke kangakanani inkqubo yakho.
Indoda ye-nmap inemigca engaphezulu kwama-3000. Ukuba undinika imiyalelo yokuphumeza ngovuyo, ndiza kuyenza kwaye ndiza kunika ingxelo ngeziphumo.
Hmm bendingazi malunga nephepha le-3000 lamadoda le-nmap. kodwa i-zenmap iluncedo ekwenzeni into endikuxelela yona, ngumphambili womzobo we-nmap, kodwa nangoku ukhetho lwe-SYN scan nge-nmap yi -sS, ngelixa ukhetho lokukhangela ungasebenzi lungu -s, kodwa owona myalelo Ndiza kuba.
Yenza iskena esivela komnye umatshini esalatha kwi-ip yomatshini wakho ngobuntu, ungayenzi eyakho ipc, kuba ayisebenzi njalo.
HLEKA KAKHULU!! Impazamo yam malunga namaphepha angama-3000, xa yayiyimigca 😛
Andazi kodwa ndicinga ukuba i-GUI yento kwi-GNU / Linux yokulawula i-firewall iya kuba yinto enengqiqo kwaye ungashiyi yonke into engatyhilwanga njengakwi-ubuntu okanye yonke into egutyungelwe njenge-fedora, kufanelekile ukuba ulunge xD, okanye into yokumisela ezinye iindlela zokubulala xD hjahjahjaja Kuncinci ukulwa nam nabo kunye ne-jdk evulekileyo kodwa nangona kunjalo kuya kufuneka ugcine umgaqo wokumanga
Ndiyabulela kuko konke ukukhubeka okwenzeke kwixa elidlulileyo ngee-iptables, namhlanje ndiyakwazi ukuqonda i-niverl eluhlaza, oko kukuthi, thetha ngqo kuye njengoko ivela kumzi-mveliso.
Kwaye ayisiyonto inzima, kulula kakhulu ukuyifunda.
Ukuba umbhali weposti uyandivumela, ndiza kuthumela ngaphandle isicatshulwa somlilo endisisebenzisayo ngoku.
Imigaqo # # yokucoca
iiptables -F
iiptables -X
iiptables -Z
iiptables -t nat -F
# # Cwangcisa umgaqo-nkqubo osisiseko: I-DROP
iptables -P Igalelo lokwenza
iptables -P ISIPHUMO SOKUQHUBA
iptables -P PHAMBILI NGOKUXELAYO
# Sebenza kwindawo yasekhaya ngaphandle kwemida
iptables -IGALELO -i lo -j YAMKELA
iptables -ISIPHUMO -o lo -j YAMKELA
# Vumela umatshini ukuba uye kwiwebhu
iptables -I-INPUT -p tcp -m tcp -sport 80 -m conntrack -ctstate RELATED, ESTABLISHED -j YAMKELA
iptables -I-OUTPUT -p tcp -m tcp-ingxelo 80 -j YAMKELA
# Sele ikhusele iwebhusayithi
iptables -I-INPUT -p tcp -m tcp -sport 443 -m conntrack -ctstate RELATED, ESTABLISHED -j YAMKELA
iptables -I-OUTPUT -p tcp -m tcp-ingxelo 443 -j YAMKELA
# Vumela ukuphuma ngaphakathi ngaphakathi
iptables -ISIPHUMO -p icmp -icmp-uhlobo echo-sicelo -j YAMKELE
iptables -I-INPUT -p icmp -icmp-uhlobo echo-phendula -j YAMKELA
# Ukukhuselwa kwe-SSH
#ifakwa -I-INPUT -p tcp -nika ingxelo 22 -m ukubuyela umva- indawo emitsha -m ukunciphisa -imitha engama-30 / ngomzuzu -ukuqhawuka -ku-5 -m ukuphawula -ukuphawula "i-SSH-kick" -j YAMKELA
#iptables -A INPUT -p tcp -m tcp -dport 22 -j LOG -log-prefix "SSH ACCESS ATTEMPT:" -log-level 4
#iptables -I-INPUT -p tcp -m tcp-ingxelo 22 -j DROP
# Imigaqo yesirhubhe ukuvumela unxibelelwano oluphumayo nolungenayo kwizibuko
iptables -I-INPUT -p tcp -m tcp -dport 16420 -m conntrack –ctstate NEW -m izimvo- ingxelo "aMule" -j YAMKELA
iptables -I-OUTPUT -p tcp -m tcp -sport 16420 -m conntrack -ctstate RELATED, ESTABLISHED -m comment -comment "aMule" -j YAMKELA
iptables -I-INPUT -p udp -dport 9995 -m izimvo -i-comment "aMule" -j YAMKELA
iptables -ISIPHUMO -p udp -sport 9995 -j YAMKELA
iptables -I-INPUT -p udp-ingxelo 16423 -j YAMKELA
iptables -ISIPHUMO -p udp -sport 16423 -j YAMKELA
Ngoku inkcazo encinci. Njengoko ubona, kukho imigaqo kunye nomgaqo-nkqubo we-DROP ongagqibekanga, akukho nto ishiya kwaye ingena kwiqela ngaphandle kokukuxelela.
Emva koko, iziseko zidlulisiwe, i-localhost kunye nokukhangela kwinethiwekhi yenethiwekhi.
Uyabona ukuba kukho imigaqo ye-ssh kunye ne-amule. Ukuba bajongeka kakuhle ukuba benziwe njani, banokwenza eminye imigaqo abayifunayo.
Icebo kukubona ubume bemigaqo kwaye usebenzise uhlobo oluthile lwezibuko okanye umthetho olandelwayo, nokuba yi-udp okanye i-tcp.
Ndiyathemba ukuba ungayiqonda le nto ndiyithumele apha.
Kuya kufuneka wenze iposti uyichaze 😉 ingalunga.
Ndinombuzo. Kwimeko apho ufuna ukwala uxhulumaniso lwe-http kunye nee-https ndibeke:
umncedisi "http https" yehla?
Kwaye nayiphi na inkonzo?
Gracias