Install and Configure ConfigServer Security & Firewall (CSF) in Linux

If you look at IT-related job postings anywhere, you will notice a steady demand for security professionals. This does not only mean that cybersecurity is an interesting field of study, but also a very lucrative one.

With that in mind, in this article we will explain how to install and configure ConfigServer Security & Firewall (also known as CSF for short), a full-fledged security suite for Linux, and share a couple of typical use cases. You will then be able to use CSF as a firewall and intrusion/login failure detection system to harden the servers you are responsible for.

Without further ado, let's get started.

Installing and Configuring CSF in Linux

To begin, please note that Perl and libwww are prerequisites for installing CSF on any of the supported distributions (RHEL and CentOS, openSUSE, Debian, and Ubuntu). Since they should be available by default, no action is required on your part unless one of the following steps returns a fatal error (in that case, use the package management system to install the missing dependencies).

# yum install perl-libwww-perl
# apt install libwww-perl
# cd /usr/src
# wget https://download.configserver.com/csf.tgz
# tar xzf csf.tgz
# cd csf

This part of the process will check that all dependencies are installed, create the necessary directory structures and files for the web interface, detect currently open ports, and remind you to restart the csf and lfd daemons after you are done with the initial configuration.

# sh install.sh
# perl /usr/local/csf/bin/csftest.pl

The expected output of the above command is as follows:

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

Disable firewalld if it is running, then configure CSF.

# systemctl stop firewalld
# systemctl disable firewalld

Change TESTING = "1" to TESTING = "0" (otherwise, the lfd daemon will fail to start) and list the allowed incoming and outgoing ports as comma-separated lists (TCP_IN and TCP_OUT, respectively) in /etc/csf/csf.conf as shown in the output below:

# Testing flag - enables a CRON job that clears iptables incase of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. incase you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "0"

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

Once you are happy with the configuration, save the changes and return to the command line.

# systemctl restart {csf,lfd}
# systemctl enable {csf,lfd}
# systemctl is-active {csf,lfd}
# csf -v

At this point we are ready to start setting up firewall and intrusion detection rules, as discussed next.

Setting Up CSF and Intrusion Detection Rules

First off, you will want to inspect the current firewall rules as follows:

# csf -l

You can also stop them or reload them with:

# csf -f
# csf -r

respectively. Be sure to memorize these options; you will need them as you go along, particularly to check the rules after making changes and restarting csf and lfd.

To allow incoming connections from 192.168.0.10:

# csf -a 192.168.0.10

Similarly, you can deny connections originating from 192.168.0.11.

# csf -d 192.168.0.11

You can remove each of the above rules if you wish to do so.

# csf -ar 192.168.0.10
# csf -dr 192.168.0.11

Note how the use of -ar or -dr above removes the existing allow and deny rules associated with the given IP address.

Depending on the intended use of your server, you may want to limit incoming connections to a safe number on a per-port basis. To do so, open /etc/csf/csf.conf and search for CONNLIMIT. You can specify multiple port;connections pairs, separated by commas. For example,

CONNLIMIT = "22;2,80;10"

will only allow 2 and 10 incoming connections from the same source to TCP ports 22 and 80, respectively.

There are several alert types you can choose from. Look for the EMAIL_ALERT settings in /etc/csf/csf.conf and make sure they are set to "1" to receive the associated alert. For example,

 
LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "1"

will cause an alert to be sent to the address specified in LF_ALERT_TO each time someone successfully logs in via SSH or switches to another account using the su command.
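
The settings changed so far (TESTING, CONNLIMIT and the EMAIL_ALERT flags) can be checked before csf and lfd are restarted. The following is an added example, not part of the original article or of CSF itself: the sample configuration is constructed, the function names and the checks are assumptions, and TCP_IN entries of the form a:b are treated as port ranges.

```python
import re

# Constructed sample in csf.conf syntax (KEY = "value"); not taken from a real server.
SAMPLE_CONF = '''
# lfd will not start while this is enabled
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,443,30000:30100"
CONNLIMIT = "22;2,80;10,8080;5"
LF_SSH_EMAIL_ALERT = "1"
LF_SU_EMAIL_ALERT = "0"
'''

SETTING = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"')

def parse_conf(text):
    """Return {KEY: value} for every uncommented KEY = "value" line."""
    return {m.group(1): m.group(2) for m in map(SETTING.match, text.splitlines()) if m}

def parse_connlimit(value):
    """Turn '22;2,80;10' into {22: 2, 80: 10}; raise ValueError on a malformed pair."""
    limits = {}
    for pair in filter(None, value.split(",")):
        port, _, limit = pair.partition(";")
        if not (port.isdigit() and limit.isdigit() and 0 < int(port) < 65536 and int(limit) > 0):
            raise ValueError(f"bad CONNLIMIT pair: {pair!r}")
        limits[int(port)] = int(limit)
    return limits

def port_listed(port, spec):
    """True if port appears in a comma-separated list; 'a:b' entries are ranges."""
    for item in filter(None, spec.split(",")):
        low, _, high = item.partition(":")
        if int(low) <= port <= int(high or low):
            return True
    return False

def audit(text):
    """Return findings for the settings the article changes (assumed checks)."""
    conf, findings = parse_conf(text), []
    if conf.get("TESTING") != "0":
        findings.append("TESTING is not 0: lfd will not start")
    for port in parse_connlimit(conf.get("CONNLIMIT", "")):
        if not port_listed(port, conf.get("TCP_IN", "")):
            findings.append(f"CONNLIMIT port {port} is not in TCP_IN")
    for key in ("LF_SSH_EMAIL_ALERT", "LF_SU_EMAIL_ALERT"):
        if conf.get(key) != "1":
            findings.append(f"{key} is not 1: no alert will be sent")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("WARN:", finding)
```

To check a real server, pass the contents of /etc/csf/csf.conf to audit() instead of the sample; a limit on a port that is not open inbound usually points to a typo in one of the two lists.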

CSF Configuration Options and Usage

The following options are used to modify and control the csf configuration. All csf configuration files are located under the /etc/csf directory. If you modify any of the following files, you will need to restart the csf daemon for the changes to take effect.

  • csf.conf : The main configuration file for controlling CSF.
  • csf.allow : The list of IP addresses and CIDR ranges allowed on the firewall.
  • csf.deny : The list of IP addresses and CIDR ranges denied on the firewall.
  • csf.ignore : The list of IP addresses and CIDR ranges ignored on the firewall.
  • csf.*ignore : The various ignore files for users and IPs.

Uninstall CSF Firewall

If you would like to remove the CSF firewall completely, just run the uninstall script located at /etc/csf/uninstall.sh.

# /etc/csf/uninstall.sh

The above command will erase the CSF firewall completely, along with all of its files and folders.

In this article we have explained how to install, configure, and use CSF as a firewall and intrusion detection system. Note that more features are outlined in csf.conf.

For example, if you are in the web hosting business, you can integrate CSF with management solutions like Webmin.
