How to Block SSH and FTP Access to a Specific IP and Network Range in Linux


Most of us use the SSH and FTP services frequently to reach remote servers and virtual private servers. As a Linux administrator, you should know how to block SSH and FTP access from a specific IP or network range in Linux to further tighten security.

  1. 25 Hardening Security Tips for Linux Servers
  2. 5 Best Practices to Secure and Protect SSH Server

This tutorial will show you how to block SSH and FTP access from a particular IP address and/or network range on CentOS 6 and 7 servers. The guide was tested on CentOS 6.x and 7.x, but it will most likely work on other Linux distributions such as Debian, Ubuntu, and SUSE/openSUSE as well.

We will do this in two ways. The first method uses IPTables/FirewallD, and the second uses TCP wrappers with the help of the hosts.allow and hosts.deny files.

Refer to the following guides to learn more about IPTables and FirewallD.

  1. Basic Guide on IPTables (Linux Firewall) Tips/Commands
  2. How to Set Up an Iptables Firewall to Enable Remote Access to Services in Linux
  3. How to Configure 'FirewallD' in RHEL/CentOS 7 and Fedora 21
  4. Useful 'FirewallD' Rules to Configure and Manage Firewall in Linux

Now you know what IPTables and FirewallD are and why they matter.

Method 1: Block SSH and FTP Access Using IPTables/FirewallD

Now let us see how to block SSH and FTP access from a specific IP (for example 192.168.1.100) and/or network range (for example 192.168.1.0/24) using IPTables on RHEL/CentOS/Scientific Linux 6.x and FirewallD on CentOS 7.x.

--------------------- On IPtables Firewall ---------------------
# iptables -I INPUT -s 192.168.1.100 -p tcp --dport ssh -j REJECT
# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport ssh -j REJECT
--------------------- On FirewallD ---------------------
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m tcp --source 192.168.1.100 -p tcp --dport 22 -j REJECT
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m tcp --source 192.168.1.0/24 -p tcp --dport 22 -j REJECT

To apply the new rules, run the following command.

# service iptables save         [On IPtables Firewall]
# firewall-cmd --reload         [On FirewallD]

Now, try to SSH into the server from the blocked host. Note that 192.168.1.150 here is the server on which the rules were added.

# ssh 192.168.1.150

You should see the following message.

ssh: connect to host 192.168.1.150 port 22: Connection refused

To unblock or re-enable SSH access, go to the remote server and run the following commands:

--------------------- On IPtables Firewall ---------------------
# iptables -I INPUT -s 192.168.1.100 -p tcp --dport ssh -j ACCEPT
# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport ssh -j ACCEPT
--------------------- On FirewallD ---------------------
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m tcp --source 192.168.1.100 -p tcp --dport 22 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m tcp --source 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT

Save the changes with the following commands so you can access your server over SSH again.

# service iptables save         [On IPtables Firewall]
# firewall-cmd --reload         [On FirewallD]

Usually, the default FTP ports are 20 and 21. So, to block all FTP traffic using IPTables, run the following commands (a comma-separated port list requires the multiport match):

--------------------- On IPtables Firewall ---------------------
# iptables -I INPUT -s 192.168.1.100 -p tcp -m multiport --dports 20,21 -j REJECT
# iptables -I INPUT -s 192.168.1.0/24 -p tcp -m multiport --dports 20,21 -j REJECT
--------------------- On FirewallD ---------------------
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 --source 192.168.1.100 -p tcp -m multiport --dports 20,21 -j REJECT
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 --source 192.168.1.0/24 -p tcp -m multiport --dports 20,21 -j REJECT

To apply the new rules, run the following command.

# service iptables save         [On IPtables Firewall]
# firewall-cmd --reload         [On FirewallD]

Now, try to access the server from the blocked host (192.168.1.100) with the command:

# ftp 192.168.1.150

You will get an error message similar to the one below.

ftp: connect: Connection refused

To unblock and allow FTP access again, run:

--------------------- On IPtables Firewall ---------------------
# iptables -I INPUT -s 192.168.1.100 -p tcp -m multiport --dports 20,21 -j ACCEPT
# iptables -I INPUT -s 192.168.1.0/24 -p tcp -m multiport --dports 20,21 -j ACCEPT
--------------------- On FirewallD ---------------------
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 --source 192.168.1.100 -p tcp -m multiport --dports 20,21 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 --source 192.168.1.0/24 -p tcp -m multiport --dports 20,21 -j ACCEPT

Save the changes with the commands:

# service iptables save         [On IPtables Firewall]
# firewall-cmd --reload         [On FirewallD]

Now, try to access the server over FTP:

# ftp 192.168.1.150

Enter the FTP username and password.

Connected to 192.168.1.150.
220 Welcome to TecMint FTP service.
Name (192.168.1.150:sk): tecmint
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 
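Two details of Method 1 are easy to get wrong when typing rules by hand: the plain tcp match takes a single port or a range, so a list like 20,21 needs `-m multiport --dports`, and a FirewallD direct rule added without `--permanent` is discarded by `firewall-cmd --reload`. The bash script below is an added example (not code from the original article or from TecMint) that validates a source address, normalizes a host written with a prefix to its network, and prints the corrected commands; the function names and the service-to-port mapping are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the article: builds the IPTables and FirewallD
# commands for one source and service after validating the source. A comma
# list such as 20,21 needs the multiport match, and a FirewallD direct rule
# needs --permanent to survive 'firewall-cmd --reload'. A host written with a
# prefix (192.168.1.100/24) is normalized to its network (192.168.1.0/24).

ip2int() {                        # dotted quad -> 32-bit integer
    local IFS=. a b c d; read -r a b c d <<<"$1"
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
int2ip() {                        # 32-bit integer -> dotted quad
    echo "$(( $1 >> 24 & 255 )).$(( $1 >> 16 & 255 )).$(( $1 >> 8 & 255 )).$(( $1 & 255 ))"
}

# normalize_source <ip|ip/prefix>: prints a valid host or network, fails otherwise
normalize_source() {
    local re='^([0-9]{1,3}\.){3}[0-9]{1,3}$' addr=${1%%/*} bits=32 o mask net
    [[ $1 == */* ]] && bits=${1#*/}
    [[ $addr =~ $re && $bits =~ ^[0-9]+$ && $bits -le 32 ]] || return 1
    bits=$((10#$bits))                          # avoid octal reading of "024"
    for o in ${addr//./ }; do (( o <= 255 )) || return 1; done
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    net=$(int2ip $(( $(ip2int "$addr") & mask )))
    if (( bits == 32 )); then echo "$net"; else echo "$net/$bits"; fi
}

# build_rules <ssh|ftp> <block|allow> <source>: prints the two commands to run
# as root. Note: an ACCEPT inserted with -I only shadows an earlier REJECT; to
# really lift a block, delete the REJECT rule with 'iptables -D' instead.
build_rules() {
    local src match target
    src=$(normalize_source "$3") || { echo "invalid source: $3" >&2; return 1; }
    case $1 in
        ssh) match="-p tcp --dport 22" ;;
        ftp) match="-p tcp -m multiport --dports 20,21" ;;
        *)   echo "unknown service: $1" >&2; return 1 ;;
    esac
    case $2 in
        block) target=REJECT ;;
        allow) target=ACCEPT ;;
        *)     echo "unknown action: $2" >&2; return 1 ;;
    esac
    echo "iptables -I INPUT -s $src $match -j $target"
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -s $src $match -j $target"
}

build_rules ftp block 192.168.1.100/24   # prints the two commands for the /24
```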

Method 2: Block SSH and FTP Access Using TCP Wrappers

If you don't want to deal with IPTables or FirewallD, TCP wrappers are a better way to block SSH and FTP access from a specific IP and/or network range.

OpenSSH and FTP are built with TCP wrappers support, which means you can specify which hosts are allowed to connect, without touching your firewall, in the following two important files:

  1. /etc/hosts.allow
  2. /etc/hosts.deny

As the names suggest, the first file contains entries for allowed hosts, and the second contains the addresses of blocked hosts.

For example, let us block SSH and FTP access from the host with IP address 192.168.1.100 and from the network range 192.168.1.0. This method is the same for the CentOS 6.x and 7.x series. And, of course, it will work on other distributions such as Debian, Ubuntu, SUSE, openSUSE, and so on.

Open the /etc/hosts.deny file and add the IP addresses or network ranges you want to block, as shown below.

##### To block SSH Access #####
sshd: 192.168.1.100
sshd: 192.168.1.0/255.255.255.0

##### To block FTP Access #####
vsftpd: 192.168.1.100
vsftpd: 192.168.1.0/255.255.255.0

Save and exit the file.

Now, restart the sshd and vsftpd services so the new changes take effect.

--------------- For SSH Service ---------------
# service sshd restart        [On SysVinit]
# systemctl restart sshd      [On SystemD]
--------------- For FTP Service ---------------
# service vsftpd restart        [On SysVinit]
# systemctl restart vsftpd      [On SystemD]

Now, try to SSH into the server from the blocked host.

# ssh 192.168.1.150

You will see the following output:

ssh_exchange_identification: read: Connection reset by peer

Now, try to FTP into the server from the blocked host.

# ftp 192.168.1.150

You will see the following output:

Connected to 192.168.1.150.
421 Service not available.

To unblock or re-enable the SSH and FTP services, edit the hosts.deny file, comment out all the lines, and then restart the vsftpd and sshd services.
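The order of the two files is what makes TCP wrappers safe or unsafe: hosts.allow is consulted first, then hosts.deny, and a client matched by neither is allowed, so an over-broad entry in hosts.allow silently overrides every deny line. The bash script below is an added example (not part of the original article) that evaluates a client address against hosts.allow and hosts.deny text using the pattern forms used above; the sample admin host 10.0.0.5 is a constructed assumption, and EXCEPT lists and hostname patterns are deliberately not handled.

```bash
#!/usr/bin/env bash
# Added example, not code from the article: evaluates a client address against
# hosts.allow / hosts.deny text the way libwrap does for the pattern forms used
# in this article (ALL, a single IP, network/netmask, a trailing-dot prefix such
# as 192.168.1.). Search order: hosts.allow first, then hosts.deny, default allow.

ip2int() { local IFS=. a b c d; read -r a b c d <<<"$1"; echo $(( (a<<24)|(b<<16)|(c<<8)|d )); }

# pattern_matches <client-pattern> <client-ip>
pattern_matches() {
    local pat=$1 ip=$2 net mask
    case $pat in
        ALL) return 0 ;;
        */*) net=${pat%/*}; mask=${pat#*/}        # 192.168.1.0/255.255.255.0
             [ $(( $(ip2int "$ip") & $(ip2int "$mask") )) -eq \
               $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *.)  [[ $ip == "$pat"* ]] ;;               # 192.168.1.  (prefix form)
        *)   [ "$ip" = "$pat" ] ;;
    esac
}

# file_matches <daemon> <client-ip> <file text>: true if any "daemon: client, ..."
# line (comments stripped) names this daemon, or ALL, and matches the client
file_matches() {
    local daemon=$1 ip=$2 line d clients c
    while IFS= read -r line; do
        line=${line%%#*}; [[ $line == *:* ]] || continue
        d=${line%%:*}; d=${d// /}; clients=${line#*:}
        [ "$d" = "$daemon" ] || [ "$d" = ALL ] || continue
        for c in ${clients//,/ }; do pattern_matches "$c" "$ip" && return 0; done
    done <<<"$3"
    return 1
}

# access_decision <daemon> <client-ip> <hosts.allow text> <hosts.deny text> -> allow|deny
access_decision() {
    if file_matches "$1" "$2" "$3"; then echo allow
    elif file_matches "$1" "$2" "$4"; then echo deny
    else echo allow; fi
}

# Constructed sample files: the article's deny entries plus one trusted admin host.
HOSTS_ALLOW='sshd: 10.0.0.5'
HOSTS_DENY='##### To block SSH Access #####
sshd: 192.168.1.100
sshd: 192.168.1.0/255.255.255.0
##### To block FTP Access #####
vsftpd: 192.168.1.100
vsftpd: 192.168.1.0/255.255.255.0'

access_decision sshd 192.168.1.77 "$HOSTS_ALLOW" "$HOSTS_DENY"   # deny (netmask match)
```

Replacing the deny text with `sshd: ALL` in the call above shows the precedence rule: 10.0.0.5 is still allowed because hosts.allow is checked first, while every other client is denied.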

Conclusion

That's all for now. To summarize, today we learned how to block specific IP addresses and network ranges using IPTables, FirewallD, and TCP wrappers. These methods are quite easy and straightforward.

Even a novice Linux administrator can do this in a couple of minutes. If you know any other ways to block SSH and FTP access, feel free to share them in the comment section. And don't forget to share our articles across all your social networks.