How to Use Port Knocking to Secure the SSH Service on Linux


Port knocking is a technique for controlling access to a port so that only legitimate users, those who know a secret sequence, can reach a service running on the server. It works by having the firewall keep the port closed until it observes the correct sequence of connection attempts, at which point it opens the port for the client that knocked.

The purpose of port knocking here is to protect the SSH service. For demonstration purposes, we will use Ubuntu 18.04.

Step 1: Install and Configure knockd

To get started, log in to your Linux system and install the knockd daemon as shown.

$ sudo apt install knockd

Once installed, open the knockd.conf configuration file with the vim command-line editor.

$ sudo vim /etc/knockd.conf

The default configuration file looks like this.

Under the [openSSH] section, we need to replace the default knock sequence, 7000,8000,9000, with something else. Those values ship in every knockd installation and are therefore public knowledge: anyone who has read the default file can open your SSH port with them.

For testing purposes, we set the values to 10005,10006,10007. This is the sequence that will be used to open the SSH port from the client system.

On the third line, the one beginning with command, change -A to -I after the /sbin/iptables command and before INPUT. With -A the ACCEPT rule is appended to the end of the INPUT chain, where an earlier catch-all rule that drops or rejects the traffic would shadow it; with -I it is inserted at the top of the chain and evaluated first.

Finally, under the [closeSSH] section, again change the default sequence to one of your choosing. This is the sequence that will be used to close the SSH port once the user has finished and logged out of the server. By convention it is the open sequence in reverse, and it must differ from the open sequence, otherwise the two actions cannot be told apart.

Here is our complete configuration.

Once you are done, save the changes and exit.

Another configuration file we need to edit is /etc/default/knockd. Again, open it with your text editor.

$ sudo vim /etc/default/knockd

Find the line START_KNOCKD=0. Uncomment it and set the value to 1.

Next, head over to the line KNOCKD_OPTS="-i eth1". Uncomment it and replace the default value eth1 with your system's active network interface. To find your network interface, simply run the ifconfig command (or ip addr, which is available even when the net-tools package is not installed). knockd only listens on the interface named here, so a wrong value means the knocks are never seen.

On our system, enp0s3 is the active network card.

The full configuration is as shown.

Save the changes and exit.

Then start and enable the knockd daemon as shown.

$ sudo systemctl start knockd
$ sudo systemctl enable knockd

To check the status of the knockd daemon, run the command:

$ sudo systemctl status knockd
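Before restarting knockd it is worth checking the edited file for exactly the mistakes Step 1 warns about. The following script is an added example for this guide, not code from knockd (whose parser is written in C) and not a transcript of the configuration screenshots above. It parses knockd's INI-like format and flags a shipped default sequence, an ACCEPT rule appended with -A instead of inserted with -I, a missing seq_timeout, and two sections that share one sequence. The two configurations embedded in it are constructed for the example: DEFAULT_CONF mirrors the stock layout the walkthrough tells you to change, EDITED_CONF mirrors the values the walkthrough chooses instead.

```python
"""Check a knockd.conf for the pitfalls Step 1 tells you to fix.

Added example for this guide; it is not part of knockd and does not read
the configuration screenshots the page refers to. Both configuration
strings below are constructed for the example.
"""
import re

# Constructed sample: the stock layout knockd ships with, i.e. the
# well-known 7000,8000,9000 sequence and an appended (-A) ACCEPT rule.
DEFAULT_CONF = """\
[options]
    UseSyslog

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
"""

# Constructed sample: the same file after the Step 1 edits (fresh sequences,
# ACCEPT rule inserted with -I instead of appended with -A).
EDITED_CONF = (
    DEFAULT_CONF.replace("7000,8000,9000", "10005,10006,10007")
    .replace("9000,8000,7000", "10007,10006,10005")
    .replace("-A INPUT", "-I INPUT")
)

# Sequences that appear in the shipped default file, so anyone can try them.
WELL_KNOWN_SEQUENCES = {(7000, 8000, 9000), (9000, 8000, 7000)}


def parse_knockd_conf(text):
    """Parse knockd's INI-like format into {section: {key: value}}.

    Keys are lower-cased, '#' starts a comment, and a directive without
    '=' (such as UseSyslog) is stored as True.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif current is None:
            raise ValueError(f"directive before any section header: {line!r}")
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
        else:
            sections[current][line.lower()] = True
    return sections


def parse_sequence(value):
    """'10005,10006:udp,10007' -> (10005, 10006, 10007); protocol suffixes are dropped."""
    return tuple(int(entry.split(":", 1)[0]) for entry in value.split(","))


def lint_knockd_conf(text):
    """Return a list of findings for the config text; an empty list means it passed."""
    findings = []
    seen = {}  # sequence -> section that uses it
    for name, section in parse_knockd_conf(text).items():
        if name == "options":
            continue
        if "sequence" not in section:
            findings.append(f"[{name}]: no sequence defined")
            continue
        ports = parse_sequence(section["sequence"])
        if ports in WELL_KNOWN_SEQUENCES:
            findings.append(f"[{name}]: uses the shipped default sequence {section['sequence']}")
        if ports in seen:
            findings.append(f"[{name}]: same sequence as [{seen[ports]}], the two actions cannot be told apart")
        seen[ports] = name
        if "seq_timeout" not in section:
            findings.append(f"[{name}]: no seq_timeout set")
        # An ACCEPT rule appended with -A lands after the chain's existing
        # rules, where an earlier drop/reject can shadow it; insert it with -I.
        for key in ("command", "start_command"):
            cmd = section.get(key, "")
            if not isinstance(cmd, str):
                continue
            if "-j ACCEPT" in cmd and re.search(r"\biptables\b.*\s-A\s+INPUT\b", cmd):
                findings.append(f"[{name}] {key}: ACCEPT rule is appended (-A); use -I so it is evaluated first")
    return findings


if __name__ == "__main__":
    for label, conf in (("shipped default", DEFAULT_CONF), ("after Step 1 edits", EDITED_CONF)):
        print(f"{label}:")
        for finding in lint_knockd_conf(conf) or ["no findings"]:
            print("  " + finding)
```

Run it as `python3 check_knockd.py` to see the shipped default produce three findings and the edited file none; to check your real file, pass `open("/etc/knockd.conf").read()` to lint_knockd_conf instead. One caveat the checker accepts as-is: with the command/closeSSH layout, the ACCEPT rule stays in place until the close sequence arrives, so a client that never sends it leaves the port open for that IP. knockd's start_command, cmd_timeout and stop_command directives in a single section run the stop command automatically after cmd_timeout seconds, and the checker looks at start_command too.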

Step 2: Close SSH Port 22 on the Firewall

Since the purpose of the knockd service is to grant or deny access to the ssh service, we are going to close the ssh port on the firewall. But first, let's check the status of the UFW firewall.

$ sudo ufw status numbered

From the output, we can clearly see that SSH port 22 is open for both IPv4 and IPv6, as rules 5 and 9 respectively.

We need to delete these two rules as shown, starting with the higher number, 9. ufw renumbers the remaining rules after every deletion, so deleting rule 5 first would turn rule 9 into rule 8 and the second command would remove the wrong rule.

$ sudo ufw delete 9
$ sudo ufw delete 5

Now, if you try to log in remotely to the server, you will get a connection timeout error as shown. Run this test from a second terminal and keep your existing session (or console access) open until you have confirmed that the knock sequence works; otherwise a mistake in the configuration locks you out.

Step 3: Configure the knock Client to Connect to the SSH Server

In the final step, we will configure the client and attempt to log in by sending the knock sequence we configured on the server.

But first, install the knockd package on the client as you did on the server; the package also provides the knock client, which is the only part needed on this side.

$ sudo apt install knockd

Once the installation is complete, send the knock sequence using the syntax shown:

$ knock -v server_ip knock_sequence

In our case, this translates to:

$ knock -v 192.168.2.105 10005 10006 10007

You should get output similar to ours, depending on your system. Note that knock -v only reports the packets it sent; it receives no acknowledgement from the server, because the knocked ports are closed and knockd merely sniffs the SYNs. The real confirmation is that the SSH login now succeeds or, on the server, that sudo iptables -L INPUT -n shows an ACCEPT rule for your client's IP address. The whole sequence must also arrive within the seq_timeout set in knockd.conf.

At this point, you should be in a position to log in to the server successfully using SSH.

Once you have finished your work on the remote server, close the SSH port by sending the close knock sequence.

$ knock -v 192.168.2.105 10007 10006 10005

Any further attempt to log in to the server will fail as shown.

This wraps up this guide on how to use port knocking to secure the SSH service on your server. Bear in mind that port knocking only hides the port: the knock sequence travels in cleartext, and anyone able to observe your traffic can replay it, so treat it as an extra layer rather than as authentication. A better and simpler approach is to set up passwordless SSH login using SSH keys. This ensures that only a user holding the private key can authenticate to the server on which the public key is stored.
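To make the Step 3 exchange concrete, here is an added example, not the knock(1) client the guide uses, that performs the same open and close knocks with Python's standard library and then checks whether port 22 answers. It shows what a knock actually is: one TCP connection attempt per port, in order. Because the knocked ports are closed by design and knockd only sniffs the SYN of each attempt (tcpflags = syn), a refused or timed-out connect() is the expected result and still counts as a knock. The server address and the two sequences in main() are the walkthrough's values and are assumptions for the example.

```python
"""Send a knock sequence from the client and check whether SSH opened.

Added example for this guide, not the knock(1) client. The knocked ports
are closed by design; knockd sniffs the SYN of each connect() attempt, so
ECONNREFUSED or a timeout is the normal outcome of every knock. Host and
sequences in main() are the walkthrough's values (assumed).
"""
import errno
import socket
import sys
import time


def knock(host, ports, timeout=1.0, delay=0.2):
    """Attempt a TCP connect() to each port in order; return [(port, errno), ...].

    0 means the port answered (not expected for a knock port), ECONNREFUSED
    means the SYN reached the host and got a RST (normal), ETIMEDOUT means
    the packet was dropped silently (also normal behind a default-deny firewall).
    """
    results = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                rc = sock.connect_ex((host, port))
            except OSError as exc:  # e.g. socket.timeout, no route to host
                rc = exc.errno or errno.ETIMEDOUT
        results.append((port, rc))
        time.sleep(delay)  # keep the SYNs ordered and well inside seq_timeout
    return results


def port_answers(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes, i.e. the firewall lets it through."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            return sock.connect_ex((host, port)) == 0
    except OSError:
        return False


def knock_then_check(host, sequence, ssh_port=22):
    """Send the sequence, print the outcome of each knock, and report whether SSH answers now."""
    for port, rc in knock(host, sequence):
        status = "connected" if rc == 0 else errno.errorcode.get(rc, str(rc))
        print(f"knock {host}:{port} -> {status}")
    return port_answers(host, ssh_port)


if __name__ == "__main__":
    # Assumed values from the walkthrough: server 192.168.2.105,
    # open sequence 10005 10006 10007, close sequence 10007 10006 10005.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.2.105"
    open_seq, close_seq = [10005, 10006, 10007], [10007, 10006, 10005]
    print("after open knock, ssh reachable:", knock_then_check(host, open_seq))
    # ... work over ssh here, then close the door behind you ...
    print("after close knock, ssh reachable:", knock_then_check(host, close_seq))
```

Run it as `python3 knock_client.py 192.168.2.105`; the first check should print True and the second False once the close sequence has removed the iptables rule. The per-knock delay matters in both directions: too slow and the sequence exceeds seq_timeout, too fast over a lossy link and the SYNs can arrive out of order, which knockd treats as a failed sequence.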