How to Block SSH and FTP Access to a Specific IP and Network Range in Linux


We all routinely use SSH and FTP to reach remote servers and virtual private servers. As a Linux administrator, you should know how to block SSH and FTP access from a specific IP address or network range in Linux in order to tighten security.

  1. 25 Hardening Security Tips for Linux Servers
  2. 5 Useful Tips to Secure and Protect SSH Server

This tutorial shows how to block SSH and FTP access from a specific IP address and/or a network range on a CentOS 6 or 7 server. It was tested on CentOS 6.x and 7.x, but it will most likely also work on other Linux distributions such as Debian, Ubuntu and SUSE/openSUSE.

We will do this in two ways. The first method uses IPTables/FirewallD and the second uses TCP wrappers, with the help of the hosts.allow and hosts.deny files.

Refer to the following guides to learn more about IPTables and FirewallD.

  1. Basic Guide on IPTables (Linux Firewall) Tips/Commands
  2. How to Setup an Iptables Firewall to Enable Remote Access to Services in Linux
  3. How to Configure ‘FirewallD’ in RHEL/CentOS 7 and Fedora 21
  4. Useful ‘FirewallD’ Rules to Configure and Manage Firewall in Linux

You should now know what IPTables and FirewallD are and have the basics down.

Method 1: Block SSH and FTP Access Using IPTables/FirewallD

Now let us see how to block SSH and FTP access from a specific IP (for example 192.168.1.100) and/or a network range (for example 192.168.1.0/24) using IPTables on RHEL/CentOS/Scientific Linux 6.x and FirewallD on CentOS 7.x.

--------------------- On IPtables Firewall ---------------------
# iptables -I INPUT -s 192.168.1.100 -p tcp --dport ssh -j REJECT
# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport ssh -j REJECT
--------------------- On FirewallD ---------------------
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m tcp --source 192.168.1.100 -p tcp --dport 22 -j REJECT
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m tcp --source 192.168.1.100/24 -p tcp --dport 22 -j REJECT

To activate the new rules, run the following command. Note that firewall-cmd --reload re-reads the permanent configuration and discards runtime-only changes, so direct rules must be added with --permanent (or committed first with firewall-cmd --runtime-to-permanent) for the reload to keep them.

# service iptables save         [On IPtables Firewall]
# firewall-cmd --reload         [On FirewallD]

Now, try to SSH into the server from the blocked host. Note that 192.168.1.150 here is the server on which the block is in place.

# ssh 192.168.1.150

You should see the following message.

ssh: connect to host 192.168.1.150 port 22: Connection refused

To unblock or allow SSH access again, go to the server and run the following commands. Deleting the REJECT rule is the reliable way to undo the block: FirewallD does not guarantee the order of direct rules that share a priority, so an ACCEPT rule added beside the REJECT might never be reached.

--------------------- On IPtables Firewall ---------------------
# iptables -D INPUT -s 192.168.1.100 -p tcp --dport ssh -j REJECT
# iptables -D INPUT -s 192.168.1.0/24 -p tcp --dport ssh -j REJECT
--------------------- On FirewallD ---------------------
# firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 1 -m tcp --source 192.168.1.100 -p tcp --dport 22 -j REJECT
# firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 1 -m tcp --source 192.168.1.100/24 -p tcp --dport 22 -j REJECT

Save the changes with the following commands, then log in to your server via SSH.

# service iptables save         [On IPtables Firewall]
# firewall-cmd --reload         [On FirewallD]

The default FTP ports are 20 and 21. Note that the iptables --dport option accepts a single port only, so matching both ports needs the multiport match (-m multiport --dports 20,21); refusing port 21, the control connection, is what actually stops logins, while port 20 only matters for active-mode data transfers. To block FTP traffic from the host or network using IPTables, run the following commands:

--------------------- On IPtables Firewall ---------------------
# iptables -I INPUT -s 192.168.1.100 -p tcp -m multiport --dports 20,21 -j REJECT
# iptables -I INPUT -s 192.168.1.100/24 -p tcp -m multiport --dports 20,21 -j REJECT
--------------------- On FirewallD ---------------------
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 --source 192.168.1.100 -p tcp -m multiport --dports 20,21 -j REJECT
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 --source 192.168.1.100/24 -p tcp -m multiport --dports 20,21 -j REJECT

To activate the new rules, run the following commands.

# service iptables save         [On IPtables Firewall]
# firewall-cmd --reload         [On FirewallD]

Now, try to connect to the server from the blocked host (192.168.1.100) with the command:

# ftp 192.168.1.150

You will get an error message like the one below.

ftp: connect: Connection refused

To unblock and restore FTP access, delete the blocking rules again:

--------------------- On IPtables Firewall ---------------------
# iptables -D INPUT -s 192.168.1.100 -p tcp -m multiport --dports 20,21 -j REJECT
# iptables -D INPUT -s 192.168.1.100/24 -p tcp -m multiport --dports 20,21 -j REJECT
--------------------- On FirewallD ---------------------
# firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 1 --source 192.168.1.100 -p tcp -m multiport --dports 20,21 -j REJECT
# firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 1 --source 192.168.1.100/24 -p tcp -m multiport --dports 20,21 -j REJECT

Save the changes with the commands:

# service iptables save         [On IPtables Firewall]
# firewall-cmd --reload         [On FirewallD]

Now, try to log in to the server via FTP:

# ftp 192.168.1.150

Enter your username and password.

Connected to 192.168.1.150.
220 Welcome to TecMint FTP service.
Name (192.168.1.150:sk): tecmint
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

Method 2: Block SSH and FTP Access Using TCP Wrappers

If you do not want to deal with IPTables or FirewallD, TCP wrappers are a simpler way to block SSH and FTP access from a specific IP and/or network range.

OpenSSH and the FTP server (vsftpd) on these systems are built with TCP wrappers support, which means you can specify which hosts are allowed to connect, without touching your firewall, in these two important files. This holds for the CentOS 6 and 7 builds; newer distributions have dropped TCP wrappers support from OpenSSH, so confirm that sshd is linked against libwrap (ldd $(which sshd) | grep libwrap) before relying on this method.

  1. /etc/hosts.allow
  2. /etc/hosts.deny

As the names imply, the first file holds entries for hosts that are allowed and the second holds the addresses of hosts that are blocked. hosts.allow is consulted first, and a matching entry there grants access even if hosts.deny would otherwise block the client.

For example, let us block SSH and FTP access from the host with IP address 192.168.1.100 and from the 192.168.1.0 network range. This method is the same on the CentOS 6.x and 7.x series, and it will of course also work on other distributions such as Debian, Ubuntu, SUSE and openSUSE.

Open the /etc/hosts.deny file and add the IP addresses or network range you want to block, as shown below.

##### To block SSH Access #####
sshd: 192.168.1.100
sshd: 192.168.1.0/255.255.255.0

##### To block FTP Access #####
vsftpd: 192.168.1.100
vsftpd: 192.168.1.0/255.255.255.0

Save and close the file.

Now restart the sshd and vsftpd services so the changes take effect (TCP wrappers re-read these files on every connection, so the restart is not strictly required, but it is harmless).

--------------- For SSH Service ---------------
# service sshd restart        [On SysVinit]
# systemctl restart sshd      [On SystemD]
--------------- For FTP Service ---------------
# service vsftpd restart        [On SysVinit]
# systemctl restart vsftpd      [On SystemD]

Now, try to SSH into the server from the blocked host.

# ssh 192.168.1.150

You will see the following output:

ssh_exchange_identification: read: Connection reset by peer

Now, try to FTP to the server from the blocked host.

# ftp 192.168.1.150

You will see the following output:

Connected to 192.168.1.150.
421 Service not available.

To unblock or re-enable SSH and FTP access, edit the hosts.deny file, comment out the lines, and finally restart the vsftpd and sshd services.
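With either method, the mistake that locks you out is misjudging which clients an address specification covers, so before adding a firewall rule or a hosts.deny line it helps to check that. The POSIX shell script below is an added example, not from the original article: it resolves both the iptables/FirewallD CIDR form and the TCP wrappers net/mask form, reports which hosts.deny entry would fire for a given client, and assumes only standard coreutils (tr, sed, grep, mktemp) plus a constructed sample hosts.deny written to a temporary file.

```shell
#!/bin/sh
# Added example (not from the original article): check which clients an address
# spec covers, in the iptables CIDR form (192.168.1.0/24; host bits as in
# 192.168.1.100/24 are ignored) and the TCP-wrappers net/mask form
# (192.168.1.0/255.255.255.0), and find the hosts.deny entry that blocks a client.

# Dotted-quad IPv4 address -> unsigned integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length (0-32) or dotted netmask -> integer mask.
mask2int() {
  case "$1" in
    *.*) ip2int "$1" ;;
    *)   echo $(( (4294967295 << (32 - $1)) & 4294967295 )) ;;
  esac
}

# in_spec CLIENT SPEC: succeeds when SPEC (host, ADDR/LEN or ADDR/MASK) covers CLIENT.
in_spec() {
  client=$(ip2int "$1")
  case "$2" in
    */*) net=$(ip2int "${2%%/*}"); mask=$(mask2int "${2#*/}") ;;
    *)   net=$(ip2int "$2");       mask=4294967295 ;;
  esac
  [ $(( client & mask )) -eq $(( net & mask )) ]
}

# deny_entry DAEMON CLIENT FILE: prints the first "DAEMON: spec" line of FILE that
# blocks CLIENT (one address or network per line, as in the article's example).
deny_entry() {
  for spec in $(grep -v '^[[:space:]]*#' "$3" |
                sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p"); do
    if in_spec "$2" "$spec"; then echo "$1: $spec"; return 0; fi
  done
  return 1
}

# Constructed sample hosts.deny in a temporary file (not the real /etc/hosts.deny).
DENY_FILE=$(mktemp)
cat > "$DENY_FILE" <<'EOF'
sshd: 192.168.1.100
sshd: 192.168.1.0/255.255.255.0
vsftpd: 192.168.1.100
EOF
deny_entry sshd 192.168.1.77 "$DENY_FILE"    # prints: sshd: 192.168.1.0/255.255.255.0
deny_entry vsftpd 192.168.1.77 "$DENY_FILE" || echo "vsftpd: 192.168.1.77 is not denied"
```

Run it against a copy of your own hosts.deny (third argument) with the address of the workstation you administer from to be sure you are not about to block yourself.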

Conclusion

That is all for now. To summarize, today we learned how to block a specific IP address and network range using IPTables, FirewallD and TCP wrappers. These methods are fairly simple and straightforward.

Even a novice Linux administrator can do this in a couple of minutes. If you know other ways to block SSH and FTP access, feel free to share them in the comments section. Don't forget to share our articles on your social networks.