How to Block SSH and FTP Access to a Specific IP and Network Range in Linux


Usually, we all use SSH and FTP services to access remote servers and virtual private servers. As a Linux administrator, you must know how to block SSH and FTP access to a specific IP or network range in Linux in order to tighten security further.

  1. 25 Hardening Security Tips for Linux Servers
  2. 5 Useful Tips to Secure and Protect Your SSH Server

This guide will show you how to block SSH and FTP access to a particular IP address and/or a network range on CentOS 6 and 7 servers. The guide has been tested on CentOS 6.x and 7.x, but it will probably work on other Linux distributions such as Debian, Ubuntu, and SUSE/openSUSE as well.

We will do it in two ways. The first way uses IPTables/FirewallD and the second uses TCP wrappers with the help of the hosts.allow and hosts.deny files.

Refer to the following guides to learn more about IPTables and FirewallD.

  1. Basic Guide on IPTables (Linux Firewall) Tips/Commands
  2. How to Set Up an Iptables Firewall to Enable Remote Access to Services in Linux
  3. How to Configure 'FirewallD' in RHEL/CentOS 7 and Fedora 21
  4. Useful 'FirewallD' Rules to Configure and Manage Firewall in Linux

Now you know what IPTables and FirewallD are and the basics of how they work.

Method 1: Block SSH and FTP Access Using IPTables/FirewallD

Now, let's see how to block SSH and FTP access to a specific IP (for example 192.168.1.100) and/or a network range (for example 192.168.1.0/24) using IPTables on RHEL/CentOS/Scientific Linux 6.x and FirewallD on CentOS 7.x. The FirewallD rules are added with --permanent so that the --reload below applies them; a runtime-only direct rule would be discarded by the reload.

--------------------- On IPtables Firewall ---------------------
# iptables -I INPUT -s 192.168.1.100 -p tcp --dport ssh -j REJECT
# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport ssh -j REJECT
--------------------- On FirewallD ---------------------
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m tcp --source 192.168.1.100 -p tcp --dport 22 -j REJECT
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m tcp --source 192.168.1.0/24 -p tcp --dport 22 -j REJECT

To activate the new rules, run the following commands.

# service iptables save         [On IPtables Firewall]
# firewall-cmd --reload         [On FirewallD]

Now, try to SSH to the server from the blocked host (192.168.1.100). Note that here 192.168.1.150 is the server you are connecting to.

# ssh 192.168.1.150

You will see the following message.

ssh: connect to host 192.168.1.150 port 22: Connection refused

To unblock or re-allow SSH access, go to the remote server and run these commands. On IPTables, -I inserts the ACCEPT rule above the REJECT rule added earlier, so it is matched first; on FirewallD, a direct rule added at the same priority lands below the existing REJECT rule, so the blocking rule is removed instead:

--------------------- On IPtables Firewall ---------------------
# iptables -I INPUT -s 192.168.1.100 -p tcp --dport ssh -j ACCEPT
# iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport ssh -j ACCEPT
--------------------- On FirewallD ---------------------
# firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 1 -m tcp --source 192.168.1.100 -p tcp --dport 22 -j REJECT
# firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 1 -m tcp --source 192.168.1.0/24 -p tcp --dport 22 -j REJECT

Save the changes with the following commands so that you can reach your server over SSH again.

# service iptables save         [On IPtables Firewall]
# firewall-cmd --reload         [On FirewallD]

Similarly, the default ports for FTP are 20 and 21. Because two ports are listed, the rule needs the multiport match (a plain --dport accepts only a single port or a port range). So, to block all FTP traffic from that host or network using IPTables, run the following commands:

--------------------- On IPtables Firewall ---------------------
# iptables -I INPUT -s 192.168.1.100 -p tcp -m multiport --dports 20,21 -j REJECT
# iptables -I INPUT -s 192.168.1.0/24 -p tcp -m multiport --dports 20,21 -j REJECT
--------------------- On FirewallD ---------------------
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 --source 192.168.1.100 -p tcp -m multiport --dports 20,21 -j REJECT
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 --source 192.168.1.0/24 -p tcp -m multiport --dports 20,21 -j REJECT

To activate the new rules, run the following commands.

# service iptables save         [On IPtables Firewall]
# firewall-cmd --reload         [On FirewallD]

Now, try to reach the server from the blocked host (192.168.1.100) with the command:

# ftp 192.168.1.150

You will get an error message like the one below.

ftp: connect: Connection refused

To unblock and re-allow FTP access, run the following. As with SSH, the IPTables ACCEPT rule is inserted above the REJECT rule, while on FirewallD the blocking rule is removed:

--------------------- On IPtables Firewall ---------------------
# iptables -I INPUT -s 192.168.1.100 -p tcp -m multiport --dports 20,21 -j ACCEPT
# iptables -I INPUT -s 192.168.1.0/24 -p tcp -m multiport --dports 20,21 -j ACCEPT
--------------------- On FirewallD ---------------------
# firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 1 --source 192.168.1.100 -p tcp -m multiport --dports 20,21 -j REJECT
# firewall-cmd --permanent --direct --remove-rule ipv4 filter INPUT 1 --source 192.168.1.0/24 -p tcp -m multiport --dports 20,21 -j REJECT

Save the changes with these commands:

# service iptables save         [On IPtables Firewall]
# firewall-cmd --reload         [On FirewallD]

Now, try to reach the server over FTP:

# ftp 192.168.1.150

Enter your FTP username and password.

Connected to 192.168.1.150.
220 Welcome to TecMint FTP service.
Name (192.168.1.150:sk): tecmint
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 
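
As an added example (not part of the original article), the following POSIX shell script generates the IPTables and FirewallD commands used in Method 1 from a validated source address and a port list, and then checks a dump of iptables -S INPUT for the resulting REJECT rule. The function names and the sample rule dump are constructed for this example and are not part of iptables or firewalld.

```shell
#!/bin/sh
# Added example, not taken from the original article: build the block and
# unblock commands from Method 1 and verify afterwards that a rule is in place.
# Function names and SAMPLE_DUMP are constructed for this example.

# Return 0 if $1 is a well-formed IPv4 address or address/prefix.
valid_ipv4_cidr() {
    addr=${1%%/*}
    prefix=32
    case "$1" in */*) prefix=${1#*/} ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    n=0
    for octet in $(printf '%s\n' "$addr" | tr '.' ' '); do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Build the TCP port match: a bare --dport only takes one port or a range,
# so a comma-separated list such as 20,21 needs the multiport extension.
port_match() {
    case "$1" in
        *,*) printf '%s\n' "-m multiport --dports $1" ;;
        *)   printf '%s\n' "--dport $1" ;;
    esac
}

# Print the iptables command that inserts a rule for source $1, port(s) $2
# and target $3 (REJECT to block, ACCEPT to re-allow).
iptables_rule() {
    valid_ipv4_cidr "$1" || { echo "invalid source: $1" >&2; return 1; }
    echo "iptables -I INPUT -s $1 -p tcp $(port_match "$2") -j $3"
}

# Print the firewalld direct rule. $1 is add or remove; --permanent is used
# so the rule survives 'firewall-cmd --reload', which drops runtime-only
# direct rules.
firewalld_rule() {
    valid_ipv4_cidr "$2" || { echo "invalid source: $2" >&2; return 1; }
    echo "firewall-cmd --permanent --direct --$1-rule ipv4 filter INPUT 1 -s $2 -p tcp $(port_match "$3") -j $4"
}

# Check the output of 'iptables -S INPUT' (passed as $1) for a REJECT rule
# on source $2 and TCP port $3. iptables prints a bare address as addr/32,
# so a single address is normalised before searching.
rule_active() {
    src=$2
    case "$src" in */*) ;; *) src="$src/32" ;; esac
    printf '%s\n' "$1" | grep -qF -- "-s $src -p tcp -m tcp --dport $3 -j REJECT"
}

# Constructed sample of what 'iptables -S INPUT' prints after the SSH block
# rule for 192.168.1.100 has been inserted.
SAMPLE_DUMP='-P INPUT ACCEPT
-A INPUT -s 192.168.1.100/32 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Print the commands for the host and network used in the article.
for src in 192.168.1.100 192.168.1.0/24; do
    iptables_rule "$src" 22 REJECT
    iptables_rule "$src" 20,21 REJECT
    firewalld_rule add "$src" 22 REJECT
done
if rule_active "$SAMPLE_DUMP" 192.168.1.100 22; then
    echo "SSH from 192.168.1.100 is blocked in the sample rule set"
fi
```

Run it as a normal user: it only prints the commands, so you can review them before running them as root. The rule_active check is the step worth keeping after every change, since a rule that was added without --permanent on FirewallD disappears at the next reload without any error.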

Method 2: Block SSH and FTP Access Using TCP Wrappers

If you don't want to touch IPTables or FirewallD, TCP wrappers are the simplest way to block SSH and FTP access from a specific IP and/or a network range.

OpenSSH and vsftpd are built with TCP wrapper support, which means you can specify which hosts are allowed to connect without touching your firewall, using the following two files:

  1. /etc/hosts.allow
  2. /etc/hosts.deny

As the names imply, the first file contains entries for allowed hosts and the second contains the addresses of blocked hosts.

For example, let us block SSH and FTP access for the host with IP address 192.168.1.100 and for the network range 192.168.1.0/24. The procedure is the same on CentOS 6.x and 7.x systems, and it also works on other distributions such as Debian, Ubuntu, SUSE, openSUSE etc.

Open the /etc/hosts.deny file and add the IP addresses or network ranges you want to block, as shown below.

##### To block SSH Access #####
sshd: 192.168.1.100
sshd: 192.168.1.0/255.255.255.0

##### To block FTP Access #####
vsftpd: 192.168.1.100
vsftpd: 192.168.1.0/255.255.255.0

Save and close the file.

Now, restart the sshd and vsftpd services to put the new changes into effect.

--------------- For SSH Service ---------------
# service sshd restart        [On SysVinit]
# systemctl restart sshd      [On SystemD]
--------------- For FTP Service ---------------
# service vsftpd restart        [On SysVinit]
# systemctl restart vsftpd      [On SystemD]

Now, try to SSH to the server from the blocked host.

# ssh 192.168.1.150

You will see the following output:

ssh_exchange_identification: read: Connection reset by peer

Now, try to FTP to the server from the blocked host.

# ftp 192.168.1.150

You will see the following output:

Connected to 192.168.1.150.
421 Service not available.

To unblock, or to make the SSH and FTP services reachable again, edit the hosts.deny file, comment out all of the lines, and restart the vsftpd and sshd services.
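
Because a deny entry is silently overridden by a matching entry in hosts.allow, it is worth checking what the two files will do before relying on them. The following POSIX shell script is an added example, not part of the original article: it simulates the documented libwrap decision order (hosts.allow first, then hosts.deny, otherwise allow) for the address patterns used above. The function names and the file contents are constructed for this example; real libwrap also supports hostnames and other pattern forms that are not modelled here.

```shell
#!/bin/sh
# Added example, not from the original article: simulate how TCP wrappers
# (libwrap) decide whether a client may connect, so hosts.allow/hosts.deny
# entries can be checked before they are installed. Function names and the
# HOSTS_ALLOW/HOSTS_DENY contents are constructed for this example.

# Convert a dotted IPv4 address to a 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if client address $2 matches one client pattern $1. Supported
# forms: ALL, an exact address, a net/netmask pair such as
# 192.168.1.0/255.255.255.0, and a trailing-dot prefix such as 192.168.1.
client_match() {
    case "$1" in
        ALL) return 0 ;;
        */*)
            net=${1%/*}; mask=${1#*/}
            [ $(( $(ip2int "$2") & $(ip2int "$mask") )) -eq $(( $(ip2int "$net") & $(ip2int "$mask") )) ]
            ;;
        *.) case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;
        *)  [ "$1" = "$2" ] ;;
    esac
}

# Return 0 if one access-control line "daemons : clients" applies to
# daemon $2 and client address $3.
rule_match() {
    daemons=${1%%:*}; clients=${1#*:}
    hit=1
    for d in $(printf '%s\n' "$daemons" | tr ',' ' '); do
        if [ "$d" = ALL ] || [ "$d" = "$2" ]; then hit=0; fi
    done
    [ "$hit" -eq 0 ] || return 1
    for c in $(printf '%s\n' "$clients" | tr ',' ' '); do
        if client_match "$c" "$3"; then return 0; fi
    done
    return 1
}

# Return 0 if any non-comment line of the file contents $1 matches
# daemon $2 and client $3.
file_matches() {
    printf '%s\n' "$1" | {
        while IFS= read -r line; do
            case "$line" in ''|'#'*) continue ;; esac
            if rule_match "$line" "$2" "$3"; then exit 0; fi
        done
        exit 1
    }
}

# Print allow or deny for daemon $1 and client $2, given the contents of
# hosts.allow ($3) and hosts.deny ($4): allow is consulted first, then deny,
# and a client matched by neither file is allowed.
wrap_decision() {
    if file_matches "$3" "$1" "$2"; then echo allow; return 0; fi
    if file_matches "$4" "$1" "$2"; then echo deny; return 0; fi
    echo allow
}

# Constructed file contents: the deny entries from the article, plus one
# allow entry to show that hosts.allow takes precedence over hosts.deny.
HOSTS_ALLOW='# management host stays reachable although its network is denied
sshd: 192.168.1.50'
HOSTS_DENY='##### To block SSH Access #####
sshd: 192.168.1.100
sshd: 192.168.1.0/255.255.255.0

##### To block FTP Access #####
vsftpd: 192.168.1.100
vsftpd: 192.168.1.0/255.255.255.0'

for client in 192.168.1.100 192.168.1.50 192.168.1.77 10.0.0.5; do
    echo "sshd from $client: $(wrap_decision sshd "$client" "$HOSTS_ALLOW" "$HOSTS_DENY")"
done
```

The 192.168.1.50 case is the one to notice: it sits inside the denied 192.168.1.0/24 range, yet it is allowed because hosts.allow is checked first. Note also that libwrap re-reads both files on every connection attempt, so the service restart above is harmless but not strictly required for the entries to take effect.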

Conclusion

That's all for now. To summarize, today we learned how to block a specific IP address and a network range using IPTables, FirewallD, and TCP wrappers. These methods are easy and straightforward.

Even a novice Linux administrator can do this in a couple of minutes. If you know other ways to block SSH and FTP access, feel free to share them in the comments section. Don't forget to share our article on your social networks.