- Give priority to a default-deny rule and use an allowlist for SSH.
- Combine NAT + ACL: open the port and limit it by source IP.
- Verify with nmap/ping and respect rule priority (ID order).
- Harden with updates, SSH keys, and the fewest possible services.
How to restrict SSH access to a TP-Link router to trusted IPs?

Controlling who can reach your router over SSH is not a luxury; it is a security essential. Allowing access only from trusted IP addresses reduces the attack surface, cuts down automated scanning, and blocks the constant intrusion attempts coming from the Internet.
In this practical, complete guide you will see how to do it in different scenarios with TP-Link equipment (SMB and Omada), what to keep in mind about ACL rules and whitelists, and how to verify that everything is properly closed. We also cover additional methods such as TCP Wrappers, iptables, and best practices so you can keep your environment protected without leaving loose ends.
Why limit SSH access on TP-Link routers
Exposing SSH to the Internet opens the door to a constant stream of attempts by scanning bots with bad intent. It is not unusual to find port 22 reachable from the WAN after a check, as happened with a serious flaw in TP-Link routers. You can use a simple nmap command to check whether your public IP has port 22 open: from an external machine run something like nmap -vvv -p 22 TU_IP_PUBLICA and see whether "open ssh" appears.
Even if you use public keys, leaving port 22 open invites further probing, attempts on other ports, and attacks against management services. The solution is clear: deny by default and allow only from permitted IPs or ranges, preferably fixed ones under your control. If you do not need remote management, disable it entirely on the WAN.
Beyond exposed ports, there are situations where you may suspect configuration changes or abnormal behaviour (for example, a USB modem that starts "dropping" traffic after a while). If you notice that ping, traceroute, or browsing do not get past the modem, review the settings and firmware, consider restoring factory settings, and close everything you are not using.
Mental model: block by default and create a whitelist
The philosophy is simple: a default-deny policy plus explicit exceptions. On most TP-Link routers with an advanced interface, you can set a remote-access policy of type Drop in the Firewall, then allow specific addresses on the whitelist for administrative tasks.
On firmware that includes the "Remote Access Policy" and "Whitelist Rules" options (under the Network / Firewall pages), select Drop in the remote-access policy and add to the whitelist the public IPs, in CIDR format (XXXX/XX), that should be able to reach the configuration or services such as SSH/Telnet/HTTP(S). These entries can carry a brief description to avoid confusion later.
It is important to understand the difference between the mechanisms. Port forwarding (NAT/DNAT) sends a port to a machine on the LAN; "Filter Rules" control WAN-to-LAN or routed traffic; and the Firewall "Whitelist Rules" control access to the router's own management. Filter rules do not block access to the device itself; for that you use the whitelist or specific rules on inbound traffic destined for the router.
To reach internal services, create a port mapping in NAT and then restrict who can reach that mapping from outside. The recipe is: open the required port, then restrict it with Access Control, which lets only authorised sources through and blocks the rest.

SSH from trusted IPs on TP-Link SMB routers (ER6120/ER8411 and similar)
On SMB routers such as the TL-ER6120 or ER8411, the usual pattern to publish a LAN service (for example, SSH on an internal server) and limit it by source IP takes two steps. First, the port is opened with Virtual Server (NAT); then it is filtered with Access Control based on IP groups and service types.
Step 1 - Virtual Server: go to Advanced → NAT → Virtual Server and create an entry for the correct WAN connection. Set external port 22 and point it to the server's internal IP (for example, 192.168.0.2:22). Save the rule to add it to the list. If your case uses a different port (for example, you moved SSH to 2222), adjust the value accordingly.
Step 2 - Service Type: go to Preferences → Service Type, create a new service called, for example, SSH, choose TCP or TCP/UDP, and define port 22 (the port range can be 0-65535). This layer lets you reference the port cleanly in the ACL.
Step 3 - IP Group: go to Preferences → IP Group → IP Address and add entries for the allowed source (for example, your public IP or range, named "Access_Client") and for the destination resource (for example, "SSH_Server" with the server's internal IP). Then bind each address to its IP group in the same menu.
Step 4 - Access Control: in Firewall → Access Control create two rules. 1) Allow rule: Allow policy, the new "SSH" service definition, Source = IP group "Access_Client" and Destination = "SSH_Server". Give it ID 1. 2) Block rule: Block policy with Source = IPGROUP_ANY and Destination = "SSH_Server" (or as appropriate), with ID 2. This way only the trusted IP or range gets through the NAT to your SSH; everything else is blocked.
Evaluation order matters. Lower IDs take precedence, so the Allow rule must come before (have a lower ID than) the Block rule. After applying the changes, you can connect to the router's WAN IP on the chosen port from the permitted IP, but connections from other sources will be blocked.
Model/firmware note: the interface can differ between hardware versions. The TL-R600VPN needs hardware v4 to cover some features, and on different firmware the menus may move. Even so, the flow is the same: service type → IP groups → ACL with Allow and Block. Remember to save and apply so the rules take effect.
Verify the result: from the permitted IP, try ssh usuario@IP_WAN and confirm you get in. From another IP, the port should be unreachable (the connection times out or is refused, ideally without a banner so as not to give hints).
ACLs with Omada Controller: lists, states, and a creation example
If you manage TP-Link gateways with Omada Controller, the logic is the same but with more visual options. Create groups (IP or port), define gateway ACLs, and order the rules to allow the minimum and deny everything else.
Lists and groups: in Settings → Profiles → Groups you can create IP groups (subnets or hosts, such as 192.168.0.32/27 or 192.168.30.100/32) and port groups (for example, HTTP 80 and DNS 53). These groups make complex rules easier by reusing objects.
Gateway ACL: in Settings → Network Security → ACL add rules with LAN→WAN, LAN→LAN, or WAN→LAN direction depending on what you want to protect. Each rule's policy can be Permit or Deny, and the order determines the final result. Tick "Enable" to activate them. Some versions let you keep rules prepared but disabled.
User-type rules (applicable to SSH): allow only specific services and block the rest (for example, Permit DNS and HTTP, then Deny All). For management whitelists, create a Permit from trusted IPs to the gateway management interface and then a general Deny from the remaining networks. If the firmware offers the Bidirectional option, the reverse rule can be created automatically.
Connection state: ACLs can be stateful. The common states are New, Established, Related, and Invalid. "New" covers the first packet (for example, the SYN in TCP), "Established" covers traffic of a connection already seen in both directions, "Related" covers dependent flows (such as FTP data channels), and "Invalid" covers packets that do not belong to any known connection. It is generally fine to keep the defaults unless you need more granularity.
VLANs and segmentation: Omada and SMB routers support unidirectional and bidirectional scenarios between VLANs. You can block Marketing→R&D but allow R&D→Sales, or block both directions and still allow a specific administrator. The LAN→LAN direction in the ACL is used to control traffic between internal networks.

Additional methods and hardening: TCP Wrappers, iptables, MikroTik, and the classic firewall
Beyond the router's ACLs, there are other layers worth using, especially if the SSH target is a Linux server behind the router. TCP Wrappers allows filtering by IP with hosts.allow and hosts.deny for compatible services (including OpenSSH in many typical setups).
Control files: if they do not exist, create them with sudo touch /etc/hosts.{allow,deny}. Best practice: deny everything in hosts.deny and explicitly allow in hosts.allow. Example: in /etc/hosts.deny put sshd: ALL and in /etc/hosts.allow add sshd: 203.0.113.10, 198.51.100.0/24. That way only those IPs can reach the server's SSH daemon.
Classic iptables: if your router or server supports it, add rules that accept SSH only from specific sources. The rule format would be: -I INPUT -s 203.0.113.10 -p tcp --dport 22 -j ACCEPT followed by a default DROP policy or a rule that blocks the rest. On routers with a Custom Rules tab you can inject these lines and apply them with "Save & Apply".
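The host-side layers described in this section, the connection states from the Omada section, and the lock-out caveat a practitioner would want, as an added example that is not code from the original article. It is a POSIX shell script that generates a hosts.deny/hosts.allow pair and an iptables script into a directory of your choice so they can be reviewed before being copied to /etc; the trusted sources and port are constructed values. Two assumptions are built in: hosts.allow is written with the dotted-netmask form (n.n.n.n/m.m.m.m) because not every libwrap build accepts prefix-length notation for IPv4, and the iptables rules are appended in order (the article's -I inserts at the top instead). Note that OpenSSH stopped linking against libwrap in version 6.7, so on many current systems the iptables layer is the one that actually enforces the list.

```shell
#!/bin/sh
# Added example, not from the original article. Generates the TCP Wrappers
# files and an iptables script that accepts NEW SSH connections only from
# trusted sources, keeps ESTABLISHED/RELATED traffic flowing, and drops
# INVALID packets. TRUSTED and SSH_PORT are constructed for illustration.
TRUSTED="203.0.113.10 198.51.100.0/24"
SSH_PORT=22

# valid_cidr <entry>: accept a.b.c.d or a.b.c.d/n with n in 0..32, reject the rest
valid_cidr() {
    local entry="$1" addr bits o
    addr=${entry%/*}
    case $entry in */*) bits=${entry#*/} ;; *) bits=32 ;; esac
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    local IFS=.
    set -- $addr
    [ $# -eq 4 ] || return 1
    for o; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# prefix2mask <bits>: dotted netmask for a prefix length (24 -> 255.255.255.0)
prefix2mask() {
    local m
    m=$(( $1 == 0 ? 0 : (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# wrappers_entry <cidr>: hosts.allow form, bare address for /32, net/netmask otherwise
# (assumption: dotted-netmask form for portability across libwrap builds)
wrappers_entry() {
    local entry="$1" addr bits
    addr=${entry%/*}
    case $entry in */*) bits=${entry#*/} ;; *) bits=32 ;; esac
    if [ "$bits" -eq 32 ]; then echo "$addr"; else echo "$addr/$(prefix2mask "$bits")"; fi
}

# write_wrappers <dir>: hosts.deny closes sshd to everyone, hosts.allow lists
# the trusted sources. A malformed TRUSTED entry aborts instead of being written.
write_wrappers() {
    local dir="$1" list="" src
    for src in $TRUSTED; do
        valid_cidr "$src" || { echo "rejected entry: $src" >&2; return 1; }
        list="${list:+$list, }$(wrappers_entry "$src")"
    done
    printf 'sshd: ALL\n' > "$dir/hosts.deny"
    printf 'sshd: %s\n' "$list" > "$dir/hosts.allow"
}

# write_iptables <dir>: emit <dir>/ssh-allowlist.sh. Rules are appended, so the
# order below is the evaluation order; the final line sets the default policy
# to DROP, so run it from the console (not over SSH) and open other services first.
write_iptables() {
    local dir="$1" f="$1/ssh-allowlist.sh" src
    {
        echo '#!/bin/sh'
        echo 'set -e'
        echo 'iptables -A INPUT -i lo -j ACCEPT'
        echo 'iptables -A INPUT -m conntrack --ctstate INVALID -j DROP'
        echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
        for src in $TRUSTED; do
            echo "iptables -A INPUT -p tcp --dport $SSH_PORT -s $src -m conntrack --ctstate NEW -j ACCEPT"
        done
        echo "iptables -A INPUT -p tcp --dport $SSH_PORT -j DROP"
        echo 'iptables -P INPUT DROP'
    } > "$f"
    chmod +x "$f"
}

# Usage: OUT_DIR=/tmp/ssh-hardening sh this_script.sh, then review the three files.
if [ -n "${OUT_DIR:-}" ]; then
    mkdir -p "$OUT_DIR" && write_wrappers "$OUT_DIR" && write_iptables "$OUT_DIR"
fi
```

The explicit per-port DROP before the policy change is redundant once the policy is DROP, but it keeps the SSH decision visible in the rule list when you later add ACCEPT rules for other services.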
MikroTik best practices (applicable as general guidance): change the default ports where possible, disable Telnet (use SSH only), use strong passwords or, better still, key authentication; limit access by IP address using the firewall, enable 2FA if the device supports it, and keep firmware/RouterOS up to date. Disable WAN access if you do not need it, monitor failed attempts and, where appropriate, apply connection rate limits to blunt brute-force attacks.
TP-Link classic interface (older firmware): log in to the panel using the LAN IP (default 192.168.1.1) and the admin/admin credentials, then go to Security → Firewall. Enable IP filtering and choose whether packets not matched by any rule follow the desired policy. Then, in IP Address Filtering, click "Add New" and define which IPs can or cannot use the service port on the WAN (for SSH, 22/tcp). Save each step. This lets you enforce a general deny and create exceptions that allow only trusted IPs.
Blocking specific IPs with static routes
Sometimes it is useful to block outbound traffic to specific IPs to improve stability with certain services (such as streaming). One way to do this on many TP-Link devices is via static routes: create /32 routes that avoid reaching those destinations, or steer them somewhere they are not handled by the default route (support varies by firmware).
Recent models: go to Advanced → Network → Advanced Routing → Static Routing and click "+ Add". Enter the "Network Destination" with the IP to block, "Subnet Mask" 255.255.255.255, "Default Gateway" the LAN gateway (usually 192.168.0.1), and "Interface" LAN. Select "Enable this entry" and save. Repeat for each destination IP depending on the service you want to control.
Older firmware: go to Advanced → Routing List, click "Add New", and fill in the same fields. Enable the route status and save. Check with your service's support to find out which IPs to route, since they may change.
Verification: open a terminal or command prompt and test with ping 8.8.8.8 (or the IP you blocked). If you see "Timeout" or "Destination host unreachable", the block is working. If not, review the steps and reboot the router so all tables take effect.
Verification, testing, and troubleshooting
To confirm the SSH whitelist is working, try from the permitted IP: ssh usuario@IP_WAN -p 22 (or the port you use) and confirm access. From a non-permitted IP, the port should not respond. Use nmap -p 22 IP_WAN to check the port's state.
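The exposure check used above and in the "Why limit SSH access" section, as an added example that is not code from the original article. It parses nmap's "grepable" output (nmap -oG -) for the router's WAN address and reports which management ports answer, exiting non-zero so it can be scheduled from an external host as a recurring alert. It assumes nmap is installed on that external host; the two sample lines at the top are constructed, so the parser also runs offline.

```shell
#!/bin/sh
# Added example, not from the original article. Reads nmap grepable output and
# reports management ports that are open on the WAN side. Run the scan from a
# host OUTSIDE your network; from inside, NAT hairpinning can mislead you.

# Ports that should never answer on the WAN interface (SSH, Telnet, web UI).
MGMT_PORTS="22 23 80 443"

# Constructed sample lines in nmap's grepable format (port/state/proto//service///).
SAMPLE_OPEN='Host: 203.0.113.5 ()	Ports: 22/open/tcp//ssh///, 23/closed/tcp//telnet///, 80/open/tcp//http///, 443/filtered/tcp//https///'
SAMPLE_CLOSED='Host: 203.0.113.5 ()	Ports: 22/filtered/tcp//ssh///, 23/filtered/tcp//telnet///, 80/filtered/tcp//http///, 443/filtered/tcp//https///'

# exposed_ports "<grepable output>": print the management ports reported as
# open, space-separated, and return 1 (alert) when any is open; return 0 and
# print nothing when none is. "filtered" and "closed" both count as not exposed.
exposed_ports() {
    local out="$1" open="" port
    for port in $MGMT_PORTS; do
        # each port entry is preceded by a space, so "2/open" cannot match "22/open"
        if printf '%s\n' "$out" | grep -Eq "[[:space:]]$port/open/tcp//"; then
            open="${open:+$open }$port"
        fi
    done
    [ -n "$open" ] || return 0
    echo "$open"
    return 1
}

# scan_wan <ip>: probe only the management ports, skip host discovery (-Pn)
# because a hardened router will not answer ping, emit grepable output.
scan_wan() {
    nmap -Pn -p "$(echo $MGMT_PORTS | tr ' ' ,)" -oG - "$1"
}

# Usage: WAN_IP=<your public address> sh this_script.sh
if [ -n "${WAN_IP:-}" ]; then
    if ports=$(exposed_ports "$(scan_wan "$WAN_IP")"); then
        echo "OK: no management port reachable on $WAN_IP"
    else
        echo "EXPOSED on $WAN_IP: $ports"
        exit 1
    fi
fi
```

Treating "filtered" as not exposed matches the article's goal of a silent drop; if you also want to confirm that nothing is being rejected with a banner, compare the "closed" and "filtered" counts between a permitted and a non-permitted source.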
If something does not respond as expected, check the ACL priority. Rules are processed in order, and those with the lowest ID win; a Deny placed above your Allow nullifies the whitelist. Also check that the "Service Type" points to the right port and that your "IP Groups" contain the right ranges.
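Both the SMB walkthrough (Allow rule ID 1, Block rule ID 2) and the ordering point in this paragraph come down to the same evaluation model, shown here as an added example that is not code from the original article. It is a POSIX shell model of an access-control list that tries rules in ascending ID order and lets the first match decide; the rule table, the swapped-ID table, and the addresses are constructed, while the group name SSH_Server follows the walkthrough. It does not claim to reproduce what a given firmware does when no rule matches, so that case is reported as "NoMatch" rather than as an implicit verdict.

```shell
#!/bin/sh
# Added example, not from the original article. Models first-match ACL
# evaluation in ascending rule-ID order, the property that forces the Allow
# rule to carry a lower ID than the Block rule.

# One rule per line: <ID> <Allow|Block> <source CIDR or "any"> <destination group>
# Constructed table in the order the article recommends.
ACL_RULES='1 Allow 203.0.113.10/32 SSH_Server
2 Block any SSH_Server'

# Same two rules with the IDs swapped: the common troubleshooting mistake.
SWAPPED_RULES='2 Allow 203.0.113.10/32 SSH_Server
1 Block any SSH_Server'

# ip2int <dotted IPv4>: print the address as a 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ip> <cidr>: succeed when <ip> lies inside <cidr> ("any" matches all,
# a bare address is treated as /32)
in_cidr() {
    local ip="$1" cidr="$2" net bits mask
    [ "$cidr" = "any" ] && return 0
    net=${cidr%/*}
    case $cidr in */*) bits=${cidr#*/} ;; *) bits=32 ;; esac
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# acl_verdict <source ip> <destination group> [rules]: print the action of the
# first matching rule, lowest ID first ("Allow (rule 1)"), or "NoMatch".
acl_verdict() {
    local src="$1" dest="$2" rules="${3:-$ACL_RULES}" tmp id action rsrc rdest
    tmp=$(mktemp)
    # sort numerically on the ID column so the table's textual order is irrelevant
    printf '%s\n' "$rules" | sort -n -k1,1 > "$tmp"
    while read -r id action rsrc rdest; do
        [ -z "$id" ] && continue
        if [ "$rdest" = "$dest" ] && in_cidr "$src" "$rsrc"; then
            rm -f "$tmp"
            echo "$action (rule $id)"
            return 0
        fi
    done < "$tmp"
    rm -f "$tmp"
    echo "NoMatch"
}

# Usage: ACL_DEMO=1 sh this_script.sh
if [ "${ACL_DEMO:-}" = 1 ]; then
    echo "correct order, trusted source:   $(acl_verdict 203.0.113.10 SSH_Server)"
    echo "correct order, other source:     $(acl_verdict 198.51.100.7 SSH_Server)"
    echo "swapped IDs, trusted source:     $(acl_verdict 203.0.113.10 SSH_Server "$SWAPPED_RULES")"
fi
```

The swapped table shows why the symptom in this paragraph looks like "the whitelist does nothing": the Block rule with the lower ID matches the trusted address first, and the Allow rule is never consulted.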
In case of suspicious behaviour (loss of connectivity after a while, rules that change on their own, LAN traffic being dropped), consider updating the firmware, disabling services you do not use (remote web service / Telnet / SSH), changing credentials, reviewing MAC cloning if applicable and, as a last resort, restoring factory settings and reconfiguring with a minimal setup and a strict whitelist.
Compatibility, models, and availability notes
Feature availability (basic ACLs, profiles, whitelists, PVID editing on ports, and so on) may depend on the hardware model and version. On some devices, such as the TL-R600VPN, certain features are only available from version 4 onwards. User interfaces also change, but the basic scheme is the same: block by default, define services and groups, allow from specific IPs, and block the rest.
Within the TP-Link ecosystem, many devices are involved in business networks. Models mentioned in the documentation include the TL-SG2216, T2600G-28TS, TL-SG2210P, T2600G-28MPS, T1500G-10MPS, T1700G-28TQ, T1500-28PCT, and T3700G-28TQ, among others. Keep in mind that the offering varies by region and some may not be available in your area.
To stay up to date, visit your model's support page, select the correct hardware version, and check the firmware release notes and technical specifications for the latest improvements. Updates sometimes expand or refine firewall, ACL, or remote-management features.
Closing SSH to all but specific IPs, configuring the ACL properly, and understanding which mechanism controls what saves you from unpleasant surprises. With a default-deny policy, precise whitelists, and regular verification, your TP-Link router and the services behind it will be far better protected without giving up the control you need.
Passionate about technology since a young age. I love staying current in the sector and, above all, communicating about it. That is why I have devoted myself to communication on technology and video-game websites for many years. You can find me writing about Android, Windows, macOS, iOS, Nintendo, or any related topic that comes to mind.

