How to restrict SSH access to a TP-Link router to trusted IPs

Last updated: 04/11/2025

  • Prioritize a default-deny policy and use whitelists for SSH.
  • Combine NAT + ACL: open the port and restrict it by source IP.
  • Verify with nmap/ping and respect rule priority (ID).
  • Harden with updates, SSH keys, and a minimum of services.


How do you restrict SSH access to a TP-Link router to trusted IPs? Controlling who can reach your network over SSH is not a whim; it is an essential security measure. Allowing access only from trusted IP addresses reduces the attack surface, cuts down automated scans, and prevents constant intrusion attempts from the Internet.

In this practical and complete guide you will see how to do it in different scenarios with TP-Link devices (SMB and Omada), what to consider regarding ACL rules and whitelists, and how to verify that everything is properly closed. We include additional methods such as TCP Wrappers, iptables, and best practices so you can secure your environment without leaving any loose ends.

Why restrict SSH access on TP-Link routers

Exposing SSH to the internet opens the door to mass scanning by bots that probe with malicious intent. It is not unusual to find port 22 reachable on the WAN after an audit, as has been seen in critical failures in TP-Link routers. A simple nmap command can be used to check whether your public IP address has port 22 open: run something like nmap -vvv -p 22 TU_IP_PUBLICA on an external machine and check whether "open ssh" appears.

Even if you use public keys, leaving port 22 open invites further probing, testing of other ports, and attacks on management services. The answer is clear: deny by default and allow only from permitted IPs or ranges, preferably fixed and controlled by you. If you do not need remote management, disable it entirely on the WAN.

Beyond exposed ports, there are situations where you may suspect rule changes or anomalous behavior (for example, a cable modem that starts "dropping" outbound traffic after a while). If you notice that ping, traceroute, or browsing does not get past the modem, check the configuration and the firmware, consider restoring factory settings, and close everything you do not use.


Mental model: block by default and build a whitelist

The winning philosophy is simple: a default-deny policy with explicit exceptions. On many TP-Link routers with an advanced interface, you can set a Drop-type remote ingress policy in the firewall and then allow specific addresses on a whitelist for management services.

On systems that include the "Remote Input Policy" and "Whitelist rules" options (on the Network - Firewall pages), set Drop as the remote input policy and add to the whitelist the public IPs, in CIDR format XXXX/XX, that must be able to reach the configuration or services such as SSH/Telnet/HTTP(S). These entries can include a short description to avoid confusion later.

It is important to understand the difference between the mechanisms. Port forwarding (NAT/DNAT) redirects ports to machines on the LAN. While "Filtering rules" control WAN-to-LAN or inter-network traffic, the firewall's "Whitelist rules" govern access to the router's management system. Filtering rules do not block access to the device itself; for that, you use whitelists or specific rules on traffic entering the router.

To reach internal services, a port mapping is created in NAT, and then who can reach that mapping from outside is restricted. The recipe is: open the required port and then restrict it with access control that lets only authorized sources through and blocks all others.



SSH from trusted IPs on TP-Link SMB (ER6120/ER8411 and similar)

On SMB routers such as the TL-ER6120 or ER8411, the usual pattern for publishing a LAN service (for example, SSH on an internal server) and restricting it by source IP has two phases. First, the port is opened with Virtual Server (NAT), and then it is filtered with Access Control based on IP groups and service types.

Step 1 - Virtual Server: go to Advanced → NAT → Virtual Server and create an entry for the corresponding WAN interface. Set external port 22 and point it to the server's internal IP address (for example, 192.168.0.2:22). Save the rule to add it to the list. If your case uses a different port (for example, you have changed SSH to 2222), adjust the value accordingly.

Step 2 - Service type: go to Preferences → Service Type, create a new service called, for example, SSH, select TCP or TCP/UDP and define destination port 22 (the source port range can be 0–65535). This layer lets you reference the port cleanly in the ACL.

Step 3 - IP Group: go to Preferences → IP Group → IP Address and add entries for both the allowed source (for example your public IP or a range, named "Access_Client") and the destination (e.g. "SSH_Server" with the server's internal IP). Then associate each address with its corresponding IP Group within the same menu.

Step 4 - Access control: in Firewall → Access Control create two rules. 1) Allow rule: Allow policy, the newly defined "SSH" service, source = IP group "Access_Client" and destination = "SSH_Server". Give it ID 1. 2) Block rule: Block policy with source = IPGROUP_ANY and destination = "SSH_Server" (or as applicable) with ID 2. This way, only the trusted IP or range will pass through the NAT to your SSH; everything else will be blocked.

Evaluation order matters. Lower IDs take priority, so the Allow rule must come before (have a lower ID than) the Block rule. After applying the changes, you will be able to connect to the router's WAN IP address on the defined port from the allowed IP address, but connections from other sources will be blocked.

Model/firmware notes: The interface may vary between hardware and versions. The TL-R600VPN requires hardware v4 to cover certain functions, and on different systems the menus may be relocated. Even so, the flow is the same: service type → IP groups → ACL with Allow and Block. Do not forget to save and apply so the rules take effect.

Recommended verification: From the allowed IP address, try ssh usuario@IP_WAN and verify access. From another IP address, the port should be unreachable (a connection that never arrives or is refused, ideally without a banner so as not to give clues).

ACL with Omada Controller: Lists, States, and Example Scenarios

If you manage TP-Link gateways with the Omada Controller, the logic is similar but with more visual options. Create groups (IP or ports), define gateway ACLs, and order the rules to allow the bare minimum and deny everything else.

Lists and groups: in Settings → Profiles → Groups you can create IP groups (subnets or hosts, such as 192.168.0.32/27 or 192.168.30.100/32) and also port groups (for example, HTTP 80 and DNS 53). These groups simplify complex rules by reusing objects.

Gateway ACL: in Configuration → Network Security → ACL add rules with the LAN → WAN, LAN → LAN or WAN → LAN direction depending on what you want to protect. The policy of each rule can be Allow or Deny, and the order determines the actual result. Check "Enable" to activate them. Some versions let you leave rules prepared but disabled.


Useful cases (adaptable to SSH): allow only specific services and block the rest (for example, Allow DNS and HTTP and then Deny All). For management whitelists, create an Allow from Trusted IPs to the "Gateway Administration Page" and then a deny from the other networks. If your firmware has the Bidirectional option, you can generate the inverse rule automatically.

Connection states: ACLs can be stateful. The common types are New, Established, Related, and Invalid. "New" handles the first packet (for example, SYN in TCP), "Established" handles traffic already seen in both directions, "Related" handles dependent connections (such as FTP data channels), and "Invalid" handles anomalous traffic. It is generally best to keep the default settings unless you need finer granularity.

VLAN and segmentation: Omada and SMB routers support unidirectional and bidirectional scenarios between VLANs. You can block Marketing → R&D but allow R&D → Marketing, or block both directions and still allow a specific administrator. The LAN → LAN direction in the ACL is used to control traffic between internal subnets.


Additional methods and hardening: TCP Wrappers, iptables, MikroTik and the classic firewall.

In addition to the router's ACLs, there are other layers that should be applied, especially if the SSH destination is a Linux server behind the router. TCP Wrappers allows filtering by IP with hosts.allow and hosts.deny on compatible services (including OpenSSH in many traditional configurations).

Control files: if they do not exist, create them with sudo touch /etc/hosts.{allow,deny}. Best practice: deny everything in hosts.deny and allow explicitly in hosts.allow. For example: in /etc/hosts.deny put sshd: ALL and in /etc/hosts.allow add sshd: 203.0.113.10, 198.51.100.0/24. That way, only those IPs will be able to reach the server's SSH daemon.
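The allow-then-deny lookup that TCP Wrappers applies to these two files can be modelled as follows. This is an added example, not code from the original page or from the tcp_wrappers project; it handles only the ALL keyword and IPv4 address/network patterns, and the client addresses are constructed samples.

```python
from ipaddress import ip_address, ip_network

def parse(text):
    """Parse hosts.allow / hosts.deny text into (daemons, clients) entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, _, clients = line.partition(":")
        entries.append((daemons.replace(",", " ").split(),
                        clients.replace(",", " ").split()))
    return entries

def matches(entries, daemon, client):
    """True if any entry names the daemon and a pattern covering the client."""
    addr = ip_address(client)
    for daemons, clients in entries:
        if daemon not in daemons and "ALL" not in daemons:
            continue
        for pattern in clients:
            if pattern == "ALL" or addr in ip_network(pattern, strict=False):
                return True
    return False

def allowed(allow_text, deny_text, daemon, client):
    """hosts.allow is consulted first, then hosts.deny, otherwise access is granted."""
    if matches(parse(allow_text), daemon, client):
        return True
    if matches(parse(deny_text), daemon, client):
        return False
    return True

def verdicts(allow_text, deny_text, clients, daemon="sshd"):
    return {c: allowed(allow_text, deny_text, daemon, c) for c in clients}

# File contents from the page; the client addresses below are constructed.
HOSTS_ALLOW = "sshd: 203.0.113.10, 198.51.100.0/24\n"
HOSTS_DENY = "sshd: ALL\n"
CLIENTS = ["203.0.113.10", "198.51.100.20", "192.0.2.50"]

if __name__ == "__main__":
    print("with deny-all :", verdicts(HOSTS_ALLOW, HOSTS_DENY, CLIENTS))
    # Files created with touch but hosts.deny left empty: everyone gets in.
    print("empty deny    :", verdicts(HOSTS_ALLOW, "", CLIENTS))
```

The second case shows why the sshd: ALL line in hosts.deny is the part that actually closes the service. Before relying on these files, confirm that your sshd is linked against libwrap, for example with ldd "$(command -v sshd)" | grep libwrap.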

Custom iptables: If your router or server allows it, add rules that accept SSH only from specific sources. A typical rule would be: -I INPUT -s 203.0.113.10 -p tcp --dport 22 -j ACCEPT followed by a default DROP policy or a rule that blocks everything else. On routers with a Custom Rules tab you can paste these lines and apply them with "Save & Apply".

Best practices on MikroTik (applicable as a general guide): change default ports when possible, disable Telnet (use SSH only), and use strong passwords or, better yet, key authentication. Restrict access by IP address using the firewall, enable 2FA if the device supports it, and keep the firmware/RouterOS up to date. Disable WAN access if you do not need it. Monitor failed attempts and, if necessary, apply connection rate limits to stop brute-force attacks.

TP-Link Classic Interface (Legacy Firmware): Log in to the panel using the LAN IP address (default 192.168.1.1) and the admin/admin credentials, then go to Security → Firewall. Enable the IP filter and choose for unspecified packets to follow the policy you want. Then, in IP Address Filtering, click "Add new" and define which IPs can or cannot use the service port on the WAN (for SSH, 22/tcp). Save each step. This lets you apply a general deny and create exceptions that allow only trusted IPs.

Block specific IPs with static routes

In some cases it is useful to block outbound access to specific IPs to improve stability with certain services (such as streaming). One way to do this on many TP-Link devices is static routing: creating /32 routes that prevent those destinations from being reached, or that direct them so they are not consumed by the default route (support varies by firmware).


Recent models: go to the Advanced → Network → Advanced Routing → Static Routing tab and click "+ Add". Enter "Network Destination" with the IP address to block, "Subnet Mask" 255.255.255.255, "Default Gateway" the LAN gateway (typically 192.168.0.1) and "Interface" LAN. Select "Enable this entry" and save. Repeat for each IP address, depending on the service you want to control.

Older firmware: go to Advanced Routing → Static Routing List, click "Add New" and fill in the same fields. Enable the route status and save. Consult your service's support to find out which IPs to target, as these can change.

Verification: Open a terminal or command prompt and test with ping 8.8.8.8 (or the destination IP you blocked). If you see "Timeout" or "Destination host unreachable", the block is working. If not, review the steps and restart the router so that all tables take effect.

Verification, testing, and incident resolution

To confirm that your SSH whitelist is working, from an allowed IP address try ssh usuario@IP_WAN -p 22 (or the port you use) and confirm access. From a non-allowed IP address, the port should not offer the service. Use nmap -p 22 IP_WAN to check the port state.

If something does not respond as it should, check ACL priority. Rules are processed sequentially, and those with the lowest ID win. A Deny placed above your Allow nullifies the whitelist. Also check that the "Service Type" points to the correct port and that your "IP Groups" contain the appropriate ranges.
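The lowest-ID-wins evaluation described here and in the Access Control step can be simulated to see how a misordered or missing rule changes the outcome. This is an added example, not TP-Link code or code from the original page: the group names follow the page, the addresses are constructed samples, and passing traffic when no rule matches is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed IP groups that mirror the page's names; addresses are samples.
GROUPS = {
    "Access_Client": [ip_network("203.0.113.10/32"), ip_network("198.51.100.0/24")],
    "SSH_Server": [ip_network("192.168.0.2/32")],
    "IPGROUP_ANY": [ip_network("0.0.0.0/0")],
}

@dataclass(frozen=True)
class Rule:
    rule_id: int
    policy: str        # "Allow" or "Block"
    dport: int         # destination port of the service type
    source: str        # IP group name
    destination: str   # IP group name

def in_group(addr, group):
    return any(ip_address(addr) in net for net in GROUPS[group])

def evaluate(rules, src, dst, dport, default="Allow"):
    """Return (policy, rule_id) of the first matching rule, lowest ID first."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if (rule.dport == dport and in_group(src, rule.source)
                and in_group(dst, rule.destination)):
            return rule.policy, rule.rule_id
    return default, None   # assumption: unmatched forwarded traffic passes

def audit(rules, probes, dst="192.168.0.2", dport=22):
    """Map each probe source address to the verdict the ACL gives it."""
    return {src: evaluate(rules, src, dst, dport)[0] for src in probes}

CORRECT = [Rule(1, "Allow", 22, "Access_Client", "SSH_Server"),
           Rule(2, "Block", 22, "IPGROUP_ANY", "SSH_Server")]
# Same two rules with the IDs swapped: the Block now shadows the Allow.
SWAPPED = [Rule(2, "Allow", 22, "Access_Client", "SSH_Server"),
           Rule(1, "Block", 22, "IPGROUP_ANY", "SSH_Server")]
# Allow rule only, Block rule forgotten: the forwarded port stays open.
NO_BLOCK = CORRECT[:1]

PROBES = ["203.0.113.10", "198.51.100.77", "192.0.2.50"]

if __name__ == "__main__":
    for name, rules in [("correct", CORRECT), ("swapped", SWAPPED),
                        ("no block", NO_BLOCK)]:
        print(f"{name:9}", audit(rules, PROBES))
```

With the swapped IDs even the trusted sources are blocked, and with the Block rule missing the untrusted probe is let through, which are the two symptoms to look for when the whitelist misbehaves.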

In case of suspicious behavior (loss of connectivity after a while, rules that change on their own, LAN traffic dropping), consider updating the firmware. Disable services you do not use (remote web/Telnet/SSH management), change credentials, check MAC cloning if applicable, and, as a last resort, restore factory settings and reconfigure with minimal settings and a strict whitelist.

Compatibility, models, and availability notes

The availability of features (stateful ACLs, profiles, whitelists, PVID editing on ports, etc.) may depend on the hardware model and version. On some devices, such as the TL-R600VPN, certain capabilities are only available from version 4 onward. User interfaces also change, but the basic procedure is the same: block by default, define services and groups, allow from specific IPs and block the rest.

Within the TP-Link ecosystem, there are many devices involved in business networks. Models cited in the documentation include T1600G-18TS, T1500G-10PS, TL-SG2216, T2600G-52TS, T2600G-28TS, TL-SG2210P, T2500-28TC, T2700G-28TQ, T2500G-104TS,10TS,1 T2600G-28MPS, T1500G-10MPS, SG2210P, S4500-8G, T1500-28TC, T1700X-16TS, T1600G-28TS, TL-SL3452, TL-SG3216, T57T000G, T37200G T1700G-28TQ, T1500-28PCT, T2600G-18TS, T1600G-28PS, T2500G-10MPS, Festa FS310GP, T1600G-52MPS, T1600G-52PS, T1600G-28PS, T2500G-10MPS. T3700G-28TQ, T1500G-8T, T1700X-28TQ, among others. Keep in mind that the offering varies by region and some models may not be available in your area.

To stay up to date, visit your product's support page, select the correct hardware version, and check the firmware notes and technical specifications for the latest improvements. Sometimes updates add or refine firewall, ACL, or remote management features.

Closing SSH to all but specific IPs, ordering ACLs properly, and understanding which mechanism controls each thing saves you from unpleasant surprises. With a default-deny policy, precise whitelists, and regular verification, your TP-Link router and the services behind it will be much better protected without giving up management when you need it.
