- Prioritise a deny-by-default policy and use SSH whitelists.
- Combine NAT + ACL: NAT opens the port, the ACL restricts the source IP.
- Verify with nmap/ping and respect rule priority (ID order).
- Reinforce with updates, SSH keys, and the minimum set of services.
How do you restrict SSH access on a TP-Link router to trusted IPs? Controlling who can reach your network over SSH is no luxury; it is an essential layer of security. Allowing access only from trusted IP addresses reduces the attack surface, cuts down automated scanning, and stops the constant intrusion attempts coming from the internet.
In this practical and complete guide you will see how to do it in different scenarios with TP-Link equipment (SMB and Omada), what to consider about ACL rules and whitelists, and how to verify that everything is properly locked down. We also cover complementary methods such as TCP Wrappers, iptables, and best practices to protect your environment without leaving loose ends.
Why restrict SSH access on TP-Link routers
Exposing SSH to the internet opens the door to massive scanning by bots that are very curious and have malicious intent. It is not unusual to discover port 22 reachable from the WAN after a scan, as has been seen in the [SSH example] of critical vulnerabilities in TP-Link routers. A simple nmap command can be used to check whether your public IP has port 22 open: from an external machine run something like nmap -vvv -p 22 TU_IP_PUBLICA and check whether "open ssh" appears.
Even if you use public keys, leaving port 22 open invites further reconnaissance, probing of other ports, and attacks on management services. The solution is clear: deny by default and allow access only from approved IPs or well-defined ranges that you control. If you do not need remote management, disable it on the WAN entirely.
Beyond exposed ports, there are situations where you may suspect that a rule has changed or that something behaves abnormally (for example, a cable modem that starts "dropping" outgoing traffic after a while). If you see that ping, traceroute, or browsing does not get past the modem, check the settings and firmware, consider a factory reset, and close everything you do not use.
Mindset: block by default and whitelist
The winning philosophy is simple: a deny-by-default policy with explicit exceptions. On many TP-Link routers with the advanced interface, you can set the remote access policy in the firewall to Drop, and then allow specific addresses through the whitelist for management services.
On systems that offer the "Remote Access Policy" and "Whitelist Rules" options (under the Network → Firewall pages), set the remote access policy flag and add to the whitelist, in CIDR format (x.x.x.x/xx), the public IPs that are allowed to reach the configuration or services such as SSH/Telnet/HTTP(S). Each entry can carry a short description to avoid confusion later.
It is important to understand the difference between the mechanisms. Port forwarding (NAT/DNAT) directs ports to LAN machines; "Filter Rules" govern WAN-to-LAN or inter-network traffic; and the firewall's "whitelist rules" govern access to the router's own management interface. Filter rules do not block access to the device itself; for that you use the whitelist or specific rules that apply to traffic addressed to the router.
To reach internal services, a port mapping is created in NAT and then who can reach that mapping from outside is restricted. The recipe is: open the necessary port, then restrict it with access control so that only authorised sources get through and everything else is blocked.

SSH from trusted IPs on TP-Link SMB (ER6120/ER8411 and similar)
On the SMB series such as the TL-ER6120 or ER8411, the usual pattern for publishing a LAN service (for example, SSH on an internal server) and restricting the source IP has two phases. First, the port is opened with Virtual Server (NAT); then it is filtered with Access Control based on IP groups and service types.
Phase 1 – Virtual Server: go to Advanced → NAT → Virtual Server and create an entry bound to the WAN interface. Set external port 22 and point it at the internal server's IP address (for example, 192.168.0.2:22). Save the rule so it is added to the list. If your setup uses a different port (for example, you moved SSH to 2222), adjust the value accordingly.
Phase 2 – Service Type: go to Preferences → Service Type, create a new service called, for example, SSH, choose TCP or TCP/UDP and define destination port 22 (the port range can be 0-65535). This layer lets you reference the port cleanly from the ACL.
Phase 3 – IP Group: go to Preferences → IP Group → IP Address and add entries for both the allowed source (for example, your public IP or range, named "Access_Client") and the destination resource (for example, "SSH_Server" with the server's internal IP). Then associate each address with the corresponding IP group in the same menu.
Phase 4 – Access Control: in Firewall → Access Control create two rules. 1) Allow rule: Allow policy, the "SSH" service just defined, Source = IP group "Access_Client" and Destination = "SSH_Server". Give it ID 1. 2) Block rule: Block policy, Source = IPGROUP_ANY and Destination = "SSH_Server" (or as applicable), with ID 2. This way only the trusted IP will pass through NAT to your SSH; everything else will be blocked.
Evaluation order matters. The lower ID has priority, so the Allow rule must come before (lower ID than) the Block rule. After applying the changes, you will be able to connect to the router's WAN IP on the defined port from the allowed IP address, but connections from other sources will be blocked.
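To make the ordering rule concrete, here is an added model of first-match ACL evaluation (this is illustration code, not TP-Link's implementation or a page-supplied tool). It reuses the guide's group and service names, assumes that rules are tried in ascending ID order and that traffic matching no rule is allowed (which is why the guide needs the explicit Block rule), and shows that swapping the two IDs turns the whitelist into a block-all. The same first-match logic applies to Omada Gateway ACLs, where position in the list plays the role of the ID.

```python
"""Model of first-match ACL evaluation (added illustration, not router code).
Assumptions: rules are evaluated in ascending ID order, the first matching
rule decides, and traffic that matches no rule is allowed by default."""
import ipaddress
from dataclasses import dataclass

# Constructed groups mirroring the guide: a trusted public IP and the LAN host.
IP_GROUPS = {
    "Access_Client": ["203.0.113.10/32"],   # constructed trusted source
    "SSH_Server": ["192.168.0.2/32"],       # internal SSH host from the guide
    "IPGROUP_ANY": ["0.0.0.0/0"],
}
SERVICES = {"SSH": ("tcp", 22)}            # Service Type "SSH" = TCP/22


@dataclass(frozen=True)
class Rule:
    rule_id: int
    policy: str        # "Allow" or "Block"
    service: str       # key into SERVICES
    src_group: str     # key into IP_GROUPS
    dst_group: str     # key into IP_GROUPS


def in_group(ip, group):
    """True if ip falls inside any network of the named IP group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in IP_GROUPS[group])


def matches(rule, src_ip, dst_ip, proto, dport):
    """A rule matches when service, source group and destination group all agree."""
    svc_proto, svc_port = SERVICES[rule.service]
    return (proto == svc_proto and dport == svc_port
            and in_group(src_ip, rule.src_group)
            and in_group(dst_ip, rule.dst_group))


def evaluate(rules, src_ip, dst_ip, proto="tcp", dport=22):
    """Return (policy, rule_id) of the first matching rule by ascending ID,
    or ("Allow", None) when nothing matches (assumed implicit default)."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if matches(rule, src_ip, dst_ip, proto, dport):
            return rule.policy, rule.rule_id
    return "Allow", None


# The two rules exactly as the guide orders them.
GUIDE_RULES = [
    Rule(1, "Allow", "SSH", "Access_Client", "SSH_Server"),
    Rule(2, "Block", "SSH", "IPGROUP_ANY", "SSH_Server"),
]
# Same rules with the IDs swapped: the Block rule now wins for everyone.
INVERTED_RULES = [
    Rule(2, "Allow", "SSH", "Access_Client", "SSH_Server"),
    Rule(1, "Block", "SSH", "IPGROUP_ANY", "SSH_Server"),
]

if __name__ == "__main__":
    for name, rules in (("guide order", GUIDE_RULES), ("inverted", INVERTED_RULES)):
        for src in ("203.0.113.10", "198.51.100.7"):
            print(f"{name:12} {src:15} -> {evaluate(rules, src, '192.168.0.2')}")
```

Running it prints that with the guide's order the trusted IP gets ("Allow", 1) and a stranger gets ("Block", 2), while with the IDs inverted both get ("Block", 1); a packet to another port matches neither rule and falls through to the implicit default, which is why any extra service you publish needs its own pair of rules.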
Model/firmware notes: the interface can vary between devices and versions. The TL-R600VPN requires hardware v4 to support some of these functions, and on different versions the menus may move around. Even so, the flow is the same: service type → IP groups → ACL with Allow and Block. Do not forget to save and apply so the rule takes effect.
Recommended verification: from the allowed IP address, try ssh usuario@IP_WAN and confirm that you get in. From another IP address the port should be unreachable (the connection never arrives or is refused, and no banner is shown, so as not to give away hints).
ACL with Omada Controller: lists, states, and practical examples
If you manage TP-Link gateways with the Omada Controller, the logic is the same but with more visual options. Create groups (IP or port), define Gateway ACLs, and order the rules so that the minimum is permitted and everything else is denied.
Lists and groups: in Settings → Profiles → Groups you can create IP groups (subnets or hosts, such as 192.168.0.32/27 or 192.168.30.100/32) as well as port groups (for example, HTTP 80 and DNS 53). These groups make strict rules easier to write because the objects are reused.
Gateway ACL: in Settings → Network Security → ACL add rules with direction LAN→WAN, LAN→LAN or WAN→LAN depending on what you want to protect. Each rule's policy can be Permit or Deny, and the order determines the actual outcome. Tick "Enable" to activate a rule. Some versions let you keep rules prepared but disabled.
Useful cases (adaptable to SSH): permit only specific services and block the rest (for example, Permit DNS and HTTP, then Deny All). For a management whitelist, create a Permit from the trusted IPs to "Gateway Management Page" and then a general deny for the other networks. If your firmware offers the Bidirectional option, it can generate the reverse rule automatically.
Connection state: ACLs can be stateful. The usual states are New, Established, Related, and Invalid. "New" covers the first packet (for example, a TCP SYN), "Established" covers traffic in both directions of a connection already seen, "Related" covers dependent connections (such as FTP data), and "Invalid" covers abnormal traffic. In general it is fine to keep the default setting until you need more granularity.
VLANs and segmentation: Omada and SMB routers support unidirectional and bidirectional scenarios between VLANs. You can block Marketing → R&D but allow R&D → Marketing, or block both directions and still allow a specific administrator. The LAN→LAN direction in the ACL is used to control traffic between subnets.

Complementary methods and hardening: TCP Wrappers, iptables, MikroTik and the classic firewall
In addition to the router ACLs, there are other layers worth applying, especially if the SSH destination is a Linux server behind the router. TCP Wrappers allow filtering by IP with hosts.allow and hosts.deny for compatible services (including OpenSSH on many traditional distributions).
Check the files: if they do not exist, create them with sudo touch /etc/hosts.{allow,deny}. Best practice: deny everything in hosts.deny and explicitly allow known hosts. For example, in /etc/hosts.deny put sshd: ALL and in /etc/hosts.allow add sshd: 203.0.113.10, 198.51.100.0/24. Then only those IPs will be able to reach the SSH daemon.
Custom iptables: if your router or server allows it, add rules that accept SSH only from specific sources. A typical rule would be -I INPUT -s 203.0.113.10 -p tcp --dport 22 -j ACCEPT, followed by a DROP policy or a rule that blocks the rest. On routers with a Custom Rules tab you can paste these lines and apply them with "Save & Apply".
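The hosts.allow/hosts.deny pair only behaves as described if you know the lookup order, so here is an added evaluator (illustration code, not libwrap itself) that parses the two files exactly as the guide writes them and reproduces the documented decision: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. The file contents are constructed from the guide's example; hostname patterns, EXCEPT lists and option fields are deliberately out of scope. Two checks a practitioner should keep in mind: without the sshd: ALL line in hosts.deny every address gets through, and upstream OpenSSH removed libwrap support in 6.7, so confirm that your sshd actually consults these files before relying on them.

```python
"""Evaluator for the TCP Wrappers hosts.allow / hosts.deny decision.
Added illustration; implements the documented lookup order for the
address patterns used in the guide (ALL, single address, CIDR prefix,
n.n.n.n/m.m.m.m netmask)."""
import ipaddress

# Constructed file contents mirroring the guide's example.
HOSTS_DENY = "sshd: ALL\n"
HOSTS_ALLOW = "# trusted management sources\nsshd: 203.0.113.10, 198.51.100.0/24\n"


def parse_access_file(text):
    """Return [(daemon_patterns, client_patterns), ...] from hosts.allow/deny text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                              # malformed line: ignore it
        daemons = [d.strip() for d in fields[0].split(",") if d.strip()]
        clients = fields[1].replace(",", " ").split()  # commas or blanks separate
        entries.append((daemons, clients))
    return entries


def client_matches(pattern, ip):
    """Match one client pattern against an IP address string."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(ip)
    try:
        if "/" in pattern:
            # CIDR prefix or dotted netmask; ipaddress accepts both forms
            return addr in ipaddress.ip_network(pattern, strict=False)
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        return False                              # hostnames etc. not supported here


def daemon_matches(patterns, daemon):
    return any(p == "ALL" or p == daemon for p in patterns)


def entry_matches(entries, daemon, ip):
    return any(daemon_matches(ds, daemon) and any(client_matches(c, ip) for c in cs)
               for ds, cs in entries)


def hosts_access(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if the connection would be accepted: allow file first, then deny
    file, and access is granted when neither file has a matching entry."""
    if entry_matches(parse_access_file(allow_text), daemon, ip):
        return True
    if entry_matches(parse_access_file(deny_text), daemon, ip):
        return False
    return True


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.5"):
        print(ip, "->", "accept" if hosts_access("sshd", ip) else "refuse")
    # Same stranger, but with an empty hosts.deny: it gets in.
    print("192.0.2.5 without deny line ->", hosts_access("sshd", "192.0.2.5", deny_text=""))
```

Run it against copies of your real files (pass their contents as allow_text and deny_text) to confirm which sources would be admitted before you rely on the change; the last line of the demo is the case that bites people who only edit hosts.allow.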
MikroTik best practices (usable as a general guide): change the default ports if possible, disable Telnet (use SSH only), use strong passwords or, better still, key authentication. Restrict access by IP address with the firewall, enable 2FA if the device supports it, and keep the firmware/RouterOS up to date. Disable WAN access if you do not need it. Monitor failed attempts and, if necessary, apply connection rate limits to contain brute-force attacks.
Classic TP-Link interface (older firmware): log in to the panel using the LAN IP address (default 192.168.1.1) and the admin/admin credentials, then go to Security → Firewall. Enable IP address filtering and choose the default for packets not covered by any rule so that it matches the policy you want. Then, in IP Address Filtering, click "Add New" and define which IPs may or may not use the service port on the WAN (for SSH, 22/tcp). Save after each step. This lets you apply a general deny and create exceptions so that only trusted IPs are allowed.
Block specific IPs with static routes
In some situations it is useful to block outbound traffic to specific IPs to improve the stability of certain services (such as streaming). One way to do this on many TP-Link devices is via static routing: create /32 routes that prevent those destinations from being reached, or steer them so they do not use the default route (support varies by firmware).
Recent models: go to Advanced → Network → Advanced Routing → Static Routing and click "+ Add". Enter the "Destination Network" with the IP to block, "Subnet Mask" 255.255.255.255, "Default Gateway" the LAN gateway (usually 192.168.0.1) and "Interface" LAN. Tick the option that enables the entry and save. Repeat for each target IP, depending on the service you want to control.
Older firmware: go to Advanced Routing → Static Routing List, click "Add New" and fill in the same fields. Enable the route's status and save. Consult your service's support to find out which IPs are involved, because they can change.
Verification: open a terminal or command prompt and test ping 8.8.8.8 (or the destination IP you blocked). If you see "Timeout" or "Destination host unreachable", the block is working. If not, review the steps and restart the router so that all tables take effect.
Verification, testing, and troubleshooting
To verify that your SSH whitelist works, try from the authorised IP address: ssh usuario@IP_WAN -p 22 (or the port you use) and confirm that you get in. From an unauthorised IP address the port should offer no service. Use nmap -p 22 IP_WAN to check the port state.
If something does not respond as expected, check the ACL priority. Rules are processed in order, and the one with the lowest ID wins: a Deny above your Allow invalidates the whitelist. Also check that the "Service Type" points to the correct port and that your "IP groups" contain the right ranges.
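As an added helper for the check described above (this is illustration code, not part of the guide or of any TP-Link tool), the following probe classifies a single TCP port the way the nmap/ssh tests do and records whether a banner came back. Run it from the allowed IP and from an unauthorised one: only the first should report "open", and an unauthorised vantage point should see "filtered" (silently dropped) or "closed" (refused), never a banner. The host and port are placeholders you supply on the command line; the loopback self-check is constructed so the classifier can be exercised without any network.

```python
"""Single-port TCP probe for whitelist verification (added illustration)."""
import errno
import socket
import sys


def probe(host, port, timeout=3.0, read_banner=False):
    """Classify host:port as 'open', 'closed' (refused) or 'filtered'
    (no answer within timeout); optionally read a greeting banner."""
    result = {"state": "filtered", "banner": None}
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        result["state"] = "open"
        if read_banner:
            try:
                data = sock.recv(255)            # SSH servers greet first
                result["banner"] = data.decode("ascii", "replace").strip() or None
            except socket.timeout:
                result["banner"] = None           # open but silent
    except socket.timeout:
        result["state"] = "filtered"              # dropped: no SYN/ACK, no RST
    except ConnectionRefusedError:
        result["state"] = "closed"                # RST: host up, nothing listening
    except OSError as exc:
        # e.g. EHOSTUNREACH / ENETUNREACH: nothing answered, keep the errno name
        result["state"] = "filtered"
        result["error"] = errno.errorcode.get(exc.errno, str(exc))
    finally:
        sock.close()
    return result


def whitelist_ok(host, port, expect_open, timeout=3.0):
    """True if the observed state agrees with what the whitelist should
    produce from this vantage point: open only from the allowed IP."""
    state = probe(host, port, timeout)["state"]
    return state == "open" if expect_open else state != "open"


def local_self_check():
    """Exercise the classifier against a loopback listener: returns the
    states observed while it listens and after it is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                    # constructed local listener
    srv.listen(1)
    port = srv.getsockname()[1]
    with_listener = probe("127.0.0.1", port, timeout=1.0)["state"]
    srv.close()
    without_listener = probe("127.0.0.1", port, timeout=1.0)["state"]
    return with_listener, without_listener


if __name__ == "__main__":
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])     # e.g. IP_WAN 22
        print(probe(host, port, read_banner=True))
    else:
        print("loopback self-check:", local_self_check())
```

Usage: python3 probe.py IP_WAN 22 from each vantage point. A banner such as SSH-2.0-... appearing from the unauthorised address means the ACL is not catching the traffic (re-check the rule IDs and groups as described above); "closed" usually means the rule blocks with a reject rather than a drop, which still leaks that a host exists.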
If you notice suspicious behaviour (loss of connectivity after a while, rules changing on their own, LAN traffic dropping), consider updating the firmware, disable the services you do not use (remote web management/Telnet/SSH), change the credentials, check MAC cloning if it applies, and as a last resort restore the factory settings and reconfigure with a minimal setup and a strict whitelist.
Compatibility, models, and availability notes
The availability of features (stateful ACLs, profiles, whitelists, PVID editing on ports, etc.) depends on the hardware version and the model. On some devices, such as the TL-R600VPN, certain capabilities are only available from version 4 onwards. The user interface changes too, but the basic approach is the same: block by default, define services and groups, allow specific IPs and block the rest.
Within the TP-Link ecosystem there are many devices involved in business networks. Models mentioned in the documentation include T1600G-18TS, T1500G-10PS, TL-SG2216, T2600G-52TS, T2600G-28TS, TL-SG2210P, T2500-28TC, T2700G-28TQ, T2500G-2S5G1, T2600G-28MPS, T1500G-10MPS, SG2210P, S4500-8G, T1500-28TC, T1700X-16TS, T1600G-28TS, TL-SL3452, TL-SG3216,-T370GQ0,TL T1700G-28TQ, T1500-28PCT, T2600G-18TS, T1600G-28PS, T2500G-10MPS, Festa FS310GP, T1600G-52MPS, T1600G-52PS, TL-SL2420, T3700G-28TQ, T1500G-8T, T1700X-28TQ and others. Keep in mind that availability varies by region, and some may not be sold in your area.
To stay up to date, visit your product's support page, select the correct hardware version, and check the firmware notes and technical guides for the latest changes. Updates sometimes extend or refine the firewall, ACL, or remote management features.
Closing SSH to all but specific IPs, configuring the ACLs properly and understanding which mechanism controls each element will spare you unpleasant surprises. With a deny policy, whitelists, and regular verification, your TP-Link router and the services behind it will be far better protected without giving up management when you need it.
Passionate about technology since I was a child. I love keeping up to date with the sector and, above all, communicating it. That is why I have devoted myself for many years to technology communication and video game websites. You can find me writing about Android, Windows, MacOS, iOS, Nintendo or any related topic that comes to mind.

