How to restrict SSH access to a TP-Link router to trusted IPs

Last updated: 04/11/2025

  • Prioritize a default-deny policy and use whitelists for SSH.
  • Combine NAT + ACL: open the port and restrict it by source IP.
  • Verify with nmap/ping and respect rule priority (ID).
  • Harden with updates, SSH keys, and minimal services.

How can you restrict SSH access to a TP-Link router to trusted IPs? Controlling who can reach your network over SSH is not a whim; it is an essential layer of security. Allowing access only from trusted IP addresses reduces the attack surface, slows down automated scanning, and blocks the constant intrusion attempts coming from the Internet.

In this practical and comprehensive guide you will see how to do it in different scenarios with TP-Link devices (SMB and Omada), what to consider about ACL rules and whitelists, and how to verify that everything is properly closed. We also cover complementary methods such as TCP Wrappers, iptables, and best practices so that you can keep your environment secure without leaving loose ends.

Why restrict SSH access on TP-Link routers

Exposing SSH to the Internet opens the door to mass sweeps by bots that probe with malicious intent. It is common to find port 22 reachable on the WAN after a scan, as has been observed with critical flaws in TP-Link routers. A simple nmap command can be used to check whether your public IP address has port 22 open: from an external machine, run something like nmap -vvv -p 22 TU_IP_PUBLICA and check whether "open ssh" appears.

Even if you use public keys, leaving port 22 open invites continuous probing, attempts against other ports, and attacks on management services. The solution is clear: deny by default and enable access only from authorized IPs or ranges, preferably fixed and controlled by you. If you do not need remote management, disable it completely on the WAN.

Beyond exposed ports, there are situations where you might suspect rule changes or anomalous behaviour (for example, a cable modem that starts to "drop" outbound traffic after a while). If you notice that ping, traceroute, or browsing gets stuck at the modem, check the settings and the firmware, and consider restoring factory settings and closing everything you do not use.

Mental model: block by default and build a whitelist

The winning philosophy is simple: a default-deny policy with explicit exceptions. On many TP-Link routers with an advanced interface, you can set a "Drop"-type remote ingress policy in the firewall and then allow specific addresses on a whitelist for management services.

On systems that include the "Remote Input Policy" and "Whitelist rules" options (on the Network - Firewall pages), set the remote input policy to Drop and add to the whitelist the public IPs, in CIDR format XXXX/XX, that should be able to reach the configuration or services such as SSH/Telnet/HTTP(S). These entries can include a short description to avoid confusion later.

It is important to understand the difference between the mechanisms. Port forwarding (NAT/DNAT) redirects ports to LAN machines, "filtering rules" control WAN-to-LAN or inter-network traffic, and the firewall's "Whitelist rules" govern access to the router's management system. Filtering rules do not block access to the device itself; for that, you use whitelists or specific rules for traffic entering the router.

To reach internal services, the port mapping is created in NAT, and then who can reach that mapping from outside is restricted. The recipe is: open the necessary port and then restrict it with access control that lets only authorized sources through and blocks everything else.

SSH from trusted IPs on TP-Link SMB (ER6120/ER8411 and similar)

On SMB routers such as the TL-ER6120 or ER8411, the usual way to publish a LAN service (for example, SSH on an internal server) and restrict it by source IP takes two phases. First, the port is opened with a Virtual Server (NAT), and then it is filtered with Access Control based on IP groups and service types.

Step 1 - Virtual Server: go to Advanced → NAT → Virtual Server and create an entry for the corresponding WAN interface. Set external port 22 and point it to the server's internal IP address (for example, 192.168.0.2:22). Save the rule to add it to the list. If your case uses a different port (for example, you moved SSH to 2222), adjust the values accordingly.

Step 2 - Service Type: go to Preferences → Service Type, create a new service called, for example, SSH, select TCP or TCP/UDP, and define port 22 (the source port range can be 0–65535). This layer lets you reference the port cleanly in the ACL.

Step 3 - IP Group: go to Preferences → IP Group → IP Address and add entries for the allowed source (for example, your public IP or a range, named "Access_Client") and for the destination (for example, "SSH_Server" with the server's internal IP). Then associate each address with its corresponding IP Group in the same menu.

Step 4 - Access Control: in Firewall → Access Control create two rules. 1) Allow rule: policy Allow, the newly defined "SSH" service, source = IP group "Access_Client" and destination = "SSH_Server". Give it ID 1. 2) Block rule: policy Block with source = IPGROUP_ANY and destination = "SSH_Server" (or as appropriate), with ID 2. This way, only the trusted IP or range will get through the NAT to your SSH; everything else will be blocked.

Evaluation order matters. Lower IDs take priority, so the Allow rule must come before (have a lower ID than) the Block rule. After applying the changes, you will be able to connect to the router's WAN IP address on the defined port from the allowed IP address, but connections from other sources will be blocked.

Model/firmware notes: the interface may vary between hardware and versions. The TL-R600VPN requires hardware v4 to cover certain functions, and on different systems the menus may be located elsewhere. Even so, the flow is the same: service type → IP groups → ACL with Allow and Block. Do not forget to save and apply so that the rules take effect.

Recommended verification: from the allowed IP address, try ssh usuario@IP_WAN and confirm access. From another IP address, the port must not be reachable (a connection that times out or is refused, ideally without a banner so as not to give away information).

ACL with Omada Controller: lists, states, and example scenarios

If you manage TP-Link gateways with Omada Controller, the logic is similar but with more visual options. Create groups (IP or ports), define gateway ACLs, and order the rules to allow the bare minimum and deny everything else.

Lists and groups: in Settings → Profiles → Groups you can create IP groups (subnets or hosts, such as 192.168.0.32/27 or 192.168.30.100/32) and port groups (for example, HTTP 80 and DNS 53). These groups simplify complex rules by reusing objects.

Gateway ACL: in Settings → Network Security → ACL add rules with direction LAN→WAN, LAN→LAN or WAN→LAN depending on what you want to protect. The policy of each rule can be Allow or Deny, and the order determines the actual result. Check "Enable" to activate them. Some versions let you leave rules prepared but disabled.

Useful cases (adaptable to SSH): allow only specific services and block the rest (for example, Allow DNS and HTTP and then Deny All). For management whitelists, create an Allow from the trusted IPs to the "Gateway Management Page" and then a general Deny from the other networks. If your firmware has the Bidirectional option, you can have the reverse rule generated automatically.

Connection states: ACLs can be stateful. The common types are New, Established, Related, and Invalid. "New" handles the first packet (for example, the SYN in TCP), "Established" handles bidirectional traffic, "Related" handles dependent connections (such as FTP data channels), and "Invalid" handles anomalous traffic. It is generally best to keep the default settings unless you need extra granularity.

VLANs and segmentation: Omada and SMB routers support unidirectional and bidirectional scenarios between VLANs. You can block Marketing→R&D but allow R&D→Marketing, or block both directions while still granting access to a specific administrator. The LAN→LAN direction in the ACL is used to control traffic between internal subnets.

Complementary methods and recommendations: TCP Wrappers, iptables, MikroTik and the classic firewall

In addition to router ACLs, there are other layers worth applying, especially if the SSH target is a Linux server behind the router. TCP Wrappers allows filtering by IP with hosts.allow and hosts.deny for compatible services (including OpenSSH in many traditional setups).

Control files: if they do not exist, create them with sudo touch /etc/hosts.{allow,deny}. Best practice: deny everything in hosts.deny and explicitly allow in hosts.allow. For example: in /etc/hosts.deny put sshd: ALL and in /etc/hosts.allow add sshd: 203.0.113.10, 198.51.100.0/24. That way, only those IPs will be able to reach the server's SSH daemon.

Custom iptables: if your router or server allows it, add rules that accept SSH only from specific sources. A typical rule would be: -I INPUT -s 203.0.113.10 -p tcp --dport 22 -j ACCEPT followed by a default DROP policy or a rule that blocks everything else. On routers with a Custom Rules tab you can insert these lines and apply them with "Save & Apply".
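
An added example, not part of the original guide: a Python helper that validates one list of trusted sources and renders both the hosts.allow/hosts.deny lines and the iptables rules described above. The function names and the min_prefix limit are assumptions made for illustration.

```python
import ipaddress

def normalize_allowlist(entries, min_prefix=8):
    """Parse trusted sources, rejecting malformed or overly broad entries.
    min_prefix is an assumed sanity limit, not a TP-Link or iptables setting."""
    nets = []
    for entry in entries:
        # Strict parsing: "198.51.100.5/24" (host bits set) raises ValueError.
        net = ipaddress.ip_network(entry.strip())
        if net.version != 4:
            raise ValueError(f"{entry}: only IPv4 is rendered here")
        if net.prefixlen < min_prefix:
            raise ValueError(f"{entry}: /{net.prefixlen} is too broad for a whitelist")
        nets.append(net)
    return list(dict.fromkeys(nets))  # drop duplicates, keep the given order

def fmt(net):
    """Single hosts as a bare address, ranges in CIDR form."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)

def render_tcp_wrappers(nets, daemon="sshd"):
    """Deny everything in hosts.deny, list the exceptions in hosts.allow."""
    return {
        "/etc/hosts.deny": f"{daemon}: ALL",
        "/etc/hosts.allow": f"{daemon}: " + ", ".join(fmt(n) for n in nets),
    }

def render_iptables(nets, port=22):
    """-I puts each ACCEPT at the top of INPUT; the appended DROP catches the rest."""
    rules = [f"-I INPUT -s {fmt(n)} -p tcp --dport {port} -j ACCEPT" for n in nets]
    rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    return rules

if __name__ == "__main__":
    # Constructed sample: the documentation addresses used in the text above.
    trusted = normalize_allowlist(["203.0.113.10", "198.51.100.0/24"])
    for path, line in render_tcp_wrappers(trusted).items():
        print(f"{path}: {line}")
    print("\n".join(render_iptables(trusted)))
```

The appended DROP only has an effect if no earlier INPUT rule already accepts the port; after applying, list the chain with iptables -L INPUT -n --line-numbers to confirm the order.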

Best practices on MikroTik (applicable as a general guide): change the default ports if possible, disable Telnet (use SSH only), and use strong passwords or, better, key-based authentication. Restrict access by IP address using the firewall, enable 2FA if the device supports it, and keep the firmware/RouterOS up to date. Disable WAN access if you do not need it. Monitor failed attempts and, where necessary, apply connection rate limits to stop brute-force attacks.

TP-Link classic interface (older firmware): log in to the panel using the LAN IP address (default 192.168.1.1) and the admin/admin credentials, then go to Security → Firewall. Enable the IP filter and choose to have unspecified packets follow the desired policy. Then, in IP Address Filtering, click "Add new" and define which IPs can or cannot use the service port on the WAN (for SSH, 22/tcp). Save each step. This lets you apply a general deny and create exceptions to allow only trusted IPs.

Block specific IPs with static routes

In some cases it is useful to block outbound traffic to certain IPs to improve stability with certain services (such as streaming). One way to do this on many TP-Link devices is through static routing, creating /32 routes that prevent reaching those destinations or that route them in such a way that they are not consumed by the default route (support varies by firmware).

Recent versions: go to the Advanced tab → Network → Advanced Routing → Static Routing and click "+ Add". Enter "Network Destination" with the IP address to block, "Subnet Mask" 255.255.255.255, "Default Gateway" the LAN gateway (usually 192.168.0.1) and "Interface" LAN. Select "Allow this entry" and save. Repeat for each IP address, depending on the service you want to control.

Older firmware: go to Advanced Routing → Static Routing List, click "Add new" and fill in the same fields. Enable the route status and save. Contact your service's support to find out which IPs you should handle, since they can change.

Verification: open a terminal or command prompt and test with ping 8.8.8.8 (or the destination IP you blocked). If you see "Timeout" or "Destination host unreachable", the block is working. If not, review the steps and restart the router so that all tables take effect.

Verification, testing, and incident resolution

To verify that your SSH whitelist works, try from an allowed IP address: ssh usuario@IP_WAN -p 22 (or the port you use) and confirm access. From a disallowed IP address, the port should not offer the service. Use nmap -p 22 IP_WAN to check the live state.

If something does not respond as it should, look at ACL priority first. Rules are processed in order, and those with the lowest ID win. A Deny above your Allow renders the whitelist ineffective. Also check that the "Service Type" points to the correct port and that your "IP Groups" contain the appropriate ranges.
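
The ID-ordering point from the Access Control steps and from the troubleshooting note above, as an added example (not TP-Link code and not part of the original guide): a Python model of first-match evaluation using the rule and group names from Step 4. The addresses are constructed documentation values, and the Allow default for unmatched traffic is an assumption of the model.

```python
import ipaddress
from collections import namedtuple

# Constructed sample data: documentation addresses plus the group names from Step 4.
IP_GROUPS = {
    "Access_Client": ["203.0.113.10/32"],  # trusted source (assumed address)
    "SSH_Server": ["192.168.0.2/32"],      # internal server behind the Virtual Server
    "IPGROUP_ANY": ["0.0.0.0/0"],
}

# policy is "Allow" or "Block"; port stands in for the Service Type; source/dest are IP Group names.
Rule = namedtuple("Rule", "rule_id policy port source dest")

def _nets(group):
    return [ipaddress.ip_network(n) for n in IP_GROUPS[group]]

def in_group(ip, group):
    return any(ipaddress.ip_address(ip) in net for net in _nets(group))

def evaluate(rules, src_ip, dst_ip, port, default="Allow"):
    """First match wins, lowest ID first; `default` for unmatched traffic is assumed."""
    for r in sorted(rules, key=lambda r: r.rule_id):
        if r.port == port and in_group(src_ip, r.source) and in_group(dst_ip, r.dest):
            return r.policy, r.rule_id
    return default, None

def covers(outer, inner):
    """True if every network of group `inner` lies inside a network of group `outer`."""
    return all(any(i.subnet_of(o) for o in _nets(outer)) for i in _nets(inner))

def shadowed_allows(rules):
    """(allow_id, block_id) pairs where a lower-ID Block makes an Allow unreachable."""
    ordered = sorted(rules, key=lambda r: r.rule_id)
    return [(a.rule_id, b.rule_id)
            for i, a in enumerate(ordered) if a.policy == "Allow"
            for b in ordered[:i]
            if b.policy == "Block" and b.port == a.port
            and covers(b.source, a.source) and covers(b.dest, a.dest)]

GOOD = [Rule(1, "Allow", 22, "Access_Client", "SSH_Server"),
        Rule(2, "Block", 22, "IPGROUP_ANY", "SSH_Server")]
SWAPPED = [Rule(1, "Block", 22, "IPGROUP_ANY", "SSH_Server"),
           Rule(2, "Allow", 22, "Access_Client", "SSH_Server")]

if __name__ == "__main__":
    for name, rules in (("good", GOOD), ("swapped", SWAPPED)):
        print(name, evaluate(rules, "203.0.113.10", "192.168.0.2", 22), shadowed_allows(rules))
```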

If there is suspicious behaviour (loss of connectivity after a while, rules that change by themselves, LAN traffic that drops), consider updating the firmware. Disable services you do not use (remote web management/Telnet/SSH), change the credentials, review MAC cloning if applicable, and, as a last resort, restore factory settings and reconfigure with minimal settings and a strict whitelist.

Compatibility, models, and availability notes

The availability of features (stateful ACLs, profiles, whitelists, PVID editing on ports, and so on) may depend on the hardware model and version. On some devices, such as the TL-R600VPN, certain capabilities are only available from version 4 onwards. User interfaces also change, but the basic process is the same: block by default, define services and groups, allow from specific IPs and block everything else.

Within the TP-Link ecosystem, there are many devices involved in business networks. Models mentioned in the documentation include T1600G-18TS, T1500G-10PS, TL-SG2216, T2600G-52TS, T2600G-28TS, TL-SG2210P, T2500-28TC, T2700G-28TQ, T2500G-5412TS, 10TS,2008 T2600G-28MPS, T1500G-10MPS, SG2210P, S4500-8G, T1500-28TC, T1700X-16TS, T1600G-28TS, TL-SL3452, TL-SG3216, T52T2428G, T1600G T1700G-28TQ, T1500-28PCT, T2600G-18TS, T1600G-28PS, T2500G-10MPS, Festa FS310GP, T1600G-52MPS, T1600G-52PS, TL-SL52TS3700 T3700G-28TQ, T1500G-8T, T1700X-28TQ, among others. Remember that the offering varies by region, and some models may not be available in your area.

To stay up to date, visit your product's support page, select the correct hardware version, and review the firmware notes and technical specifications with the latest improvements. Updates sometimes extend or refine firewall, ACL, or remote management features.

Closing SSH to all IPs except the specific ones, organizing ACLs correctly, and understanding which mechanism controls each thing saves you from unpleasant surprises. With a default-deny policy, precise whitelists, and regular verification, your TP-Link router and the services behind it will be better protected without giving up management when you need it.
