Finally learned port knocking, and server security is greatly improved
Written in md; it got garbled when uploaded to the forum. Never mind, take a look if you are interested.
1. Firewall preparation
Allow the ports that do not need protecting and deny all other ports first.
Method 1: I installed the graphical firewall tool gufw, but my other virtual machines always had problems with it.
gufw is installed as follows:
apt-get install gufw
Note:
Also, if you are already connected to the server and do not disconnect, nothing you do on the server will drop the connection.
Method 2: use the ufw commands directly, as follows:
ufw allow 22/tcp
ufw allow 10000:10010/tcp
In theory closing only the ports being hardened should be enough, but I tried it and it did not work.
2. Install and configure knockd
On a Debian-based system, knockd can be installed with the following command:
apt-get install knockd
Edit the knockd configuration file:
nano /etc/knockd.conf
[options]
logfile = /var/log/knockd.log
…
[open8080]
sequence = 30212
seq_timeout = 10
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 8080 -j ACCEPT; sleep 60; /sbin/iptables -D INPUT -s %IP% -p tcp --dport 8080 -j ACCEPT
tcpflags = syn
鈥
[open63000]
sequence = 30212
seq_timeout = 10
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 63000:63999 -j ACCEPT; sleep 60; /sbin/iptables -D INPUT -s %IP% -p tcp --dport 63000:63999 -j ACCEPT
tcpflags = syn
…
Modify the configuration file and restart the service
systemctl daemon-reload && systemctl restart knockd
After knocking, always check the log to confirm that the knock was recorded.
nano /var/log/knockd.log
For example, mine:
root@VM-4-4-debian:~# cat /var/log/knockd.log
[2024-07-20 14:14] 49.89.xx.xx: open8080: Stage 1
[2024-07-20 14:14] 49.89.xx.xx: open8080: OPEN SESAME
[2024-07-20 14:14] 49.89.xx.xx: open63000: Stage 1
[2024-07-20 14:14] 49.89.xx.xx: open63000: OPEN SESAME
[2024-07-20 14:14] open8080: running command: /sbin/iptables -A INPUT -s 49
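As an added check that is not part of the original post: a small Python linter for knockd.conf. It parses the INI-style file and flags the weak spots in the configuration above: a single-port sequence (one port is only an unlisted port number, not a knock), two sections sharing the same sequence (the log shows both opening on one knock), and a command that never deletes the ACCEPT rule again. The embedded sample is the post's own config with the ellipses removed; the rule names and messages are my own.

```python
import configparser
from typing import Dict, List

# Constructed sample: the two knock sections from the post, ellipses removed.
SAMPLE_CONF = """
[options]
logfile = /var/log/knockd.log

[open8080]
sequence = 30212
seq_timeout = 10
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 8080 -j ACCEPT; sleep 60; /sbin/iptables -D INPUT -s %IP% -p tcp --dport 8080 -j ACCEPT
tcpflags = syn

[open63000]
sequence = 30212
seq_timeout = 10
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 63000:63999 -j ACCEPT; sleep 60; /sbin/iptables -D INPUT -s %IP% -p tcp --dport 63000:63999 -j ACCEPT
tcpflags = syn
"""

def parse_knockd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse knockd.conf (INI syntax) into {section: {key: value}}."""
    # interpolation=None so the literal '%IP%' placeholder survives untouched
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def lint_knockd_conf(text: str) -> List[str]:
    """Return findings about weak or incomplete knock definitions."""
    conf = parse_knockd_conf(text)
    findings: List[str] = []
    seen: Dict[str, str] = {}  # sequence string -> first section using it
    for name, sec in conf.items():
        if name == "options":
            continue
        seq = sec.get("sequence", "").replace(",", " ").split()
        if not seq or "command" not in sec:
            findings.append(f"{name}: missing 'sequence' or 'command'")
            continue
        if len(seq) < 2:
            findings.append(f"{name}: single-port sequence {seq[0]} is just a secret port, not a knock")
        if sec["sequence"] in seen:
            findings.append(f"{name}: same sequence as [{seen[sec['sequence']]}], one knock opens both")
        seen.setdefault(sec["sequence"], name)
        if "-D " not in sec["command"] and "stop_command" not in sec:
            findings.append(f"{name}: command never removes the ACCEPT rule, port stays open")
        if "seq_timeout" not in sec:
            findings.append(f"{name}: no seq_timeout, a half-finished knock never expires")
    return findings
```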
3. How to use
Also attached is a bat script I wrote; just save it as a .bat file.
curl --max-time 1 http://aaa.com:30212
start mstsc