前面同大家一齊做起佐firewall及reverse proxy既OS setup及基本software installation, 咁我地就開始著手做application configuration啦, 須要做application configuration既分別有ufw, fail2ban及nginx
ufw
先講一下簡稱UFW既uncomplicated Firewall, ufw 本身都係一個open source 既software, 可以加rulesets 做ACL. 如果你個appliance外向internet的話, 真係唔會唔安裝ufw的, 如果唔係就等比人hack硬.jpg, 因為ufw除佐可以幫手filter unsolicited traffic仲可以用ACL控制network traffic.
既然前面已經交代如何安裝, 咁我係呢道講講點initiate同config個ufw. 首先我地請講一下點知個ufw既狀況, 想知ufw 既service level 情況可以用 service ufw status 呢個command
root@NanoPi-NEO2-Black:/boot# service ufw status ● ufw.service - Uncomplicated firewall Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled) Active: active (exited) since Thu 2016-02-11 16:28:01 UTC; 4 years 9 months ago Main PID: 288 (code=exited, status=0/SUCCESS) CGroup: /system.slice/ufw.service Feb 11 16:28:01 NanoPi-NEO2-Black systemd[1]: Started Uncomplicated firewall. Nov 27 08:54:42 NanoPi-NEO2-Black systemd[1]: Started Uncomplicated firewall. root@NanoPi-NEO2-Black:/boot# ufw status Status: inactive
至於要踢著隻ufw就要用ufw enable呢個command
root@NanoPi-NEO2-Black:/boot# ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)? y Firewall is active and enabled on system startup
當ufw已經進入運作前後, 大家首先要allow ssh access, 因為我試過唔記得allow ssh之後就要重新再做過晒base OS setup及所有follow up 既application configuration. 容許ssh access既command係 ufw allow ssh 另外我都智主動allow http(port 80) 及 https(port 443)
ufw allow ssh ufw allow http ufw allow https
fail2ban
雖然ufw已經係可以做到port level既blocking, 但只限於開放或based on ACL去做traffic control, 如果有人有心做brute-force attack, 唔好理你個password有幾complicated都總智有機會比人hack到.
順便一提password可以用廣東話字源instead, 因為dictonary attack唔到, 返黎fail2ban先, fail2ban係一個log monitor及network blockage tool, 大致上既運作係佢會mon住好幾個/var/log/*.log, 例如 syslog, auth.log, mail.log等. 我地須要動手做既事就係set filter rule同set blockage時間, 當然仲有exclude IP啦.
想知個fail2ban有無運作? 大家可以做兩件事, 第一個方法係打 fail2ban-client status呢個command
root@NanoPi-NEO2-Black:~# fail2ban-client status Status |- Number of jail: 6 `- Jail list: insecured-SSL, postfix-auth, postfix-sasl, postfix-unknown, sendmail-auth, sshd
而另一個方法就係直接睇log啦, 您可以打 tail /var/log/fail2ban.log 呢個command.
root@NanoPi-NEO2-Black:/var/log# tail fail2ban.log 2020-11-30 09:06:12,561 fail2ban.actions [1099]: NOTICE [sshd] Ban 220.76.192.95 2020-11-30 09:51:53,857 fail2ban.actions [1099]: NOTICE [sshd] Ban 128.199.177.52 2020-11-30 10:03:24,197 fail2ban.actions [1099]: NOTICE [sshd] Ban 161.35.132.178 2020-11-30 10:18:17,219 fail2ban.actions [1191]: NOTICE [postfix-auth] Ban 13.111.2.177 2020-11-30 10:30:48,679 fail2ban.actions [1099]: NOTICE [sshd] Ban 168.61.40.250 2020-11-30 10:56:35,245 fail2ban.actions [1099]: NOTICE [sshd] Ban 170.210.221.48 2020-11-30 11:00:08,928 fail2ban.actions [1099]: NOTICE [sshd] Ban 118.89.153.32 2020-11-30 11:06:30,815 fail2ban.actions [1099]: NOTICE [sshd] Ban 95.181.172.124 2020-11-30 11:07:27,267 fail2ban.actions [1099]: NOTICE [sshd] Ban 203.141.155.139 2020-11-30 11:07:59,484 fail2ban.actions [1099]: NOTICE [sshd] Ban 117.57.94.223 2020-11-30 11:12:28,228 fail2ban.actions [1099]: NOTICE [sshd] Ban 210.14.77.48
係上面您見我有6條rules in action, 分別係 insecured-SSL, postfix-auth, postfix-sasl, postfix-unknown, sendmail-auth 及 sshd, 為佐方便大家唔好煩, 你地可以直接用我呢set profile. 而你需要做既事就係爆開佢再copy返去/etc/fail2ban同再restart/reload隻fail2ban
tar xfvz fail2ban_template.tgz cp -R fail2ban /etc/ fail2ban-client restart
我個setting 係10分鐘內一連3次fail就會ban足6年, 如果你想修改就自己動手edit 呢個configuration file: /etc/fail2ban/jail.conf
bantime = 31536000 findtime = 600 maxretry = 3
reverse proxy/nginx
Reverse proxy主要係唔想張後排intranet既instance disclose出internet而又可以做到port mapping效果,對我黎講係多一個layer去protect intranet既instance.
假設你有一隻NAS (ip: 192.168.8.200)用port 80做UI, 而NAS入面有個VM instance (192.168.8.201)用port 80做UI. 如果想分別redirect/reverse proxy去呢兩台機, 你可以係nginx用吒個config, 第一組係用port 80張inbound traffic轉入192.168.8.200, 而第二組係用port 8080張inbound traffic轉入192.168.8.201既port 80.
/etc/nginx/sites-enabled/default server { listen 80; server_name xxx.unixwise.xyz; # auth_basic "Restricted Access"; # auth_basic_user_file /etc/nginx/htpasswd.users; location / { proxy_pass http://192.168.8.200:80; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } } server { listen 8080; location / { proxy_pass http://192.168.8.201:80; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } }
上面呢個config雖然會redirect port 8080去192.168.8.201既port 80, 但因為ufw未容許port 8080既access, 所以您需要issue ufw既command比ufw accept port 8080既traffic
ufw allow 8080