# Computer System Administration SA HW5 2021
###### tags: `NYCU SA`
## references
> [reference](https://people.freebsd.org/~rodrigc/doc/data/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html)
> [reference 2](https://www.cyberciti.biz/faq/how-to-set-up-a-firewall-with-pf-on-freebsd-to-protect-a-web-server/)
> [reference 3 (logging)](https://www.openbsd.org/faq/pf/logging.html)
> [probably a previous year's write-up](https://yilianwu.io/posts/sa-nis-nfs-firewall-freebsd/)
> [blacklistd reference](https://cryptomonkeys.com/2018/05/freebsd-blacklistd/)
## Assignment
> [link](https://nasa.cs.nctu.edu.tw/sa/2021/slides/HW5.pdf)
## autostart wireguard
1. Run `sudo crontab -e`
2. Add this line: `@reboot wg-quick up wg0`
## NFS
### NFS server
1. exports table: `sudo vim /etc/exports`
```conf=
V4: /
/vol/stu130 -maproot=nobody -network 10.113.0.130 -mask 255.255.255.255
/vol/public1 /vol/public2 -ro -maproot=nobody -network 10.113.0.0 -mask 255.255.255.0
```
2. Force NFS version 4 or newer
`sudo vim /etc/sysctl.conf`
Add this line: `vfs.nfsd.server_min_nfsvers=4`
3. Edit /etc/rc.conf and insert
```conf=
nfs_server_enable="YES"
nfs_server_flags="-u -t -n 10"
rpcbind_enable="YES"
nfsv4_server_enable="YES" # nfs version=4
nfsuserd_enable="YES" # nfs version=4
nfs_reserved_port_only="YES" # reserve port
mountd_enable="YES"
mountd_flags="-r -p 87" # bind port=87
```
4. Create the directories (the export directories must exist before they can be chmod'ed)
```bash=
sudo mkdir -p /vol/public1 /vol/public2 /vol/stu130
sudo chmod g+w,o+w /vol/public1 /vol/public2 /vol/stu130
```
### NFS client
1. Edit /etc/rc.conf and insert
```conf=
nfs_client_enable="YES"
nfsuserd_enable="YES" # nfs version=4 (user/group name mapping)
autofs_enable="YES" # automounter, used by auto_master/auto.map below
nfscbd_enable="YES" # nfs version=4 (client callback daemon)
```
2. Edit /etc/auto_master (comment out the /net line and add the last line)
/net is commented out because the shares will be mounted under its subdirectories
```conf=
# $FreeBSD$
#
# Automounter master map, see auto_master(5) for details.
#
#/net -hosts -nobrowse,nosuid,intr
# When using the -media special map, make sure to edit devd.conf(5)
# to move the call to "automount -c" out of the comments section.
#/media -media -nosuid,noatime,autoro
#/- -noauto
/- /etc/auto.map -intr,nosuid,rw,nfsv4
```
3. Edit /etc/auto.map: `sudo vim /etc/auto.map`
```conf=
/net/data/stu130 -rw 10.113.254.130:/vol/stu130
/net/data/public1 -ro 10.113.254.130:/vol/public1
/net/data/public2 -ro 10.113.254.130:/vol/public2
```
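The exports table on the server side and the auto.map on the client side only work together if the client's address falls inside the `-network`/`-mask` of a line that lists the directory it asks for. The following is an added example (not nfsd/mountd code) that evaluates exports(5) lines against a client address and reports what that client would get, so an exports table can be checked before a client ever mounts it. The exports text is the one from this note; the client addresses are constructed.

```python
"""Added example (not nfsd/mountd code): evaluate exports(5) lines against a
client address to see which directory a client gets and with which options.

Each exports line names one or more directories, then options such as -ro and
-maproot=, then an optional host spec (-network A -mask M).  A directory is
served to a client only if some line lists that directory and the client's
address falls inside that line's -network/-mask; a line with no host spec
exports to every host.  "V4:" lines only set the NFSv4 root and are skipped.
"""
import ipaddress
import shlex

# The exports table from this note.
EXPORTS = """
V4: /
/vol/stu130 -maproot=nobody -network 10.113.0.130 -mask 255.255.255.255
/vol/public1 /vol/public2 -ro -maproot=nobody -network 10.113.0.0 -mask 255.255.255.0
"""


def parse_exports(text):
    """Parse the subset of exports(5) used above into a list of entries."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("V4:"):
            continue
        toks = shlex.split(line)
        entry = {"dirs": [], "ro": False, "maproot": None, "network": None, "mask": None}
        i = 0
        while i < len(toks):
            tok = toks[i]
            if not tok.startswith("-"):
                entry["dirs"].append(tok)          # directories come first
            elif tok == "-ro":
                entry["ro"] = True
            elif tok.startswith("-maproot="):
                entry["maproot"] = tok.split("=", 1)[1]
            elif tok in ("-network", "-mask"):
                i += 1
                entry[tok[1:]] = toks[i]
            else:
                raise ValueError(f"line {lineno}: option {tok!r} not handled by this example")
            i += 1
        if entry["network"] is None:
            entry["net"] = None                   # no host spec: exported to everyone
        else:
            # "-network a.b.c.d/len" is used as-is; otherwise combine with -mask.
            # Simplification: -network without -mask is treated as a single host.
            spec = entry["network"] if "/" in entry["network"] \
                else f"{entry['network']}/{entry['mask'] or '32'}"
            entry["net"] = ipaddress.ip_network(spec, strict=False)
        entries.append(entry)
    return entries


def export_for(entries, client_ip, directory):
    """Options the client gets for directory, or None if it is not exported to it."""
    ip = ipaddress.ip_address(client_ip)
    for e in entries:
        if directory in e["dirs"] and (e["net"] is None or ip in e["net"]):
            return {"ro": e["ro"], "maproot": e["maproot"]}
    return None


def unrestricted_exports(entries):
    """Directories exported with no -network/-mask, i.e. to any host (worth a second look)."""
    return [d for e in entries if e["net"] is None for d in e["dirs"]]


if __name__ == "__main__":
    entries = parse_exports(EXPORTS)
    # Constructed clients: the stu130 host, another host in the /24, one outside it.
    for client in ("10.113.0.130", "10.113.0.131", "10.113.1.5"):
        for d in ("/vol/stu130", "/vol/public1"):
            print(f"{client:14} {d:14} -> {export_for(entries, client, d)}")
    print("exported to everyone:", unrestricted_exports(entries))
```

With the note's table, only 10.113.0.130 gets `/vol/stu130` (read-write, root mapped to nobody), every host in 10.113.0.0/24 gets the two public directories read-only, and nothing is exported without a host restriction.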
## firewall
### enable pf
1. Edit `/etc/rc.conf`
Add the following lines
```conf=
pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup
```
:::info
:bulb: **Hint:** The log holds raw packet headers, so it is not printable text. Read the log file with `sudo tcpdump -n -e -ttt -r /var/log/pflog`; to watch the log live, run `tcpdump -n -e -ttt -i pflog0`.
:::
2. Look at `/usr/share/examples/pf/*`, then edit `/etc/pf.conf`
```conf=
block out log proto {icmp, icmp6} all
pass out proto icmp from any to 10.113.0.254
pass in proto tcp from any to any port {80,443}
```
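The order of these rules matters: pf walks the whole rule set and the last matching rule wins, unless a matching rule says `quick`, which ends evaluation at once. That is why `pass out proto icmp ... to 10.113.0.254` placed after `block out log proto {icmp, icmp6} all` lets pings to the gateway through while every other outbound ICMP is blocked. The following added example (not pf's code) parses the three rules above into a tiny evaluator and runs constructed packets through them; `PF_CONF_QUICK` is a hypothetical variant with `quick` added to show how it changes the result.

```python
"""Toy evaluator for the pf.conf subset used in this note (an added example;
it is not pf's own code).  pf walks the rule set in order and the LAST matching
rule decides the verdict, except that a matching rule marked "quick" stops the
walk immediately.  A rule without "in"/"out" applies in both directions, and a
packet that matches no rule at all is passed (pf's default).
"""
import ipaddress
import re

# The three rules from /etc/pf.conf above.
PF_CONF = """
block out log proto {icmp, icmp6} all
pass out proto icmp from any to 10.113.0.254
pass in proto tcp from any to any port {80,443}
"""

# Constructed variant (hypothetical): the same block rule with "quick" added.
PF_CONF_QUICK = """
block out quick proto {icmp, icmp6} all
pass out proto icmp from any to 10.113.0.254
"""


def _split_set(token):
    """'{80,443}' -> ['80', '443']; a bare token -> [token]."""
    token = token.strip()
    if token.startswith("{") and token.endswith("}"):
        return [t.strip() for t in token[1:-1].split(",") if t.strip()]
    return [token]


def parse_rules(text):
    """Parse block/pass rules using in|out, log, quick, proto, from, to, port, all."""
    rules = []
    keyed = {"proto": "proto", "from": "src", "to": "dst", "port": "port"}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        toks = re.findall(r"\{[^}]*\}|\S+", line)   # keep "{a, b}" as one token
        rule = {"action": toks[0], "dir": None, "log": False, "quick": False,
                "proto": None, "src": ["any"], "dst": ["any"], "port": None,
                "text": line}
        i = 1
        while i < len(toks):
            tok = toks[i]
            if tok in ("in", "out"):
                rule["dir"] = tok
            elif tok in ("log", "quick"):
                rule[tok] = True
            elif tok in keyed:
                i += 1
                rule[keyed[tok]] = _split_set(toks[i])
            elif tok != "all":                      # "all" == from any to any
                raise ValueError(f"unsupported token {tok!r} in: {line}")
            i += 1
        rules.append(rule)
    return rules


def _addr_ok(patterns, addr):
    ip = ipaddress.ip_address(addr)
    for p in patterns:
        if p == "any" or ip in ipaddress.ip_network(p, strict=False):
            return True
    return False


def _matches(rule, pkt):
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    if rule["proto"] and pkt["proto"] not in rule["proto"]:
        return False
    if not _addr_ok(rule["src"], pkt["src"]) or not _addr_ok(rule["dst"], pkt["dst"]):
        return False
    if rule["port"] and str(pkt.get("dport")) not in rule["port"]:
        return False
    return True


def evaluate(rules, pkt):
    """Return (verdict, text of the deciding rule or None) for one packet."""
    verdict, winner = "pass", None                  # default when nothing matches
    for rule in rules:
        if _matches(rule, pkt):
            verdict, winner = rule["action"], rule["text"]
            if rule["quick"]:                       # quick: stop at this rule
                break
    return verdict, winner


if __name__ == "__main__":
    rules = parse_rules(PF_CONF)
    # Constructed packets: a ping to the gateway and a ping to another host.
    ping_gw = {"dir": "out", "proto": "icmp", "src": "10.113.0.130", "dst": "10.113.0.254"}
    ping_other = {"dir": "out", "proto": "icmp", "src": "10.113.0.130", "dst": "10.113.0.1"}
    for pkt in (ping_gw, ping_other):
        print(pkt["dst"], evaluate(rules, pkt))
    print("with quick:", evaluate(parse_rules(PF_CONF_QUICK), ping_gw))
```

Running it also shows a property of this particular rule set: an inbound TCP packet to port 22 matches no rule, so it is passed by default. The `pass in ... port {80,443}` line therefore only adds value once a `block` rule for inbound traffic exists for it to override.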
### Automatically block SSH
1. enable blacklistd
> a. Add the line `anchor "blacklistd/*" in` to `/etc/pf.conf`
> b. Edit `/etc/blacklistd.conf` so that SSH is locked automatically for 1 minute
> ```conf=
> # $FreeBSD$
> #
> # Blacklist rule
> # adr/mask:port type proto owner name nfail disable
> [local]
> ssh stream * * * 3 1m
> ftp stream * * * 3 24h
> smtp stream * * * 3 24h
> submission stream * * * 3 24h
> #6161 stream tcp6 christos * 2 10m
> * * * * * 3 60
>
> # adr/mask:port type proto owner name nfail disable
> [remote]
> #129.168.0.0/16 * * * = * *
> #6161 = = = =/24 = =
> #* stream * * * 3 1m
> ```
2. Edit /etc/rc.conf and insert
```conf=
blacklistd_enable="YES"
blacklistd_flags="-r"
```
3. Make sshd report failed logins to blacklistd:
```bash=
sudo sysrc sshd_flags="-o UseBlacklist=yes"
sudo service sshd restart
```
4. An `iamgoodguy` command to unblock an address
`sudo vim /usr/local/bin/iamgoodguy`
```bash=
#!/bin/sh
# Remove address $1 from the pf table blacklistd maintains for port 22 (anchor blacklistd/22, table port22)
[ $# -eq 1 ] || { echo "usage: $0 <address>" >&2; exit 1; }
pfctl -a blacklistd/22 -t port22 -T delete "$1"
```
```bash=
sudo chmod a+x /usr/local/bin/iamgoodguy
```
5. `sudo reboot` :arrow_right: apply `/etc/rc.conf`
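Each `/etc/blacklistd.conf` line is `location type proto owner name nfail disable`: after `nfail` failures on that port the client address goes into the pf table for the `disable` duration. The following added example (not blacklistd's own code) parses the config from step 1 into structured rules and normalises the `nfail`/`disable` columns to numbers, so it is easy to confirm, before the daemon is restarted, that SSH really is blocked for 60 seconds after 3 failures and that the `*` catch-all covers every other port. The `SERVICES` table stands in for getservbyname(3) so the script runs without `/etc/services`; the precedence rule in `lookup` (an explicit port entry beats the `*` line) is the example's own simplification of blacklistd's matching.

```python
"""Added example (not part of blacklistd): parse /etc/blacklistd.conf into
structured rules and normalise the nfail/disable columns, so a rule set can be
audited before it is loaded.  The sample text is the config from this note.

Columns (blacklistd.conf(5)): location type proto owner name nfail disable.
Sections are [local] and [remote]; "*" is a wildcard and "=" in [remote] reuses
the [local] value.  Durations take an s/m/h/d suffix; a bare number is seconds.
"""
import re

BLACKLISTD_CONF = """\
# adr/mask:port type proto owner name nfail disable
[local]
ssh stream * * * 3 1m
ftp stream * * * 3 24h
smtp stream * * * 3 24h
submission stream * * * 3 24h
#6161 stream tcp6 christos * 2 10m
* * * * * 3 60

# adr/mask:port type proto owner name nfail disable
[remote]
#129.168.0.0/16 * * * = * *
"""

# Stand-in for getservbyname(3) so the example runs without /etc/services.
SERVICES = {"ssh": 22, "ftp": 21, "smtp": 25, "submission": 587}
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """'1m' -> 60, '24h' -> 86400, '60' -> 60; '*' -> None; '=' kept as-is."""
    if text == "*":
        return None                       # wildcard: no numeric value
    if text == "=":
        return "="                        # [remote] shorthand for the [local] value
    m = re.fullmatch(r"(\d+)([smhd]?)", text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_count(text):
    """nfail column: integer, or None for '*', or '=' kept as-is."""
    return None if text == "*" else ("=" if text == "=" else int(text))


def parse_location(loc):
    """Split 'addr/mask:port', 'port' or 'service' into (address_spec, port).
    IPv6 addresses must be bracketed ([::1]:22) for the split to work."""
    if loc == "*" or loc.startswith("="):
        return loc, None
    addr, sep, port = loc.rpartition(":")
    if not sep:                           # no address part: just a port/service
        addr, port = "*", loc
    if port == "*":
        return addr, None
    if port.isdigit():
        return addr, int(port)
    if port in SERVICES:
        return addr, SERVICES[port]
    raise ValueError(f"unknown service: {port!r}")


def parse_blacklistd_conf(text):
    """Return {'local': [rule, ...], 'remote': [rule, ...]}."""
    sections = {"local": [], "remote": []}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line {lineno}: rule before any [section]")
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        loc, typ, proto, owner, name, nfail, disable = fields
        addr, port = parse_location(loc)
        sections[current].append({
            "address": addr, "port": port, "type": typ, "proto": proto,
            "owner": owner, "name": name,
            "nfail": parse_count(nfail), "disable": parse_duration(disable),
        })
    return sections


def lookup(rules, port):
    """Rule applying to a port: an explicit port entry beats the '*' catch-all
    (simplification of blacklistd's most-specific-match ordering)."""
    exact = [r for r in rules if r["port"] == port]
    wild = [r for r in rules if r["port"] is None]
    return (exact or wild or [None])[0]


if __name__ == "__main__":
    conf = parse_blacklistd_conf(BLACKLISTD_CONF)
    for port in (22, 25, 2222):           # ssh, smtp, and a port with no explicit line
        r = lookup(conf["local"], port)
        print(f"port {port}: block after {r['nfail']} failures for {r['disable']} s")
```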
## Editing FreeBSD files with VS Code
### linux
1. Install sshfs
`sudo apt install sshfs`
2. mkdir freebsd
3. mount freebsd
`sshfs -p [SSH_port] [freeBSD_USER]@[freeBSD_IP]:[freeBSD_dir] freebsd`
EX: `sshfs -p 12345 yourname@localhost:/ freebsd`
This mounts FreeBSD's '/' onto the freebsd directory on Linux.
The FreeBSD IP and port were already forwarded through the VirtualBox NAT set up earlier to localhost, port 12345.
4. code freebsd
### windows
1. Open a WSL terminal
2. Install sshfs
`sudo apt install sshfs`
3. mkdir freebsd
4. Get the Windows IP
`awk 'NR==4{print $2}' /etc/resolv.conf`
5. mount freebsd
`sshfs -p [SSH_port] [freeBSD_USER]@[windows_IP]:[freeBSD_dir] freebsd`
EX: `sshfs -p 12345 yourname@172.24.112.1:/ freebsd`
This mounts FreeBSD's '/' onto the freebsd directory in WSL.
The FreeBSD IP and port were already forwarded through the VirtualBox NAT set up earlier to the Windows IP, port 12345.
6. code freebsd