Chomik
Administration
Server administration is the responsibility of ICT Support.
Application
No additional services run on the server. Users connecting over SSH use standard Linux commands (ping, mtr).
Development environment
No additional applications run on the server, so there is no need for a development environment.
Production environment
General information
| VM NAME / COMPUTER NAME | vAPP | GUEST OS | STORAGE POLICY | VMWARE TOOLS | VIRTUAL HARDWARE VERSION |
|---|---|---|---|---|---|
| Chomik | Chomik | Ubuntu 24.04.1 LTS (64 bit) | S1 | 12421 | 19 |
uname -a
Linux Chomik 6.8.0-52-generic #53-Ubuntu SMP PREEMPT_DYNAMIC Sat Jan 11 00:06:25 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Hardware
| CPU | CORES PER SOCKET | RAM | STORAGE SIZE |
|---|---|---|---|
| 4 | 1 | 8 GB | 50 GB |
Network adapter
| NETWORK | NETWORK ADAPTER TYPE | IP MODE | IP ADDRESS | EXTERNAL IP ADDRESS | MAC ADDRESS |
|---|---|---|---|---|---|
| ICT_local | VMXNET3 | Static - Manual | 10.10.10.6 | - | 00:50:56:01:18:69 |
Network
| NETWORK NAME | ICT_local |
|---|---|
| GATEWAY CIDR | 10.10.10.1/26 |
| NETWORK TYPE | Routed |
| CONNECTED TO | edge-Uslugi_DOKB-NG9488369-934956751 |
| STATIC IP POOLS | 10.10.10.2 - 10.10.10.63 |
| TOTAL IP ADDRESSES | 62 |
| PRIMARY DNS | 10.10.0.2 (internal address of ICT-TOOLS running AdGuard) |
| SECONDARY DNS | 1.1.1.1 |
Addresses in use
| IP Address | Deployed | VM | vApp |
|---|---|---|---|
| 10.10.10.1 | ✓ | NSX Edge | |
| 10.10.10.6 | ✓ | Chomik | Chomik |
Edge
NAT
| NAME | STATE | TYPE | EXTERNAL IP | APPLICATION | INTERNAL IP | EXTERNAL PORT |
|---|---|---|---|---|---|---|
| Chomik_DNAT-HTTP | Enabled | DNAT | 217.30.138.16 | HTTP | 10.10.10.6 | 80 |
| Chomik_DNAT-HTTPS | Enabled | DNAT | 217.30.138.16 | HTTPS | 10.10.10.6 | 443 |
| Chomik_DNAT-SSH | Enabled | DNAT | 217.30.138.16 | SSH | 10.10.10.6 | 22 |
| Chomik_SNAT | Enabled | SNAT | 217.30.138.16 | - | 10.10.10.0/26 | Any |
Firewall
| NAME | STATE | APPLICATIONS | SOURCE | DESTINATION | ACTION |
|---|---|---|---|---|---|
| Chomik_vm-rules | Enabled | SSH, HTTPS, HTTP | Corpo_proxy | Chomik_vm, 217.30.138.16_pub | Allow |
| Chomik_vms-out | Enabled | - | Chomik_Network | Any | Allow |
| default_rule | Enabled | - | Any | Any | Drop |
IP Sets
| NAME | DESCRIPTION |
|---|---|
| 217.30.138.16_pub | 217.30.138.16 |
| Chomik_vm | 10.10.10.6 |
| Chomik_Network | 10.10.10.1/26 |
The chomik user
Restrictions
The chomik user runs under the rbash shell, which restricts which commands can be executed. This was done by adding the following two lines at the end of the .profile file in the user's home directory.
PATH=$HOME/programs
export PATH
Allowed commands
In /home/chomik/programs, symbolic links were created to the commands the chomik user is permitted to run:
- clear
- curl
- dig
- host
- httping
- ls
- mtr
- mtr-packet
- nmap
- nslookup
- p
- paping
- ping
- traceroute
- traceroute6
- whois
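An added audit helper (not part of this page's configuration) that compares a home directory with the layout described above: .profile must end with the two PATH lines, and every entry in programs must be a non-dangling symlink whose name is on the allow list. The fixture built by build_sample_home is constructed for the demonstration and links to placeholder files rather than the real tools.

```python
import os
import tempfile

# Documented layout of the chomik account: .profile ends with these two lines and
# ~/programs contains only symlinks to the permitted commands.
PROFILE_TAIL = ["PATH=$HOME/programs", "export PATH"]
ALLOWED = {"clear", "curl", "dig", "host", "httping", "ls", "mtr", "mtr-packet", "nmap",
           "nslookup", "p", "paping", "ping", "traceroute", "traceroute6", "whois"}

def audit_home(home, allowed=ALLOWED):
    """Compare a home directory with the documented rbash layout.
    Returns a sorted list of findings; an empty list means it matches."""
    findings = []
    try:
        with open(os.path.join(home, ".profile"), encoding="utf-8") as fh:
            lines = [ln.strip() for ln in fh if ln.strip()]
    except FileNotFoundError:
        lines = []
    if lines[-2:] != PROFILE_TAIL:
        findings.append(".profile: does not end with the PATH restriction")
    programs = os.path.join(home, "programs")
    for name in (sorted(os.listdir(programs)) if os.path.isdir(programs) else []):
        path = os.path.join(programs, name)
        if not os.path.islink(path):
            findings.append(f"programs/{name}: regular entry, not a symlink")
        elif not os.path.exists(path):
            findings.append(f"programs/{name}: dangling symlink")
        if name not in allowed:
            findings.append(f"programs/{name}: not on the allow list")
    return sorted(findings)

def build_sample_home(with_stray_binary=False):
    """Constructed fixture: a temporary directory laid out like /home/chomik.
    Symlinks point at placeholder files instead of the real /usr/bin tools."""
    home = tempfile.mkdtemp(prefix="chomik-")
    os.mkdir(os.path.join(home, "programs"))
    os.mkdir(os.path.join(home, "placeholder-bin"))
    with open(os.path.join(home, ".profile"), "w", encoding="utf-8") as fh:
        fh.write("# ~/.profile\n" + "\n".join(PROFILE_TAIL) + "\n")
    for name in ("ping", "mtr", "traceroute"):
        target = os.path.join(home, "placeholder-bin", name)
        open(target, "w", encoding="utf-8").close()
        os.symlink(target, os.path.join(home, "programs", name))
    if with_stray_binary:
        # a regular file copied into the directory is what the audit should flag
        open(os.path.join(home, "programs", "vim"), "w", encoding="utf-8").close()
    return home
```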
Host firewall
user.rules
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###
### tuple ### allow any 22 0.0.0.0/0 any 217.30.138.17 in
-A ufw-user-input -p tcp --dport 22 -s 217.30.138.17 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 217.30.138.17 -j ACCEPT
### tuple ### allow any 22 0.0.0.0/0 any 195.114.160.133 in
-A ufw-user-input -p tcp --dport 22 -s 195.114.160.133 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 195.114.160.133 -j ACCEPT
### tuple ### allow any 22 0.0.0.0/0 any 195.114.160.134 in
-A ufw-user-input -p tcp --dport 22 -s 195.114.160.134 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 195.114.160.134 -j ACCEPT
### tuple ### allow any 22 0.0.0.0/0 any 195.114.160.130 in
-A ufw-user-input -p tcp --dport 22 -s 195.114.160.130 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 195.114.160.130 -j ACCEPT
### tuple ### allow any 22 0.0.0.0/0 any 195.114.160.135 in
-A ufw-user-input -p tcp --dport 22 -s 195.114.160.135 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 195.114.160.135 -j ACCEPT
### tuple ### allow any 22 0.0.0.0/0 any 195.114.160.136 in
-A ufw-user-input -p tcp --dport 22 -s 195.114.160.136 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 195.114.160.136 -j ACCEPT
### tuple ### allow any 22 0.0.0.0/0 any 195.114.160.137 in
-A ufw-user-input -p tcp --dport 22 -s 195.114.160.137 -j ACCEPT
-A ufw-user-input -p udp --dport 22 -s 195.114.160.137 -j ACCEPT
### tuple ### allow any 80 0.0.0.0/0 any 87.205.112.20 in
-A ufw-user-input -p tcp --dport 80 -s 87.205.112.20 -j ACCEPT
-A ufw-user-input -p udp --dport 80 -s 87.205.112.20 -j ACCEPT
### tuple ### allow any 80 0.0.0.0/0 any 195.114.160.130 in
-A ufw-user-input -p tcp --dport 80 -s 195.114.160.130 -j ACCEPT
-A ufw-user-input -p udp --dport 80 -s 195.114.160.130 -j ACCEPT
### tuple ### allow any 80 0.0.0.0/0 any 195.114.160.133 in
-A ufw-user-input -p tcp --dport 80 -s 195.114.160.133 -j ACCEPT
-A ufw-user-input -p udp --dport 80 -s 195.114.160.133 -j ACCEPT
### tuple ### allow any 80 0.0.0.0/0 any 195.114.160.134 in
-A ufw-user-input -p tcp --dport 80 -s 195.114.160.134 -j ACCEPT
-A ufw-user-input -p udp --dport 80 -s 195.114.160.134 -j ACCEPT
### tuple ### allow any 80 0.0.0.0/0 any 195.114.160.135 in
-A ufw-user-input -p tcp --dport 80 -s 195.114.160.135 -j ACCEPT
-A ufw-user-input -p udp --dport 80 -s 195.114.160.135 -j ACCEPT
### tuple ### allow any 80 0.0.0.0/0 any 195.114.160.136 in
-A ufw-user-input -p tcp --dport 80 -s 195.114.160.136 -j ACCEPT
-A ufw-user-input -p udp --dport 80 -s 195.114.160.136 -j ACCEPT
### tuple ### allow any 80 0.0.0.0/0 any 195.114.160.137 in
-A ufw-user-input -p tcp --dport 80 -s 195.114.160.137 -j ACCEPT
-A ufw-user-input -p udp --dport 80 -s 195.114.160.137 -j ACCEPT
### tuple ### allow any 443 0.0.0.0/0 any 87.205.112.20 in
-A ufw-user-input -p tcp --dport 443 -s 87.205.112.20 -j ACCEPT
-A ufw-user-input -p udp --dport 443 -s 87.205.112.20 -j ACCEPT
### tuple ### allow any 443 0.0.0.0/0 any 195.114.160.130 in
-A ufw-user-input -p tcp --dport 443 -s 195.114.160.130 -j ACCEPT
-A ufw-user-input -p udp --dport 443 -s 195.114.160.130 -j ACCEPT
### tuple ### allow any 443 0.0.0.0/0 any 195.114.160.133 in
-A ufw-user-input -p tcp --dport 443 -s 195.114.160.133 -j ACCEPT
-A ufw-user-input -p udp --dport 443 -s 195.114.160.133 -j ACCEPT
### tuple ### allow any 443 0.0.0.0/0 any 195.114.160.134 in
-A ufw-user-input -p tcp --dport 443 -s 195.114.160.134 -j ACCEPT
-A ufw-user-input -p udp --dport 443 -s 195.114.160.134 -j ACCEPT
### tuple ### allow any 443 0.0.0.0/0 any 195.114.160.135 in
-A ufw-user-input -p tcp --dport 443 -s 195.114.160.135 -j ACCEPT
-A ufw-user-input -p udp --dport 443 -s 195.114.160.135 -j ACCEPT
### tuple ### allow any 443 0.0.0.0/0 any 195.114.160.136 in
-A ufw-user-input -p tcp --dport 443 -s 195.114.160.136 -j ACCEPT
-A ufw-user-input -p udp --dport 443 -s 195.114.160.136 -j ACCEPT
### tuple ### allow any 443 0.0.0.0/0 any 195.114.160.137 in
-A ufw-user-input -p tcp --dport 443 -s 195.114.160.137 -j ACCEPT
-A ufw-user-input -p udp --dport 443 -s 195.114.160.137 -j ACCEPT
### tuple ### deny any 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j DROP
-A ufw-user-input -p udp --dport 22 -j DROP
### tuple ### deny any 53 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 53 -j DROP
-A ufw-user-input -p udp --dport 53 -j DROP
### tuple ### deny any 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j DROP
-A ufw-user-input -p udp --dport 80 -j DROP
### tuple ### deny any 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 443 -j DROP
-A ufw-user-input -p udp --dport 443 -j DROP
### tuple ### allow any any 0.0.0.0/0 any 10.10.2.2 in
-A ufw-user-input -s 10.10.2.2 -j ACCEPT
### tuple ### allow any any 0.0.0.0/0 any 10.10.0.2 in
-A ufw-user-input -s 10.10.0.2 -j ACCEPT
### END RULES ###
### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###
### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT
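An added example (not part of this page's configuration) that parses ufw-user-input lines from user.rules and reproduces the chain's first-match verdict for a given source, protocol and destination port. RULES_TEXT is a constructed excerpt of the lines shown above, kept in their original order.

```python
import ipaddress
import re

# Constructed excerpt of the user.rules listed above: a few of the -A ufw-user-input
# lines in their original order (chain headers and ### tuple ### comments omitted).
RULES_TEXT = """
-A ufw-user-input -p tcp --dport 22 -s 217.30.138.17 -j ACCEPT
-A ufw-user-input -p tcp --dport 22 -s 195.114.160.130 -j ACCEPT
-A ufw-user-input -p tcp --dport 80 -s 195.114.160.130 -j ACCEPT
-A ufw-user-input -p tcp --dport 22 -j DROP
-A ufw-user-input -p tcp --dport 80 -j DROP
-A ufw-user-input -s 10.10.2.2 -j ACCEPT
"""

RULE_RE = re.compile(r"^-A ufw-user-input(?: -p (?P<proto>\w+))?(?: --dport (?P<dport>\d+))?"
                     r"(?: -s (?P<src>[\d./]+))? -j (?P<target>ACCEPT|DROP|REJECT)$")

def parse_rules(text):
    """Turn ufw-user-input lines into match dicts, preserving file order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        rules.append({
            "proto": g["proto"],
            "dport": int(g["dport"]) if g["dport"] else None,
            "src": ipaddress.ip_network(g["src"], strict=False) if g["src"] else None,
            "target": g["target"],
        })
    return rules

def verdict(rules, src, proto, dport):
    """First matching rule wins, as in the kernel chain. None means no user rule
    matched and the packet falls through to ufw's default incoming policy."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r["proto"] and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["src"] is not None and addr not in r["src"]:
            continue
        return r["target"]
    return None
```

Because the chain is evaluated top down, the blanket port-22 deny sits before the allow-all rule for 10.10.2.2, so that host is still dropped on port 22 (and likewise on 53, 80 and 443 in the full file) while reaching any other port.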
user6.rules
*filter
:ufw6-user-input - [0:0]
:ufw6-user-output - [0:0]
:ufw6-user-forward - [0:0]
:ufw6-before-logging-input - [0:0]
:ufw6-before-logging-output - [0:0]
:ufw6-before-logging-forward - [0:0]
:ufw6-user-logging-input - [0:0]
:ufw6-user-logging-output - [0:0]
:ufw6-user-logging-forward - [0:0]
:ufw6-after-logging-input - [0:0]
:ufw6-after-logging-output - [0:0]
:ufw6-after-logging-forward - [0:0]
:ufw6-logging-deny - [0:0]
:ufw6-logging-allow - [0:0]
:ufw6-user-limit - [0:0]
:ufw6-user-limit-accept - [0:0]
### RULES ###
### tuple ### deny any 22 ::/0 any ::/0 in
-A ufw6-user-input -p tcp --dport 22 -j DROP
-A ufw6-user-input -p udp --dport 22 -j DROP
### tuple ### deny any 53 ::/0 any ::/0 in
-A ufw6-user-input -p tcp --dport 53 -j DROP
-A ufw6-user-input -p udp --dport 53 -j DROP
### tuple ### deny any 80 ::/0 any ::/0 in
-A ufw6-user-input -p tcp --dport 80 -j DROP
-A ufw6-user-input -p udp --dport 80 -j DROP
### tuple ### deny any 443 ::/0 any ::/0 in
-A ufw6-user-input -p tcp --dport 443 -j DROP
-A ufw6-user-input -p udp --dport 443 -j DROP
### END RULES ###
### LOGGING ###
-A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###
### RATE LIMITING ###
-A ufw6-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw6-user-limit -j REJECT
-A ufw6-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT