{"id":1576,"date":"2025-11-09T18:25:05","date_gmt":"2025-11-09T15:25:05","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/nftables-ile-vps-guvenlik-duvari-rehberi-rate-limit-port-knocking-ve-ipv6-kurallari-nasil-tatli-tatli-kurulur\/"},"modified":"2025-11-09T18:25:05","modified_gmt":"2025-11-09T15:25:05","slug":"nftables-ile-vps-guvenlik-duvari-rehberi-rate-limit-port-knocking-ve-ipv6-kurallari-nasil-tatli-tatli-kurulur","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/nftables-ile-vps-guvenlik-duvari-rehberi-rate-limit-port-knocking-ve-ipv6-kurallari-nasil-tatli-tatli-kurulur\/","title":{"rendered":"VPS Firewall Guide with nftables: How to Set Up Rate Limits, Port Knocking and IPv6 Rules, Nice and Easy"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\">\n<h2 id='section-1'><span id=\"Giris_Uzak_Bir_VPS_Acik_Bir_Port_ve_Kafaya_Takilan_Bir_Soru\">Introduction: A Remote <a href=\"https:\/\/www.dchost.com\/tr\/vps\">VPS<\/a>, an Open Port and a Nagging Question<\/span><\/h2>\n<p>Has it ever happened to you? A notification lands in the middle of the night: there are strange connection attempts on your server. The first time I noticed it, it felt like someone had quietly peeked in through the window and left. I looked around for a few minutes, dug through the logs and thought: with everything else going on, why does setting up the firewall <strong>properly<\/strong> and <strong>intelligently<\/strong> keep getting postponed? The problem is not hard; it takes the right tool, a clear skeleton and a few tricks. That is exactly what we will build together, step by step, in this post.<\/p>\n<p>Our tool is <strong>nftables<\/strong>. 
Chances are it is already on your system, and it kills two birds with one stone: a single language for IPv4 and IPv6. We will soften attack attempts with rate limits, open doors with a secret knock via <strong>port knocking<\/strong>, and put things in order in that new, wide world with IPv6 rules. Along the way there will be real-life examples, a few practical warnings and some small mishaps of my own. Come on, let's build a small skeleton ruleset first and then add floors on top of it.<\/p>\n<h2 id='section-2'><span id=\"Neden_nftables_Birkac_Sade_Cumleyle\">Why nftables? In a Few Plain Sentences<\/span><\/h2>\n<p>I will admit it: I stayed in the comfort of old habits for a long time, too. Then one day, while setting up a new VPS, I experienced the peace of writing the rules for both IPv4 and IPv6 in a single <strong>inet<\/strong> table. One file, one flow, less confusion. After a while, reading the logs, I noticed how readable the rule language is: chains, sets, maps... not complicated, it just takes getting used to.<\/p>\n<p>Think of it this way: you want to open the SSH port, but only allow new connection attempts at a certain rate and politely hold back the rest. With nftables you can do that in a single line. Or you want to build a small port knocking game that adds an IP to a temporary list and opens the door once it knocks on a second port. Also possible. At first it feels like magic; then you see it is a collection of <strong>small but powerful<\/strong> practices.<\/p>\n<h2 id='section-3'><span id=\"Hazirlik_Kucuk_Adimlar_Buyuk_Rahatlik\">Preparation: Small Steps, Big Comfort<\/span><\/h2>\n<h3><span id=\"Servisi_etkinlestir_ve_bir_yedek_al\">Enable the service and take a backup<\/span><\/h3>\n<p>First make sure the nftables service is ready on the system. There are rarely surprises, but having the service enabled is a good idea if you want your rules to persist. And do yourself a favour: save the current rules to a file, so you have a way back if something goes wrong. Starting that file with flush ruleset lets you reload it later as a clean replacement instead of appending duplicates to whatever is live.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># Save the live ruleset; the leading flush ruleset makes the file restorable with nft -f\n{ echo \"flush ruleset\"; nft list ruleset; } &gt; \/root\/nft.backup\nsystemctl enable --now nftables\n<\/code><\/pre>\n<p>When working with a rule file, loading the changes in one shot is reassuring. But the most critical warning is this: to avoid losing SSH access, test the new rules first and <strong>keep a live SSH session open<\/strong>. 
Sometimes I even fasten a little seat belt for myself: I schedule a rollback command, and if everything is not in order within 60 seconds, it restores the old rules.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">( sleep 60; nft -f \/root\/nft.backup ) &amp;\nROLLBACK=$!\n# If all is well within 60 seconds, cancel the rollback:\nkill \"$ROLLBACK\"\n<\/code><\/pre>\n<h2 id='section-4'><span id=\"Iskelet_Temiz_Mantikli_ve_Sakin_Bir_Kurallar_Dizisi\">The Skeleton: A Clean, Logical and Calm Ruleset<\/span><\/h2>\n<p>Now let's write a basic skeleton ruleset. Keep the default policies tight: drop incoming, leave outgoing free, usually no forwarding. Leave loopback alone, let established\/related traffic through, and then open the services we know one by one.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">flush ruleset\n\ntable inet filter {\n  # Sets for port knocking, IPv4 and IPv6 (we fill them from the packet path further down)\n  set knock1_v4 { type ipv4_addr; flags dynamic, timeout; }\n  set knock2_v4 { type ipv4_addr; flags dynamic, timeout; }\n  set knock1_v6 { type ipv6_addr; flags dynamic, timeout; }\n  set knock2_v6 { type ipv6_addr; flags dynamic, timeout; }\n\n  chain input {\n    type filter hook input priority 0; policy drop;\n\n    # So we can talk to ourselves\n    iif lo accept\n\n    # Leave already established sessions alone\n    ct state { established, related } accept\n\n    # Ping and friends, rate limited\n    ip protocol icmp icmp type { echo-request, echo-reply, time-exceeded, destination-unreachable } limit rate 10\/second burst 20 packets accept\n    ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } limit rate 10\/second burst 20 packets accept\n\n    # HTTP\/HTTPS, open as an example; new connections above the rate are dropped, the rest accepted\n    tcp dport { 80, 443 } ct state new limit rate over 300\/second burst 600 packets counter drop\n    tcp dport { 80, 443 } accept\n\n    # SSH: we will open this more cleverly with port knocking later on\n    tcp dport 22 ct state new limit rate over 20\/minute burst 10 packets counter drop\n    tcp dport 22 accept\n\n    # Drop everything else, without much talk\n    counter drop\n  }\n\n  chain forward {\n    type filter hook forward priority 0; policy drop;\n  }\n\n  chain output {\n    type filter hook output priority 0; policy accept;\n  }\n}\n<\/code><\/pre>\n<p>Two small details here. First, do not shut off ICMP and ICMPv6 messages entirely; for IPv6 in particular, these messages work like the network's basic signposts. Second, I left the rate limit for HTTP\/HTTPS a bit high, so that real traffic fluctuations do not spoil the mood. On the SSH side the limit is tighter. Each limit is written as a 'limit rate over ... drop' rule followed by a plain accept; a rate-limited accept followed by an unconditional accept would let the excess through on the very next line. Once we add port knocking shortly, we will hide SSH even further.<\/p>\n<h2 id='section-5'><span id=\"Rate_Limit_Saldirgani_Yormak_Mesru_Kullaniciyi_Uzmeyecek_Kadar\">Rate Limiting: Tiring the Attacker, Without Upsetting Legitimate Users<\/span><\/h2>\n<p>When people hear rate limit, they sometimes think of forcibly locking the door, but the intent is different: keeping your service breathing evenly. If hundreds of new attempts per second pour through one door, the CPU carries needless load. 
A few simple rules tire the attacker without hurting the legitimate user's experience.<\/p>\n<p>For SSH, allowing a certain number of new (<strong>ct state new<\/strong>) connections per minute and holding back the rest usually works well. In my experience, 20 new attempts per minute is enough for most environments. A few times I lowered that number, and then the limits made themselves felt as soon as a new developer joined; so tune it to your environment.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># SSH: accept new connections at a limited rate; anything above the rate falls through to the chain's drop\n# (place this before the final counter drop, in place of the skeleton's plain tcp dport 22 accept)\nadd rule inet filter input tcp dport 22 ct state new limit rate 20\/minute burst 10 packets accept\n<\/code><\/pre>\n<p>A similar strategy works on the ping side. Instead of closing it completely, a reasonable rate for both v4 and v6. Because sometimes uptime monitors or automation tools ping you; let's not break their hearts.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># ICMP and ICMPv6: a polite limit\nadd rule inet filter input ip protocol icmp icmp type echo-request limit rate 10\/second burst 20 packets accept\nadd rule inet filter input ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 10\/second burst 20 packets accept\n<\/code><\/pre>\n<p>By the way, rate limiting at the application level is a whole other world. For HTTP, different strategies are needed in Nginx or in the application framework. 
The limit we apply at the server's front door should be thought of as a small filter at the network level.<\/p>\n<h2 id='section-6'><span id=\"Port_Knocking_Kapiyi_Gizleyip_Dogru_Ritmi_Calana_Acmak\">Port Knocking: Hiding the Door and Opening It to Whoever Knocks the Right Rhythm<\/span><\/h2>\n<p>The first time I set up port knocking, it felt like the door of a secret club. You first tap one door, then another, and finally the real door opens for you. That is the basic idea. As a security technique it is no miracle; just a practical layer that adds obscurity. Configured wrongly it can be a nuisance, so let's take very clear steps.<\/p>\n<h3><span id=\"Dinamik_set8217lerle_iki_adimli_bir_oyun\">A two-step game with dynamic sets<\/span><\/h3>\n<p>Our goal is this: an IP address that knocks on two chosen ports in order is kept in a set for a period we choose. On the first knock it enters the knock1 set, on the second knock it moves on to the knock2 set. Then we open SSH only to the addresses in knock2. Treating IPv4 and IPv6 separately keeps things simple.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># We defined our sets earlier (in the skeleton). Now the rules.\n# In the input chain these must sit before the final counter drop, and they\n# replace the skeleton's plain \"tcp dport 22 accept\" line.\n\n# 1st knock: IPv4\nadd rule inet filter input tcp dport 31001 ct state new add @knock1_v4 { ip saddr timeout 20s } counter drop\n# 2nd knock: IPv4 (whoever made the first knock is promoted when hitting the second port)\nadd rule inet filter input ip saddr @knock1_v4 tcp dport 31002 ct state new add @knock2_v4 { ip saddr timeout 30s } counter drop\n\n# 1st knock: IPv6\nadd rule inet filter input tcp dport 31001 ct state new add @knock1_v6 { ip6 saddr timeout 20s } counter drop\n# 2nd knock: IPv6\nadd rule inet filter input ip6 saddr @knock1_v6 tcp dport 31002 ct state new add @knock2_v6 { ip6 saddr timeout 30s } counter drop\n\n# Open SSH only to addresses in the second set\nadd rule inet filter input ip saddr @knock2_v4 tcp dport 22 accept\nadd rule inet filter input ip6 saddr @knock2_v6 tcp dport 22 accept\n\n# And finally, drop everyone else who reaches SSH (or leave it to the default drop further down)\nadd rule inet filter input tcp dport 22 counter drop\n<\/code><\/pre>\n<p>I kept the timeouts short here, because the goal is not to leave the door open permanently but to let whoever knocks correctly connect to SSH within a few minutes. I sometimes raise the second set's timeout to 120 seconds. That way, those who know the knock sequence get in comfortably, while anyone else does not even notice that the door is open.<\/p>\n<p>A mini note on using port knocking: keep a small script somewhere that performs the knock sequence automatically. Mine is simple; it touches the two ports with netcat or curl and then attempts SSH. 
That way I don't get stuck when connecting to a new VPS.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># A simple knocking example (IPv4\/IPv6 use the same ports)\n# -w 1 gives up after one second, since the server drops the knock instead of answering\n# First knock\nnc -z -w 1 YOUR_SERVER 31001 || true\n# Second knock\nnc -z -w 1 YOUR_SERVER 31002 || true\n# Then SSH\nssh user@YOUR_SERVER\n<\/code><\/pre>\n<p>And let me underline it again: this is a mask. Real security comes from strong keys and good SSH settings. If you want to tune the SSH side in depth, there is a pleasant journey in this post: <a href=\"https:\/\/www.dchost.com\/blog\/vpste-ssh-guvenligi-nasil-saglamlasir-fido2-anahtarlari-ssh-ca-ve-rotasyonun-sicacik-yolculugu\/\">how SSH security on a VPS gets hardened: FIDO2 keys and rotation<\/a>.<\/p>\n<h2 id='section-7'><span id=\"IPv6_Kurallari_Yeni_Mahallede_Yol_Isaretlerini_Dogru_Okumak\">IPv6 Rules: Reading the Road Signs Correctly in the New Neighbourhood<\/span><\/h2>\n<p>IPv6 can be intimidating. The mistake I see most often is shutting off ICMPv6 wholesale and then wondering 'why don't some things work'. In the IPv6 world, ICMPv6 carries many things, from address resolution to routing. That is why some types must be explicitly left <strong>allowed<\/strong>. The skeleton above has these allowances, but let's spell them out so it is clear what we do and why.<\/p>\n<p>Neighbor Discovery messages (neighbor solicitation and advertisement, nd-neighbor-solicit and nd-neighbor-advert in nft's type names), router messages (nd-router-solicit, nd-router-advert) and the basic echo-request\/echo-reply packets are like the network's greeting rituals. Do not shut them off entirely when restricting them. Just add a rate limit and don't overdo the logging. If you choke ICMPv6, you only make life harder for yourself.<\/p>\n<p>And a small DNS and AAAA record note: the moment you enable IPv6, you have a new door reachable from the outside world. A small AAAA record added to DNS sometimes brings a big revelation. You may see interesting results in both performance and routing behaviour. The first time I played with this, I came across this: <a href='https:\/\/www.dchost.com\/blog\/kucuk-bir-aaaa-kaydi-buyuk-bir-aydinlanma\/'>a small AAAA record and a big revelation<\/a>.<\/p>\n<h2 id='section-8'><span id=\"Kalici_Yapilandirma_Dosyayi_Anlasilir_Tut_Yuklemeyi_Tek_Hamlede_Yap\">Persistent Configuration: Keep the File Readable, Load It in One Move<\/span><\/h2>\n<p>On to persistence. On most distributions, the rules you write in <strong>\/etc\/nftables.conf<\/strong> are loaded automatically when the service starts. When I finish, I split my ruleset work into two steps: first I write it cleanly in a file, then I load it in one move. 
A syntax check in between is also welcome.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># Check the file you wrote, then load it\nnft -c -f \/etc\/nftables.conf   # -c only checks, nothing is applied\nnft -f \/etc\/nftables.conf      # apply it if all is well\nsystemctl restart nftables     # if you prefer to reload through the service\n<\/code><\/pre>\n<p>Starting the file with 'flush ruleset', as we did at the beginning, to get a clean start is a good habit. Also split the ruleset into logical blocks: set definitions at the top, then the chains, and the special exceptions you added at the end. When you come back to it a day later, you will thank yourself.<\/p>\n<h2 id='section-9'><span id=\"Gunlukleme_Log_Gurultuyu_Suz_Sinyali_Yakalayalim\">Logging: Filter the Noise, Catch the Signal<\/span><\/h2>\n<p>In first setups it often happens that we eagerly turn logging on and after a while say 'this is too much'. Get the dose right. Adding a log with a small prefix at the point where packets are dropped is a lifesaver when debugging. But apply a rate limit to the logs too, so the logs don't eat their own tail.<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># Log dropped packets at a limited rate.\n# Place this right before the chain's final counter drop: log is not a verdict,\n# so evaluation continues and the next line still drops the packet.\nadd rule inet filter input limit rate 5\/second burst 10 packets log prefix \"nft-drop \" level info\n<\/code><\/pre>\n<p>Collecting the logs in one place, especially if you have more than one VPS, brings another kind of peace. At this point I really enjoyed the Grafana Loki + Promtail duo. 
For a step-by-step setup, this guide is incredibly helpful: <a href='https:\/\/www.dchost.com\/blog\/vps-log-yonetimi-nasil-rayina-oturur-grafana-loki-promtail-ile-merkezi-loglama-tutma-sureleri-ve-alarm-kurallari\/'>getting VPS log management on track: Loki, Promtail, alert rules<\/a>. Once it is set up, filtering by nftables prefixes becomes child's play.<\/p>\n<h2 id='section-10'><span id=\"Gercek_Hayattan_Kucuk_Sahneler_Port_Kapandi_Panik_Yok\">Small Scenes from Real Life: The Port Closed, No Panic<\/span><\/h2>\n<p>Once I made the SSH port open only via port knocking, and then forgot the knock sequence. Yes, silly, but it happens. What saved me was an SSH session I had left open and a rollback command I had prepared. Another time, I restricted ICMPv6 too much and made it hard for the containers to see each other; for a few minutes we kept wondering 'why is this so slow'. Then it dawned on me that I had been too stingy with ICMPv6. Once I widened the limit, everything went back to normal.<\/p>\n<p>Think of it this way: you are about to take a new application live, you need to open a port or two in between, and you have updated the firewall. The best thing to do at that moment is a small <strong>health check<\/strong> round over the frequently used connections. Does HTTP return 200, can you still log in over SSH, are pings at a reasonable speed? And if you also have a deployment process that manages your services calmly, things are much more peaceful. In such moments I give a nod to this one: <a href='https:\/\/www.dchost.com\/blog\/node-jsi-canliya-alirken-panik-yapma-pm2-systemd-nginx-ssl-ve-sifir-kesinti-deploy-nasil-kurulur\/'>not panicking when going live<\/a>. When the firewall and application deployment walk side by side, it is a pleasure.<\/p>\n<h2 id='section-11'><span id=\"Kucuk_Iyilestirmeler_Servis_Bazli_Ac-Kapa_Saglikli_Varsayilanlar\">Small Improvements: Per-Service Open\/Close, Healthy Defaults<\/span><\/h2>\n<p>We built the skeleton, hid the door with knocking, and read the IPv6 signposts correctly. What follows is fine-tuning. When opening services one by one, open <strong>only as much as you need<\/strong>. For example, if you serve only over 443, you may not need to keep 80 open; or if you use a reverse proxy that redirects 80 to 443, leave it on under supervision for a while and then try closing it. Likewise, keeping UDP closed unless you have to use it is a lifesaver. If you use QUIC\/HTTP3, remember that 443\/udp is required.<\/p>\n<p>Another fine-tuning option is restricting by country or network. It is possible to do this inside nftables with sets, but it can become hard to manage. I usually solve it at the application layer or upstream. The firewall, in its simplest form, is your first filter at the network gate. What is simple is what is sustainable.<\/p>\n<h2 id='section-12'><span id=\"Kaynaklar_ve_Kucuk_Notlar\">Resources and Small Notes<\/span><\/h2>\n<p>The official nftables documentation is quite readable. 
When I look things up, these are the places I rely on most: the <a href=\"https:\/\/www.netfilter.org\/projects\/nftables\/\" rel=\"nofollow noopener\" target=\"_blank\">Netfilter\/nftables project page<\/a>, the <a href=\"https:\/\/wiki.nftables.org\/wiki-nftables\/index.php\/Main_Page\" rel=\"nofollow noopener\" target=\"_blank\">nftables wiki<\/a> for more practical examples, and the <a href=\"https:\/\/wiki.archlinux.org\/title\/Nftables\" rel=\"nofollow noopener\" target=\"_blank\">ArchWiki nftables page<\/a> for day-to-day usage notes. No need to memorise them line by line; reinforcing the part that puzzles you with an example is usually enough.<\/p>\n<p>By the way, IPv6 and the DNS side go hand in hand. Small experiments with DNS and routing strategies are eye-opening for understanding where your traffic comes from and how. If that side interests you, you will like this compilation: <a href=\"https:\/\/www.dchost.com\/blog\/gelismis-dns-yonlendirme-nasil-akillanir-cloudflare-route-53-ile-cografi-agirlikli-ve-split%E2%80%91horizon-uzerine-sicacik-bir-yolculuk\/\">advanced DNS routing and smart strategies<\/a>.<\/p>\n<h2 id='section-13'><span id=\"Toparlama_Ufak_Dokunuslarla_Buyuk_Sukunet\">Wrapping Up: Big Calm from Small Touches<\/span><\/h2>\n<p>Securing a VPS does not have to be intimidating. With nftables you can write a fluent ruleset for both IPv4 and IPv6 in a single file. When rate limits, port knocking and the right ICMPv6 allowances come together, you get a system that is both more agile against attacks and gentler towards legitimate traffic. For me the greatest relief was splitting the rules into clear blocks and making the file explain itself. Even when I come home tired in the evening, I can find what is where without searching.<\/p>\n<p>A practical closing tip: always leave an open SSH session while making changes, and if possible run a short rollback command in the background. Collect the logs without going overboard, and keep them in a layout you can consult when needed. When curious, poke at topics like ICMPv6 and AAAA records bit by bit; sometimes you will witness a single line changing the whole picture. If you want to go deeper, these posts are good company too: <a href=\"https:\/\/www.dchost.com\/blog\/merkezi-loglama-ve-gozlemlenebilirlik-vpste-loki-promtail-grafana-ile-sakin-kalan-bir-zihin\/\">central logging and observability<\/a>, together with <a href=\"https:\/\/www.dchost.com\/blog\/vpste-ssh-guvenligi-nasil-saglamlasir-fido2-anahtarlari-ssh-ca-ve-rotasyonun-sicacik-yolculugu\/\">the warm journey of SSH security<\/a>, which completes the security layer.<\/p>\n<p>I hope this guide has untied the knot in your head and strengthened your hand. Next time we meet, perhaps we will wander the back garden of a small service tree and talk about firewall strategies in front of a CDN or reverse proxy. For now, make small adjustments, breathe, and take a look at the logs in the quiet of the night. 
If all is well, treat yourself to a nice cup of tea.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Contents1 Introduction: A Remote VPS, an Open Port and a Nagging Question2 Why nftables? In a Few Plain Sentences3 Preparation: Small Steps, Big Comfort3.1 Enable the service and take a backup4 The Skeleton: A Clean, Logical and Calm Ruleset5 Rate Limiting: Tiring the Attacker, Without Upsetting Legitimate Users6 Port Knocking: Hiding the Door and Opening It to Whoever Knocks the Right Rhythm6.1 A two-step game with dynamic [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1577,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-1576","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1576","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=1576"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1576\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/1577"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=1576"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=1576"},{"taxono
my":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=1576"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}