An easy way to protect your Mikrotik from attacks

I want to share with the community a simple and working way of using Mikrotik to protect your network and the services "looking out" from behind it against attacks from outside. Namely, just three rules to set up a honeypot on Mikrotik.

So, imagine we have a small office with an external IP, behind which sits an RDP server for staff to work remotely. The first rule, of course, is to change port 3389 on the external interface to some other port. But this does not last long: after a day or two, the terminal server's audit log starts showing several failed authentications per second from unknown clients.

Another situation: you have an Asterisk hidden behind Mikrotik, naturally not on port 5060 udp, and after a day or two the password guessing starts there too... yes, yes, I know, fail2ban is our everything, but you still have to keep working at it... the ready-made "recipes" no longer work, version numbers grow over the years, articles with "recipes" for old versions stop working, and new ones hardly ever appear...

So, briefly, what is a honeypot: in our case a honeypot is any popular port on the external IP; any request to this port from an outside client puts the src address on the blacklist. That's all.

/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker"
    address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox"
    connection-state=new dst-port=22,3389,8291 in-interface=
    ether4-wan protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker"
    address-list-timeout=30d0h0m chain=input comment=
    "block honeypot asterisk" connection-state=new dst-port=5060
    in-interface=ether4-wan protocol=udp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=
    "Honeypot Hacker"

The first rule, on the popular TCP ports 22, 3389 and 8291 of the external interface ether4-wan, adds the "guest's" IP to the "Honeypot Hacker" list (the real ssh, rdp and winbox ports have been disabled beforehand or moved elsewhere). The second rule does the same on the popular UDP port 5060.

The third rule, at the prerouting stage, drops packets from "guests" whose src address has landed in "Honeypot Hacker".

After two weeks of running on my home Mikrotik, the "Honeypot Hacker" list held about one and a half thousand IP addresses of those who like to "latch onto the udder" of my network resources (at home I have my own telephony, mail, nextcloud and rdp). The brute-force attacks stopped; bliss set in.

At work not everything was so simple: there they keep hammering the rdp server with password brute-forcing.

Apparently the port number had been picked up by a scanner long before the honeypot was switched on, and during quarantine it is not so easy to reconfigure more than 100 users, 20% of whom are over 65. For the case where the port cannot be changed, there is a small working recipe. I have seen something similar on the internet, but this one has a few extra additions and tweaks:

Rules for configuring Port Knocking

/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist
    address-list-timeout=15m chain=forward comment=rdp_to_blacklist
    connection-state=new dst-port=3389 protocol=tcp src-address-list=
    rdp_stage12
add action=add-src-to-address-list address-list=rdp_stage12
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage11
add action=add-src-to-address-list address-list=rdp_stage11
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage10
add action=add-src-to-address-list address-list=rdp_stage10
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage9
add action=add-src-to-address-list address-list=rdp_stage9
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage8
add action=add-src-to-address-list address-list=rdp_stage8
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage7
add action=add-src-to-address-list address-list=rdp_stage7
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage6
add action=add-src-to-address-list address-list=rdp_stage6
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage5
add action=add-src-to-address-list address-list=rdp_stage5
    address-list-timeout=4m chain=forward connection-state=new dst-port=
    3389 protocol=tcp src-address-list=rdp_stage4
add action=add-src-to-address-list address-list=rdp_stage4
    address-list-timeout=4m chain=forward connection-state=new dst-port=
    3389 protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=
    rdp_blacklist

Within 4 minutes the remote client can make only 12 new "requests" to the RDP server. One login attempt is 1 to 4 "requests". At the 12th "request" comes a block for 15 minutes. In my case the attackers did not stop hammering the server; they adjusted their timers and now do it very slowly, and at that guessing rate the effectiveness of the attack drops to zero. The company's employees experience practically no inconvenience at work from the measures taken.

Another little trick
This rule is switched on by schedule at 5 a.m. and switched off at XNUMX a.m., when real people are certainly asleep and the automated brute-forcers are still awake.

/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist
    address-list-timeout=1w0d0h0m chain=forward comment=
    "night_rdp_blacklist" connection-state=new disabled=
    yes dst-port=3389 protocol=tcp src-address-list=rdp_stage8

Already at the 8th connection the attacker's IP goes onto the blacklist for a week. Beautiful!
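To see why the stage ladder above has to be listed in descending order, and how the honeypot and the night rule behave, here is an added simulation of the address-list mechanics. It is a constructed Python model written for this page, not RouterOS code and not the author's: it models add-src-to-address-list as a non-terminating action evaluated top-down, address-list entries with a timeout, and the raw/prerouting drop running before the filter chain. Interface, chain and connection-state matching are left out, and it assumes that re-adding an already-listed address refreshes its timeout. The IP addresses are constructed sample values.

```python
"""Constructed model of the RouterOS address-list rules in this article."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One add-src-to-address-list rule: fires on a new connection to one of
    dst_ports when the source is in `requires` (None = no list condition)."""
    target: str
    timeout: int                  # seconds the address-list entry lives
    requires: Optional[str]       # src-address-list match, or None
    dst_ports: frozenset = frozenset({3389})


class Firewall:
    def __init__(self, rules, drop_lists):
        self.rules = list(rules)            # evaluated top-down, as RouterOS does
        self.drop_lists = set(drop_lists)   # lists the raw prerouting rule drops
        self.entries = {}                   # (list name, ip) -> expiry timestamp

    def listed(self, name, ip, now):
        expiry = self.entries.get((name, ip))
        return expiry is not None and expiry > now

    def new_connection(self, ip, port, now):
        """Handle one new connection at time `now`; returns 'drop' or 'accept'."""
        # raw/prerouting runs first: a blacklisted source never reaches filter
        if any(self.listed(name, ip, now) for name in self.drop_lists):
            return "drop"
        # filter chain: every matching rule fires, because
        # add-src-to-address-list does not terminate rule processing
        for rule in self.rules:
            if port not in rule.dst_ports:
                continue
            if rule.requires is None or self.listed(rule.requires, ip, now):
                # assumption: re-adding refreshes the entry's timeout
                self.entries[(rule.target, ip)] = now + rule.timeout
        return "accept"


def stage_rules(stages=12, stage_timeout=240, block_timeout=900,
                descending=True, night=False):
    """The rdp_stage1..rdp_stageN ladder plus the blacklist rule(s).
    descending=True reproduces the export order (stage12 rule first, stage1
    last); descending=False shows why that order matters. night=True adds
    the article's night rule (stage8 -> blacklist for a week)."""
    ladder = [Rule(f"rdp_stage{i}", stage_timeout,
                   f"rdp_stage{i - 1}" if i > 1 else None)
              for i in range(1, stages + 1)]
    blacklist = [Rule("rdp_blacklist", block_timeout, f"rdp_stage{stages}")]
    if night:
        blacklist.append(Rule("rdp_blacklist", 7 * 86400, "rdp_stage8"))
    if descending:
        return blacklist + ladder[::-1]
    return ladder + blacklist


def honeypot_rules():
    """The honeypot: a new connection to a decoy port lists the source for
    30 days; the raw rule then drops everything from it, on every port."""
    day = 86400
    return [Rule("Honeypot Hacker", 30 * day, None, frozenset({22, 3389, 8291})),
            Rule("Honeypot Hacker", 30 * day, None, frozenset({5060}))]


def first_dropped(fw, ip, interval, port=3389, limit=60):
    """Open one connection every `interval` seconds from `ip`; return the
    1-based number of the first dropped connection, or None if none is."""
    for n in range(1, limit + 1):
        if fw.new_connection(ip, port, now=(n - 1) * interval) == "drop":
            return n
    return None


if __name__ == "__main__":
    atk = "203.0.113.7"   # constructed sample address
    print("brute force, 10 s apart:",
          first_dropped(Firewall(stage_rules(), {"rdp_blacklist"}), atk, 10))
    print("one try per 5 min:",
          first_dropped(Firewall(stage_rules(), {"rdp_blacklist"}), atk, 300))
    print("ladder in ascending order:",
          first_dropped(Firewall(stage_rules(descending=False), {"rdp_blacklist"}), atk, 10))
    print("night rule enabled:",
          first_dropped(Firewall(stage_rules(night=True), {"rdp_blacklist"}), atk, 10))
    hp = Firewall(honeypot_rules(), {"Honeypot Hacker"})
    hp.new_connection("198.51.100.9", 22, now=0)      # touches a decoy port
    print("next packet to a real service:", hp.new_connection("198.51.100.9", 443, now=1))
```

In the model the blacklist entry is created by the 13th fast connection and the 14th is the first one dropped, since the raw drop runs before the filter chain sees the packet; with the night rule the blacklist entry appears on the 9th connection. A client that tries once every 5 minutes never gets past rdp_stage1 because each entry expires after 4 minutes, which is the slowdown the text describes. The descending=False run shows the failure mode of listing the ladder in ascending order: one packet walks through every stage in a single pass and the first connection already blacklists the source.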

Well, in addition to the above, I'll attach a link to a Wiki article with a working configuration for protecting Mikrotik from network scanners: wiki.mikrotik.com/wiki/Drop_port_scanners

On my devices this configuration works alongside the honeypot rules described above and complements them nicely.

UPD: As suggested in the comments, the packet-drop rule was moved to RAW to reduce the load on the router.

Source: www.habr.com
