Two-factor authentication of VPN users via MikroTik and SMS

Hello colleagues! Now that the frenzy around "remote work" has subsided a little and most admins have solved the task of giving employees access to the corporate network, it is time to share my long-standing experience of hardening VPN access. This article is not about the fashionable IPSec IKEv2 and xAuth. It is about building yet another scheme: two-factor authentication (2FA) of VPN users when MikroTik acts as the VPN server, that is, when "classic" protocols such as PPP are used.


Today I will tell you how to protect a MikroTik PPP VPN even if a user's account has been "stolen". When this scheme was presented to one of my customers, he summed it up as "well, now it's like at the bank!".

The method does not use any external authentication service. Everything is done internally by the router itself. There is no cost for the connecting client. The method works for PC clients and for mobile devices.

The overall protection scheme is as follows:

  1. The internal (tunnel) IP address of a user who has successfully connected to the VPN server is automatically put on a "grey" list.
  2. The connection event automatically generates a one-time code, which is sent to the user over one of the available channels.
  3. Addresses on this list have restricted access to local network resources, with the exception of the "authenticator" service, which waits to receive the one-time passcode.
  4. After presenting the code, the user gets access to the internal resources of the network.

The first small problem I ran into was where to store the user's contact details in order to send the 2FA code. Since MikroTik does not allow arbitrary data fields to be attached to users, the existing "comment" field was used:

/ppp secret add name=Petrov password="4M@ngr!" comment="89876543210"

The second problem turned out to be more serious: choosing the channel and the method of delivering the code. Three schemes are currently implemented: a) SMS via a USB modem; b) e-mail; c) SMS via e-mail, which mobile operators offer to their corporate customers.

Yes, the SMS scheme costs money. But if you think about it, "security is always about money" (c).
Personally, I do not like the e-mail scheme. Not because it requires the mail server to be reachable by a client that is still being authenticated; splitting that traffic off is not a problem. However, if a client carelessly saves both the VPN and the e-mail passwords in the browser and then loses the laptop, an attacker gets full access to the corporate network from it.

So it was decided: we deliver the one-time code via SMS messages.

The third problem was where and how to generate a pseudo-random code for 2FA in MikroTik. There is no equivalent of a random() function in the RouterOS scripting language, and I have seen quite a few makeshift pseudo-random number generators before. I did not like any of them, for various reasons.

In fact, there is a pseudo-random generator in MikroTik! It is hidden from a cursory glance in the /certificate scep-server context. The first way of obtaining a one-time password is simple and straightforward: the command /certificate scep-server otp generate. With a simple assignment we get a variable value that can then be used in scripts.

The second way of obtaining a one-time password, which is also easy to use, is the external service random.org, which generates the desired sequence of random digits. Here is a simplified console example of loading the data into a variable:

Code
:global rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]->"data") 0 6]
:put $rnd1

The request, formatted for the console (in a script body the special characters would have to be escaped), receives a string of six digits into the variable $rnd1. The following "put" command simply displays the variable in the MikroTik console.

The fourth problem, which had to be solved quickly, was how and where the connected client would hand over the one-time code at the second stage of authentication.


There has to be a service on the MikroTik router that can accept the code and match it to a specific client. If the presented code matches the expected one, the client's address should be put on a separate "white" list of addresses that are allowed into the company's local network.

Given the poor choice of built-in services, it was decided to receive the codes over HTTP using the web server built into MikroTik. And since the firewall can work with dynamic IP address lists, it is the firewall that checks the code, matches it to the client's IP and adds that IP to the "white" list, using a Layer7 regexp. The router itself was given the conditional DNS name "gw.local", and a static A record for it was created to hand out to PPP clients:

DNS
/ip dns static add name=gw.local address=172.31.1.1

Capturing the traffic of not-yet-authenticated clients onto the proxy (the in-interface-list matcher refers to the "2fa" interface list that the PPP profile fills dynamically):
/ip firewall nat add chain=dstnat dst-port=80,443 in-interface-list=2fa protocol=tcp !src-address-list=2fa_approved action=redirect to-ports=3128

In this scheme the proxy has two tasks:

1. Open the TCP connection with the clients;

2. If authorization succeeds, redirect the client's browser to a page or image that signals successful authentication:

Proxy settings
/ip proxy
set enabled=yes port=3128
/ip proxy access
add action=deny disabled=no redirect-to=gw.local./mikrotik_logo.png src-address=0.0.0.0/0

The key configuration elements are:

  1. interface-list "2fa": a dynamic list of client interfaces whose traffic must be processed by the 2FA logic;
  2. address-list "2fa_jailed": the "grey" list of VPN client IP addresses;
  3. address-list "2fa_approved": the "white" list of tunnel IP addresses of VPN clients that have passed two-factor authentication;
  4. firewall chain "input_2fa": checks TCP packets for the presence of an authorization code and matches the sender's IP address against the one the code was issued to. Rules are added to and removed from this chain dynamically.

A simplified packet processing diagram looks like this:

[Diagram: simplified packet processing flow (image in the original article)]

To route traffic from "grey"-listed clients that have not yet passed the second stage of authentication into the Layer7 checks, a rule was created in the standard "input" chain:

Code
/ip firewall filter add chain=input !src-address-list=2fa_approved action=jump jump-target=input_2fa

Now let's attach all of this to the PPP service. MikroTik allows scripts to be placed in profiles (ppp-profile) and bound to the events of establishing and tearing down a PPP connection. PPP profile settings can be applied both to the PPP server as a whole and to individual users. The profile assigned to a user takes priority, overriding the parameters of the server-wide profile with its own.

With this approach we can create a dedicated two-factor profile and assign it not to all users but only to those for whom it is considered necessary. This is useful if you use the PPP service not only to connect end users but also to build site-to-site links.

In the newly created profile we use dynamic addition of the connected user's address and interface to the "grey" address list and interface list:

[winbox screenshot: the 2FA PPP profile]

Code
/ppp profile add address-list=2fa_jailed change-tcp-mss=no local-address=192.0.2.254 name=2FA interface-list=2fa only-one=yes remote-address=dhcp_pool1 use-compression=no use-encryption=required use-mpls=no use-upnp=no dns-server=172.31.1.1

Both the "address-list" and the "interface-list" are needed to identify and capture traffic from VPN clients that have not completed the second factor in the dstnat (prerouting) chain.

With the preparations done and the extra firewall chain and the profile created, we write the scripts responsible for automatically generating the 2FA code and the per-user firewall rules.

The wiki.mikrotik.com documentation on PPP profiles tells us which variables are available in the PPP client connection event scripts: "Execute script on user login event. These are the variable names that are accessible for event script: user, local-address, remote-address, caller-id, called-id, interface." Some of them are very useful to us.

Code used in the profile for the PPP On-Up event

# Log the received event variables for debugging
:log info ($"local-address")
:log info ($"remote-address")
:log info ($"caller-id")
:log info ($"called-id")
:log info ([/interface pptp-server get ($"interface") name])
# Declare our own local variables
:local listname "2fa_jailed"
:local viamodem false
:local modemport "usb2"
# Find the entry that the profile automatically created in the "2fa_jailed" address list
:local recnum1 [/ip firewall address-list find address=($"remote-address") list=$listname]

# Get a pseudo-random code from the local generator (first four digits of the SCEP one-time password)
:local rnd1 [:pick ([/certificate scep-server otp generate as-value minutes-valid=1]->"password") 0 4]
# ... or get the pseudo-random code via random.org instead:
#:local rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]->"data") 0 4]

# Update the comment on the address-list entry: store the expected code there for debugging
/ip firewall address-list set $recnum1 comment=$rnd1
# Get the phone number to send the SMS to (kept in the secret's comment field)
:local vphone [/ppp secret get [find name=$user] comment]

# Prepare the message body. If the client connects to the VPN directly from the phone,
# it is enough to follow the link from the received message
:local msgbody ("Your code: ".$rnd1."\nOr open link http://gw.local/otp/".$rnd1."/")

# Send the SMS over the chosen channel: USB modem or email-to-SMS
:if ($viamodem) do={
  /tool sms send phone-number=$vphone message=$msgbody port=$modemport
} else={
  # the mailbox addresses are placeholders: replace them with the gateway and sender mailboxes
  /tool e-mail send server=a.b.c.d to="[email protected]" from="[email protected]" subject=("@".$vphone) body=$msgbody
}

# Build the Layer7 regexp: this client's code following "otp/" in the HTTP request
:local vregexp ("otp/".$rnd1)
:local vcomment ("2fa_".($"remote-address"))
/ip firewall layer7-protocol add name=$vcomment comment=($"remote-address") regexp=$vregexp

# Build the rule that inspects this client's traffic with Layer7 looking for the code,
# with a little protection against brute-forcing codes by means of dst-limit
/ip firewall filter add action=add-src-to-address-list address-list=2fa_approved address-list-timeout=none-dynamic chain=input_2fa dst-port=80,443,3128 layer7-protocol=$vcomment protocol=tcp src-address=($"remote-address") dst-limit=1,1,src-address/1m40s

Especially for those who like to copy-paste without thinking, I warn you: the code was taken from a test version and may contain minor typos. It will not be hard for an understanding person to figure out exactly where.

When the user disconnects, the "On-Down" event fires and the corresponding script is called with the same parameters. Its job is to clean up the firewall objects created for the disconnected user.

Code used in the profile for the PPP On-Down event

:local vcomment ("2fa_".($"remote-address"))
# Remove the client from the "white" list, then its per-client filter rule and Layer7 entry
/ip firewall address-list remove [find address=($"remote-address") list=2fa_approved]
/ip firewall filter remove [find chain="input_2fa" src-address=($"remote-address")]
/ip firewall layer7-protocol remove [find name=$vcomment]
You can create users and assign all or only some of them to the two-factor profile.

[winbox screenshot: assigning the 2FA profile to a PPP secret]

Code
/ppp secret set [find name=Petrov] profile=2FA

How it looks from the client side.

When the VPN connection is established, an Android/iOS phone or a tablet with a SIM card receives an SMS like this:

[SMS screenshot: the one-time code and the http://gw.local/otp/ link]

If the connection is made directly from the phone/tablet, you pass 2FA simply by tapping the link in the message. It is convenient.

If the VPN connection is made from a PC, the user is asked to enter the short password. A small form in the shape of an HTML file is handed to the user when the VPN is set up. The file can also be sent by mail so that the user saves it and creates a shortcut in a convenient place. It looks like this:

[Screenshot: desktop shortcut to the HTML form]

The user clicks the shortcut, a simple code entry form opens, and the code is appended to the URL that is then opened:

[Screenshot: the code entry form]

The simplest possible form is given as an example. Those who wish can improve it for themselves.

2fa_login_mini.html

<html>
<head>
<title>SMS OTP login</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
<!-- Submitting (button or Enter key) opens http://gw.local/otp/<code>/ so the firewall sees the code in the request -->
<form name="login" onsubmit="location.href='http://gw.local/otp/'+document.getElementById('text').value+'/'; return false;">
<input id="text" type="text" autocomplete="off" />
<input type="submit" value="Login" />
</form>
</body>
</html>

If authorization succeeds, the user sees the MikroTik logo in the browser, which serves as the signal of successful authentication:

[Screenshot: MikroTik logo shown in the browser after a successful login]

Note that the image is served by the built-in MikroTik web server via the WebProxy Deny Redirect.

I think the image can be replaced using the "hotspot" tools: upload your own version there and point the WebProxy Deny Redirect URL at it.

A big request to those who are tempted to buy the cheapest $20 MikroTik "toy" and replace a $500 router with it: don't. Devices like the "hAP Lite" / "hAP mini" (home access solutions) have a very weak CPU (smips) and are unlikely to cope with the load in the business segment.

Warning! This solution has one drawback: every client connect and disconnect is a configuration change, which the router tries to save to its non-volatile memory. With a large number of clients and frequent connects and disconnects, this can wear out the router's internal storage.

PS: The ways of delivering the code to the client can be extended as far as your programming skills allow. For example, you can send messages to Telegram or... suggest your options!

I hope the article will be useful to you and will help make the networks of small and medium businesses a little calmer.

source: www.habr.com