A simple way to protect your Mikrotik from attacks

I want to share with the community a simple and working way of using Mikrotik to protect your network, and the services that "peek out" from behind it, from external attacks. Specifically: just three rules that set up a honeypot on Mikrotik.

So, imagine we have a small office with an external IP, behind which there is an RDP server so that employees can work remotely. The first rule, of course, is to move port 3389 on the external interface to some other port. But that does not help for long: after a couple of days the terminal server's audit log starts showing several failed logins per second from unknown clients.

Another scenario: you have an Asterisk hidden behind the Mikrotik, not on port 5060 udp of course, and after a couple of days the password guessing starts... yes, yes, I know, fail2ban is our everything, but you still have to work on it... for example, recently I installed it on ubuntu 18.04 and was surprised to find that out of the box fail2ban does not contain current settings for the Asterisk from the very same box of the very same ubuntu distribution... and googling for ready-made "recipes" does not work: release numbers have grown over the years, articles with "recipes" for old versions don't work, and new ones almost never appear... But I digress...

So, what a honeypot is, in brief: in our case a honeypot is any popular port on the external IP, and any request to that port from an external client sends the src address to a blacklist. That's it.

/ip firewall filter
# Rule 1: a new TCP connection from the WAN to the decoy ports (ssh, rdp and winbox are really served on other ports) lists the source for 30 days
add action=add-src-to-address-list address-list="Honeypot Hacker" address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" connection-state=new dst-port=22,3389,8291 in-interface=ether4-wan protocol=tcp
# Rule 2: the same for SIP on UDP 5060
add action=add-src-to-address-list address-list="Honeypot Hacker" address-list-timeout=30d0h0m chain=input comment="block honeypot asterisk" connection-state=new dst-port=5060 in-interface=ether4-wan protocol=udp
/ip firewall raw
# Rule 3: drop every packet from a listed source in prerouting, before connection tracking does any work
add action=drop chain=prerouting in-interface=ether4-wan src-address-list="Honeypot Hacker"

The first rule, on the popular TCP ports 22, 3389 and 8291 of the external interface ether4-wan, sends the "guest" IP to the "Honeypot Hacker" list (the real ports for ssh, rdp and winbox have been moved to other numbers beforehand). The second rule does the same for the popular UDP port 5060.

The third rule, at the prerouting stage, drops packets from "guests" whose src-address is in "Honeypot Hacker".

After two weeks of running on my home Mikrotik, the "Honeypot Hacker" list contained about one and a half thousand IP addresses of those wanting to "feel up" my network resources (at home I have my own telephony, mail, nextcloud, rdp). The attacks stopped, bliss arrived.

At work not everything turned out so simple; there they keep trying to break into the rdp server by brute-forcing passwords.

Apparently a scanner had identified the port number even before the honeypot was enabled, and during quarantine it is not so easy to reconfigure more than 100 users, 20% of whom are over 65. For the case where the port cannot be changed, there is a small working recipe. I saw something similar on the Internet, but this one has some additions and fine tuning of its own:

Port knocking configuration rules

/ip firewall filter
# Order matters: add-src-to-address-list is passthrough and a later rule already sees the entry an earlier rule added,
# so the chain is listed from the blacklist down to stage1 and each new connection advances a source by exactly one stage
add action=add-src-to-address-list address-list=rdp_blacklist address-list-timeout=15m chain=forward comment=rdp_to_blacklist connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage12
add action=add-src-to-address-list address-list=rdp_stage12 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage11
add action=add-src-to-address-list address-list=rdp_stage11 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage10
add action=add-src-to-address-list address-list=rdp_stage10 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage9
add action=add-src-to-address-list address-list=rdp_stage9 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage8
# corrected: stage8 is fed from rdp_stage7, not rdp_stage4, otherwise three stages are skipped and the count is wrong
add action=add-src-to-address-list address-list=rdp_stage8 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage7
add action=add-src-to-address-list address-list=rdp_stage7 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage6
add action=add-src-to-address-list address-list=rdp_stage6 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage5
add action=add-src-to-address-list address-list=rdp_stage5 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage4
add action=add-src-to-address-list address-list=rdp_stage4 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage1
# every new connection to 3389 starts (or refreshes) stage1
add action=add-src-to-address-list address-list=rdp_stage1 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp
/ip firewall raw
# a source that reached the blacklist is dropped in prerouting for the 15-minute timeout
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=rdp_blacklist

Within 4 minutes a remote client is allowed only 12 new "requests" to the RDP server. One login attempt is 1 to 4 "requests". On the 12th "request" comes a block for 15 minutes. In my case the attackers did not stop trying to break into the server; they adapted to the timers and now do it very slowly, and at such a guessing rate the effectiveness of the attack drops to zero. The company's employees notice almost no inconvenience at work from the measures taken.
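To see what the stage chain actually counts, here is an added Python simulator of the RouterOS behaviour it relies on; it is example code written for this page, not the article's or MikroTik's, and it assumes that filter rules are evaluated top to bottom, that add-src-to-address-list is passthrough so a later rule already sees the entry an earlier rule added, and that a dynamic entry expires after its address-list-timeout. With the article's rule order and timeouts, a client retrying every 10 seconds lands in rdp_blacklist on its 13th new connection and is dropped on the 14th, a client that waits the full 4 minutes between attempts never advances a stage (which is what "adapting to the timers" means), and the variant in which rdp_stage8 is fed from rdp_stage4 instead of rdp_stage7 collapses the count to 11; the client address 203.0.113.7 is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    add_to: str    # address-list=
    timeout: int   # address-list-timeout= in seconds
    src_list: str  # src-address-list= ("" matches every source)

def stage_chain(feed_stage8_from="rdp_stage7"):
    """The 13 filter rules in the article's order: blacklist first, stage1 last."""
    rules = [Rule("rdp_blacklist", 15 * 60, "rdp_stage12")]
    for n in range(12, 1, -1):
        src = feed_stage8_from if n == 8 else f"rdp_stage{n - 1}"
        rules.append(Rule(f"rdp_stage{n}", 4 * 60, src))
    rules.append(Rule("rdp_stage1", 4 * 60, ""))
    return rules

class Router:
    """Models only what the chain needs: dynamic address lists with expiry."""
    def __init__(self, rules):
        self.rules = rules
        self.expiry = {}  # (list name, ip) -> time the dynamic entry expires

    def listed(self, name, ip, now):
        return self.expiry.get((name, ip), 0) > now

    def new_connection(self, ip, now):
        """One new TCP/3389 connection from ip at time now: 'drop' or 'pass'."""
        if self.listed("rdp_blacklist", ip, now):
            return "drop"                 # /ip firewall raw, chain=prerouting drop
        for r in self.rules:              # /ip firewall filter, chain=forward
            if not r.src_list or self.listed(r.src_list, ip, now):
                self.expiry[(r.add_to, ip)] = now + r.timeout  # entry (re)added
        return "pass"

def first_dropped_attempt(interval, rules=None, attempts=100):
    """Attempt number at which a client retrying every `interval` seconds is
    first dropped, or None if the timers never let it reach the blacklist."""
    router = Router(rules or stage_chain())
    for n in range(1, attempts + 1):  # 203.0.113.7 is a constructed sample client
        if router.new_connection("203.0.113.7", n * interval) == "drop":
            return n
    return None

if __name__ == "__main__":
    print("retry every 10 s:", first_dropped_attempt(10))
    print("retry every 240 s (timer expires first):", first_dropped_attempt(240))
    print("stage8 fed from stage4 instead of stage7:",
          first_dropped_attempt(10, stage_chain("rdp_stage4")))
```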

One more little trick
This rule is enabled by schedule at 5 in the morning and disabled at XNUMX in the morning (the second hour is not legible in the source), when real people are asleep and the automated password guessers are still wide awake.

/ip firewall filter
# Added disabled; a scheduler entry turns it on for the night and off in the morning.
# A source that reaches stage8 (8 new connections within 4 minutes) is blacklisted for a week
add action=add-src-to-address-list address-list=rdp_blacklist address-list-timeout=1w0d0h0m chain=forward comment="night_rdp_blacklist" connection-state=new disabled=yes dst-port=3389 protocol=tcp src-address-list=rdp_stage8

Already on the 8th connection the attacker's IP is blacklisted for a whole week. Beautiful!

Well, in addition to the above, I'll add a link to the Wiki article with a working setup for protecting Mikrotik from port scanners: wiki.mikrotik.com/wiki/Drop_port_scanners

On my devices this setup works together with the honeypot rules described above and complements them nicely.

UPD: As suggested in the comments, the packet drop rule has been moved to RAW to reduce the load on the router.

source: www.habr.com
