Remote work in the office. RDP, Port Knocking, Mikrotik: simple and secure

As a result of the covid-19 pandemic and the total quarantine in many countries, the only way for many companies to keep working is to access their workplaces over the Internet. There are many secure ways to work remotely, but given the scale of the problem, what is needed is a simple way for any user to connect to the office remotely, without additional settings, explanations, or long and elaborate instructions. Many administrators like RDP (Remote Desktop Protocol) for this. Connecting directly to the workplace via RDP solves our problem, except for one big fly in the ointment: opening the RDP port to the Internet is very unsafe. So below I propose a simple but reliable method of protection.

Since I have often encountered small organizations where Mikrotik devices are used as the Internet gateway, below I will show how to implement this on Mikrotik, but the Port Knocking protection method can easily be implemented on other higher-end devices with configurable router firewall settings.

Briefly about Port Knocking. Good external protection for a network connected to the Internet is when all resources and ports are closed from the outside by the firewall. And although a router with such a firewall configuration does not respond in any way to packets coming from outside, it still listens to them. So you can configure the router so that when it receives a specific (coded) sequence of network packets on different ports, it (the router) grants the IP the packets came from access to certain resources (ports, protocols, etc.).

Now to the point. I won't describe in detail how to set up the firewall on Mikrotik; the Internet is full of good sources for that. Ideally, the firewall blocks all incoming packets, but

/ip firewall filter
add action=accept chain=input comment="established and related accept" connection-state=established,related

allows incoming traffic from connections that are already established (established, related).
Now let's configure Port Knocking on Mikrotik:

/ip firewall filter
add action=drop chain=input dst-port=19000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=drop chain=input dst-port=16000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=add-src-to-address-list address-list="remote_port_1" address-list-timeout=1m chain=input dst-port=19000 protocol=tcp comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=19001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=18999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=16001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=15999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="allow_remote_users" address-list-timeout=1m chain=input dst-port=16000 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
move [/ip firewall filter find comment=RemoteRules] 1
/ip firewall nat
add action=dst-nat chain=dstnat comment="remote_rdp" src-address-list="allow_remote_users" dst-port=33890 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.33 to-ports=3389

Now in detail:

The first two rules

/ip firewall filter
add action=drop chain=input dst-port=19000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=drop chain=input dst-port=16000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules

drop incoming packets from IP addresses that were blacklisted during a port scan;

The third rule:

add action=add-src-to-address-list address-list="remote_port_1" address-list-timeout=1m chain=input dst-port=19000 protocol=tcp comment=RemoteRules

adds the IP to the list of hosts that made the correct first knock on the required port (19000);
The next four rules:

add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=19001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=18999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=16001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=15999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules

create trap ports for anyone who wants to scan ports, and when such attempts are detected, blacklist their IP address for 60 minutes, during which the first two rules will not let such hosts knock on the correct ports;

The next rule:

add action=add-src-to-address-list address-list="allow_remote_users" address-list-timeout=1m chain=input dst-port=16000 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules

puts the IP in the allowed list for 1 minute (enough to establish a connection) once the correct second knock is made on the required port (16000);
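To check the rule set above offline before touching a router, here is a Python model of it (an added example, not from the article or from Mikrotik): the same rule order, address lists and timeouts, replayed over constructed sample packets, including a second knock arriving before the first and a scanner touching a trap port.

```python
# Added example: a model of the article's Mikrotik input-chain rules.
# Hosts, ports and timestamps are constructed sample values.
from dataclasses import dataclass, field

KNOCK_1, KNOCK_2 = 19000, 16000
TRAPS = {19001, 18999, 16001, 15999}   # the +/-1 ports around each knock


@dataclass
class Knocker:
    """Address lists with expiry, keyed by list name then source IP."""
    lists: dict = field(default_factory=dict)

    def _in(self, name, ip, now):
        exp = self.lists.get(name, {}).get(ip)
        return exp is not None and exp > now

    def _add(self, name, ip, now, ttl):
        self.lists.setdefault(name, {})[ip] = now + ttl

    def packet(self, ip, port, now):
        """Process one inbound TCP packet; return the list action that fired.
        On RouterOS add-src-to-address-list is non-terminating, so the packet
        still ends at the default drop; only the list side effect matters."""
        # Rules 1-2: blacklisted scanners may not knock at all.
        if port in (KNOCK_1, KNOCK_2) and self._in("Black_scanners", ip, now):
            return "drop"
        # Rule 3: first knock, 1 minute to complete the sequence.
        if port == KNOCK_1:
            self._add("remote_port_1", ip, now, 60)
            return "remote_port_1"
        # Rules 4-7: trap ports, only armed after a first knock.
        if port in TRAPS and self._in("remote_port_1", ip, now):
            self._add("Black_scanners", ip, now, 3600)
            return "Black_scanners"
        # Rule 8: correct second knock opens RDP forwarding for 1 minute.
        if port == KNOCK_2 and self._in("remote_port_1", ip, now):
            self._add("allow_remote_users", ip, now, 60)
            return "allow_remote_users"
        return "no-match"   # falls through to the default drop

    def rdp_allowed(self, ip, now):
        """Would the dst-nat rule for 33890 apply to this source now?"""
        return self._in("allow_remote_users", ip, now)


def run(seq):
    """Replay (ip, port, second) tuples; return the actions and the state."""
    k = Knocker()
    return [k.packet(ip, p, t) for ip, p, t in seq], k
```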

The next command:

move [/ip firewall filter find comment=RemoteRules] 1

moves our rules up the firewall processing chain, since we most likely already have some deny rules configured that would prevent the newly created ones from working. Rule numbering in Mikrotik starts from zero, but on my device position zero was occupied by a built-in rule that cannot be moved, so I moved them to 1. So, check your own configuration to see where they can be moved to and specify the desired number.

The next setting:

/ip firewall nat
add action=dst-nat chain=dstnat comment="remote_rdp_to_33" src-address-list="allow_remote_users" dst-port=33890 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.33 to-ports=3389

forwards the chosen port 33890 to the standard RDP port 3389 and the IP of the computer or terminal server we need. We create such rules for all required internal resources, preferably using non-standard (and different) ports. Naturally, the IP of the internal resource must be either static or pinned in the DHCP server.

Now our Mikrotik is configured and we need a simple way for the user to connect to the internal RDP. Since most users are on Windows, we create a simple batch file and call it StartRDP.bat:

1.htm
1.rdp

where 1.htm contains the code:

<img src="http://my_router.sn.mynetname.net:19000/1.jpg">
click refresh to reconnect via RDP
<img src="http://my_router.sn.mynetname.net:16000/2.jpg">

It contains two links to non-existent images at the address my_router.sn.mynetname.net; we take this address from Mikrotik's DDNS system after enabling it on our Mikrotik: go to the IP -> Cloud menu, tick the DDNS Enabled box, click Apply and copy our DNS name. But this is only necessary when the router's external IP is dynamic or some scheme with multiple Internet providers is used.

The port in the first link, 19000, corresponds to the first port that must be knocked on; the one in the second link corresponds to the second port. Between the links there is a short instruction showing what to do if our connection suddenly drops because of brief network problems: we refresh the page, the RDP port is opened for us again for 1 minute and our session is restored. The text between the img tags also creates a delay for the browser, which reduces the chance of the request for the second port (16000) arriving before the first; so far there have been no such cases in two weeks of use (30 people).

Next comes the 1.rdp file, which we can set up as one for everyone or separately for each user (which is what I did: it's easier to spend an extra 15 minutes than several hours consulting those who couldn't figure it out)

screen mode id:i:2
use multimon:i:1
.....
connection type:i:6
networkautodetect:i:0
.....
disable wallpaper:i:1
.....
full address:s:my_router.sn.mynetname.net:33890
.....
username:s:myuserlogin
domain:s:mydomain

One of the interesting settings here is use multimon:i:1 - this enables the use of multiple monitors; some people need this but don't think to turn it on themselves.

connection type:i:6 and networkautodetect:i:0 - since most Internet connections are above 10 Mbit, we enable connection type 6 (LAN type, 10 Mbit and above) and disable networkautodetect, because if the default (auto) is used, then even short dips in network latency make auto-detection lower our session speed to a minimum for a long time, which can cause delays in work, especially in graphics programs.

disable wallpaper:i:1 - disables the desktop background
username:s:myuserlogin - we specify the user's login, since a significant portion of our users don't know their own login.
domain:s:mydomain - specify the domain or computer name

But if we want to simplify the task of creating the link, we can also use PowerShell - StartRDP.ps1

Test-NetConnection -ComputerName my_router.sn.mynetname.net -Port 19000
Test-NetConnection -ComputerName my_router.sn.mynetname.net -Port 16000
mstsc /v:my_router.sn.mynetname.net:33890

Also a little about the RDP client in Windows: MS has gone quite far in improving the protocol and its server and client parts, implementing many useful things - such as working with 3D hardware, optimizing the screen resolution for your display, multi-monitor support, etc. But of course everything is implemented in backward-compatibility mode, and if the client is Windows 7 and the remote PC is Windows 10, then RDP will work using protocol version 7.0. Fortunately, you can update RDP to more recent versions - for example, you can upgrade the protocol version from 7.0 (Windows 7) to 8.1. So, for the convenience of clients, you need to upgrade the version of the server part, and also provide links for updating clients to newer versions of the RDP protocol.

As a result, we have a simple and effective technology for remote connection to a work PC or terminal server. But for a more secure connection, our Port Knocking method can be made several orders of magnitude harder to attack by adding more ports to check: using the same logic, you can add 3, 4, 5, 6 ... ports, and in that case a direct intrusion into your network becomes practically impossible.

Attached files for creating a remote connection to RDP.

source: www.habr.com
