I have read many times the opinion that leaving the RDP (Remote Desktop Protocol) port open to the Internet is very unsafe and should not be done. Instead, RDP access should be given either through a VPN or only from certain "whitelisted" IP addresses.
I administer several Windows Servers for small companies, where I was given the task of providing remote access to Windows Server for the accountants. This is the modern trend: working from home. I quickly realised that tormenting accountants with a VPN is a thankless task, and collecting all their IPs for a whitelist would not work either, because people's IP addresses are dynamic.
So I took the simplest path: I forwarded the RDP port to the outside. To get access, the accountants now only need to launch the RDP client and enter the hostname (including the port), the username and the password.
In this article I will share my experience (positive and not so positive) and my recommendations.
Risks
What do you risk by opening the RDP port?
1) Unauthorised access to sensitive data
If someone guesses the RDP password, they can get at data you want to keep confidential: account status, balances, customer data, ...
2) Data loss
For example, as a result of ransomware.
Or a deliberate action by an attacker.
3) Loss of the workstation
Employees need to work, but the system is compromised and needs to be reinstalled / restored / reconfigured.
4) Compromise of the local network
If an attacker gains access to a Windows computer, then from that computer they can reach systems that are not accessible from outside, from the Internet. For example, file shares, network printers, and so on.
I had a case where a Windows Server caught ransomware, and that ransomware first encrypted most of the files on the C: drive and then started encrypting files on the NAS over the network. Since the NAS was a Synology with snapshots configured, I restored the NAS in 5 minutes and reinstalled Windows Server from scratch.
Observations and Recommendations
I monitor the Windows Servers using
Monitoring by itself does not protect, but it helps to determine the necessary measures.
Here are some observations:
a) RDP will be brute-forced.
On one of the servers I set RDP up not on the standard port 3389 but on 443: well, I would disguise it as HTTPS. It is probably worth changing the port from the standard one, but it will not help much. Here are the statistics from that server:
You can see that in one week there were almost 400 failed RDP login attempts.
You can see that the login attempts came from 55 IP addresses (some of those IP addresses I had already blocked).
This leads directly to the conclusion that you need to set up fail2ban, but there is no such utility for Windows.
There are some abandoned projects on Github that try to do this, but I have not even tried to install them:
There are also paid tools, but I have not considered them.
If you know of an open-source utility for this purpose, please share it in the comments.
Update: The comments suggest that port 443 is a poor choice and that it is better to pick high ports (32000+), because 443 is scanned much more often, and recognising RDP on that port is not a problem.
Final update: The comments point out that such a tool does exist:
b) There are certain usernames that attackers prefer
You can see that the search is carried out over a dictionary of various names.
But here is what I noticed: a large number of attempts use the server name as the login. Recommendation: do not use the same name for the computer and the user. Moreover, it sometimes looks as if they try to decode the server name somehow: for example, for a system named DESKTOP-DFTHD7C, the most login attempts were with the name DFTHD7C:
So if you have a computer named DESKTOP-MARIA, you will most likely see login attempts as the user MARIA.
Another thing I noticed from the logs: on most systems, the majority of login attempts use the name "administrator". And this is not without reason, because in most versions of Windows this user exists. Moreover, it cannot be deleted. This simplifies the attacker's job: instead of guessing both a name and a password, you only need to guess the password.
By the way, the system that caught the ransomware had the user Administrator with the password Murmansk#9. I am still not sure how that system was compromised, because I only started monitoring after the incident, but I think brute force is the most likely explanation.
So if the Administrator user cannot be deleted, what should you do? You can rename it!
Recommendations from this section:
- do not use the username in the computer name
- make sure there is no user named Administrator on the system
- use strong passwords
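The three recommendations above can be checked automatically. The following audit script is an added example, not code from the original article; it assumes an elevated PowerShell on Windows 10 / Server 2016 or later, and the ignore list and the 12-character password floor are assumed defaults.

```powershell
# Added example, not from the original article: audit a host against the three
# recommendations above. Run in an elevated PowerShell on Windows 10 / Server 2016 or later
# (uses Get-LocalUser from the built-in Microsoft.PowerShell.LocalAccounts module).

function Test-RdpAccountHygiene {
    param(
        # built-in accounts that are not meaningful brute-force targets here (assumed list)
        [string[]]$IgnoreNames = @('DefaultAccount', 'Guest', 'WDAGUtilityAccount'),
        [int]$MinPasswordLength = 12   # assumed policy floor; adjust to your own
    )
    $findings  = @()
    $hostName  = $env:COMPUTERNAME
    # DESKTOP-DFTHD7C -> 'DESKTOP', 'DFTHD7C': exactly the fragment attackers tried as a login
    $hostParts = $hostName -split '[-_.]' | Where-Object { $_ }

    foreach ($user in Get-LocalUser) {
        if ($IgnoreNames -contains $user.Name) { continue }

        # 1) a username that is a fragment of the computer name (comparison is case-insensitive;
        #    names shorter than 3 characters are skipped to avoid noise)
        if ($user.Name.Length -ge 3 -and
            ($hostParts -contains $user.Name -or $hostName -like "*$($user.Name)*")) {
            $findings += "User '$($user.Name)' can be derived from hostname '$hostName'; rename one of them."
        }

        # 2) the built-in Administrator is identified by RID 500, which survives a rename,
        #    so only the default name matters to a brute-forcer
        if ($user.SID.Value -like '*-500' -and $user.Name -eq 'Administrator' -and $user.Enabled) {
            $findings += "Built-in Administrator (RID 500) still has its default name and is enabled; rename it with Rename-LocalUser."
        }
    }

    # 3) passwords themselves cannot be read back, but the local minimum-length policy can
    $line   = (net accounts) | Select-String 'Minimum password length'
    $minLen = [int](($line -replace '\D', ''))
    if ($minLen -lt $MinPasswordLength) {
        $findings += "Minimum password length is $minLen; enforce at least $MinPasswordLength for RDP users."
    }

    if ($findings.Count -eq 0) { 'OK: no findings' } else { $findings }
}

Test-RdpAccountHygiene
```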
So, I have been watching several Windows Servers under my control being brute-forced for almost two years now, and without success.
How do I know it was unsuccessful?
Because in the screenshots above you can see that there are logs of successful RDP logins, which contain the information:
- from which IP
- from which computer (hostname)
- username
- GeoIP data
And I check them regularly: nothing suspicious has been found.
By the way, if a particular IP is brute-forcing especially hard, you can block individual IPs (or subnets) like this in PowerShell:
New-NetFirewallRule -Direction Inbound -DisplayName "fail2ban" -Name "fail2ban" -RemoteAddress ("185.143.0.0/16", "185.153.0.0/16", "193.188.0.0/16") -Action Block
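The manual block above can be turned into the fail2ban-like loop the text says is missing for Windows. This is an added example, not code from the article or from any of the projects it mentions; it assumes an elevated session, that Security event 4625 carries the client address in its IpAddress field (with NLA enabled that field is often "-", so the RdpCoreTS operational log, event 140, is read as well), and the 20-failures-per-hour threshold is an assumed default.

```powershell
# Added example, not from the original article: a minimal fail2ban-like loop built on the
# block rule above. It counts failed RDP logons per source IP over the last hour and adds
# offenders to the 'fail2ban' rule, keeping whatever addresses are already on it.
# Assumptions: run elevated; Security event 4625 carries the client IP in 'IpAddress' (with
# NLA on it is often '-', so the RdpCoreTS operational log, event 140, is read as well).

function Get-FailedRdpSources {
    param([int]$MinutesBack = 60)
    $since = (Get-Date).AddMinutes(-$MinutesBack)
    $ips = @()

    # Security log: 4625 = "An account failed to log on"; type 10 = RemoteInteractive, type 3 = NLA
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            if ($data['LogonType'] -in '3', '10' -and $data['IpAddress'] -match '^\d{1,3}(\.\d{1,3}){3}$') {
                $ips += $data['IpAddress']
            }
        }

    # RDP core log: event 140 = "connection from the client computer with an IP address of X
    # failed because the user name or password is not correct" (message text assumed as observed)
    $rdpLog = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
    Get-WinEvent -FilterHashtable @{ LogName = $rdpLog; Id = 140; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.Message -match '(\d{1,3}(\.\d{1,3}){3})') { $ips += $Matches[1] } }

    $ips | Group-Object | Select-Object Name, Count
}

function Block-RdpBruteForcers {
    param([int]$Threshold = 20, [int]$MinutesBack = 60, [string]$RuleName = 'fail2ban')
    $offenders = Get-FailedRdpSources -MinutesBack $MinutesBack |
        Where-Object { $_.Count -ge $Threshold } | Select-Object -ExpandProperty Name
    if (-not $offenders) { return 'Nothing to block' }

    $rule = Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue
    if ($rule) {
        # merge with the addresses already on the rule so earlier manual blocks survive
        $current = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        $merged  = @($current) + @($offenders) | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique
        Set-NetFirewallRule -Name $RuleName -RemoteAddress $merged
    } else {
        New-NetFirewallRule -Direction Inbound -DisplayName $RuleName -Name $RuleName `
            -RemoteAddress $offenders -Action Block | Out-Null
    }
    "Blocked: $($offenders -join ', ')"
}
Block-RdpBruteForcers
```

Schedule the script with Task Scheduler (for example every 10 minutes) to get the automatic banning behaviour; the rule's address list is the only state it keeps.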
By the way, Elastic, besides Winlogbeat, has
Well, the final recommendations:
- Do regular automatic backups.
- Install security updates on time.
Bonus: the 50 usernames most often used in RDP login attempts
user.name: Descending    count
dfthd7c (hostname)    842941
winsrv1 (hostname)    266525
MAI GABATARWA    180678
shugaba    163842
Administrator    53541
michael    23101
uwar garken    21983
steve    21936
Yahaya    21927
Paul    21913
liyafar    21909
mike    21899
ofishin    21888
na'urar daukar hotan takardu    21887
scan    21867
david    21865
Chris    21860
owner    21855
kocin    21852
gudanarwa    21841
Brian    21839
shugaba    21837
mark    21824
ma'aikatan    21806
ADMIN    12748
Akidar    7772
MAI GABATARWA    7325
TAIMAKO    5577
TAMBAYA    5418
Mai amfani    4558
admin    2832
TEST    1928
MySql    1664
Admin    1652
GASKIYA    1322
MAI AMFANI1    1179
SAURARA    1121
SCAN    1032
MAI GABATARWA    842
ADMIN1    525
Ajiyayyen    518
MySqlAdmin    518
KARBA    490
MAI AMFANI2    466
TEMP    452
SQLADMIN    450
MAI AMFANI3    441
1    422
MANAJIRA    418
MAI ABU    410
source: www.habr.com