I want to share with the community a simple and working way of using Mikrotik to protect your network, and the services "peeking out" from behind it, against external attacks. Namely, three rules that set up a honeypot on Mikrotik.
So, imagine we have a small office with an external IP, behind which there is an RDP server for employees working remotely. The first rule, of course, is to change port 3389 on the external side to something else. But that doesn't help for long: after a couple of days the terminal server's audit log starts showing several failed logins per second from unknown clients.
Another situation: you have Asterisk hidden behind Mikrotik, naturally not on udp port 5060, and after a couple of days password guessing begins... yes, yes, I know, fail2ban is our everything, but you still have to work at it... for example, I installed it on ubuntu 18.04 and was surprised to find that out of the box fail2ban did not contain current settings for the asterisk from the same box of the same ubuntu distribution... because the ready-made "recipes" no longer work, release numbers have been growing for years, articles with "recipes" for old versions no longer work, and new ones almost never appear...
So, what is a honeypot, in short: in our case a honeypot is some well-known port on the external IP, and any request to this port from an external client sends the src address to a blacklist. That's all.
```
/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" connection-state=new dst-port=22,3389,8291 in-interface=ether4-wan protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" address-list-timeout=30d0h0m chain=input comment="block honeypot asterisk" connection-state=new dst-port=5060 in-interface=ether4-wan protocol=udp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list="Honeypot Hacker"
```
The first rule, on the popular TCP ports 22, 3389, 8291 of the external ether4-wan, sends the "guest" IP to the "Honeypot Hacker" list (the ssh, rdp and winbox ports were disabled beforehand and moved to other numbers). The second does the same on the popular UDP 5060.
The third rule, at the prerouting stage, drops packets from "guests" whose src-address is in "Honeypot Hacker".
After two weeks of operation on my home Mikrotik, the "Honeypot Hacker" list held about one and a half thousand IP addresses of those wanting to "latch onto" my network resources (at home I have my own telephony, mail, nextcloud, rdp). The brute-force attacks stopped; happiness arrived.
At work it wasn't that simple: there they keep trying to break into the rdp server by brute-forcing passwords.
Apparently the port number was determined by a scanner long before the honeypot was launched, and during quarantine it isn't so easy to reconfigure more than 100 users, 20% of whom are over 65. For when the port can't be changed, there is a small recipe. I saw something similar on the Internet, but there are some additions and fine-tuning involved:
Rules for setting up Port Knocking
```
/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist address-list-timeout=15m chain=forward comment=rdp_to_blacklist connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage12
add action=add-src-to-address-list address-list=rdp_stage12 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage11
add action=add-src-to-address-list address-list=rdp_stage11 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage10
add action=add-src-to-address-list address-list=rdp_stage10 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage9
add action=add-src-to-address-list address-list=rdp_stage9 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage8
add action=add-src-to-address-list address-list=rdp_stage8 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage7
add action=add-src-to-address-list address-list=rdp_stage7 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage6
add action=add-src-to-address-list address-list=rdp_stage6 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage5
add action=add-src-to-address-list address-list=rdp_stage5 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage4
add action=add-src-to-address-list address-list=rdp_stage4 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=rdp_blacklist
```
Within 4 minutes, a remote client is allowed to make 12 new "requests" to the RDP server. One login attempt is 1 to 4 "requests". On the 12th "request": a ban for 15 minutes. In my case the attackers did not stop hacking the server; they adjusted their timers and now work very slowly, and at that guessing rate the effectiveness of the attack drops to zero. The company's employees experience no inconvenience at work from the measures taken.
Another small trick
This rule is enabled on a schedule at 5 a.m.
```
/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist address-list-timeout=1w0d0h0m chain=forward comment="night_rdp_blacklist" connection-state=new disabled=yes dst-port=3389 protocol=tcp src-address-list=rdp_stage8
```
Already on the 8th connection the attacker's IP is blacklisted for a week. Beautiful!
Well, in addition to the above, I will add a link to a Wiki article with a working setup for protecting Mikrotik from network scanners.
On my devices this setup works alongside the honeypot rules shown above, complementing them nicely.
UPD: As suggested in the comments, the packet drop rule has been moved to RAW to reduce the load on the router.
Source: www.habr.com