My unrealized project. A network of 200 MikroTik routers


Hello everyone. This article is intended for those who have many MikroTik devices in their fleet and want to unify them as far as possible so as not to configure each device by hand. In it I describe a project which, however, never reached production, for reasons of the human kind. In short: more than 200 routers, quick setup and staff training, grouping by region, web filtering and specific hosts, the ability to add rules to all devices easily, logging and control.

What is shown below does not claim to be a finished case, but I hope it will be useful to you when planning your network and minimising errors. Some of the terms and solutions may not seem entirely correct to you; if so, write in the comments. Criticism of this case will become knowledge for the common pool. So, dear reader, look through the comments: the author may have made mistakes, and the community will help.

The number of routers is 200-300, spread across different cities with different kinds of network connectivity. Everything has to be done elegantly, and the local administrators have to be shown clearly how it all works.

So, where does any project start? Of course, with the technical specification.

  1. Draw up a network plan for all branches according to the customer's requirements, with segmentation of the network (from 3 to 20 subnets per branch, depending on the number of devices).
  2. Configure the devices in each branch. Check the provider's real speed under different operating conditions.
  3. Configure device protection, whitelist management, detection of attacks with automatic blacklisting for a certain time, minimising exposure to the various techniques used to intercept management access and deny service.
  4. Configure secure VPN connections with web filtering according to the customer's requirements. At least 3 VPN connections from each branch to the centre.
  5. Based on points 1 and 2, choose the best ways to build fault-tolerant VPNs. If properly justified, the dynamic routing technology may be chosen by the contractor.
  6. Configure traffic prioritisation by protocols, ports, hosts and the specific services the customer uses (VOIP, hosts with critical services).
  7. Configure monitoring and logging of router events so that the technical support staff can respond.

As we understand, in some cases the technical specification is drawn up from the requirements. I formulated these requirements myself, after listening to the main problems. This allowed for the possibility that someone could take care of these areas.

What tools will implement these requirements:

  1. ELK stack (after a while it became clear that fluentd would be used instead of logstash).
  2. Ansible. For ease of management and sharing we will use AWX.
  3. GITLAB. No need to explain here. Where would we be without version control of our configs?
  4. PowerShell. There will be a simple script for the initial generation of the config.
  5. DokuWiki, for documentation and guides. In this case we use habr.com.
  6. Monitoring will be done through zabbix. A connection diagram will also be drawn there for general understanding.

EFK configuration points

On the first point I will describe only the idea on which the indexes are built. There are many excellent articles on configuring and receiving logs from devices running MikroTik.

I will dwell on a few points:

1. According to the diagram, we have to allow for receiving logs from different places and on different ports. For this we will use a log aggregator. We also want to build universal charts for all routers with the ability to share them. Then we build the indexes like this:

Here is a fragment of the fluentd config, elasticsearch output type:

    @type elasticsearch
    logstash_format true
    index_name mikrotiklogs.north
    logstash_prefix mikrotiklogs.north
    flush_interval 10s
    hosts elasticsearch:9200
    port 9200

In this way we can group routers and segment them according to the plan: mikrotiklogs.west, mikrotiklogs.south, mikrotiklogs.east. Why make it so complicated? We understand that we will have 200 or more devices. You cannot keep track of everything. With elasticsearch version 6.8 the security settings are available to us (without buying a licence), so we can distribute the viewing rights between the technical support staff or the local system administrators.
Tables, charts: you have to agree on using the same ones, or everyone does what is convenient for them.

2. On logging. If we log firewall rules, we give them names without spaces. It is clear that with a simple config in fluentd we can filter the data and make convenient panels. The picture below is my home router.

[image: dashboard of the author's home router]

3. On disk space and logs. On average, with 1000 messages per hour, the logs take 2-3 MB per day; you won't notice it. Elasticsearch version 7.5.
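To show why the article insists on rule names without spaces, here is an added example (not part of the original article): a small Python parser for the line layout that RouterOS firewall rules produce when logged, followed by the aggregation a dashboard panel would do. The sample lines are constructed (documentation address ranges, no real router), and the field layout and the rule names are assumptions of this example. A prefix that contains a space makes the line unparseable, which is exactly what happens to the fluentd filter on the panel.

```python
import re
from collections import Counter

# Layout of a RouterOS firewall log line as forwarded over syslog:
# topics, optional log-prefix, chain, interfaces, optional MAC, protocol
# (with TCP flags), src->dst with ports, length. The log-prefix is read as a
# single whitespace-free token, hence "rule names without spaces".
FIREWALL_RE = re.compile(
    r"^(?P<topics>[\w,]+) "
    r"(?:(?P<prefix>\S+) )?"
    r"(?P<chain>input|output|forward): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>[^,]+), "
    r"(?:src-mac (?P<src_mac>[0-9a-fA-F:]{17}), )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]+)\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, "
    r"len (?P<length>\d+)$"
)

# Constructed sample lines (not captured from a real device). The last one
# carries a log-prefix with a space in it, the mistake the article warns about.
SAMPLE_LINES = [
    "firewall,info drop_port_scan input: in:ether1 out:(unknown 0), src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 203.0.113.5:51234->198.51.100.1:22, len 60",
    "firewall,info drop_port_scan input: in:ether1 out:(unknown 0), src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 203.0.113.5:51235->198.51.100.1:23, len 60",
    "firewall,info allow_voip forward: in:bridge1 out:ether1, src-mac 00:0c:29:dd:ee:ff, proto UDP, 172.22.4.10:5060->198.51.100.20:5060, len 540",
    "firewall,info drop ssh input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.9:40001->198.51.100.1:22, len 60",
]


def parse_firewall_line(line):
    """Return the named fields of one firewall log line, or None when the line
    does not follow the expected layout (for example a prefix with a space)."""
    m = FIREWALL_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sport", "dport", "length"):
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields


def count_by_prefix(lines):
    """Hits per rule prefix (the field a panel aggregates on) plus the lines
    that could not be parsed and therefore never reach any panel."""
    counts = Counter()
    unparsed = []
    for line in lines:
        fields = parse_firewall_line(line)
        if fields is None:
            unparsed.append(line)
        else:
            counts[fields["prefix"] or "(no prefix)"] += 1
    return dict(counts), unparsed


def sources_for_prefix(lines, prefix):
    """Source addresses that hit one rule, most frequent first: the raw
    material for the 'blacklist for a while' point of the specification."""
    hits = Counter()
    for line in lines:
        fields = parse_firewall_line(line)
        if fields and fields["prefix"] == prefix:
            hits[fields["src"]] += 1
    return hits.most_common()


if __name__ == "__main__":
    counts, unparsed = count_by_prefix(SAMPLE_LINES)
    print("hits per rule:", counts)
    print("unparsed lines:", unparsed)
    print("sources for drop_port_scan:", sources_for_prefix(SAMPLE_LINES, "drop_port_scan"))
```

The unparsed list is the check worth keeping in production: a rule whose prefix quietly breaks the parser disappears from the dashboards rather than raising an error.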

ANSIBLE.AWX

Fortunately for us, there is a ready-made module for routeros.
I said I would talk about AWX, but the commands below refer to ansible in its pure form; I think those who have worked with ansible will have no trouble using awx through the gui.

To be honest, before this I looked at other guides where ssh was used, and they had various problems with response time and a bunch of other issues. I repeat, it never reached production; take this information as an experiment that did not go beyond a test bench of 20 routers.

We need to use either a certificate or an account. It's up to you; I am for certificates. A simple thought about rights. I gave write rights; at a minimum, "reset config" will not work.

There are no problems creating, copying and importing the certificate:

Short command guide. On your PC:

    ssh-keygen -t rsa

Answer the questions, save the key. Copy it to the mikrotik:

    /user ssh-keys import public-key-file=id_mtx.pub user=ansible

First you need to create the account and grant it rights. Checking the connection using the certificate (the router address is a placeholder here):

    ssh -p 49475 -i /keys/mtx ansible@<router address>

Register the routers in /etc/ansible/hosts (vi /etc/ansible/hosts):

    MT01 ansible_network_os=routeros ansible_ssh_port=49475 ansible_ssh_user=ansible
    MT02 ansible_network_os=routeros ansible_ssh_port=49475 ansible_ssh_user=ansible
    MT03 ansible_network_os=routeros ansible_ssh_port=49475 ansible_ssh_user=ansible
    MT04 ansible_network_os=routeros ansible_ssh_port=49475 ansible_ssh_user=ansible

Well, an example playbook:

    - name: add_work_sites
      hosts: testmt
      serial: 1
      connection: network_cli
      remote_user: mikrotik.west
      gather_facts: yes
      tasks:
        - name: add Work_sites
          routeros_command:
            commands:
              - /ip firewall address-list add address=gov.ru list=work_sites comment=Ticket665436_Ochen_nado
              - /ip firewall address-list add address=habr.com list=work_sites comment=for_habr

As you can see from the configuration above, writing your own playbooks is not difficult. It is enough to know the mikrotik cli well. Imagine a situation where you need to remove an address-list entry with certain data on all routers; then:

Find and remove:

    /ip firewall address-list remove [find address="gov.ru"]

I have not included the entire firewall list here because... it will be individual for each project. But one thing I can say for sure: use only address lists.

With GITLAB everything is clear. I will not dwell on it. Everything is nicely arranged by individual tasks, branches and assignees.

PowerShell

There are 3 files here. Why powershell? You can choose any tool for generating configs, whichever is more convenient for you. In this case everyone has Windows on their PC, so why do it in bash when powershell is more convenient. Whatever is easier for whom.

The script itself (simple and clear); the parameter names here are made consistent with the variables used in the pipeline (the original had $EXTERNALIPADDDRESS, $CClients and $ServerCertificate declared but $EXTERNALIPADDRESS, $CClientss and $ServerCertificates used, so the last three placeholders were replaced with empty strings):

    [CmdletBinding()] Param(
        [Parameter(Mandatory=$true)] [string]$EXTERNALIPADDRESS,
        [Parameter(Mandatory=$true)] [string]$EXTERNALIPROUTE,
        [Parameter(Mandatory=$true)] [string]$BWorknets,
        [Parameter(Mandatory=$true)] [string]$CWorknets,
        [Parameter(Mandatory=$true)] [string]$BVoipNets,
        [Parameter(Mandatory=$true)] [string]$CVoipNets,
        [Parameter(Mandatory=$true)] [string]$CClients,
        [Parameter(Mandatory=$true)] [string]$BVPNWORKs,
        [Parameter(Mandatory=$true)] [string]$CVPNWORKs,
        [Parameter(Mandatory=$true)] [string]$BVPNCLIENTSs,
        [Parameter(Mandatory=$true)] [string]$CVPNCLIENTSs,
        [Parameter(Mandatory=$true)] [string]$NAMEROUTER,
        [Parameter(Mandatory=$true)] [string]$ServerCertificate,
        [Parameter(Mandatory=$true)] [string]$infile,
        [Parameter(Mandatory=$true)] [string]$outfile
    )

    # Read the template line by line, replace each placeholder token with the
    # value passed in, and write the result to the output file.
    Get-Content $infile | ForEach-Object {$_.Replace("EXTERNIP", $EXTERNALIPADDRESS)} |
    ForEach-Object {$_.Replace("EXTROUTE", $EXTERNALIPROUTE)} |
    ForEach-Object {$_.Replace("BWorknet", $BWorknets)} |
    ForEach-Object {$_.Replace("CWorknet", $CWorknets)} |
    ForEach-Object {$_.Replace("BVoipNet", $BVoipNets)} |
    ForEach-Object {$_.Replace("CVoipNet", $CVoipNets)} |
    ForEach-Object {$_.Replace("CClients", $CClients)} |
    ForEach-Object {$_.Replace("BVPNWORK", $BVPNWORKs)} |
    ForEach-Object {$_.Replace("CVPNWORK", $CVPNWORKs)} |
    ForEach-Object {$_.Replace("BVPNCLIENTS", $BVPNCLIENTSs)} |
    ForEach-Object {$_.Replace("CVPNCLIENTS", $CVPNCLIENTSs)} |
    ForEach-Object {$_.Replace("MYNAMERROUTER", $NAMEROUTER)} |
    ForEach-Object {$_.Replace("ServerCertificate", $ServerCertificate)} | Set-Content $outfile

Forgive me, I cannot post all the rules because... it would not look very nice. You can write the rules yourself, guided by best practices.

For example, here is the list of links I followed:

    wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
    wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
    wiki.mikrotik.com/wiki/Manual:OSPF-examples
    wiki.mikrotik.com/wiki/Drop_port_scanners
    wiki.mikrotik.com/wiki/Manual:Winbox
    wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS
    wiki.mikrotik.com/wiki/Manual:IP/Fasttrack

On Fasttrack: you need to know that when fasttrack is used, traffic prioritisation and the filter rules do not apply; it is needed for weak devices.

Designations for the variables. These networks are taken as an example:

    192.168.0.0/24   work network
    172.22.4.0/24    VOIP network
    10.0.0.0/24      network for clients without access to the local network
    192.168.255.0/24 VPN network for large branches
    172.19.255.0/24  VPN network for small ones

A network address is 4 decimal numbers, i.e. A.B.C.D; the substitution works on the same logic: if the script asks for B at the start, then for the network 192.168.0.0/24 you enter 168, and for C you enter 0.

    $EXTERNALIPADDRESS - the address allocated by the provider.
    $EXTERNALIPROUTE - the default route to the network 0.0.0.0/0
    $BWorknets - work network, in our example 168
    $CWorknets - work network, in our example 0
    $BVoipNets - VOIP network, in our example 22
    $CVoipNets - VOIP network, in our example 4
    $CClients - network for clients, Internet access only, in our case 0
    $BVPNWORKs - VPN network for large branches, in our example 20
    $CVPNWORKs - VPN network for large branches, in our example 255
    $BVPNCLIENTSs - VPN network for small branches, here 19
    $CVPNCLIENTSs - VPN network for small branches, here 255
    $NAMEROUTER - router name
    $ServerCertificate - the name of the certificate you imported earlier
    $infile - the path to the file from which we read the config, for example D:config.txt (preferably an English path without spaces or special characters)
    $outfile - the path where the result is saved, for example D:MT-test.txt

Naturally, I changed the addresses in the examples for obvious reasons.

I skipped the topic of detecting attacks and anomalous behaviour; it needs a separate article. But it is worth noting that in this part you can use monitoring of data values from Zabbix plus curl processing of data from elasticsearch.

What you need to pay attention to:

  1. The network plan. It is better to draw it up right away in a readable form. Excel is enough. Unfortunately, I often see networks built on the principle "a new branch has appeared, here's a /24 for you". Nobody thinks about how many devices are expected at a given site or whether it will grow further. For example, a small shop opens where it is known in advance that there will be no more than 10 devices; why allocate a /24? For large branches, on the contrary, they allocate a /24 and there are 500 devices: you can add a network, but it is better to think everything through at once.
  2. Filtering rules. If the project assumes separation of networks and maximum segmentation. Best practices change over time. Previously a PC network and a printer network were separated, but now it is normal not to separate these networks. Common sense is needed: do not create many subnets where they are not needed, and do not merge everything into one network.
  3. "Golden" configurations on all routers. That is, once you have decided on a plan. Everything must be foreseen in advance, and you should try to make all configurations identical; only the address lists and IP addresses differ. If problems arise, the debugging time will be shorter.
  4. Organisational problems are no smaller than technical ones. Lazy people often use "manual" instructions without using the prepared configurations and scripts, which leads to problems out of nowhere.

On routing. OSPF with division into areas was used. But this is a test bench; in production conditions configuring such things is more interesting.

I hope no one is offended that I did not post the router configurations. I think the links will be enough, and then everything depends on the requirements. And of course tests; more tests are needed.

I wish everyone to realise their projects in the new year. Good luck!!!
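The A.B.C.D substitution scheme above has two failure modes the PowerShell pipeline does not catch: an octet typed by hand that does not match the branch's network, and a placeholder left unreplaced in the generated config. The following added example (Python, my own illustration, not the author's script or template) derives the B and C octets from the networks themselves, substitutes all placeholders in a single pass and checks that none remain. The template is constructed for this example and only assumes the first octet fixed per network, as the article's scheme does; the interface names and the www-ssl line are assumptions, not taken from the author's configs.

```python
import ipaddress
import re

# Placeholder tokens, spelled exactly as the article's template uses them.
PLACEHOLDERS = (
    "EXTERNIP", "EXTROUTE", "BWorknet", "CWorknet", "BVoipNet", "CVoipNet",
    "CClients", "BVPNWORK", "CVPNWORK", "BVPNCLIENTS", "CVPNCLIENTS",
    "MYNAMERROUTER", "ServerCertificate",
)

# One alternation, longest token first, so a token that is a prefix of another
# can never be matched partially.
PLACEHOLDER_RE = re.compile(
    "|".join(re.escape(p) for p in sorted(PLACEHOLDERS, key=len, reverse=True))
)

# Constructed template (not the author's config.txt); interface names are assumed.
TEMPLATE = """\
/system identity set name=MYNAMERROUTER
/ip address add address=EXTERNIP interface=ether1
/ip route add dst-address=0.0.0.0/0 gateway=EXTROUTE
/ip address add address=192.BWorknet.CWorknet.1/24 interface=bridge-work
/ip address add address=172.BVoipNet.CVoipNet.1/24 interface=bridge-voip
/ip address add address=10.0.CClients.1/24 interface=bridge-clients
/ip firewall address-list add list=vpn_big address=192.BVPNWORK.CVPNWORK.0/24
/ip firewall address-list add list=vpn_small address=172.BVPNCLIENTS.CVPNCLIENTS.0/24
/ip firewall filter add chain=forward src-address=10.0.CClients.0/24 dst-address=192.BWorknet.CWorknet.0/24 action=drop comment=clients_no_lan
/ip service set www-ssl certificate=ServerCertificate disabled=no
"""


def octets_bc(network):
    """B and C octets of an IPv4 /24, refusing anything the A.B.C.D scheme
    cannot express (other prefix lengths, host bits set, IPv6)."""
    net = ipaddress.ip_network(network, strict=True)  # raises if host bits are set
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError(f"{network}: the template scheme expects an IPv4 /24")
    _a, b, c, _d = str(net.network_address).split(".")
    return b, c


def build_values(external_ip, external_route, work_net, voip_net, clients_net,
                 vpn_big_net, vpn_small_net, router_name, certificate):
    """Turn one branch's networks into the placeholder -> value mapping."""
    ipaddress.ip_interface(external_ip)   # e.g. 198.51.100.2/30; raises if malformed
    ipaddress.ip_address(external_route)  # the default gateway
    if not re.fullmatch(r"[A-Za-z0-9_-]+", router_name):
        raise ValueError("router name must be a single token without spaces")
    b_work, c_work = octets_bc(work_net)
    b_voip, c_voip = octets_bc(voip_net)
    _b_cl, c_cl = octets_bc(clients_net)
    b_big, c_big = octets_bc(vpn_big_net)
    b_small, c_small = octets_bc(vpn_small_net)
    return {
        "EXTERNIP": external_ip, "EXTROUTE": external_route,
        "BWorknet": b_work, "CWorknet": c_work,
        "BVoipNet": b_voip, "CVoipNet": c_voip,
        "CClients": c_cl,
        "BVPNWORK": b_big, "CVPNWORK": c_big,
        "BVPNCLIENTS": b_small, "CVPNCLIENTS": c_small,
        "MYNAMERROUTER": router_name, "ServerCertificate": certificate,
    }


def render(template, values):
    """Substitute every placeholder in one pass; a substituted value is never
    rescanned, which chained Replace() calls cannot guarantee."""
    missing = [p for p in PLACEHOLDERS if p not in values]
    if missing:
        raise KeyError(f"no value for {missing}")
    return PLACEHOLDER_RE.sub(lambda m: values[m.group(0)], template)


def leftover_placeholders(text):
    """Placeholder tokens present in text. Run on the rendered output, a
    non-empty result means the config would reach a router with literal
    placeholder text in it (or a value itself contains a token): check before deploying."""
    return sorted(set(PLACEHOLDER_RE.findall(text)))


if __name__ == "__main__":
    values = build_values("198.51.100.2/30", "198.51.100.1",
                          "192.168.0.0/24", "172.22.4.0/24", "10.0.0.0/24",
                          "192.168.255.0/24", "172.19.255.0/24",
                          "MT-test", "mt-test-cert")
    output = render(TEMPLATE, values)
    assert not leftover_placeholders(output)
    print(output)
```

The networks passed in are the example networks listed above, so the derived octets (168/0 for work, 22/4 for VOIP) can be compared against the table by eye; the external address and gateway are documentation-range values chosen for the example.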

Source: www.habr.com
