Is it dangerous to keep RDP open on the Internet?

I have read many times the opinion that keeping an RDP (Remote Desktop Protocol) port open to the Internet is very unsafe and should never be done. Instead, RDP access should be given over a VPN, or only from certain "white-listed" IP addresses.

I administer several Windows Servers for small firms, and I was asked to give the accountants remote access to the Windows Server. This is the modern trend: working from home. It quickly became clear that torturing the accountants with a VPN is a thankless task, and collecting all of their IP addresses for a whitelist would not work either, because people's IP addresses are dynamic.

So I took the simplest route: I forwarded the RDP port to the outside. To get in, the accountants only need to start the RDP client and enter the host name (with the port), the user name and the password.

In this article I will share my experience (good and not so good) and my recommendations.

Risks

What do you risk by opening the RDP port?

1) Unauthorized access to sensitive data
If someone guesses the RDP password, they can get at the data you would rather keep private: account status, balances, customer data, ...

2) Data loss
For example, as the result of a ransomware virus.
Or as a deliberate action by the attacker.

3) Loss of a workstation
Employees need to work, but the system has been compromised and has to be reinstalled / restored / reconfigured.

4) Compromise of the local network
Once an attacker has access to one Windows computer, they can use it to reach systems that are not reachable from outside, from the Internet: file shares, network printers, and so on.

I had a case where a Windows Server caught ransomware. The ransomware first encrypted most of the files on the C: drive and then started encrypting files on the NAS over the network. Since the NAS was a Synology with snapshots configured, I restored the NAS in 5 minutes and reinstalled the Windows Server from scratch.

Observations and recommendations

I monitor the Windows Servers with Winlogbeat, which ships the logs to ElasticSearch. Kibana has several visualizations, and I have also set up a custom dashboard.
Monitoring by itself protects nothing, but it helps to decide which measures are needed.

Here are a few observations.
a) RDP will be brute-forced.
On one of the servers I put RDP not on the standard port 3389 but on 443 - fine, I will disguise myself as HTTPS. Moving the port away from the default is probably worth doing, but it does not help much. Here are the statistics from that server:

[screenshot: Kibana dashboard of RDP login attempts on this server]

You can see that in one week there were almost 400 failed attempts to log in via RDP.
You can see that the attempts came from 55 IP addresses (some IP addresses had already been blocked by me).

This leads directly to the conclusion that fail2ban needs to be set up, but there is no equivalent utility for Windows.

There are a couple of abandoned projects on Github that do this, but I have not tried installing them:
https://github.com/glasnt/wail2ban
https://github.com/EvanAnderson/ts_block

There are also some paid utilities, but I have not looked at them.

If you know an open-source tool for this purpose, please share it in the comments.

Update: the comments suggested that port 443 is a bad choice and that it is better to pick a high port (32000+), because 443 is scanned much more often, and recognizing RDP on that port is not a problem.

Update: the comments pointed out that this utility exists:
https://github.com/digitalruby/ipban
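As an added example for observation (a), and not code from the article or from any of the projects linked above, here is a minimal fail2ban-style script in PowerShell. It reads failed logon events (Event ID 4625) from the Security log, counts them per source IP over a time window, and adds the addresses that exceed a threshold to a single inbound block rule, the same kind of rule the article uses later by hand. The function names are mine; the script assumes logon auditing is enabled (the server default), an elevated session, and the built-in Windows Defender Firewall.

```powershell
# Added example: fail2ban-style blocking of RDP brute-force sources on Windows.
# Function names (Get-FailedLogon, Get-BruteForceSource, Block-Source) are mine.

function Get-FailedLogon {
    # Read Event ID 4625 (an account failed to log on) from the last $Minutes
    # and pull the source IP, target user name and logon type out of the XML.
    param([int]$Minutes = 60)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            IpAddress = ($data | Where-Object Name -eq 'IpAddress').'#text'
            UserName  = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'   # 10 = RemoteInteractive, 3 = network (NLA)
        }
    }
}

function Get-BruteForceSource {
    # Group failures by source IP and return only the sources at or above the threshold.
    param(
        [Parameter(ValueFromPipeline)] $Event,
        [int]$Threshold = 20
    )
    begin { $all = @() }
    process { $all += $Event }
    end {
        $all |
            Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' -and $_.IpAddress -ne '127.0.0.1' } |
            Group-Object IpAddress |
            Where-Object Count -ge $Threshold |
            ForEach-Object {
                [pscustomobject]@{
                    IpAddress = $_.Name
                    Failures  = $_.Count
                    Users     = ($_.Group.UserName | Sort-Object -Unique) -join ','
                }
            }
    }
}

function Block-Source {
    # Keep ONE inbound block rule (like the article's "fail2ban" rule) and merge
    # new addresses into its remote-address list instead of creating a rule per IP.
    param([string[]]$IpAddress, [string]$RuleName = 'fail2ban')
    $rule = Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        New-NetFirewallRule -Name $RuleName -DisplayName $RuleName -Direction Inbound `
            -Action Block -RemoteAddress $IpAddress | Out-Null
        return
    }
    $current = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $merged = @($current) + $IpAddress | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique
    $rule | Set-NetFirewallRule -RemoteAddress $merged
}

# Usage: run this on a schedule (e.g. every 10 minutes from Task Scheduler).
$offenders = Get-FailedLogon -Minutes 60 | Get-BruteForceSource -Threshold 20
$offenders | Format-Table -AutoSize
if ($offenders) { Block-Source -IpAddress $offenders.IpAddress }
```

Two points worth knowing before relying on this: with Network Level Authentication enabled, failed RDP logons are recorded with LogonType 3 rather than 10, so the script deliberately does not filter on logon type; and an attacker rotating through many /16 ranges will fill the rule's address list quickly, so a periodic review (or expiry) of the list is still needed, which is exactly the gap the ipban project linked above tries to close.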

b) There are certain user names that attackers prefer
You can see that the guessing is done from a dictionary of various names.
But here is what I noticed: a significant share of the attempts use the server name as the login. Recommendation: do not use the same name for the computer and for the user. Moreover, they sometimes seem to parse the server name: for example, for a system named DESKTOP-DFTHD7C, most of the login attempts use the name DFTHD7C:

[screenshot: Kibana table of attempted user names for this host]

So if you have a computer named DESKTOP-MARIA, you will probably see attempts to log in as the user MARIA.

Another thing I noticed in the logs: on most systems, the majority of login attempts use the name "administrator". This is not without reason, because this user exists in many versions of Windows. Moreover, it cannot be deleted. This makes the attacker's job easier: instead of guessing a name and a password, they only have to guess the password.
By the way, the system that caught the ransomware had the user Administrator with the password Murmansk#9. I am still not sure how that system was hacked, because I only started monitoring after that incident, but I think brute force is the likely explanation.
So if the Administrator user cannot be deleted, what can you do? You can rename it!

Recommendations from this section:

  • do not reuse the computer name as a user name
  • make sure there is no user named Administrator on the system
  • use strong passwords
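As an added example (my own code, not the article's), the following PowerShell function audits a host for the problems this section describes: a built-in Administrator account that is still called "Administrator", local accounts whose name can be derived from the host name (DESKTOP-DFTHD7C gives DFTHD7C), and enabled accounts that do not require a password at all. It assumes Windows 10 / Server 2016 or later, where the LocalAccounts module (Get-LocalUser, Rename-LocalUser) is available, and an elevated session for the -Fix switch. The function name and the replacement account name 'svc-localadm' are my own choices.

```powershell
# Added example: audit (and optionally fix) user-name hygiene on a Windows host.
# Test-UserNameHygiene and the default name 'svc-localadm' are hypothetical names of mine.

function Test-UserNameHygiene {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$Fix,
        [string]$NewAdminName = 'svc-localadm'   # constructed example name; choose your own
    )
    $findings = @()

    # Names an attacker can derive from the host name: the full name and the
    # part after the last hyphen (DESKTOP-DFTHD7C -> DFTHD7C), as seen in the logs.
    $derived = @($ComputerName)
    if ($ComputerName -match '-') { $derived += ($ComputerName -split '-')[-1] }

    foreach ($user in Get-LocalUser) {
        # The built-in Administrator keeps relative ID 500 whatever it is called,
        # so check the SID rather than the name.
        $isBuiltInAdmin = $user.SID.Value -like '*-500'

        if ($isBuiltInAdmin -and $user.Name -eq 'Administrator') {
            $findings += "built-in administrator (RID 500) is still named 'Administrator'"
            if ($Fix) { Rename-LocalUser -Name $user.Name -NewName $NewAdminName }
        }
        # -contains is case-insensitive, so 'dfthd7c' matches 'DFTHD7C'.
        if ($user.Enabled -and ($derived -contains $user.Name)) {
            $findings += "enabled user '$($user.Name)' matches the host name '$ComputerName'"
        }
        if ($user.Enabled -and -not $user.PasswordRequired) {
            $findings += "enabled user '$($user.Name)' does not require a password"
        }
    }

    if ($findings.Count -eq 0) { $findings += 'no issues found' }
    return $findings
}

# Usage: report first, then apply the rename once you have reviewed the output.
Test-UserNameHygiene
# Test-UserNameHygiene -Fix -NewAdminName 'svc-localadm'
```

Renaming only takes away the guaranteed-valid user name that blind password guessing over RDP relies on; anyone who already has an authenticated session can still find the RID 500 account by SID, so the rename complements strong passwords rather than replacing them. On a domain, the same rename can be pushed by Group Policy through the "Accounts: Rename administrator account" security option instead of running this on each host.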

So, I have been watching a couple of Windows Servers under my control being brute-forced for about two years now, and without success.

How do I know there was no success?
Because, as the screenshots above show, there are also logs of the successful RDP logins, which contain:

  • the source IP
  • the source computer (hostname)
  • the user name
  • GeoIP information

And I check them regularly - nothing suspicious has turned up.

By the way, if some IP is particularly persistent, you can block individual IPs (or subnets) like this in PowerShell:

New-NetFirewallRule -Direction Inbound -DisplayName "fail2ban" -Name "fail2ban" -RemoteAddress ("185.143.0.0/16", "185.153.0.0/16", "193.188.0.0/16") -Action Block

By the way, besides Winlogbeat, Elastic also has Auditbeat, which can monitor files and processes on the system. There is also a SIEM (Security Information & Event Management) application in Kibana. I tried both, but did not see much benefit - Auditbeat seems to be more useful on Linux systems, and the SIEM did not show me anything intelligible.

Well, the final recommendations:

  • make regular automatic backups
  • install security updates promptly

Bonus: the 50 user names most often used in RDP login attempts

user.name: Descending        Count

dfthd7c (hostname)           842941
winsrv1 (hostname)           266525
ADMINISTRATOR                180678
administrator                163842
admin                         53541
Michael                       23101
server                        21983
Steve                         21936
john                          21927
paul                          21913
? eaia                        21909
Mike                          21899
oihana                        21888
polokalamu uila               21887
scan NineManga.com            21867
david                         21865
Chris                         21860
owner                         21855
manager                       21852
administrator                 21841
brian                         21839
administrator                 21837
mark                          21824
staff                         21806
ADMIN                         12748
aa                             7772
ADMINISTRATOR                  7325
kokua                          5577
MEDIUM                         5418
User                           4558
Keʻena Luna                    2832
KEKAHI                         1928
MySql                          1664
Keʻena Luna                    1652
KA MANUHU                      1322
User1                          1179
PALAPALA                       1121
SCAN                           1032
ADMINISTRATOR                   842
ADMIN1                          525
KANAKA                          518
MySqlAdmin                      518
ʻĀPAU                           490
User2                           466
TEMP                            452
SQLADMIN                        450
User3                           441
1                               422
ADMIN                           418
ʻona                            410

Source: www.habr.com
