🥇Two-factor authentication rau cov neeg siv VPN ntawm MikroTik thiab SMS

Nyob zoo cov npoj yaig! Niaj hnub no, thaum qhov kev mob siab rau ib puag ncig "kev ua haujlwm nyob deb" txo qis me ntsis, feem ntau ntawm cov thawj coj tau yeej txoj haujlwm ntawm kev nkag mus rau thaj chaw deb ntawm cov neeg ua haujlwm rau lub tuam txhab network, nws yog lub sijhawm los qhia kuv cov kev paub ntev hauv kev txhim kho VPN kev ruaj ntseg. Kab lus no yuav tsis zam tam sim no IPSec IKEv2 thiab xAuth. Nws yog hais txog kev tsim lub system. Ob-factor authentication (2FA) Cov neeg siv VPN thaum MikroTik ua raws li VPN server. Namely, thaum "classic" raws tu qauv xws li PPP siv.

Hnub no kuv yuav qhia koj yuav ua li cas tiv thaiv MikroTik PPP-VPN txawm tias "hijacking" ntawm tus neeg siv nyiaj. Thaum lub tswv yim no tau qhia rau ib tus ntawm kuv cov neeg siv khoom, nws tau piav qhia luv luv tias "zoo, tam sim no nws zoo li hauv txhab nyiaj!"

Cov txheej txheem tsis siv cov kev pabcuam kev lees paub sab nraud. Cov dej num yog ua nyob rau hauv lub router nws tus kheej. Tsis muaj nqi rau tus neeg siv khoom txuas. Txoj kev ua haujlwm rau ob qho tib si PC cov neeg siv khoom thiab cov khoom siv mobile.

Txoj kev tiv thaiv dav dav yog raws li nram no:

Qhov chaw nyob IP sab hauv ntawm tus neeg siv uas tau ua tiav txuas nrog VPN server tau txais greylisted.
Cov xwm txheej kev sib txuas cia li tsim ib qho code ib zaug uas xa mus rau tus neeg siv uas siv ib txoj hauv kev muaj.
Cov chaw nyob hauv daim ntawv teev npe no muaj kev txwv tsis pub nkag mus rau cov peev txheej hauv zos hauv zos, tshwj tsis yog cov kev pabcuam "authenticator", uas tos kom tau txais ib zaug passcode.
Tom qab nthuav tawm cov cai, tus neeg siv tau nkag mus rau cov peev txheej sab hauv ntawm lub network.

Ua Ntej Qhov teeb meem me tshaj plaws uas kuv yuav tsum tau ntsib yog khaws cov ntaub ntawv tiv tauj ntawm tus neeg siv kom xa nws 2FA code. Txij li thaum nws tsis tuaj yeem tsim cov ntaub ntawv tsis txaus ntseeg sib xws rau cov neeg siv hauv Mikrotik, qhov "comment" tam sim no tau siv:

/ppp secrets ntxiv lub npe = Petrov password = 4M@ngr! comment = "89876543210"

Qhov thib ob qhov teeb meem tau dhau los ua qhov hnyav dua - qhov kev xaiv ntawm txoj kev thiab txoj kev xa cov cai. Peb lub tswv yim tam sim no tau ua tiav: a) SMS ntawm USB-modem b) e-mail c) SMS ntawm e-mail muaj rau cov neeg siv khoom ntawm cov neeg siv xov tooj liab.

Yog lawm, SMS schemes coj cov nqi. Tab sis yog tias koj saib, "kev ruaj ntseg yog ib txwm hais txog nyiaj" (c).
Kuv tus kheej tsis nyiam lub tswv yim nrog e-mail. Tsis yog vim nws xav kom cov neeg xa ntawv tuaj yeem muaj rau cov neeg siv khoom raug lees paub - nws tsis yog teeb meem rau kev faib tsheb. Txawm li cas los xij, yog tias tus neeg siv tsis quav ntsej khaws cov passwords rau ob qho tib si VPN thiab email hauv qhov browser, thiab tom qab ntawd poob nws lub laptop, tus neeg tawm tsam yuav tau txais kev nkag mus rau cov tuam txhab network los ntawm nws.

Yog li, nws tau txiav txim siab - peb xa cov lej ib zaug siv SMS lus.

Thib peb Qhov teeb meem nyob qhov twg Yuav ua li cas los tsim ib tug pseudo-random code rau 2FA hauv MikroTik. Tsis muaj qhov sib piv ntawm random() muaj nuj nqi hauv RouterOS scripting lus, thiab kuv tau pom ob peb lub crutch tsab ntawv pseudo-random tooj generators ua ntej. Kuv tsis nyiam ib qho ntawm lawv vim ntau yam.

Qhov tseeb, muaj pseudo-random generator hauv MikroTik! Nws tau muab zais los ntawm qhov pom qhov muag pom nyob rau hauv cov ntsiab lus ntawm / ntawv pov thawj scep-server. Thawj txoj kev tau txais ib lo lus zais ib zaug yog qhov yooj yim thiab yooj yim - nrog cov lus txib /certificates scep-server otp tsim. Yog tias peb ua qhov kev ua haujlwm yooj yim sib txawv, peb yuav tau txais tus nqi array uas tuaj yeem siv tom qab hauv cov ntawv sau.

Qhov thib ob tau txais ib lo lus zais ib zaug uas kuj yooj yim rau kev thov - siv cov kev pabcuam sab nraud random.org los tsim cov yam xav tau ntawm cov kab ke ntawm pseudo-random tus lej. Ntawm no yog ib qho yooj yim cantilevered piv txwv ntawm kev muab cov ntaub ntawv rau hauv ib qho kev sib txawv:

code
:global rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user ]->"da ta") 1 6] :put $rnd1

Ib daim ntawv thov formatted rau lub console (tseem ceeb cov cim tshwj xeeb yuav tsum tau nyob rau hauv tsab ntawv lub cev) tau txais ib txoj hlua ntawm rau tus lej rau hauv $ rnd1 sib txawv. Cov lus txib "muab" hauv qab no tsuas yog qhia qhov sib txawv hauv MikroTik console.

Qhov teeb meem plaub uas yuav tsum tau daws sai sai yog yuav ua li cas thiab qhov twg cov neeg siv txuas txuas yuav xa nws cov lej ib zaug ntawm theem thib ob ntawm kev lees paub.

Yuav tsum muaj kev pabcuam ntawm MikroTik router uas tuaj yeem lees txais cov cai thiab sib phim nrog tus neeg siv khoom tshwj xeeb. Yog hais tias cov cai muab tau raws li qhov xav tau, tus neeg siv khoom qhov chaw nyob yuav tsum tau muab tso rau hauv cov npe "dawb", qhov chaw nyob uas tau tso cai nkag mus rau lub tuam txhab sab hauv network.

Vim qhov kev xaiv tsis zoo ntawm cov kev pabcuam, nws tau txiav txim siab lees txais cov lej ntawm http siv lub webproxy ua rau hauv Mikrotik. Thiab txij li thaum lub firewall tuaj yeem ua haujlwm nrog cov npe dynamic ntawm IP chaw nyob, nws yog lub firewall uas ua qhov kev tshawb nrhiav cov lej, sib piv nrog tus neeg siv khoom IP thiab ntxiv rau cov npe "dawb" siv Layer7 regexp. Lub router nws tus kheej tau muab lub npe DNS raws cai "gw.local", ib daim ntawv A-zoo li qub tau tsim rau nws rau kev xa tawm rau PPP cov neeg siv khoom:

DNS
/ip dns static add name=gw.local address=172.31.1.1

Kev ntes kev khiav tsheb ntawm cov neeg siv tsis tau lees paub ntawm lub npe:
/ip firewall nat add chain=dstnat dst-port=80,443 in-interface=2fa protocol=tcp !src-address-list=2fa_approved action=redirect to-ports=3128

Hauv qhov no, tus neeg sawv cev muaj ob txoj haujlwm.

1. Qhib tcp kev sib txuas nrog cov neeg siv khoom;

2. Nyob rau hauv cov ntaub ntawv ntawm kev tso cai ua tau zoo, redirect tus neeg siv browser mus rau ib nplooj ntawv los yog daim duab ceeb toom txog kev ua tau zoo authentication:

Proxy config
/ip proxy set enabled=yes port=3128 /ip proxy access add action=deny disabled=no redirect-to=gw.local./mikrotik_logo.png src-address=0.0.0.0/0

Kuv yuav teev cov ntsiab lus tseem ceeb ntawm kev teeb tsa:

interface-daim ntawv "2fa" - ib daim ntawv teev npe ntawm cov neeg siv khoom sib cuam tshuam, kev khiav tsheb uas yuav tsum tau ua hauv 2FA;
chaw nyob-daim ntawv "2fa_jailed" - "grey" daim ntawv teev npe ntawm qhov chaw IP chaw nyob ntawm VPN cov neeg siv khoom;
address_list "2fa_approved" - ib daim ntawv teev npe dawb ntawm qhov chaw IP chaw nyob ntawm VPN cov neeg siv khoom uas tau ua tiav ob qhov kev lees paub tseeb.
firewall saw "input_2fa" - nws tshawb xyuas cov pob ntawv tcp rau lub xub ntiag ntawm kev tso cai code thiab phim tus IP chaw nyob ntawm tus lej xa nrog qhov xav tau. Cov cai nyob rau hauv cov saw yog ntxiv thiab tshem tawm dynamically.

Ib daim ntawv qhia yooj yooj yim ntawm kev ua cov pob ntawv zoo li no:

Txhawm rau nkag mus rau hauv Layer7 daim tshev tsheb los ntawm cov neeg siv khoom los ntawm cov npe "grey" uas tseem tsis tau dhau theem thib ob ntawm kev lees paub, txoj cai tau tsim nyob rau hauv tus qauv "cov tswv yim" saw:

code
/ip firewall filter add chain=input !src-address-list=2fa_approved action=jump jump-target=input_2fa

Tam sim no cia peb pib nrawm tag nrho cov nyiaj no rau PPP kev pabcuam. MikroTik tso cai rau koj siv cov ntawv sau hauv cov ntawv (ppp-profile) thiab muab lawv rau cov xwm txheej ntawm kev teeb tsa thiab rhuav tshem kev sib txuas ppp. Cov kev teeb tsa ppp-profile tuaj yeem siv rau ob qho tib si rau PPP server tag nrho thiab rau ib tus neeg siv. Nyob rau hauv cov ntaub ntawv no, qhov profile muab rau tus neeg siv muaj qhov tseem ceeb, overriding nrog nws cov kev txwv tsis pub muaj qhov profile xaiv rau tus neeg rau zaub mov tag nrho.

Raws li qhov tshwm sim ntawm txoj hauv kev no, peb tuaj yeem tsim qhov profile tshwj xeeb rau ob qhov kev lees paub tseeb thiab muab nws tsis yog rau txhua tus neeg siv, tab sis tsuas yog rau cov uas peb xav tias tsim nyog ua li ntawd. Qhov no yuav muaj feem cuam tshuam yog tias koj siv PPP cov kev pabcuam tsis yog los txuas cov neeg siv kawg nkaus xwb, tab sis tib lub sijhawm los tsim kev sib txuas ntawm qhov chaw-rau-site.

Hauv qhov tshiab tsim tshwj xeeb profile, peb siv qhov sib ntxiv ntawm qhov chaw nyob thiab kev sib txuas ntawm cov neeg siv txuas mus rau "grey" cov npe ntawm chaw nyob thiab cov interfaces:

winbox

code
/ppp profile add address-list=2fa_jailed change-tcp-mss=no local-address=192.0.2.254 name=2FA interface-list=2fa only-one=yes remote-address=dhcp_pool1 use-compression=no use-encryption= required use-mpls=no use-upnp=no dns-server=172.31.1.1

Nws yog ib qho tsim nyog yuav tsum siv ob qho "chaw nyob-daim ntawv teev npe" thiab "interface-list" cov npe txhawm rau txheeb xyuas thiab ntes cov tsheb khiav los ntawm cov neeg siv tsis yog tus thib ob VPN hauv dstnat (prorouting) saw.

Thaum qhov kev npaj tiav lawm, ntxiv firewall chains thiab ib tug profile tau tsim, peb yuav sau ib tsab ntawv lub luag hauj lwm rau lub pib-generation ntawm 2FA code thiab ib tug neeg firewall cov cai.

Cov ntaub ntawv wiki.mikrotik.com ntawm PPP-Profile enriches peb nrog cov ntaub ntawv hais txog kev hloov pauv uas cuam tshuam nrog PPP tus neeg siv khoom txuas-tshem tawm cov xwm txheej "Ua ntawv sau rau ntawm tus neeg siv nkag-xws li. Cov no muaj cov hloov pauv uas siv tau rau qhov xwm txheej tsab ntawv: tus neeg siv, chaw nyob hauv zos, chaw nyob deb, tus hu-id, hu-id, interface". Ib txhia ntawm lawv muaj txiaj ntsig zoo rau peb.

Code siv nyob rau hauv profile rau PPP on-up txuas kev tshwm sim

#Логируем для отладки полученные переменные 
:log info (

quot;local-address")

:log info (

quot;remote-address")

:log info (

quot;caller-id")

:log info (

quot;called-id")

:log info ([/int pptp-server get (

quot;interface") name])

#Объявляем свои локальные переменные

:local listname "2fa_jailed"

:local viamodem false

:local modemport "usb2"

#ищем автоматически созданную запись в адрес-листе "2fa_jailed"

:local recnum1 [/ip fi address-list find address=(

quot;remote-address") list=$listname]
#получаем псевдослучайный код через random.org

#:local rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]->"data") 0 4]
#либо получаем псевдослучайный код через локальный генератор

#:local rnd1 [pick ([/cert scep-server otp generate as-value minutes-valid=1]->"password") 0 4 ]
#Ищем и обновляем коммент к записи в адрес-листе. Вносим искомый код для отладки

/ip fir address-list set $recnum1 comment=$rnd1

#получаем номер телефона куда слать SMS

:local vphone [/ppp secret get [find name=$user] comment]
#Готовим тело сообщения. Если клиент подключается к VPN прямо с телефона ему достаточно

#будет перейти прямо по ссылке из полученного сообщения

:local msgboby ("Your code: ".$comm1."n Or open link http://gw.local/otp/".$comm1."/")
# Отправляем SMS по выбранному каналу - USB-модем или email-to-sms

if $viamodem do={

/tool sms send phone-number=$vphone message=$msgboby port=$modemport }

else={

/tool e-mail send server=a.b.c.d [email protected] [email protected] subject="@".$vphone body=$msgboby }
#Генерируем Layer7 regexp

local vregexp ("otp\/".$comm1)

:local vcomment ("2fa_".(

quot;remote-address"))

/ip firewall layer7-protocol add name=(

quot;vcomment") comment=(

quot;remote-address") regexp=(

quot;vregexp")
#Генерируем правило проверяющее по Layer7 трафик клиента в поисках нужного кода

#и небольшой защитой от брутфорса кодов с помощью dst-limit

/ip firewall filter add action=add-src-to-address-list address-list=2fa_approved address-list-timeout=none-dynamic chain=input_2fa dst-port=80,443,3128 layer7-protocol=(

quot;vcomment") protocol=tcp src-address=(

quot;remote-address") dst-limit=1,1,src-address/1m40s



Tshwj xeeb tshaj yog rau cov neeg uas nyiam mindlessly luam-paste, kuv ceeb toom rau koj - cov code yog muab los ntawm lub xeem version thiab tej zaum yuav muaj me typos. Nws yuav tsis yooj yim rau tus neeg to taub kom paub tseeb tias qhov twg.
Thaum tus neeg siv disconnects, qhov kev tshwm sim "On-Down" yog tsim thiab cov ntawv sau nrog cov tsis raug hu ua. Lub hom phiaj ntawm tsab ntawv no yog los ntxuav cov kev cai firewall tsim rau tus neeg siv tsis raug.
Code siv nyob rau hauv profile rau PPP on-down txuas tshwm sim
:local vcomment ("2fa_".(

quot;remote-address"))

/ip firewall address-list remove [find address=(

quot;remote-address") list=2fa_approved]
/ip firewall filter remove [find chain="input_2fa" src-address=(

quot;remote-address") ]
/ip firewall layer7-protocol remove [find name=$vcomment]


Tom qab ntawd koj tuaj yeem tsim cov neeg siv thiab muab tag nrho lossis qee tus ntawm lawv mus rau ob qhov kev lees paub qhov tseeb.
winbox


code

/ppp secrets set [find name=Petrov] profile=2FA
Yuav ua li cas nws zoo li ntawm tus neeg siv khoom sab.
Thaum koj tsim kom muaj kev sib txuas VPN, SMS kwv yees li qhov no xa mus rau koj lub xov tooj Android / iOS / ntsiav tshuaj nrog SIM daim npav:
SMS


Yog tias qhov kev sib txuas tau tsim ncaj qha los ntawm lub xov tooj / ntsiav tshuaj, koj tuaj yeem mus dhau 2FA tsuas yog nyem rau ntawm qhov txuas los ntawm cov lus. Nws yooj yim.
Yog tias qhov kev sib txuas VPN tau tsim los ntawm PC, ces tus neeg siv yuav tsum tau nkag mus rau daim ntawv lo lus zais tsawg kawg nkaus. Ib daim ntawv me me hauv daim ntawv HTML yog muab rau tus neeg siv thaum teeb tsa VPN. Cov ntaub ntawv tuaj yeem xa los ntawm kev xa ntawv kom tus neeg siv txuag nws thiab tsim ib qho shortcut nyob rau hauv ib qho chaw yooj yim. Nws zoo li no:
Daim ntawv lo rau ntawm lub rooj


Tus neeg siv nyem rau ntawm qhov shortcut, ib daim ntawv sau npe yooj yim qhib, uas yuav muab cov lej tso rau hauv qhov qhib URL:
Daim duab npo


Daim ntawv tseem ceeb tshaj plaws yog muab ua piv txwv. Cov neeg uas xav tau tuaj yeem hloov kho rau lawv tus kheej.
2 fa_login_mini.html
<html>
<head> <title>SMS OTP login</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> </head>
<body>
<form name="login" action="location.href='http://gw.local/otp/'+document.getElementById(‘text').value"  method="post"
 <input id="text" type="text"/> 
<input type="button" value="Login" onclick="location.href='http://gw.local/otp/'+document.getElementById('text').value"/> 
</form>
</body>
</html>

Yog tias kev tso cai ua tiav, tus neeg siv yuav pom lub logo MikroTik hauv qhov browser, uas yuav tsum tau teeb tsa kev lees paub tiav:

Nco ntsoov tias cov duab raug xa rov qab los ntawm qhov tsim-hauv MikroTik web server siv WebProxy Deny Redirect.
Kuv xav tias cov duab tuaj yeem hloov kho siv lub cuab yeej "hotspot", upload koj tus kheej version nyob ntawd thiab teeb tsa qhov tsis lees txais URL rau nws nrog WebProxy.
Ib qho kev thov loj rau cov neeg uas tab tom sim yuav qhov pheej yig tshaj "khoom ua si" Mikrotik rau $ 20 thiab hloov lub router $ 500 nrog nws - tsis txhob ua li ntawd. Cov khoom siv xws li "hAP Lite" / "hAP mini" (lub tsev nkag mus rau hauv tsev) muaj lub zog CPU tsis muaj zog (smips), thiab nws zoo li lawv yuav tsis tiv nrog cov khoom thauj hauv ntu kev lag luam.
Ceeb toom!  Qhov kev daws teeb meem no muaj ib qho teeb meem: thaum cov neeg siv txuas lossis txiav tawm, kev hloov pauv tau tshwm sim, uas lub router sim khaws cia hauv nws lub cim xeeb uas tsis yog-volatile. Nrog ntau tus neeg siv khoom thiab kev sib txuas thiab kev sib txuas tsis tu ncua, qhov no tuaj yeem ua rau degradation ntawm cov khoom siv sab hauv hauv lub router.
PS: Cov txheej txheem xa cov lej rau cov neeg siv khoom tuaj yeem nthuav dav thiab ntxiv kom deb li deb raws li koj lub peev xwm programming txaus. Piv txwv li, koj tuaj yeem xa cov lus rau hauv xov tooj lossis ... qhia kev xaiv!
Kuv vam tias tsab xov xwm yuav muaj txiaj ntsig zoo rau koj thiab yuav pab ua kom cov tes hauj lwm ntawm cov lag luam me thiab nruab nrab muaj kev nyab xeeb me ntsis.
Tau qhov twg los: www.hab.com

Ob qhov kev lees paub ntawm VPN cov neeg siv ntawm MikroTik thiab SMS