A simple way to protect your Mikrotik from attacks

I want to share with the community a simple and working way of using a Mikrotik to protect your network, and the services "peeking out" from behind it, against attacks from outside. Namely, it takes only three rules to set up a honeypot on a Mikrotik.

So, let's imagine we have a small office with an external IP, behind which there is an RDP server so that employees can work remotely. The first rule is, of course, to move port 3389 on the external interface to some other port. But that does not last long: after a couple of days the terminal server's audit log starts showing several failed authorization attempts per second from unknown clients.

Another situation: you have Asterisk hidden behind the Mikrotik, naturally not on UDP port 5060, and after a couple of days password brute-forcing starts there too... yes, yes, I know, fail2ban is our everything, but it still has to be worked on... for example, I recently installed it on Ubuntu 18.04 and was surprised to find that out of the box fail2ban has no current settings for the Asterisk from the same box of the same Ubuntu distribution... and a quick googling for ready-made "recipes" no longer works: the release numbers have grown over the years, the articles with "recipes" for old versions don't work, and new ones almost never appear... But I digress...

So, what a honeypot is in a nutshell: it is a decoy. In our case it is any popular port on the external IP, and any request to that port from an external client sends the src address to the blacklist. That's all.

/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" connection-state=new dst-port=22,3389,8291 in-interface=ether4-wan protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" address-list-timeout=30d0h0m chain=input comment="block honeypot asterisk" connection-state=new dst-port=5060 in-interface=ether4-wan protocol=udp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list="Honeypot Hacker"

The first rule, on the popular TCP ports 22, 3389 and 8291 of the external interface ether4-wan, sends the "guest's" IP to the "Honeypot Hacker" list (the ports for ssh, rdp and winbox are disabled beforehand or moved to other numbers). The second rule does the same for the popular UDP port 5060.

The third rule, at the prerouting stage, drops packets from "guests" whose src address is included in "Honeypot Hacker".

After two weeks of operation on my home Mikrotik, the "Honeypot Hacker" list held about one and a half thousand IP addresses of those who like to "grab my network resources by the udder" (at home I have my own telephony, mail, nextcloud and rdp). The brute-force attacks stopped, and bliss set in.

In practice not everything went smoothly: at one site they kept attacking the RDP server by brute-forcing passwords.

Apparently, the port number had been found by a scanner long before the honeypot was enabled, and during quarantine it was not easy to reconfigure more than 100 users, 20% of whom are over 65. For the case where the port cannot be changed, there is a small working recipe. I saw something similar on the Internet, but here there are a few additions and some fine-tuning:

Rules for configuring Port Knocking

/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist address-list-timeout=15m chain=forward comment=rdp_to_blacklist connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage12
add action=add-src-to-address-list address-list=rdp_stage12 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage11
add action=add-src-to-address-list address-list=rdp_stage11 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage10
add action=add-src-to-address-list address-list=rdp_stage10 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage9
add action=add-src-to-address-list address-list=rdp_stage9 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage8
add action=add-src-to-address-list address-list=rdp_stage8 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage7
add action=add-src-to-address-list address-list=rdp_stage7 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage6
add action=add-src-to-address-list address-list=rdp_stage6 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage5
add action=add-src-to-address-list address-list=rdp_stage5 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage4
add action=add-src-to-address-list address-list=rdp_stage4 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=rdp_blacklist

Within 4 minutes the remote client is allowed to make 12 new "requests" to the RDP server. One login attempt is 1 to 4 "requests". On the 12th "request" it is blocked for 15 minutes. In my case the attackers did not give up on hacking the server; they adapted to the timing and now do it slowly, and such a slow brute-forcing rate reduces the attack's effectiveness to zero. The company's employees experience no inconvenience from these measures.

Another little trick
This rule is enabled on a schedule at 5 a.m. and disabled at XNUMX a.m., when real people are asleep and the automated password-pickers are still awake.

/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist address-list-timeout=1w0d0h0m chain=forward comment="night_rdp_blacklist" connection-state=new disabled=yes dst-port=3389 protocol=tcp src-address-list=rdp_stage8

Already at the 8th connection, the attacker's IP is blacklisted for a week. Beautiful!

Well, in addition to the above, I will add a link to the Wiki article with a working configuration for protecting a Mikrotik from network scanners: wiki.mikrotik.com/wiki/Drop_port_scanners

On my devices this configuration works together with the honeypot rules described above and complements them well.

UPD: As noted in the comments, the packet drop rule has been moved to RAW to reduce the load on the router.

Source: www.hab.com
