MS Remote Desktop Gateway, HAProxy and password brute force

Hello, friends!

There are many ways to connect from home to your workplace. One of them is Microsoft Remote Desktop Gateway, which is RDP over HTTP. I don't want to go into configuring RDGW itself here, and I don't want to discuss why it is good or bad; let's just treat it as one of the remote-access tools. What I want to talk about is protecting your RDGW server from the evil Internet. When I set up an RDGW server, I immediately worried about security, especially protection against password brute force. I was surprised not to find any articles on the Internet about how to do this. Well, you have to do it yourself.

RDGW itself has no protection. Yes, it can be exposed with its bare interface on the public network and it will work fine. But that would make a law-abiding administrator or an information-security specialist uneasy. Besides, it would let you avoid the account-lockout problem, when a careless employee has saved the password for a corporate account on a home computer and then changes that password.

A good way to protect internal resources from the outside world is through various proxies, publishing systems and other WAFs. Let's remember that RDGW is still HTTP, so it practically begs for a specialized solution to be placed between the internal servers and the Internet.

I know there are the cool F5, A10, Netscaler (ADC). As the administrator of one of those systems, I can say that brute-force protection can be configured on them too. And yes, those systems will protect you in other ways too.

But not every company can afford to buy such solutions (and to find an administrator for them :), yet they can still take care of security!

It is entirely possible to install the free version of HAProxy on a free operating system. I tested on Debian 10 with haproxy version 1.8.19 from the stable repository. I also tested it on version 2.0.xx from the testing repository.

Setting up Debian itself is outside the scope of this article. Briefly: on the public interface, close everything except port 443; on the private (grey) interface, at your discretion, for example also close everything except port 22. Open only what is needed for operation (VRRP, for example, for a floating IP).

First of all, I configured haproxy in SSL bridging mode (aka http mode) and enabled logging to see what goes on inside RDP. So to speak, I sat in the middle. And so: the /RDWeb path listed in "all" RDGateway setup articles is missing. All there is is /rpc/rpcproxy.dll and /remoteDesktopGateway/. Standard GET/POST requests are not used here; the client's own request methods RDG_IN_DATA and RDG_OUT_DATA are used instead.

Not much, but at least something.

Let's test it.

I launch mstsc, connect to the server, see four 401 (unauthorized) errors in the log, then enter my username/password and see a 200 response.

I close it, start it again, and in the log I see the same four 401 errors. I enter a wrong login/password and again see four 401 errors. That's what I need. This is what we will catch.

Since the login URL cannot be determined, and besides, I don't know how to catch a 401 error in haproxy, I will catch (not catch, but count) all 4xx errors. That also fits the task.

The idea of the protection is that we count the number of 4xx errors (on the backend) per unit of time, and if it exceeds the limit, we reject (on the frontend) all further connections from that IP for the specified time.

Technically, this is not protection against password brute force, it is protection against 4xx errors. For example, if you frequently request a non-existent URL (404), the protection will also trigger.

The simplest and quite effective way is to count on the backend and respond there if something excessive happens:

frontend fe_rdp_tsc
    bind *:443 ssl crt /etc/haproxy/cert/desktop.example.com.pem
    mode http
    ...
    default_backend be_rdp_tsc


backend be_rdp_tsc
    ...
    mode http
    ...

    #ΡΠΎΠ·Π΄Π°Ρ‚ΡŒ Ρ‚Π°Π±Π»ΠΈΡ†Ρƒ, ΡΡ‚Ρ€ΠΎΠΊΠΎΠ²ΡƒΡŽ, 1000 элСмСнтов, ΠΏΡ€ΠΎΡ‚ΡƒΡ…Π°Π΅Ρ‚ Ρ‡Π΅Ρ€Π΅Π· 15 сСк, Π·Π°ΠΏΠΈΡΠ°Ρ‚ΡŒ ΠΊΠΎΠ»-Π²ΠΎ ошибок Π·Π° послСдниС 10 сСк
    stick-table type string len 128 size 1k expire 15s store http_err_rate(10s)
    #Π·Π°ΠΏΠΎΠΌΠ½ΠΈΡ‚ΡŒ ip
    http-request track-sc0 src
    #Π·Π°ΠΏΡ€Π΅Ρ‚ΠΈΡ‚ΡŒ с http ошибкой 429, Ссли Π·Π° послСдниС 10 сСк большС 4 ошибок
    http-request deny deny_status 429 if { sc_http_err_rate(0) gt 4 }
	
	...
    server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
    server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02

Not the best option, so let's complicate it. We will count on the backend and block on the frontend.

We will treat the attacker harshly and drop his TCP connection.

frontend fe_rdp_tsc
    bind *:443 ssl crt /etc/haproxy/cert/ertelecom_ru_2020_06_11.pem
    mode http
    ...
    #ΡΠΎΠ·Π΄Π°Ρ‚ΡŒ Ρ‚Π°Π±Π»ΠΈΡ†Ρƒ ip адрСсов, 1000 элСмСнтов, ΠΏΡ€ΠΎΡ‚ΡƒΡ…Π½Π΅Ρ‚ Ρ‡Π΅Ρ€Π΅Π· 15 сСк, ΡΠΎΡ…Ρ€ΡΠ½ΡΡ‚ΡŒ ΠΈΠ· глобального счётчика
    stick-table type ip size 1k expire 15s store gpc0
    #Π²Π·ΡΡ‚ΡŒ источник
    tcp-request connection track-sc0 src
    #ΠΎΡ‚ΠΊΠ»ΠΎΠ½ΠΈΡ‚ΡŒ tcp соСдинСниС, Ссли Π³Π»ΠΎΠ±Π°Π»ΡŒΠ½Ρ‹ΠΉ счётчик >0
    tcp-request connection reject if { sc0_get_gpc0 gt 0 }
	
    ...
    default_backend be_rdp_tsc


backend be_rdp_tsc
    ...
    mode http
    ...
	
    #ΡΠΎΠ·Π΄Π°Ρ‚ΡŒ Ρ‚Π°Π±Π»ΠΈΡ†Ρƒ ip адрСсов, 1000 элСмСнтов, ΠΏΡ€ΠΎΡ‚ΡƒΡ…Π½Π΅Ρ‚ Ρ‡Π΅Ρ€Π΅Π· 15 сСк, ΡΠΎΡ…Ρ€Π°Π½ΡΡ‚ΡŒ ΠΊΠΎΠ»-Π²ΠΎ ошибок Π·Π° 10 сСк
    stick-table type ip size 1k expire 15s store http_err_rate(10s)
    #ΠΌΠ½ΠΎΠ³ΠΎ ошибок, Ссли ΠΊΠΎΠ»-Π²ΠΎ ошибок Π·Π° 10 сСк прСвысило 8
    acl errors_too_fast sc1_http_err_rate gt 8
    #ΠΏΠΎΠΌΠ΅Ρ‚ΠΈΡ‚ΡŒ Π°Ρ‚Π°ΠΊΡƒ Π² глобальном счётчикС (ΡƒΠ²Π΅Π»ΠΈΡ‡ΠΈΡ‚ΡŒ счётчик)
    acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
    #ΠΎΠ±Π½ΡƒΠ»ΠΈΡ‚ΡŒ Π³Π»ΠΎΠ±Π°Π»ΡŒΠ½Ρ‹ΠΉ счётчик
    acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
    #Π²Π·ΡΡ‚ΡŒ источник
    tcp-request content track-sc1 src
    #ΠΎΡ‚ΠΊΠ»ΠΎΠ½ΠΈΡ‚ΡŒ, ΠΏΠΎΠΌΠ΅Ρ‚ΠΈΡ‚ΡŒ, Ρ‡Ρ‚ΠΎ Π°Ρ‚Π°ΠΊΠ°
    tcp-request content reject if errors_too_fast mark_as_abuser
    #Ρ€Π°Π·Ρ€Π΅ΡˆΠΈΡ‚ΡŒ, ΡΠ±Ρ€ΠΎΡΠΈΡ‚ΡŒ Ρ„Π»Π°ΠΆΠΎΠΊ Π°Ρ‚Π°ΠΊΠΈ
    tcp-request content accept if !errors_too_fast clear_as_abuser
	
    ...
    server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
    server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02

The same, but politely: we return HTTP error 429 (Too Many Requests).

frontend fe_rdp_tsc
    ...
    stick-table type ip size 1k expire 15s store gpc0
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc0_get_gpc0 gt 0 }
    ...
    default_backend be_rdp_tsc

backend be_rdp_tsc
    ...
    stick-table type ip size 1k expire 15s store http_err_rate(10s)
    acl errors_too_fast sc1_http_err_rate gt 8
    acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
    acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
    http-request track-sc1 src
    http-request allow if !errors_too_fast clear_as_abuser
    http-request deny deny_status 429 if errors_too_fast mark_as_abuser
    ...
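To make the counting concrete, here is a small Python model of the two-stage scheme above: the backend counts 4xx responses per source IP in a sliding 10 s window, flags the IP in the frontend's gpc0 once the rate exceeds 8, and the frontend then rejects new connections while the flagged entry lives. It is an added example, not HAProxy's code and not from the original article; the frequency counter and the rule that a tracked entry's 15 s expiry is refreshed on every touch are my reading of HAProxy's stick-table semantics, and the IPs, timestamps and statuses are constructed. With one mstsc logon attempt modelled as four 401 responses, the model rejects the attacker during the third attempt, which matches what the author observes when testing.

```python
"""Model of the backend-counts / frontend-rejects ban (added example, not HAProxy code)."""

ERR_WINDOW = 10.0    # http_err_rate(10s)
ERR_LIMIT = 8        # acl errors_too_fast sc1_http_err_rate gt 8
TABLE_EXPIRE = 15.0  # stick-table ... expire 15s


class FreqCounter:
    """HAProxy-style frequency counter (my approximation): the current period's
    count plus the previous period's count weighted by how much of the window
    it still covers."""

    def __init__(self, period):
        self.period, self.start, self.curr, self.prev = period, None, 0, 0

    def _rotate(self, now):
        if self.start is None:
            self.start = now
        while now - self.start >= self.period:
            self.prev, self.curr = self.curr, 0
            self.start += self.period

    def inc(self, now):
        self._rotate(now)
        self.curr += 1

    def rate(self, now):
        self._rotate(now)
        return self.curr + self.prev * (self.period - (now - self.start)) / self.period


class Gateway:
    """fe_rdp_tsc table (gpc0 flag) and be_rdp_tsc table (4xx rate), both keyed by src."""

    def __init__(self):
        self.fe, self.be = {}, {}

    def _entry(self, table, ip, now, fresh):
        entry = table.get(ip)
        if entry is None or now - entry["touched"] >= TABLE_EXPIRE:
            entry = fresh()              # expired entries come back empty
        entry["touched"] = now           # track-sc refreshes the expiry (assumed semantics)
        table[ip] = entry
        return entry

    def request(self, now, ip, upstream_status):
        """Return 'rejected' (frontend), 'denied' (backend) or the upstream status."""
        fe = self._entry(self.fe, ip, now, lambda: {"gpc0": 0})
        if fe["gpc0"] > 0:               # tcp-request connection reject if { sc0_get_gpc0 gt 0 }
            return "rejected"
        be = self._entry(self.be, ip, now, lambda: {"err": FreqCounter(ERR_WINDOW)})
        if be["err"].rate(now) > ERR_LIMIT:
            fe["gpc0"] += 1              # mark_as_abuser: sc0_inc_gpc0(fe_rdp_tsc)
            return "denied"              # tcp-request content reject (or deny_status 429)
        fe["gpc0"] = 0                   # clear_as_abuser: sc0_clr_gpc0(fe_rdp_tsc)
        if 400 <= upstream_status < 500:
            be["err"].inc(now)           # http_err_rate counts only 4xx responses
        return upstream_status


def replay(events):
    """Run (time, src_ip, upstream_status) events through one Gateway in time order."""
    gw = Gateway()
    return [(ip, gw.request(t, ip, status)) for t, ip, status in sorted(events)]


def outcomes_for(results, ip):
    return [outcome for src, outcome in results if src == ip]


# Constructed sample: one mstsc logon attempt shows up as four 401 responses.
ATTACKER, USER = "203.0.113.7", "198.51.100.20"
SAMPLE_EVENTS = (
    [(round(t + 0.1 * i, 1), ATTACKER, 401) for t in (0.0, 2.0, 4.0) for i in range(4)]
    + [(10.0, ATTACKER, 401), (26.0, ATTACKER, 401)]   # retry while banned / after expiry
    + [(round(5.0 + 0.1 * i, 1), USER, 401) for i in range(4)] + [(5.4, USER, 200)]
)

if __name__ == "__main__":
    for src, outcome in replay(SAMPLE_EVENTS):
        print(src, outcome)
```

Two things the model makes visible: the ban lives in the frontend entry, which is touched by every rejected connection, so an attacker who keeps retrying keeps that entry alive and stays banned for longer than 15 s after the last counted error; and only 4xx responses are counted, so a legitimate user's four 401s per logon stay well under the limit and the user's entry is cleared again.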

I check: I launch mstsc and start entering random passwords. After the third attempt, within 10 seconds it kicks me out, and mstsc reports an error. As can be seen in the log.

Explanation. I'm far from a haproxy master. I don't understand why, for example,
http-request deny deny_status 429 if { sc_http_err_rate(0) gt 4 }
lets you make 10 errors before it triggers.

I'm confused about the counter numbers. Masters of haproxy, I would be glad if you add to this, correct me, and make me better.

In the comments you can suggest other ways to protect RD Gateway; it would be interesting to learn about them.

Regarding the Windows Remote Desktop client (mstsc), it is worth noting that it does not support TLS 1.2 (at least on Windows 7), so I had to leave TLS 1 enabled; it does not support current ciphers either, so I had to leave the old ones as well.

For those who don't understand anything yet, are only learning, and already want to do it right, here is the full config.

haproxy.conf

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        #ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        #ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
        ssl-default-bind-options no-sslv3
        ssl-server-verify none


defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  15m
        timeout server  15m
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http


frontend fe_rdp_tsc
    bind *:443 ssl crt /etc/haproxy/cert/dektop.example.com.pem
    mode http
    capture request header Host len 32
    log global
    option httplog
    timeout client 300s
    maxconn 1000

    stick-table type ip size 1k expire 15s store gpc0
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc0_get_gpc0 gt 0 }

    acl rdweb_domain hdr(host) -i beg dektop.example.com
    http-request deny deny_status 400 if !rdweb_domain
    default_backend be_rdp_tsc


backend be_rdp_tsc
    balance source
    mode http
    log global

    stick-table type ip size 1k expire 15s store http_err_rate(10s)
    acl errors_too_fast sc1_http_err_rate gt 8
    acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
    acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
    tcp-request content track-sc1 src
    tcp-request content reject if errors_too_fast mark_as_abuser
    tcp-request content accept if !errors_too_fast clear_as_abuser

    option forwardfor
    http-request add-header X-CLIENT-IP %[src]

    option httpchk GET /
    cookie RDPWEB insert nocache
    default-server inter 3s    rise 2  fall 3
    server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
    server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02


frontend fe_stats
    mode http
    bind *:8080
    acl ip_allow_admin src 192.168.66.66
    stats enable
    stats uri /stats
    stats refresh 30s
    #stats admin if LOCALHOST
    stats admin if ip_allow_admin
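The stats socket from the global section makes it possible to see which source IPs are currently flagged: 'echo "show table fe_rdp_tsc" | socat stdio /run/haproxy/admin.sock' prints one line per tracked entry, and 'clear table fe_rdp_tsc key <ip>' removes one key (for example to unban a colleague who mistyped a password too many times). The parser below is an added example, not part of the article and not HAProxy's own code; the sample output is constructed in the format documented for the HAProxy CLI, and the addresses and pointers in it are made up.

```python
import re

# Constructed sample of 'show table fe_rdp_tsc' output (HAProxy CLI format);
# the addresses and pointers are made up.
SAMPLE_SHOW_TABLE = """\
# table: fe_rdp_tsc, type: ip, size:1024, used:3
0x55d5b5a0a4e0: key=203.0.113.7 use=0 exp=12250 gpc0=1
0x55d5b5a0a600: key=198.51.100.20 use=0 exp=9876 gpc0=0
0x55d5b5a0a720: key=203.0.113.9 use=1 exp=14990 gpc0=2
"""

TABLE_NAME = "fe_rdp_tsc"   # the frontend table that holds the gpc0 abuse flag


def parse_show_table(text):
    """Turn 'show table' output into a list of dicts: the key plus every
    name=value field on the line (use, exp in ms until expiry, gpc0, ...)."""
    entries = []
    for line in text.splitlines():
        match = re.search(r"\bkey=(\S+)(.*)", line)
        if not match:
            continue                      # header and blank lines carry no entry
        key, rest = match.groups()
        fields = {name: int(value) for name, value in re.findall(r"(\S+?)=(\d+)", rest)}
        entries.append({"key": key, **fields})
    return entries


def flagged_ips(text):
    """Source IPs with gpc0 > 0: the ones the frontend is currently rejecting."""
    return [e["key"] for e in parse_show_table(text) if e.get("gpc0", 0) > 0]


def unban_command(ip):
    """CLI command that drops one key from the frontend table (send it to the admin socket)."""
    return f"clear table {TABLE_NAME} key {ip}"


if __name__ == "__main__":
    for entry in parse_show_table(SAMPLE_SHOW_TABLE):
        print(entry)
    print("flagged:", flagged_ips(SAMPLE_SHOW_TABLE))
    print(unban_command("203.0.113.7"))
```

Polling this table from a monitoring job and alerting when an address is flagged is a cheap way to notice a guessing campaign against the gateway, since the rejected connections never reach the RDGW event log.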

Why two servers on the backend? Because that is how you get fault tolerance. Haproxy itself can also be made redundant: two instances with a free floating IP.

Resources consumed: you can start with "two gigs, two cores, gaming PC". According to Wikipedia this should be enough with room to spare.

Links:

Setting up rdp-gateway through HAProxy
An article I found where people complain about password brute force

Source: www.hab.com
