Is it dangerous to keep RDP open to the Internet?

I have read many opinions that keeping the RDP (Remote Desktop Protocol) port open to the Internet is very insecure and should never be done. Instead, RDP should be reached over a VPN, or only from certain "whitelisted" IP addresses.

I administer several Windows Servers for small companies, where I was asked to give the accountants remote access to the Windows Server. This is the modern trend - working from home. Very quickly I realised that tormenting the accountants with a VPN is a thankless task, and collecting all their IPs for a whitelist would not work either, because people's IP addresses are dynamic.

So I took the simplest route - forwarding the RDP port to the outside. To get in, the accountants now only have to start the RDP client and enter the hostname (with the port), username and password.

In this article I will share my experience (good and bad) and my recommendations.

Risks

What do you risk by opening the RDP port?

1) Unauthorised access to sensitive data
If someone guesses the RDP password, they can get at data you would rather keep private: account numbers, balances, customer records, ...

2) Data loss
For example, as the result of ransomware.
Or deliberately, at the hands of an attacker.

3) Loss of the workplace
Employees need to work, but the system has been compromised and must be reinstalled / restored / reconfigured.

4) Compromise of the local network
If an attacker gets onto a Windows machine, then from that machine they can reach systems that are not exposed to the Internet at all: file shares, network printers, and so on.

I had a case where a Windows Server caught ransomware. The ransomware first encrypted most of the files on the C: drive and then started encrypting files on the NAS in the network. Since the NAS was a Synology with snapshots configured, I rolled the NAS back in 5 minutes and reinstalled the Windows Server from scratch.

Observations and recommendations

I monitor the Windows Servers with Winlogbeat, which ships the logs to ElasticSearch. Kibana offers several visualisations, and I also set up a custom dashboard.
Monitoring by itself does not protect anything, but it helps you decide which measures are actually needed.

Here are some observations:
a) RDP will be brute-forced.
On one of the servers I put RDP not on the standard port 3389 but on 443 - well, I would disguise it as HTTPS. Moving the port away from the default is probably worthwhile, but it does not achieve much. Here are the statistics from that server:

[Screenshot: Kibana dashboard with the failed RDP logon statistics for this server]

You can see that in one week there were almost 400 failed logon attempts over RDP.
You can see that the attempts came from 55 IP addresses (some of those addresses I had already blocked).

This directly suggests that you should set up fail2ban, but

there is no such utility for Windows.

There are a couple of abandoned projects on GitHub that seem to do this, but I have not even tried installing them:
https://github.com/glasnt/wail2ban
https://github.com/EvanAnderson/ts_block

There are also paid tools, but I have not considered them.

If you know of an open-source utility for this purpose, please share it in the comments.
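A minimal fail2ban-style blocker can be built from the Windows event log and the firewall cmdlets the article already uses. The script below is an added example, not code from the article or from the GitHub projects above: it counts failed logons per source address in the last N minutes and adds the offenders to one block rule. The threshold, window and rule name are assumptions; it is meant to be run elevated from a scheduled task every few minutes.

```powershell
# Added example: count failed RDP logons per source IP and block repeat offenders.
# Assumed values: threshold, window and rule name are free choices; run as Administrator.
param(
    [int]$Threshold     = 10,            # failed logons per IP within the window
    [int]$WindowMinutes = 10,
    [string]$RuleName   = 'rdp-fail2ban' # hypothetical rule name
)

$since = (Get-Date).AddMinutes(-$WindowMinutes)
$ips   = New-Object System.Collections.Generic.List[string]

# Source 1: Security log, event 4625 (account failed to log on). With NLA enabled the
# IpAddress field is sometimes "-", which is why a second source is read below.
$f1 = @{ LogName = 'Security'; Id = 4625; StartTime = $since }
Get-WinEvent -FilterHashtable $f1 -ErrorAction SilentlyContinue | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    if ($ip -and $ip -ne '-') { $ips.Add($ip) }
}

# Source 2: RdpCoreTS operational log, event 140 (NLA credential failure), field IPString.
$f2 = @{ LogName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'
         Id = 140; StartTime = $since }
Get-WinEvent -FilterHashtable $f2 -ErrorAction SilentlyContinue | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $ip  = $xml.Event.UserData.EventXML.IPString
    if ($ip) { $ips.Add($ip) }
}

# Aggregate per IP; never block loopback or RFC 1918 ranges (assumed safe list), so a
# colleague mistyping a password on the LAN cannot lock the server away from you.
$safe      = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
$offenders = $ips | Group-Object |
    Where-Object { $_.Count -ge $Threshold -and $_.Name -notmatch $safe } |
    Select-Object -ExpandProperty Name

if (-not $offenders) {
    Write-Host "No IP exceeded $Threshold failures in the last $WindowMinutes minutes."
    return
}

# Keep a single block rule and merge new offenders into its RemoteAddress list.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -RemoteAddress $offenders | Out-Null
} else {
    $existing = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $merged   = @($existing) + @($offenders) |
        Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique
    $rule | Set-NetFirewallRule -RemoteAddress $merged
}
Write-Host ("Blocked: " + ($offenders -join ', '))
```

The block list only ever grows here; a real deployment would also expire entries after some hours, otherwise the rule accumulates thousands of addresses and dynamic-IP customers eventually get caught by a stale entry.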

Update: the comments point out that port 443 is a poor choice, and that a high port (32000+) is better, because 443 gets scanned far more often, and identifying RDP on that port is no problem for a scanner.
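Moving the listener is a registry change plus a firewall rule, and the built-in "Remote Desktop" firewall rules stay bound to 3389, so forgetting the rule locks you out. The following is an added example, not part of the article; the port number is an assumed value, and the rule name is hypothetical.

```powershell
# Added example: move RDP to a high port and keep Network Level Authentication on.
# Run in an elevated PowerShell on the server. Restarting TermService drops sessions.
$NewPort = 33891   # assumed value; pick your own in the 32000+ range

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Point the RDP-Tcp listener at the new port (takes effect when TermService restarts).
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# 2. Allow the new port inbound; the default "Remote Desktop" rules only cover 3389.
New-NetFirewallRule -DisplayName "RDP custom port $NewPort" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow -Profile Any | Out-Null

# 3. Keep NLA enabled: without it the client reaches the full logon screen before
#    authenticating, regardless of which port you hide behind.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) {
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
}

# 4. Restart the listener and verify which ports are actually listening.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 3
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 3389, $NewPort } |
    Select-Object LocalAddress, LocalPort
```

Check the last listing from a second, already-open session before closing the one you are working in, and update the port forward on the router to match.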

b) There are usernames that attackers favour
You can see that the guessing runs through a dictionary of different names.
But here is what I noticed: a significant share of the attempts use the server's name as the login. Recommendation: do not use the same name for the computer and the user. Moreover, sometimes it looks as though they are parsing the server name somehow: for example, for a system named DESKTOP-DFTHD7C, most logon attempts were with the name DFTHD7C:

[Screenshot: Kibana breakdown of the usernames tried against this server]

Accordingly, if you have a computer called DESKTOP-MARIA, you will probably see logon attempts as the user MARIA.

Another thing I noticed in the logs: on most systems, the most common logon attempts are with the name "administrator". And that is not without reason, because in many versions of Windows this user exists. Moreover, it cannot be deleted. That simplifies the attacker's job: instead of guessing both name and password, they only have to guess the password.
By the way, the system that caught the ransomware had the user Administrator with the password Murmansk #9. I still do not know for certain how that system was hacked, because I only started monitoring after that incident, but I suspect brute force.
So if the Administrator user cannot be deleted, what can you do? You can rename it!

Recommendations from this section:

  • do not use the username in the computer name
  • make sure there is no user called Administrator on the system
  • use strong passwords

So, I have watched several Windows Servers under my management being brute-forced for a couple of years now, without success.

How do I know it was unsuccessful?
Because, as you can see in the screenshots above, there is a list of successful RDP logons, containing:

  • the source IP
  • the source computer (hostname)
  • the username
  • GeoIP information

And I review that regularly - no anomalies have turned up.
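The same "any unexpected successful logon?" review can be done on the server itself, without Kibana, straight from the Security log. The script below is an added example, not part of the article: it extracts the RemoteInteractive (LogonType 10) successes from event 4624 and summarises them per source address. The look-back window is an assumed value, and GeoIP is not available offline, so that column is missing.

```powershell
# Added example: list successful RDP logons (event 4624, LogonType 10) with source IP,
# client workstation name and user, then summarise per source IP.
param([int]$Days = 7)   # assumed look-back window

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
    -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Type 10 = RemoteInteractive. With NLA, the same session also produces a type 3
    # event for the credential check, which is deliberately skipped here.
    if ($data['LogonType'] -ne '10') { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        SourceIP    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

# One line per session, then a per-IP summary: a new source address, or a workstation
# name you do not recognise, is the signal worth chasing.
$logons | Sort-Object Time | Format-Table -AutoSize
$logons | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIP'; e = { $_.Name } }, Count,
                  @{ n = 'Users';    e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

If the Security log is short because of its size limit, raise it (the default is 20 MB) or keep shipping it to ElasticSearch as the article does; a week of brute-force noise can otherwise push the successes out of the log before you look.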

By the way, if a particular IP is hammering especially hard, you can block individual IPs (or subnets) like this in PowerShell:

# One inbound block rule named "fail2ban" covering three /16 networks
New-NetFirewallRule -Direction Inbound -DisplayName "fail2ban" -Name "fail2ban" -RemoteAddress ("185.143.0.0/16", "185.153.0.0/16", "193.188.0.0/16") -Action Block

By the way, besides Winlogbeat, Elastic also has Auditbeat, which can monitor files and processes on the system. There is also a SIEM (Security Information & Event Management) application in Kibana. I tried both, but did not see much benefit - Auditbeat seems more useful on Linux systems, and the SIEM has not shown me anything meaningful yet.

Well, the final recommendations:

  • Make regular automated backups.
  • Install security updates promptly.

Appendix: the 50 usernames most often used in RDP logon attempts

user.name: Descending             Count
dfthd7c (hostname)                842941
winsrv1 (hostname)                266525
ADMINISTRATOR                     180678
server *                          163842
Administrator                      53541
michael                            23101
server *                           21983
steve                              21936
john                               21927
paul                               21913
reception *                        21909
Mike                               21899
office *                           21888
scanner                            21887
copier *                           21867
david                              21865
Chris                              21860
owner *                            21855
manager *                          21852
server *                           21841
brian                              21839
tus thawj coj ** (gloss: boss/director)   21837
mark *                             21824
neeg ua hauj lwm ** (gloss: staff/worker) 21806
ADMIN                              12748
root *                              7772
ADMINISTRATOR                       7325
SUPPORT *                           5577
YUG ** (gloss: raise/born)          5418
USER *                              4558
admin                               2832
TEST                                1928
Mysql                               1664
admin                               1652
TUS TSWV YIM ** (gloss: the idea)   1322
WIN1 *                              1179
PHEEJ YIG ** (gloss: cheap)         1121
SCAN                                1032
ADMINISTRATOR                        842
ADMIN 1                              525
QAIB ** (gloss: chicken)             518
MySqlAdmin                           518
SAWV DAWS ** (gloss: everyone)       490
WIN2 *                               466
Temp                                 452
SQLADMIN                             450
WIN3 *                               441
1                                    422
TSWV YIM ** (gloss: idea)            418
TSWV ** (gloss: owner)               410

* Back-translated from a machine-translated copy of the table; the exact original string (including letter case) could not be recovered.
** Left as it appears in the machine-translated copy, with a literal gloss; the original username is not recoverable.
Note: the Kibana terms aggregation on user.name is case-sensitive, so the repeated rows (ADMINISTRATOR, admin, server) were presumably distinct spellings or capitalisations that the copy of the table collapsed.

Source: www.hab.com
