An easy way to protect your Mikrotik from attacks

I want to share with the community a simple and working way to use Mikrotik to protect your network and the services "peeking out" from behind it against external attacks. Namely, just three rules to set up a honeypot on Mikrotik.

So let's imagine that we have a small office with an external IP, behind which there is an RDP server for employees to work remotely. The first rule is, of course, to change port 3389 on the external interface to something else. But this won't last long; after a couple of days the terminal server's audit log will start showing several failed authorizations per second from unknown clients.

Another situation: you have Asterisk hidden behind Mikrotik, of course not on UDP port 5060, and after a couple of days the password guessing starts there too... yes, yes, I know, fail2ban is our everything, but we still have to work on it... for example, I recently installed it on Ubuntu 18.04 and was surprised to discover that, out of the box, fail2ban has no current settings for the Asterisk that comes out of the same box of the same Ubuntu distribution... and quick googling for ready-made "recipes" no longer works, the release numbers grow over the years, articles with "recipes" for old versions no longer work, and new ones almost never appear... But I digress...

So, what a honeypot is in a nutshell: in our case it is any popular port on an external IP; any request to that port from an external client sends the src address to the blacklist. That's all.

/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" 
    address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" 
    connection-state=new dst-port=22,3389,8291 in-interface=
    ether4-wan protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" 
    address-list-timeout=30d0h0m chain=input comment=
    "block honeypot asterisk" connection-state=new dst-port=5060 
    in-interface=ether4-wan protocol=udp 
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=
    "Honeypot Hacker"

The first rule, on the popular TCP ports 22, 3389 and 8291 of the external interface ether4-wan, sends the "guest" IP to the "Honeypot Hacker" list (the ports for ssh, rdp and winbox are disabled beforehand or moved to others). The second does the same on the popular UDP port 5060.

The third rule, at the prerouting stage, drops packets from "guests" whose src-address is included in "Honeypot Hacker".

After two weeks of running on my home Mikrotik, the "Honeypot Hacker" list contained about one and a half thousand IP addresses of those who like to latch onto my network resources (the home has its own telephony, mail, nextcloud, rdp). The brute-force attacks stopped; bliss arrived.

At work, not everything turned out so simple; there they keep hammering the rdp server with password brute-forcing.

Apparently the port number was discovered by the scanners long before the honeypot was switched on, and during quarantine it is not so easy to reconfigure more than 100 users, 20% of whom are over 65 years old. For the case where the port cannot be changed, there is a small working recipe. I saw something similar on the internet, but some extra additions and fine tuning are involved:

Port Knocking configuration rules

/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist 
    address-list-timeout=15m chain=forward comment=rdp_to_blacklist 
    connection-state=new dst-port=3389 protocol=tcp src-address-list=
    rdp_stage12
add action=add-src-to-address-list address-list=rdp_stage12 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage11
add action=add-src-to-address-list address-list=rdp_stage11 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage10
add action=add-src-to-address-list address-list=rdp_stage10 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage9
add action=add-src-to-address-list address-list=rdp_stage9 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage8
add action=add-src-to-address-list address-list=rdp_stage8 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage7
add action=add-src-to-address-list address-list=rdp_stage7 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage6
add action=add-src-to-address-list address-list=rdp_stage6 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage5
add action=add-src-to-address-list address-list=rdp_stage5 
    address-list-timeout=4m chain=forward connection-state=new dst-port=
    3389 protocol=tcp src-address-list=rdp_stage4
add action=add-src-to-address-list address-list=rdp_stage4 
    address-list-timeout=4m chain=forward connection-state=new dst-port=
    3389 protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp 
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=
    rdp_blacklist

Within 4 minutes, a remote client is allowed to make only 12 new "requests" to the RDP server. One connection attempt is 1 to 4 "requests". On the 12th "request", a block for 15 minutes. In my case the attackers did not stop hacking the server; they adjusted to the timers and now do it very slowly, and such a guessing rate reduces the effectiveness of the attack to zero. The company's employees experience practically no inconvenience at work from the measures taken.

Another little trick
This rule is switched on by schedule at 5 a.m. and switched off at XNUMX a.m., when real people are definitely asleep and the automated guessers keep staying awake.

/ip firewall filter 
add action=add-src-to-address-list address-list=rdp_blacklist 
    address-list-timeout=1w0d0h0m chain=forward comment=
    "night_rdp_blacklist" connection-state=new disabled=
    yes dst-port=3389 protocol=tcp src-address-list=rdp_stage8

Already on the 8th connection, the attacker's IP is blacklisted for a week. Beauty!
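As an added check (model code written for this page, not MikroTik's own software or the author's configuration), the following Python models the staged chain above and the night rule: rules are evaluated top-down, add-src-to-address-list is a passthrough action so every matching rule fires for one packet, and each list entry expires after its timeout. It confirms that the 13th new connection inside the 4-minute window trips rdp_blacklist (12 are allowed, as stated), that wiring a stage to the wrong previous stage (for instance rdp_stage8 reading rdp_stage4, which orphans rdp_stage7) would shorten that count to 10, that the night rule trips on the 9th connection once rdp_stage8 is populated, and that a source pausing longer than 4 minutes between connections never reaches the blacklist. The source address and the seconds-based timers are constructed.

```python
STAGES = 12
STAGE_TTL = 4 * 60        # address-list-timeout=4m, in seconds
BLACKLIST_TTL = 15 * 60   # address-list-timeout=15m

class Rule:
    """One add-src-to-address-list rule: adds to `add_to` when the source is
    already in `requires` (None = the unconditional rdp_stage1 rule)."""
    def __init__(self, add_to, ttl, requires):
        self.add_to, self.ttl, self.requires = add_to, ttl, requires

def build_rules(trip_at=STAGES, stage8_requires="rdp_stage7"):
    """Rules in export order: blacklist rule first, rdp_stage1 last.
    trip_at=8 models the night rule; stage8_requires='rdp_stage4' reproduces
    a miswired stage8 -> stage4 link, which orphans rdp_stage7."""
    rules = [Rule("rdp_blacklist", BLACKLIST_TTL, f"rdp_stage{trip_at}")]
    for n in range(STAGES, 0, -1):
        req = stage8_requires if n == 8 else (None if n == 1 else f"rdp_stage{n - 1}")
        rules.append(Rule(f"rdp_stage{n}", STAGE_TTL, req))
    return rules

class AddressLists:
    """src -> list name -> expiry time; re-adding an entry refreshes its timer."""
    def __init__(self):
        self.entries = {}
    def contains(self, lst, src, now):
        exp = self.entries.get(src, {}).get(lst)
        return exp is not None and exp > now
    def add(self, lst, src, ttl, now):
        self.entries.setdefault(src, {})[lst] = now + ttl

def new_connection(rules, lists, src, now):
    """Run one new TCP/3389 connection through the forward chain top-down.
    add-src-to-address-list is passthrough, so every matching rule fires.
    Returns True if the source ends up in rdp_blacklist."""
    for r in rules:
        if r.requires is None or lists.contains(r.requires, src, now):
            lists.add(r.add_to, src, r.ttl, now)
    return lists.contains("rdp_blacklist", src, now)

def connections_until_blacklist(interval, limit=100, **rule_opts):
    """Number of new connections, spaced `interval` seconds apart, that a
    single source (constructed address) needs before it is blacklisted;
    None if the 4-minute stage timers expire first and it never is."""
    rules, lists = build_rules(**rule_opts), AddressLists()
    for i in range(1, limit + 1):
        if new_connection(rules, lists, "198.51.100.7", i * interval):
            return i
    return None
```

The model ignores the raw-chain drop, which only affects packets after the blacklist entry exists; the count of new connections that reach the forward chain before that point is what the article's "12 requests" describes.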

Well, in addition to the above, I will add a link to a Wiki article with a working configuration for protecting Mikrotik from network scanners: wiki.mikrotik.com/wiki/Drop_port_scanners

On my devices this setup works together with the honeypot rules described above, complementing them well.

UPD: As suggested in the comments, the packet-drop rules were moved to RAW to reduce the load on the router.

Source: www.habr.com
