A simple way to protect your Mikrotik from attacks

I want to share with the community a simple and working way to use Mikrotik to protect your network, and the services "poking out" from behind it, against attacks from outside. Namely: just three commands to set up a honeypot on Mikrotik.

So, suppose we have a small office with an external IP, behind which there is an RDP server for employees working remotely. The first rule is, of course, to move port 3389 on the external interface to some other port. But that does not help for long: after a few days the terminal server's audit log starts showing several failed logons per second from unknown clients.

Another situation: you have Asterisk hidden behind Mikrotik, naturally not on port 5060 udp, and after a few days password brute-forcing starts there too... yes, yes, I know, fail2ban is our everything, but you still have to work with it... for example, I recently installed it on ubuntu 18.04 and was surprised to find that the fail2ban in the box has no current configuration for the asterisk from the same box of the same ubuntu release... and quick configuration from "recipes" found on Google no longer works, the release numbers grow with the years, the articles with "recipes" for old versions no longer work, and new ones don't appear... But I digress...

So, what is a honeypot in short: a honeypot, in our case, is any popular port on the external IP. Any new connection to that port from an external client sends the src address to the blacklist. That's all.

/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" \
    address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" \
    connection-state=new dst-port=22,3389,8291 in-interface=ether4-wan protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" \
    address-list-timeout=30d0h0m chain=input comment="block honeypot asterisk" \
    connection-state=new dst-port=5060 in-interface=ether4-wan protocol=udp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan \
    src-address-list="Honeypot Hacker"

The first rule, on the popular TCP ports 22, 3389 and 8291 of the external interface ether4-wan, sends the "guest" IP to the "Honeypot Hacker" list (the ports for ssh, rdp and winbox must be disabled beforehand or moved to other ports). The second does the same for the well-known UDP 5060. Note that anything touching a bait port is listed, including you: if winbox is still on 8291, or you try ssh on 22 from outside, your own address lands on the list for 30 days, so move or disable those services first and keep another way in (a non-standard port, or access from the LAN side, which the in-interface=ether4-wan match leaves alone).

The third rule, in the raw prerouting chain, drops every packet arriving on ether4-wan from a "guest" whose src address is in "Honeypot Hacker". Dropping in raw is cheap: the packet is discarded before connection tracking and before the rest of the firewall ever sees it.

After two weeks of running on my home Mikrotik, the "Honeypot Hacker" list contained about one and a half thousand IP addresses of those who like to "milk" my network resources (at home I have my own telephony, mail, nextcloud, rdp). The brute-force attacks stopped, happiness came.

At work, not everything turned out to be so simple; there they keep hammering the rdp server with password brute-forcing.

Obviously, the port number had been discovered by scanning long before the honeypot was set up, and during quarantine it is not easy to reconfigure more than 100 users, 20% of whom are over 65. For the case where the port cannot be changed, there is a small working recipe. I have seen something similar on the Internet, but this version has an extra addition and some fine tuning:

Rules for configuring Port Knocking (strictly, this is a staged connection counter in the style of the Mikrotik wiki's brute-force prevention example, not knocking on secret ports: each new connection to 3389 moves the source one stage further, and the last stage blacklists it)

/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=15m chain=forward comment=rdp_to_blacklist \
    connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage12
add action=add-src-to-address-list address-list=rdp_stage12 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage11
add action=add-src-to-address-list address-list=rdp_stage11 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage10
add action=add-src-to-address-list address-list=rdp_stage10 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage9
add action=add-src-to-address-list address-list=rdp_stage9 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage8
# rdp_stage8 must be fed from rdp_stage7. The original listing pointed it at
# rdp_stage4, which skipped stages 5-7 and shortened the chain.
add action=add-src-to-address-list address-list=rdp_stage8 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage7
add action=add-src-to-address-list address-list=rdp_stage7 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage6
add action=add-src-to-address-list address-list=rdp_stage6 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage5
add action=add-src-to-address-list address-list=rdp_stage5 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage4
add action=add-src-to-address-list address-list=rdp_stage4 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan \
    src-address-list=rdp_blacklist

The rules are ordered from the highest stage down, so one new connection advances a source by exactly one stage; if they were listed the other way round, the catch-all rdp_stage1 rule would match every time and nobody would ever be blacklisted. A remote client therefore gets twelve new "requests" to the RDP server in quick succession; the thirteenth (the first one made while the address sits in rdp_stage12) puts it in rdp_blacklist for 15 minutes, and from the next packet on the raw rule drops it. One logon attempt takes 1 to 4 such "requests". Note that the 4-minute timeout belongs to each stage entry, not to a fixed window: a source only keeps climbing if no two consecutive connections are more than four minutes apart. In my case the attackers did not stop hammering the server; they adapted to the timers and now do it very slowly. Such a rate reduces the effectiveness of the attack to zero. The company's employees have not noticed any inconvenience in their work from these measures.

Another little trick
This rule is enabled on a schedule in the evening and disabled again at 5 in the morning, when honest people are sound asleep and only the automated brute-forcers stay awake.

/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=1w0d0h0m chain=forward comment="night_rdp_blacklist" \
    connection-state=new disabled=yes dst-port=3389 protocol=tcp \
    src-address-list=rdp_stage8

An address enters rdp_stage8 on its eighth new connection, and the first connection after that (the ninth) matches this rule and blacklists it for a week. Place the rule at the top of the forward chain, above the rdp_stage9 rule, so it is evaluated before the normal chain advances the address, and have two scheduler entries set disabled=no in the evening and disabled=yes in the morning. Nice!
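To see how the three mechanisms above (the honeypot lists, the staged rdp_stage counter and the night rule) behave on a stream of connections, here is a small model of the address-list mechanics they rely on. It is an added example, not code from the article or from MikroTik, and it simplifies the router: rules are evaluated top to bottom and only the first matching add-src-to-address-list rule writes an entry, re-adding an address just rewrites its expiry, the raw prerouting drop is checked before the filter rules, and the night rule is placed at the top of the chain. The addresses and timings are constructed, not captured traffic. It also shows why the rule order matters and what the rdp_stage4 typo in the original listing would have done.

```python
# Added example: a model of the RouterOS address-list mechanics used on this
# page, not the article's or MikroTik's own code. Assumptions: top-to-bottom
# evaluation where the first matching add-src-to-address-list rule is the
# only one applied, re-adding an address rewrites its expiry, and the raw
# prerouting drop is checked before the filter rules. Time is in seconds.
from dataclasses import dataclass
from typing import Optional

DAY = 24 * 3600


@dataclass(frozen=True)
class Rule:
    """One add-src-to-address-list rule (chain and interface are omitted)."""
    proto: str
    dst_ports: frozenset
    add_to: str                     # address-list the source is written to
    timeout: int                    # address-list-timeout in seconds
    src_list: Optional[str] = None  # required src-address-list, None = any source


class Router:
    def __init__(self, filter_rules, raw_drop_lists):
        self.rules = list(filter_rules)
        self.raw_drop_lists = list(raw_drop_lists)
        self.lists = {}             # list name -> {ip: expiry time}

    def listed(self, name, ip, now):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def new_connection(self, now, src, proto, dst_port):
        """Feed one new connection (connection-state=new); return 'dropped' or 'passed'."""
        # /ip firewall raw prerouting: anything from a listed source is discarded first
        if any(self.listed(name, src, now) for name in self.raw_drop_lists):
            return "dropped"
        # /ip firewall filter: the first matching rule writes the list entry
        for r in self.rules:
            if (r.proto == proto and dst_port in r.dst_ports
                    and (r.src_list is None or self.listed(r.src_list, src, now))):
                self.lists.setdefault(r.add_to, {})[src] = now + r.timeout
                break
        return "passed"


def honeypot_rules():
    """The page's honeypot: a new connection to a bait port lists the source for 30 days."""
    return [
        Rule("tcp", frozenset({22, 3389, 8291}), "Honeypot Hacker", 30 * DAY),
        Rule("udp", frozenset({5060}), "Honeypot Hacker", 30 * DAY),
    ]


def staged_rules(stages=12, port=3389, stage_timeout=4 * 60,
                 ban_timeout=15 * 60, night_rule=False):
    """The page's staged RDP counter, highest stage first, as the listing orders it."""
    ports = frozenset({port})
    rules = []
    if night_rule:  # the night_rdp_blacklist rule, assumed to sit above everything else
        rules.append(Rule("tcp", ports, "rdp_blacklist", 7 * DAY, "rdp_stage8"))
    rules.append(Rule("tcp", ports, "rdp_blacklist", ban_timeout, f"rdp_stage{stages}"))
    for n in range(stages, 1, -1):
        rules.append(Rule("tcp", ports, f"rdp_stage{n}", stage_timeout, f"rdp_stage{n - 1}"))
    rules.append(Rule("tcp", ports, "rdp_stage1", stage_timeout, None))
    return rules


def run(router, src, proto, port, count, interval):
    """Open `count` new connections `interval` seconds apart; return the outcomes in order."""
    return [router.new_connection(i * interval, src, proto, port) for i in range(count)]


def first_drop(outcomes):
    """1-based index of the first dropped connection, or None if none was dropped."""
    return outcomes.index("dropped") + 1 if "dropped" in outcomes else None


if __name__ == "__main__":
    # Constructed sample traffic from documentation addresses, not captured data.
    hp = Router(honeypot_rules(), ["Honeypot Hacker"])
    print("honeypot: ssh probe", hp.new_connection(0, "203.0.113.5", "tcp", 22),
          "/ next SIP probe", hp.new_connection(1, "203.0.113.5", "udp", 5060))

    fast = Router(staged_rules(), ["rdp_blacklist"])
    print("RDP every 10 s, first drop at connection",
          first_drop(run(fast, "198.51.100.7", "tcp", 3389, 20, 10)))

    slow = Router(staged_rules(), ["rdp_blacklist"])
    print("RDP every 5 min, first drop at connection",
          first_drop(run(slow, "198.51.100.7", "tcp", 3389, 20, 300)))

    night = Router(staged_rules(night_rule=True), ["rdp_blacklist"])
    print("night rule on, first drop at connection",
          first_drop(run(night, "198.51.100.7", "tcp", 3389, 20, 10)))

    reversed_order = Router(staged_rules()[::-1], ["rdp_blacklist"])
    print("rules in reverse order, first drop at connection",
          first_drop(run(reversed_order, "198.51.100.7", "tcp", 3389, 20, 10)))
```

With the rules as listed, the fast client's fourteenth connection is the first one dropped (the thirteenth is the one that lands it in rdp_blacklist), a client pacing itself at one connection every five minutes is never blacklisted because each stage entry has expired before the next attempt, the night rule moves the drop forward to the tenth connection, and the reversed rule order never blacklists anyone. Replacing the rdp_stage8 rule's source list with rdp_stage4, as in the original listing, makes the model drop on the eleventh connection instead.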

Well, in addition to the above, I will add a link to a Wiki article with a working configuration for protecting Mikrotik from network scanners: wiki.mikrotik.com/wiki/Drop_port_scanners

On my devices this configuration runs alongside the honeypot rules described above and complements them nicely.

UPD: As suggested in the comments, the packet drop rule has been moved to RAW to reduce the load on the router.

Source: www.habr.com
