Ndị enyi, ndewo!
Enwere ọtụtụ ụzọ iji jikọọ site na ụlọ gaa na ebe ọrụ ụlọ ọrụ gị. Otu n'ime ha bụ iji Microsoft Remote Desktop Gateway. Nke a bụ RDP karịa HTTP. Achọghị m imetụ aka na ịtọlite RDGW n'onwe ya ebe a, achọghị m ikwurịta ihe mere o ji dị mma ma ọ bụ ihe ọjọọ, ka anyị were ya dị ka otu n'ime ngwaọrụ ndị dịpụrụ adịpụ. Achọrọ m ikwu maka ichekwa ihe nkesa RDGW gị na ịntanetị ọjọọ. Mgbe m guzobere sava RDGW, enwere m nchegbu ozugbo maka nchekwa, ọkachasị nchebe pụọ n'ike okwuntughe. O juru m anya na ahụghị m akụkọ ọ bụla na Intanet gbasara otu esi eme nke a. Ọfọn, ị ga-eme ya n'onwe gị.
RDGW n'onwe ya enweghị nchekwa ọ bụla. Ee, enwere ike kpughee ya na interface efu na netwọk ọcha na ọ ga-arụ ọrụ dị ukwuu. Mana nke a ga-eme ka ahụ gwụ onye njikwa ma ọ bụ ọkachamara nchekwa ozi ziri ezi. Na mgbakwunye, ọ ga-ekwe ka ị zere ọnọdụ nke igbochi akaụntụ, mgbe onye ọrụ na-enweghị uche chetara paswọọdụ maka akaụntụ ụlọ ọrụ na kọmputa ụlọ ya, wee gbanwee paswọọdụ ya.
Ụzọ dị mma isi chebe akụrụngwa dị n'ime site na gburugburu mpụga bụ site na proxies dị iche iche, usoro mbipụta, na WAF ndị ọzọ. Ka anyị cheta na RDGW ka bụ http, mgbe ahụ ọ na-arịọ ka nkwụnye ngwọta pụrụ iche n'etiti sava ime na ịntanetị.
Amaara m na enwere F5, A10, Netscaler (ADC). Dịka onye nchịkwa nke otu n'ime usoro ndị a, m ga-ekwu na ọ ga-ekwe omume ịmepụta nchebe megide ike ọjọọ na usoro ndị a. Ma ee, usoro ndị a ga-echebekwa gị pụọ na iju mmiri ọ bụla.
Ma ọ bụghị ụlọ ọrụ ọ bụla nwere ike ịzụta ihe ngwọta dị otú ahụ (ma chọta onye nchịkwa maka usoro dị otú ahụ :), ma n'otu oge ahụ ha nwere ike ilekọta nchebe!
Ọ ga-ekwe omume ịwụnye ụdị HAProxy n'efu na sistemụ arụmọrụ efu. M nwalere na Debian 10, ụdị haproxy 1.8.19 na ebe nchekwa kwụsiri ike. M nwalekwara ya na ụdị 2.0.xx site na ebe nchekwa nnwale.
Anyị ga-ahapụ ịtọlite debian n'onwe ya na-abụghị akụkụ nke edemede a. Na nkenke: na interface ọcha, mechie ihe niile ma e wezụga ọdụ ụgbọ mmiri 443, na interface isi awọ - dị ka amụma gị si dị, dịka ọmụmaatụ, mechie ihe niile ma e wezụga ọdụ ụgbọ mmiri 22. Mepee naanị ihe dị mkpa maka ọrụ (VRRP dịka ọmụmaatụ, maka ip na-ese n'elu mmiri).
Nke mbụ, ahaziri m haproxy na SSL bridging mode (aka http mode) wee gbanye ịdenye aha iji hụ ihe na-eme n'ime RDP. Ya mere, ikwu okwu, m banyere n'etiti. Yabụ, ụzọ / RDWeb akọwapụtara na akụkọ “niile” maka ịtọlite RDGateway adịghị efu. Ihe niile dị bụ /rpc/rpcproxy.dll na /remoteDesktopGateway/. N'okwu a, a naghị eji arịrịọ GET/POST ọkọlọtọ eme ihe; a na-eji ụdị arịrịọ nke ha RDG_IN_DATA, RDG_OUT_DATA.
Ọ bụghị ọtụtụ, ma ọ dịkarịa ala ihe.
Ka anyị nwalee.
M na-ewepụta mstsc, gaa na nkesa, hụ njehie 401 (enweghị ikike) na ndekọ, wee tinye aha njirimara / paswọọdụ m wee hụ nzaghachi 200.
M na-agbanyụ ya, malite ya ọzọ, na na ndekọ m na-ahụ otu njehie anọ 401. M na-abanye na-ezighị ezi nbanye / paswọọdụ na-ahụ ọzọ anọ 401 njehie. Nke ahụ bụ ihe m chọrọ. Nke a bụ ihe anyị ga-ejide.
Ebe ọ bụ na ọ gaghị ekwe omume ikpebi url nbanye, ma e wezụga nke ahụ, amaghị m otu esi ejide njehie 401 na haproxy, m ga-ejide (ọ bụghị n'ezie ijide, ma gụọ) njehie 4xx niile. Kwesịrị ekwesị maka idozi nsogbu ahụ.
Ihe kachasị mkpa nke nchebe ga-abụ na anyị ga-agụta ọnụ ọgụgụ nke njehie 4xx (na azụ azụ) kwa nkeji oge ma ọ bụrụ na ọ gafere oke a kapịrị ọnụ, wee jụ (na frontend) njikọ niile site na ip a maka oge a kapịrị ọnụ. .
Teknụzụ, nke a agaghị abụ nchebe pụọ na ike brute okwuntughe, ọ ga-abụ nchekwa megide njehie 4xx. Dịka ọmụmaatụ, ọ bụrụ na ị na-arịọkarị url na-adịghị adị (404), mgbe ahụ nchedo ga-arụkwa ọrụ.
Ụzọ kachasị mfe ma dị irè bụ ịdabere na azụ azụ wee kọọ akụkọ ma ọ bụrụ na ihe ọ bụla ọzọ pụtara:
frontend fe_rdp_tsc
bind *:443 ssl crt /etc/haproxy/cert/desktop.example.com.pem
mode http
...
default_backend be_rdp_tsc
backend be_rdp_tsc
...
mode http
...
#создать таблицу, строковую, 1000 элементов, протухает через 15 сек, записать кол-во ошибок за последние 10 сек
stick-table type string len 128 size 1k expire 15s store http_err_rate(10s)
#запомнить ip
http-request track-sc0 src
#запретить с http ошибкой 429, если за последние 10 сек больше 4 ошибок
http-request deny deny_status 429 if { sc_http_err_rate(0) gt 4 }
...
server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02
Ọ bụghị nhọrọ kacha mma, ka anyị gbakọọ ya. Anyị ga-agụta na azụ azụ ma gbochie na frontend.
Anyị ga-emeso onye na-awakpo ahụ omume rụrụ arụ ma hapụ njikọ TCP ya.
frontend fe_rdp_tsc
bind *:443 ssl crt /etc/haproxy/cert/ertelecom_ru_2020_06_11.pem
mode http
...
#создать таблицу ip адресов, 1000 элементов, протухнет через 15 сек, сохрянять из глобального счётчика
stick-table type ip size 1k expire 15s store gpc0
#взять источник
tcp-request connection track-sc0 src
#отклонить tcp соединение, если глобальный счётчик >0
tcp-request connection reject if { sc0_get_gpc0 gt 0 }
...
default_backend be_rdp_tsc
backend be_rdp_tsc
...
mode http
...
#создать таблицу ip адресов, 1000 элементов, протухнет через 15 сек, сохранять кол-во ошибок за 10 сек
stick-table type ip size 1k expire 15s store http_err_rate(10s)
#много ошибок, если кол-во ошибок за 10 сек превысило 8
acl errors_too_fast sc1_http_err_rate gt 8
#пометить атаку в глобальном счётчике (увеличить счётчик)
acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
#обнулить глобальный счётчик
acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
#взять источник
tcp-request content track-sc1 src
#отклонить, пометить, что атака
tcp-request content reject if errors_too_fast mark_as_abuser
#разрешить, сбросить флажок атаки
tcp-request content accept if !errors_too_fast clear_as_abuser
...
server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02
Otu ihe ahụ, mana n'ụzọ nkwanye ùgwù, anyị ga-eweghachi njehie http 429 (Otutu Arịrịọ)
frontend fe_rdp_tsc
...
stick-table type ip size 1k expire 15s store gpc0
http-request track-sc0 src
http-request deny deny_status 429 if { sc0_get_gpc0 gt 0 }
...
default_backend be_rdp_tsc
backend be_rdp_tsc
...
stick-table type ip size 1k expire 15s store http_err_rate(10s)
acl errors_too_fast sc1_http_err_rate gt 8
acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
http-request track-sc1 src
http-request allow if !errors_too_fast clear_as_abuser
http-request deny deny_status 429 if errors_too_fast mark_as_abuser
...
Ana m elele: M malite mstsc wee malite itinye okwuntughe na-enweghị usoro. Mgbe mgbalị nke atọ gasịrị, n'ime 10 sekọnd ọ na-agbaghachi m azụ, mstsc na-enye njehie. Dị ka a na-ahụ na ndekọ.
Nkọwa. Adị m anya na nna ukwu haproxy. Aghọtaghị m ihe kpatara ya, dịka ọmụmaatụ
http-arịrịọ jụ deny_status 429 ma ọ bụrụ {sc_http_err_rate(0) gt 4}
na-enye gị ohere ịme ihe dị ka mmejọ 10 tupu ọ rụọ ọrụ.
Enwere m mgbagwoju anya maka ọnụọgụ nke counter. Nna-ukwu nke haproxy, m ga-enwe obi ụtọ ma ọ bụrụ na ị kwadoro m, gbazie m, mee ka m dịkwuo mma.
Na nkwupụta ị nwere ike ịtụ aro ụzọ ndị ọzọ iji chebe ọnụ ụzọ ámá RD, ọ ga-adọrọ mmasị ịmụ ihe.
Banyere Windows Remote Desktop Client (mtsc), ọ dị mma ịmara na ọ naghị akwado TLS1.2 (opekata mpe na Windows 7), yabụ m ga-ahapụ TLS1; anaghị akwado cipher dị ugbu a, yabụ na m ga-ahapụkwa ndị ochie.
Maka ndị na-aghọtaghị ihe ọ bụla, na-amụ ihe, ma chọọ ime nke ọma, m ga-enye gị nhazi niile.
haproxy.conf
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
#ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE
-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
#ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
ssl-default-bind-options no-sslv3
ssl-server-verify none
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 15m
timeout server 15m
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend fe_rdp_tsc
bind *:443 ssl crt /etc/haproxy/cert/dektop.example.com.pem
mode http
capture request header Host len 32
log global
option httplog
timeout client 300s
maxconn 1000
stick-table type ip size 1k expire 15s store gpc0
tcp-request connection track-sc0 src
tcp-request connection reject if { sc0_get_gpc0 gt 0 }
acl rdweb_domain hdr(host) -i beg dektop.example.com
http-request deny deny_status 400 if !rdweb_domain
default_backend be_rdp_tsc
backend be_rdp_tsc
balance source
mode http
log global
stick-table type ip size 1k expire 15s store http_err_rate(10s)
acl errors_too_fast sc1_http_err_rate gt 8
acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
tcp-request content track-sc1 src
tcp-request content reject if errors_too_fast mark_as_abuser
tcp-request content accept if !errors_too_fast clear_as_abuser
option forwardfor
http-request add-header X-CLIENT-IP %[src]
option httpchk GET /
cookie RDPWEB insert nocache
default-server inter 3s rise 2 fall 3
server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02
frontend fe_stats
mode http
bind *:8080
acl ip_allow_admin src 192.168.66.66
stats enable
stats uri /stats
stats refresh 30s
#stats admin if LOCALHOST
stats admin if ip_allow_admin
Gịnị mere sava abụọ na azụ azụ? N'ihi na nke a bụ otu ị ga-esi mee ka ọ ghara imejọ. Haproxy nwekwara ike ime abụọ na ip ọcha na-ese n'elu mmiri.
Akụrụngwa ịgbakọ: ị nwere ike ịmalite na "gig abụọ, cores abụọ, PC egwuregwu." Dabere na nke a ga-ezuru oke.
Ntughari:
isi: www.habr.com