Sapa wae sing wis nyoba nglakokake mesin virtual ing mΓ©ga ngerti manawa port RDP standar, yen ditinggal mbukak, bakal langsung diserang dening gelombang upaya sandi brute force saka macem-macem alamat IP ing saindenging jagad.
Ing artikel iki aku bakal nuduhake carane Sampeyan bisa ngatur respon otomatis kanggo sandi brute force kanthi nambahake aturan anyar kanggo firewall. InTrust punika kanggo ngumpulake, nganalisa lan nyimpen data unstructured, kang wis atusan reaksi wis disetel kanggo macem-macem jinis serangan.
Ing Quest InTrust sampeyan bisa ngatur tumindak respon nalika aturan dipicu. Saka agen koleksi log, InTrust nampa pesen babagan upaya wewenang sing ora kasil ing stasiun kerja utawa server. Kanggo ngatur nambahake alamat IP anyar menyang firewall, sampeyan kudu nyalin aturan khusus sing wis ana kanggo ndeteksi pirang-pirang wewenang sing gagal lan mbukak salinan kanggo diowahi:
Acara ing log Windows nggunakake sing diarani InsertionString. (iki minangka login sing ora kasil ing sistem) lan sampeyan bakal weruh yen kolom sing kita minati disimpen ing InsertionString14 (Jeneng Stasiun Kerja) lan InsertionString20 (Alamat Jaringan Sumber). kosong, supaya panggonan iki penting ngganti Nilai saka Alamat Network Sumber.
Iki kaya teks acara 4625:
An account failed to log on.
Subject:
Security ID: S-1-5-21-1135140816-2109348461-2107143693-500
Account Name: ALebovsky
Account Domain: LOGISTICS
Logon ID: 0x2a88a
Logon Type: 2
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: Paul
Account Domain: LOGISTICS
Failure Information:
Failure Reason: Account locked out.
Status: 0xc0000234
Sub Status: 0x0
Process Information:
Caller Process ID: 0x3f8
Caller Process Name: C:WindowsSystem32svchost.exe
Network Information:
Workstation Name: DCC1
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: seclogo
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Kajaba iku, kita bakal nambah nilai Alamat Jaringan Sumber menyang teks acara.
Banjur sampeyan kudu nambah skrip sing bakal mblokir alamat IP ing Windows Firewall. Ing ngisor iki conto sing bisa digunakake kanggo iki.
Script kanggo nyetel firewall
param(
[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[string]
$SourceAddress
)
$SourceAddress = $SourceAddress.Trim()
$ErrorActionPreference = 'Stop'
$ruleName = 'Quest-InTrust-Block-Failed-Logons'
$ruleDisplayName = 'Quest InTrust: Blocks IP addresses from failed logons'
function Get-BlockedIps {
(Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue | get-netfirewalladdressfilter).RemoteAddress
}
$blockedIps = Get-BlockedIps
$allIps = [array]$SourceAddress + [array]$blockedIps | Select-Object -Unique | Sort-Object
if (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue) {
Set-NetFirewallRule -Name $ruleName -RemoteAddress $allIps
} else {
New-NetFirewallRule -Name $ruleName -DisplayName $ruleDisplayName -Direction Inbound -Action Block -RemoteAddress $allIps
}
Saiki sampeyan bisa ngganti jeneng aturan lan deskripsi supaya ora bingung mengko.
Saiki sampeyan kudu nambah skrip iki minangka tumindak nanggepi aturan kasebut, ngaktifake aturan kasebut, lan mesthekake yen aturan sing cocog diaktifake ing kabijakan pemantauan wektu nyata. Agen kudu diaktifake kanggo mbukak skrip respon lan kudu nemtokake parameter sing bener.
Sawise setelan rampung, jumlah wewenang sing ora kasil suda 80%. bathi? Sing apik tenan!
Kadhangkala mundhak cilik maneh, nanging iki amarga munculΓ© sumber serangan anyar. Banjur kabeh wiwit mudhun maneh.
Sajrone seminggu kerja, 66 alamat IP ditambahake menyang aturan firewall.
Ing ngisor iki tabel kanthi 10 jeneng panganggo umum sing digunakake kanggo usaha wewenang.
Jeneng pangguna
Jumlah
Ing persentasi
administrator
1220235
40.78
admin
672109
22.46
user
219870
7.35
contoso
126088
4.21
contoso.com
73048
2.44
administrator
55319
1.85
server
39403
1.32
sgazlabdc01.contoso.com
32177
1.08
administrator
32377
1.08
sgazlabdc01
31259
1.04
Marang kita ing komentar carane sampeyan nanggapi ancaman keamanan informasi. Apa sistem sampeyan nggunakake lan carane trep iku?
Yen sampeyan kepengin weruh tumindak InTrust, ing wangun umpan balik ing situs web kita utawa nulis kanggo kula ing pesen pribadi.
Waca artikel liyane babagan keamanan informasi:
(artikel populer)
Source: www.habr.com