An easy way to protect a Mikrotik from attacks

I want to share with the community a simple and working way to use a Mikrotik to protect your network, and the services "peeking out" from behind it, from external attacks. Namely, just three rules to set up a honeypot on the Mikrotik.

So, imagine we have a small office with an external IP behind which sits an RDP server so that employees can work remotely. The first rule, of course, is to change port 3389 on the external interface to something else. But this will not last long; after a few days the terminal server's audit log will start showing several failed logins per second from unknown clients.

Another situation: you have an Asterisk hidden behind the Mikrotik, naturally not on port 5060 udp, and after a few days the password guessing starts there too ... yes, yes, I know, fail2ban is the answer to everything, but you still have to make it work ... for example, I recently installed it on Ubuntu 18.04 and was surprised to find that out of the box fail2ban did not contain current settings for the Asterisk that ships out of the box with the same Ubuntu distribution ... and quickly googling the settings no longer helps, because the ready-made "recipes" no longer work: the number of releases has grown over the years, the articles with "recipes" for old versions no longer apply, and new ones are almost nowhere to be found ...

So, what a honeypot is, in short: it is a decoy; in our case, any popular port on the external IP, and any request to this port from an external client sends the src address to a blacklist. That's all.

/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" 
    address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" 
    connection-state=new dst-port=22,3389,8291 in-interface=
    ether4-wan protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" 
    address-list-timeout=30d0h0m chain=input comment=
    "block honeypot asterisk" connection-state=new dst-port=5060 
    in-interface=ether4-wan protocol=udp 
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=
    "Honeypot Hacker"

The first rule, on the popular TCP ports 22, 3389 and 8291 from the external interface ether4-wan, sends the "guest's" IP to the "Honeypot Hacker" list (the ports for ssh, rdp and winbox have been turned off beforehand or moved to other numbers). The second does the same on the popular UDP 5060.

The third rule, at the prerouting stage, drops packets from "guests" whose src-address is in "Honeypot Hacker".

After two weeks of running on my home Mikrotik, the "Honeypot Hacker" list held about one and a half thousand IP addresses of those who like to "grab the udder" of my network resources (at home there is telephony, mail, nextcloud, rdp). The brute-force attacks stopped, happiness arrived.

At work, not everything was so simple; there they keep hammering the rdp server with password brute-forcing.

Apparently, the port number had been determined by the scanners long before the honeypot was turned on, and during quarantine it is not so easy to reconfigure more than 100 users, 20% of whom are over 65. For the case where the port cannot be changed, there is a small working recipe. I have seen similar things on the Internet, but there are some additions and fine tuning involved:

Rules for configuring Port Knocking

/ip firewall filter
# Listed from rdp_stage12 down to rdp_stage1: add-src-to-address-list is a
# passthrough action, so each new connection moves the source up exactly one stage
add action=add-src-to-address-list address-list=rdp_blacklist
    address-list-timeout=15m chain=forward comment=rdp_to_blacklist
    connection-state=new dst-port=3389 protocol=tcp src-address-list=
    rdp_stage12
add action=add-src-to-address-list address-list=rdp_stage12
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage11
add action=add-src-to-address-list address-list=rdp_stage11
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage10
add action=add-src-to-address-list address-list=rdp_stage10
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage9
add action=add-src-to-address-list address-list=rdp_stage9
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage8
add action=add-src-to-address-list address-list=rdp_stage8
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage7
add action=add-src-to-address-list address-list=rdp_stage7
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage6
add action=add-src-to-address-list address-list=rdp_stage6
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage5
add action=add-src-to-address-list address-list=rdp_stage5
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage4
add action=add-src-to-address-list address-list=rdp_stage4
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=
    rdp_blacklist

Within 4 minutes a remote client is allowed to make only 12 new "requests" to the RDP server. One login attempt is 1 to 4 "requests". On the 12th "request" - a 15 minute block. In my case the attackers did not stop hacking the server; they set timers and now do it very slowly, and at that guessing rate the effectiveness of the attack drops to zero. Company employees experience practically no inconvenience at work from the measures taken.

Another little trick
This rule is turned on by a schedule at 5 and turned off at XNUMX, when real people are definitely asleep and the automated guessers are still awake.

/ip firewall filter 
add action=add-src-to-address-list address-list=rdp_blacklist 
    address-list-timeout=1w0d0h0m chain=forward comment=
    "night_rdp_blacklist" connection-state=new disabled=
    yes dst-port=3389 protocol=tcp src-address-list=rdp_stage8

Already on the 8th connection the attacker's IP is blacklisted for a week. Beautiful!
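The following Python model is added here; it is not part of the original article and not RouterOS code. It replays the honeypot rules, the rdp_stage chain and the night rule above against constructed traffic, so you can count exactly which connection ends up blacklisted. It reproduces the two RouterOS behaviours the rules rely on: address-list entries expire after address-list-timeout, and add-src-to-address-list is a passthrough action, which is why the rules are listed from rdp_stage12 down to rdp_stage1 and why the night rule, appended by `add` after the chain, already fires on the 8th connection. It assumes that re-adding a listed address refreshes its timeout; the addresses 203.0.113.7, 198.51.100.23 and 192.168.88.10 and the LAN interface name ether2 are constructed.

```python
"""Model of the RouterOS address-list rules in this article (added example, not
RouterOS code). Reproduced RouterOS behaviours: address-list entries expire after
address-list-timeout, and add-src-to-address-list is a passthrough action, so the
packet keeps walking down the chain after the list is updated. Hosts, addresses
and timings are constructed for the demonstration."""
from typing import NamedTuple, Optional

WAN = "ether4-wan"
MIN, DAY = 60, 86400
ADD, DROP = "add-src-to-address-list", "drop"


class Packet(NamedTuple):
    src: str
    proto: str
    dport: int
    in_iface: str
    chain: str  # filter chain the packet reaches: "input" or "forward"


class Rule(NamedTuple):
    chain: str
    action: str
    proto: Optional[str] = None
    dports: frozenset = frozenset()
    src_list: Optional[str] = None  # src-address-list match
    in_iface: Optional[str] = None
    add_to: Optional[str] = None    # list for add-src-to-address-list
    timeout: float = 0.0            # address-list-timeout, in seconds


class AddressLists:
    """Address lists with per-entry expiry. Assumption: re-adding refreshes the timeout."""

    def __init__(self) -> None:
        self._entries: dict[str, dict[str, float]] = {}

    def add(self, name: str, ip: str, now: float, timeout: float) -> None:
        self._entries.setdefault(name, {})[ip] = now + timeout

    def contains(self, name: str, ip: str, now: float) -> bool:
        return self._entries.get(name, {}).get(ip, 0.0) > now


def article_rules(night_rule: bool = False) -> list[Rule]:
    """The article's rules in evaluation order: raw prerouting first, then filter.
    'add' appends, so the night rule lands after the whole rdp_stage chain."""
    rdp = ("forward", ADD, "tcp", frozenset({3389}))
    rules = [
        Rule("prerouting", DROP, src_list="Honeypot Hacker", in_iface=WAN),
        Rule("prerouting", DROP, src_list="rdp_blacklist", in_iface=WAN),
        Rule("input", ADD, "tcp", frozenset({22, 3389, 8291}), None, WAN, "Honeypot Hacker", 30 * DAY),
        Rule("input", ADD, "udp", frozenset({5060}), None, WAN, "Honeypot Hacker", 30 * DAY),
        Rule(*rdp, "rdp_stage12", None, "rdp_blacklist", 15 * MIN),
    ]
    for n in range(12, 1, -1):  # rdp_stage12 <- rdp_stage11 ... rdp_stage2 <- rdp_stage1
        rules.append(Rule(*rdp, f"rdp_stage{n - 1}", None, f"rdp_stage{n}", 4 * MIN))
    rules.append(Rule(*rdp, None, None, "rdp_stage1", 4 * MIN))
    if night_rule:
        rules.append(Rule(*rdp, "rdp_stage8", None, "rdp_blacklist", 7 * DAY))
    return rules


def matches(rule: Rule, pkt: Packet, lists: AddressLists, now: float) -> bool:
    return (rule.chain in (pkt.chain, "prerouting")
            and (rule.proto is None or rule.proto == pkt.proto)
            and (not rule.dports or pkt.dport in rule.dports)
            and (rule.in_iface is None or rule.in_iface == pkt.in_iface)
            and (rule.src_list is None or lists.contains(rule.src_list, pkt.src, now)))


def handle(pkt: Packet, rules: list[Rule], lists: AddressLists, now: float) -> str:
    """Verdict ('accept' or 'drop') for one new connection; updates the address lists."""
    for rule in rules:
        if matches(rule, pkt, lists, now):
            if rule.action == DROP:
                return "drop"
            lists.add(rule.add_to, pkt.src, now, rule.timeout)  # passthrough: keep going
    return "accept"


def honeypot_demo() -> tuple[str, str, str]:
    """A WAN probe of tcp/22 passes once but blacklists its source for everything
    after it; the same probe from the LAN side (constructed ether2) is not a hit."""
    lists, rules = AddressLists(), article_rules()
    probe = handle(Packet("203.0.113.7", "tcp", 22, WAN, "input"), rules, lists, 0)
    later = handle(Packet("203.0.113.7", "tcp", 443, WAN, "forward"), rules, lists, 1)
    lan = handle(Packet("192.168.88.10", "tcp", 22, "ether2", "input"), rules, lists, 2)
    return probe, later, lan


def first_dropped_connection(interval: float, night_rule: bool = False, limit: int = 40) -> Optional[int]:
    """1-based index of the first new RDP connection from one source that is dropped
    when it opens one every `interval` seconds; None if none is dropped within `limit`."""
    lists, rules = AddressLists(), article_rules(night_rule)
    for i in range(1, limit + 1):
        pkt = Packet("198.51.100.23", "tcp", 3389, WAN, "forward")
        if handle(pkt, rules, lists, (i - 1) * interval) == "drop":
            return i
    return None
```

Running it gives `('accept', 'drop', 'accept')` for `honeypot_demo()`; `14` for `first_dropped_connection(10)` (the 13th connection in the 4-minute window trips the 15-minute blacklist and the 14th is dropped in raw); `None` for `first_dropped_connection(300)`, because the rdp_stage1 entry expires before the next attempt, which is exactly the slowed-down guessing the article describes; and `9` for `first_dropped_connection(10, night_rule=True)`, since the 8th connection lands in rdp_stage8 and hits the night rule in the same pass.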

Also, in addition to the above, I will add a link to a Wiki article with a working setup for protecting a Mikrotik from network scanners: wiki.mikrotik.com/wiki/Drop_port_scanners

On my devices this setup works together with the honeypot rules described above, complementing them nicely.

UPD: As suggested in the comments, the packet drop rules have been moved to RAW to reduce the load on the router.

Source: www.habr.com
