An easy way to protect Mikrotik from attacks

I want to share with the community a simple and effective way to use Mikrotik to protect a network and the services published through it from external attacks. Specifically, with only three rules you can set up a honeypot on Mikrotik.

So, imagine a small office with one external IP, behind which an RDP server is set up for remote work. The first step, naturally, is to move port 3389 on the external interface to some other port. That does not help for long: after a few days the terminal server's audit log starts showing several failed logons per second from unknown clients.

Another situation: you have Asterisk hidden behind Mikrotik, naturally not on UDP port 5060, and after a few days the password cracking starts anyway... Yes, yes, I know, fail2ban is our everything, but it still needs some work... For example, I recently installed it on Ubuntu 18.04 and was surprised to find that, out of the box, fail2ban does not contain up-to-date settings on Ubuntu... And googling for a quick, ready-made "recipe" no longer works either: the release numbers have grown a lot over the years, articles with "recipes" for old versions no longer work, and there are almost none for the new ones... But I digress...

So, what is a honeypot, in short? It is a decoy; in our case, a popular port on the external IP. Any new connection to that port from an external client adds the source address to a blacklist. That's all.

/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" 
    address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" 
    connection-state=new dst-port=22,3389,8291 in-interface=
    ether4-wan protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" 
    address-list-timeout=30d0h0m chain=input comment=
    "block honeypot asterisk" connection-state=new dst-port=5060 
    in-interface=ether4-wan protocol=udp 
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=
    "Honeypot Hacker"

The first rule, on the popular TCP ports 22, 3389 and 8291 on the external interface ether4-wan, adds the "guest" IP to the "Honeypot Hacker" list (the real ssh, rdp and winbox services were disabled or moved to other ports beforehand). The second does the same on the popular UDP port 5060. Two things to check before enabling them: the rules sit in the input chain, so they only see traffic addressed to the router itself; a dst-nat rule that still forwards one of these ports would send that traffic through the forward chain instead and the decoy would never fire. And they must be placed above any generic drop in the input chain, below an accept for your own trusted addresses, otherwise one accidental WinBox attempt on 8291 from outside locks you out for 30 days.

The third rule, in the raw table at the prerouting stage, drops every packet arriving on ether4-wan whose source address is in "Honeypot Hacker", before connection tracking is even consulted.
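The safeguards a practitioner would add around the honeypot, as an added example that is not part of the original article: a trusted-source list accepted above the decoy rules so you cannot blacklist yourself, an accept for established traffic so the decoy only counts new connections, and the checks that no dst-nat rule still forwards a decoy port and that the trap is actually filling. The list name trusted_admins and the address 203.0.113.10 are placeholders; ether4-wan and the list name "Honeypot Hacker" are taken from the article.

```routeros
# Added example, not from the original article. Assumes the three honeypot
# rules above already exist and that the WAN interface is ether4-wan.
# "trusted_admins" and 203.0.113.10 are placeholders: put your own static
# admin addresses here.

# 1. Trusted sources are accepted in 'input' BEFORE the honeypot rules, so a
#    slip (for example, WinBox on 8291 from the office) cannot land you in
#    "Honeypot Hacker" for 30 days. place-before=0 puts the rule at the top.
/ip firewall address-list
add list=trusted_admins address=203.0.113.10 comment="office static IP (placeholder)"

/ip firewall filter
add chain=input in-interface=ether4-wan src-address-list=trusted_admins \
    action=accept comment="trusted admins bypass honeypot" place-before=0

# 2. Established/related traffic is accepted next, so only genuinely new
#    connections ever reach the decoy rules.
add chain=input in-interface=ether4-wan connection-state=established,related \
    action=accept comment="allow established" place-before=1

# 3. dst-nat runs before filter 'input'. If a rule still forwards a decoy
#    port, that traffic goes to 'forward' and the decoy never fires.
#    This listing must come back empty for every decoy port.
/ip firewall nat print where chain=dstnat dst-port=3389
/ip firewall nat print where chain=dstnat dst-port=8291
/ip firewall nat print where chain=dstnat dst-port=22
/ip firewall nat print where chain=dstnat dst-port=5060

# 4. Verify the trap is catching and that the RAW drop is being hit.
/ip firewall address-list print where list="Honeypot Hacker"
/ip firewall raw print stats where src-address-list="Honeypot Hacker"
```

Keep the trusted list short and static; a dynamic home address that changes tomorrow belongs in the normal rules, not in a permanent bypass of the honeypot.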

After two weeks of use on my home Mikrotik, the "Honeypot Hacker" list contained about one and a half thousand IP addresses of those who like to get their hands on my network resources (I have telephony, mail, nextcloud and RDP at home). The brute-force attacks stopped, and happiness set in.

At work, things turned out to be less simple; there they kept hacking the RDP server by password guessing.

Apparently, the port number had been discovered by scanners long before the honeypot was enabled, and during quarantine it is not so easy to reconfigure more than 100 users, 20% of whom are over 65. If the port cannot be changed, there is a simple workaround. I have seen something similar online, but this version includes some additional workarounds and fine-tuning:

Rules for configuring the connection counter (called "Port Knocking" in the original)

/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist 
    address-list-timeout=15m chain=forward comment=rdp_to_blacklist 
    connection-state=new dst-port=3389 protocol=tcp src-address-list=
    rdp_stage12
add action=add-src-to-address-list address-list=rdp_stage12 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage11
add action=add-src-to-address-list address-list=rdp_stage11 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage10
add action=add-src-to-address-list address-list=rdp_stage10 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage9
add action=add-src-to-address-list address-list=rdp_stage9 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage8
add action=add-src-to-address-list address-list=rdp_stage8 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage7
add action=add-src-to-address-list address-list=rdp_stage7 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage6
add action=add-src-to-address-list address-list=rdp_stage6 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage5
add action=add-src-to-address-list address-list=rdp_stage5 
    address-list-timeout=4m chain=forward connection-state=new dst-port=
    3389 protocol=tcp src-address-list=rdp_stage4
add action=add-src-to-address-list address-list=rdp_stage4 
    address-list-timeout=4m chain=forward connection-state=new dst-port=
    3389 protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp 
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=
rdp_blacklist

Within a 4-minute window, a remote client may open only 12 new connections to the RDP server; one logon attempt takes 1 to 4 such "requests". The chain works because add-src-to-address-list does not terminate rule processing: each new connection re-matches every stage rule the address already qualifies for, which refreshes those entries' 4-minute timeouts and adds the address to the next stage. The rules are listed from rdp_stage12 down to rdp_stage1 so that a single connection advances the address by exactly one stage. After the twelfth connection the address is in rdp_stage12, and the next new connection drops it into rdp_blacklist for 15 minutes; the RAW rule then discards its packets. Note that the stage rules carry no in-interface match, so RDP connections routed between internal segments are counted too; add in-interface=ether4-wan to them if the router also routes internal traffic to the terminal server. In my case the attackers kept going; they adjusted their timers and now work very slowly. At that brute-force speed the attack's effectiveness drops to zero, and company employees barely noticed the measures.

One more little trick
This rule is scheduled to be enabled at 1 a.m. and disabled at 5 a.m., when real people are certainly asleep but the automated password guessers are still at work.

/ip firewall filter 
add action=add-src-to-address-list address-list=rdp_blacklist 
    address-list-timeout=1w0d0h0m chain=forward comment=
    "night_rdp_blacklist" connection-state=new disabled=
    yes dst-port=3389 protocol=tcp src-address-list=rdp_stage8

After only eight connections (the address has reached rdp_stage8), the attacker's IP is blacklisted for a whole week. Nice! The rule is added with disabled=yes; the scheduler toggles it.
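The scheduler that toggles the night rule, as an added example that is not part of the original article. The comment string "night_rdp_blacklist" and the 01:00 to 05:00 window come from the text above; the scheduler names and the script bodies are mine.

```routeros
# Added example, not from the original article. Enables the rule with
# comment "night_rdp_blacklist" at 01:00 and disables it at 05:00 every day.
# Scheduler names night_rdp_on / night_rdp_off are arbitrary placeholders.
/system scheduler
add name=night_rdp_on start-time=01:00:00 interval=1d \
    on-event="/ip firewall filter enable [find comment=\"night_rdp_blacklist\"]" \
    comment="aggressive RDP blacklisting starts at night"
add name=night_rdp_off start-time=05:00:00 interval=1d \
    on-event="/ip firewall filter disable [find comment=\"night_rdp_blacklist\"]" \
    comment="back to the 12-connection limit before people start work"

# Check that the rule is currently in the state you expect, and what the
# scheduler will do next. Also check the router clock: the schedule runs on
# the router's local time, so NTP and the time zone must be set correctly.
/ip firewall filter print where comment="night_rdp_blacklist"
/system scheduler print
/system clock print
```

Whether the week-long entry is created on the eighth or the ninth connection depends on where the night rule sits relative to the rdp_stage8 rule: placed above it, the rule only sees the address on the connection after it was added to rdp_stage8.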

In addition to the above, I will add a link to the Wiki article with a working setup for protecting Mikrotik against network scanners: wiki.mikrotik.com/wiki/Drop_port_scanners

On my devices this setup works alongside the honeypot rules described above, and the two complement each other well.

UPD: As suggested in the comments, the packet drop rules have been moved to RAW to reduce the load on the router.

Source: www.habr.com
