Amici, salve!
Multi modi sunt iungendi a domo ad officium tuum workspace. Una earum est uti Microsoft Desktop porta longinqua. Haec RDP super HTTP. Nolo ipsum hic attingere instituendo RDGW, nolo discutere quare bonum vel malum sit, unum e longinquis instrumentorum accessu tractamus. Loqui volo de servo tuo RdgW custodiendo a malo interreti. Cum servo RDGW statuo, statim de securitate sollicitus sum, praesertim praesidium contra vim violentam tesseram. Miratus sum me non reperisse articulos in Interreti quomodo id facerem. Bene, habebis ut facias.
ipsa RDGW praesidia nulla habet. Etiam nudo interface ad retis albis exponi potest et magna operabitur. Sed hoc faciet ius administrator vel specialist informationes securitatis turbat. Insuper condicionem interclusionis rationis vitare tibi sinet, cum neglegentior operarius tesseram corporatum in computatorio domicilio suo recordatus est, et tesseram eius mutavit.
Bona via ad defendendas opes internas ab ambitu externo est per varios procuratores, systemata evulgandas, et alios WAFs. Meminerimus RDGW adhuc http, tunc solum rogat solutionem specialem obturaculum inter servientes interni et interreti.
Scio frigus esse F5, A10, Netscaler (ADC). Ut administrator unius harum systematum, dicam etiam posse praesidium contra vim in his systematis constituere. Et sic, etiam haec systemata te ab omni diluvio defendet.
Sed non omnis societas talem solutionem mercari potest (et inveniat administratorem pro tali systemate:), sed simul curam securitatis!
Omnino possibile est liberam versionem HAProxy instituere in libera systemate operante. Probavi in Debian X, versionem haproxy 10 in promptuario stabili. Probavi etiam in versione 1.8.19.xx ex probatione repositorium.
Extra ambitum huius articuli relinquemus ipsum debianum constituere. Breviter: on the white interface, claude omnia praeter portum 443, in griseo interface - secundum tuum consilium, e.g., etiam claudunt omnia praeter portum XXII. Aperi solum quod ad laborem necessarium est (VRRP pro exemplo fluitantis ip).
Imprimis haproxy figuravi in SSL variandi modo (aka http modo) et in colligationem converti ad videndum quid RDP intus ageretur. Ita dicam, in medio accepi. Ita, via /RDWeb definita in "omnibus" articulis in Rdgateway constituendis deest. Omne quod est, est /rpc/rpcproxy.dll et /remoteDesktopGateway/. Hoc in casu, normae petitiones GET/post usus non sunt, petitionis genus suum RDG_IN_DATA, RDG_OUT_DATA adhibetur.
Non multum, sed aliquid saltem.
Let's test.
Mitto mstsc, vade ad ministratorem, vide quattuor 401 (non legitimi) errores in lignis, deinde intra usoris usoris mei et vide responsionem CC.
Averto, rursus incipe, et in lignis eosdem quattuor 401 errores video: iniuriam login/password ineo et iterum quattuor 401 errores video. Hoc est quod opus est. Hoc est quod capiemus.
Cum definire url login non potuit, et praeterea nescio quomodo errorem 401 in haproxy capere, omnes 4xx errores comprehendam (non actu capio, sed computa). Item ad solvendum idoneos.
Essentia tutelae erit ut numerum 4xx errorum (in backend) per unitatem temporis numerabimus et si certum terminum excedit, omnes ulteriores nexus ab hoc ip tempore praefinito rejiciemus. .
Technice, hoc praesidium contra password violentum non erit, praesidium contra 4xx errores erit. Exempli gratia, si saepe domicilium non-exsistentem petentibus (404), tutela etiam operabitur.
Modus simplicissimus et efficacior est numerare in backendo et renuntiare si quid extra appareat;
frontend fe_rdp_tsc
bind *:443 ssl crt /etc/haproxy/cert/desktop.example.com.pem
mode http
...
default_backend be_rdp_tsc
backend be_rdp_tsc
...
mode http
...
#создать таблицу, строковую, 1000 элементов, протухает через 15 сек, записать кол-во ошибок за последние 10 сек
stick-table type string len 128 size 1k expire 15s store http_err_rate(10s)
#запомнить ip
http-request track-sc0 src
#запретить с http ошибкой 429, если за последние 10 сек больше 4 ошибок
http-request deny deny_status 429 if { sc_http_err_rate(0) gt 4 }
...
server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02
Non optima optio, complicata. Nos in backend et scandalum in frontend numerabimus.
Nos inclementer incussorem tractabimus et nexum eius TCP omittemus.
frontend fe_rdp_tsc
bind *:443 ssl crt /etc/haproxy/cert/ertelecom_ru_2020_06_11.pem
mode http
...
#создать таблицу ip адресов, 1000 элементов, протухнет через 15 сек, сохрянять из глобального счётчика
stick-table type ip size 1k expire 15s store gpc0
#взять источник
tcp-request connection track-sc0 src
#отклонить tcp соединение, если глобальный счётчик >0
tcp-request connection reject if { sc0_get_gpc0 gt 0 }
...
default_backend be_rdp_tsc
backend be_rdp_tsc
...
mode http
...
#создать таблицу ip адресов, 1000 элементов, протухнет через 15 сек, сохранять кол-во ошибок за 10 сек
stick-table type ip size 1k expire 15s store http_err_rate(10s)
#много ошибок, если кол-во ошибок за 10 сек превысило 8
acl errors_too_fast sc1_http_err_rate gt 8
#пометить атаку в глобальном счётчике (увеличить счётчик)
acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
#обнулить глобальный счётчик
acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
#взять источник
tcp-request content track-sc1 src
#отклонить, пометить, что атака
tcp-request content reject if errors_too_fast mark_as_abuser
#разрешить, сбросить флажок атаки
tcp-request content accept if !errors_too_fast clear_as_abuser
...
server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02
idem, sed blande reddemus errorem http 429 ( Nimis multae petitiones )
frontend fe_rdp_tsc
...
stick-table type ip size 1k expire 15s store gpc0
http-request track-sc0 src
http-request deny deny_status 429 if { sc0_get_gpc0 gt 0 }
...
default_backend be_rdp_tsc
backend be_rdp_tsc
...
stick-table type ip size 1k expire 15s store http_err_rate(10s)
acl errors_too_fast sc1_http_err_rate gt 8
acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
http-request track-sc1 src
http-request allow if !errors_too_fast clear_as_abuser
http-request deny deny_status 429 if errors_too_fast mark_as_abuser
...
Cohibeo: mstsc inicio et inicio passim passwords intrantes. Post tertium conatum, intra 10 seconds me retro calcit, et mstsc dat errorem. sicut videre licet in lignis.
Resolutiones. Ego procul ab haproxy herus sum. Nescio quid, exempli gratia
http-petitionem negare 429 si sc_http_err_rate(0) gt 4}
sino te facere de 10 errata antequam operatur.
De calculis numeratione confusus sum. Praeceptores haproxy, laetabor si me compleveris, corrige me meliores.
In commentationibus aliis modis tuendi RD Gateway suggerere potes, studium studiosis erit.
Quoad Fenestra Longinquus Desktop Client (mstsc), notatu dignum est quod TLS1.2 (saltem in Fenestra 7) non sustinet, ideo relinquere habui TLS1; non current notas, sic et veteres relinquere.
Nam qui aliquid non intelligunt, iusta discunt, et iam bene facere volunt, tibi totam config.
haproxy.conf
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
#ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE
-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
#ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
ssl-default-bind-options no-sslv3
ssl-server-verify none
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 15m
timeout server 15m
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend fe_rdp_tsc
bind *:443 ssl crt /etc/haproxy/cert/dektop.example.com.pem
mode http
capture request header Host len 32
log global
option httplog
timeout client 300s
maxconn 1000
stick-table type ip size 1k expire 15s store gpc0
tcp-request connection track-sc0 src
tcp-request connection reject if { sc0_get_gpc0 gt 0 }
acl rdweb_domain hdr(host) -i beg dektop.example.com
http-request deny deny_status 400 if !rdweb_domain
default_backend be_rdp_tsc
backend be_rdp_tsc
balance source
mode http
log global
stick-table type ip size 1k expire 15s store http_err_rate(10s)
acl errors_too_fast sc1_http_err_rate gt 8
acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
tcp-request content track-sc1 src
tcp-request content reject if errors_too_fast mark_as_abuser
tcp-request content accept if !errors_too_fast clear_as_abuser
option forwardfor
http-request add-header X-CLIENT-IP %[src]
option httpchk GET /
cookie RDPWEB insert nocache
default-server inter 3s rise 2 fall 3
server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02
frontend fe_stats
mode http
bind *:8080
acl ip_allow_admin src 192.168.66.66
stats enable
stats uri /stats
stats refresh 30s
#stats admin if LOCALHOST
stats admin if ip_allow_admin
Cur duo servientes in tergo sunt? Quia hoc est quomodo tolerantiam culpae facere potes. Haproxy potest etiam duos facere cum albo ip.
Facultates computandi: incipere potes cum "duos cisio, duos coros, PC ludum." Secundum hoc satis erit parcere.
references:
Source: www.habr.com