E hoa ma, tena koutou!
He maha nga huarahi hei hono mai i te kaainga ki to waahi mahi tari. Ko tetahi o enei ko te whakamahi i te Microsoft Remote Desktop Gateway. Ko RDP tenei mo HTTP. Kaore au e pai ki te pa atu ki te whakatu i a RDGW ano i konei, kaore au e pai ki te korero he aha te pai, te kino ranei, me waiho hei tetahi o nga taputapu uru mamao. E hiahia ana ahau ki te korero mo te tiaki i to RDGW tūmau mai i te Ipurangi kino. I taku whakaturanga i te tūmau RDGW, ka raru tonu ahau mo te haumarutanga, ina koa ko te whakamarumaru ki te kupu huna. I miharo ahau kaore i kitea e au etahi tuhinga i runga i te Ipurangi mo te mahi i tenei. Ana, me mahi koe i a koe ano.
Karekau he parenga a RDGW ake. Ae, ka taea te whakaatu me te atanga kau ki te whatunga ma ka pai te mahi. Engari ma tenei ka raruraru te kaiwhakahaere tika, te tohunga mo te haumaru korero ranei. I tua atu, ka taea e koe te karo i te ahuatanga o te aukati i te kaute, i te wa i mahara ai te kaimahi maharahara ki te kupuhipa mo tetahi kaute umanga i runga i tana rorohiko kaainga, katahi ka huri i tana kupuhipa.
Ko te huarahi pai ki te tiaki i nga rawa o roto mai i te taiao o waho ko nga momo takawaenga, nga punaha whakaputa me etahi atu WAF. Kia maumahara tatou ko te RDGW tonu te http, katahi ka tono kia monohia he otinga motuhake i waenga i nga kaitoro o roto me te Ipurangi.
Kei te mohio ahau he F5 hauhautanga, A10, Netscaler(ADC). Hei kaiwhakahaere mo tetahi o enei punaha, ka kii ahau ka taea ano te whakatu he whakamarumaru ki nga mahi nanakia ki runga i enei punaha. Ae, ma enei punaha koe e tiaki mai i nga waipuke katoa.
Engari kaore e taea e nga kamupene katoa te hoko i taua otinga (ka kitea he kaiwhakahaere mo taua punaha :), engari i te wa ano ka taea e ratou te tiaki i te haumaru!
Ka taea te whakauru i tetahi putanga kore utu o HAProxy ki runga i te punaha whakahaere kore utu. I whakamatauria e ahau a Debian 10, te putanga haproxy 1.8.19 i roto i te putunga putunga. I whakamatauria ano e ahau i runga i te putanga 2.0.xx mai i te rehitatanga whakamatautau.
Ka waiho maatau te whakatu i te debian ki waho o te waahanga o tenei tuhinga. He poto: i runga i te atanga ma, kati nga mea katoa haunga te tauranga 443, i runga i te atanga hina - kia rite ki to kaupapa here, hei tauira, kati nga mea katoa engari ko te tauranga 22. Tuwhera noa nga mea e tika ana mo te mahi (VRRP hei tauira, mo te ip maanu).
Tuatahi, i whirihora ahau i te haproxy i roto i te aratau piriti SSL (aka http aratau) ka whakahurihia te takiuru kia kite i nga mahi kei roto i te RDP. Na ki te korero, i uru ahau ki waenganui. Na, kei te ngaro te ara /RDWeb kua tohua i roto i nga tuhinga "katoa" mo te whakaturanga RDGateway. Ko nga mea katoa ko /rpc/rpcproxy.dll me /remoteDesktopGateway/. I tenei keehi, kaore nga tono GET/POST paerewa e whakamahia ana; ko o raatau ake momo tono RDG_IN_DATA, RDG_OUT_DATA ka whakamahia.
Ehara i te nui, engari i te iti rawa tetahi mea.
Kia whakamatautau tatou.
Ka whakarewahia e ahau te mstsc, haere ki te tūmau, tirohia e wha nga hapa 401 (kaore i whakaaetia) i roto i nga raarangi, katahi ka uru ki taku ingoa ingoa/kupuhipa ka kite i te whakautu 200.
Ka whakawetohia e ahau, ka timata ano, ka kite ahau i nga hapa e wha 401. Ka uru ahau ki te takiuru / kupuhipa he ka kite ano i nga hapa e wha 401. Koina taku e hiahia ana. Koinei te mea ka mau.
I te mea kaore i taea te whakatau i te url takiuru, me tua atu, kaore au e mohio ki te hopu i te hapa 401 i roto i te haproxy, ka mau ahau (kaore e mau, engari ka tatau) nga hapa 4xx katoa. He pai hoki mo te whakaoti rapanga.
Ko te ngako o te whakamarutanga ka tatauhia e matou te maha o nga hapa 4xx (kei te tuara) mo ia waeine o te wa, a, ki te nui ake i te rohe kua tohua, katahi ka paopao (kei te pito o mua) nga hononga katoa mai i tenei ip mo te waa kua tohua. .
Ma te hangarau, ehara tenei i te whakamarumaru mai i te kaha o te kupuhipa, he whakamarumaru ki nga hapa 4xx. Hei tauira, mena ka tono koe i te url kore-kore (404), ka mahi ano te whakamarumaru.
Ko te huarahi ngawari me te whai hua ko te tatau ki te tuara me te whakahoki korero mena ka puta mai he mea taapiri:
frontend fe_rdp_tsc
bind *:443 ssl crt /etc/haproxy/cert/desktop.example.com.pem
mode http
...
default_backend be_rdp_tsc
backend be_rdp_tsc
...
mode http
...
#создать таблицу, строковую, 1000 элементов, протухает через 15 сек, записать кол-во ошибок за последние 10 сек
stick-table type string len 128 size 1k expire 15s store http_err_rate(10s)
#запомнить ip
http-request track-sc0 src
#запретить с http ошибкой 429, если за последние 10 сек больше 4 ошибок
http-request deny deny_status 429 if { sc_http_err_rate(0) gt 4 }
...
server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02
Ehara i te mea pai rawa atu, me whakararu. Ka tatau tatou ki te tuara ka poraka ki te pito o mua.
Ka tukinotia e matou te kaitukino ka whakataka tana hononga TCP.
frontend fe_rdp_tsc
bind *:443 ssl crt /etc/haproxy/cert/ertelecom_ru_2020_06_11.pem
mode http
...
#создать таблицу ip адресов, 1000 элементов, протухнет через 15 сек, сохрянять из глобального счётчика
stick-table type ip size 1k expire 15s store gpc0
#взять источник
tcp-request connection track-sc0 src
#отклонить tcp соединение, если глобальный счётчик >0
tcp-request connection reject if { sc0_get_gpc0 gt 0 }
...
default_backend be_rdp_tsc
backend be_rdp_tsc
...
mode http
...
#создать таблицу ip адресов, 1000 элементов, протухнет через 15 сек, сохранять кол-во ошибок за 10 сек
stick-table type ip size 1k expire 15s store http_err_rate(10s)
#много ошибок, если кол-во ошибок за 10 сек превысило 8
acl errors_too_fast sc1_http_err_rate gt 8
#пометить атаку в глобальном счётчике (увеличить счётчик)
acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
#обнулить глобальный счётчик
acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
#взять источник
tcp-request content track-sc1 src
#отклонить, пометить, что атака
tcp-request content reject if errors_too_fast mark_as_abuser
#разрешить, сбросить флажок атаки
tcp-request content accept if !errors_too_fast clear_as_abuser
...
server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02
ko te mea ano, engari ma te pai, ka whakahokia e matou te hapa http 429 (He maha nga tono)
frontend fe_rdp_tsc
...
stick-table type ip size 1k expire 15s store gpc0
http-request track-sc0 src
http-request deny deny_status 429 if { sc0_get_gpc0 gt 0 }
...
default_backend be_rdp_tsc
backend be_rdp_tsc
...
stick-table type ip size 1k expire 15s store http_err_rate(10s)
acl errors_too_fast sc1_http_err_rate gt 8
acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
http-request track-sc1 src
http-request allow if !errors_too_fast clear_as_abuser
http-request deny deny_status 429 if errors_too_fast mark_as_abuser
...
Ka tirohia e au: Ka whakarewahia e ahau te mstsc ka tiimata ki te whakauru i nga kupuhipa. I muri i te toru o nga nganatanga, i roto i te 10 hēkona ka whana ahau ki muri, ka puta he hapa a mstsc. Ka kitea i roto i nga rakau.
Nga whakamarama. Kei tawhiti ahau i te rangatira haproxy. Kare au i te marama he aha, hei tauira
http-tono whakakahore deny_status 429 mena { sc_http_err_rate(0) gt 4 }
ka taea e koe kia 10 nga hapa i mua i te mahi.
E rangirua ana ahau mo te tatau o nga porotiti. E nga rangatira o te haproxy, ka koa ahau ki te whakakii koe i ahau, whakatikahia ahau, kia pai ake ahau.
I roto i nga korero ka taea e koe te whakaatu etahi atu huarahi hei tiaki i te RD Gateway, he pai ki te ako.
Mo te Kiritaki Papamahi Mamao Windows (mstsc), me mahara kaore e tautoko ana i te TLS1.2 (i te iti rawa i roto i te Windows 7), no reira me wehe ahau i te TLS1; e kore e tautoko i te cipher o naianei, no reira me waiho e au nga mea tawhito.
Mo te hunga kaore i te mohio ki tetahi mea, kei te ako noa, kua hiahia ki te mahi pai, ka hoatu e ahau te whirihora katoa.
haproxy.conf
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
#ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE
-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
#ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
ssl-default-bind-options no-sslv3
ssl-server-verify none
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 15m
timeout server 15m
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend fe_rdp_tsc
bind *:443 ssl crt /etc/haproxy/cert/dektop.example.com.pem
mode http
capture request header Host len 32
log global
option httplog
timeout client 300s
maxconn 1000
stick-table type ip size 1k expire 15s store gpc0
tcp-request connection track-sc0 src
tcp-request connection reject if { sc0_get_gpc0 gt 0 }
acl rdweb_domain hdr(host) -i beg dektop.example.com
http-request deny deny_status 400 if !rdweb_domain
default_backend be_rdp_tsc
backend be_rdp_tsc
balance source
mode http
log global
stick-table type ip size 1k expire 15s store http_err_rate(10s)
acl errors_too_fast sc1_http_err_rate gt 8
acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
tcp-request content track-sc1 src
tcp-request content reject if errors_too_fast mark_as_abuser
tcp-request content accept if !errors_too_fast clear_as_abuser
option forwardfor
http-request add-header X-CLIENT-IP %[src]
option httpchk GET /
cookie RDPWEB insert nocache
default-server inter 3s rise 2 fall 3
server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02
frontend fe_stats
mode http
bind *:8080
acl ip_allow_admin src 192.168.66.66
stats enable
stats uri /stats
stats refresh 30s
#stats admin if LOCALHOST
stats admin if ip_allow_admin
He aha nga tūmau e rua i te tuara? Na te mea ko tenei ka taea e koe te whakatau i te he. Ka taea hoki e Haproxy te hanga e rua me te ip ma maanu.
Rauemi rorohiko: ka taea e koe te tiimata me "e rua gig, e rua nga matua, PC petipeti." E ai ki
He Tohutoro:
Source: will.com