Two-factor authentication of VPN users via MikroTik and SMS

Hello, friends! Today, now that the hype around remote work has subsided a little and most administrators have solved the task of giving employees remote access to the corporate network, it is time for me to share the experience I have accumulated in hardening VPN security. This article is not about IPsec IKEv2 and modern xAuth. It is about building two-factor authentication (2FA) for VPN users where MikroTik acts as the VPN server, that is, where "classic" PPP-family protocols are in use.


Today I will show how to protect a MikroTik PPP VPN even when a user's account has been stolen. When this scheme was presented to one of my clients, he summed it up briefly: "well, now it's like at the bank!"

The method uses no external authentication services; everything is done internally by the router itself. It costs the connecting client nothing, and it works for both PC clients and mobile devices.

The general protection scheme is as follows:

  1. The internal IP address of a user who has successfully connected to the VPN server is automatically added to a "grey" list.
  2. The connection event automatically generates a one-time code, which is sent to the user over one of the available channels.
  3. Addresses on the grey list have limited access to local network resources, except for the "authenticator" service, which waits to receive the one-time code.
  4. After presenting the code, the user gets access to the internal network resources.

The first, minor problem we ran into was where to store the user's contact details for sending the 2FA code. Since it is impossible to add arbitrary user attributes in MikroTik, the existing "comment" field was used:

/ppp secret add name=Petrov password=4M@ngr! comment="89876543210"

The second problem turned out to be more serious: choosing the channel and method of delivering the code. Currently three schemes are in use: a) SMS via a USB modem, b) e-mail, c) SMS via the e-mail-to-SMS gateway that the red mobile operator offers its corporate customers.

Yes, SMS costs money. But, as they say, "security always costs money" (c).
Personally, I don't like the e-mail scheme. Not because it requires the mail server to be reachable by a client that has not yet been authenticated; splitting the traffic is not a problem. But if the client carelessly saved both the VPN and the e-mail password in the browser and then lost the laptop, an attacker would get access to the corporate network from it.

So the decision was made: we deliver the one-time code by SMS.

The third problem was where and how to generate a pseudo-random 2FA code in MikroTik. The RouterOS scripting language has nothing like a random() function, and I had seen several home-made pseudo-random number generators before. I didn't like any of them, for various reasons.

In fact, MikroTik does have a pseudo-random sequence generator! It is hidden from a superficial glance in /certificate scep-server. The first way to obtain a one-time password is easy and simple: the command /certificate scep-server otp generate. After a simple substitution we get a value that can be used later in scripts.

The second way to obtain a one-time password, just as easy to use, is the external service random.org, which generates a pseudo-random string of the desired type. Here is a simplified console example of reading the data into a variable:

:global rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]->"data") 1 6]
:put $rnd1

The request, formatted for the console (in a script the special characters will need escaping), stores a string of six characters in the $rnd1 variable. The following "put" command simply displays the variable in the MikroTik console.

The fourth problem, which had to be solved promptly, was how and where the connecting client would submit its one-time code in the second stage of authentication.

There has to be a service on the MikroTik router that accepts the code and matches it to a specific client. If the submitted code matches the expected one, the client's address must be put on a separate "white" list, whose addresses are allowed into the company's internal network.

Given the limited choice of services, it was decided to accept the codes over HTTP using the web proxy built into MikroTik. And since the firewall can work with dynamic lists of IP addresses, it is the firewall that searches for the code with a Layer7 regexp, matches it to the client's IP and adds the IP to the "white" list. The router itself was given the conventional DNS name "gw.local", and a static A record was created for it to hand out to PPP clients:

DNS record:
/ip dns static add name=gw.local address=172.31.1.1

Capturing the traffic of unauthenticated clients onto the proxy:
/ip firewall nat add chain=dstnat dst-port=80,443 in-interface=2fa protocol=tcp !src-address-list=2fa_approved action=redirect to-ports=3128

In this case the proxy has two functions:

1. Accept TCP connections from clients;

2. After successful authorization, redirect the client's browser to a page or image announcing that authentication succeeded:

Proxy configuration:
/ip proxy
set enabled=yes port=3128
/ip proxy access
add action=deny disabled=no redirect-to=gw.local./mikrotik_logo.png src-address=0.0.0.0/0

I will list the important configuration elements:

  1. interface-list "2fa": a dynamic list of clients whose traffic must be processed by the 2FA logic;
  2. address-list "2fa_jailed": the "grey" list of VPN clients' IP addresses;
  3. address-list "2fa_approved": the white list of VPN clients' IP addresses that have passed two-factor authentication;
  4. firewall chain "input_2fa": inspects TCP packets for the presence of a valid code and checks that the sender's IP address is the expected one. The rules in this chain are added and removed dynamically.

A simplified packet-processing diagram looks like this:

[Figure: simplified packet-processing diagram]

To include the traffic of "grey"-list clients that have not yet passed the second authentication stage in the Layer7 scan, a rule was created in the standard "input" chain:

/ip firewall filter add chain=input !src-address-list=2fa_approved action=jump jump-target=input_2fa

Now let's tie all this wealth to the PPP service. MikroTik lets you attach scripts to a profile (ppp-profile) and run them on the events of establishing and tearing down a PPP connection. Profile settings can be applied both to the PPP server as a whole and to each user individually. In that case the profile assigned to the user takes priority, overriding the parameters set for the server as a whole.

Thanks to this, we can create a special two-factor authentication profile and assign it not to all users, but only to those we consider necessary. This matters if you use PPP services not only to connect end users but also to build site-to-site links.

In the newly created special profile we use the automatic addition of the connected user's address and interface to the "grey" address list and interface list:

[Screenshot: Winbox, PPP profile settings]

/ppp profile add address-list=2fa_jailed change-tcp-mss=no local-address=192.0.2.254 name=2FA interface-list=2fa only-one=yes remote-address=dhcp_pool1 use-compression=no use-encryption=required use-mpls=no use-upnp=no dns-server=172.31.1.1

"address-list" and "interface-list" must be used together in order to detect and capture, in the dstnat (prerouting) chain, the traffic of VPN clients that have not passed the second authorization.

With the preparation done, the additional firewall chains and the profile created, we will write the script responsible for generating the 2FA code and the individual firewall rules automatically.

The wiki.mikrotik.com documentation on PPP-Profile enriches us with information about the PPP client connect and disconnect events: "Execute script on user login-event. These are available variables that are accessible for the event script: user, local-address, remote-address, caller-id, called-id, interface". Some of them will be very useful to us.

Script used in the profile for the PPP connection (on-up) event:

# Log the received variables for debugging
:log info ($"local-address")
:log info ($"remote-address")
:log info ($"caller-id")
:log info ($"called-id")
# Assumes a PPTP server; for L2TP or SSTP use /interface l2tp-server or /interface sstp-server
:log info ([/interface pptp-server get ($"interface") name])
# Declare our own local variables
:local listname "2fa_jailed"
:local viamodem false
:local modemport "usb2"
# Find the automatically created entry in the "2fa_jailed" address list
:local recnum1 [/ip firewall address-list find address=($"remote-address") list=$listname]

# Get a pseudo-random code via random.org (commented out; see the escaping note above)
#:local rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]->"data") 0 4]
# ... or get a pseudo-random code from the local generator
:local rnd1 [:pick ([/certificate scep-server otp generate as-value minutes-valid=1]->"password") 0 4]

# Find and update the comment on the address-list entry; the expected code is stored there for debugging
/ip firewall address-list set $recnum1 comment=$rnd1
# Get the phone number the SMS should be sent to
:local vphone [/ppp secret get [find name=$user] comment]

# Prepare the message body. If the client connects to the VPN straight from the phone,
# it is enough to follow the link in the received message
:local msgbody ("Your code: ".$rnd1."\n Or open link http://gw.local/otp/".$rnd1."/")

# Send the SMS over the selected channel: USB modem or e-mail-to-SMS
# (mail server and addresses are placeholders; substitute your own)
:if ($viamodem) do={
  /tool sms send phone-number=$vphone message=$msgbody port=$modemport
} else={
  /tool e-mail send server=a.b.c.d to="sms-gateway@example.invalid" from="router@example.invalid" subject=("@".$vphone) body=$msgbody
}

# Generate the Layer7 regexp (the "/" needs no escaping in the regexp itself)
:local vregexp ("otp/".$rnd1)
:local vcomment ("2fa_".($"remote-address"))
/ip firewall layer7-protocol add name=$vcomment comment=($"remote-address") regexp=$vregexp

# Generate the rule that inspects the client's traffic via Layer7, looking for the right code,
# with a little protection against brute-forcing codes using dst-limit
/ip firewall filter add action=add-src-to-address-list address-list=2fa_approved address-list-timeout=none-dynamic chain=input_2fa dst-port=80,443,3128 layer7-protocol=$vcomment protocol=tcp src-address=($"remote-address") dst-limit=1,1,src-address/1m40s

I warn especially those who like to copy-paste carelessly: the code was taken from a test version and may contain minor errors. It won't be hard for someone who understands it to find where.
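To make the interplay of the grey list, the per-user Layer7 rule, the src-address binding and the dst-limit throttle concrete, here is an added Python model of that logic. It is example code written for this page, not the article's own script and not RouterOS code. The addresses, codes and request bytes are constructed, and the model assumes that every packet reaching the user's rule spends the single dst-limit token (so wrong guesses are throttled too); that is the model's simplification, not a statement about RouterOS internals.

```python
import re
from dataclasses import dataclass, field

# Constants mirroring the generated filter rule in the on-up script
OTP_PORTS = (80, 443, 3128)      # dst-port=80,443,3128
LIMIT_EXPIRE = 100.0             # dst-limit=1,1,src-address/1m40s -> one packet per 100 s


@dataclass
class UserRule:
    """The per-user layer7-protocol + filter rule created by the on-up script."""
    remote_address: str          # src-address=$"remote-address"
    regexp: re.Pattern           # regexp "otp\/<code>"
    next_allowed: float = 0.0    # when the dst-limit bucket has a token again


@dataclass
class Firewall:
    """In-memory model of the address lists and dynamic rules (illustration only)."""
    jailed: set = field(default_factory=set)      # address-list 2fa_jailed
    approved: set = field(default_factory=set)    # address-list 2fa_approved
    rules: dict = field(default_factory=dict)     # remote_address -> UserRule

    def on_up(self, remote_address: str, code: str) -> None:
        """PPP on-up: address lands in the grey list and gets its personal rule."""
        self.jailed.add(remote_address)
        regexp = re.compile(r"otp\/" + re.escape(code))
        self.rules[remote_address] = UserRule(remote_address, regexp)

    def on_down(self, remote_address: str) -> None:
        """PPP on-down: everything created for the user is removed again."""
        self.jailed.discard(remote_address)
        self.approved.discard(remote_address)
        self.rules.pop(remote_address, None)

    def input_packet(self, src: str, dst_port: int, payload: bytes, now: float) -> str:
        """Run one TCP packet through input -> input_2fa and return the verdict."""
        if src in self.approved:
            return "pass"                    # the jump rule skips 2fa_approved sources
        rule = self.rules.get(src)           # src-address= binds each rule to one PPP address
        if rule is None or dst_port not in OTP_PORTS:
            return "drop"
        if now < rule.next_allowed:
            return "rate-limited"            # dst-limit bucket is empty
        rule.next_allowed = now + LIMIT_EXPIRE
        if rule.regexp.search(payload.decode("latin-1")):
            self.approved.add(src)           # action=add-src-to-address-list
            return "approved"
        return "drop"


def http_get(code: str) -> bytes:
    """Constructed request line, what a browser sends for http://gw.local/otp/<code>/."""
    return f"GET /otp/{code}/ HTTP/1.1\r\nHost: gw.local\r\n\r\n".encode()


def demo() -> list:
    """Walk two constructed users through the flow and return the verdict sequence."""
    fw = Firewall()
    fw.on_up("10.20.30.5", "483920")     # constructed PPP address and code
    fw.on_up("10.20.30.6", "770011")
    verdicts = [
        fw.input_packet("10.20.30.5", 80, http_get("111111"), now=0.0),    # wrong code
        fw.input_packet("10.20.30.5", 80, http_get("483920"), now=5.0),    # right code, bucket empty
        fw.input_packet("10.20.30.5", 80, http_get("483920"), now=120.0),  # right code, accepted
        fw.input_packet("10.20.30.5", 445, b"\x00", now=121.0),            # now on the white list
        fw.input_packet("10.20.30.6", 80, http_get("483920"), now=121.0),  # someone else's code
        fw.input_packet("10.20.30.7", 80, http_get("483920"), now=121.0),  # never connected
    ]
    fw.on_down("10.20.30.5")                                                # cleanup script ran
    verdicts.append(fw.input_packet("10.20.30.5", 80, http_get("483920"), now=122.0))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Two properties of the article's design show up in the verdicts: a valid code presented from a different PPP address is dropped, because the rule carries `src-address=$"remote-address"`, and the on-down cleanup returns the address to the unprivileged state, so a re-connection always goes through the code exchange again.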

When the user disconnects, the "On-Down" event fires and the corresponding script is called with the same parameters. Its purpose is to clean up the firewall rules created for the disconnected user.

Script used in the profile for the PPP disconnection (on-down) event:

# The same per-user name as in the on-up script
:local vcomment ("2fa_".($"remote-address"))
# Remove the address from the white list
/ip firewall address-list remove [find address=($"remote-address") list=2fa_approved]
# Remove the user's rule from the input_2fa chain
/ip firewall filter remove [find chain="input_2fa" src-address=($"remote-address")]
# Remove the user's Layer7 regexp
/ip firewall layer7-protocol remove [find name=$vcomment]
You can create users and assign some or all of them to the two-factor authentication profile.

[Screenshot: Winbox, PPP secret with the 2FA profile]

/ppp secret set [find name=Petrov] profile=2FA

What it looks like from the client's side.

When the VPN connection is established, an SMS roughly like this arrives on your Android/iOS phone/tablet with a SIM card:

[Screenshot: the SMS with the code and the link]

If the connection is established directly from the phone/tablet, you can pass 2FA simply by tapping the link in the message. Convenient.

If the VPN connection is established from a PC, the user will need to enter the short one-time password. A small form in the shape of an HTML file is given to the user when the VPN is set up. The file can also be sent by mail so that the user saves it and creates a shortcut in a convenient place. It looks like this:

[Screenshot: desktop shortcut to the form]

The user clicks the shortcut, a simple code entry form opens, and it inserts the code into the URL that is opened:

[Screenshot: the code entry form]

The form is very primitive and is given only as an example. Anyone who wants to can adapt it to their own needs.

2fa_login_mini.html

<html>
<head>
  <title>SMS OTP login</title>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
<!-- Sends the browser to http://gw.local/otp/<code> so the router's Layer7 rule can see the code;
     the original put the script in the form's action attribute, which is never executed -->
<form name="login" onsubmit="location.href='http://gw.local/otp/'+document.getElementById('text').value; return false;">
  <input id="text" type="text" />
  <input type="submit" value="Login" />
</form>
</body>
</html>

If authorization succeeds, the user sees the MikroTik logo in the browser, which serves as the sign of successful authentication:

[Screenshot: MikroTik logo shown in the browser]

Note that the image is served by the web server built into MikroTik via the WebProxy Deny Redirect.

I believe the image can be customized with the "hotspot" tool: upload your own version there and point the WebProxy Deny Redirect URL at it.

A big request to those who are tempted to buy a cheap $20 MikroTik "toy" and replace a $500 router with it: don't. Devices like the "hAP Lite"/"hAP mini" (home access points) have a very weak CPU (smips) and will most likely not cope with the load in the business segment.

Attention! This solution has one drawback: every client connection or disconnection changes the configuration, which the router then tries to save to its non-volatile memory. With a large number of clients and frequent connects and disconnects, this can wear out the router's internal storage.

PS: The ways of delivering the code to the client can be extended and supplemented as far as your programming skills allow. For example, you could send the messages via Telegram, or... suggest your own options!

I hope this article helps you and helps make small and medium businesses a little safer.

Source: www.habr.com