How InTrust can help reduce the rate of failed authorization attempts over RDP

Anyone who has tried to run a virtual machine in the cloud knows that a standard RDP port, if left open, is attacked almost immediately by waves of password brute-force attempts coming from IP addresses all over the world.

In this article I will show how to configure an automatic response to password brute force in InTrust by adding a new rule to the firewall. InTrust is a CLM platform for collecting, analysing and storing unstructured data, and it already ships with hundreds of predefined responses to various types of attack.

In Quest InTrust you can configure response actions that run when a rule is triggered. From the log-collecting agent, InTrust receives a message about an unsuccessful authorization attempt on a workstation or server. To configure adding new IP addresses to the firewall, copy the existing rule that detects multiple failed authorizations and open the copy for editing:


Events in Windows logs use a mechanism called InsertionString. Look at the matches for event ID 4625 (a failed logon to the system) and you will see that the fields we need are stored in InsertionString14 (Workstation Name) and InsertionString20 (Source Network Address). In an attack from the Internet the Workstation Name field will most likely be empty, so it is important to substitute the value of Source Network Address in its place.
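The following is an added example, not part of the original article or of InTrust: a PowerShell script that reads recent 4625 events from the local Security log, extracts the two fields discussed above (InsertionString14 and InsertionString20 correspond to the zero-based Properties[13] and Properties[19]) and summarises failed logons per source address, applying the same fallback from Workstation Name to Source Network Address. The $Hours and $Top parameters are assumptions chosen for this example.

```powershell
# Added example (not from the original article): summarise failed logons (event 4625)
# per source address, the same data the InTrust rule feeds to the firewall script.
# Properties is zero-based: InsertionString14 -> Properties[13] (Workstation Name),
# InsertionString20 -> Properties[19] (Source Network Address).
param(
    [int]$Hours = 24,   # how far back to look (assumed default)
    [int]$Top   = 10    # how many sources to list (assumed default)
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction Stop

$rows = foreach ($e in $events) {
    $p = $e.Properties
    $workstation = [string]$p[13].Value
    $sourceAddr  = [string]$p[19].Value
    # Internet brute force usually leaves Workstation Name empty or '-',
    # so fall back to Source Network Address, exactly as the article does.
    $source = if ([string]::IsNullOrWhiteSpace($workstation) -or $workstation -eq '-') {
        $sourceAddr
    } else {
        $workstation
    }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        TargetUser  = [string]$p[5].Value   # account name the attacker tried
        LogonType   = [int]$p[10].Value     # 3 = network, 10 = RemoteInteractive
        Workstation = $workstation
        SourceAddr  = $sourceAddr
        Source      = $source
    }
}

# Drop local failures (empty or loopback address) so they never reach a blocking rule.
$remote = $rows | Where-Object { $_.SourceAddr -and $_.SourceAddr -notin @('-', '::1', '127.0.0.1') }

$remote | Group-Object SourceAddr | Sort-Object Count -Descending | Select-Object -First $Top |
    ForEach-Object {
        [pscustomobject]@{
            SourceAddr = $_.Name
            Failures   = $_.Count
            Users      = ($_.Group.TargetUser | Select-Object -Unique | Sort-Object) -join ','
        }
    } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session, since reading the Security log requires administrative rights.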

This is what the text of event 4625 looks like:

An account failed to log on.
Subject:
	Security ID:		S-1-5-21-1135140816-2109348461-2107143693-500
	Account Name:		ALebovsky
	Account Domain:		LOGISTICS
	Logon ID:		0x2a88a
Logon Type:			2
Account For Which Logon Failed:
	Security ID:		S-1-0-0
	Account Name:		Paul
	Account Domain:		LOGISTICS
Failure Information:
	Failure Reason:		Account locked out.
	Status:			0xc0000234
	Sub Status:		0x0
Process Information:
	Caller Process ID:	0x3f8
	Caller Process Name:	C:\Windows\System32\svchost.exe
Network Information:
	Workstation Name:	DCC1
	Source Network Address:	::1
	Source Port:		0
Detailed Authentication Information:
	Logon Process:		seclogo
	Authentication Package:	Negotiate
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Additionally, we add the Source Network Address value to the header.

Next you need to add a script that will block the IP address in Windows Firewall. Below is an example that can be used for this.

Firewall configuration script

param(
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [string]
    $SourceAddress
)

$ErrorActionPreference = 'Stop'
$SourceAddress = $SourceAddress.Trim()
$ruleName = 'Quest-InTrust-Block-Failed-Logons'
$ruleDisplayName = 'Quest InTrust: Blocks IP addresses from failed logons'

# Accept only a literal IP address and never block loopback: a malformed or local
# value here would either break the rule or lock you out of your own host.
$ip = $null
if (-not [System.Net.IPAddress]::TryParse($SourceAddress, [ref]$ip)) {
    throw "Not a valid IP address: '$SourceAddress'"
}
if ([System.Net.IPAddress]::IsLoopback($ip)) {
    throw "Refusing to block loopback address '$SourceAddress'"
}

# Addresses already present in the block rule (empty when the rule does not exist yet).
function Get-BlockedIps {
    $rule = Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue
    if ($rule) { @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) } else { @() }
}

# Merge the new address with the existing list; drop empty entries so no $null reaches -RemoteAddress.
$allIps = @(@($SourceAddress) + (Get-BlockedIps) | Where-Object { $_ } | Select-Object -Unique | Sort-Object)

if (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -Name $ruleName -RemoteAddress $allIps
} else {
    New-NetFirewallRule -Name $ruleName -DisplayName $ruleDisplayName -Direction Inbound -Action Block -RemoteAddress $allIps
}

Now you can change the rule name and description to avoid confusion later.

Now you need to add this script as a response action for the rule, enable the rule, and make sure the corresponding rule is enabled in the real-time monitoring policy. The agent must have response actions enabled and the correct parameter must be specified for it.

After the changes were applied, the number of unsuccessful authorizations dropped by 80%. Profit? You bet!

Sometimes a small increase occurs again, but it is caused by new attack sources appearing. After that everything starts to decline again.

Over one working week, 66 IP addresses were added to the firewall rule.

Below is a table with the 10 most popular usernames used in the authorization attempts.

Login                      Count      Percent
administrator              1220235    40.78
admin                      672109     22.46
user                       219870     7.35
contoso                    126088     4.21
contoso.com                73048      2.44
administrator              55319      1.85
server                     39403      1.32
sgazlabdc01.contoso.com    32177      1.08
supervisor                 32377      1.08
sgazlabdc01                31259      1.04

Tell us in the comments how you respond to information security threats. Which system do you use, and how convenient is it?

If you want to see InTrust in action, leave a request in the feedback form on our website or send me a private message.

Read our other articles on information security:

We detect a ransomware attack, gain access to the domain controller and try to resist these attacks

What useful things can be extracted from the logs of a Windows-based workstation? (popular article)

Tracking the user lifecycle without pliers or duct tape

Who did it? We automate information security investigations

How to reduce the cost of ownership of a SIEM system and why you need Central Log Management (CLM)

Source: www.habr.com
