My unfinished project. A network of 200 MikroTik routers

Hello everyone. This article is intended for those who have a lot of MikroTik equipment in their fleet, and for those who want as much centralisation as possible so that they do not have to connect to every device separately. In this article I describe a project which, unfortunately, never reached production, for human reasons. In short: more than 200 routers, fast deployment and staff training, unification by region, filtering by networks and specific hosts, a convenient way to add rules on all devices, logging and monitoring.

What is described below does not claim to be complete, but I hope it will be useful to you when planning your own networks and reducing errors. Perhaps some points and decisions will not seem right to you; if so, write in the comments. Criticism here will be a contribution to the common pool of experience. So, reader, look at the comments; the author may well have made a serious mistake somewhere, and the community will help.

The number of routers is 200-300, spread across different cities with different types of internet connection. Everything has to be done neatly and clearly enough that the local admins understand how it all works.

So where does every project start? Right, with the requirements specification (the ToR).

  1. Drawing up a network plan for all branches according to the customer's requirements, with network segments (from 3 to 20 networks per branch depending on the number of devices).
  2. Setting up the equipment in each branch. Checking the provider's real speed under different operating conditions.
  3. Planning the security of the equipment: management of authorised personnel, automatic identification of suspicious activity through long-term searches, and limiting the various techniques used to seize management access and disrupt operation.
  4. Organising secure VPN connectivity and filtering on the networks according to the customer's requirements. At least 3 VPN connections from each branch to the centre.
  5. Based on points 1 and 2, choosing the most suitable way to build fault-tolerant VPNs. If properly justified, the routing technology may be chosen by the contractor.
  6. Planning traffic prioritisation by protocol and port, taking into account other services the customer uses (VoIP, hosts with critical services).
  7. Organising monitoring and logging of router events so that technical staff can respond.

As we know, in a number of cases a modern solution is built according to the requirements. I drew up these requirements myself, after listening to the main problems. It was agreed that somebody could take care of these points.

Which tools will be used to meet these requirements:

  1. ELK stack (after a while it became clear that fluentd would be used instead of logstash).
  2. Ansible. For ease of management and collaboration we will use AWX.
  3. GITLAB. No need to explain here. Where would we be without version control of our configurations?
  4. PowerShell. There will be a simple script for generating the first version of the config.
  5. DokuWiki, for writing documentation and manuals. In this case we are using habr.com.
  6. Monitoring will be done via Zabbix. The network map will also be drawn there for clarity.

EFK settings

On the first point I will only describe the concept by which the indices are built. There are many excellent articles on setting up and receiving logs from MikroTik devices.

I will dwell on a few points:

1. According to the diagram, it is better to consider receiving logs from different locations on different ports. For this we will use a log aggregator. We also want to build an overall picture of all routers with shared access. Then we build the indices like this:

Here is a fragment of the fluentd config:

    @type elasticsearch
    logstash_format true
    index_name mikrotiklogs.north
    logstash_prefix mikrotiklogs.north
    flush_interval 10s
    hosts elasticsearch:9200
    port 9200

This way we can group the routers by region according to the plan: mikrotiklogs.west, mikrotiklogs.south, mikrotiklogs.east. Why such complexity? We understand that we will have 200 or more devices. You cannot keep track of everything. With Elasticsearch 6.8 the security settings are available to us (without buying a licence), so we can distribute viewing rights between technical support staff or local system administrators.
Tables and graphs: here you have to agree either to use the same ones everywhere, or everyone does what suits them.

2. On logging. If we enable logging in firewall rules, we give them names without spaces. It turns out that with fairly simple settings we can filter the data and build simple dashboards. The picture below is from my home router.


3. On log volume. Roughly, at 1000 messages per hour the logs take 2-3 MB per day, which, you will agree, is not much. Elasticsearch version 7.5.
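As an added example (not code from the article), here is a small Python parser for RouterOS firewall log lines of the kind the dashboards above are built from, with constructed sample lines. It also shows why the article insists on log prefixes without spaces: the one-word prefix before the colon is the only reliable separator in the message, and a prefix with a space does not parse.

```python
import re
from collections import Counter

# Constructed sample of RouterOS firewall log lines as forwarded to a syslog
# collector: topics, the rule's log-prefix, then the connection fields.
SAMPLE_LOGS = [
    "firewall,info drop_input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, "
    "proto TCP (SYN), 203.0.113.7:51234->198.51.100.2:8291, len 60",
    "firewall,info drop_input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, "
    "proto TCP (SYN), 203.0.113.7:51235->198.51.100.2:22, len 60",
    "firewall,info accept_vpn: in:ether1 out:(unknown 0), src-mac 66:77:88:99:aa:bb, "
    "proto UDP, 192.0.2.10:500->198.51.100.2:500, len 328",
    # A rule whose log-prefix contains a space: "drop" and "forward:" now look
    # like two separate tokens, so the prefix cannot be recovered reliably.
    "firewall,info drop forward: in:bridge out:ether1, src-mac 66:77:88:99:aa:bb, "
    "proto ICMP (type 8, code 0), 192.168.0.15->198.51.100.9, len 84",
]

LINE_RE = re.compile(
    r"^(?P<topics>[\w,]+) (?P<prefix>\S+): "   # one-word prefix, as the article advises
    r"in:(?P<in_if>\S+) out:(?P<out_if>[^,]+), "
    r"(?:src-mac (?P<mac>[0-9a-f:]+), )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, "
    r"len (?P<length>\d+)$"
)


def parse_line(line):
    """Return the fields of one firewall log line, or None if it does not fit the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def count_by_prefix(lines):
    """Dashboard-style aggregation: (prefix, dst port) -> hits, plus the number of unparsed lines."""
    counts, unparsed = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        counts[(rec["prefix"], rec["dport"])] += 1
    return counts, unparsed


if __name__ == "__main__":
    hits, bad = count_by_prefix(SAMPLE_LOGS)
    for (prefix, dport), n in sorted(hits.items()):
        print(f"{prefix:12s} dport={dport:<6} {n}")
    print(f"unparsed lines: {bad}")
```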

ANSIBLE.AWX

Fortunately for us, there is a ready-made module for these routers.
I mentioned AWX, but the commands below concern ansible in its pure form; I think that those who have worked with ansible will have no trouble using AWX through the GUI.

Honestly, before this I looked at other guides that use ssh, and they all had various problems with response time and a pile of other issues. I repeat, it did not reach production; take this information as an experiment that did not go beyond a test stand of 20 routers.

We need to use either certificates or accounts. It is up to you; I am for certificates. A subtle point about rights: I grant write rights; at least "reset config" does not work.

Creating, copying and importing the certificate should not be difficult:

Brief commands. On your PC:
    ssh-keygen -t rsa
answer the questions and save the key.
Copy it to the MikroTik:
    /user ssh-keys import public-key-file=id_mtx.pub user=ansible
First you need to create the account and assign rights to it.
Check the connection using the certificate:
    ssh -p 49475 -i /keys/mtx [email protected]

Write the inventory with vi /etc/ansible/hosts:
    MT01 ansible_network_os=routeros ansible_ssh_port=49475 ansible_ssh_user=ansible
    MT02 ansible_network_os=routeros ansible_ssh_port=49475 ansible_ssh_user=ansible
    MT03 ansible_network_os=routeros ansible_ssh_port=49475 ansible_ssh_user=ansible
    MT04 ansible_network_os=routeros ansible_ssh_port=49475 ansible_ssh_user=ansible

Well, an example playbook:

    - name: add_work_sites
      hosts: testmt
      serial: 1
      connection: network_cli
      remote_user: mikrotik.west
      gather_facts: yes
      tasks:
        - name: add Work_sites
          routeros_command:
            commands:
              - /ip firewall address-list add address=gov.ru list=work_sites comment=Ticket665436_Ochen_nado
              - /ip firewall address-list add address=habr.com list=work_sites comment=for_habr

As you can see from the configuration above, writing your own playbook is not difficult. It is enough to know the MikroTik CLI well. Imagine the moment when you need to remove an address list entry or other data on all routers, then:

Find and delete: /ip firewall address-list remove [find where address="gov.ru"]

I deliberately did not include the full firewall rule list here, because it will be individual for each project. But one thing I can say for sure: use only address lists.
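An added check (not from the article) in the spirit of the "only address lists" rule and of the "golden" configuration idea later in the text: it scans a constructed `/ip firewall filter export` fragment and reports rules that match on a literal src-address or dst-address instead of an address list, since those are exactly the rules that will differ from router to router.

```python
import re

# Constructed fragment of "/ip firewall filter export" output (not a real router's).
EXPORT = """/ip firewall filter
add action=accept chain=input src-address-list=admins comment=mgmt_in
add action=drop chain=input src-address=203.0.113.50 comment=block_scanner
add action=accept chain=forward dst-address-list=work_sites comment=allow_work
add action=drop chain=forward dst-address=198.51.100.0/24 comment=old_rule
add action=accept chain=forward src-address-list=work_nets dst-address=192.168.255.1 comment=to_hq
add action=drop chain=forward comment=drop_rest
"""

# Matches src-address= / dst-address= but not src-address-list= / dst-address-list=,
# because after "address" the list form continues with "-" rather than "=".
LITERAL_RE = re.compile(r"\b(src|dst)-address=(\S+)")
COMMENT_RE = re.compile(r"comment=(\S+)")   # comments without spaces, as the article advises


def literal_address_rules(export_text):
    """Return (rule comment, parameter, value) for every rule that hard-codes an address."""
    findings = []
    for line in export_text.splitlines():
        if not line.startswith("add "):
            continue          # section header, not a rule
        comment = COMMENT_RE.search(line)
        name = comment.group(1) if comment else "(no comment)"
        for m in LITERAL_RE.finditer(line):
            findings.append((name, f"{m.group(1)}-address", m.group(2)))
    return findings


if __name__ == "__main__":
    for name, param, value in literal_address_rules(EXPORT):
        print(f"rule {name}: {param}={value} should be an address list")
```

Long export lines that RouterOS wraps with a trailing backslash would need to be joined first; the constructed sample keeps every rule on one line.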

With GITLAB everything is clear. I will not dwell on this point. Everything is convenient for individual projects, templates and collaborators.

PowerShell

There are three points here. Why PowerShell? You can choose any tool for generating configs, whichever is convenient for you. In this case everyone has Windows on their PC, so why do it in bash when PowerShell is simpler. Which is more convenient?

The script itself (simple and clear):

    [cmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)] [string]$EXTERNALIPADDRESS,
        [Parameter(Mandatory=$true)] [string]$EXTERNALIPROUTE,
        [Parameter(Mandatory=$true)] [string]$BWorknets,
        [Parameter(Mandatory=$true)] [string]$CWorknets,
        [Parameter(Mandatory=$true)] [string]$BVoipNets,
        [Parameter(Mandatory=$true)] [string]$CVoipNets,
        [Parameter(Mandatory=$true)] [string]$CClients,
        [Parameter(Mandatory=$true)] [string]$BVPNWORKs,
        [Parameter(Mandatory=$true)] [string]$CPWORKs,
        [Parameter(Mandatory=$true)] [string]$BVPNCLIENTSs,
        [Parameter(Mandatory=$true)] [string]$cVPNCLIENTSs,
        [Parameter(Mandatory=$true)] [string]$NAMEROUTER,
        [Parameter(Mandatory=$true)] [string]$ServerCertificates,
        [Parameter(Mandatory=$true)] [string]$infile,
        [Parameter(Mandatory=$true)] [string]$outfile
    )

    # Read the template line by line, replace each placeholder token with the
    # value passed as a parameter, and write the result to the output file.
    Get-Content $infile | Foreach-Object {$_.Replace("EXTERNIP", $EXTERNALIPADDRESS)} |
    Foreach-Object {$_.Replace("EXTOUTE", $EXTERNALIPROUTE)} |
    Foreach-Object {$_.Replace("BWorknet", $BWorknets)} |
    Foreach-Object {$_.Replace("CWorknet", $CWorknets)} |
    Foreach-Object {$_.Replace("BVoipNet", $BVoipNets)} |
    Foreach-Object {$_.Replace("CVoipNet", $CVoipNets)} |
    Foreach-Object {$_.Replace("CClients", $CClients)} |
    Foreach-Object {$_.Replace("BVPNWORK", $BVPNWORKs)} |
    Foreach-Object {$_.Replace("CVPNWORK", $CPWORKs)} |
    Foreach-Object {$_.Replace("BVPNCLIENTS", $BVPNCLIENTSs)} |
    Foreach-Object {$_.Replace("CVPNCLIENTS", $cVPNCLIENTSs)} |
    Foreach-Object {$_.Replace("MYNAMERROUTER", $NAMEROUTER)} |
    Foreach-Object {$_.Replace("ServerCertificate", $ServerCertificates)} | Set-Content $outfile

Forgive me, I cannot post all the rules, because it would not look very pretty. You can make the rules yourself, guided by best practices.

For example, here is the list of links I followed:
wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
wiki.mikrotik.com/wiki/Manual:OSPF-examples
wiki.mikrotik.com/wiki/Drop_port_scanners
wiki.mikrotik.com/wiki/Manual:Winbox
wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS
wiki.mikrotik.com/wiki/Manual:IP/Fasttrack - here you need to know that when fasttrack is enabled, traffic shaping and packet marking rules will not work; it is useful on weak devices.

Legend for the variables. The following networks are taken as an example:
192.168.0.0/24 work network
172.22.4.0/24 VoIP network
10.0.0.0/24 network for clients with no access to the local network
192.168.255.0/24 VPN network for large branches
172.19.255.0/24 VPN network for small branches

A network address consists of 4 numbers, that is A.B.C.D, and the substitution works the same way: if the script asks for B, then for the network 192.168.0.0/24 you enter 168, and C = 0.
$EXTERNALIPADDRESS - the dedicated address from the provider.
$EXTERNALIPROUTE - the route to the network 0.0.0.0/0
$BWorknets - work network, in our example this will be 168
$CWorknets - work network, in our example this will be 0
$BVoipNets - VoIP network, in our example 22
$CVoipNets - VoIP network, in our example 4
$CClients - client network, internet access only; for us here 0
$BVPNWORKs - VPN network of large branches, in our example 20
$CPWORKs - VPN network of large branches, in our example 255
$BVPNCLIENTSs - VPN network of small branches, i.e. 19
$cVPNCLIENTSs - VPN network of small branches, i.e. 255
$NAMEROUTER - the router name
$ServerCertificates - the name of the certificate you exported
$infile - the path to the file from which the config is read, e.g. D:\config.txt (preferably an English path without special characters or spaces)
$outfile - the path to save to, e.g. D:\MT-test.txt

I deliberately changed the addresses in the examples, for obvious reasons.
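A Python rendition of the substitution the script above performs, added here as an example and not taken from the article, with the checks the script lacks: each octet must be 0-255, the external address and gateway must parse as IP values, the router and certificate names must be safe for the CLI, and the output is rejected if any placeholder survives, so a half-rendered config can never be pushed to 200 routers. The template fragment and the input values are constructed; the placeholder tokens are the script's own.

```python
import ipaddress
import re

# Placeholder tokens used by the article's PowerShell script. A single regex
# alternation (longest token first) substitutes them all in one pass, so the
# order of replacements can no longer matter.
OCTET_TOKENS = ["BWorknet", "CWorknet", "BVoipNet", "CVoipNet", "CClients",
                "BVPNWORK", "CVPNWORK", "BVPNCLIENTS", "CVPNCLIENTS"]
OTHER_TOKENS = ["EXTERNIP", "EXTOUTE", "MYNAMERROUTER", "ServerCertificate"]
TOKEN_RE = re.compile("|".join(
    sorted(map(re.escape, OCTET_TOKENS + OTHER_TOKENS), key=len, reverse=True)))
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")   # safe for RouterOS names and file names

# Constructed template fragment; the article's real template is not published.
TEMPLATE = """\
/system identity set name=MYNAMERROUTER
/ip address add address=EXTERNIP interface=ether1
/ip route add dst-address=0.0.0.0/0 gateway=EXTOUTE
/ip address add address=192.BWorknet.CWorknet.1/24 interface=bridge-work
/ip firewall address-list add list=vpn_clients address=172.BVPNCLIENTS.CVPNCLIENTS.0/24
/ip ipsec identity add peer=hq certificate=ServerCertificate
"""


def validate(values):
    """Reject values that would render into a syntactically valid but wrong config."""
    for key, val in values.items():
        if key in OCTET_TOKENS and not (val.isdigit() and int(val) <= 255):
            raise ValueError(f"{key}={val!r} is not an octet 0-255")
        if key == "EXTERNIP":
            ipaddress.ip_interface(val)      # address with prefix length, e.g. 203.0.113.10/30
        if key == "EXTOUTE":
            ipaddress.ip_address(val)        # the gateway is a bare address
        if key in ("MYNAMERROUTER", "ServerCertificate") and not NAME_RE.match(val):
            raise ValueError(f"{key}={val!r} contains characters unsafe for the RouterOS CLI")


def render(template, values):
    """Substitute every placeholder; fail if any token survives, so a half-rendered config is never written."""
    validate(values)
    out = TOKEN_RE.sub(lambda m: values.get(m.group(0), m.group(0)), template)
    left = TOKEN_RE.search(out)
    if left:
        raise ValueError(f"placeholder {left.group(0)} was not supplied")
    return out


if __name__ == "__main__":
    print(render(TEMPLATE, {
        "EXTERNIP": "203.0.113.10/30", "EXTOUTE": "203.0.113.9",
        "BWorknet": "168", "CWorknet": "0", "BVPNCLIENTS": "19", "CVPNCLIENTS": "255",
        "MYNAMERROUTER": "MT-west-01", "ServerCertificate": "mt-west-01.crt_0",
    }))
```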

I skipped the point about detecting brute force and anomalous behaviour; that deserves a separate article. But it is worth noting that for this group you can use analysis of data from Zabbix plus curl requests to Elasticsearch.

Which points should you pay attention to:

  1. Network plan. It is better to write it down straight away in a readable form. Excel will do. Unfortunately, I often see networks built on the principle "a new branch has appeared, here is your /24". Nobody knows how many devices are expected at a given site or whether there will be further growth. For example, a small shop opened where it was obvious from the start that there would be no more than 10 devices, so why allocate a /24? For large branches, on the contrary, they allocate a /24 and there are 500 devices; you can of course add more networks, but it is better to think it all through at once.
  2. Filtering rules. This applies if the project assumes network separation into many segments. Best practices change over time. Previously the PC and printer networks were separated, but now it is normal not to separate them. It is worth using common sense: do not create many subnets where they are not needed, but do not lump all devices into one network either.
  3. "Golden" settings on all routers. That is, once you have chosen the scheme, it is worth foreseeing everything at once and trying to make all settings identical, with only the address lists and IP addresses differing. If problems arise, troubleshooting time will be shorter.
  4. Organisational issues are more important than technical ones. Often lazy staff do things "by hand", without using the ready configs and scripts, which ultimately leads to problems.

On dynamic routing. OSPF with division into areas was used. But this is a test bench; it is much more interesting to set up such things in production conditions.

I hope nobody is upset that I did not post the router configuration. I think the links will be enough, and then it all depends on the requirements. And of course testing, lots of testing, is needed.

I wish everyone success with their projects in the new year. May the chance you are given be with you!!!

Source: www.habr.com
