Remote work in the office. RDP, Port Knocking, Mikrotik: simple and secure

Because of the covid-19 pandemic and the self-isolation imposed in many countries, the only way for many companies to keep working is remote access to the workplace over the internet. There are many reasonably secure ways to work remotely, but given the scale of the problem, what is needed is a simple way for any user to connect to the office remotely, without extra setup, explanations, tedious consultations and long instructions. The method favoured by many administrators is RDP (Remote Desktop Protocol). Connecting directly to the workstation over RDP solves our problem, apart from one big fly in the ointment: leaving an RDP port open to the internet is very dangerous. So below I propose a simple but reliable way to protect it.

Since I often deal with small organizations where Mikrotik devices serve as the internet gateway, below I show how to implement this on Mikrotik, but the Port Knocking protection method can be implemented on other advanced devices that have comparable ingress routing and firewall settings.

Briefly about Port Knocking. The ideal external protection for a network connected to the internet is when all devices and ports are closed from the outside by the firewall. And although a router with such a firewall does not react in any way to packets arriving from outside, it does listen to them. Therefore the router can be configured so that, on receiving a certain sequence (code) of network packets on various ports, it opens access to certain resources (ports, protocols, etc.) for the IP those packets came from.

Now to the point. I will not go into detail about setting up a firewall on Mikrotik; the internet has plenty of good sources for that. In essence, the firewall blocks all incoming packets, but

/ip firewall filter
add action=accept chain=input comment="established and related accept" connection-state=established,related

allows incoming traffic from connections that are already established (established, related).
Now let's configure Port Knocking on Mikrotik:

/ip firewall filter
add action=drop chain=input dst-port=19000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=drop chain=input dst-port=16000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=add-src-to-address-list address-list="remote_port_1" address-list-timeout=1m chain=input dst-port=19000 protocol=tcp comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=19001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=18999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=16001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=15999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="allow_remote_users" address-list-timeout=1m chain=input dst-port=16000 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
move [/ip firewall filter find comment=RemoteRules] 1
/ip firewall nat
add action=dst-nat chain=dstnat comment="remote_rdp" src-address-list="allow_remote_users" dst-port=33890 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.33 to-ports=3389

Now in detail:

the first two rules

/ip firewall filter
add action=drop chain=input dst-port=19000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=drop chain=input dst-port=16000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules

block incoming packets from IP addresses that have been caught scanning ports;

The third rule:

add action=add-src-to-address-list address-list="remote_port_1" address-list-timeout=1m chain=input dst-port=19000 protocol=tcp comment=RemoteRules

adds the IP to the list of hosts that knocked correctly on the required port (19000);
The next four rules:

add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=19001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=18999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=16001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=15999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules

create trap ports for anyone who wants to scan your ports; when such an attempt is detected, they blacklist the IP for 60 minutes, during which the first two rules will not let such hosts knock on the correct ports;

The next rule:

add action=add-src-to-address-list address-list="allow_remote_users" address-list-timeout=1m chain=input dst-port=16000 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules

puts the IP on the allowed list for one minute (enough to establish a connection), since the second correct knock was made on the required port (16000);

The next command:

move [/ip firewall filter find comment=RemoteRules] 1

moves our rules to the top of the firewall rule set, since we will usually already have various blocking rules configured that would prevent the newly created ones from ever matching. Rule numbering in Mikrotik starts from zero, but on my device position zero held a built-in rule that could not be moved, so I moved ours to 1. So look at your own configuration to see where they can be moved, and specify the required number.

The following setting:

/ip firewall nat
add action=dst-nat chain=dstnat comment="remote_rdp_to_33" src-address-list="allow_remote_users" dst-port=33890 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.33 to-ports=3389

forwards the arbitrarily chosen port 33890 to RDP port 3389 on the IP of the target computer or terminal server we need. We create such rules for all the required internal resources, preferably assigning each one its own (different) external port. Naturally, the IP of the internal resource must be static or reserved on the DHCP server.
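To see how the rules above interact, here is an added example that is not part of the article and not MikroTik code: a small model of RouterOS address lists (entries with a timeout) through which constructed TCP packets are replayed in the order the rules are installed. The source IPs and the clock are invented; the ports, list names and timeouts are the ones configured above.

```python
"""Model of the MikroTik port-knocking rule chain from the article.

Added example, not the article's or MikroTik's code: it replays
constructed TCP packets through a small imitation of RouterOS address
lists (entries with a timeout) so the effect of the trap ports, the
60-minute blacklist and the 1-minute allow list can be seen without a
router. The IPs and the clock are invented; ports, list names and
timeouts are the ones the article configures.
"""
from dataclasses import dataclass, field

KNOCK_1 = 19000                             # first knock port
KNOCK_2 = 16000                             # second knock port
TRAP_PORTS = {19001, 18999, 16001, 15999}   # the four trap rules
RDP_EXTERNAL_PORT = 33890                   # dst-nat'ed to 192.168.1.33:3389
BLACKLIST_TTL = 60 * 60                     # address-list-timeout=60m
KNOCK_TTL = 60                              # address-list-timeout=1m


@dataclass
class Packet:
    src: str        # source IP (constructed)
    dst_port: int
    t: float        # arrival time in seconds on a constructed clock


@dataclass
class Router:
    # address list name -> {ip: expiry time}
    lists: dict = field(default_factory=lambda: {
        "Black_scanners": {}, "remote_port_1": {}, "allow_remote_users": {}})

    def _listed(self, name, ip, now):
        expiry = self.lists[name].get(ip)
        return expiry is not None and expiry > now

    def _add(self, name, ip, now, ttl):
        # RouterOS refreshes the timeout when the same address is added again
        self.lists[name][ip] = now + ttl

    def handle(self, p: Packet) -> str:
        """Evaluate the rules in the order the article installs them.

        Knock packets themselves are still dropped by the catch-all rule;
        only their side effect on the address lists matters.
        """
        ip, port, now = p.src, p.dst_port, p.t
        # rules 1-2: blacklisted scanners may not knock at all
        if port in (KNOCK_1, KNOCK_2) and self._listed("Black_scanners", ip, now):
            return "drop: blacklisted"
        # rule 3: first knock, remembered for one minute
        if port == KNOCK_1:
            self._add("remote_port_1", ip, now, KNOCK_TTL)
            return "knock1 recorded"
        # rules 4-7: a host that knocked once and then touches a trap port
        # is walking adjacent ports -> blacklist for 60 minutes
        if port in TRAP_PORTS and self._listed("remote_port_1", ip, now):
            self._add("Black_scanners", ip, now, BLACKLIST_TTL)
            return "trap hit: blacklisted"
        # rule 8: correct second knock opens the allow list for one minute
        if port == KNOCK_2 and self._listed("remote_port_1", ip, now):
            self._add("allow_remote_users", ip, now, KNOCK_TTL)
            return "knock2 ok: allowed"
        # dst-nat rule: forward to the RDP host only for allowed sources
        if port == RDP_EXTERNAL_PORT and self._listed("allow_remote_users", ip, now):
            return "dnat -> 192.168.1.33:3389"
        return "drop: no match"


def replay(packets):
    r = Router()
    return [r.handle(p) for p in packets]


def legit_user():
    ip = "203.0.113.10"
    return replay([Packet(ip, KNOCK_1, 0), Packet(ip, KNOCK_2, 1),
                   Packet(ip, RDP_EXTERNAL_PORT, 5),
                   Packet(ip, RDP_EXTERNAL_PORT, 70)])   # allow list expired


def sequential_scanner():
    ip = "198.51.100.7"   # probes 19000, then 19001, then the real ports
    return replay([Packet(ip, KNOCK_1, 0), Packet(ip, 19001, 1),
                   Packet(ip, KNOCK_2, 2), Packet(ip, RDP_EXTERNAL_PORT, 3)])


def knocks_out_of_order():
    ip = "203.0.113.10"   # the race the delay between the img tags avoids
    return replay([Packet(ip, KNOCK_2, 0.00), Packet(ip, KNOCK_1, 0.05),
                   Packet(ip, RDP_EXTERNAL_PORT, 1)])


if __name__ == "__main__":
    for name, fn in [("legit user", legit_user),
                     ("sequential scanner", sequential_scanner),
                     ("out-of-order knocks", knocks_out_of_order)]:
        print(name, "->", fn())
```

The three replays show the points the article makes: a correct 19000 then 16000 sequence yields a dst-nat within the minute and a plain drop once the allow list has expired (an already open session survives through the established/related rule); a host that walks 19000 and then 19001 is blacklisted before it ever reaches 16000; and a second knock that arrives before the first simply falls through to the catch-all drop, which is why the client must send the knocks strictly in order. The model assumes the rules sit above any other drop rules, which is what the move command is for.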

Now our Mikrotik is configured and we need a simple way for the user to connect to our internal RDP. Since we usually have Windows users, we create a simple bat file and call it StartRDP.bat:

1.htm
1.rdp

where 1.htm contains this code:

<img src="http://my_router.sn.mynetname.net:19000/1.jpg">
нажмите обновить страницу для повторного захода по RDP
<img src="http://my_router.sn.mynetname.net:16000/2.jpg">

here there are two links to dummy images at the address my_router.sn.mynetname.net; we get this address from the Mikrotik DDNS system after enabling it on our Mikrotik: go to the IP -> Cloud menu, tick the DDNS Enabled box, click Apply and copy our router's DNS name. But this is only needed when the router's external IP is dynamic or the configuration uses several internet providers.

The port in the first link, 19000, corresponds to the first port to knock on, and the second to the second. Between the links is a short instruction on what to do if our connection is suddenly dropped due to a brief internet problem: refresh the page, the RDP port opens again for 1 minute, and our session is restored. In addition, the text between the img tags creates a small delay for the browser, which reduces the chance that the first packet is delivered to the second port (16000) first; so far there have been no such cases in two weeks of use (30 people).

Then comes the 1.rdp file, which we can configure for everyone at once or separately for each user (which is what I did: it is easier to spend 15 minutes than several hours consulting those who could not figure it out)

screen mode id:i:2
use multimon:i:1
.....
connection type:i:6
networkautodetect:i:0
.....
disable wallpaper:i:1
.....
full address:s:my_router.sn.mynetname.net:33890
.....
username:s:myuserlogin
domain:s:mydomain

One of the interesting points here is use multimon:i:1: it enables the use of multiple monitors; some people need this but do not think to enable it themselves.

connection type:i:6 and networkautodetect:i:0: since most internet connections are above 10 Mbit, we set connection type 6 (local network 10 Mbit and above) and disable networkautodetect, because with auto-detection on (auto), even small spikes in network latency lock our session's speed at a low rate for a long time, which can cause noticeable lag, especially in graphical applications.

disable wallpaper:i:1 - turn off the desktop background image
username:s:myuserlogin - specify the login, since a large share of users do not know their login.
domain:s:mydomain - specify the domain or computer name
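Since a separate .rdp file is prepared for each user, it helps to be able to read them back and catch the settings that would undo the ones described above. The following is an added example, not the article's code: a parser for the name:type:value line format of .rdp files (type i is an integer, s a string, b hex-encoded binary; a string value may itself contain colons, as in full address), plus a few checks derived from the article's settings. The sample file is constructed from the values listed above.

```python
"""Parser and sanity check for .rdp connection files.

Added example, not the article's code. An .rdp file is a list of lines of
the form name:type:value; only the first two colons delimit the fields,
because a string value such as full address:s:host:port contains one too.
SAMPLE_RDP is constructed from the settings the article lists.
"""

SAMPLE_RDP = """\
screen mode id:i:2
use multimon:i:1
connection type:i:6
networkautodetect:i:0
disable wallpaper:i:1
full address:s:my_router.sn.mynetname.net:33890
username:s:myuserlogin
domain:s:mydomain
"""


def parse_rdp(text):
    """Return {name: typed value}; malformed lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)    # name, type, value (value may hold ':')
        if len(parts) != 3:
            continue
        name, kind, value = parts
        try:
            if kind == "i":
                settings[name] = int(value)
            elif kind == "b":
                settings[name] = bytes.fromhex(value)
            else:                            # "s" and anything unknown: keep as text
                settings[name] = value
        except ValueError:                   # non-numeric "i" or bad hex: skip line
            continue
    return settings


def check_rdp(settings):
    """Flag settings that would undo what the article's file sets up."""
    findings = []
    addr = settings.get("full address", "")
    if ":" not in addr:
        findings.append("full address has no port: mstsc would use 3389 "
                        "instead of the forwarded external port")
    if "connection type" in settings and settings.get("networkautodetect") == 1:
        findings.append("networkautodetect:i:1 lets auto-detection override "
                        "the fixed connection type")
    if "username" not in settings:
        findings.append("no username: the user will be prompted for a login")
    return findings


if __name__ == "__main__":
    cfg = parse_rdp(SAMPLE_RDP)
    print(cfg)
    print("findings:", check_rdp(cfg) or "none")
```

Run over the sample, parse_rdp returns the typed settings (integers for the i fields, the host:port string intact) and check_rdp reports nothing; a file with a bare hostname, autodetect enabled and no username gets three findings. The port check treats any colon as a port separator, so a bare IPv6 literal would need extra handling.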

But if we want to simplify the task of creating the connection method, we can also use PowerShell - StartRDP.ps1

Test-NetConnection -ComputerName my_router.sn.mynetname.net -Port 19000
Test-NetConnection -ComputerName my_router.sn.mynetname.net -Port 16000
mstsc /v:my_router.sn.mynetname.net:33890

A little about the RDP client in Windows as well: MS has come a long way in optimizing the protocol and its server and client parts, implementing many useful features such as working with 3D hardware, optimizing the screen resolution for your monitors, multi-monitor support, and so on. But of course everything works in backward-compatible mode, and if the client is Windows 7 and the remote PC is Windows 10, RDP will use protocol version 7.0. Fortunately, you can update RDP to more recent versions; for example, you can upgrade the protocol version from 7.0 (Windows 7) to 8.1. So, for clients to be properly supported, you should upgrade the server-side versions and also give users links to upgrade to the new versions of the RDP client protocol.

As a result, we have a simple and fairly secure technology for connecting remotely to a work PC or terminal server. But for those who want increased security, our Port Knocking method can be made several orders of magnitude harder to attack by adding more ports to check: using the same logic, you can add a 3rd, 4th, 5th, 6th... port, and in that case direct penetration into your network becomes practically impossible.

Configuration file for creating a remote RDP connection.

Source: www.habr.com
