A simple way to protect your Mikrotik from attacks

I want to share with the community a simple and working way of using Mikrotik to protect your network, and the services "peeking out" from behind it, from external attacks. In short: just three rules to set up a honeypot on Mikrotik.

So, imagine we have a small office with an external IP, behind which there is an RDP server for remote employees. The first rule, of course, is to move port 3389 on the external interface to some other port. But that does not help for long: after a couple of days the terminal server's audit log starts showing several failed logons per second from unknown clients.

Another situation: you have Asterisk hidden behind Mikrotik, naturally not on UDP port 5060, and after a couple of days the password guessing starts there too... Yes, yes, I know, fail2ban is our everything, but you still have to make it work... For example, I recently installed it on Ubuntu 18.04 and was surprised to find that, out of the box, fail2ban has no current settings for the Asterisk shipped in that very same Ubuntu distribution... and googling a quick setup no longer works: the ready "recipes" are several years old, the log format has changed over the years, the articles with "recipes" for old versions no longer work, and new ones hardly ever appear... But I digress...

So, what is a honeypot, in short. In our case a honeypot is any well-known port on the external IP that no real service listens on; any new connection to that port from an external client puts the source address on a blacklist. That's all.

/ip firewall filter
# trap: any new TCP connection from the WAN to 22, 3389 or 8291 lists the source for 30 days
add action=add-src-to-address-list address-list="Honeypot Hacker" \
    address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" \
    connection-state=new dst-port=22,3389,8291 in-interface=ether4-wan protocol=tcp
# the same for SIP signalling on UDP 5060
add action=add-src-to-address-list address-list="Honeypot Hacker" \
    address-list-timeout=30d0h0m chain=input comment="block honeypot asterisk" \
    connection-state=new dst-port=5060 in-interface=ether4-wan protocol=udp
/ip firewall raw
# drop everything from listed sources before connection tracking even sees it
add action=drop chain=prerouting in-interface=ether4-wan src-address-list="Honeypot Hacker"

The first rule, on the well-known TCP ports 22, 3389 and 8291 of the external interface ether4-wan, puts the "guest" IP on the "Honeypot Hacker" list (the real ssh, rdp and winbox services have been disabled on those ports beforehand or moved to others, otherwise the trap would catch legitimate users). The second rule does the same for the well-known UDP port 5060.

The third rule, at the prerouting stage, drops packets from "guests" whose src address is in "Honeypot Hacker". Two things to keep in mind: add-src-to-address-list is a pass-through action, so the trap rules must sit above any "drop everything from WAN" rule in the input chain to ever see a packet, and the raw drop is unconditional, so a source that trips the trap loses all access, including the administrator if they ever scan their own router from outside.
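As an added example (not from the original article), here is the same honeypot with the two safeguards a practitioner would want in production: an administrator whitelist that is checked before the trap rules in both the filter and raw chains, so that touching WinBox on 8291 from the admin's own address never blacklists it, and a pair of console commands to check what the trap has caught. The list name "Admin Whitelist" and the address 203.0.113.10 are assumptions for the example; ether4-wan is the interface from the article.

```routeros
# Added example, not from the original article.
# Assumptions: ether4-wan is the upstream interface, 203.0.113.10 is the
# administrator's fixed public address, and no service is exposed on
# 22/3389/8291 TCP or 5060 UDP of the WAN address.
/ip firewall address-list
add list="Admin Whitelist" address=203.0.113.10 comment="admin, never trap"

/ip firewall filter
# whitelist first: add-src-to-address-list is a pass-through action, so an
# accept rule above the traps keeps admin packets from ever reaching them.
# These rules are appended; if the chain already has a drop-all rule, move
# them above it with /ip firewall filter move.
add chain=input in-interface=ether4-wan src-address-list="Admin Whitelist" \
    action=accept comment="admin bypasses honeypot"
add chain=input in-interface=ether4-wan connection-state=new protocol=tcp \
    dst-port=22,3389,8291 action=add-src-to-address-list \
    address-list="Honeypot Hacker" address-list-timeout=30d \
    comment="honeypot ssh rdp winbox"
add chain=input in-interface=ether4-wan connection-state=new protocol=udp \
    dst-port=5060 action=add-src-to-address-list \
    address-list="Honeypot Hacker" address-list-timeout=30d \
    comment="honeypot sip"

/ip firewall raw
# raw/prerouting runs before connection tracking, so dropping here is cheap
# and also kills any session the source already had open; the admin accept
# must therefore come first here as well.
add chain=prerouting in-interface=ether4-wan src-address-list="Admin Whitelist" \
    action=accept comment="admin bypasses honeypot drop"
add chain=prerouting in-interface=ether4-wan src-address-list="Honeypot Hacker" \
    action=drop comment="drop trapped sources"

# check what the trap has caught and how long each entry remains
/ip firewall address-list print where list="Honeypot Hacker"
:put [:len [/ip firewall address-list find list="Honeypot Hacker"]]
```

If the administrator does not have a fixed address, replace the whitelist with a management VPN and keep the honeypot exactly as above; the important property is that the trap ports are ports nobody legitimate ever connects to.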

After two weeks of running this on my home Mikrotik, the "Honeypot Hacker" list held about one and a half thousand IP addresses of those who like to "milk" my network resources (at home I run my own telephony, mail, Nextcloud and RDP). The brute-force attacks stopped; happiness arrived.

At work, not everything turned out so simple: there they kept breaking into the RDP server by brute-forcing passwords.

Apparently the port number had been discovered by scanners long before the honeypot was enabled, and during quarantine it is not so easy to reconfigure more than 100 users, 20% of whom are over 65. For the case where the port cannot be changed, there is a small working recipe. I have seen something similar on the Internet, but this version has some additional refinements and fine tuning, namely:

Rules for setting up "Port Knocking"

/ip firewall filter
# Rules run top to bottom and add-src-to-address-list is pass-through, so the
# stages are listed from 12 down to 1: one new connection moves a source up
# exactly one stage. Each stage entry lives 4 minutes and is re-added (timer
# reset) on every further connection while the source is still in the
# previous stage.
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=15m chain=forward comment=rdp_to_blacklist \
    connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage12
add action=add-src-to-address-list address-list=rdp_stage12 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage11
add action=add-src-to-address-list address-list=rdp_stage11 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage10
add action=add-src-to-address-list address-list=rdp_stage10 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage9
add action=add-src-to-address-list address-list=rdp_stage9 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage8
# stage 8 must be fed from stage 7 (the listing as published read rdp_stage4
# here, which skipped stages 5-7 and banned on the 10th connection, not the 12th)
add action=add-src-to-address-list address-list=rdp_stage8 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage7
add action=add-src-to-address-list address-list=rdp_stage7 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage6
add action=add-src-to-address-list address-list=rdp_stage6 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage5
add action=add-src-to-address-list address-list=rdp_stage5 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage4
add action=add-src-to-address-list address-list=rdp_stage4 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage1
# stage 1: every new connection to the RDP port, from anyone
add action=add-src-to-address-list address-list=rdp_stage1 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=rdp_blacklist

Within a 4-minute window a remote client is allowed only 12 new "requests" (TCP connections) to the RDP server. One logon attempt costs 1 to 4 such "requests". On the 12th "request" the source is blocked for 15 minutes. In my case the attackers did not stop brute-forcing the server; they adapted to the timers and now do it very slowly, and at that guessing rate the attack's effectiveness drops to zero. The company's employees feel almost no inconvenience at work from these measures.

Despite the name, this is not a knock sequence but a per-source connection counter built from chained address lists. Two details matter when adapting it: forward-chain rules see the packet after dst-nat, so dst-port=3389 here is the server's port, not the external one; and the raw drop blocks all traffic from a blacklisted source, not only RDP, so an employee who starts the RDP client in a retry loop from a broken connection can lock out their whole office behind one NAT address for 15 minutes.
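A chain of twelve near-identical rules is easy to mistype, and a wrong src-address-list on one stage quietly changes how many connections it takes to reach the blacklist. The following RouterOS script is an added example, not from the original article: it generates the chain from the highest stage down so the rules land in the order the counter needs, with the stage count, window and ban length as parameters. The list and comment names follow the article; the defaults reproduce its 12 connections in 4 minutes, 15-minute ban.

```routeros
# Added example, not from the original article. Builds the rdp_stage1..N
# counter plus the rdp_blacklist rule and raw drop. Paste into a terminal
# or run as a script. Assumes ether4-wan is the WAN interface and 3389 is
# the server-side RDP port (forward chain sees post-dst-nat ports).
:local stages 12
:local window 4m
:local ban 15m

# rule 1: a source already in the last stage goes to the blacklist
/ip firewall filter add chain=forward protocol=tcp dst-port=3389 \
    connection-state=new src-address-list=("rdp_stage" . $stages) \
    action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=$ban comment=rdp_to_blacklist

# stages N..2 in descending order: a source that is only in stage k-1 is
# promoted exactly one stage per new connection, because the stage k+1 rule
# has already been evaluated (and missed) by the time the stage k rule adds it
:for n from=0 to=($stages - 2) do={
    :local s ($stages - $n)
    /ip firewall filter add chain=forward protocol=tcp dst-port=3389 \
        connection-state=new src-address-list=("rdp_stage" . ($s - 1)) \
        action=add-src-to-address-list address-list=("rdp_stage" . $s) \
        address-list-timeout=$window comment=("rdp_stage" . $s)
}

# stage 1: every new connection from anyone
/ip firewall filter add chain=forward protocol=tcp dst-port=3389 \
    connection-state=new action=add-src-to-address-list \
    address-list=rdp_stage1 address-list-timeout=$window comment=rdp_stage1

/ip firewall raw add chain=prerouting in-interface=ether4-wan \
    src-address-list=rdp_blacklist action=drop comment="rdp brute-force ban"

# sanity check: comments must read rdp_to_blacklist, rdp_stage12 ... rdp_stage1,
# and each stage's src-address-list must name the stage just below it
/ip firewall filter print where comment~"^rdp_"
```

Lowering stages or raising window makes the limiter stricter; raising ban to something like 1d turns it into the "night rule" variant described below, which is why that variant can simply reuse one of the intermediate stage lists.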

Another small trick
This rule is enabled by schedule at 5 in the morning and disabled again at a later morning hour, when real people are certainly asleep and only the automated password pickers are still awake.

/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=1w0d0h0m chain=forward comment="night_rdp_blacklist" \
    connection-state=new disabled=yes dst-port=3389 protocol=tcp \
    src-address-list=rdp_stage8

Already on the 8th connection the attacker's IP goes to the blacklist for a week. Nice! (The rule is added after the stage rules, so on the 8th connection the rdp_stage8 rule fires first and this one then sees the source in rdp_stage8; placed above the stage rules it would fire on the 9th.)
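The article shows the rule but not the schedule that flips it. The two scheduler entries below are an added example, not from the original: they enable and disable the rule by its comment, so they keep working if the rule is moved within the chain. The 05:00 on-time is the one given above; the 08:00 off-time is an assumption, since the original does not state it.

```routeros
# Added example, not from the original article. Toggles the forward-chain
# rule whose comment is night_rdp_blacklist. 05:00 is from the article;
# the 08:00 off-time is assumed. The router's clock must be correct
# (check /system clock print; use NTP) or the window silently shifts.
/system scheduler
add name=night_rdp_on start-time=05:00:00 interval=1d policy=read,write \
    on-event="/ip firewall filter enable [find comment=night_rdp_blacklist]"
add name=night_rdp_off start-time=08:00:00 interval=1d policy=read,write \
    on-event="/ip firewall filter disable [find comment=night_rdp_blacklist]"

# check the rule's current state and when the scheduler last ran
/ip firewall filter print where comment=night_rdp_blacklist
/system scheduler print detail where name~"^night_rdp_"
```

Entries that were blacklisted for a week keep their timeout after the rule is disabled in the morning; disabling the rule only stops new sources from being added.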

Well, in addition to the above, I will add a link to a wiki article with a working set of rules for protecting Mikrotik from network scanning: wiki.mikrotik.com/wiki/Drop_port_scanners

On my devices this setup works together with the honeypot rules described above; they complement each other well.

UPD: As suggested in the comments, the drop rule has been moved to RAW to reduce the load on the router.

Source: www.habr.com
