Hello colleagues! Now that the wave of enthusiasm around "remote work" has subsided a little and most admins have won the battle of giving employees remote access to the corporate network, it is time to share my long-standing experience in improving VPN security. This article will not be about the now-fashionable IPSec IKEv2 and xAuth. It is about building a second authentication factor for VPN users when MikroTik acts as the VPN server, that is, when "classic" protocols such as PPP are used.

Today I will tell you how to protect a MikroTik PPP VPN even if the user's account is "stolen". When this scheme was presented to one of my clients, he summed it up as "well, now it's just like a bank!".
The method uses no external authenticator services. All the work is done internally by the router itself. There is no per-client cost for connecting. The method works for both PC clients and mobile devices.
The general protection scheme is as follows:
- The internal IP address of a user who has successfully connected to the VPN server is placed on a greylist.
- The connection event triggers generation of a one-time code, which is sent to the user through one of the available channels.
- Addresses on this list have no access to local network resources, except for the "authenticator" service, which waits to receive the one-time passcode.
- After presenting the code, the user gains access to the internal network resources.
The first, small problem I had to deal with was where to store information about the user so that the 2FA code could be sent to them. Since it is impossible to create arbitrary data fields for users in MikroTik, the existing "comment" field was used:
/ppp secret add name=Petrov password="4M@ngr!" comment="89876543210"
The second problem turned out to be more serious: choosing the method and channel for delivering the code. Three schemes were implemented: a) SMS via a USB modem; b) e-mail; c) SMS via e-mail, which is available to corporate customers of the "red" cellular operator.
Yes, SMS schemes cost money. But if you think about it, "security is always about money" (c).
Personally, I do not like the e-mail scheme. Not because it requires the mail server to be reachable by the client being authenticated; separating that traffic is not a problem. Rather, if a careless client has saved both the VPN and e-mail passwords in the browser and then loses the laptop, an attacker gains full access to the corporate network from it.
So it was decided: the one-time code is delivered by SMS message.
The third problem was where and how to generate the pseudo-random 2FA code in MikroTik. There is no analogue of the rand() function in the RouterOS scripting language, and I had seen several crutch-style pseudo-random number generator scripts before. I did not want any of them, for various reasons.
In fact, there is a pseudo-random sequence generator in MikroTik! It is hidden from a superficial look in the /certificate scep-server context. The first way to obtain a one-time password is easy and simple: the command /certificate scep-server otp generate. If we perform a simple assignment, we get an array value that can later be used in scripts.
The second way to obtain a one-time password is also easy to use: an external service that generates a pseudo-random sequence of digits of the kind you need. Here is a simplified console example of fetching the data into a variable:
code
:global rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]->"data") 1 6]
:put $rnd1
The request, formatted for the console (escaping of special characters will be required in a script body), places a string of six digits in the $rnd1 variable. The following "put" command simply displays the variable in the MikroTik console.
The fourth problem, which had to be solved promptly, was how and where the connected client delivers its one-time code in the second authentication step.

There must be a service on the MikroTik router that can receive the code and match it to a specific client. If the code presented matches the expected one, the client's address must be entered into some "white" list, addresses from which are allowed to access the internal company network.
Given the poor choice of services, it was decided to receive codes over http using the web proxy built into MikroTik. And since the firewall can work with dynamic lists of IP addresses, it is the firewall that looks for the code, matches it to the client IP and adds it to the "white" list using a Layer7 regexp. The router itself was assigned the conditional DNS name "gw.local", and a static A record was created for it to be issued to PPP clients:
DNS
/ip dns static add name=gw.local address=172.31.1.1
Capturing traffic of unauthenticated clients onto the proxy:
/ip firewall nat add chain=dstnat dst-port=80,443 in-interface=2fa protocol=tcp !src-address-list=2fa_approved action=redirect to-ports=3128
In this case the proxy has two functions:
1. Open tcp connections with clients;
2. If authorization succeeded, redirect the browser to a page or image announcing successful authentication:
Proxy config
/ip proxy
set enabled=yes port=3128
/ip proxy access
add action=deny disabled=no redirect-to=gw.local./mikrotik_logo.png src-address=0.0.0.0/0
I will describe the key configuration items:
- interface-list "2fa": a dynamic list of client interfaces whose traffic needs to be processed within 2FA;
- address-list "2fa_jailed": the "grey" list of tunnel IP addresses of VPN clients;
- address-list "2fa_approved": the "white" list of tunnel IP addresses of VPN clients that have successfully passed two-factor authentication;
- firewall chain "input_2fa": checks tcp packets for the presence of an authorization code and matches the IP address of the code's sender with the expected one. The rules in this chain are added and removed dynamically.
The simplified packet processing flow looks like this:
To send traffic from clients on the "grey" list that have not yet passed the second authentication stage into the Layer7 check, a rule was created in the standard "input" chain:
code
/ip firewall filter add chain=input !src-address-list=2fa_approved action=jump jump-target=input_2fa
Now let's bind all this wealth to the PPP service. MikroTik allows you to use scripts in profiles (ppp-profile) and assign them to the up and down events of a PPP connection. The ppp-profile settings can be applied both to the PPP server as a whole and to individual users. The profile assigned to a user takes priority: within the scope of the parameters it specifies, it overrides the parameters of the profile selected for the server as a whole.
Thanks to this approach, we can create a special two-factor authentication profile and assign it not to all users, but only to those for whom it is considered necessary. This may matter if you use PPP services not only to connect end users but also to build site-to-site connections at the same time.
In the newly created special profile, we use dynamic addition of the connected user's address and interface to the "grey" address and interface lists:
code
/ppp profile add address-list=2fa_jailed change-tcp-mss=no local-address=192.0.2.254 name=2FA interface-list=2fa only-one=yes remote-address=dhcp_pool1 use-compression=no use-encryption=required use-mpls=no use-upnp=no dns-server=172.31.1.1
Using both the "address-list" and "interface-list" lists is necessary to detect and capture traffic from VPN clients that have not yet passed the second factor in the dstnat (prerouting) chain.
With the preparation complete and the additional firewall chains created, we write a script that triggers automatic generation of the 2FA code and of the individual firewall rules.
The PPP-Profile documentation enriches us with information about the variables relevant to PPP client connect/disconnect events: "Execute script on user login-event. These variables are available to the event script: user, local-address, remote-address, caller-id, called-id, interface". Some of these are very useful to us.
Code used in the PPP profile on-up connection event
# Log the received variables for debugging
:log info ($"local-address")
:log info ($"remote-address")
:log info ($"caller-id")
:log info ($"called-id")
:log info ([/interface pptp-server get $interface name])
# Declare our local variables
:local listname "2fa_jailed"
:local viamodem false
:local modemport "usb2"
# Find the automatically created entry in the "2fa_jailed" address list
:local recnum1 [/ip firewall address-list find address=$"remote-address" list=$listname]
# Get a pseudo-random code via random.org
#:local rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]->"data") 0 4]
# ...or get a pseudo-random code via the local generator
:local rnd1 [:pick ([/certificate scep-server otp generate as-value minutes-valid=1]->"password") 0 4]
# Find and update the comment on the address-list entry; store the code there for debugging
/ip firewall address-list set $recnum1 comment=$rnd1
# Get the phone number to send the SMS to
:local vphone [/ppp secret get [find name=$user] comment]
# Prepare the message body. If the client connects to the VPN directly from a phone,
# it is enough to follow the link from the received message
:local msgbody ("Your code: ".$rnd1."\n Or open link http://gw.local/otp/".$rnd1."/")
# Send the SMS via the chosen channel: USB modem or email-to-sms
:if ($viamodem) do={
  /tool sms send phone-number=$vphone message=$msgbody port=$modemport
} else={
  /tool e-mail send server=a.b.c.d from=admin@mydomain.example to=mail2sms@mcommunicator.ru subject=("@".$vphone) body=$msgbody
}
# Generate the Layer7 regexp
:local vregexp ("otp/".$rnd1)
:local vcomment ("2fa_".$"remote-address")
/ip firewall layer7-protocol add name=$vcomment comment=$"remote-address" regexp=$vregexp
# Generate the rule that inspects the client's traffic via Layer7 for the required code,
# with a little protection against code brute-forcing via dst-limit
/ip firewall filter add action=add-src-to-address-list address-list=2fa_approved address-list-timeout=none-dynamic chain=input_2fa dst-port=80,443,3128 layer7-protocol=$vcomment protocol=tcp src-address=$"remote-address" dst-limit=1,1,src-address/1m40s
Especially for those who like mindless copy-paste, I warn you: the code is taken from a test version and may contain minor typos. It will not be difficult for anyone who understands it to figure out where exactly.

When a user disconnects, the "On-Down" event is generated and the corresponding script is called with its parameters. The task of this script is to clean up the firewall rules created for the disconnected user.
Code used in the PPP profile on-down connection event
:local vcomment ("2fa_".$"remote-address")
/ip firewall address-list remove [find address=$"remote-address" list=2fa_approved]
/ip firewall filter remove [find chain="input_2fa" src-address=$"remote-address"]
/ip firewall layer7-protocol remove [find name=$vcomment]
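As an added illustration, not part of the article or of its RouterOS scripts, the following Python model reproduces the router-side logic of the on-up and on-down scripts above: the one-time code kept against the greylisted tunnel address, a per-client Layer7 rule bound to that source address, promotion to 2fa_approved on the first matching packet, a per-source attempt limit standing in for dst-limit, and the cleanup on disconnect. The class and function names, the constructed HTTP request and the limit parameters are my own assumptions; the 2 KB constant reflects the RouterOS Layer7 matcher, which inspects only the first 10 packets or the first 2 KB of a connection, so the code must travel in the client's first request.

```python
import re
import secrets
import time
from typing import Dict, List, Optional, Set

# RouterOS Layer7 only examines the first 10 packets / first 2 KB of a connection
L7_INSPECT_LIMIT = 2048


def generate_code(length: int = 4) -> str:
    """Numeric one-time code; stands in for '/certificate scep-server otp generate'."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


class TwoFactorGate:
    """Constructed model of the 2fa_jailed / 2fa_approved / input_2fa machinery."""

    def __init__(self, limit_per_window: int = 1, window_seconds: float = 100.0):
        self.jailed: Dict[str, str] = {}          # tunnel IP -> code (address-list comment)
        self.approved: Set[str] = set()           # 2fa_approved
        self.rules: Dict[str, re.Pattern] = {}    # tunnel IP -> Layer7 regexp "2fa_<ip>"
        self.attempts: Dict[str, List[float]] = {}  # per-source timestamps (dst-limit stand-in)
        self.limit = limit_per_window             # assumed, not dst-limit's exact semantics
        self.window = window_seconds

    def on_up(self, remote_address: str, code: Optional[str] = None) -> str:
        """PPP on-up: greylist the address, mint a code, add the per-client L7 rule."""
        code = code or generate_code()
        self.jailed[remote_address] = code
        self.rules[remote_address] = re.compile(r"otp/" + re.escape(code))
        return code  # the script would now send this by SMS

    def on_down(self, remote_address: str) -> None:
        """PPP on-down: remove the client's rule and list entries."""
        self.jailed.pop(remote_address, None)
        self.approved.discard(remote_address)
        self.rules.pop(remote_address, None)
        self.attempts.pop(remote_address, None)

    def _within_limit(self, src: str, now: float) -> bool:
        recent = [t for t in self.attempts.get(src, []) if now - t < self.window]
        self.attempts[src] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True

    def inspect(self, src: str, payload: bytes, now: Optional[float] = None) -> bool:
        """Chain input_2fa: is src (now) in 2fa_approved after seeing this packet?"""
        if src in self.approved:
            return True  # approved addresses never jump into input_2fa
        rule = self.rules.get(src)
        if rule is None:
            return False  # no rule bound to this source, e.g. another client's code replayed
        now = time.monotonic() if now is None else now
        if not self._within_limit(src, now):
            return False  # attempt dropped by the rate limit
        text = payload[:L7_INSPECT_LIMIT].decode("latin-1", errors="replace")
        if rule.search(text):
            self.approved.add(src)  # add-src-to-address-list 2fa_approved
            return True
        return False


def http_get(path: str, host: str = "gw.local") -> bytes:
    """Constructed client packet, as produced by the SMS link or the HTML form."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


if __name__ == "__main__":
    gate = TwoFactorGate()
    code = gate.on_up("192.0.2.10")
    print("SMS would carry:", code)
    print("first request approved:", gate.inspect("192.0.2.10", http_get(f"/otp/{code}/")))
```

The model makes two properties of the design visible: a code is only accepted from the tunnel address it was issued to, so a code captured from one client's SMS does nothing from another tunnel; and, with one attempt allowed per window per source, a single typo locks the legitimate user out until the window expires, which is the trade-off the dst-limit rule makes against code guessing.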
You can then create users and assign all or some of them to the two-factor authentication profile.
code
/ppp secret set [find name=Petrov] profile=2FA
What it looks like on the client side.
When the VPN connection is established, an Android/iOS phone/tablet with a SIM card receives an SMS like this:
[Screenshot: SMS]
If the connection is established directly from the phone/tablet, you can pass 2FA simply by tapping the link in the message. Easy.
If the VPN connection is established from a PC, the user is required to enter the code into a minimal form. A small form in the shape of an HTML file is given to the user when the VPN is set up. The file can be sent by mail so that the user saves it and creates a shortcut in a convenient place. It looks like this:
[Screenshot: desktop shortcut]
The user clicks the shortcut, a simple code entry form opens, and the form inserts the code into the URL it opens:
[Screenshot: login form]
The most primitive form is given as an example. Those who wish can improve it.
2fa_login_mini.html
<html>
<head>
<title>SMS OTP login</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
<form name="login" onsubmit="location.href='http://gw.local/otp/'+document.getElementById('text').value; return false;">
<input id="text" type="text"/>
<input type="button" value="Login" onclick="location.href='http://gw.local/otp/'+document.getElementById('text').value"/>
</form>
</body>
</html>
If authorization succeeds, the user sees the MikroTik logo in the browser, which should indicate successful authentication:
Note that the image is returned from the built-in MikroTik web server using the WebProxy Deny Redirect.
I think the image can be customised using the "hotspot" tool: upload your own version there and point the WebProxy Deny Redirect URL at it.
A big request to those who are trying to buy the cheapest "toy" MikroTik for $20 and replace a $500 router with it: don't do it. Devices like "hAP Lite" / "hAP mini" (home access points) have a very weak CPU (smips), and they will most likely not cope with the load in the corporate segment.
Warning! This option has one drawback: when clients connect or disconnect, configuration changes occur, which the router tries to save to its persistent memory. With a large number of clients and frequent connections and disconnections, this can lead to degradation of the router's internal storage.
PS: The methods of delivering the code to the client can be expanded and supplemented as far as your ability to program allows. For example, you can send messages to Telegram, or... suggest your options!
I hope the article will be useful to you and will help make small and medium business networks a little more secure.
Source: www.habr.com