A simple way to protect your Mikrotik from attacks

I want to share with the community a simple and working way to use Mikrotik to protect your network, and the services "peeking out" from behind it, against external attacks. Namely, just three rules for setting up a honeypot on Mikrotik.

So, let's imagine we have a small office with an external IP, behind which sits an RDP server for employees working remotely. The first rule is, of course, to change port 3389 on the external interface to something else. But that does not help for long: after a few days, the terminal server's audit log starts showing several failed authorizations per second from unknown clients.

Another situation: you have an Asterisk hidden behind the Mikrotik, of course not on UDP port 5060, and after a few days the password guessing starts again... yes, yes, I know, fail2ban is our everything, but it still takes work. For example, I recently installed it on Ubuntu 18.04 and was surprised to find that, out of the box, fail2ban has no up-to-date settings for the Asterisk shipped in that same Ubuntu distribution... and a quick search for ready-made "recipes" no longer helps: release numbers have been growing over the years, articles with "recipes" for old versions no longer work, and new ones almost never appear...

So, what is a honeypot, in short: it is a pot of honey, in our case any popular port on the external IP; any request to this port from an external client sends the src address to the blacklist. That's all.

/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" 
    address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" 
    connection-state=new dst-port=22,3389,8291 in-interface=
    ether4-wan protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" 
    address-list-timeout=30d0h0m chain=input comment=
    "block honeypot asterisk" connection-state=new dst-port=5060 
    in-interface=ether4-wan protocol=udp 
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=
    "Honeypot Hacker"

The first rule, on the popular TCP ports 22, 3389 and 8291 of the external interface ether4-wan, sends the "guest" IP to the "Honeypot Hacker" list (the ssh, rdp and winbox ports have been disabled beforehand or moved to others). The second does the same on the popular UDP port 5060.

The third rule, at the prerouting stage, drops packets from "guests" whose src-address is in "Honeypot Hacker".

After two weeks of operation on my home Mikrotik, the "Honeypot Hacker" list contained about one and a half thousand IP addresses of those wanting to "grab by the udder" my network resources (at home there are my own telephony, mail, nextcloud, rdp). The brute-force attacks stopped, happiness arrived.

At work, not everything turned out to be so simple; there they keep breaking into the rdp server by brute-forcing passwords.

Apparently, the port number was determined by a scanner long before the honeypot was turned on, and during quarantine it is not so easy to reconfigure more than a hundred users, twenty percent of whom are over sixty-five. In the case where the port cannot be changed, there is a small working recipe. I saw something similar on the Internet, but with some additions and fine-tuning included:

Port knocking rules

/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist 
    address-list-timeout=15m chain=forward comment=rdp_to_blacklist 
    connection-state=new dst-port=3389 protocol=tcp src-address-list=
    rdp_stage12
add action=add-src-to-address-list address-list=rdp_stage12 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage11
add action=add-src-to-address-list address-list=rdp_stage11 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage10
add action=add-src-to-address-list address-list=rdp_stage10 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage9
add action=add-src-to-address-list address-list=rdp_stage9 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage8
# each stage is reached from the previous one, one step per new connection
add action=add-src-to-address-list address-list=rdp_stage8 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage7
add action=add-src-to-address-list address-list=rdp_stage7 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage6
add action=add-src-to-address-list address-list=rdp_stage6 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage5
add action=add-src-to-address-list address-list=rdp_stage5 
    address-list-timeout=4m chain=forward connection-state=new dst-port=
    3389 protocol=tcp src-address-list=rdp_stage4
add action=add-src-to-address-list address-list=rdp_stage4 
    address-list-timeout=4m chain=forward connection-state=new dst-port=
    3389 protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp 
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=
    rdp_blacklist

In four minutes, a remote client is allowed to make only twelve new "requests" to the RDP server. One login attempt takes from 4 to 12 "requests". On the 13th "request", a 15-minute block. In my case, the attackers did not stop breaking into the server; they adapted to the timings and now do it very slowly, and such a guessing rate reduces the attack's effectiveness to zero. The company's employees experience no inconvenience at work from the measures taken.

Another small trick
This rule is enabled by schedule at 5 a.m. and disabled at XNUMX a.m., when real people are asleep and the brute-forcers are still awake.

/ip firewall filter 
add action=add-src-to-address-list address-list=rdp_blacklist 
    address-list-timeout=1w0d0h0m chain=forward comment=
    "night_rdp_blacklist" connection-state=new disabled=
    yes dst-port=3389 protocol=tcp src-address-list=rdp_stage8

Already on the 8th connection, the attacker's IP is blacklisted for a week. Beautiful!
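The staged counter from the port knocking rules above, and the night rule that blacklists at rdp_stage8, as an added example (my code, not the article's): a small Python simulator that models RouterOS rule evaluation the way the text relies on it, with rules checked top-down, add-src-to-address-list acting as a passthrough whose list change is visible to the rules beneath it, and entries expiring after their timeout. It assumes that re-adding an existing entry refreshes its timeout and that list changes apply within the same pass; the address 198.51.100.7 is a constructed sample.

```python
"""Simulator for the staged rdp_stageN address-list rate limit.
Added example, not the article's code: it models RouterOS behaviour as
the text describes it so the number of new RDP connections a client gets
before landing in rdp_blacklist can be checked without a router."""
from dataclasses import dataclass
from typing import Optional

MIN = 60


@dataclass
class Rule:
    target: str                 # address-list the src gets added to
    src_list: Optional[str]     # required src-address-list (None = any src)
    timeout_s: int              # address-list-timeout of the new entry
    enabled: bool = True


def staged_rules(stages: int = 12, stage_timeout: int = 4 * MIN,
                 blacklist_timeout: int = 15 * MIN) -> list:
    """Same structure as the article's rule set: the blacklist rule first,
    then rdp_stageN (reached from rdp_stageN-1) in descending order."""
    rules = [Rule("rdp_blacklist", f"rdp_stage{stages}", blacklist_timeout)]
    for n in range(stages, 0, -1):
        src = f"rdp_stage{n - 1}" if n > 1 else None
        rules.append(Rule(f"rdp_stage{n}", src, stage_timeout))
    return rules


def night_rule() -> Rule:
    """Mirror of night_rdp_blacklist: a one-week blacklist as soon as the
    client is in rdp_stage8 (modelled as enabled, i.e. inside its schedule)."""
    return Rule("rdp_blacklist", "rdp_stage8", 7 * 24 * 60 * MIN)


class Firewall:
    def __init__(self, rules: list):
        self.rules = rules
        self.lists = {}   # list name -> {ip: expiry time in seconds}

    def in_list(self, name: str, ip: str, now: float) -> bool:
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def new_connection(self, ip: str, now: float) -> str:
        """Process one new TCP connection to dst-port 3389 at time `now`.
        Returns 'dropped' (RAW rule: src already blacklisted), 'blacklisted'
        (this connection put the src in rdp_blacklist) or 'allowed'."""
        if self.in_list("rdp_blacklist", ip, now):
            return "dropped"
        for rule in self.rules:                      # top-down, like RouterOS
            if not rule.enabled:
                continue
            if rule.src_list is None or self.in_list(rule.src_list, ip, now):
                # assumption: re-adding an entry refreshes its timeout
                self.lists.setdefault(rule.target, {})[ip] = now + rule.timeout_s
        return "blacklisted" if self.in_list("rdp_blacklist", ip, now) else "allowed"


def connections_until_block(rules: list, ip: str, interval_s: float,
                            limit: int = 200) -> Optional[int]:
    """1-based index of the first connection that is blacklisted when `ip`
    opens a new connection every `interval_s` seconds; None if it is never
    blocked within `limit` connections."""
    fw = Firewall(rules)
    for i in range(1, limit + 1):
        if fw.new_connection(ip, i * interval_s) != "allowed":
            return i
    return None


if __name__ == "__main__":
    ip = "198.51.100.7"   # constructed sample address (TEST-NET-2 range)
    print("fast brute force, 1 conn/s       ->", connections_until_block(staged_rules(), ip, 1))
    print("slow attacker, 1 conn per 5 min  ->", connections_until_block(staged_rules(), ip, 5 * MIN))
    print("night rule enabled, 1 conn/s     ->", connections_until_block(staged_rules() + [night_rule()], ip, 1))
    print("rules pasted in ascending order  ->", connections_until_block(staged_rules()[::-1], ip, 1))
```

Run as written, it reports the 13th connection blocked at one connection per second, no block at all at one connection per five minutes (the slowed-down attacker the text describes, since every stage entry expires after 4 minutes), a block on the 8th connection once the night rule is appended, and a block on the very first connection if the rules are pasted in ascending order, which is why the list must be kept in descending order. It is also a handy check after editing the chain: if any stage reads from the wrong list, the count changes.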

Well, in addition to the above, I will add a link to a Wiki article with a working set of rules protecting Mikrotik from network scanners: wiki.mikrotik.com/wiki/Drop_port_scanners

On my devices, this setup works together with the honeypot rules described above and complements them nicely.

UPD: As noted in the comments, the packet drop rule has been moved to RAW to reduce the load on the router.

Source: www.habr.com
