Is it dangerous to keep RDP open to the Internet?

For a long time I have been reading the opinion that keeping the RDP (Remote Desktop Protocol) port open to the Internet is insecure and should not be done. Instead, you are supposed to give RDP access either through a VPN, or only from certain "whitelisted" IP addresses.

I administer several Windows Servers for small firms where I was asked to give accountants remote access to a Windows Server. This is today's reality: working from home. I quickly found that tormenting accountants with a VPN is a thankless job, and collecting all of their IPs for a whitelist does not work, because people's IP addresses are dynamic.

So I took the simplest route: forwarding the RDP port to the outside. To get access, accountants now only have to start the RDP client and enter the host name (including the port), the username and the password.

In this article I will share my experience (good and not so good) and my recommendations.

Risks

What do you risk by opening the RDP port?

1) Unauthorised access to sensitive data
If someone guesses the RDP password, they get access to the data you want to keep confidential: the state of the accounts, balances, customer data, ...

2) Data loss
For example, as a result of a ransomware infection.
Or as a deliberate act by the attacker.

3) Loss of the workplace
Employees need to work, but the system is compromised and has to be reinstalled / restored / reconfigured.

4) Compromise of the local network
Once an attacker has gained access to a Windows computer, from that computer they can reach systems that are not exposed to the outside, to the Internet. For example, file shares, network printers, etc.

I had a case where a Windows Server caught ransomware,

and this ransomware first encrypted most of the files on the C: drive and then started encrypting files on the NAS over the network. Since the NAS was a Synology with snapshots configured, I restored the NAS in five minutes and reinstalled the Windows Server from scratch.

Observations and recommendations

I monitor the Windows Servers with Winlogbeat, which ships the event logs to Elasticsearch. Kibana comes with several visualisations, and I have also set up a custom dashboard.
Monitoring by itself does not protect anything, but it helps to see which measures are needed.

Here are some observations:
a) RDP will be brute-forced.
On one of the servers I put RDP not on the standard port 3389 but on 443, well, to disguise it as HTTPS. It is probably worth moving it off the standard port, but that does not help much. Here are the numbers from this server:

[Screenshot: Kibana dashboard with the RDP login-attempt statistics for this server]

It can be seen that in one week there were almost 400 thousand attempts to log in via RDP.
It can be seen that the attempts came from 55 IP addresses (some of those IP addresses had already been blocked by me).

This immediately suggests that you should set up fail2ban, but there is no such utility for Windows.

There are several abandoned projects on GitHub that seem to do this, but I have not even tried to install them:
https://github.com/glasnt/wail2ban
https://github.com/EvanAnderson/ts_block

There are also paid utilities, but I did not consider them.

If you know an open-source utility for this purpose, please share it in the comments.

Update: the comments suggest that port 443 is a bad choice and that it is better to pick a high port (32000+), because 443 is scanned far more often, and recognising RDP on that port is no problem for a scanner.

Update: the comments also suggest that such a utility does exist:
https://github.com/digitalruby/ipban
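As an added example (not from the original article), this is how the move to a high port from the update above is done on the server itself: the RDP-Tcp listener port lives in the registry, the built-in "Remote Desktop" firewall rules only allow 3389, and the listener only rebinds after the service restarts. The port number 33389 and the rule name are assumptions; pick your own values.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.
# Moves the RDP listener from 3389 to a high port, opens it in Windows Firewall
# and verifies the result. Port 33389 is an arbitrary assumption.
$NewPort = 33389
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Point the RDP-Tcp listener at the new port (PortNumber is a REG_DWORD).
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord

# 2. Allow the new port in. The built-in "Remote Desktop" rules are tied to 3389,
#    so a separate rule is needed; a distinct name makes it easy to find later.
New-NetFirewallRule -DisplayName "RDP on $NewPort" -Name "RDP-Custom-$NewPort" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort -Action Allow | Out-Null

# 3. Restart Remote Desktop Services so the listener rebinds.
#    Do this from a console session or another channel: an RDP session will drop here.
Restart-Service -Name TermService -Force

# 4. Verify: the new port must be listening and 3389 must be gone.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 3389, $NewPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 5. Only after a successful test connection on the new port: change the port
#    forward on the router and remove the forward for 3389.
```

Note that the clients must now enter `host:33389` in the RDP client, which the article's accountants already do, and that scanners recognise RDP by its handshake, not by the port, so this reduces noise rather than eliminating it.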

b) There are certain usernames that attackers prefer
It can be seen that the guessing is done with a dictionary of various names.
But here is what I noticed: a significant share of the attempts use the server name as the login. Recommendation: do not use the same name for the computer and for a user. Moreover, sometimes they seem to split the server name up somehow: for example, on a system named DESKTOP-DFTHD7C, the most login attempts were made with the name DFTHD7C:

[Screenshot: Kibana table of login attempts against DESKTOP-DFTHD7C, with the username DFTHD7C at the top]

Accordingly, if you have a computer named DESKTOP-MARIA, they will probably try to log in as the user MARIA.

Another thing I noticed in the logs: on most systems, a large share of the login attempts use the name "Administrator". And not without reason, because in most versions of Windows this user exists. Moreover, it cannot be deleted (it can be disabled or renamed, but not removed). This makes the attacker's job easier: instead of guessing a name and a password, you only need to guess the password.
By the way, the system that caught the ransomware had the user Administrator with the password Murmansk#9. I am still not sure how that system was hacked, because I only started monitoring after the incident, but I think brute force is the likely explanation.
So if the Administrator user cannot be deleted, what should you do? You can rename it!

Recommendations from this section:

  • do not use the computer name (or a part of it) as a username
  • make sure there is no user named Administrator on the system
  • use strong passwords
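The three recommendations above can be checked on a server with a few lines of PowerShell. This is an added example, not code from the original article; it uses the LocalAccounts module (Windows Server 2016+ / PowerShell 5.1) and the new administrator name 'svc-ops-admin' is an assumption. One caveat the article does not mention: renaming only hides the account from blind guessing. The built-in account keeps its well-known SID (RID 500), so anyone who already has an authenticated session can still find it, and account lockout or strong passwords are still what stops guessing.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.
# Checks a server against the three recommendations and renames the built-in
# Administrator. The new name 'svc-ops-admin' is an arbitrary assumption.
$NewAdminName = 'svc-ops-admin'

# 1. The built-in Administrator is identified by its SID, not its name:
#    the RID (last component of the SID) is always 500, whatever it is called.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
"Built-in admin: name='$($builtin.Name)' enabled=$($builtin.Enabled)"

if ($builtin.Name -eq 'Administrator') {
    Rename-LocalUser -Name 'Administrator' -NewName $NewAdminName
    "Renamed Administrator -> $NewAdminName"
}

# 2. Accounts named after the host, or after a fragment of it
#    (DESKTOP-DFTHD7C -> DFTHD7C), are exactly what the brute-forcers try first.
$hostParts = @($env:COMPUTERNAME.Split('-')) + $env:COMPUTERNAME
foreach ($u in Get-LocalUser) {
    if ($hostParts -contains $u.Name) {   # -contains is case-insensitive
        "WARNING: account '$($u.Name)' matches the computer name '$env:COMPUTERNAME'"
    }
}

# 3. Strong passwords alone do not help much against 400k attempts a week;
#    show the local lockout and length policy to see whether guessing is throttled.
net accounts | Select-String 'Lockout', 'Minimum password length'

# 4. Show who can actually log on over RDP with administrator rights.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource
```

The `net accounts` line prints "Lockout threshold: Never" on a default installation, which is the setting that turns an open RDP port into an unlimited password oracle; a threshold of a few attempts with a short lockout window is the cheapest throttle available on a standalone server.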

So, I have been watching several Windows Servers under my control being brute-forced for several years now, without success.

How do I know it has been unsuccessful?
Because in the screenshots above you can see that the logs of successful RDP logons are there too, with the following information:

  • from which IP
  • from which computer (host name)
  • username
  • GeoIP information

And I look there periodically: no anomalies have been found.

By the way, if a particular IP is brute-forcing especially hard, you can block individual IPs (or subnets) like this in PowerShell:

New-NetFirewallRule -Direction Inbound -DisplayName "fail2ban" -Name "fail2ban" -RemoteAddress ("185.143.0.0/16", "185.153.0.0/16", "193.188.0.0/16") -Action Block
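The manual rule above can be driven automatically from the Security log, which gives the fail2ban-style behaviour the article was looking for. The following is an added example, not code from the original article or from any of the linked projects: it reads failed logon events (event ID 4625) from the last few minutes, counts them per source IP and appends offenders to the block rule's remote-address list. The rule name, threshold, window and the management address in the allowlist are assumptions. It is meant to run from a scheduled task every few minutes in an elevated session.

```powershell
# Added example, not from the original article. Run elevated, periodically.
# Minimal fail2ban for RDP: failed logons (4625) per source IP in the last $Window
# minutes; IPs at or above $Threshold are added to the block rule. All values
# below are arbitrary assumptions.
$RuleName  = 'fail2ban'                 # same rule as the manual command above
$Threshold = 20                         # failed logons per IP within the window
$Window    = 10                         # minutes
$Never     = @('203.0.113.10')          # your own management IPs (assumed value)

# Create the rule disabled if missing: a Block rule with RemoteAddress=Any would
# cut off everything, so it is only enabled once it has addresses.
if (-not (Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name $RuleName -DisplayName $RuleName -Direction Inbound `
        -Action Block -Enabled False | Out-Null
}

# Collect failed logons. Each 4625 event carries the source IP and the attempted
# user name in its EventData. With NLA enabled these are network logons; without
# NLA the IpAddress field may be '-' and the attempt cannot be attributed.
$since  = (Get-Date).AddMinutes(-$Window)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue

$byIp = @{}
foreach ($e in $events) {
    $x    = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $ip = $data['IpAddress']
    if ($ip -and $ip -ne '-' -and $ip -ne '127.0.0.1' -and $ip -ne '::1' -and $ip -notin $Never) {
        $byIp[$ip] = 1 + [int]$byIp[$ip]
    }
}

# Merge this run's offenders with the addresses already in the rule.
$rule    = Get-NetFirewallRule -Name $RuleName
$current = @((Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule).RemoteAddress |
             Where-Object { $_ -and $_ -ne 'Any' })
$new     = @($byIp.GetEnumerator() | Where-Object { $_.Value -ge $Threshold } |
             ForEach-Object { $_.Key } | Where-Object { $_ -notin $current })
$all     = @($current + $new | Sort-Object -Unique)

if ($all.Count -gt 0) {
    Set-NetFirewallRule -Name $RuleName -RemoteAddress $all -Enabled True
    "Blocking $($all.Count) address(es); added this run: $($new -join ', ')"
}
```

Two things to keep in mind: the block only covers addresses that already produced events in the local Security log, so a scanner rotating through a /16 (as in the three subnets in the command above) is still best blocked by hand as a subnet; and a long RemoteAddress list is only held in the rule, so export it (`Get-NetFirewallAddressFilter`) before reinstalling the server.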

By the way, Elastic has, in addition to Winlogbeat, also Auditbeat, which can monitor files and processes on the system. There is also a SIEM (Security Information & Event Management) application in Kibana. I tried both, but did not see much benefit: it seems Auditbeat is more useful on Linux systems, and the SIEM has not shown me anything meaningful yet.

Well, the final tips:

  • set up automatic, regular backups
  • install security updates in a timely manner

Bonus: the 50 usernames most often used in RDP login attempts

Kibana aggregation, sorted by count. Entries marked † reached this copy machine-translated into Shona; the Shona token is kept in brackets with its literal meaning, because the original username cannot be recovered from it.

user.name (descending)                          Count
dfthd7c (host name)                             842941
winsrv1 (host name)                             266525
[MUDZIMAI]† (lit. "wife")                       180678
[mutariri]† (lit. "supervisor")                 163842
[mutariri]† (lit. "supervisor")                  53541
Michael† [Mikaeri]                               23101
Server                                           21983
steve                                            21936
John                                             21927
paul                                             21913
[mutambo]† (lit. "game")                         21909
Mike                                             21899
office† [hofisi]                                 21888
scanner                                          21887
[Shandisa scan]† (lit. "use scan")               21867
David                                            21865
Chris                                            21860
owner† [muridzi]                                 21855
manager† [meneja]                                21852
[mutariri]† (lit. "supervisor")                  21841
Brian                                            21839
administrator                                    21837
mark† [maka]                                     21824
rod† [tsvimbo] (lit. "stick")                    21806
ADMIN                                            12748
ROOT                                              7772
[MUTUNGAMIRI]† (lit. "leader")                    7325
SUPPORT† [MUTSIGIRI] (lit. "supporter")           5577
MEDIUM                                            5418
user† [mushandisi]                                4558
arun                                              2832
[KUYARA]†                                         1928
mysql                                             1664
Admin                                             1652
GUEST                                             1322
USER1                                             1179
Scanner                                           1121
SCAN                                              1032
[MUTUNGAMIRI]† (lit. "leader")                     842
ADMIN1                                             525
[KUSVIRA]†                                         518
MySqlAdmin                                         518
[KUTENDA]† (lit. "to believe")                     490
USER2                                              466
Temp                                               452
SQLADMIN                                           450
USER3                                              441
1                                                  422
MANAGER                                            418
[MURIDZI WEMBA]† (lit. "house owner")              410

Source: www.habr.com
