I keep reading that leaving an RDP (Remote Desktop Protocol) port open to the Internet is insecure and should never be done: you should provide RDP access either through a VPN, or only from certain "white-listed" IP addresses.
I administer several Windows Servers for small firms, where I was given the task of providing accountants with remote access to the Windows Server. This is the trend of our time: working from home. Fairly quickly I realized that tormenting accountants with a VPN is a thankless job, and collecting all of their IPs into a whitelist does not work either, because people's IP addresses are dynamic.
So I took the simplest path and forwarded the RDP port to the outside. To get access, the accountants now just run the RDP client and enter the host name (including the port), the user name and the password.
In this article I will share my experience (good and not so good) and my recommendations.
Risks
What do you risk by opening the RDP port?
1) Unauthorized access to sensitive data
If someone guesses the RDP password, they will be able to get at data you would rather keep confidential: the state of the accounts, balances, customer data, ...
2) Data loss
For example, as a result of a ransomware infection.
Or through deliberate action by an attacker.
3) Loss of the workplace
Employees need to work, but the system is compromised and has to be restored / reinstalled / reconfigured.
4) Compromise of the local network
If an attacker gains access to a Windows computer, then from that computer they can reach systems that are not accessible from outside, from the Internet: file shares, network printers, and so on.
I had a case where a Windows Server caught ransomware, and that ransomware first encrypted most of the files on the C: drive and then started encrypting files on the NAS over the network. Since the NAS was a Synology with snapshots configured, I restored the NAS in five minutes, and I reinstalled the Windows Server from scratch.
Observations and recommendations
I monitor the Windows Servers using
Monitoring by itself does not protect you, but it helps you see which measures are needed.
Here are some observations:
a) RDP will be brute-forced.
On one of the servers I put RDP not on the standard port 3389 but on 443, the idea being to disguise it as HTTPS. It is probably worth moving off the standard port, but it does not buy you much. Here are the statistics from that server:
You can see that in one week there were almost 400 thousand attempts to log in over RDP.
You can also see that the login attempts came from 55 IP addresses (some IP addresses had already been blocked by me).
This points straight to the conclusion that you should set up fail2ban, but there is no such utility for Windows.
There are several abandoned projects on GitHub that seem to do this, but I have not even tried to install them:
There are also paid utilities, but I have not considered them.
If you know of an open-source utility for this purpose, please share it in the comments.
Update: the comments point out that port 443 is a poor choice and that it is better to pick a high port (32000+), because 443 is scanned far more often, and recognizing RDP on that port is not a problem.
Update: the comments suggest that such a utility does exist:
b) There are certain usernames that attackers prefer
You can see that the attackers work through a dictionary of various names.
But here is what I noticed: a significant number of attempts use the server name as the login. Recommendation: do not use the same name for the computer and the user. Moreover, sometimes it looks as if they are parsing the server name in some way: for example, on a system named DESKTOP-DFTHD7C, the largest number of login attempts used the name DFTHD7C:
Accordingly, if you have a computer named DESKTOP-MARIA, you will probably see attempts to log in as the user MARIA.
Another thing I noticed from the logs: on most systems, most of the login attempts use the name "administrator". And this is not without reason, because in many versions of Windows this user exists. Moreover, it cannot be deleted. This simplifies the attacker's task: instead of guessing a name and a password, you only need to guess the password.
By the way, the system that caught ransomware had the user Administrator with the password Murmansk#9. I am still not sure how that system was hacked, because I started monitoring right after that incident, but I think brute force is the likely explanation.
So if the Administrator user cannot be deleted, what should you do? You can rename it!
Recommendations from this section:
- do not use the computer name as a username
- make sure there is no user called Administrator on the system
- use strong passwords
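The three recommendations above are easy to check mechanically. The script below is an added example (not code from the original article): it audits a host for a username that equals the computer name or the part after the hyphen, for a built-in Administrator account that still carries its default name, and for a weak minimum password length. It assumes Windows Server 2016 / Windows 10 or later (for the Get-LocalUser and Rename-LocalUser cmdlets), an elevated PowerShell session, and the placeholder new name svc-localadmin.

```powershell
# Added example (not from the original article): audit a Windows host against the
# three recommendations above. Run in an elevated PowerShell on the server.
# Assumptions: the Microsoft.PowerShell.LocalAccounts module is available
# (Windows Server 2016+ / Windows 10+); 'svc-localadmin' is a placeholder name.

param(
    [switch]$RenameBuiltinAdmin,                 # read-only unless this is given
    [string]$NewAdminName = 'svc-localadmin'     # placeholder, pick your own
)

$findings = @()
$computer = $env:COMPUTERNAME
# Attackers try both the full name and the part after the hyphen
# (DESKTOP-DFTHD7C -> DFTHD7C), so check every hyphen-separated piece.
$nameParts = @($computer) + @($computer -split '-' | Where-Object { $_ })

$users = Get-LocalUser

# 1) The built-in Administrator is the account whose SID ends in -500. It cannot
#    be deleted, but it can be renamed (and disabled if nobody needs it).
$builtinAdmin = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtinAdmin -and $builtinAdmin.Name -eq 'Administrator') {
    $findings += "Built-in Administrator still uses the default name"
    if ($RenameBuiltinAdmin) {
        Rename-LocalUser -Name $builtinAdmin.Name -NewName $NewAdminName
        $findings += "Renamed built-in Administrator to '$NewAdminName'"
    }
}
if ($builtinAdmin -and $builtinAdmin.Enabled -eq $false) {
    $findings += "Note: built-in Administrator is disabled (good if unused)"
}

# 2) No account may be named after the computer (-contains is case-insensitive).
foreach ($u in $users) {
    if ($nameParts -contains $u.Name) {
        $findings += "User '$($u.Name)' matches the computer name '$computer'"
    }
}

# 3) The script cannot read passwords, but it can read the minimum length the
#    server enforces; 'net accounts' prints a "Minimum password length" line.
$minLenLine = (net accounts | Select-String 'Minimum password length')
$minLen = [int](($minLenLine.ToString()) -replace '\D', '')
if ($minLen -lt 14) {
    $findings += "Minimum password length is $minLen; raise it with: net accounts /minpwlen:14"
}

if ($findings.Count -eq 0) { Write-Host "No findings on $computer" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it without switches first to see the report; add -RenameBuiltinAdmin once you have confirmed that nothing (scheduled tasks, services, documentation handed to the accountants) depends on the literal name Administrator.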
So, I have been watching several Windows Servers under my control being brute-forced for about a couple of years now, without success.
How do I know it has been unsuccessful?
Because in the screenshots above you can see that there are logs of successful RDP logons, with this information:
- from which IP
- from which computer (hostname)
- username
- GeoIP information
And I look there periodically: no anomalies found.
By the way, if a particular IP is brute-forcing especially hard, you can block individual IPs (or subnets) like this in PowerShell:
New-NetFirewallRule -Direction Inbound -DisplayName "fail2ban" -Name "fail2ban" -RemoteAddress ("185.143.0.0/16", "185.153.0.0/16", "193.188.0.0/16") -Action Block
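The two things the article does by hand, reviewing successful RDP logons and blocking the worst offenders, can be scripted from the Security log. The following is an added example, not code from the original article: it lists successful RemoteInteractive logons (event 4624, logon type 10) with source IP, workstation name and username, then counts failed logons (event 4625) per source IP and merges every IP over a threshold into the same "fail2ban" firewall rule the article creates above. It assumes an elevated session, that logon auditing for success and failure is enabled, and placeholder values for the threshold, window and exemption list; GeoIP lookup is not included because it needs an external database.

```powershell
# Added example (not from the original article): review RDP logons and block
# brute-forcing source IPs. Assumptions: elevated PowerShell on the server,
# Security auditing of logon success/failure enabled, rule name 'fail2ban' as
# in the article's own command; threshold, window and exemptions are placeholders.

param(
    [int]$FailThreshold = 20,          # failed logons per source IP before blocking
    [int]$WindowMinutes = 60,
    [string[]]$Exempt   = @(),         # e.g. the accountants' known addresses
    [string]$RuleName   = 'fail2ban'
)

# Pull one named field out of the event's EventData XML.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddMinutes(-$WindowMinutes)

# --- 1) Successful RDP logons: 4624 with LogonType 10 (RemoteInteractive) -----
$ok = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'LogonType') -eq '10' } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = Get-EventField $_ 'TargetUserName'
            SourceIp    = Get-EventField $_ 'IpAddress'
            Workstation = Get-EventField $_ 'WorkstationName'
        }
    }
"Successful RDP logons in the last $WindowMinutes minutes:"
$ok | Format-Table -AutoSize

# --- 2) Failed logons (4625) grouped by source IP ----------------------------
# Caveat: with Network Level Authentication the failure is often recorded
# before a session exists and IpAddress is '-'; those entries are skipped.
$offenders = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventField $_ 'IpAddress' } |
    Where-Object { $_ -and $_ -ne '-' -and $_ -ne '::1' -and $_ -ne '127.0.0.1' -and $Exempt -notcontains $_ } |
    Group-Object |
    Where-Object { $_.Count -ge $FailThreshold }

if (-not $offenders) { "No source IP exceeded $FailThreshold failures."; return }

# --- 3) Merge the offending IPs into one inbound block rule -------------------
$rule    = Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue
$current = @()
if ($rule) { $current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) }
$new = @($offenders.Name | Where-Object { $current -notcontains $_ })
if ($new.Count -eq 0) { "Nothing new to block."; return }

$merged = @($current + $new) | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique
if ($rule) {
    Set-NetFirewallRule -Name $RuleName -RemoteAddress $merged
} else {
    New-NetFirewallRule -Direction Inbound -DisplayName $RuleName -Name $RuleName `
        -RemoteAddress $merged -Action Block | Out-Null
}
"Blocked: $($new -join ', ')"
```

Schedule it every few minutes with Task Scheduler and keep the accountants' addresses in -Exempt, otherwise a colleague who mistypes a password twenty times locks their own office out. Reviewing the first table is the part that actually tells you whether anyone succeeded; the block rule only reduces noise.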
By the way, Elastic, in addition to Winlogbeat, also has
Well, the final tips:
- Make regular automatic backups.
- Install security updates in a timely manner.
Bonus: the 50 usernames most often used in RDP login attempts
user.name: Descending        Count
dfthd7c (hostname)           842941
winsrv1 (hostname)           266525
MUDZIMAI                     180678
mutariri                     163842
mutariri                      53541
Mikaeri                       23101
Server                        21983
steve                         21936
John                          21927
paul                          21913
mutambo                       21909
Mike                          21899
hofisi                        21888
scanner                       21887
Shandisa scan                 21867
David                         21865
Chris                         21860
muridzi                       21855
meneja                        21852
mutariri                      21841
Brian                         21839
administrator                 21837
maka                          21824
tsvimbo                       21806
ADMIN                         12748
ROOT                           7772
MUTUNGAMIRI                    7325
MUTSIGIRI                      5577
MEDIUM                         5418
mushandisi                     4558
arun                           2832
KUYARA                         1928
mysql                          1664
Admin                          1652
GUEST                          1322
USER1                          1179
Scanner                        1121
SCAN                           1032
MUTUNGAMIRI                     842
ADMIN1                          525
KUSVIRA                         518
MySqlAdmin                      518
KUTENDA                         490
USER2                           466
Temp                            452
SQLADMIN                        450
USER3                           441
1                               422
MANAGER                         418
MURIDZI WEMBA                   410
Source: www.habr.com