Hello friends! Now that the excitement around "remote work" has died down a little and most administrators have won the battle to give employees remote access to the corporate network, it is time to share my long experience of hardening VPN security. This article is not about the fashionable IPSec, IKEv2 and xAuth. It is about building a system.
Today I will tell you how to protect a MikroTik PPP VPN even if a user account is "hijacked". When I presented this scheme to one of my clients, he summed it up in a few words: "well, now it's like a bank!"
The method uses no external authentication services. All the work is done inside the router itself. It costs nothing on the connecting client's side. The method works for both PC clients and mobile devices.
The general protection scheme is as follows:
- The internal IP address of a user who has successfully connected to the VPN server is automatically placed in an address list.
- The connection event automatically generates a one-time code, which is sent to the user over one of the available channels.
- Addresses on this list are denied access to local network resources, except for the "authenticator" service, which waits to receive the one-time code.
- Once the code has been presented, the user gains access to the internal network resources.
First. The smallest problem I ran into was storing the user's contact details so that the 2FA code could be sent. Since it is impossible to add custom data fields to MikroTik user entries, the existing "comment" field was used:
/ppp secret add name=Petrov password="4M@ngr!" comment="89876543210"
Second. This problem turned out to be much more serious: choosing the channel and the method of delivering the code. Three schemes are currently implemented: a) SMS via a USB modem; b) e-mail; c) SMS via e-mail, which is available to corporate customers of the "red" mobile operator.
Yes, the SMS schemes cost money. But, if you think about it, "security always costs money" (c).
Personally, I do not like the e-mail scheme. Not because it requires the mail server to be reachable by the client being authenticated; splitting the traffic is not a problem. But if a client carelessly saves both the VPN and the e-mail passwords in the browser and then loses the laptop, an attacker gets full access to the corporate network.
So, it is decided: we deliver the one-time code by SMS.
Third. The problem was where and how to generate a pseudo-random 2FA code inside MikroTik. The RouterOS scripting language has no equivalent of a random() function, and I had already seen several home-made pseudo-random number generators. I did not like any of them, for various reasons.
In fact, MikroTik does have a pseudo-random sequence generator! It is hidden from a casual glance in the /certificate scep-server context. The first way to obtain a one-time password is simple and straightforward: the command /certificate scep-server otp generate. If we perform a simple variable assignment, we get an array value that can later be used in scripts.
The second way to get a one-time password, which is just as easy to request, is to use an external service:
Code
:global rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]->"data") 1 6]
:put $rnd1
The request, formatted here for the console (in a script body the special characters will need escaping), puts a string of six digits into the variable $rnd1. The following ":put" command simply displays the variable in the MikroTik console.
The fourth problem, which had to be solved quickly, was how and where the connected client would submit the one-time code at the second stage of authentication.
There must be a service on the MikroTik router that can accept the code and match it to a specific client. If the submitted code matches the expected one, the client's address must be added to a special "white" list of addresses that are allowed to access the company's internal network.
Given the poor choice of services, it was decided to accept the code over HTTP using the web proxy built into MikroTik. Since the firewall can work with dynamic IP address lists, it is the firewall that searches for the code using a Layer7 regexp, matches it to the client's IP and adds it to the "white" list. The router itself is given the conditional DNS name "gw.local", and a static A record is created for it that is handed out to PPP clients:
DNS
/ip dns static add name=gw.local address=172.31.1.1
Capturing the traffic of unauthenticated clients onto the proxy (the "2fa" interface list is used here, matching the list defined in the profile below):
/ip firewall nat add chain=dstnat dst-port=80,443 in-interface-list=2fa protocol=tcp !src-address-list=2fa_approved action=redirect to-ports=3128
In this scheme the proxy has two functions:
1. Open a TCP connection with the client;
2. In case of successful authorisation, redirect the client to a page or image notifying it of successful authentication:
Proxy configuration
/ip proxy
set enabled=yes port=3128
/ip proxy access
add action=deny disabled=no redirect-to=gw.local/mikrotik_logo.png src-address=0.0.0.0/0
I will list the key elements of the configuration:
- interface list "2fa": a dynamic list of client interfaces whose traffic requires 2FA handling;
- address list "2fa_jailed": the "grey" list of tunnel IP addresses of VPN clients;
- address list "2fa_approved": the "white" list of tunnel IP addresses of VPN clients that have successfully passed two-factor authentication;
- firewall chain "input_2fa": checks TCP packets for the presence of the authorisation code and matches the IP address of the sender with the one the code was issued to. The rules in this chain are added and removed dynamically.
The simplified packet-processing flowchart looks like this:
To send the clients from the "grey" list that have not yet passed the second authentication stage to the Layer7 check, a rule is created in the standard "input" chain:
Code
/ip firewall filter add chain=input !src-address-list=2fa_approved action=jump jump-target=input_2fa
Now let's tie all this wealth to the PPP service. MikroTik lets you use scripts in profiles (ppp-profile) and attach them to the events of PPP connection establishment and teardown. PPP profile settings can be applied both to the PPP server as a whole and to individual users. The profile assigned to a user takes priority, overriding the parameters of the profile selected for the server as a whole, within the scope of the settings it redefines.
As a result of this approach, we can create a special profile for two-factor authentication and assign it not to all users, but only to those we consider necessary. This may be relevant if you use PPP services not only to connect end users but also to build site-to-site links.
In the newly created special profile we use dynamic addition of the connected user's address and interface to the "grey" address and interface lists:
Code
/ppp profile add address-list=2fa_jailed change-tcp-mss=no local-address=192.0.2.254 name=2FA interface-list=2fa only-one=yes remote-address=dhcp_pool1 use-compression=no use-encryption=required use-mpls=no use-upnp=no dns-server=172.31.1.1
It is necessary to use both "address-list" and "interface-list" in order to detect and capture the traffic of VPN clients that have not passed 2FA in the dstnat (prerouting) chain.
With the preparation complete, the additional firewall chains and the profile created, we will write the script responsible for generating the 2FA code and the individual firewall rules.
Code for the profile's On-Up event (PPP connection establishment)
# Log the received variables for debugging
:log info ($"local-address")
:log info ($"remote-address")
:log info ($"caller-id")
:log info ($"called-id")
:log info ([/interface pptp-server get ($"interface") name])
# Declare our local variables
:local listname "2fa_jailed"
:local viamodem false
:local modemport "usb2"
# Find the automatically created entry in the address list "2fa_jailed"
:local recnum1 [/ip firewall address-list find address=($"remote-address") list=$listname]
# Get a pseudo-random code via random.org (disabled here)
#:local rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]->"data") 0 4]
# or get a pseudo-random code from the local generator
:local rnd1 [:pick ([/certificate scep-server otp generate as-value minutes-valid=1]->"password") 0 4]
# Find and update the comment on the address-list entry; the code is stored there for debugging
/ip firewall address-list set $recnum1 comment=$rnd1
# Get the phone number to send the SMS to
:local vphone [/ppp secret get [find name=$user] comment]
# Prepare the message body. If the client connects to the VPN directly from the phone,
# it is enough to follow the link from the received message
:local msgbody ("Your code: ".$rnd1."\n Or open link http://gw.local/otp/".$rnd1."/")
# Send the SMS via the chosen channel: USB modem or email-to-sms
# (the sender and recipient addresses of the e-mail variant are redacted in the original)
:if ($viamodem) do={
/tool sms send phone-number=$vphone message=$msgbody port=$modemport
} else={
/tool e-mail send server=a.b.c.d [email protected] [email protected] subject=("@".$vphone) body=$msgbody
}
# Generate the Layer7 regexp
:local vregexp ("otp/".$rnd1)
:local vcomment ("2fa_".($"remote-address"))
/ip firewall layer7-protocol add name=$vcomment comment=($"remote-address") regexp=$vregexp
# Generate a rule that checks the client's traffic via Layer7 for the required code,
# with a little protection against brute-forcing codes using dst-limit
/ip firewall filter add action=add-src-to-address-list address-list=2fa_approved address-list-timeout=none-dynamic chain=input_2fa dst-port=80,443,3128 layer7-protocol=$vcomment protocol=tcp src-address=($"remote-address") dst-limit=1,1,src-address/1m40s
Especially for lovers of mindless copy-paste, I warn you: the code was taken from a test version and may contain small typos. Anyone who understands it will have no trouble working out exactly where. When the user disconnects, an "On-Down" event is generated and the corresponding script is called with its parameters. The purpose of this script is to clean up the firewall rules created for the disconnected user.
Code for the profile's On-Down event (PPP disconnection)
:local vcomment ("2fa_".($"remote-address"))
/ip firewall address-list remove [find address=($"remote-address") list=2fa_approved]
/ip firewall filter remove [find chain="input_2fa" src-address=($"remote-address")]
/ip firewall layer7-protocol remove [find name=$vcomment]
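To make the whole flow traceable from end to end, here is a small Python model of the mechanism, added for this write-up; it is not the author's RouterOS code and nothing in it runs on a router. It mirrors the On-Up script (jail the tunnel address, generate a digit code, send it, install the per-client "otp/<code>" regexp), the input_2fa rule with its dst-limit, and the On-Down cleanup. The names Gate, on_up, handle_request and on_down, the captured outbox that stands in for an SMS, the tunnel addresses, and the constants CODE_LEN, CODE_TTL and ATTEMPT_INTERVAL are this model's own assumptions; the code is drawn with Python's secrets module rather than the SCEP OTP generator.

```python
"""Python model of the article's MikroTik 2FA gate (illustration added here, not RouterOS code)."""
import re
import secrets
from dataclasses import dataclass, field

# Model assumptions (constructed for this example, not taken from the router config):
CODE_LEN = 4              # the On-Up script :pick's 4 characters of the generated OTP
CODE_TTL = 60.0           # seconds a pending code stays valid (the page sets minutes-valid=1 on the OTP)
ATTEMPT_INTERVAL = 1.0    # seconds between counted attempts per source (dst-limit=1,1,src-address/...)


def build_regexp(code: str) -> "re.Pattern[str]":
    """Same pattern the On-Up script hands to the Layer7 matcher: "otp/<code>"."""
    return re.compile("otp/" + re.escape(code))


@dataclass
class Gate:
    jailed: dict = field(default_factory=dict)        # remote-address -> (code, issued_at)  ~ 2fa_jailed + comment
    approved: set = field(default_factory=set)        # addresses that passed 2FA             ~ 2fa_approved
    l7_rules: dict = field(default_factory=dict)      # "2fa_<addr>" -> compiled regexp      ~ layer7-protocol entries
    last_attempt: dict = field(default_factory=dict)  # src-address -> time of last counted attempt
    outbox: list = field(default_factory=list)        # (phone, body) captured instead of sending an SMS

    def on_up(self, user: str, phone: str, remote_address: str, now: float) -> str:
        """PPP On-Up: jail the tunnel address, issue a code, 'send' it, install the per-client rule."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LEN))
        self.jailed[remote_address] = (code, now)
        self.l7_rules[f"2fa_{remote_address}"] = build_regexp(code)
        body = f"Your code: {code}\nOr open link http://gw.local/otp/{code}/"
        self.outbox.append((phone, body))
        return code

    def on_down(self, remote_address: str) -> None:
        """PPP On-Down: remove everything created for this client."""
        self.jailed.pop(remote_address, None)
        self.approved.discard(remote_address)
        self.l7_rules.pop(f"2fa_{remote_address}", None)
        self.last_attempt.pop(remote_address, None)

    def handle_request(self, src_address: str, request_line: str, now: float) -> str:
        """Fate of one HTTP request line arriving at the router from a tunnel address."""
        if src_address in self.approved:
            return "approved"                 # white list: passes straight through
        if src_address not in self.jailed:
            return "unknown"                  # not a 2FA client at all
        if not re.match(r"^(GET|POST) /otp/", request_line):
            return "jailed"                   # ordinary traffic stays captured by the proxy
        last = self.last_attempt.get(src_address)
        if last is not None and now - last < ATTEMPT_INTERVAL:
            return "rate-limited"             # counted for every attempt, right or wrong
        self.last_attempt[src_address] = now
        code, issued_at = self.jailed[src_address]
        if now - issued_at > CODE_TTL:
            return "expired"
        if not self.l7_rules[f"2fa_{src_address}"].search(request_line):
            return "wrong-code"
        self.approved.add(src_address)        # add-src-to-address-list=2fa_approved
        return "approved"


if __name__ == "__main__":
    # Constructed walk-through: user "Petrov" from the page, a made-up tunnel address
    gate = Gate()
    code = gate.on_up("Petrov", "89876543210", "10.8.0.5", now=0.0)
    print(gate.outbox[-1][1])
    for t, line in ((1.0, "GET /intranet/ HTTP/1.1"),
                    (2.0, "GET /otp/0000/ HTTP/1.1"),
                    (2.5, f"GET /otp/{code}/ HTTP/1.1"),
                    (4.0, f"GET /otp/{code}/ HTTP/1.1")):
        print(f"{t:5.1f}s  {line:32s} -> {gate.handle_request('10.8.0.5', line, t)}")
```

The attempt limit in this model is applied to every request on the /otp/ path, correct or not, because that is the property a brute-force limit needs. With a 4-digit code, one counted attempt per second and a 60-second validity window, a guesser gets at most about 60 tries per issued code, which bounds the success chance per session at roughly 0.6%; the code length and the window are the two knobs. The page's scripts keep the code in the address-list comment and the Layer7 rule until On-Down fires, so the CODE_TTL check is an addition of this model rather than a translation of the router config.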
You can then create users and assign the two-factor authentication profile to all or some of them.
Code
/ppp secret set [find name=Petrov] profile=2FA
What it looks like on the client side.
When the VPN connection is established, an Android/iOS phone or tablet with a SIM card receives an SMS like this:
SMS
If the connection is made directly from the phone or tablet, you can simply pass 2FA by tapping the link in the message. Convenient.
If the VPN connection is made from a computer, the user will need to enter the code into a minimal form. A small HTML form is given to the user when the VPN is set up. The file can even be sent by e-mail so that the user saves it and creates a shortcut in a convenient place. It looks like this:
Desktop shortcut
The user clicks the shortcut, a simple code-entry form opens, and it pastes the code into the URL to be opened:
Form screenshot
The most primitive form is given as an example. Anyone who wants to can modify it for themselves.
2fa_login_mini.html
<html>
<head>
<title>SMS OTP login</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
<form name="login" onsubmit="location.href='http://gw.local/otp/'+document.getElementById('text').value; return false;">
<input id="text" type="text"/>
<input type="button" value="Login" onclick="location.href='http://gw.local/otp/'+document.getElementById('text').value"/>
</form>
</body>
</html>
If authorisation succeeds, the user sees the MikroTik logo in the browser, which signals successful authentication:
Note that the image is returned by the web server built into MikroTik via the WebProxy Deny Redirect.
I suppose the image could be customised using the "hotspot" tool, uploading your own version there and pointing the WebProxy Deny Redirect URL at it.
A big request to those who would try to buy the cheapest $20 MikroTik "toy" and replace a $500 router with it: don't. Devices like "hAP Lite" / "hAP mini" (home access points) have a very weak CPU (smips) and will most likely not cope with the load in the corporate segment.
Attention! This solution has one drawback: whenever clients connect or disconnect, the configuration changes, and the router tries to save it to non-volatile memory. With a large number of clients and constant connections and disconnections, this can lead to wear of the router's internal storage.
PS: The methods of delivering the code to the client can be extended and expanded as far as your programming abilities allow. For example, you can send messages to Telegram, or... suggest your options!
I hope the article is useful and helps you make the networks of small and medium businesses a little more secure.
Source: www.habr.com