A simple way to protect your Mikrotik from attacks

I want to share with the community a simple, working way to use a Mikrotik to protect your network and the services "exposed" behind it from outside attacks. Namely, just three rules that set up a honeypot on the Mikrotik.

So, let's say we have a small office with an external IP, behind which there is an RDP server that employees use to work remotely. The first step is, of course, to move port 3389 on the external interface to some other port. But this won't hold for long: a couple of days later, the terminal server's audit log starts showing several failed logons per second from unknown clients.

Another situation: you have an Asterisk hidden behind the Mikrotik, naturally not on port 5060/udp, and a couple of days later the password guessing begins there as well... yes, yes, I know, fail2ban is the answer to everything, but you still have to make it work... for example, I recently installed ubuntu 18.04 and was surprised to find that, out of the box, fail2ban does not contain current settings for the asterisk shipped in the very same ubuntu distribution... and quick googling for "ready-made recipes" no longer helps: release numbers keep growing over the years, the articles with "recipes" for older versions don't work, and new ones never appear...

So, what is a honeypot, in short: it is the "honey", in our case any popular port on the external IP; any request to that port from an external client sends the source address to a blacklist. That's all.

/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" connection-state=new dst-port=22,3389,8291 in-interface=ether4-wan protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" address-list-timeout=30d0h0m chain=input comment="block honeypot asterisk" connection-state=new dst-port=5060 in-interface=ether4-wan protocol=udp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list="Honeypot Hacker"

The first rule, for the popular TCP ports 22, 3389 and 8291 on the external interface ether4-wan, sends the "guest's" IP to the "Honeypot Hacker" list (the ssh, rdp and winbox ports themselves have already been disabled or moved elsewhere). The second does the same for the popular UDP port 5060.

The third rule, at the prerouting stage, drops packets from "guests" whose source address is in "Honeypot Hacker".

After two weeks of running on my home Mikrotik, the "Honeypot Hacker" list contained about one and a half thousand IP addresses of those who like to "grab by the udder" my network resources (at home there is telephony, mail, nextcloud, rdp). The brute-force attacks stopped; happiness arrived.

At work, not everything turned out so simple: there they keep hammering the rdp server, brute-forcing passwords.

Apparently, the port number had been found by scanning long before the honeypot was enabled, and during quarantine it is not so easy to reconfigure more than 100 users, 20% of whom are over 65. For the case when the port cannot be changed, there is a small working recipe. I saw something similar on the internet, but there are a few extra tweaks and some fine-tuning involved:

Port-knocking configuration rules

/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist address-list-timeout=15m chain=forward comment=rdp_to_blacklist connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage12
add action=add-src-to-address-list address-list=rdp_stage12 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage11
add action=add-src-to-address-list address-list=rdp_stage11 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage10
add action=add-src-to-address-list address-list=rdp_stage10 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage9
add action=add-src-to-address-list address-list=rdp_stage9 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage8
# each stage requires the previous one; the original listing chained stage8 to stage4, which skips stages 5-7
add action=add-src-to-address-list address-list=rdp_stage8 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage7
add action=add-src-to-address-list address-list=rdp_stage7 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage6
add action=add-src-to-address-list address-list=rdp_stage6 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage5
add action=add-src-to-address-list address-list=rdp_stage5 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage4
add action=add-src-to-address-list address-list=rdp_stage4 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=rdp_blacklist

Within 4 minutes, a remote client is allowed to make only 12 new "requests" to the RDP server. One logon attempt is 1 to 4 "requests". On the 12th "request" comes a 15-minute block. In my case the attackers did not stop trying to break into the server; they adapted to the timings and now do it very slowly, and at that guessing rate the effectiveness of the attack drops to zero. Company employees experience no inconvenience at work from the measures taken.

Another small trick
This rule is enabled by the scheduler at 5 a.m. and disabled at XNUMX a.m., when real people are certainly asleep and the automated password pickers are still awake.

/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist address-list-timeout=1w0d0h0m chain=forward comment="night_rdp_blacklist" connection-state=new disabled=yes dst-port=3389 protocol=tcp src-address-list=rdp_stage8

Already on the 8th connection, the attacker's IP lands in the blacklist for a whole week. Beautiful!
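To see exactly what the stage ladder above and the night rule do to a given source, here is a small simulation of RouterOS address-list behaviour; it is an added example, not the article's or MikroTik's code. It assumes each stage requires the previous one (stage8 after stage7), that add-src-to-address-list does not stop rule processing (so the rules must stay in the order shown, rdp_blacklist first and rdp_stage1 last, otherwise one packet walks through every stage at once), and that the raw prerouting drop stops blacklisted sources before chain=forward.

```python
"""Simulation of the RouterOS address-list ladder from the article.

Added example, not the author's code.  Firewall rules are evaluated in
order and add-src-to-address-list is non-terminating, so a single packet
can match several rules in one pass; the raw prerouting drop is modelled by
ignoring packets from blacklisted sources.  Times are integer seconds."""

# (list to add src to, list src must already be in, timeout in seconds)
WAN_RULES = [("rdp_blacklist", "rdp_stage12", 15 * 60)] + [
    (f"rdp_stage{n}", f"rdp_stage{n - 1}" if n > 1 else None, 4 * 60)
    for n in range(12, 0, -1)
]
# night variant: a week-long ban as soon as the source is already in stage8
NIGHT_RULES = [("rdp_blacklist", "rdp_stage8", 7 * 24 * 3600)] + WAN_RULES


def new_connection(lists, rules, src, now):
    """Apply one new TCP/3389 connection from src at time `now` to the rules."""
    for name in lists:  # drop expired entries, as address-list-timeout does
        lists[name] = {ip: exp for ip, exp in lists[name].items() if exp > now}
    if src in lists.get("rdp_blacklist", {}):
        return  # dropped in /ip firewall raw, never reaches chain=forward
    for add_to, needs, timeout in rules:
        if needs is None or src in lists.get(needs, {}):
            lists.setdefault(add_to, {})[src] = now + timeout


def lists_after(timestamps, rules=WAN_RULES, src="203.0.113.7"):
    """Names of the lists src is in after new connections at the given times.

    src is a constructed documentation address, not a real attacker."""
    lists = {}
    for t in timestamps:
        new_connection(lists, rules, src, t)
    return {name for name, ips in lists.items() if src in ips}


if __name__ == "__main__":
    # a burst of attempts one second apart, a patient client every 5 minutes,
    # and the ladder installed in reverse order
    for label, args in [("burst", (range(13),)),
                        ("slow", (range(0, 6000, 300),)),
                        ("reversed", ([0], WAN_RULES[::-1]))]:
        print(label, sorted(lists_after(*args)))
```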

Well, in addition to the above, I'll add a link to the Wiki article with a working configuration for protecting a Mikrotik from network scanners: wiki.mikrotik.com/wiki/Drop_port_scanners

On my devices, that setup runs alongside the honeypot rules described above and complements them nicely.

UPD: As suggested in the comments, the packet drop rule has been moved to RAW to reduce the load on the router.

Source: www.habr.com
