Saaxiibayaal, salaan!
Waxaa jira siyaabo badan oo lagu xidhi karo guriga ilaa goobta shaqada ee xafiiskaaga. Mid ka mid ah iyaga ka mid ah waa in la isticmaalo kaddinka Desktop Fog ee Microsoft. Kani waa RDP ka sarreeya HTTP. Ma rabo inaan taabto dejinta RDGW lafteeda halkan, ma rabo inaan ka hadlo sababta ay u wanaagsan tahay ama u xun tahay, aan ula dhaqno mid ka mid ah qalabka gelitaanka fog. Waxaan rabaa inaan ka hadlo ka ilaalinta server-kaaga RDGW internetka xun. Markii aan dajiyay server-ka RDGW, waxaan isla markiiba ka walwalay amniga, gaar ahaan ilaalinta xoogga sirta ah. Waxaan la yaabay in aanan ka helin internetka wax maqaallo ah oo ku saabsan sida tan loo sameeyo. Hagaag, waa inaad adigu sameysaa.
RDGW lafteedu ma laha wax ilaalin ah. Haa, waxaa lagu soo bandhigi karaa iyada oo muuqaalkeeda qaawan ee shabakad cad waxayna si weyn u shaqeyn doontaa. Laakiin tani waxay dhibsan doontaa maamulaha saxda ah ama khabiirka amniga macluumaadka. Intaa waxaa dheer, waxay ka fogaan doontaa xaaladda xannibaadda akoonnada, marka shaqaalaha taxadar la'aanta ah uu xasuusto erayga sirta ah ee koontada shirkadda ee kombuyuutarkiisa guriga ka dibna bedelay erayga sirta ah.
Habka wanaagsan ee looga ilaaliyo kheyraadka gudaha deegaanka dibadda waa iyada oo loo marayo wakiilo kala duwan, nidaamyada daabacaadda, iyo WAF-yada kale. Aynu xasuusanno in RDGW ay weli tahay http, ka dibna waxay ku baryaysaa in lagu xidho xal gaar ah oo u dhexeeya server-yada gudaha iyo internetka.
Waan ogahay inay jiraan F5, A10, Netscaler (ADC) qabow. Maamule mid ka mid ah nidaamyadan, waxaan dhihi doonaa inay sidoo kale suurtagal tahay in la sameeyo ka-hortagga xoogga wax-ku-oolka ah ee nidaamyadan. Haa, nidaamyadani waxay sidoo kale kaa ilaalin doonaan daad kasta.
Laakiin shirkad kastaa ma awoodo inay iibsato xalkan oo kale (oo u hel maamulaha nidaamkan :), laakiin isla mar ahaantaana waxay daryeeli karaan amniga!
Gebi ahaanba waa suurtogal in lagu rakibo nooca HAProxy ee bilaashka ah nidaamka hawlgalka bilaashka ah. Waxaan ku tijaabiyay Debian 10, nooca haproxy 1.8.19 ee kaydka xasilloon. Waxaan sidoo kale ku tijaabiyay nooca 2.0.xx ee kaydka tijaabada.
Waxaan uga tagi doonaa dejinta debian lafteeda si ka baxsan baaxadda maqaalkan. Si kooban: interface-ka cad, xir wax kasta marka laga reebo dekedda 443, ku dul-duleelaha cawl - sida ku cad siyaasaddaada, tusaale ahaan, sidoo kale xir wax kasta marka laga reebo dekedda 22. Fur kaliya waxa lagama maarmaanka u ah shaqada (VRRP tusaale ahaan, sabayn ip).
Ugu horreyntii, waxaan ku habeeyey haproxy qaabka isku-xidhka SSL (loo yaqaan http mode) oo waxaan daaray gaynta si aan u arko waxa ka socda gudaha RDP. Si aan u hadlo, waxaan galay dhexda. Markaa, dariiqa/RDWeb ee lagu qeexay maqaallada “dhammaan” ee ku saabsan dejinta RDGateway waa maqan tahay. Dhammaan waxa jira waa /rpc/rpcproxy.dll iyo /remoteDesktopGateway/. Xaaladdan oo kale, codsiyada caadiga ah ee GET/POST lama isticmaalo; codsigooda RDG_IN_DATA, RDG_OUT_DATA ayaa la isticmaalaa.
Ma badna, laakiin ugu yaraan wax.
Aan tijaabinno.
Waxaan bilaabay mstsc, aadaa server-ka, arag afar 401 (aan la ogolayn) khaladaadka ku jira diiwaanka, dabadeed geli magaca isticmaalaha/passwordka oo arag jawaabta 200.
Waan dami, mar kale dib u bilaaba, iyo diiwaannada waxaan ku arkaa afar qalad oo isku mid ah 401. Waxaan galaa khalad gal / erayga sirta ah oo aan mar kale arko afar qalad 401. Taasi waa waxa aan u baahanahay. Tani waa waxa aan qaban doono.
Maaddaama aysan suurtagal ahayn in la go'aamiyo url galitaanka, iyo ka sokow, ma aqaano sida loo qabto qaladka 401 ee haproxy, waan qaban doonaa (dhab ahaantii ma qaban, laakiin tiri) dhammaan khaladaadka 4xx. Sidoo kale ku habboon xallinta dhibaatada.
Nuxurka ilaalintu waxay noqon doontaa inaan xisaabin doono tirada 4xx khaladaadka (ee dhabarka dambe) halbeeg kasta iyo haddii ay dhaafto xadka la cayimay, ka dibna diido (dhinaca hore) dhammaan xidhiidhada dheeraadka ah ee ip-kan wakhtiga la cayimay. .
Farsamo ahaan, tani kama ilaalin doonto xoogga sirta sirta ah, waxay ka ilaalin doontaa khaladaadka 4xx. Tusaale ahaan, haddii aad inta badan codsato url aan jirin (404), markaa ilaalintu sidoo kale way shaqayn doontaa.
Habka ugu fudud uguna waxtarka badan waa in la tiriyo dhabarka oo dib loo soo sheego haddii wax dheeraad ah ay soo baxaan:
frontend fe_rdp_tsc
bind *:443 ssl crt /etc/haproxy/cert/desktop.example.com.pem
mode http
...
default_backend be_rdp_tsc
backend be_rdp_tsc
...
mode http
...
#создать таблицу, строковую, 1000 элементов, протухает через 15 сек, записать кол-во ошибок за последние 10 сек
stick-table type string len 128 size 1k expire 15s store http_err_rate(10s)
#запомнить ip
http-request track-sc0 src
#запретить с http ошибкой 429, если за последние 10 сек больше 4 ошибок
http-request deny deny_status 429 if { sc_http_err_rate(0) gt 4 }
...
server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02
Ma aha doorashada ugu fiican, aynu u adkeyno. Waxaan ku xisaabtami doonaa dhabarka iyo xannibaadda xagga hore.
Waxaan ula dhaqmi doonaa qofka weerarka geystay si edeb darro ah waxaanan joojin doonnaa xiriirkiisa TCP.
frontend fe_rdp_tsc
bind *:443 ssl crt /etc/haproxy/cert/ertelecom_ru_2020_06_11.pem
mode http
...
#создать таблицу ip адресов, 1000 элементов, протухнет через 15 сек, сохрянять из глобального счётчика
stick-table type ip size 1k expire 15s store gpc0
#взять источник
tcp-request connection track-sc0 src
#отклонить tcp соединение, если глобальный счётчик >0
tcp-request connection reject if { sc0_get_gpc0 gt 0 }
...
default_backend be_rdp_tsc
backend be_rdp_tsc
...
mode http
...
#создать таблицу ip адресов, 1000 элементов, протухнет через 15 сек, сохранять кол-во ошибок за 10 сек
stick-table type ip size 1k expire 15s store http_err_rate(10s)
#много ошибок, если кол-во ошибок за 10 сек превысило 8
acl errors_too_fast sc1_http_err_rate gt 8
#пометить атаку в глобальном счётчике (увеличить счётчик)
acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
#обнулить глобальный счётчик
acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
#взять источник
tcp-request content track-sc1 src
#отклонить, пометить, что атака
tcp-request content reject if errors_too_fast mark_as_abuser
#разрешить, сбросить флажок атаки
tcp-request content accept if !errors_too_fast clear_as_abuser
...
server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02
Si la mid ah, laakiin si xushmad leh, waxaan soo celin doonaa qaladka http 429 (Codsi badan)
frontend fe_rdp_tsc
...
stick-table type ip size 1k expire 15s store gpc0
http-request track-sc0 src
http-request deny deny_status 429 if { sc0_get_gpc0 gt 0 }
...
default_backend be_rdp_tsc
backend be_rdp_tsc
...
stick-table type ip size 1k expire 15s store http_err_rate(10s)
acl errors_too_fast sc1_http_err_rate gt 8
acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
http-request track-sc1 src
http-request allow if !errors_too_fast clear_as_abuser
http-request deny deny_status 429 if errors_too_fast mark_as_abuser
...
Waxaan hubiyaa: Waxaan bilaabay mstsc oo waxaan bilaabay si aan kala sooc lahayn u gelida ereyada sirta ah. Isku daygii saddexaad ka dib, 10 ilbiriqsi gudahood ayay dib iigu soo celinaysaa, mstsc-na waxay ku siinaysaa cilad. Sida ka muuqata galka.
Sharaxaad. Waan ka fogahay sayid haproxy. Ma fahmin sababta, tusaale ahaan
http-codsi diido deny_status 429 haddii {s_http_err_rate(0) gt 4}
waxay kuu ogolaanaysaa inaad samayso ilaa 10 khalad ka hor inta aanay shaqayn.
Waxaan ku wareersanahay nambarada xisaabiyeyaasha. Masters of haproxy, waan ku farxi doonaa haddii aad i dhammaystirto, i saxdo, i hagaajiso.
Faallooyinka waxaad ku soo jeedin kartaa siyaabo kale oo lagu ilaaliyo Kadinka RD, waxay noqon doontaa mid xiiso leh in la barto.
Marka laga hadlayo Macmiilka Mashiinka Fog ee Windows (mtsc), waxaa xusid mudan in aysan taageerin TLS1.2 (ugu yaraan gudaha Windows 7), markaa waa inaan ka tago TLS1; ma taageerto sifaarka hadda jira, sidaas darteed waxaan sidoo kale lahaa inaan ka tago kuwii hore.
Kuwa aan waxba fahmin, kaliya wax baranaya, oo mar horeba doonaya inay si fiican u qabtaan, waxaan ku siin doonaa qaabka oo dhan.
haproxy.conf
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
#ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE
-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
#ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
ssl-default-bind-options no-sslv3
ssl-server-verify none
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 15m
timeout server 15m
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend fe_rdp_tsc
bind *:443 ssl crt /etc/haproxy/cert/dektop.example.com.pem
mode http
capture request header Host len 32
log global
option httplog
timeout client 300s
maxconn 1000
stick-table type ip size 1k expire 15s store gpc0
tcp-request connection track-sc0 src
tcp-request connection reject if { sc0_get_gpc0 gt 0 }
acl rdweb_domain hdr(host) -i beg dektop.example.com
http-request deny deny_status 400 if !rdweb_domain
default_backend be_rdp_tsc
backend be_rdp_tsc
balance source
mode http
log global
stick-table type ip size 1k expire 15s store http_err_rate(10s)
acl errors_too_fast sc1_http_err_rate gt 8
acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
tcp-request content track-sc1 src
tcp-request content reject if errors_too_fast mark_as_abuser
tcp-request content accept if !errors_too_fast clear_as_abuser
option forwardfor
http-request add-header X-CLIENT-IP %[src]
option httpchk GET /
cookie RDPWEB insert nocache
default-server inter 3s rise 2 fall 3
server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02
frontend fe_stats
mode http
bind *:8080
acl ip_allow_admin src 192.168.66.66
stats enable
stats uri /stats
stats refresh 30s
#stats admin if LOCALHOST
stats admin if ip_allow_admin
Waa maxay sababta labada server ee dhabarka? Sababtoo ah tani waa sida aad u samayn karto dulqaadka qaladka. Haproxy sidoo kale waxay samayn kartaa laba leh ip cad oo sabaynaya.
Ilaha xisaabinta: waxaad ku bilaabi kartaa "laba gig, laba geesood, PC gaming." Sida laga soo xigtay Tani waxay ku filnaan doontaa in la dhaafo.
Tixraacyada:
Source: www.habr.com