MS Remote Desktop Gateway, HAProxy and password brute force

Hello, friends!

There are many ways to connect from home to your workplace in the office. One of them is Microsoft Remote Desktop Gateway. This is RDP over HTTP. I don't want to touch on setting up RDGW itself here, and I don't want to discuss why it is good or bad; let's just take it as one of the remote access tools. I want to talk about protecting your RDGW server from the evil Internet. When I set up the RDGW server, I immediately became concerned about security, in particular about protection against password brute force. I was surprised that I found no articles on the Internet about how to do this. Well, you have to do it yourself.

RDGW itself has no protections. Yes, it can be exposed with a bare interface to the white network and it will work fine. But this will make a proper administrator or an information security specialist uneasy. Besides, it will let you avoid the account-lockout situation where a careless employee has saved the company account password on his home computer and then changed his password.

A good way to protect internal resources from the outside environment is through various proxies, publishing systems and other WAFs. Recall that RDGW is still http, so it just begs for a specialized solution to be placed between the internal servers and the Internet.

I know there are the cool F5, A10, Netscaler(ADC). As an administrator of one of these systems, I will say that it is also possible to set up protection against brute force on these systems. Yes, these systems will also protect you from any syn floods.

But not every company can afford to buy such a solution (and find an administrator for such a system :), yet at the same time they can still take care of security!

It is possible to install the free version of HAProxy on a free operating system. I tested it on Debian 10, haproxy version 1.8.19 from the stable repository. I also tested it on version 2.0.xx from the testing repository.

We'll leave the setup of debian itself outside the scope of this article. Briefly: on the white interface, close everything except port 443; on the grey interface, according to your policy, for example also close everything except port 22. Open only what is needed for operation (VRRP, for example, for the floating ip).

First of all, I configured haproxy in SSL bridge mode (aka http mode) and turned on logging to see what happens inside RDP. So to speak, I got into the middle. So, the /RDWeb path mentioned in "all" the articles about setting up RDGateway does not exist. All there is is /rpc/rpcproxy.dll and /remoteDesktopGateway/. In this case the standard GET/POST requests are not used; their own request types RDG_IN_DATA and RDG_OUT_DATA are used instead.

Not much, but at least something.

Let's test.

I launch mstsc, go to the server, see four 401 (unauthorized) errors in the logs, then enter my username / password and see a 200 response.

I close it, start again, and in the logs I see the same four 401 errors. I enter a wrong login / password and again see four 401 errors. That is what I need. This is what we will catch.

Since I couldn't find the login url, and besides, I don't know how to catch the 401 error in haproxy, I will catch (not catch, but count) all 4xx errors. That also suits for solving the problem.

The essence of the protection will be that we count the number of 4xx errors (on the backend) per unit of time and, if it exceeds a specified limit, then reject (on the frontend) all further connections from that ip for a specified time.

Strictly speaking, this will not be protection against password brute force; it will be protection against 4xx errors. For example, if you frequently request a nonexistent url (404), the protection will also trigger.

The simplest and most working way is to rely on the backend and report if something extra shows up:
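To see how the counting described above behaves before touching the proxy, here is an added example, not code from the article: a small Python model of the two-table scheme (per-source 4xx count over a 10 s window on the backend, a flag with a 15 s expiry on the frontend) replayed over constructed httplog-style lines. The IP addresses, timestamps and log lines are constructed; the thresholds are the article's (more than 8 errors in 10 s, 15 s expiry). Unlike the real proxy, the window here is exact (haproxy approximates it), and it assumes, as the stick-table `expire` keyword describes, that every access to a flagged entry refreshes its expiry, so a client that keeps retrying stays blocked.

```python
"""Offline model of the article's counting scheme, replayed over constructed log lines.

Added example, not code from the article. Backend side: count 4xx responses per
source IP over a 10 s window (http_err_rate(10s)); when the count exceeds 8
(acl errors_too_fast) flag the source in the frontend's gpc0 table, whose entries
expire 15 s after they were last touched; frontend side: reject every connection
from a flagged source. All log lines, addresses and times are constructed.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

ERR_WINDOW = 10.0     # stick-table ... store http_err_rate(10s)
ERR_THRESHOLD = 8     # acl errors_too_fast sc1_http_err_rate gt 8
BLOCK_EXPIRE = 15.0   # frontend stick-table ... expire 15s (gpc0)

EPOCH = datetime(1970, 1, 1)
BASE = datetime(2020, 3, 15, 10, 0, 0)             # constructed start time
ATTACKER, CLIENT = "203.0.113.7", "198.51.100.5"   # constructed addresses

# Subset of haproxy's httplog line: "<ip>:<port> [<accept date>] fe be/srv timers <status> ..."
LOG_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ \[(?P<ts>[^\]]+)\] \S+ \S+ \S+ (?P<status>\d{3}) ")


def make_line(ip, seconds, status, verb="RDG_OUT_DATA"):
    """Build one constructed httplog-style line, as the article's frontend would log it."""
    stamp = (BASE + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S.%f")[:-3]
    return (f'{ip}:51234 [{stamp}] fe_rdp_tsc~ be_rdp_tsc/rdgw01 0/0/1/45/46 {status} 512 - - ---- '
            f'1/1/0/0/0 0/0 "{verb} /remoteDesktopGateway/ HTTP/1.1"')


def parse_line(line):
    """Return (seconds since epoch, source ip, status) or None for an unrelated line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f")
    return (when - EPOCH).total_seconds(), m["ip"], int(m["status"])


class AbuseTracker:
    """Per-source state equivalent to the two stick-tables (sc1 error rate, sc0 gpc0)."""

    def __init__(self):
        self.errors = defaultdict(deque)   # ip -> timestamps of 4xx inside the window
        self.flagged = {}                  # ip -> expiry of its gpc0 entry

    def admit(self, ip, now):
        """Frontend: tcp-request connection reject if { sc0_get_gpc0 gt 0 }."""
        expiry = self.flagged.get(ip)
        if expiry is not None and now < expiry:
            self.flagged[ip] = now + BLOCK_EXPIRE    # the access refreshes the entry (assumption, see lead-in)
            return False
        self.flagged.pop(ip, None)                   # an expired entry is gone
        return True

    def observe(self, ip, status, now):
        """Backend: record the response, then evaluate errors_too_fast / mark / clear."""
        q = self.errors[ip]
        if 400 <= status < 500:
            q.append(now)
        while q and now - q[0] > ERR_WINDOW:         # drop errors that left the 10 s window
            q.popleft()
        if len(q) > ERR_THRESHOLD:
            self.flagged[ip] = now + BLOCK_EXPIRE    # acl mark_as_abuser (sc0_inc_gpc0)
        else:
            self.flagged.pop(ip, None)               # acl clear_as_abuser (sc0_clr_gpc0)


def replay(lines):
    """Feed log lines as attempts; return the tracker and the rejections the frontend would make."""
    tracker, rejected = AbuseTracker(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        now, ip, status = parsed
        if not tracker.admit(ip, now):
            rejected.append((ip, now))
            continue
        tracker.observe(ip, status, now)
    return tracker, rejected


def rejected_per_ip(lines):
    """How many attempts each source had rejected on the frontend."""
    return Counter(ip for ip, _ in replay(lines)[1])


# Constructed traffic: every mstsc attempt shows up as four 401s, as observed in the article.
SAMPLE_LOG = []
for attempt_start in (0.0, 3.0, 6.0):                                        # three wrong passwords
    SAMPLE_LOG += [make_line(ATTACKER, attempt_start + i / 10, 401) for i in range(4)]
SAMPLE_LOG.append(make_line(ATTACKER, 12.0, 401))                            # retry while flagged
SAMPLE_LOG += [make_line(ATTACKER, 40.0 + i / 10, 401) for i in range(4)]    # after the flag expired
SAMPLE_LOG += [make_line(CLIENT, 1.0 + i / 10, 401) for i in range(4)]       # a normal logon ...
SAMPLE_LOG.append(make_line(CLIENT, 1.5, 200))                               # ... ends with 200
SAMPLE_LOG.sort(key=lambda l: parse_line(l)[0])

if __name__ == "__main__":
    tracker, rejected = replay(SAMPLE_LOG)
    start = (BASE - EPOCH).total_seconds()
    for ip, when in rejected:
        print(f"rejected {ip} at +{when - start:.1f}s")
    print("still flagged:", sorted(tracker.flagged))
```

In the replay the attacker's ninth 401 (first request of the third attempt) trips the threshold; the remaining three requests of that attempt and the retry at 12 s are rejected without reaching the backend, while the legitimate client's four 401s followed by a 200 never come near the limit. The decision is made when the next request arrives, which is why the request that produces the ninth error itself still goes through.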

frontend fe_rdp_tsc
    bind *:443 ssl crt /etc/haproxy/cert/desktop.example.com.pem
    mode http
    ...
    default_backend be_rdp_tsc


backend be_rdp_tsc
    ...
    mode http
    ...

    #create a table, string type, 1000 entries, expires after 15 sec, store the number of errors over the last 10 sec
    stick-table type string len 128 size 1k expire 15s store http_err_rate(10s)
    #remember the ip
    http-request track-sc0 src
    #deny with http error 429 if there were more than 4 errors in the last 10 sec
    http-request deny deny_status 429 if { sc_http_err_rate(0) gt 4 }

    ...
    server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
    server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02

Not the best option, so let's complicate it. We will count on the backend and block on the frontend.

We will treat the attacker rudely and drop his TCP connection.

frontend fe_rdp_tsc
    bind *:443 ssl crt /etc/haproxy/cert/ertelecom_ru_2020_06_11.pem
    mode http
    ...
    #create a table of ip addresses, 1000 entries, expires after 15 sec, store the global counter
    stick-table type ip size 1k expire 15s store gpc0
    #take the source
    tcp-request connection track-sc0 src
    #reject the tcp connection if the global counter > 0
    tcp-request connection reject if { sc0_get_gpc0 gt 0 }

    ...
    default_backend be_rdp_tsc


backend be_rdp_tsc
    ...
    mode http
    ...

    #create a table of ip addresses, 1000 entries, expires after 15 sec, store the number of errors over 10 sec
    stick-table type ip size 1k expire 15s store http_err_rate(10s)
    #too many errors: the number of errors over 10 sec exceeded 8
    acl errors_too_fast sc1_http_err_rate gt 8
    #mark the attack in the global counter (increment the counter)
    acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
    #reset the global counter
    acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
    #take the source
    tcp-request content track-sc1 src
    #reject and mark it as an attack
    tcp-request content reject if errors_too_fast mark_as_abuser
    #allow and clear the attack flag
    tcp-request content accept if !errors_too_fast clear_as_abuser

    ...
    server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
    server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02

The same thing, but politely: we return http error 429 (Too Many Requests)

frontend fe_rdp_tsc
    ...
    stick-table type ip size 1k expire 15s store gpc0
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc0_get_gpc0 gt 0 }
    ...
    default_backend be_rdp_tsc

backend be_rdp_tsc
    ...
    stick-table type ip size 1k expire 15s store http_err_rate(10s)
    acl errors_too_fast sc1_http_err_rate gt 8
    acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
    acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
    http-request track-sc1 src
    http-request allow if !errors_too_fast clear_as_abuser
    http-request deny deny_status 429 if errors_too_fast mark_as_abuser
    ...

I test: I launch mstsc and start entering random passwords. After the third attempt, within 10 seconds it kicks me out, and mstsc shows an error. As can be seen in the logs.

Notes. I am far from a haproxy master. I don't understand why, for example,

    http-request deny deny_status 429 if { sc_http_err_rate(0) gt 4 }

lets you make about 10 errors before it triggers.

I am confused by the numbering of the counters. haproxy gurus, I will be glad if you supplement me, correct me, make it better.

In the comments you can suggest other ways of protecting RD Gateway; it will be interesting to learn.

Regarding the Windows Remote Desktop Client (mstsc), it is worth noting that it does not support TLS1.2 (at least on Windows 7), so I had to leave TLS1; it does not support current ciphers, so I had to leave the old ones too.

For those who didn't understand anything, are still learning, and already want to do it properly, I will give the whole config.

haproxy.conf

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        #ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        #ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
        ssl-default-bind-options no-sslv3
        ssl-server-verify none


defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  15m
        timeout server  15m
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http


frontend fe_rdp_tsc
    bind *:443 ssl crt /etc/haproxy/cert/desktop.example.com.pem
    mode http
    capture request header Host len 32
    log global
    option httplog
    timeout client 300s
    maxconn 1000

    stick-table type ip size 1k expire 15s store gpc0
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc0_get_gpc0 gt 0 }

    acl rdweb_domain hdr(host) -i beg desktop.example.com
    http-request deny deny_status 400 if !rdweb_domain
    default_backend be_rdp_tsc


backend be_rdp_tsc
    balance source
    mode http
    log global

    stick-table type ip size 1k expire 15s store http_err_rate(10s)
    acl errors_too_fast sc1_http_err_rate gt 8
    acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
    acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
    tcp-request content track-sc1 src
    tcp-request content reject if errors_too_fast mark_as_abuser
    tcp-request content accept if !errors_too_fast clear_as_abuser

    option forwardfor
    http-request add-header X-CLIENT-IP %[src]

    option httpchk GET /
    cookie RDPWEB insert nocache
    default-server inter 3s    rise 2  fall 3
    server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
    server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02


frontend fe_stats
    mode http
    bind *:8080
    acl ip_allow_admin src 192.168.66.66
    stats enable
    stats uri /stats
    stats refresh 30s
    #stats admin if LOCALHOST
    stats admin if ip_allow_admin
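While testing a config like the one above it helps to look at what the two stick-tables actually hold: which sources currently have gpc0 set on the frontend (and are therefore being rejected) and what error rate the backend has recorded for them. The following is an added helper, not part of the article: it sends the documented `show table <name>` and `clear table <name> key <key>` commands to the stats socket declared in the global section (`/run/haproxy/admin.sock`, which is why that socket is configured with `level admin`) and parses the `show table` reply. The sample replies embedded below are constructed in the shape haproxy prints, so the parser can be exercised without a running proxy; the addresses in them are made up.

```python
"""Inspect and clear the article's stick-tables through the HAProxy runtime API.

Added example, not code from the article. runtime_cmd() talks to the stats socket
from the global section; parse_show_table() turns a 'show table' reply into a dict
keyed by source address; flagged_sources() lists the keys the frontend currently
rejects (gpc0 > 0); unblock() removes one key early. SAMPLE_* replies are constructed.
"""
import re
import socket

SOCKET_PATH = "/run/haproxy/admin.sock"   # 'stats socket' path from the article's global section
FRONTEND_TABLE, BACKEND_TABLE = "fe_rdp_tsc", "be_rdp_tsc"

# One entry line of 'show table': "0x<addr>: key=<key> use=<n> exp=<ms> <counter>=<value> ..."
ENTRY_RE = re.compile(r"^0x[0-9a-fA-F]+: key=(?P<key>\S+) (?P<rest>.*)$")
FIELD_RE = re.compile(r"(?P<name>[a-z_0-9]+(?:\(\d+\))?)=(?P<value>\d+)")


def runtime_cmd(command, path=SOCKET_PATH):
    """Send one command to the runtime API over the unix socket and return the text reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall((command + "\n").encode())
        chunks = []
        while True:                      # haproxy closes the socket after a single command
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode()


def parse_show_table(text):
    """Map each table key to its numeric fields, e.g. {'203.0.113.7': {'exp': 14203, 'gpc0': 1}}."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:                        # header line ("# table: ...") or empty reply
            continue
        entries[m["key"]] = {name: int(value) for name, value in FIELD_RE.findall(m["rest"])}
    return entries


def flagged_sources(show_table_text):
    """Keys whose gpc0 is set, i.e. sources the frontend's tcp-request rule currently rejects."""
    return sorted(k for k, fields in parse_show_table(show_table_text).items()
                  if fields.get("gpc0", 0) > 0)


def error_rates(show_table_text):
    """Per-source value of the backend's http_err_rate counter (the field name carries the period in ms)."""
    rates = {}
    for key, fields in parse_show_table(show_table_text).items():
        for name, value in fields.items():
            if name.startswith("http_err_rate("):
                rates[key] = value
    return rates


def unblock(ip, table=FRONTEND_TABLE, path=SOCKET_PATH):
    """Drop one entry so the source is admitted again before the 15 s expiry (needs level admin)."""
    return runtime_cmd(f"clear table {table} key {ip}", path)


# Constructed replies in the format 'show table' prints; addresses and values are made up.
SAMPLE_FRONTEND = """# table: fe_rdp_tsc, type: ip, size:1024, used:2
0x55e3c9d2a8f0: key=203.0.113.7 use=0 exp=14203 gpc0=1
0x55e3c9d2a960: key=198.51.100.5 use=0 exp=9811 gpc0=0
"""
SAMPLE_BACKEND = """# table: be_rdp_tsc, type: ip, size:1024, used:1
0x55e3c9d2aa10: key=203.0.113.7 use=0 exp=14203 http_err_rate(10000)=9
"""

if __name__ == "__main__":
    # Against a live proxy: replace the samples with runtime_cmd(f"show table {FRONTEND_TABLE}") etc.
    print("rejected sources:", flagged_sources(SAMPLE_FRONTEND))
    print("backend 4xx rates:", error_rates(SAMPLE_BACKEND))
```

Running `show table fe_rdp_tsc` a few times during a test answers the article's question about counters more directly than the logs do: the `exp` field shows how long the flag has left, and watching `http_err_rate(10000)` on the backend table while mstsc retries shows at which request the value passes 8.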

Why two servers on the backend? Because that is how you get fault tolerance. Haproxy can also be run as a pair with a floating white ip.

Computing resources: you can start with "two gigs, two cores, a gaming PC". According to Wikipedia this should be enough.

Links:

Setting up an rdp-gateway with HAProxy
The only article I found where they bothered about password brute force

Source: www.habr.com
