Remote work at the office. RDP, Port Knocking, Mikrotik: simple and secure

Because of the covid-19 pandemic and the general quarantine in many countries, the only way for many companies to keep operating is remote access to their workplaces over the Internet. There are plenty of reasonably secure methods for remote work, but given the scale of the problem, what is needed is a simple way for any user to connect to the office from home without additional configuration, explanations, tedious consultations and long instructions. The method favoured by many admins is RDP (Remote Desktop Protocol). Connecting directly to the workstation over RDP solves our problem ideally, with one big fly in the ointment: leaving the RDP port open to the Internet is not at all secure. So below I propose a simple but reliable protection method.

Since I mostly deal with small organisations where Mikrotik devices serve as the Internet gateway, below I will show how to implement this on Mikrotik, but the Port Knocking protection method is easily applied to other, higher-class devices with similar router and firewall settings.

Briefly about Port Knocking. The ideal external protection of a network connected to the Internet is when all services and ports are closed from the outside by the firewall. And although a router with such a firewall configured does not respond in any way to packets arriving from outside, it does listen to them. Therefore the router can be configured so that when it receives a particular sequence (a code) of network packets on different ports, it grants the IP those packets came from access to particular resources (ports, protocols, and so on).

Now to the point. I will not give a detailed description of setting up the firewall on Mikrotik; the Internet is full of good sources for that. Essentially, the firewall blocks all incoming packets, but the rule

/ip firewall filter
add action=accept chain=input comment="established and related accept" connection-state=established,related

allows incoming traffic belonging to already established connections (established, related).
Now we set up Port Knocking on Mikrotik:

/ip firewall filter
add action=drop chain=input dst-port=19000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=drop chain=input dst-port=16000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=add-src-to-address-list address-list="remote_port_1" address-list-timeout=1m chain=input dst-port=19000 protocol=tcp comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=19001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=18999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=16001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=15999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="allow_remote_users" address-list-timeout=1m chain=input dst-port=16000 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
move [/ip firewall filter find comment=RemoteRules] 1
/ip firewall nat
add action=dst-nat chain=dstnat comment="remote_rdp" src-address-list="allow_remote_users" dst-port=33890 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.33 to-ports=3389

Now in detail:

The first two rules

/ip firewall filter
add action=drop chain=input dst-port=19000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=drop chain=input dst-port=16000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules

block incoming packets from IP addresses that have been registered as port scanners;

The third rule:

add action=add-src-to-address-list address-list="remote_port_1" address-list-timeout=1m chain=input dst-port=19000 protocol=tcp comment=RemoteRules

adds the IP to the list of hosts that have made the first correct knock, on the expected port (19000);
The next four rules:

add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=19001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=18999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=16001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=15999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules

set up trap ports for anyone who wants to scan your ports; when such attempts are detected, they list the IP for 60 minutes, during which the first two rules deny such hosts any chance of knocking on the correct ports;

The next rule:

add action=add-src-to-address-list address-list="allow_remote_users" address-list-timeout=1m chain=input dst-port=16000 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules

puts the IP on the allowed list for one minute (enough to establish a connection), since the second correct knock was made on the expected port (16000);

The next command:

move [/ip firewall filter find comment=RemoteRules] 1

moves our rules to the top of the firewall's processing chain, since most likely various blocking rules are already configured that would otherwise stop the newly created ones from ever being reached. The very first rule in Mikrotik is numbered from zero, but on my Mikrotik position zero was occupied by a built-in rule that could not be moved, so I moved ours to 1. So look at your own configuration, decide where the rules can be moved to, and specify the desired number.

The following setting:

/ip firewall nat
add action=dst-nat chain=dstnat comment="remote_rdp_to_33" src-address-list="allow_remote_users" dst-port=33890 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.33 to-ports=3389

forwards the arbitrarily chosen port 33890 to the standard RDP port 3389 and the IP of the computer or terminal server we need. We create such rules for every internal resource we need, preferably using non-standard (and different) external ports. Naturally, the IP of the internal resources must be static or reserved on the DHCP server.

Now our Mikrotik is configured and we need a simple way for the user to connect to our internal RDP. Since we mostly have Windows users, we create a simple bat file and call it StartRDP.bat:

1.htm
1.rdp

Here 1.htm contains the following code:

<img src="http://my_router.sn.mynetname.net:19000/1.jpg">
click refresh to reconnect over RDP
<img src="http://my_router.sn.mynetname.net:16000/2.jpg">

There are two links to non-existent images at the address my_router.sn.mynetname.net; we take this address from the Mikrotik DDNS system after doing the following on our Mikrotik: go to the IP -> Cloud menu, tick the DDNS Enabled box, click Apply and copy the DNS name of our router. But this is only needed if the router's external IP is dynamic or load balancing across several Internet providers is used.

The port in the first link, 19000, corresponds to the first port you need to knock on; the second corresponds to the second. Between the links there is a short instruction on what to do if our connection is suddenly interrupted by short-lived network problems: refresh the page, the RDP port is opened again for 1 minute and our session is restored. The text between the img tags also introduces a small delay for the browser, which reduces the chance of the first packet going to the second port (16000); so far there have been no such cases in two weeks of use (30 people).
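
To make the behaviour of the rule chain above, and the 1.htm ordering concern just described, checkable without a router, here is a small Python model of the RemoteRules. This is an added example, not code from the article: it replays the article's ports (19000, 16000 and the four trap ports), the 1m and 60m address-list timeouts and the effect of `move [...] 1` as a state machine with a simulated clock. The source addresses 203.0.113.x and 198.51.100.7 are constructed test input, and `rdp_forwarded` stands in for the dst-nat rule on port 33890.

```python
"""Model of the port-knocking input chain shown in the article.
Added example, not the article's code: the RemoteRules are replayed as a
state machine with a simulated clock, so a knock sequence can be checked
without a router. Source addresses are constructed test input.
"""

KNOCK_1, KNOCK_2 = 19000, 16000              # the two correct knocks, in order
TRAP_PORTS = (19001, 18999, 16001, 15999)    # neighbours of the knock ports
KNOCK_TIMEOUT = 60                           # remote_port_1: 1m
ALLOW_TIMEOUT = 60                           # allow_remote_users: 1m
BLACKLIST_TIMEOUT = 60 * 60                  # Black_scanners: 60m


class Router:
    """Only the RemoteRules plus the implicit final drop of chain=input."""

    def __init__(self, remote_rules_first=True):
        self.lists = {}  # (address list name, ip) -> expiry time
        # False models the state before `move [...] 1`: an earlier drop
        # rule swallows the knocks before RemoteRules ever see them.
        self.remote_rules_first = remote_rules_first

    def _add(self, name, ip, now, timeout):
        self.lists[(name, ip)] = now + timeout

    def listed(self, name, ip, now):
        expiry = self.lists.get((name, ip))
        return expiry is not None and now < expiry

    def input_chain(self, ip, port, now):
        """One new TCP packet from ip to dst-port port at simulated time now."""
        if not self.remote_rules_first:
            return "drop"
        # rules 1-2: blacklisted hosts may not knock at all
        if port in (KNOCK_1, KNOCK_2) and self.listed("Black_scanners", ip, now):
            return "drop"
        # rule 3: first knock (add-src-to-address-list does not terminate)
        if port == KNOCK_1:
            self._add("remote_port_1", ip, now, KNOCK_TIMEOUT)
        # rules 4-7: trap ports only bite hosts that already knocked once
        if port in TRAP_PORTS and self.listed("remote_port_1", ip, now):
            self._add("Black_scanners", ip, now, BLACKLIST_TIMEOUT)
        # rule 8: second knock after a valid first one opens the window
        if port == KNOCK_2 and self.listed("remote_port_1", ip, now):
            self._add("allow_remote_users", ip, now, ALLOW_TIMEOUT)
        return "drop"  # no accept matched: a knock looks like any other drop

    def rdp_forwarded(self, ip, now):
        """Would a packet to 33890 from ip be dst-nat'ed to 192.168.1.33:3389?"""
        return self.listed("allow_remote_users", ip, now)


def knock(router, ip, ports, start, gap=0.5):
    """Send one packet per port, gap seconds apart; return the time after the last."""
    t = start
    for port in ports:
        router.input_chain(ip, port, t)
        t += gap
    return t


def scenario_correct_sequence():
    """19000 then 16000: access opens, and closes again after the 1m window."""
    r, ip = Router(), "203.0.113.10"
    t = knock(r, ip, [KNOCK_1, KNOCK_2], 0.0)
    return r.rdp_forwarded(ip, t), r.rdp_forwarded(ip, t + ALLOW_TIMEOUT)


def scenario_wrong_order():
    """The 1.htm race: 16000 arrives first; nothing opens until the page is refreshed."""
    r, ip = Router(), "203.0.113.11"
    t = knock(r, ip, [KNOCK_2, KNOCK_1], 0.0)
    before_refresh = r.rdp_forwarded(ip, t)
    t = knock(r, ip, [KNOCK_1, KNOCK_2], t + 5)  # refresh replays both requests in order
    return before_refresh, r.rdp_forwarded(ip, t)


def scenario_sequential_scan():
    """A scanner walking 19000, 19001, 19002 is blacklisted for 60m, then freed."""
    r, ip = Router(), "198.51.100.7"
    t = knock(r, ip, [19000, 19001, 19002], 0.0)
    blacklisted = r.listed("Black_scanners", ip, t)
    t = knock(r, ip, [KNOCK_1, KNOCK_2], t + 1)  # correct sequence, still dropped
    still_blocked = not r.rdp_forwarded(ip, t)
    t = knock(r, ip, [KNOCK_1, KNOCK_2], t + BLACKLIST_TIMEOUT)  # entry expired
    return blacklisted, still_blocked, r.rdp_forwarded(ip, t)


def scenario_rules_not_moved():
    """Without `move [...] 1` the knocks never reach the RemoteRules."""
    r, ip = Router(remote_rules_first=False), "203.0.113.12"
    return r.rdp_forwarded(ip, knock(r, ip, [KNOCK_1, KNOCK_2], 0.0))


if __name__ == "__main__":
    for fn in (scenario_correct_sequence, scenario_wrong_order,
               scenario_sequential_scan, scenario_rules_not_moved):
        print(f"{fn.__name__}: {fn()}")
```

Two details the model makes visible: add-src-to-address-list lets the packet pass on to later rules (RouterOS passthrough, on by default), so a knock still ends at the final drop and is indistinguishable from the outside from any other dropped packet; and the trap rules only fire for a source already in remote_port_1, which is why a browser that happens to request port 16000 first is merely ignored rather than blacklisted, and a page refresh repairs it.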

Next comes the 1.rdp file, which we can set up once for everyone or separately for each user (which is what I did: it is easier to spend an extra 15 minutes than several hours consulting those who cannot work it out).

screen mode id:i:2
use multimon:i:1
.....
connection type:i:6
networkautodetect:i:0
.....
disable wallpaper:i:1
.....
full address:s:my_router.sn.mynetname.net:33890
.....
username:s:myuserlogin
domain:s:mydomain

One of the interesting settings here is use multimon:i:1, which enables multiple monitors; some people need this but do not think to enable it themselves.

connection type:i:6 and networkautodetect:i:0: since most Internet links are above 10 Mbit, we enable connection type 6 (LAN, 10 Mbit and above) and turn off networkautodetect, because if the default (auto) is left on, even a brief bit of network latency automatically drops the speed to a lower level for a long time, which can cause noticeable lag at work, especially in graphics programs.

disable wallpaper:i:1 turns off the desktop wallpaper
username:s:myuserlogin specifies the user login, since most of our users do not know their login.
domain:s:mydomain specifies the domain or computer name

But if we want to simplify the task of setting up the connection, we can also use PowerShell, StartRDP.ps1:

Test-NetConnection -ComputerName my_router.sn.mynetname.net -Port 19000
Test-NetConnection -ComputerName my_router.sn.mynetname.net -Port 16000
mstsc /v:my_router.sn.mynetname.net:33890

A little about the RDP client on Windows: MS has gone a long way in improving the protocol and its server and client parts, implementing many useful features such as hardware 3D, adjusting the screen resolution to your monitor, multiple screens, etc. But of course it is all implemented in a backward-compatible fashion, and if the client is on Windows 7 and the remote PC is on Windows 10, RDP will run using protocol version 7.0. Fortunately, RDP can be upgraded to later versions; for example, the protocol version can be upgraded from 7.0 (Windows 7) to 8.1. So, for the clients' benefit, you need to upgrade the server-side version and also hand out links to the updated RDP protocol client versions.

As a result we have a simple and relatively secure technique for remotely connecting to a work PC or terminal server. But for a more secure connection, our Port Knocking method can be made harder to attack by several orders of magnitude by adding more ports to check: on the same principle you can add a 3rd, 4th, 5th, 6th... port, and then direct penetration into your network becomes practically impossible.

Files for setting up the remote RDP connection.

Source: www.habr.com
