An easy way to protect your Mikrotik from attacks

I want to share with the community a simple way to use Mikrotik to protect your network, and the services "peeking out" from behind it, from outside attacks. Namely, just three rules to set up a honeypot on Mikrotik.

So, let's imagine we have a small office with an external IP, behind which there is an RDP server for employees working remotely. The first rule is, of course, to change port 3389 on the external interface to something else. But that won't help for long: after a few days the terminal server's audit log will start showing several failed authorizations per second from unknown clients.

Another situation: you have an Asterisk hidden behind the Mikrotik, of course not on udp port 5060, and after a few days the password guessing starts there too... For example, I recently installed one on Ubuntu 18.04 and was surprised to find that fail2ban out of the box contains no current settings for the Asterisk that comes out of the same box of the same Ubuntu distribution... and a quick Google for ready-made "recipes" no longer works: the number of releases has grown over the years, the articles with "recipes" for old versions don't work, and new ones almost never appear... But I digress...

So, what is a honeypot in a nutshell: in our case it is any popular port on the external IP, and any request to this port from an external client sends the src address to the blacklist. That's all.

/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" 
    address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" 
    connection-state=new dst-port=22,3389,8291 in-interface=
    ether4-wan protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" 
    address-list-timeout=30d0h0m chain=input comment=
    "block honeypot asterisk" connection-state=new dst-port=5060 
    in-interface=ether4-wan protocol=udp 
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=
    "Honeypot Hacker"

The first rule, on the popular TCP ports 22, 3389 and 8291 of the external interface ether4-wan, sends the "guest's" IP to the "Honeypot Hacker" list (the ports for ssh, rdp and winbox were disabled beforehand or moved elsewhere). The second does the same on the popular UDP port 5060.

The third rule, at the pre-routing stage, drops packets from "guests" whose src-address is in "Honeypot Hacker".

After two weeks of running on my home Mikrotik, the "Honeypot Hacker" list contained about one and a half thousand IP addresses of those who like to "milk" my network resources (at home I have my own telephony, mail, nextcloud and rdp). The brute-force attacks stopped, happiness arrived.

At work, not everything turned out to be so simple; there they keep hammering the rdp server with password brute-forcing.

Apparently, the port number had been discovered by scanners long before the honeypot was turned on, and during quarantine it is not so easy to reconfigure more than 100 users, 20% of whom are over 65. For the case when the port cannot be changed, there is a small working recipe. I have seen something similar on the Internet, but a few additions and some fine-tuning are involved:

Rules for configuring Port Knocking

/ip firewall filter
# Rules are evaluated top-down and add-src-to-address-list does not stop
# evaluation, so the chain is listed from the blacklist rule down to
# rdp_stage1: each new connection then advances a source by exactly one stage.
add action=add-src-to-address-list address-list=rdp_blacklist
    address-list-timeout=15m chain=forward comment=rdp_to_blacklist
    connection-state=new dst-port=3389 protocol=tcp src-address-list=
    rdp_stage12
add action=add-src-to-address-list address-list=rdp_stage12
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage11
add action=add-src-to-address-list address-list=rdp_stage11
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage10
add action=add-src-to-address-list address-list=rdp_stage10
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage9
add action=add-src-to-address-list address-list=rdp_stage9
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage8
# rdp_stage8 must depend on rdp_stage7, otherwise stages 5-7 are never used
add action=add-src-to-address-list address-list=rdp_stage8
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage7
add action=add-src-to-address-list address-list=rdp_stage7
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage6
add action=add-src-to-address-list address-list=rdp_stage6
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage5
add action=add-src-to-address-list address-list=rdp_stage5
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage4
add action=add-src-to-address-list address-list=rdp_stage4
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389
    protocol=tcp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=
    rdp_blacklist

Within 4 minutes, a remote client is allowed only 12 new "requests" to the RDP server. One login attempt is 1 to 4 "requests". On the 12th "request", a 15-minute block. In my case the attackers did not stop hacking the server; they adapted to the timers and now do it slowly, and at that guessing rate the effectiveness of the attack drops to zero. The company's employees experience almost no inconvenience at work from the measures taken.
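To see how the stage chain behaves over time, and why the rules have to be listed from rdp_stage12 down to rdp_stage1, here is an added Python model of it; this is not code from the article. It assumes that add-src-to-address-list is a passthrough action (evaluation continues with the next rule) and that re-adding an address refreshes its timeout; the IP 203.0.113.7 and the timing scenarios are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One add-src-to-address-list filter rule. This action is passthrough in
    RouterOS: a matching packet is still evaluated against the rules below."""
    target: str              # address-list the source IP is added to
    timeout: float           # address-list-timeout, in seconds
    requires: Optional[str]  # src-address-list the rule matches on (None: any)

def stage_rules(stages=12, stage_timeout=240.0, block_timeout=900.0):
    """The chain in the page's top-down order: blacklist rule, stageN ... stage1."""
    rules = [Rule("rdp_blacklist", block_timeout, f"rdp_stage{stages}")]
    for n in range(stages, 0, -1):
        rules.append(Rule(f"rdp_stage{n}", stage_timeout,
                          f"rdp_stage{n - 1}" if n > 1 else None))
    return rules

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.lists = {}  # list name -> {ip: expiry timestamp}

    def in_list(self, name, ip, now):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def new_connection(self, ip, now):
        """One new TCP/3389 SYN from ip at time now; True if it gets through.
        The RAW prerouting drop is checked before any filter rule."""
        if self.in_list("rdp_blacklist", ip, now):
            return False
        for r in self.rules:
            if r.requires is None or self.in_list(r.requires, ip, now):
                # Assumption: re-adding an existing entry refreshes its timeout.
                self.lists.setdefault(r.target, {})[ip] = now + r.timeout
        return True

def simulate(interval, attempts, rules=None, ip="203.0.113.7"):
    """Constructed scenario: `attempts` new connections from one IP, `interval`
    seconds apart. Returns (passed, dropped, blacklisted_at_end)."""
    fw = Firewall(rules if rules is not None else stage_rules())
    passed = sum(fw.new_connection(ip, i * interval) for i in range(attempts))
    last = (attempts - 1) * interval
    return passed, attempts - passed, fw.in_list("rdp_blacklist", ip, last)

if __name__ == "__main__":
    print("brute force, one try every 10 s:", simulate(10, 30))    # (13, 17, True)
    print("slow client, one try every 250 s:", simulate(250, 30))  # (30, 0, False)
    print("same rules in reverse order:", simulate(10, 2, list(reversed(stage_rules()))))  # (1, 1, True)
```

The reversed-order run shows the failure mode: with rdp_stage1 listed first, a single connection cascades through every stage and lands in the blacklist immediately.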

Another little trick
This rule is switched on by schedule at 5 and switched off at XNUMX, when real people are surely asleep and the automated password pickers are still awake.

/ip firewall filter 
add action=add-src-to-address-list address-list=rdp_blacklist 
    address-list-timeout=1w0d0h0m chain=forward comment=
    "night_rdp_blacklist" connection-state=new disabled=
    yes dst-port=3389 protocol=tcp src-address-list=rdp_stage8

Already on the 8th connection, the attacker's IP is blacklisted for a week. Beautiful!

Well, in addition to the above, I will add a link to a Wiki article with working settings for protecting Mikrotik from network scanners: wiki.mikrotik.com/wiki/Drop_port_scanners

On my devices these settings work alongside the honeypot rules described above and complement them well.

UPD: As suggested in the comments, the packet drop rules have been moved to RAW to reduce the load on the router.

source: www.habr.com
