An easy way to protect Mikrotik from attacks

I want to share with the community a simple and effective way to use Mikrotik to protect your network, and the services "peeking out" from behind it, from external attacks. Namely, three rules for setting up a honeypot on Mikrotik.

So, imagine we have a small office with an external IP, behind which there is an RDP server for employees to work remotely. The first rule, of course, is to change port 3389 on the external interface to something else. But that does not last long; after a couple of days the terminal server's audit log starts showing several failed logons per second from unknown clients.

Another situation: you have Asterisk hidden behind Mikrotik, of course not on UDP port 5060, and after a day or two the password guessing begins there too... yes, yes, I know, fail2ban is our everything, but you still have to work on it... for example, I recently set it up on Ubuntu 18.04 and was surprised to find that fail2ban out of the box had no current settings for the Asterisk shipped in the same Ubuntu distribution... and googling for quick ready-made "recipes" no longer works: the number of releases grows year after year, articles with "recipes" for old versions no longer work, and new ones hardly ever appear... But I digress...

So, in short, what a honeypot is in our case: any popular port on the external IP, where any request from an external client to that port sends the src address to a blacklist. That's all.

/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" 
    address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" 
    connection-state=new dst-port=22,3389,8291 in-interface=
    ether4-wan protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" 
    address-list-timeout=30d0h0m chain=input comment=
    "block honeypot asterisk" connection-state=new dst-port=5060 
    in-interface=ether4-wan protocol=udp 
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=
    "Honeypot Hacker"

The first rule, on the popular TCP ports 22, 3389 and 8291 of the external interface ether4-wan, sends the "guest" IP to the "Honeypot Hacker" list (the ports for ssh, rdp and winbox have been disabled beforehand or changed to others). The second rule does the same on the popular UDP port 5060.

The third rule, at the prerouting stage, drops packets from "guests" whose src address is in "Honeypot Hacker".

After two weeks of running my home Mikrotik, the "Honeypot Hacker" list contained about one and a half thousand IP addresses of those who like to "lay hands on" my network resources (at home I have my own telephony, mail, nextcloud, rdp). The brute-force attacks stopped, happiness arrived.

At work not everything turned out so simple; there they keep trying to break into the rdp server by brute-forcing passwords.

Apparently the port number had been found by a scanner long before the honeypot was enabled, and reconfiguring more than 100 users during quarantine, 20% of whom are over 65, is not so easy. For the case where the port cannot be changed, there is a small working recipe. I have seen something similar on the Internet, but here there are some additions and fine-tuning:

Rules for configuring Port Knocking

/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist 
    address-list-timeout=15m chain=forward comment=rdp_to_blacklist 
    connection-state=new dst-port=3389 protocol=tcp src-address-list=
    rdp_stage12
add action=add-src-to-address-list address-list=rdp_stage12 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage11
add action=add-src-to-address-list address-list=rdp_stage11 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage10
add action=add-src-to-address-list address-list=rdp_stage10 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage9
add action=add-src-to-address-list address-list=rdp_stage9 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage8
add action=add-src-to-address-list address-list=rdp_stage8 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage7
add action=add-src-to-address-list address-list=rdp_stage7 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage6
add action=add-src-to-address-list address-list=rdp_stage6 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage5
add action=add-src-to-address-list address-list=rdp_stage5 
    address-list-timeout=4m chain=forward connection-state=new dst-port=
    3389 protocol=tcp src-address-list=rdp_stage4
add action=add-src-to-address-list address-list=rdp_stage4 
    address-list-timeout=4m chain=forward connection-state=new dst-port=
    3389 protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp 
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=
    rdp_blacklist

Within 4 minutes a remote client is allowed to make only 12 new "requests" to the RDP server. One logon attempt is 1 to 4 "requests". On the 12th "request", a 15-minute block. In my case the attackers did not stop trying to break into the server; they adapted to the timers and now do it very slowly, and at such a guessing rate the attack's effectiveness drops to zero. Thanks to the measures taken, the company's employees feel almost no inconvenience in their work.

One more little trick
This rule is switched on by schedule at 5:XNUMX and switched off at XNUMX o'clock, when real people are definitely asleep and the automated dialers keep on being vigilant.

/ip firewall filter 
add action=add-src-to-address-list address-list=rdp_blacklist 
    address-list-timeout=1w0d0h0m chain=forward comment=
    "night_rdp_blacklist" connection-state=new disabled=
    yes dst-port=3389 protocol=tcp src-address-list=rdp_stage8

On the 8th connection the attacker's IP is already blacklisted for a week. Beauty!
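To check what the stage chain actually tolerates (both the daytime 12-stage rule above and the night variant that blacklists from rdp_stage8), here is an added Python model of the rule chain; it is not part of the article and not RouterOS code. It assumes the chain is evaluated top to bottom with add-src-to-address-list not stopping evaluation (which is why the stages are listed highest first), that an entry re-added while still alive keeps its existing expiry, and it uses the constructed source address 203.0.113.7.

```python
from dataclasses import dataclass, field
from typing import Optional

MIN = 60  # seconds

@dataclass
class Rule:
    target: str            # address list the source gets added to
    timeout: int           # lifetime of the entry, seconds
    needs: Optional[str]   # list the source must already be in (None = any source)

def stage_rules(stages=12, block_after=12, block_timeout=15 * MIN):
    """Chain in the page's order: the blacklist rule first, rdp_stage1 last.
    block_after=12 is the daytime rule; block_after=8 with a one-week timeout
    reproduces the night_rdp_blacklist rule."""
    rules = [Rule("rdp_blacklist", block_timeout, f"rdp_stage{block_after}")]
    for n in range(stages, 0, -1):
        rules.append(Rule(f"rdp_stage{n}", 4 * MIN, f"rdp_stage{n - 1}" if n > 1 else None))
    return rules

@dataclass
class Firewall:
    rules: list
    lists: dict = field(default_factory=dict)  # list name -> {ip: expiry time}

    def _in(self, name, ip, now):
        return self.lists.get(name, {}).get(ip, 0.0) > now

    def new_connection(self, ip, now):
        """One new TCP/3389 connection from ip at time now (seconds). Returns
        'dropped' (raw rule), 'blacklisted' (this packet listed ip) or 'allowed'."""
        if self._in("rdp_blacklist", ip, now):
            return "dropped"
        for r in self.rules:  # top to bottom; add-src-to-address-list does not stop the chain
            if r.needs is None or self._in(r.needs, ip, now):
                entries = self.lists.setdefault(r.target, {})
                if entries.get(ip, 0.0) <= now:  # absent or expired: (re)add; a live entry keeps its expiry (assumption)
                    entries[ip] = now + r.timeout
        return "blacklisted" if self._in("rdp_blacklist", ip, now) else "allowed"

def first_blacklisted(interval, rules=None, limit=40):
    """1-based index of the new connection that blacklists a source sending one
    new connection every `interval` seconds, or None if that never happens."""
    fw = Firewall(rules or stage_rules())
    for i in range(1, limit + 1):
        if fw.new_connection("203.0.113.7", i * interval) == "blacklisted":  # constructed address
            return i
    return None
```

Under these assumptions a source advances exactly one stage per new connection, so first_blacklisted(1.0) returns 13 for a fast brute force, first_blacklisted(5 * MIN) returns None because every stage entry expires before the next attempt, and the night variant stage_rules(block_after=8, block_timeout=7 * 24 * 3600) blacklists on connection 9.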

Well, in addition to the above, I will add a link to the Wiki article with a working configuration for protecting Mikrotik from network scanners: wiki.mikrotik.com/wiki/Drop_port_scanners

On my devices this configuration runs together with the honeypot rules described above and complements them well.

UPD: As recommended in the comments, the packet drop rule was moved to RAW to reduce the load on the router.

Source: www.habr.com