Two-factor authentication of VPN users with MikroTik and SMS

Hello colleagues! Today, when the heat around "remote work" has died down a little and most administrators have solved the task of giving employees remote access to the corporate network, it is time to share my long-standing experience in improving VPN security. This article will not be about the now fashionable IPSec IKEv2 and xAuth. It is about building a two-factor authentication (2FA) system for VPN users when MikroTik acts as the VPN server, that is, when "classic" protocols such as PPP are used.


Today I will show how to protect a MikroTik PPP VPN even if a user's account has been "hijacked". When this scheme was introduced at one of my clients, he summed it up as "well, now it's just like a bank!".

The method does not use external authentication services. All the work is done inside the router itself. There is no cost to connect a client. The method works for both PC clients and mobile devices.

The overall protection scheme looks like this:

  1. The internal IP address of a user who has successfully connected to the VPN server is automatically greylisted.
  2. The connection event automatically generates a one-time code, which is sent to the user through one of the available channels.
  3. Addresses on this list have limited access to local network resources, except for the "verification" service, which waits to receive the one-time password.
  4. After presenting the code, the user gets access to the internal network resources.

The first and smallest problem I faced was where to store the user's contact details so that the 2FA code could be sent to them. Since it is impossible to create arbitrary data fields attached to users on MikroTik, the existing "comment" field was used:

/ppp secret add name=Petrov password="4M@ngr!" comment="89876543210"

The second problem turned out to be much harder: the choice of method and channel for delivering the code. Three schemes are implemented at the moment: a) SMS via a USB modem, b) e-mail, c) SMS via e-mail, which is available to corporate customers of the red mobile operator.

Yes, the SMS schemes cost money. But if you think about it, "security is always about money" (c).
Personally I do not like the e-mail scheme. Not because it requires a mail server to be reachable for the client to be verified; separating that traffic is not a problem. But if the client carelessly saves both the VPN and the e-mail password in the browser and then loses the laptop, an attacker gets full access to the corporate network from it.

So it was decided: we deliver the one-time code by SMS.

The third problem was where and how to generate a pseudo-random 2FA code on MikroTik. The RouterOS scripting language has no equivalent of a random() function, and I had seen plenty of makeshift script-based pseudo-random number generators before. I did not like any of them, for various reasons.

And yet there is a pseudo-random sequence generator in MikroTik! It is hidden from a casual glance in the /certificate scep-server context. The first way to obtain a one-time password is simple: the command /certificate scep-server otp generate. If we perform a plain variable assignment with it, we get an array value that can later be used in scripts.

The second way to obtain a one-time password, which is just as easy to use, is the external service random.org, which generates a pseudo-random sequence of the required form. Here is a simplified, somewhat clunky example of fetching the data into a variable:

Code
:global rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]->"data") 1 6]
:put $rnd1

The request, formatted for the console (special characters will need escaping inside a script body), puts a string of six digits into the $rnd1 variable. The following "put" command simply prints the variable to the MikroTik console.

The fourth problem, which had to be solved quickly, was how and where the connected client would submit its one-time code for the second authentication stage.


There has to be a service on the MikroTik router that can accept a code and associate it with a particular client. If the submitted code matches the expected one, the client's address must be placed on a specific "white" list of addresses that are allowed into the company's internal network.

Given the limited choice of services, it was decided to accept the codes over http using the web proxy built into MikroTik. And since the firewall can work with dynamic lists of IP addresses, it is the firewall that looks for the code, matches it against the client's IP and adds it to the "white" list using a Layer7 regexp. The router itself was given the conditional DNS name "gw.local", with a static A record created for it and handed out to the PPP clients:

DNS
/ip dns static add name=gw.local address=172.31.1.1

Catching the traffic of unverified clients and sending it to the proxy:
/ip firewall nat add chain=dstnat dst-port=80,443 in-interface=2fa protocol=tcp !src-address-list=2fa_approved action=redirect to-ports=3128

In this design the proxy has two jobs:

1. Open the tcp connection with the clients;

2. On successful authorization, redirect the client's browser to a page or image that signals successful authentication:

Proxy configuration
/ip proxy
set enabled=yes port=3128
/ip proxy access
add action=deny disabled=no redirect-to=gw.local./mikrotik_logo.png src-address=0.0.0.0/0

Let me list the key elements of the configuration:

  1. Interface list "2fa": a dynamic list of client interfaces whose traffic has to go through the 2FA processing;
  2. Address list "2fa_jailed": the "grey" list of VPN clients' tunnel IP addresses;
  3. Address list "2fa_approved": the "white" list of tunnel IP addresses of VPN clients that have passed two-factor authentication;
  4. Firewall chain "input_2fa": inspects tcp packets for the presence of an authorization code and checks that the sender's IP address matches the expected one. The rules in this chain are added and removed dynamically.

A simplified flowchart of the packet processing looks like this:

(flowchart image)

The entry point into the Layer7 check for traffic from clients on the "grey" list who have not yet passed the second authentication stage is a rule in the regular "input" chain:

Code
/ip firewall filter add chain=input !src-address-list=2fa_approved action=jump jump-target=input_2fa

Now let's bolt all of this onto the PPP service. MikroTik lets you attach scripts to profiles (ppp-profile) and bind them to the events of establishing and tearing down a ppp connection. PPP profile settings can be applied to the PPP server as a whole or to individual users. At the same time, the profile assigned to a user takes precedence: its explicitly set parameters override those of the profile chosen for the server as a whole.

Thanks to this, we can create a dedicated two-factor authentication profile and apply it not to all users, but only to those we consider necessary. This matters if you use the PPP services not only to connect end users but also to build site-to-site links at the same time.

In the newly created dedicated profile we use the dynamic addition of the connected user's address and interface to the "grey" address and interface lists:

(screenshot: WinBox)

Code
/ppp profile add address-list=2fa_jailed change-tcp-mss=no local-address=192.0.2.254 name=2FA interface-list=2fa only-one=yes remote-address=dhcp_pool1 use-compression=no use-encryption=required use-mpls=no use-upnp=no dns-server=172.31.1.1

Both the "address-list" and the "interface-list" are needed in order to catch the traffic of VPN clients that have not passed the second stage and steer it into the dstnat (prerouting) chain.

When the preparation is complete, the additional firewall chains and the profile are created, we write the script responsible for automatically generating the 2FA code and the firewall rules.

The wiki.mikrotik.com documentation on PPP-Profile enriches us with information about the variables tied to PPP client connection events: "Execute script on user login-event. These are available variables that are accessible for the event script: user, local-address, remote-address, caller-id, called-id, interface". Some of them are very useful to us.

Code used in the PPP profile for the connection (On-Up) event

# log the received variables for debugging
:log info ($"local-address")
:log info ($"remote-address")
:log info ($"caller-id")
:log info ($"called-id")
:log info ([/interface pptp-server get ($"interface") name])
# declare our own local variables
:local listname "2fa_jailed"
:local viamodem false
:local modemport "usb2"
# find the automatically created entry in the "2fa_jailed" address list
:local recnum1 [/ip firewall address-list find address=($"remote-address") list=$listname]

# get a pseudo-random code from the local generator (scep-server otp)...
:local rnd1 [:pick ([/certificate scep-server otp generate minutes-valid=1 as-value]->"password") 0 4]
# ...or, alternatively, from random.org
#:local rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]->"data") 0 4]

# find and update the comment on the address-list entry: the expected code is stored there for debugging
/ip firewall address-list set $recnum1 comment=$rnd1
# get the phone number to send the SMS to (kept in the comment field of the secret)
:local vphone [/ppp secret get [find name=$user] comment]

# prepare the message body. If the client connects to the VPN directly from the phone,
# it is enough to follow the link from the received message
:local msgbody ("Your code: ".$rnd1."\n Or open link http://gw.local/otp/".$rnd1."/")

# send the SMS through the chosen channel: USB modem or email-to-sms
:if ($viamodem) do={
  /tool sms send phone-number=$vphone message=$msgbody port=$modemport
} else={
  # the addresses are placeholders, as in the original; put the gateway's from/to addresses here
  /tool e-mail send server=a.b.c.d from="[email protected]" to="[email protected]" subject=("@".$vphone) body=$msgbody
}

# generate the Layer7 regexp that matches this client's code
:local vregexp ("otp/".$rnd1)
:local vcomment ("2fa_".($"remote-address"))
/ip firewall layer7-protocol add name=$vcomment comment=($"remote-address") regexp=$vregexp

# generate the rule that inspects this client's traffic with Layer7 for the expected code,
# with a little protection against brute-forcing the codes by means of dst-limit
/ip firewall filter add action=add-src-to-address-list address-list=2fa_approved address-list-timeout=none-dynamic chain=input_2fa dst-port=80,443,3128 layer7-protocol=$vcomment protocol=tcp src-address=($"remote-address") dst-limit=1,1,src-address/1m40s

Especially for those who like to copy-paste without thinking, I warn you: the code is taken from a test version and may contain minor typos. It will not be hard for someone who understands it to figure out where exactly.

When the user disconnects, the "On-Down" event fires and the corresponding script is called with the same parameters. The job of this script is to clean up the firewall rules that were created for the disconnected user.

Code used in the PPP profile for the disconnection (On-Down) event

:local vcomment ("2fa_".($"remote-address"))
/ip firewall address-list remove [find address=($"remote-address") list=2fa_approved]
/ip firewall filter remove [find chain="input_2fa" src-address=($"remote-address")]
/ip firewall layer7-protocol remove [find name=$vcomment]

After that you can create the users and assign all or some of them to the two-factor authentication profile.

(screenshot: WinBox)

Code
/ppp secrets set [find name=Petrov] profile=2FA
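As an added illustration that is not part of the original article and not RouterOS code, the Python model below walks through the grey-list / white-list decision that the input_2fa chain makes for a few constructed HTTP request lines from tunnel clients, including the per-source throttling the dst-limit is meant to provide. The IP addresses, codes and request lines are constructed, and counting every /otp/ submission against the per-source budget is an assumption about the intent of the rule, not a statement about how RouterOS orders its matchers.

```python
import re
from dataclasses import dataclass, field

@dataclass
class TwoFactorGate:
    window: float = 100.0                          # dst-limit=1,1,src-address/1m40s, in seconds
    jailed: dict = field(default_factory=dict)     # tunnel IP -> expected code (2fa_jailed + comment)
    approved: set = field(default_factory=set)     # 2fa_approved
    last_try: dict = field(default_factory=dict)   # tunnel IP -> time of the last counted attempt

    def on_up(self, ip, code):
        # On-Up script: the client lands in the grey list with a freshly generated code
        self.jailed[ip] = code

    def on_down(self, ip):
        # On-Down script: the address-list entries and the per-client rule are removed
        self.jailed.pop(ip, None)
        self.approved.discard(ip)
        self.last_try.pop(ip, None)

    def inspect(self, ip, request_line, now):
        if ip in self.approved:
            return "approved"          # !src-address-list=2fa_approved: the jump is skipped
        if ip not in self.jailed:
            return "unknown"           # no per-client rule exists for this source address
        if "/otp/" not in request_line:
            return "ignored"           # not a code submission, the client stays greylisted
        last = self.last_try.get(ip)
        if last is not None and now - last < self.window:
            return "rate-limited"      # assumption: every submission consumes the budget
        self.last_try[ip] = now
        # the generated rule: layer7 regexp "otp/<code>" bound to src-address=<remote-address>
        if re.search("otp/" + re.escape(self.jailed[ip]), request_line):
            self.approved.add(ip)      # add-src-to-address-list 2fa_approved
            return "approved"
        return "wrong-code"

def run_sample():
    # constructed sample traffic (not from the article) for two tunnel clients
    gate = TwoFactorGate()
    gate.on_up("10.10.0.5", "4711")
    gate.on_up("10.10.0.6", "0815")
    events = [
        (0, "10.10.0.5", "GET /otp/9999/ HTTP/1.1"),     # a guess
        (10, "10.10.0.5", "GET /otp/4711/ HTTP/1.1"),    # right code, still inside the window
        (120, "10.10.0.6", "GET /otp/4711/ HTTP/1.1"),   # another client's code does not help
        (150, "10.10.0.5", "GET /otp/4711/ HTTP/1.1"),   # accepted
        (151, "10.10.0.5", "GET /intranet/ HTTP/1.1"),   # now on the white list
    ]
    return [gate.inspect(ip, line, t) for t, ip, line in events]
```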

What it looks like on the client side.

When the VPN connection comes up, the Android/iOS phone or tablet with the SIM card receives an SMS like this:

(screenshot: SMS)

If the connection is made directly from the phone or tablet, you can pass 2FA simply by tapping the link in the message. Convenient.

If the VPN connection is made from a PC, the user has to fill in a minimal password form. This mini-form, an HTML file, is handed to the user when the VPN is set up. The file can be sent by e-mail so that the user saves it and creates a shortcut in a convenient place. It looks like this:

(screenshot: desktop shortcut)

The user clicks the shortcut, a simple code entry form opens, and it inserts the code into the URL it opens:

(screenshot: code entry form)

The most primitive form is given as an example. Anyone who wishes can adapt it to their own taste.

2fa_login_mini.html

<html>
<head> <title>SMS OTP login</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> </head>
<body>
<form name="login" onsubmit="location.href='http://gw.local/otp/'+document.getElementById('text').value; return false;">
 <input id="text" type="text"/>
<input type="button" value="Login" onclick="location.href='http://gw.local/otp/'+document.getElementById('text').value"/>
</form>
</body>
</html>

If authorization succeeds, the user sees the MikroTik logo in the browser, which is meant to signal successful authentication:

(screenshot: MikroTik logo)

Note that the image is served from MikroTik's built-in web server by means of the WebProxy Deny Redirect.

I think the image can be customised with the "hotspot" tool: upload your own version there and point the WebProxy Deny Redirect URL at it.

A big request to those who are tempted to buy the cheapest 20-dollar MikroTik "toy" and replace a $500 router with it: don't. Devices such as the "hAP Lite" / "hAP mini" (home access points) have a very weak CPU (smips) and will most likely not cope with the load in a corporate environment.

Warning! This solution has one drawback: every time a client connects or disconnects, the configuration changes, and the router tries to save it to its non-volatile memory. With a large number of clients and frequent connections and disconnections, this can lead to wear of the router's internal storage.

PS: The ways of delivering the code to the client can be extended and supplemented as far as your programming skills allow. For example, you could send the messages to Telegram or ... suggest your options!

I hope this article will be useful to you and will help make the networks of small and medium businesses a little more secure.

umthombo: www.habr.com