A simple way to protect your Mikrotik from attacks

I want to share with the community a simple and working way of using Mikrotik to protect your network, and the services "peeking out" from behind it, from external attacks. Namely: just three rules to set up a honeypot on Mikrotik.

So, suppose we have a small office with an external IP, and behind it an RDP server for employees to work remotely. The first rule, of course, is to change port 3389 on the external interface to another one. But that does not help for long: after a couple of days, the terminal server's audit log starts showing several failed authorizations per second from unknown clients.

Another situation: you have an asterisk hidden behind the Mikrotik, naturally not on port 5060 udp, and after a couple of days the password guessing starts again... yes, yes, I know, fail2ban is our everything, but you still have to work on it... for example, I recently installed it on ubuntu 18.04 and was surprised to find that out of the box fail2ban does not contain current settings for the asterisk from that same ubuntu distribution... and searching for quick settings of "ready-made recipes" no longer works: release numbers grow over the years, the articles with "recipes" for old versions no longer work, and new ones never appeared... But I digress...

So, what a honeypot is, in short: a honeypot, in our case, is any well-known port on the external IP; any request to this port from an external client sends the src address to the blacklist. That's all.

/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" 
    address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" 
    connection-state=new dst-port=22,3389,8291 in-interface=
    ether4-wan protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" 
    address-list-timeout=30d0h0m chain=input comment=
    "block honeypot asterisk" connection-state=new dst-port=5060 
    in-interface=ether4-wan protocol=udp 
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=
    "Honeypot Hacker"

The first rule, on the popular TCP ports 22, 3389 and 8291 of the external interface ether4-wan, sends the "guest's" IP to the "Honeypot Hacker" list (the ssh, rdp and winbox ports are disabled beforehand or moved to other ports). The second does the same for the well-known UDP 5060.

The third rule, at the prerouting stage, drops packets from "guests" whose src address is in "Honeypot Hacker".

After two weeks of operation with my home Mikrotik, the "Honeypot Hacker" list contains about one and a half thousand IP addresses of those who like to "tug at the udder" of my network resources (at home: my telephony, mail, nextcloud, rdp). The brute-force attacks stopped; bliss arrived.

At work, not everything turned out so simple; there they keep breaking into the rdp server by brute-forcing passwords.

Apparently, the port number was determined by a scan long before the honeypot was enabled, and during the lockdown it is not so easy to reconfigure more than 100 users, 20% of whom are over 65. For the case where the port cannot be changed, there is a small working recipe. I saw something similar on the Internet, but with a few additions and some fine-tuning of my own:

Port Knocking configuration rules

# Rules are evaluated top-down and add-src-to-address-list is a passthrough action,
# so the blacklist rule comes first and each stage is fed only by the previous one.
/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist 
    address-list-timeout=15m chain=forward comment=rdp_to_blacklist 
    connection-state=new dst-port=3389 protocol=tcp src-address-list=
    rdp_stage12
add action=add-src-to-address-list address-list=rdp_stage12 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage11
add action=add-src-to-address-list address-list=rdp_stage11 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage10
add action=add-src-to-address-list address-list=rdp_stage10 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage9
add action=add-src-to-address-list address-list=rdp_stage9 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage8
# stage8 is fed from stage7 (the chain was broken here: it referenced rdp_stage4,
# which skipped stage7 and let an IP reach the blacklist early).
add action=add-src-to-address-list address-list=rdp_stage8 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage7
add action=add-src-to-address-list address-list=rdp_stage7 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage6
add action=add-src-to-address-list address-list=rdp_stage6 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage5
add action=add-src-to-address-list address-list=rdp_stage5 
    address-list-timeout=4m chain=forward connection-state=new dst-port=
    3389 protocol=tcp src-address-list=rdp_stage4
add action=add-src-to-address-list address-list=rdp_stage4 
    address-list-timeout=4m chain=forward connection-state=new dst-port=
    3389 protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 
    protocol=tcp 
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=
    rdp_blacklist

Within 4 minutes, a remote client is allowed to make only 12 new "requests" to the RDP server. One login attempt is 1 to 4 "requests". On the 12th "request", a 15-minute block. In my case, the attackers did not stop breaking into the server; they adjusted their timing and now do it slowly, and at that guessing rate the effectiveness of the attack drops to zero. The employees of the enterprise feel no inconvenience in their work from the measures taken.
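To make the counting behind "12 requests in 4 minutes, then a 15-minute block" concrete, here is an added example (my own code, not from the article or from MikroTik): a small Python model that generates the stage chain for any depth and then replays it the way RouterOS evaluates firewall rules. It assumes that add-src-to-address-list is a passthrough action, that an entry just added is visible to the rules that follow for the same packet, and that re-adding an IP refreshes its timeout; the IPs 198.51.100.7 and 203.0.113.9 used as traffic sources are constructed documentation-range addresses. It goes a little beyond the article by showing what happens if the rules are entered in ascending order (one connection cascades straight into the blacklist) and why a client that waits longer than the 4-minute stage timeout between connections is never blocked.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One forward-chain rule of the form
    'add action=add-src-to-address-list address-list=<target>
         src-address-list=<requires> address-list-timeout=<timeout>'
    matching new TCP connections to the RDP port."""
    target: str               # address-list= the source IP is added to
    requires: Optional[str]   # src-address-list= that must already hold the IP (None: any source)
    timeout_s: int            # address-list-timeout= in seconds


def build_stage_chain(stages: int = 12, stage_timeout_s: int = 240,
                      block_timeout_s: int = 900) -> List[Rule]:
    """Generate the chain in RouterOS evaluation order: blacklist rule first,
    then stage N down to stage 1. stages=12 reproduces the article's rule set."""
    rules = [Rule("rdp_blacklist", f"rdp_stage{stages}", block_timeout_s)]
    for n in range(stages, 0, -1):
        requires = f"rdp_stage{n - 1}" if n > 1 else None
        rules.append(Rule(f"rdp_stage{n}", requires, stage_timeout_s))
    return rules


def render_rsc(rules: List[Rule], port: int = 3389) -> str:
    """Render the chain as '/ip firewall filter' commands (timeouts in whole minutes)."""
    lines = ["/ip firewall filter"]
    for r in rules:
        src = f" src-address-list={r.requires}" if r.requires else ""
        lines.append(
            f"add action=add-src-to-address-list address-list={r.target} "
            f"address-list-timeout={r.timeout_s // 60}m chain=forward "
            f"connection-state=new dst-port={port} protocol=tcp{src}"
        )
    return "\n".join(lines)


class Firewall:
    """Minimal model of RouterOS evaluating the chain for one new connection.
    Modelling assumptions: add-src-to-address-list is passthrough (evaluation
    continues with the next rule), a freshly added entry is visible to later
    rules for the same packet, and re-adding an IP refreshes its timeout."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.entries: Dict[Tuple[str, str], int] = {}   # (list name, ip) -> expiry time

    def listed(self, name: str, ip: str, now: int) -> bool:
        expiry = self.entries.get((name, ip))
        return expiry is not None and now < expiry

    def new_connection(self, ip: str, now: int) -> List[str]:
        """Evaluate one new SYN from `ip` at time `now`; return the lists it was added to."""
        hits = []
        for r in self.rules:
            if r.requires is None or self.listed(r.requires, ip, now):
                self.entries[(r.target, ip)] = now + r.timeout_s
                hits.append(r.target)
        return hits


def connections_until_blocked(rules: List[Rule], interval_s: int,
                              max_attempts: int = 40,
                              ip: str = "198.51.100.7") -> Optional[int]:
    """1-based number of the connection attempt on which `ip` lands in rdp_blacklist
    when it opens one connection every `interval_s` seconds, or None if
    `max_attempts` attempts never trigger the block (ip is a constructed sample)."""
    fw = Firewall(rules)
    for attempt in range(1, max_attempts + 1):
        if "rdp_blacklist" in fw.new_connection(ip, now=(attempt - 1) * interval_s):
            return attempt
    return None


if __name__ == "__main__":
    chain = build_stage_chain()
    print(render_rsc(chain))
    print("fast brute force, 1 s apart  -> blocked on attempt",
          connections_until_blocked(chain, interval_s=1))
    print("slow guessing, 5 min apart   -> blocked on attempt",
          connections_until_blocked(chain, interval_s=300))
    # Same rules entered in ascending order: a single connection cascades through every stage.
    print("rules reversed, first connection ends in:",
          Firewall(list(reversed(chain))).new_connection("198.51.100.7", 0)[-1])
```

Running it prints the 13-rule export, reports that a client hammering the port is blacklisted on its 13th connection (12 are allowed), that a client pausing 5 minutes between connections only ever reaches rdp_stage1, and that the reversed ordering blacklists an IP on its very first connection. The same generator with `stages=8` is the one-week night variant described below, minus the different timeout and the `disabled=yes` flag.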

Another small trick
This rule is switched on by schedule at 5 in the morning and switched off at XNUMX in the morning, when real people are surely asleep and the automated guessers are still awake.

/ip firewall filter 
add action=add-src-to-address-list address-list=rdp_blacklist 
    address-list-timeout=1w0d0h0m chain=forward comment=
    "night_rdp_blacklist" connection-state=new disabled=
    yes dst-port=3389 protocol=tcp src-address-list=rdp_stage8

Already at the 8th connection, the attacker's IP goes to the blacklist for a week. Beautiful!

Well, in addition to the above, I will add a link to the Wiki article with a working setup for protecting Mikrotik from network scanners: wiki.mikrotik.com/wiki/Drop_port_scanners

On my devices this setup runs together with the honeypot rules described above and complements them well.

UPD: As suggested in the comments, the packet drop rule has been moved to RAW to reduce the load on the router.

source: www.habr.com
