Ndihlala ndifunda uluvo lokuba ukugcina i-RDP (i-Remote Desktop Protocol) ivuleleke kwi-Intanethi akukhuselekanga kakhulu kwaye akufanelekanga ukwenziwa. Kodwa kufuneka unikeze ukufikelela kwi-RDP nokuba kunge-VPN, okanye kuphela kwiidilesi ezithile ze-IP "ezimhlophe".
Ndilawula iiSeva ezininzi zeWindows kwiifemu ezincinci apho ndinikwe umsebenzi wokubonelela ngofikelelo olukude kwiSeva yeWindows kubaphenduli. Le yindlela yanamhlanje - ukusebenza ekhaya. Ngokukhawuleza, ndaqonda ukuba ukuhlushwa kwee-akhawunti ze-VPN ngumsebenzi ongenambulelo, kwaye ukuqokelela zonke ii-IP zoluhlu olumhlophe aziyi kusebenza, kuba iidilesi ze-IP zabantu zinamandla.
Ke ngoko, ndithathe eyona ndlela ilula - ndathumela izibuko leRDP ngaphandle. Ukufumana ukufikelela, abagcini-mali ngoku kufuneka baqhube i-RDP kwaye bafake igama lomninimzi (kuquka i-port), igama lomsebenzisi kunye negama lokugqitha.
Kule nqaku ndiza kubelana ngamava am (alungileyo kwaye angabi njalo) kunye neengcebiso.
Mngcipheko
Ubeka ntoni emngciphekweni ngokuvula izibuko leRDP?
1) Ukufikelela okungagunyaziswanga kwidatha ebuthathaka
Ukuba umntu uqikelela igama eliyimfihlo le-RDP, uya kuba nakho ukufumana idatha ofuna ukuyigcina ngasese: isimo seakhawunti, iibhalansi, idatha yomthengi, ...
2) Ilahleko yedatha
Ngokomzekelo, ngenxa yentsholongwane ye-ransomware.
Okanye isenzo sangabom somhlaseli.
3) Ukulahleka kwendawo yokusebenza
Abasebenzi kufuneka basebenze, kodwa inkqubo isengozini kwaye idinga ukufakwa kwakhona / ukugcinwa / ukuqwalasela.
4) Ukuxhatshazwa kwenethiwekhi yendawo
Ukuba umhlaseli uye wafumana ukufikelela kwikhompyutheni yeWindows, ngoko kule khompyutha uya kukwazi ukufikelela kwiinkqubo ezingenakufikeleleka ngaphandle, kwi-Intanethi. Umzekelo, ukwenza izabelo zefayile, kubashicileli benethiwekhi, njl.
Ndinetyala apho iWindows Server ibambe i-ransomware
kwaye le ntlawulelo iqale yafihla uninzi lweefayile kwi C: drive kwaye emva koko yaqala ukufihla iifayile kwiNAS ngaphezulu komsebenzi womnatha. Kuba i-NAS yayiyi-Synology, ene-snapshots eqwalaselweyo, ndibuyisele i-NAS kwimizuzu emi-5, kwaye ndaphinda ndafaka iWindows Server ukusuka ekuqaleni.
Imigqaliselo kunye neeNgcebiso
Ndibeka iliso kwiiSeva zeWindows ndisebenzisa , ethumela iilog kwi-ElasticSearch. I-Kibana inemibono emininzi, kwaye ndiseta ideshibhodi yesiko.
Ukubeka iliso ngokwalo akukhuseli, kodwa kunceda ukumisela amanyathelo ayimfuneko.
Nantsi imigqaliselo:
a) I-RDP iya kunyanzeliswa ngokungenalusini.
Kwenye yeeseva, ndifake i-RDP hayi kwizibuko eliqhelekileyo le-3389, kodwa kwi-443-ke, ndiza kuzifihla njenge-HTTPS. Kufanelekile ukutshintsha izibuko ukusuka kweliqhelekileyo, kodwa ayizukwenza nto ilungileyo. Nazi iinkcukacha-manani kule seva:
Kuyabonakala ukuba ngeveki bekukho malunga ne-400 imizamo engaphumelelanga yokungena nge-RDP.
Kuyabonakala ukuba kukho iinzame zokungena kwiidilesi ze-IP ze-55 (ezinye iidilesi ze-IP sele zivaliwe ndim).
Oku kuphakamisa ngokuthe ngqo isigqibo sokuba kufuneka usete i-fail2ban, kodwa
Akukho nto iluncedo kwiWindows.
Kukho iiprojekthi ezimbalwa ezishiyiweyo kwi-Github ezibonakala ngathi ziyayenza le nto, kodwa andikazami nokuzifaka:
Kukho nezinto eziluncedo ezihlawulweyo, kodwa khange ndiziqwalasele.
Ukuba uyayazi into eluncedo yomthombo ovulekileyo ngale njongo, nceda wabelane ngayo kumagqabaza.
Gqiba: Amagqabantshintshi acetyisa ukuba i-port 443 ilukhetho olubi, kwaye kungcono ukhethe amachweba aphezulu (32000+), kuba i-443 iskenwa rhoqo, kwaye ukuqonda i-RDP kule port akuyona ingxaki.
b) Kukho amagama abasebenzisi abathile abakhetha abahlaseli
Kuyabonakala ukuba uphendlo lwenziwa kwisichazi-magama esinamagama ahlukeneyo.
Kodwa nantsi into endiyiqapheleyo: inani elibalulekileyo lokuzama ukusebenzisa igama leseva njengokungena. Ingcebiso: Musa ukusebenzisa igama elifanayo kwikhompyuter kunye nomsebenzisi. Ngaphezu koko, ngamanye amaxesha kubonakala ngathi bazama ukwahlula igama leseva ngandlela thile: umzekelo, inkqubo enegama elithi DESKTOP-DFTHD7C, ezona nzame zokungena zinegama elithi DFTHD7C:
Ngokufanelekileyo, ukuba uneDESKTOP-MARIA ikhompyuter, uya kuzama ukungena njengomsebenzisi we-ARIA.
Enye into endiyiqapheleyo kwiilogi: kwiinkqubo ezininzi, ezininzi iinzame zokungena zinegama elithi "umlawuli". Kwaye oku akukho sizathu, kuba kwiinguqulelo ezininzi zeWindows, lo msebenzisi ukhona. Ngaphezu koko, ayinakususwa. Oku kuwenza lula umsebenzi wabahlaseli: endaweni yokuqikelela igama kunye negama lokugqitha, kufuneka uqashele igama eligqithisiweyo kuphela.
Ngendlela, inkqubo ebambe iransomware inoMlawuli womsebenzisi kunye negama lokugqitha iMurmansk#9. Andiqinisekanga ukuba le nkqubo yaqhekezwa njani, kuba ndiqale ukubeka esweni nje emva kweso siganeko, kodwa ndicinga ukuba kunokwenzeka ukuba kugqithise.
Ke ukuba umsebenzisi woMlawuli akanakususwa, kufuneka wenze ntoni? Ungayiqamba ngokutsha!
Iingcebiso kulo mhlathi:
- Sukusebenzisa igama lomsebenzisi kwigama lekhompyuter
- qinisekisa ukuba akukho msebenzisi woMlawuli kwisixokelelwano
- sebenzisa amagama ayimfihlo anamandla
Ke, bendibukele iiSeva ezininzi zeWindows phantsi kolawulo lwam zinyanzelwa ngokungenalusini malunga neminyaka embalwa ngoku, kwaye ngaphandle kwempumelelo.
Ndazi njani ukuba ayiphumelelanga?
Kuba kwii-screenshots ezingasentla ungabona ukuba kukho iilogi zeefowuni zeRDP eziyimpumelelo, eziqulethe ulwazi:
- ukusuka apho IP
- isuka kweyiphi ikhompyuter (igama lomamkeli)
- Igama lomsebenzisi
- Ulwazi lweGeoIP
Kwaye ndijonga apho rhoqo - akukho zimpazamo zifunyenweyo.
Ngendlela, ukuba i-IP ethile inyanzeliswa ngoburhalarhume ngakumbi, ungavala ii-IPs (okanye ii-subnets) ngolu hlobo kwi-PowerShell:
New-NetFirewallRule -Direction Inbound -DisplayName "fail2ban" -Name "fail2ban" -RemoteAddress ("185.143.0.0/16", "185.153.0.0/16", "193.188.0.0/16") -Action BlockNgendlela, i-Elastic, ukongeza kwiWinlogbeat, nayo inakho , enokubeka iliso kwiifayile kunye neenkqubo kwinkqubo. Kukho kwakhona i-SIEM (uLwazi lwezoKhuseleko kunye noLawulo loMcimbi) isicelo kwi-Kibana. Ndizamile zombini, kodwa andizange ndibone nzuzo ingako- kubonakala ngathi i-Auditbeat iya kuba luncedo ngakumbi kwiinkqubo zeLinux, kwaye i-SIEM ayikandibonisi nantoni na eqondakalayo okwangoku.
Ewe, iingcebiso zokugqibela:
- Yenza ii-backups ezizenzekelayo rhoqo.
- faka uHlaziyo loKhuseleko ngexesha elifanelekileyo
Ibhonasi: uluhlu lwabasebenzisi abangama-50 abebesoloko besetyenziselwa iinzame zokungena kwi-RDP
"igama lomsebenzisi: liyehla"
Bala
dfthd7c (igama lomamkeli)
842941
winsrv1 (igama lomamkeli)
266525
UMLAWULI
180678
umlawuli
163842
umlawuli
53541
Michael
23101
Mncedisi
21983
steve
21936
john
21927
paul
21913
indawo yolwamkelo
21909
mike
21899
iofisi
21888
isikeni
21887
scan
21867
david
21865
chris
21860
umnini
21855
umlawuli
21852
umlawuli
21841
brian
21839
umlawuli
21837
uphawu
21824
abaqeshwa
21806
ADMIN
12748
INJONGO
7772
UMLAWULI
7325
INKXASO
5577
INKXASO
5418
UMSEBENZI
4558
admin
2832
UVAVANYO
1928
mysql
1664
admin
1652
Undwendwe
1322
UMSEBENZI 1
1179
ISkena
1121
ISCAN
1032
UMLAWULI
842
ADMIN1
525
BACKUP
518
MySqlAdmin
518
UKWAMKELWA
490
UMSEBENZI 2
466
I-TEMP
452
SQLADMIN
450
UMSEBENZI 3
441
1
422
UMPHATHI
418
UMNIKELI
410
umthombo: www.habr.com