Remote work with the office. RDP, Port Knocking, Mikrotik: simple and secure

Because of the COVID-19 pandemic and the quarantine imposed in many countries, the only way for many companies to keep operating is remote access to office workstations over the Internet. There are plenty of reasonably secure ways to work remotely, but given the scale of the problem, what is needed is a method simple enough that any user can connect to the office from afar without extra software, explanations, tedious consultations and long instructions. Many administrators favour RDP (Remote Desktop Protocol) for this. Connecting straight to a workstation over RDP solves our problem, with one big fly in the ointment: leaving the RDP port open to the Internet is anything but safe. So below I propose a simple but reliable way to protect it.

Since I keep running into small organisations that use Mikrotik devices for their Internet connectivity, I will show below how to implement this on Mikrotik, but Port Knocking protection can be implemented just as easily on higher-end equipment and on ordinary routers with comparable configuration options and a firewall.

Briefly about Port Knocking. Proper external protection of a network connected to the Internet means that all devices and ports are closed from the outside by a firewall. And although a router with a properly configured firewall does not respond in any way to packets from outside, it still listens to them. So the router can be configured so that when it receives a particular sequence (a code) of network packets on different ports, it grants the IP address those packets came from access to certain resources (ports, protocols, etc.).

Now to the point. I will not give a detailed description of setting up the firewall on Mikrotik; the Internet is full of good material on that. Ideally the firewall blocks all incoming packets, except that

/ip firewall filter
add action=accept chain=input comment="established and related accept" connection-state=established,related

allows incoming packets that belong to an already established connection (established, related).
Now let's configure Port Knocking on Mikrotik:

/ip firewall filter
add action=drop chain=input dst-port=19000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=drop chain=input dst-port=16000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=add-src-to-address-list address-list="remote_port_1" address-list-timeout=1m chain=input dst-port=19000 protocol=tcp comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=19001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=18999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=16001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=15999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="allow_remote_users" address-list-timeout=1m chain=input dst-port=16000 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
move [/ip firewall filter find comment=RemoteRules] 1
/ip firewall nat
add action=dst-nat chain=dstnat comment="remote_rdp" src-address-list="allow_remote_users" dst-port=33890 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.33 to-ports=3389

Now in more detail:

The first two rules

/ip firewall filter
add action=drop chain=input dst-port=19000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=drop chain=input dst-port=16000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules

drop incoming packets from IP addresses that were blacklisted while scanning ports;

The third rule:

add action=add-src-to-address-list address-list="remote_port_1" address-list-timeout=1m chain=input dst-port=19000 protocol=tcp comment=RemoteRules

adds the source IP to the list of hosts that made the first correct knock on the required port (19000);
The next four rules:

add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=19001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=18999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=16001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=15999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules

create trap ports for anyone who wants to scan your ports: a host that has already made the first knock and then touches one of the neighbouring ports (19001, 18999, 16001, 15999) is put on the black list for 60 minutes, during which the first two rules will not let that guest knock on the correct ports at all. Note that the traps only catch a scanner that sweeps ports in sequence; one that happens to hit 19000 and then 16000 within a minute without touching a trap port in between would still get through, which is why adding more knock ports (see the end of the article) pays off;

The next rule:

add action=add-src-to-address-list address-list="allow_remote_users" address-list-timeout=1m chain=input dst-port=16000 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules

puts the IP on the allowed list for 1 minute (enough to establish a connection), since the second correct knock was made on the required port (16000);

The next command:

move [/ip firewall filter find comment=RemoteRules] 1

moves our rules up the firewall filter chain, because we may already have various deny rules configured that would stop our newly created ones from ever being reached (rules are evaluated top to bottom, and the first matching terminating rule wins). The very first rule position on Mikrotik is zero, but on my device position zero held a built-in rule that could not be moved, so I moved ours to 1. So look at your own configuration to see where they can go and specify the required number.

The next setting:

/ip firewall nat
add action=dst-nat chain=dstnat comment="remote_rdp_to_33" src-address-list="allow_remote_users" dst-port=33890 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.33 to-ports=3389

forwards the arbitrarily chosen external port 33890 to the standard RDP port 3389 on the IP of the computer or terminal server we need, and only for sources that are currently in allow_remote_users. Create one such rule for every internal device that must be reachable, choosing a different external port for each. Naturally, the internal IPs must be static or fixed by a DHCP reservation. Two things to check: the forward chain must also pass the dst-nat'ed connection (the default RouterOS firewall does, since it only drops new connections from WAN that were not dst-nat'ed), and the one-minute entry in allow_remote_users only gates new connections; a session established within that minute keeps running afterwards because connection tracking, not the address list, carries it.
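To see exactly what the eight filter rules and the address-list timeouts do together, here is an offline model of them. It is an added example, not code from the original article or from MikroTik: it replays TCP SYNs against the rules in the order they sit after the move command, keeping the three dynamic address lists with their timeouts, so the knock order, the trap ports and the black-list window can be checked without a router. It assumes that add-src-to-address-list is a non-terminating action that refreshes the timeout of an address already on the list, and that whatever no rule accepts is discarded by the firewall's final drop rule, as the article describes its firewall. The addresses used are documentation ranges, constructed for the example.

```python
"""Offline model of the article's Mikrotik port-knocking rules (added example)."""
from dataclasses import dataclass, field

KNOCK_1, KNOCK_2 = 19000, 16000             # the two knock ports, in order
TRAP_PORTS = (19001, 18999, 16001, 15999)   # neighbours of the knock ports
KNOCK_TIMEOUT = 60                          # address-list-timeout=1m
BLACKLIST_TIMEOUT = 60 * 60                 # address-list-timeout=60m


@dataclass
class Router:
    # address list name -> {source ip -> expiry time in seconds}
    lists: dict = field(default_factory=lambda: {
        "Black_scanners": {}, "remote_port_1": {}, "allow_remote_users": {}})

    def _listed(self, name, ip, now):
        expiry = self.lists[name].get(ip)
        if expiry is None:
            return False
        if expiry <= now:                   # dynamic entry has timed out
            del self.lists[name][ip]
            return False
        return True

    def _add(self, name, ip, now, timeout):
        # assumption: re-adding a listed address resets its timeout
        self.lists[name][ip] = now + timeout

    def input_packet(self, src, dst_port, now):
        """One TCP SYN to the router itself (chain=input). Returns 'drop' when
        rules 1-2 discard it, else 'fallthrough' (no accept rule matches a
        knock, so the final drop rule discards it anyway)."""
        # rules 1-2: black-listed sources may not knock at all
        if dst_port in (KNOCK_1, KNOCK_2) and self._listed("Black_scanners", src, now):
            return "drop"
        # rule 3: first correct knock
        if dst_port == KNOCK_1:
            self._add("remote_port_1", src, now, KNOCK_TIMEOUT)
        # rules 4-7: knocked once, then touched a trap port -> scanner
        if dst_port in TRAP_PORTS and self._listed("remote_port_1", src, now):
            self._add("Black_scanners", src, now, BLACKLIST_TIMEOUT)
        # rule 8: second correct knock opens the one-minute window
        if dst_port == KNOCK_2 and self._listed("remote_port_1", src, now):
            self._add("allow_remote_users", src, now, KNOCK_TIMEOUT)
        return "fallthrough"

    def rdp_allowed(self, src, now):
        """Would the dstnat rule forward a NEW connection to 33890 right now?
        (A session set up inside the window keeps running afterwards.)"""
        return self._listed("allow_remote_users", src, now)

    def is_blacklisted(self, src, now):
        return self._listed("Black_scanners", src, now)


def scenarios():
    """Replay the cases worth knowing; addresses are constructed examples."""
    user, scanner = "203.0.113.10", "198.51.100.7"
    out = {}

    r = Router()                            # correct order, inside one minute
    r.input_packet(user, 19000, 0)
    r.input_packet(user, 16000, 1)
    out["correct_order"] = r.rdp_allowed(user, 2)
    out["window_expired"] = r.rdp_allowed(user, 61)

    r = Router()                            # second knock arrives first
    r.input_packet(user, 16000, 0)
    r.input_packet(user, 19000, 1)
    out["wrong_order"] = r.rdp_allowed(user, 2)

    r = Router()                            # first knock expired before the second
    r.input_packet(user, 19000, 0)
    r.input_packet(user, 16000, 61)
    out["first_knock_expired"] = r.rdp_allowed(user, 62)

    r = Router()                            # sequential scan sweeps 15999..19001
    for t, port in enumerate((15999, 16000, 16001, 18999, 19000, 19001)):
        r.input_packet(scanner, port, t)
    out["scan_blacklisted"] = r.is_blacklisted(scanner, 10)
    out["scan_allowed"] = r.rdp_allowed(scanner, 10)
    # while black-listed, even the right sequence is dropped by rules 1-2
    out["blacklisted_knock_dropped"] = r.input_packet(scanner, 19000, 20) == "drop"
    # after 60 minutes the entry expires and the correct knock works again
    r.input_packet(scanner, 19000, 3700)
    r.input_packet(scanner, 16000, 3701)
    out["blacklist_expired"] = r.rdp_allowed(scanner, 3702)
    return out


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```

The model makes two properties of the rule set visible: the order of the two knocks matters only because rule 8 checks remote_port_1, which rule 3 fills; and the black list is only ever fed by hosts that already made the first knock, so a sequential scan is caught the moment it walks past 19000 or 16000.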

Now our Mikrotik is configured and we need a simple procedure for a user to connect to our internal RDP. Since most of us have Windows users, let's create a simple bat file and call it StartRDP.bat:

1.htm
1.rdp

where 1.htm contains the following code:

<img src="http://my_router.sn.mynetname.net:19000/1.jpg">
refresh the page to reconnect via RDP
<img src="http://my_router.sn.mynetname.net:16000/2.jpg">

It contains two links to fictitious images located at the address my_router.sn.mynetname.net. We get this address from the Mikrotik DDNS service after doing the following on our Mikrotik: go to the IP -> Cloud menu, tick the DDNS Enabled box, click Apply and copy our router's DNS name. But this is only needed when the router's external IP is dynamic or several Internet providers are used.

The port in the first link, 19000, corresponds to the first port to knock on; the port in the second link to the second. Between the links there is a short instruction telling the user what to do if the connection suddenly drops because of a brief network problem: refresh the page, the RDP port opens for us again for 1 minute and the session is restored. The text between the img tags is also meant to create a tiny delay in the browser, reducing the chance that the first packet goes to the second port (16000); so far there have been no such cases in two weeks of use (30 people). Bear in mind, though, that browsers generally fetch images in parallel, so the HTML variant does not strictly guarantee the order; the PowerShell script below, which knocks one port after the other, does.

Next comes the 1.rdp file, which we can configure once for everyone or individually for each user (which is what I did: it is easier to spend an extra 15 minutes than many hours consulting those who cannot figure it out)

screen mode id:i:2
use multimon:i:1
.....
connection type:i:6
networkautodetect:i:0
.....
disable wallpaper:i:1
.....
full address:s:my_router.sn.mynetname.net:33890
.....
username:s:myuserlogin
domain:s:mydomain

Another setting worth noting here is use multimon:i:1, which enables the use of multiple monitors; some people need this but do not think to turn it on themselves.

connection type:i:6 and networkautodetect:i:0: since most Internet connections today are above 10 Mbit, we set connection type 6 (LAN, 10 Mbit and above) and disable networkautodetect, because if it is left on auto, a brief latency spike on the network automatically drops our session to a low-bandwidth profile for a long time, which causes noticeable lag in work, especially in graphical applications.

disable wallpaper:i:1 - disables the desktop wallpaper
username:s:myuserlogin - specifies the username, because a significant share of our users cannot remember their login
domain:s:mydomain - specifies the domain or computer name

But if we want to simplify the task of creating the connection procedure, we can use PowerShell: StartRDP.ps1

Test-NetConnection -ComputerName my_router.sn.mynetname.net -Port 19000
Test-NetConnection -ComputerName my_router.sn.mynetname.net -Port 16000
mstsc /v:my_router.sn.mynetname.net:33890
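Both the HTML page and StartRDP.ps1 rely on the client sending the two SYNs in the right order, and Test-NetConnection waits out the full TCP connect timeout on each silently dropped port before moving on. As an added example, not code from the original article, here is a cross-platform counterpart of StartRDP.ps1 in Python that sends each knock with a short timeout, strictly one after the other, and then launches mstsc on Windows. The host name, knock ports and external RDP port are the article's example values, not real infrastructure; the outcome labels are this example's own.

```python
"""Sequential port-knock client (added example, counterpart of StartRDP.ps1)."""
import socket
import subprocess
import sys
import time

ROUTER = "my_router.sn.mynetname.net"   # the article's example DDNS name
KNOCK_SEQUENCE = (19000, 16000)           # must match the order of the firewall rules
RDP_PORT = 33890                          # external port dst-nat'ed to 3389


def knock(host, ports, timeout=1.0, pause=0.5):
    """Send one TCP SYN per port, in order, and return (port, outcome) pairs.

    The router never answers a knock, so the SYN alone does the work and the
    connect is expected to time out. Against a host that does answer (no
    firewall in front, or a test against localhost) it is refused instead.
    """
    results = []
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            outcome = "connected"    # something listens there; unexpected for a knock port
        except socket.timeout:
            outcome = "timeout"      # the normal case: the SYN was silently dropped
        except socket.gaierror:
            outcome = "unresolved"   # DNS failure; the knock never left the machine
        except OSError:
            outcome = "refused"      # RST received, e.g. no firewall in front of the port
        finally:
            sock.close()
        results.append((port, outcome))
        time.sleep(pause)            # keep the second knock behind the first on the wire
    return results


def main():
    for port, outcome in knock(ROUTER, KNOCK_SEQUENCE):
        print(f"knock {port}: {outcome}")
    if sys.platform == "win32":
        subprocess.call(["mstsc", f"/v:{ROUTER}:{RDP_PORT}"])
    else:
        print(f"knocked; now open an RDP client to {ROUTER}:{RDP_PORT}")


if __name__ == "__main__":
    main()
```

An "unresolved" outcome means the DDNS name did not resolve and nothing reached the router, so there is no point launching the RDP client; a "timeout" on both ports is what a correctly configured router produces.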

A little more about the RDP client on Windows: MS has come a long way in improving the protocol and its server and client components, implementing many useful features such as hardware 3D acceleration, fitting the remote resolution to your monitor, full-screen mode, etc. But all of it works in backward-compatibility mode, and if the client is Windows 7 and the remote PC is Windows 10, RDP will run with protocol version 7.0. Fortunately, the RDP client can be updated to later versions; for example, the protocol version can be raised from 7.0 (Windows 7) to 8.1. So, for the users' convenience, upgrade the server-side components and hand out links to the updates for the newer RDP client versions.

As a result, we have a simple and fairly secure technique for connecting remotely to a work PC or terminal server. For a stronger variant, our Port Knocking scheme can be made several orders of magnitude harder to attack by adding ports to the check: using the same logic you can add a 3rd, 4th, 5th, 6th... port to this example, and direct entry into your network becomes almost impossible. Two things knocking does not change are worth keeping in mind: the knocks are plain TCP SYNs that anyone on the path can observe and replay, and the address lists key on the public source IP, so everyone behind the same NAT as an authorised user shares that user's one-minute window. The RDP logon therefore remains the real authentication boundary, and strong passwords and Network Level Authentication on the target machines stay mandatory.

Configuration files for creating the RDP remote connection.

source: www.habr.com
