Remote work in the office. RDP, port knocking, Mikrotik: simple and secure

Because of the COVID-19 pandemic and the general quarantine in many countries, the only way for many companies to keep working is remote access to their workplaces over the Internet. There are quite a few relatively safe methods for remote work, but given the scale of the problem, what is needed is a way for any user to connect to the office remotely without additional programs, explanations, tedious consultations or long procedures. Many administrators like RDP (Remote Desktop Protocol) for this. Connecting directly to a workstation over RDP solves our problem perfectly, except for one big fly in the ointment: leaving an RDP port open to the Internet is very unsafe. So below I propose a simple but reliable method of protecting it.

Since I often come across small organizations where Mikrotik devices serve as the Internet gateway, below I will show how to do this on Mikrotik, but the port knocking protection method can just as easily be implemented on other higher-end devices with similar router input and firewall settings.

Briefly about port knocking. The best external protection for a network connected to the Internet is when all resources and ports are closed from the outside by a firewall. And although a router with such a firewall does not respond in any way to packets arriving from outside, it still sees them. So the router can be configured so that when it receives a certain sequence (a code) of network packets on different ports, it opens access to certain resources (ports, protocols, etc.) for the IP address the packets came from.

Now to the point. I will not describe firewall configuration on Mikrotik in detail; the Internet is full of good resources for that. Ideally the firewall blocks all incoming packets, but the rule

/ip firewall filter
add action=accept chain=input comment="established and related accept" connection-state=established,related

allows incoming traffic that belongs to already established connections (established, related).
Now we configure port knocking on Mikrotik:

/ip firewall filter
add action=drop chain=input dst-port=19000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=drop chain=input dst-port=16000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=add-src-to-address-list address-list="remote_port_1" address-list-timeout=1m chain=input dst-port=19000 protocol=tcp comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=19001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=18999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=16001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=15999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="allow_remote_users" address-list-timeout=1m chain=input dst-port=16000 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
move [/ip firewall filter find comment=RemoteRules] 1
/ip firewall nat
add action=dst-nat chain=dstnat comment="remote_rdp" src-address-list="allow_remote_users" dst-port=33890 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.33 to-ports=3389

Now in more detail.

The first two rules:

/ip firewall filter
add action=drop chain=input dst-port=19000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=drop chain=input dst-port=16000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules

drop incoming packets on the two knock ports from IP addresses that were blacklisted while scanning ports;

The third rule:

add action=add-src-to-address-list address-list="remote_port_1" address-list-timeout=1m chain=input dst-port=19000 protocol=tcp comment=RemoteRules

adds the source IP to the list of hosts that made the first correct knock on the intended port (19000);
The next four rules:

add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=19001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=18999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=16001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=15999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules

create trap ports for anyone who wants to scan your ports: when a host that has already hit 19000 touches one of the neighbouring ports, its IP is blacklisted for 60 minutes, during which the first two rules give it no chance to knock on the correct ports;

The next rule:

add action=add-src-to-address-list address-list="allow_remote_users" address-list-timeout=1m chain=input dst-port=16000 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules

adds the source IP to the allowed list for 1 minute (enough to establish a connection), because it made the second correct knock on the intended port (16000);

The next command:

move [/ip firewall filter find comment=RemoteRules] 1

moves our rules up the firewall filter chain, because most likely there are already many deny rules configured that would stop the newly created ones from ever being reached. Rule numbering in Mikrotik starts from zero, but on my device position zero is occupied by a built-in rule that cannot be moved, so I moved ours to 1. Look at your own configuration, see where they can go and specify that number. Note that add-src-to-address-list is a non-terminating action: the knock packet itself continues down the chain and is dropped by your drop rule, so from outside the knock ports look just as closed as everything else.

The next setting:

/ip firewall nat
add action=dst-nat chain=dstnat comment="remote_rdp" src-address-list="allow_remote_users" dst-port=33890 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.33 to-ports=3389

forwards the arbitrarily chosen port 33890 to the standard RDP port 3389 on the IP of the computer or terminal server we need, and only for sources currently in allow_remote_users. We create such a rule for every internal resource we need, preferably with non-standard (and different) external ports. Naturally, the IP of the internal resource must be either static or assigned by a DHCP server reservation. The forward chain also has to let dst-natted connections from WAN through; the default Mikrotik firewall does this with its "drop all from WAN not DSTNATed" rule, but check yours if you have rewritten it.
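To check the logic before typing it into a router, here is an added Python model of the rule set above. It is not from the article and not RouterOS code; the two knock ports, the trap ports and the timeouts are taken from the rules, while the simulated clock, the RFC 5737 documentation addresses 203.0.113.10 and 198.51.100.7 used in the scenarios, and the three-knock variant (the "same logic" with an extra port, which the article only mentions) are assumptions of the example. It replays TCP SYNs against the address lists and shows that the correct sequence opens 33890 for a minute, that two knocks arriving in the wrong order do nothing until they are repeated, that knocks more than a minute apart fail, and that a sequential scanner touching a trap port loses access to both knock ports for an hour.

```python
# Added example (not the article's code): a model of the RouterOS knock rules
# with their address lists and timeouts, so the behaviour can be exercised offline.
from dataclasses import dataclass, field

DEFAULT_SEQUENCE = (19000, 16000)   # rule 3 (first knock) and rule 8 (second knock)
STAGE_TTL = 60                      # address-list-timeout=1m (remote_port_1, allow_remote_users)
BLACKLIST_TTL = 60 * 60             # address-list-timeout=60m (Black_scanners)
RDP_EXTERNAL = 33890                # dst-nat'd to 192.168.1.33:3389 for allow_remote_users


@dataclass
class KnockFirewall:
    """Address lists are dict[src_ip -> expiry]; `now` is a simulated clock in seconds."""
    sequence: tuple = DEFAULT_SEQUENCE
    stages: list = field(init=False)          # stages[i]: sources that completed knock i
    black_scanners: dict = field(default_factory=dict)

    def __post_init__(self):
        self.stages = [{} for _ in self.sequence]
        # one trap port on each side of every knock port, as rules 4-7 do for 19000 and 16000
        self.traps = {p + d for p in self.sequence for d in (-1, 1)}
        assert not self.traps & set(self.sequence), "knock ports must not be adjacent"

    def _name(self, i):
        return "allow_remote_users" if i == len(self.sequence) - 1 else f"remote_port_{i + 1}"

    @staticmethod
    def _in_list(lst, src, now):
        expiry = lst.get(src)
        if expiry is not None and expiry > now:
            return True
        lst.pop(src, None)                    # dynamic entry timed out
        return False

    def input_syn(self, src, dport, now):
        """Walk the input chain for one TCP SYN; return the list the source was added
        to, or None. add-src-to-address-list is non-terminating in RouterOS, so the
        SYN itself still falls through to the final drop: nobody sees an open port."""
        if dport in self.sequence and self._in_list(self.black_scanners, src, now):
            return None                                        # rules 1-2: blacklisted
        if dport == self.sequence[0]:                          # rule 3: first knock
            self.stages[0][src] = now + STAGE_TTL
            return self._name(0)
        for i in range(1, len(self.sequence)):
            if not self._in_list(self.stages[i - 1], src, now):
                continue                                       # previous knock missing/expired
            if dport in self.traps:                            # rules 4-7: trap ports
                self.black_scanners[src] = now + BLACKLIST_TTL
                return "Black_scanners"
            if dport == self.sequence[i]:                      # rule 8: next correct knock
                self.stages[i][src] = now + STAGE_TTL
                return self._name(i)
        return None                                            # default drop

    def rdp_reachable(self, src, now):
        """The dstnat rule: only a source currently in allow_remote_users gets 33890
        translated. A session set up inside the window outlives it, because the NAT
        decision and the conntrack entry are created on the first packet."""
        return self._in_list(self.stages[-1], src, now)


def replay(events, sequence=DEFAULT_SEQUENCE):
    """events: iterable of (t, src, dport) in time order. Returns (firewall, trace)."""
    fw = KnockFirewall(sequence)
    trace = [(t, src, dport, fw.input_syn(src, dport, t)) for t, src, dport in events]
    return fw, trace


def run_scenarios():
    """Outcomes worth confirming before deploying the rules (constructed inputs)."""
    user, scanner = "203.0.113.10", "198.51.100.7"      # RFC 5737 documentation addresses
    out = {}
    fw, _ = replay([(0, user, 19000), (1, user, 16000)])           # knocks in the right order
    out["correct_sequence"] = fw.rdp_reachable(user, 2)
    out["window_expired"] = fw.rdp_reachable(user, 62)              # new SYN after the 1m window
    fw, _ = replay([(0, user, 16000), (0, user, 19000)])           # second port hit first
    out["out_of_order"] = fw.rdp_reachable(user, 1)
    fw.input_syn(user, 19000, 5); fw.input_syn(user, 16000, 6)     # user repeats the knocks
    out["after_refresh"] = fw.rdp_reachable(user, 7)
    fw, _ = replay([(0, user, 19000), (61, user, 16000)])          # remote_port_1 expired
    out["knocks_too_far_apart"] = fw.rdp_reachable(user, 62)
    fw, trace = replay([(0, scanner, p) for p in (18999, 19000, 19001, 16000)])  # port sweep
    out["scanner_blacklisted"] = trace[2][3] == "Black_scanners"
    out["scanner_rdp"] = fw.rdp_reachable(scanner, 1)
    out["scanner_locked_out"] = fw.input_syn(scanner, 19000, 2) is None
    three = (19000, 16000, 17000)                                  # assumed 3-knock variant
    fw, _ = replay([(0, user, 19000), (1, user, 16000), (2, user, 17000)], three)
    out["three_knocks_all_given"] = fw.rdp_reachable(user, 3)
    fw, _ = replay([(0, user, 19000), (1, user, 16000)], three)
    out["three_knocks_two_given"] = fw.rdp_reachable(user, 3)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24} -> {result}")
```

Two things the model makes visible that are easy to miss on the router: the allowed entry is keyed by source IP, so everybody behind the same NAT as a legitimate user shares the one-minute window, and the knock itself is not authentication: anyone who observes the two SYNs on the path can replay them. The scheme hides the RDP port from mass scanning; the login behind it still needs strong passwords, Network Level Authentication and account lockout.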

Now Mikrotik is configured and we need a simple procedure for the user to connect to our internal RDP. Since most of our users are on Windows, we create a simple batch file and call it StartRDP.bat:

rem opens 1.htm in the default browser, which sends the two knocks (19000, then 16000)
1.htm
rem opens 1.rdp in mstsc, which connects to the forwarded port 33890 while the 1-minute window is open
1.rdp

and 1.htm contains the following code:

<img src="http://my_router.sn.mynetname.net:19000/1.jpg">
refresh the page to reconnect via RDP
<img src="http://my_router.sn.mynetname.net:16000/2.jpg">

Here there are two links to non-existent images at the address my_router.sn.mynetname.net. We get this address from the Mikrotik DDNS system after enabling it: go to IP -> Cloud, tick DDNS Enabled, click Apply and copy the router's DNS name. This is only necessary when the router's external IP is dynamic or a setup with several Internet providers is used; with a static address you can simply put the IP in the links.

The port in the first link, 19000, is the first port that has to be knocked, and the port in the second link is the second. Between the links there is a short instruction saying what to do if the connection suddenly drops because of a short network problem: refresh the page, the RDP port opens again for 1 minute and the session is restored. The text between the img tags also creates a tiny delay for the browser, which lowers the probability that the first packet goes to the second port (16000); so far there have been no such cases in two weeks of use (30 people). Keep in mind that browsers fetch images in parallel and nothing guarantees the order, which is why the fallback is simply to refresh the page.

Next comes the 1.rdp file, which can be made once for everyone or separately for each user (that is what I did: it is easier to spend an extra 15 minutes than several hours consulting those who cannot find something):

screen mode id:i:2
use multimon:i:1
.....
connection type:i:6
networkautodetect:i:0
.....
disable wallpaper:i:1
.....
full address:s:my_router.sn.mynetname.net:33890
.....
username:s:myuserlogin
domain:s:mydomain

One of the interesting settings here is use multimon:i:1, which enables multiple monitors; some people need this, but it does not occur to them to switch it on themselves.

connection type:i:6 and networkautodetect:i:0: since Internet connections are now mostly faster than 10 Mbit, we set connection type 6 (LAN, 10 Mbit and above) and disable networkautodetect, because if the default (auto) is left, even a rare short latency spike makes the client lock the session into a low-speed profile for a long time, which can cause noticeable lag, especially in graphics programs.

disable wallpaper:i:1 disables the desktop background picture
username:s:myuserlogin specifies the user login, because a fair share of our users do not know their login
domain:s:mydomain specifies the domain or computer name

But if we want to simplify creating the connection procedure even further, we can use PowerShell instead, StartRDP.ps1. Each Test-NetConnection to a port the router silently drops waits for the TCP connect timeout, so the script takes some seconds, still well within the 1-minute knock window; the failed connection results are expected and can be discarded:

# first knock; the router drops the SYN, so the failure result is expected and suppressed
Test-NetConnection -ComputerName my_router.sn.mynetname.net -Port 19000 -InformationLevel Quiet -WarningAction SilentlyContinue | Out-Null
# second knock; it runs only after the first has finished, and within the 1-minute remote_port_1 window
Test-NetConnection -ComputerName my_router.sn.mynetname.net -Port 16000 -InformationLevel Quiet -WarningAction SilentlyContinue | Out-Null
# our source IP is now in allow_remote_users for 1 minute; open the session through the forwarded port
mstsc /v:my_router.sn.mynetname.net:33890

A bit more about the RDP client in Windows: MS has come a long way in developing the protocol and its server and client parts, implementing many useful features such as working with 3D hardware, optimizing the screen resolution for your monitor, multi-monitor support and so on. But naturally everything is implemented in a backward-compatible way, and if the client is Windows 7 and the remote PC is Windows 10, RDP will work with protocol version 7.0. Fortunately, the RDP components can be updated to more recent versions; for example, the protocol version can be upgraded from 7.0 (Windows 7) to 8.1. So, for the convenience of users, raise the version of the server side as far as possible and also provide links for updating the RDP client to newer versions.

As a result, we have a simple and reasonably secure technique for connecting remotely to a work PC or terminal server. If you want the knock harder to guess, the same logic extends to 3, 4, 5, 6... ports, and every extra port multiplies the number of combinations a scanner would have to try. Two caveats remain: the knock sequence travels in clear text and can be replayed by anyone who observes it, and the opened port still leads to a real RDP login, so strong passwords, Network Level Authentication, account lockout and patching on the RDP host are not optional.

Preparing the files for creating a remote RDP connection.

Source: www.habr.com
