Two-factor authentication of VPN users with MikroTik and SMS

Hello, colleagues! Today, when the fever around "remote work" has subsided a little and most administrators have won the battle of giving employees remote access to the corporate network, it is time to share my long-standing experience in strengthening VPN security. This article will not be about the now-fashionable IPSec IKEv2 and xAuth. It is about building a two-factor authentication (2FA) system for VPN users where MikroTik acts as the VPN server, that is, when "classic" protocols such as PPP are used.


Today I will tell you how to protect a MikroTik PPP VPN even if a user's account has been "leaked". When this scheme was introduced at one of my customers, he summed it up briefly: "well, now it's like at a bank!".

The method does not use any external authentication services. All the work is done inside the router itself. There are no costs for the connecting client. The method works for both PC clients and mobile devices.

The general protection scheme looks like this:

  1. The internal IP address of a user who has successfully connected to the VPN server is automatically placed in a "grey" list.
  2. The connection event automatically generates a one-time code that is sent to the user by one of the available channels.
  3. Addresses in this list have restricted access to local network resources, except for the "authentication" service, which waits for the one-time password.
  4. After presenting the code, the user gains access to the internal network resources.

The first, small, problem I had to deal with was where to store the contact details of a user so that the 2FA code could be sent to them. Since it is impossible to create arbitrary data fields attached to users in MikroTik, the existing "comment" field is used:

/ppp secret add name=Petrov password="4M@ngr!" comment="89876543210"

The second problem was more serious: the choice of the method and channel for delivering the code. Three schemes are currently in use: a) SMS via a USB modem; b) e-mail; c) SMS via e-mail, a service available to corporate customers of the "red" mobile operator.

Yes, SMS schemes incur costs. But if you think about it, "security is always about money" (c).
I personally do not like the e-mail scheme. Not because it requires the mail server to be reachable before the client is authorized; separating that traffic is not a problem. But if a client carelessly saved both the VPN and the e-mail passwords in the browser and then lost the laptop, an attacker would get full access to the corporate network from it.

So it was decided: we deliver the one-time code by SMS.

The third problem was how to generate a pseudo-random 2FA code on MikroTik. The RouterOS scripting language has no analogue of the random() function, and I had seen several crutch-like pseudo-random number generators before. I did not like any of them, for various reasons.

In fact, MikroTik does have a random sequence generator! It is hidden from a superficial look in the /certificate scep-server context. The first way to get a one-time password is simple and easy: the command /certificate scep-server otp generate. If we perform a simple assignment to a variable, we get an array value that can be used later in scripts.

The second way to get a one-time password, also easy to implement, is to use the external service random.org to generate a pseudo-random sequence of the desired kind. Here is a simplified console example of putting the data into a variable:

Code
:global rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]->"data") 0 6]
:put $rnd1

The console-formatted request (in a script body, the special characters would need escaping) puts a string of six digits into the $rnd1 variable. The following "put" command simply displays the variable in the MikroTik console.

The fourth problem that had to be solved next was how and where the connected client would submit its one-time code in the second stage of authentication.


There must be a service on the MikroTik router that accepts the code and matches it to a specific client. If the submitted code matches the expected one, the client's address must be placed in a certain "white" list, whose addresses are allowed to reach the company's internal network.

Given the poor choice of services, it was decided to accept the codes over http using the webproxy built into MikroTik. And since the firewall can work with dynamic lists of IP addresses, it is the firewall that searches for the code, matches it with the client's IP and adds it to the "white" list, using a Layer7 regexp. The router itself was given the conventional DNS name "gw.local", and a static A record was created for it to be handed out to PPP clients:

DNS
/ip dns static add name=gw.local address=172.31.1.1

Capturing the traffic of unauthenticated clients into the proxy:
/ip firewall nat add chain=dstnat dst-port=80,443 in-interface=2fa protocol=tcp !src-address-list=2fa_approved action=redirect to-ports=3128

In this case the proxy has two jobs.

1. Open the tcp connection with the clients;

2. On successful authorization, redirect the client's browser to a page or image that reports successful authentication:

Proxy configuration
/ip proxy
set enabled=yes port=3128
/ip proxy access
add action=deny disabled=no redirect-to=gw.local/mikrotik_logo.png src-address=0.0.0.0/0

I will list the key elements of the setup:

  1. interface-list "2fa": a dynamic list of client interfaces whose traffic has to go through 2FA processing;
  2. address-list "2fa_jailed": the "grey" list of tunnel IP addresses of VPN clients;
  3. address-list "2fa_approved": the "white" list of tunnel IP addresses of VPN clients that have passed two-factor authentication;
  4. firewall chain "input_2fa": inspects tcp packets for the presence of an authorization code and checks that the sender's IP address matches the required one. The rules in this chain are added and removed dynamically.

A simplified flowchart of packet processing looks like this:

(flowchart image)

To send traffic from "grey" list clients that have not yet passed the second authentication stage into Layer7 inspection, a rule is created in the standard "input" chain:

Code
/ip firewall filter add chain=input !src-address-list=2fa_approved action=jump jump-target=input_2fa

Now let's start tying all this wealth to the PPP service. MikroTik lets you use scripts in profiles (ppp profile) and assign them to the events of establishing and tearing down a ppp connection. The ppp profile settings can be applied to the PPP server as a whole or to individual users. At the same time, the profile assigned to a user takes precedence: it overrides the parameters of the profile chosen for the server as a whole with the parameters it explicitly specifies.

As a result of this approach, we can create a special two-factor authentication profile and assign it not to all users, but only to those for whom it is considered necessary. This can be relevant if you use PPP services not only to connect end users but also, at the same time, to build site-to-site connections.

In the newly created special profile we use dynamic addition of the connected user's address and interface to the "grey" address and interface lists:

winbox

Code
/ppp profile add address-list=2fa_jailed change-tcp-mss=no local-address=192.0.2.254 name=2FA interface-list=2fa only-one=yes remote-address=dhcp_pool1 use-compression=no use-encryption=required use-mpls=no use-upnp=no dns-server=172.31.1.1

Both the "address-list" and the "interface-list" are needed in order to catch and capture, in the dstnat (prerouting) chain, the traffic of VPN clients that have not yet passed the second factor.

With the preparation finished and the additional firewall chains and the profile created, we will write the script responsible for automatically generating the 2FA code and the individual firewall rules.

The wiki.mikrotik.com documentation on PPP-Profile enriches us with information about the variables tied to the connect/disconnect events of a PPP client: "Execute script on user login-event. These are available variables that are accessible for the event script: user, local-address, remote-address, caller-id, called-id, interface". Some of them are very useful to us.

Code used in the profile's PPP connect (On-Up) event

# Log the received variables for debugging
:log info ($"local-address")
:log info ($"remote-address")
:log info ($"caller-id")
:log info ($"called-id")
# debug only: this lookup is specific to PPTP tunnels
:log info ([/interface pptp-server get ($"interface") name])
# Declare our own local variables
:local listname "2fa_jailed"
:local viamodem false
:local modemport "usb2"
# Find the entry created automatically in the "2fa_jailed" address list
:local recnum1 [/ip firewall address-list find address=($"remote-address") list=$listname]

# Get a pseudo-random code from the local generator (first 4 characters of the SCEP one-time password)
:local rnd1 [:pick ([/certificate scep-server otp generate as-value minutes-valid=1]->"password") 0 4]
# or get a pseudo-random code via random.org instead
#:local rnd1 [:pick ([/tool fetch url="https://www.random.org/strings/?num=1&len=7&digits=on&unique=on&format=plain&rnd=new" as-value output=user]->"data") 0 4]

# Find and update the comment on the address-list entry: store the expected code there for debugging
/ip firewall address-list set $recnum1 comment=$rnd1
# Get the phone number the SMS is sent to
:local vphone [/ppp secret get [find name=$user] comment]

# Prepare the message body. If the client connects to the VPN directly from a phone, it is enough
# to open the link from the received message
:local msgbody ("Your code: ".$rnd1."\n Or open link http://gw.local/otp/".$rnd1."/")

# Send the SMS over the selected channel: USB modem or email-to-sms
# (the from/to addresses are redacted in the article; substitute your own)
:if ($viamodem) do={
  /tool sms send phone-number=$vphone message=$msgbody port=$modemport
} else={
  /tool e-mail send server=a.b.c.d from="[email protected]" to="[email protected]" subject=("@".$vphone) body=$msgbody
}

# Generate the Layer7 regexp
:local vregexp ("otp/".$rnd1)
:local vcomment ("2fa_".($"remote-address"))
/ip firewall layer7-protocol add name=$vcomment comment=($"remote-address") regexp=$vregexp

# Generate the rule that inspects the client's traffic with Layer7, looking for the expected code,
# with a little protection against brute-forcing codes by means of dst-limit
/ip firewall filter add action=add-src-to-address-list address-list=2fa_approved address-list-timeout=none-dynamic chain=input_2fa dst-port=80,443,3128 layer7-protocol=$vcomment protocol=tcp src-address=($"remote-address") dst-limit=1,1,src-address/1m40s

Especially for those who like mindless copy-paste, I warn you: the code is taken from a test version and may contain small typos. It will not be hard for someone who understands it to figure out where exactly.

When the user disconnects, an "On-Down" event is generated and the corresponding script is called with its parameters. The job of this script is to clean up the firewall rules created for the disconnected user.

Code used in the profile's PPP disconnect (On-Down) event

:local vcomment ("2fa_".($"remote-address"))
/ip firewall address-list remove [find address=($"remote-address") list=2fa_approved]
/ip firewall filter remove [find chain="input_2fa" src-address=($"remote-address")]
/ip firewall layer7-protocol remove [find name=$vcomment]
You can create users and assign all or some of them to the two-factor authentication profile.

winbox

Code
/ppp secret set [find name=Petrov] profile=2FA

What it looks like on the client side.

When the VPN connection is established, the Android/iOS phone or tablet with a SIM card receives an SMS that looks like this:

SMS

If the connection is established directly from the phone or tablet, you can pass 2FA simply by tapping the link in the message. Convenient.

If the VPN connection is established from a PC, the user will have to fill in a small password form. The mini form, as an HTML file, is given to the user when the VPN is set up. The file can even be sent by mail so that the user saves it and creates a shortcut in a convenient place. It looks like this:

Desktop shortcut

The user clicks the shortcut, a simple code entry form opens, and it appends the code to the URL being opened:

Form screenshot

A very primitive form is given as an example. Those who wish can make their own.

2fa_login_mini.html

<html>
<head>
<title>SMS OTP login</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
<!-- Enter in the field or a click on the button sends the browser to http://gw.local/otp/<code>, which the router's Layer7 rule matches -->
<form name="login" onsubmit="location.href='http://gw.local/otp/'+document.getElementById('text').value; return false;">
 <input id="text" type="text"/>
 <input type="button" value="Login" onclick="location.href='http://gw.local/otp/'+document.getElementById('text').value"/>
</form>
</body>
</html>

On successful authorization the user will see the MikroTik logo in the browser, which should signal successful authentication:

(screenshot: MikroTik logo)

Note that the image is returned from MikroTik's built-in web server by means of the WebProxy Deny Redirect.

I think the image can be customized as you like using the "hotspot" tool: upload your own version there and then point the Deny Redirect URL in the WebProxy at it.

A big request to those who are tempted to buy a cheap $20 MikroTik "toy" and replace a $500 router with it: don't. Devices like the "hAP Lite" / "hAP mini" (home access points) have a very weak CPU (smips) and will most likely not cope with the load in the enterprise segment.

Warning! This solution has one drawback: when clients connect or disconnect, configuration changes occur, which the router tries to save to its non-volatile memory. With a large number of clients and frequent connects and disconnects, this can lead to wear of the router's internal storage.

PS: The methods of delivering the code to the client can be extended and supplemented to the extent of your programming skills. For example, you can send messages to Telegram or... suggest your own options!

I hope this article will be useful to you and will help make the networks of small and medium businesses a little more secure.

Source: www.habr.com