I want to share with the community a simple and working way of using Mikrotik to protect your network, and the services "peeking out" from behind it, against attacks from outside. Namely, just three rules for setting up a honeypot on Mikrotik.
So, let's imagine we have a small office with an external IP, behind which there is an RDP server for remote work by employees. The first rule, of course, is to move port 3389 on the external interface to some other port. But that does not help for long: after a few days the terminal server's audit log starts showing several failed logon attempts per second from unknown clients.
Another situation: you have Asterisk hidden behind Mikrotik, naturally not on port 5060 udp, and after a few days password brute-forcing starts there too... yes, yes, I know, fail2ban is the answer to everything, but you still have to work on it... for example, I just installed it on ubuntu 18.04 and was surprised to find that out of the box fail2ban has no current settings for the asterisk that ships in the same ubuntu distribution... The ready-made "recipes" no longer work, release numbers grow over the years, the "cookbook" articles for old versions no longer apply, and new ones hardly ever appear... But I digress...
So, what is a honeypot, in short: a honeypot, in our case, is any popular port on the external IP; any request to that port from an external client sends the src address to the blocked list. That's all.
/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" connection-state=new dst-port=22,3389,8291 in-interface=ether4-wan protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" address-list-timeout=30d0h0m chain=input comment="block honeypot asterisk" connection-state=new dst-port=5060 in-interface=ether4-wan protocol=udp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list="Honeypot Hacker"
The first rule, on the popular TCP ports 22, 3389, 8291 of the external interface ether4-wan, sends the "guest" IP to the "Honeypot Hacker" list (the ssh, rdp and winbox ports are disabled beforehand or moved to other ports). The second does the same for the popular UDP 5060.
The third rule, at the prerouting stage, drops packets from "guests" whose src address has landed in "Honeypot Hacker".
After two weeks of operation on my home Mikrotik, the "Honeypot Hacker" list held about one and a half thousand IP addresses of those who like to "milk" my network resources (at home I have my own telephony, mail, nextcloud, rdp). The brute-force attacks stopped, happiness arrived.
At work, not everything turned out to be so simple; there they kept breaking into the rdp server by brute-forcing passwords.
Apparently the port number had been recorded by scanners long before the honeypot was enabled, and during lockdown it is not so easy to reconfigure more than 100 users, 20% of whom are over 65 years old. For the case where the port cannot be changed, there is a small working recipe. I have seen something similar on the internet, but there are a few additions and some fine-tuning involved:
Port knocking setup rules
/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist address-list-timeout=15m chain=forward comment=rdp_to_blacklist connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage12
add action=add-src-to-address-list address-list=rdp_stage12 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage11
add action=add-src-to-address-list address-list=rdp_stage11 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage10
add action=add-src-to-address-list address-list=rdp_stage10 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage9
add action=add-src-to-address-list address-list=rdp_stage9 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage8
# rdp_stage8 must be fed from rdp_stage7: the original listing had src-address-list=rdp_stage4 here, which jumped from stage 4 straight to stage 8 and left the rdp_stage7 rule feeding nothing
add action=add-src-to-address-list address-list=rdp_stage8 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage7
add action=add-src-to-address-list address-list=rdp_stage7 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage6
add action=add-src-to-address-list address-list=rdp_stage6 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage5
add action=add-src-to-address-list address-list=rdp_stage5 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage4
add action=add-src-to-address-list address-list=rdp_stage4 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 address-list-timeout=4m chain=forward connection-state=new dst-port=3389 protocol=tcp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=rdp_blacklist
Within 4 minutes, a remote client is allowed to make only 12 new "requests" to the RDP server. One logon attempt takes from 1 to 4 "requests". At the 12th "request", a block for 15 minutes. In my case the attackers did not stop brute-forcing the server; they adjusted their timings and now do it very slowly, and at that guessing rate the effectiveness of the attack drops to zero. The company's employees did not notice any disruption to their work from the measures taken.
Another small trick
This rule is enabled on a schedule at 5 a.m. and disabled at XNUMX a.m., when real people are definitely asleep and the automated password guessers keep going.
/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist address-list-timeout=1w0d0h0m chain=forward comment="night_rdp_blacklist" connection-state=new disabled=yes dst-port=3389 protocol=tcp src-address-list=rdp_stage8
Already on the 8th connection, the attacker's IP is blocked for a whole week. Beautiful!
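To check the counts given for the staged rules and for the night rule, here is a small model of how the router walks them. It is an added example, not code from the article or from MikroTik, and it rests on assumptions the article does not spell out: rules are evaluated top to bottom in the order they were added; add-src-to-address-list does not stop rule processing, so later rules in the same pass already see the list an earlier rule just filled; a dynamic entry lives for its address-list-timeout and is refreshed when the same rule matches the address again; and the raw drop runs before the filter chain. The client address and timings are constructed.

```python
"""Added example, not part of the original article: a small model of how
RouterOS walks the rdp_stage* rules above, used to check the request counts
given in the text.

Assumptions the article does not spell out (all labelled here):
  * rules are evaluated top to bottom in the order they were added;
  * add-src-to-address-list does not stop rule processing, so one packet can
    match several rules in a pass, and later rules see lists filled earlier
    in that same pass;
  * a dynamic entry lives for address-list-timeout and is refreshed when the
    same rule matches that address again;
  * the /ip firewall raw drop runs before the filter chain, so a connection is
    dropped only if an earlier connection already blacklisted the address.
Client addresses and timings are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

MIN = 60  # seconds


@dataclass(frozen=True)
class Rule:
    """One 'add action=add-src-to-address-list ...' rule from the listing."""
    address_list: str                        # list the source address goes into
    timeout: int                             # address-list-timeout, seconds
    src_address_list: Optional[str] = None   # list the address must already be in
    disabled: bool = False


@dataclass
class Router:
    rules: list
    lists: dict = field(default_factory=dict)   # (list name, ip) -> expiry time

    def in_list(self, name: str, ip: str, now: int) -> bool:
        expiry = self.lists.get((name, ip))
        return expiry is not None and expiry > now

    def new_connection(self, ip: str, now: int) -> bool:
        """One new TCP/3389 connection from ip at time now (seconds).
        Returns True if the raw rule dropped it, False if it was forwarded."""
        if self.in_list("rdp_blacklist", ip, now):
            return True
        for rule in self.rules:
            if rule.disabled:
                continue
            if rule.src_address_list and not self.in_list(rule.src_address_list, ip, now):
                continue
            self.lists[(rule.address_list, ip)] = now + rule.timeout
        return False


def page_rules(night_rule_enabled: bool = False) -> list:
    """The chain in the order the article adds it: the 15-minute blacklist
    rule, then stage12 down to stage1, then the scheduled one-week rule,
    which is appended last and stays disabled outside its schedule."""
    rules = [Rule("rdp_blacklist", 15 * MIN, "rdp_stage12")]
    for n in range(12, 0, -1):
        rules.append(Rule(f"rdp_stage{n}", 4 * MIN,
                          f"rdp_stage{n - 1}" if n > 1 else None))
    rules.append(Rule("rdp_blacklist", 7 * 24 * 60 * MIN, "rdp_stage8",
                      disabled=not night_rule_enabled))
    return rules


def ascending_order(rules: list) -> list:
    """Same rules with the stage rules listed stage1 .. stage12 instead,
    constructed to show why the article's descending order matters."""
    stages = sorted((r for r in rules if r.address_list != "rdp_blacklist"),
                    key=lambda r: int(r.address_list[len("rdp_stage"):]))
    return stages + [r for r in rules if r.address_list == "rdp_blacklist"]


def connections_until_blacklisted(rules: list, interval: int,
                                  limit: int = 100) -> Optional[int]:
    """Open a new connection every `interval` seconds from one constructed
    client; return the number of the connection that put it in
    rdp_blacklist, or None if `limit` connections never did."""
    router = Router(rules)
    ip = "203.0.113.10"  # constructed client address (TEST-NET-3)
    for i in range(1, limit + 1):
        router.new_connection(ip, i * interval)
        if router.in_list("rdp_blacklist", ip, i * interval):
            return i
    return None


if __name__ == "__main__":
    print("fast client, daytime rules    :", connections_until_blacklisted(page_rules(), 1))
    print("fast client, night rule on    :", connections_until_blacklisted(page_rules(True), 1))
    print("one connection every 5 min    :", connections_until_blacklisted(page_rules(), 5 * MIN))
    print("stage rules in ascending order:", connections_until_blacklisted(ascending_order(page_rules()), 1))
```

Under these assumptions the model agrees with the text: a fast client gets 12 new connections through and the 13th puts it in rdp_blacklist, after which its connections are dropped for 15 minutes; with the night rule enabled, the 8th connection is blacklisted for a week, because that rule sits after the rdp_stage8 rule and sees the entry that rule has just created in the same pass. Two details worth noticing: the descending order of the stage rules is what makes each connection advance exactly one stage (listed stage1 upward, a single packet would walk the whole chain and the very first connection would be blacklisted), and a client that spaces its connections wider than the 4-minute stage timeout never accumulates stages at all, which is exactly the slow guessing the article describes the attackers falling back to.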
Well, in addition to the above, I'll add a link to the Wiki article with a working setup for protecting Mikrotik from network scanners.
On my devices this setup works together with the honeypot rules described above and complements them nicely.
UPD: As suggested in the comments, the packet drop rule has been moved to RAW to reduce the load on the router.
Source: www.habr.com