Sanibonani nonke. Lesi sihloko senzelwe labo abanamadivayisi amaningi e-Mikrotik emikhumbini yabo, futhi abafuna ukwenza ukuhlanganiswa okuphezulu ukuze bangaxhumeki kudivayisi ngayinye ngokuhlukana. Kulesi sihloko ngizochaza iphrojekthi, ngeshwa, engazange ifinyelele izimo zokulwa ngenxa yezici zomuntu. Ngamafuphi: ama-routers angaphezu kuka-200, ukusetha okusheshayo nokuqeqeshwa kwabasebenzi, ukuhlanganiswa ngesifunda, amanethiwekhi okuhlunga kanye nabasingathi abathile, ikhono lokwengeza kalula imithetho kuwo wonke amadivayisi, ukungena ngemvume nokulawula ukufinyelela.
Okuchazwe ngezansi akwenzi sengathi kuyicala elenziwe ngomumo, kodwa ngithemba ukuthi kuzoba usizo kuwe lapho uhlela amanethiwekhi akho futhi unciphisa amaphutha. Mhlawumbe amanye amaphuzu nezisombululo kungase kungabonakali kulungile kuwe - uma kunjalo, bhala kumazwana. Ukugxekwa kuleli cala kuzoba yinto eyenzeka kumgcinimafa ojwayelekile. Ngakho-ke mfundi ake ubheke ukuphawula, mhlawumbe umbhali wenze iphutha elikhulu - umphakathi uzosiza.
Inombolo yamarutha ngu-200-300, ahlakazeke emadolobheni ahlukene anekhwalithi ehlukene yoxhumo lwe-inthanethi. Kuyadingeka ukwenza yonke into kahle nangokucacile kubaphathi bendawo ukuthi konke kuzosebenza kanjani.
Ngakho, iqala kuphi iphrojekthi? Yiqiniso, nge TK.
- Ukuhlelwa kohlelo lwenethiwekhi yawo wonke amagatsha ngokwezidingo zekhasimende, ukuhlukaniswa kwenethiwekhi (kusuka kumanethiwekhi ama-3 kuye kwangama-20 emagatsheni kuye ngenani lamadivayisi).
- Ukusetha amadivayisi egatsheni ngalinye. Ukuhlola isivinini sangempela sokuphuma somhlinzeki ngaphansi kwezimo zokusebenza ezihlukene.
- Inhlangano yokuvikelwa kwedivayisi, ukuphathwa kohlu olugunyaziwe, ukutholwa okuzenzakalelayo kokuhlaselwa ngokufaka kuhlu okuzenzakalelayo isikhathi esithile, ukunciphisa ukusetshenziswa kwezindlela zobuchwepheshe ezihlukahlukene ezisetshenziselwa ukuvimbela ukufinyelela kokulawula nokunqabela isevisi.
- Inhlangano yokuxhumana okuphephile kwe-VPN ngokuhlunga kwenethiwekhi ngokuya ngezidingo zamakhasimende. Ubuncane bokuxhunywa kwe-VPN okungu-3 kusuka egatsheni ngalinye kuya enkabeni.
- Ngokusekelwe kumaphuzu 1, 2. Khetha izindlela ezikahle zokwakha ama-VPN abekezelela amaphutha. Uma kuthethelelwe ngendlela efanele, ubuchwepheshe bomzila obuguqukayo bungakhethwa usonkontileka.
- Ukuhleleka kokubekwa phambili kwethrafikhi ngamaphrothokholi, izimbobo, abasingathi namanye amasevisi athile asetshenziswa ikhasimende. (I-VOIP, ibamba ngezinsizakalo ezibalulekile)
- Inhlangano yokuqapha nokungena kwemicimbi ye-router ukuze kuphendulwe abasebenzi bosekelo lobuchwepheshe.
Njengoba siqonda, ezimweni eziningi ukucaciswa kobuchwepheshe kubhalwa ngokusekelwe ezidingweni. Ngazakhela lezi zidingo ngokwami, ngemva kokulalela izinkinga ezinkulu. Uvumile ukuthi kungenzeka kube khona omunye ongawanakekela la maphuzu.
Imaphi amathuluzi azosetshenziswa ukufeza lezi zidingo:
- Isitaki se-ELK (ngemuva kwesikhathi esithile, kwacaca ukuthi i-fluentd izosetshenziswa esikhundleni se-logstash).
- Kuyaqondakala. Ukuze kube lula ukuphatha nokwabelana ngokufinyelela, sizosebenzisa i-AWX.
- I-GITLAB. Asikho isidingo sokuchaza lapha. Besingaba kuphi ngaphandle kokulawulwa kwenguqulo yezilungiselelo zethu?
- I-PowerShell. Kuzoba khona iskripthi esilula sesizukulwane sokuqala se-config.
- I-Doku wiki, yokubhala imibhalo nemihlahlandlela. Kulokhu, sisebenzisa i-habr.com.
- Ukuqapha kuzokwenziwa nge-zabbix. Umdwebo wokuxhuma uzophinde udwetshwe lapho ukuze kuqondwe kabanzi.
Amaphoyinti okusetha we-EFK
Mayelana nephuzu lokuqala, ngizochaza kuphela imibono lapho ama-indices azokwakhiwa khona. Kuningi
izindatshana ezinhle kakhulu zokusetha nokwamukela izingodo ezivela kumadivayisi asebenzisa i-mikrotik.
Ngizogxila kwamanye amaphuzu:
1. Ngokusho komdwebo, kufanelekile ukucabangela ukwamukela izingodo ezivela ezindaweni ezahlukene nasemachwebeni ahlukene. Kulokhu sizosebenzisa i-log aggregator. Sifuna futhi ukwenza imidwebo yendawo yonke yawo wonke amarutha anekhono lokwabelana ngokufinyelela. Bese sakha ama-index kanjena:
nansi ingxenye ye-config ene-fluentd thayipha i-elasticsearch
logstash_format iqiniso
index_name mikrotiklogs.north
logstash_prefix mikrotiklogs.north
flush_interval 10s
izivakashi : 9200
imbobo 9200
Ngale ndlela singakwazi ukuhlanganisa ama-routers kanye nesigaba ngokusho kwepulani - mikrotiklogs.west, mikrotiklogs.south, mikrotiklogs.east. Kungani ukwenza kube nzima kangaka? Siyaqonda ukuthi sizoba namadivayisi angama-200 noma ngaphezulu. Awukwazi ukulandela yonke into. Ngenguqulo engu-6.8 ye-elasticsearch, izilungiselelo zokuphepha ziyatholakala kithi (ngaphandle kokuthenga ilayisense), ngaleyo ndlela singakwazi ukusabalalisa amalungelo okubuka phakathi kwezisebenzi zosekelo lwezobuchwepheshe noma abaphathi besistimu bendawo.
Amathebula, amagrafu - lapha udinga nje ukuvumelana - sebenzisa okufanayo, noma wonke umuntu wenza lokho okumlungele.
2. Ngokugawula. Uma sinika amandla ukungena ngemvume emithethweni ye-firewall, bese senza amagama ngaphandle kwezikhala. Kungabonakala ukuthi ngokusebenzisa ukulungiselelwa okulula ngokushelelayo, singakwazi ukuhlunga idatha futhi senze amaphaneli afanelekile. Isithombe esingezansi irutha yami yasekhaya.
3. Ngesikhala esithathwe nezingodo. Ngokwesilinganiso, ngemilayezo eyi-1000 ngehora, izingodo zithatha u-2-3 MB ngosuku, okuyinto, uyabona, ayiningi kangako. Inguqulo ye-Elasticsearch 7.5.
I-ANSIBLE.AWX
Ngenhlanhla ngathi, sinemodyuli eyenziwe ngomumo yama-routers
Ngishilo nge-AWX, kepha imiyalo engezansi imayelana nokusebenziseka ngendlela emsulwa - ngicabanga ukuthi kulabo abasebenze nge-ansible, ngeke kube nezinkinga ngokusebenzisa i-awx ngokusebenzisa i-gui.
Uma ngikhuluma iqiniso, ngaphambi kwalokhu ngibheke ezinye iziqondiso lapho zisebenzisa i-ssh, futhi zonke zinezinkinga ezihlukile ngesikhathi sokuphendula kanye nenqwaba yezinye izinkinga. Ngiyaphinda futhi, akuzange kufike ekulweni , thatha lolu lwazi njengesilingo esingazange siqhubekele phambili kunesitendi samarutha angama-20.
Kudingeka sisebenzise isitifiketi noma i-akhawunti. Kukuwe ukuthi unqume, mina ngimele izitifiketi. Iphuzu elithile elicashile ngamalungelo. Nginikeza amalungelo okubhala - okungenani "ukusetha kabusha ukusetha" ngeke kusebenze.
Akufanele kube nezinkinga zokukhiqiza, ukukopisha nokungenisa isitifiketi:
Uhlu lomyalo omfushaneKu-PC yakho
ssh-keygen -t RSA, phendula imibuzo, gcina ukhiye.
Kopisha ku-mikrotik:
umsebenzisi ssh-keys import public-key-file=id_mtx.pub user=ansible
Okokuqala udinga ukudala i-akhawunti futhi unikeze amalungelo kuyo.
Ihlola ukuxhumeka kusetshenziswa isitifiketi
ssh -p 49475 -i /keys/mtx [i-imeyili ivikelwe]
Bhalisa vi /etc/ansible/hosts
MT01 ansible_network_os=routos ansible_ssh_port=49475 ansible_ssh_user= ansible
MT02 ansible_network_os=routos ansible_ssh_port=49475 ansible_ssh_user= ansible
MT03 ansible_network_os=routos ansible_ssh_port=49475 ansible_ssh_user= ansible
MT04 ansible_network_os=routos ansible_ssh_port=49475 ansible_ssh_user= ansible
Isibonelo, incwadi yokudlala: - igama: add_work_sites
umbuki zindwendwe ngu testmt
serial: 1
uxhumano: network_cli
umsebenzisi_okude: mikrotik.west
qoqa_amaqiniso: yebo
imisebenzi:
- igama: engeza Work_sites
routeros_command:
imiyalo:
— /ip firewall address-list add address=gov.ru list=work_sites comment=Ticket665436_Ochen_nado
— /ip firewall address-list add address=habr.com list=work_sites comment=for_habr
Njengoba ungabona ekucushweni okungenhla, ukwenza eyakho incwadi yokudlala akunzima. Kwanele ukwazi kahle i-cli mikrotik. Ake sicabange ngesimo lapho udinga ukususa uhlu lwamakheli ngedatha ethile kuwo wonke ama-routers, bese:
Thola futhi ususe/ip firewal address-list susa [thola lapho list="gov.ru"]
Angizange ngamabomu ngilufake lonke uhlu lwama-firewall lapha ngoba... kuzoba umuntu ngamunye kuphrojekthi ngayinye. Kodwa into eyodwa engingayisho ngokuqinisekile, sebenzisa uhlu lwamakheli kuphela.
Ngokusho kwe-GITLAB konke kucacile. Ngeke ngigxile kuleli phuzu. Konke kuhle kumisebenzi ngayinye, izifanekiso, izibambi.
I-Powershell
Kuzoba namafayela angu-3 lapha. Kungani i-powershell? Ungakhetha noma yiliphi ithuluzi lokukhiqiza izilungiselelo, noma yini ekulungele kakhudlwana. Kulokhu, wonke umuntu uneWindows ku-PC yakhe, kungani ukwenze ku-bash lapho i-powershell ilula kakhulu. Iyiphi elula kakhulu?
Iskripthi ngokwaso (silula futhi siyaqondakala):[cmdletBinding()]
I-Param(
[Ipharamitha(Iyadingeka=$true)]
[string]$EXTERNALIPADDRESS,
[Ipharamitha(Iyadingeka=$true)]
[string]$EXTERNALIPROUTE,
[Ipharamitha(Iyadingeka=$true)]
[string]$BWorknets,
[Ipharamitha(Iyadingeka=$true)]
[string]$CWorknets,
[Ipharamitha(Iyadingeka=$true)]
[string]$BVoipNets,
[Ipharamitha(Iyadingeka=$true)]
[string]$CVoipNets,
[Ipharamitha(Iyadingeka=$true)]
[string]$CClients,
[Ipharamitha(Iyadingeka=$true)]
[string]$BVPNWORKs,
[Ipharamitha(Iyadingeka=$true)]
[string]$CPWORKs,
[Ipharamitha(Iyadingeka=$true)]
[string]$BVPNCLIENTSs,
[Ipharamitha(Iyadingeka=$true)]
[string]$cVPNCLIENTSs,
[Ipharamitha(Iyadingeka=$true)]
[string]$NAMEROUTER,
[Ipharamitha(Iyadingeka=$true)]
[string]$ServerCertificates,
[Ipharamitha(Iyadingeka=$true)]
[string]$infile,
[Ipharamitha(Iyadingeka=$true)]
[string]$outfile
)
Thola-Okuqukethwe $infile | I-Foreach-Object {$_.Miselela("EXTERNIP", $EXTERNALIPADDRESS)} |
I-Foreach-Object {$_.Miselela("EXTROUTE", $EXTERNALIPROUTE)} |
I-Foreach-Object {$_.Faka esikhundleni("BWorknet", $BWorknets)} |
I-Foreach-Object {$_.Replace("CWorknet", $CWorknets)} |
I-Foreach-Object {$_.Replace("BVoipNet", $BVoipNets)} |
I-Foreach-Object {$_.Replace("CVoipNet", $CVoipNets)} |
I-Foreach-Object {$_.Replace("CClients", $CClients)} |
I-Foreach-Object {$_.Buyisela("BVPNWORK", $BVPNWORKs)} |
I-Foreach-Object {$_.Buyisela("CPVWORK", $CPWORKs)} |
I-Foreach-Object {$_.Faka esikhundleni("BVPNCLIENTS", $BVPNCLIENTSs)} |
I-Foreach-Object {$_.Faka esikhundleni("CPVCLIENTS", $cVPNCLIENTSs)} |
I-Foreach-Object {$_.Miselela("MYNAMERROUTER", $NAMEROUTER)} |
I-Foreach-Object {$_.Replace("ServerCertificate", $ServerCertificates)} | I-Set-Content $outfile
Ngicela ungixolele, angikwazi ukuthumela yonke imithetho ngoba... ngeke kube kuhle kakhulu. Ungenza imithetho ngokwakho, uholwa yizinqubo ezihamba phambili.
Isibonelo, nalu uhlu lwezixhumanisi engizilandele::Ivikela_Irutha_Yakho
:IP/Firewall/Hlunga
:OSPF-izibonelo
:Winbox
:Upgrading_RouterOS
:IP/Fasttrack - lapha udinga ukwazi ukuthi uma i-fasttrack inikwe amandla, ukubeka kuqala kwethrafikhi nemithetho yokubunjwa ngeke kusebenze - kuwusizo kumadivayisi abuthakathaka.
Izimpawu zokuguquguquka:Amanethiwekhi alandelayo athathwa njengesibonelo:
192.168.0.0/24 inethiwekhi esebenzayo
172.22.4.0/24 inethiwekhi ye-VOIP
10.0.0.0/24 inethiwekhi yamaklayenti ngaphandle kokufinyelela kunethiwekhi yendawo
192.168.255.0/24 inethiwekhi ye-VPN yamagatsha amakhulu
172.19.255.0/24 inethiwekhi ye-VPN encane
Ikheli lenethiwekhi liqukethe izinombolo zamadesimali ezi-4, ngokulandelana A.B.C.D, ukushintshwa kusebenza ngesimiso esifanayo, uma ekuqaleni icela u-B, kusho ukuthi udinga ukufaka inombolo engu-192.168.0.0 yenethiwekhi 24/0, kanye ne-C. = 0.
$EXTERNALIPADDDRESS - ikheli elinikelwe elivela kumhlinzeki.
$EXTERNALIPROUTE - umzila ozenzakalelayo oya kunethiwekhi engu-0.0.0.0/0
$BWorknets - Inethiwekhi yomsebenzi, esibonelweni sethu kuzoba ne-168
$CWorknets - Inethiwekhi esebenzayo, esibonelweni sethu lokhu kuzoba ngu-0
$BVoipNets - Inethiwekhi ye-VOIP esibonelweni sethu lapha 22
$CVoipNets - Inethiwekhi ye-VOIP esibonelweni sethu lapha 4
$CClients - Inethiwekhi yamakhasimende - Ukufinyelela i-inthanethi kuphela, kithi lapha 0
$BVPNWORKs - Inethiwekhi ye-VPN yamagatsha amakhulu, esibonelweni sethu sama-20
$CPWORKs - Inethiwekhi ye-VPN yamagatsha amakhulu, kusibonelo sethu sama-255
$BVPNCLIENTS - Inethiwekhi ye-VPN yamagatsha amancane, okusho ukuthi 19
$CPVCLIENTS - Inethiwekhi ye-VPN yamagatsha amancane, okusho ukuthi 255
$NAMEROUTER - igama lerutha
$ServerCertificate - igama lesitifiketi osingenisile ngaphambilini
$infile — Cacisa indlela eya efayeleni lapho sizofunda khona ukumisa, isibonelo D:config.txt (okungcono indlela yesiNgisi ngaphandle kwamacaphuno nezikhala)
$outfile — cacisa indlela lapho izogcinwa khona, isibonelo D:MT-test.txt
Ngishintshe ngamabomu amakheli ezibonelweni ngezizathu ezisobala.
Ngiphuthelwe iphuzu mayelana nokuthola ukuhlaselwa kanye nokuziphatha okuxakile - lokhu kufanele i-athikili ehlukile. Kodwa kufanelekile ukukhomba ukuthi kulesi sigaba ungasebenzisa amanani edatha yokuqapha kusuka ku-Zabbix + idatha ye-curl ecutshungulwe kusuka ku-elasticsearch.
Imaphi amaphuzu okufanele uwanake:
- Uhlelo lwenethiwekhi. Kungcono ukuyiqamba ngokushesha ngendlela efundekayo. I-Excel izokwanela. Ngeshwa, ngivame ukubona ukuthi amanethiwekhi akhiwa ngokuvumelana nesimiso "Igatsha elisha selivele, nali /24 lakho." Akekho othola ukuthi mangaki amadivayisi alindelwe endaweni ethile noma ukuthi kuzoba khona okunye ukukhula. Isibonelo, kwavulwa isitolo esincane lapho kwacaca ekuqaleni ukuthi idivayisi ngeke ibe ngaphezu kwe-10, kungani kwabiwa /24? Amagatsha amakhulu, ngokuphambene nalokho, anikezela / 24, futhi kukhona amadivaysi angu-500 - ungamane wengeze inethiwekhi, kodwa ufuna ukucabanga ngakho konke ngesikhathi esisodwa.
- Imithetho yokuhlunga. Uma iphrojekthi icabanga ukuthi kuzoba nokuhlukaniswa kwamanethiwekhi nokuhlukaniswa okuphezulu. Imikhuba Engcono Kakhulu iyashintsha ngokuhamba kwesikhathi. Ngaphambilini, inethiwekhi ye-PC kanye nenethiwekhi yephrinta yahlukaniswa, kodwa manje sekuvamile ukuthi ungawahlukanisi lawa manethiwekhi. Kuyafaneleka ukusebenzisa ingqondo futhi ungadali ama-subnet amaningi lapho engadingeki khona futhi ungahlanganisi wonke amadivaysi kunethiwekhi eyodwa.
- Izilungiselelo "zegolide" kuwo wonke amarutha. Labo. uma unqume uhlelo. Kuyafaneleka ukubona konke kusengaphambili futhi uzame ukwenza isiqiniseko sokuthi zonke izilungiselelo ziyefana - uhlu lwamakheli kuphela namakheli e-IP ahlukile. Uma kuphakama izinkinga, isikhathi sokulungisa iphutha sizoba sincane.
- Izinkinga zenhlangano azibalulekile kangako kunezobuchwepheshe. Ngokuvamile abasebenzi abavilaphayo bafeza lezi zincomo "ngesandla", ngaphandle kokusebenzisa ukulungiselelwa okwenziwe ngomumo kanye nemibhalo, okuholela ezinkingeni ekugcineni.
Ngomzila oguquguqukayo. I-OSPF ene-zone division yasetshenziswa. Kodwa leli ibhentshi lokuhlola; kuthakazelisa kakhulu ukusetha izinto ezinjalo ezimweni zokulwa.
Ngithemba ukuthi akekho ophatheke kabi ngokuthi angizange ngithumele ukulungiselelwa komzila. Ngicabanga ukuthi izixhumanisi zizokwanela, bese konke kuncike ezidingweni. Futhi-ke izivivinyo, ukuhlolwa okwengeziwe kuyadingeka.
Ngifisa wonke umuntu afeze amaphrojekthi abo onyakeni omusha. Kwangathi ukufinyelela okunikiwe kungaba nawe!!!
Source: www.habr.com