Bangani, sanibona!
Kunezindlela eziningi zokuxhuma usuka ekhaya uye endaweni yakho yokusebenza yasehhovisi. Enye yazo ukusebenzisa iMicrosoft Remote Desktop Gateway. Lena i-RDP phezu kwe-HTTP. Angifuni ukuthinta ukusetha i-RDGW ngokwayo lapha, angifuni ukuxoxa ngokuthi kungani kuhle noma kubi, masiyiphathe njengenye yamathuluzi okufinyelela kude. Ngifuna ukukhuluma ngokuvikela iseva yakho ye-RDGW ku-inthanethi embi. Lapho ngimisa iseva ye-RDGW, ngavele ngakhathazeka ngokuphepha, ikakhulukazi ukuvikelwa embuthweni we-password brute. Ngamangala ukuthi angizange ngithole noma yiziphi izihloko ku-inthanethi mayelana nendlela yokwenza lokhu. Hhayi-ke, uzofanele ukwenze ngokwakho.
I-RDGW ngokwayo ayinazo izivikelo. Yebo, ingavezwa ngesixhumi esibonakalayo esingenalutho kunethiwekhi emhlophe futhi izosebenza kahle. Kodwa lokhu kuzokwenza umlawuli olungile noma uchwepheshe wezokuphepha kolwazi angakhululeki. Ngaphezu kwalokho, kuzokuvumela ukuthi ugweme isimo sokuvinjwa kwe-akhawunti, lapho isisebenzi esinganaki sikhumbula iphasiwedi ye-akhawunti yebhizinisi kukhompyutha yasekhaya, bese sishintsha iphasiwedi yakhe.
Indlela enhle yokuvikela izinsiza zangaphakathi endaweni yangaphandle ukusebenzisa ama-proxi ahlukahlukene, amasistimu okushicilela, namanye ama-WAF. Masikhumbule ukuthi i-RDGW iseyi-http, bese icela nje ukuxhuma isixazululo esikhethekile phakathi kwamaseva angaphakathi ne-inthanethi.
Ngiyazi ukuthi kukhona i-F5 epholile, i-A10, i-Netscaler(ADC). Njengomphathi wolunye lwalezi zinhlelo, ngizosho ukuthi kungenzeka futhi ukuthi kumiswe isivikelo emandleni anonya kulezi zinhlelo. Futhi yebo, lezi zinhlelo zizokuvikela kunoma yisiphi isikhukhula se-syn.
Kodwa akuwona wonke inkampani engakwazi ukuthenga isisombululo esinjalo (futhi uthole umlawuli wesistimu enjalo :), kodwa ngesikhathi esifanayo bangakwazi ukunakekela ukuphepha!
Kungenzeka ngokuphelele ukufaka inguqulo yamahhala ye-HAProxy kusistimu yokusebenza yamahhala. Ngihlole ku-Debian 10, inguqulo ye-haproxy 1.8.19 endaweni yokugcina izinto ezinzile. Ngiphinde ngayihlola kunguqulo 2.0.xx kusuka endaweni yokuhlola.
Sizoshiya ukusetha i-debian ngokwayo ngaphandle kobubanzi balesi sihloko. Kafushane: kusixhumi esibonakalayo esimhlophe, vala yonke into ngaphandle kwembobo engu-443, kusixhumi esibonakalayo esimpunga - ngokuya ngenqubomgomo yakho, isibonelo, futhi vala yonke into ngaphandle kwembobo engu-22. Vula kuphela okudingekayo emsebenzini (i-VRRP ngokwesibonelo, ye-ip entantayo).
Okokuqala, ngilungiselele i-haproxy kumodi yokubhuloza ye-SSL (aka http mode) futhi ngavula ukungena ukuze ngibone ukuthi kwenzekani ngaphakathi kwe-RDP. Ngakho ukukhuluma, ngingene phakathi. Ngakho-ke, indlela ye-RDWeb ecaciswe kuma-athikili "wonke" ekusetheni i-RDGateway ayikho. Konke okukhona ngu/rpc/rpcproxy.dll kanye /remoteDesktopGateway/. Kulokhu, izicelo ezijwayelekile ze-GET/POST azisetshenziswa; uhlobo lwazo lwesicelo RDG_IN_DATA, RDG_OUT_DATA luyasetshenziswa.
Hhayi okuningi, kodwa okungenani okuthile.
Ake sihlole.
Ngethula i-mstsc, iya kuseva, bheka amaphutha amane angu-401 (angagunyaziwe) kulogi, bese ufaka igama lami lomsebenzisi/iphasiwedi bese ubona impendulo 200.
Ngiyicisha, ngiyiqale futhi, futhi ezingodweni ngibona amaphutha amane afanayo 401. Ngifaka ukungena / iphasiwedi engalungile futhi ngibone futhi amaphutha amane angu-401. Yilokho engikudingayo. Lokhu sizokubamba.
Njengoba kwakungenakwenzeka ukucacisa i-url yokungena, futhi ngaphandle kwalokho, angazi ukuthi ngingalibamba kanjani iphutha le-401 ku-haproxy, ngizobamba (hhayi empeleni ukubamba, kodwa ngibale) wonke amaphutha we-4xx. Futhi kufanelekile ukuxazulula inkinga.
Ingqikithi yokuvikela kuzoba ukuthi sizobala inani lamaphutha angu-4xx (emuva) ngeyunithi yesikhathi futhi uma yeqa umkhawulo oshiwo, bese wenqaba (ngaphambili) konke okunye ukuxhumana okuvela kule ip isikhathi esibekiwe. .
Ngobuchwepheshe, lokhu ngeke kube ukuvikela emandleni anonya ephasiwedi, kuzoba isivikelo kumaphutha e-4xx. Isibonelo, uma uvame ukucela i-url engekho (404), ukuvikela nakho kuzosebenza.
Indlela elula nephumelela kakhulu iwukubala ku-backend bese ubika uma kukhona okunye okuvelayo:
frontend fe_rdp_tsc
bind *:443 ssl crt /etc/haproxy/cert/desktop.example.com.pem
mode http
...
default_backend be_rdp_tsc
backend be_rdp_tsc
...
mode http
...
#создать таблицу, строковую, 1000 элементов, протухает через 15 сек, записать кол-во ошибок за последние 10 сек
stick-table type string len 128 size 1k expire 15s store http_err_rate(10s)
#запомнить ip
http-request track-sc0 src
#запретить с http ошибкой 429, если за последние 10 сек больше 4 ошибок
http-request deny deny_status 429 if { sc_http_err_rate(0) gt 4 }
...
server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02
Akuyona inketho engcono kakhulu, masiyixabanise. Sizobala ku-backend futhi sivimbe ku-frontend.
Sizophatha umhlaseli ngokungenangqondo futhi silahle uxhumano lwakhe lwe-TCP.
frontend fe_rdp_tsc
bind *:443 ssl crt /etc/haproxy/cert/ertelecom_ru_2020_06_11.pem
mode http
...
#создать таблицу ip адресов, 1000 элементов, протухнет через 15 сек, сохрянять из глобального счётчика
stick-table type ip size 1k expire 15s store gpc0
#взять источник
tcp-request connection track-sc0 src
#отклонить tcp соединение, если глобальный счётчик >0
tcp-request connection reject if { sc0_get_gpc0 gt 0 }
...
default_backend be_rdp_tsc
backend be_rdp_tsc
...
mode http
...
#создать таблицу ip адресов, 1000 элементов, протухнет через 15 сек, сохранять кол-во ошибок за 10 сек
stick-table type ip size 1k expire 15s store http_err_rate(10s)
#много ошибок, если кол-во ошибок за 10 сек превысило 8
acl errors_too_fast sc1_http_err_rate gt 8
#пометить атаку в глобальном счётчике (увеличить счётчик)
acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
#обнулить глобальный счётчик
acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
#взять источник
tcp-request content track-sc1 src
#отклонить, пометить, что атака
tcp-request content reject if errors_too_fast mark_as_abuser
#разрешить, сбросить флажок атаки
tcp-request content accept if !errors_too_fast clear_as_abuser
...
server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02
into efanayo, kodwa ngesizotha, sizobuyisela iphutha http 429 (Izicelo Eziningi Kakhulu)
frontend fe_rdp_tsc
...
stick-table type ip size 1k expire 15s store gpc0
http-request track-sc0 src
http-request deny deny_status 429 if { sc0_get_gpc0 gt 0 }
...
default_backend be_rdp_tsc
backend be_rdp_tsc
...
stick-table type ip size 1k expire 15s store http_err_rate(10s)
acl errors_too_fast sc1_http_err_rate gt 8
acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
http-request track-sc1 src
http-request allow if !errors_too_fast clear_as_abuser
http-request deny deny_status 429 if errors_too_fast mark_as_abuser
...
Ngiyahlola: Ngethula i-mstsc bese ngiqala ukufaka amaphasiwedi ngokungahleliwe. Ngemuva komzamo wesithathu, kungakapheli imizuzwana eyi-10 ingibuyisela emuva, futhi i-mstsc inikeza iphutha. Njengoba kungabonakala ezingodweni.
Izincazelo. Ngikude ne-haproxy master. Angiqondi ukuthi kungani, isibonelo
http-request deny_status 429 uma {sc_http_err_rate(0) gt 4}
ikuvumela ukuthi wenze amaphutha angaba ngu-10 ngaphambi kokuthi isebenze.
Ngididekile ngezinombolo zamakhawunta. Master of haproxy, ngizojabula uma ningiphelezela, ningiqondise, ningenze ngibe ngcono.
Kumazwana ungaphakamisa ezinye izindlela zokuvikela i-RD Gateway, kuzothakazelisa ukutadisha.
Mayelana ne-Windows Remote Desktop Client (mstsc), kubalulekile ukuqaphela ukuthi ayisekeli i-TLS1.2 (okungenani ku-Windows 7), ngakho kwadingeka ngishiye i-TLS1; ayisekeli i-cipher yamanje, ngakho-ke kwadingeka ngishiye amadala.
Kulabo abangaqondi lutho, bafunda nje, futhi abafuna ukwenza kahle, ngizokunikeza yonke i-config.
haproxy.conf
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
#ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE
-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
#ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
ssl-default-bind-options no-sslv3
ssl-server-verify none
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 15m
timeout server 15m
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend fe_rdp_tsc
bind *:443 ssl crt /etc/haproxy/cert/dektop.example.com.pem
mode http
capture request header Host len 32
log global
option httplog
timeout client 300s
maxconn 1000
stick-table type ip size 1k expire 15s store gpc0
tcp-request connection track-sc0 src
tcp-request connection reject if { sc0_get_gpc0 gt 0 }
acl rdweb_domain hdr(host) -i beg dektop.example.com
http-request deny deny_status 400 if !rdweb_domain
default_backend be_rdp_tsc
backend be_rdp_tsc
balance source
mode http
log global
stick-table type ip size 1k expire 15s store http_err_rate(10s)
acl errors_too_fast sc1_http_err_rate gt 8
acl mark_as_abuser sc0_inc_gpc0(fe_rdp_tsc) gt 0
acl clear_as_abuser sc0_clr_gpc0(fe_rdp_tsc) ge 0
tcp-request content track-sc1 src
tcp-request content reject if errors_too_fast mark_as_abuser
tcp-request content accept if !errors_too_fast clear_as_abuser
option forwardfor
http-request add-header X-CLIENT-IP %[src]
option httpchk GET /
cookie RDPWEB insert nocache
default-server inter 3s rise 2 fall 3
server rdgw01 192.168.1.33:443 maxconn 1000 weight 10 ssl check cookie rdgw01
server rdgw02 192.168.2.33:443 maxconn 1000 weight 10 ssl check cookie rdgw02
frontend fe_stats
mode http
bind *:8080
acl ip_allow_admin src 192.168.66.66
stats enable
stats uri /stats
stats refresh 30s
#stats admin if LOCALHOST
stats admin if ip_allow_admin
Kungani amaseva amabili ku-backend? Ngoba ngale ndlela ungenza ukubekezelelana kwamaphutha. I-Haproxy ingenza futhi okubili nge-ip emhlophe entantayo.
Izinsiza zekhompiyutha: ungaqala “ngamagigi amabili, ama-cores amabili, i-PC yokudlala.” Ngokuvumelana ne lokhu kuzokwanela ukukushiya.
Izinkomba:
Source: www.habr.com