Remote work in the office. RDP, Port Knocking, Mikrotik: simple and secure

Because of the covid-19 pandemic and the general isolation in many countries, the only way many companies keep operating is remote access to their workplaces over the Internet. There are quite a few relatively secure methods of remote work, but given the scale of the problem, what is needed is a method that lets any user connect to the office from afar without extra setup, explanations, tedious consultations and long instructions. Many administrators favour RDP (Remote Desktop Protocol) for this. Connecting directly to the workplace over RDP solves our problem nicely, with one big fly in the ointment: leaving the RDP port open to the Internet is not safe at all. So below I propose a simple but reliable way to protect it.

Since I often deal with small organizations that use Mikrotik devices as their Internet gateway, below I will show how to do this on Mikrotik, but the Port Knocking protection method can just as easily be applied on other higher-end devices that have similar input routing and firewall settings.

Briefly about Port Knocking. Proper external protection of a network connected to the Internet is when all services and ports are closed to the outside by the firewall. And although a router with a configured firewall does not react in any way to packets arriving from outside, it does see them. So the router can be configured so that when it receives a certain sequence (a code) of network packets on different ports, it opens access to certain resources (ports, protocols, etc.) for the IP address those packets came from.

Now to the point. I will not give a detailed description of setting up the firewall on Mikrotik; the Internet is full of quality sources for that. Properly, the firewall blocks all incoming packets, but

/ip firewall filter
add action=accept chain=input comment="established and related accept" connection-state=established,related

allows incoming traffic that belongs to connections which are already established (established, related).
Now we configure Port Knocking on Mikrotik:

/ip firewall filter
add action=drop chain=input dst-port=19000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=drop chain=input dst-port=16000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=add-src-to-address-list address-list="remote_port_1" address-list-timeout=1m chain=input dst-port=19000 protocol=tcp comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=19001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=18999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=16001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=15999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="allow_remote_users" address-list-timeout=1m chain=input dst-port=16000 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
move [/ip firewall filter find comment=RemoteRules] 1
/ip firewall nat
add action=dst-nat chain=dstnat comment="remote_rdp" src-address-list="allow_remote_users" dst-port=33890 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.33 to-ports=3389

Now in more detail:

The first two rules

/ip firewall filter
add action=drop chain=input dst-port=19000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules
add action=drop chain=input dst-port=16000 protocol=tcp src-address-list="Black_scanners" comment=RemoteRules

drop packets to the two knock ports from IP addresses that were put on the Black_scanners list during a port scan; because these rules come first in the chain, a blacklisted host cannot knock at all while its 60-minute entry lasts;

The third rule:

add action=add-src-to-address-list address-list="remote_port_1" address-list-timeout=1m chain=input dst-port=19000 protocol=tcp comment=RemoteRules

adds the source IP to the list of hosts that made the correct first knock on the required port (19000); the entry lives for 1 minute;
The next four rules:

add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=19001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=18999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=16001 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules
add action=add-src-to-address-list address-list="Black_scanners" address-list-timeout=60m chain=input dst-port=15999 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules

create trap ports for anyone who wants to scan your ports: a host that is already on remote_port_1 (it has hit 19000) and then touches one of the neighbouring ports (19001, 18999, 16001 or 15999) is put on the block list for 60 minutes, after which the first two rules deny such hosts any chance to knock on the correct ports. A sequential scanner walking up or down through the range therefore runs straight into a trap right after the first knock port;

The next rule:

add action=add-src-to-address-list address-list="allow_remote_users" address-list-timeout=1m chain=input dst-port=16000 protocol=tcp src-address-list="remote_port_1" comment=RemoteRules

puts the IP on the allowed list for 1 minute (enough to establish a connection), once the second correct knock has been made on the required port (16000) by a host that is already on remote_port_1;

The next command:

move [/ip firewall filter find comment=RemoteRules] 1

moves our rules up in the firewall processing chain, since most likely we already have various blocking rules configured that would stop the newly created ones from ever being reached. Rule numbering in Mikrotik starts from zero, but on my device position zero held a built-in rule that could not be moved, so I moved ours to 1. So look at your own configuration to see where the rules can go and specify the number you need. The knock rules must end up above any rule that drops input traffic from the WAN, otherwise the knocks are discarded before they can populate the address lists.

The next setting:

/ip firewall nat
add action=dst-nat chain=dstnat comment="remote_rdp_to_33" src-address-list="allow_remote_users" dst-port=33890 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.33 to-ports=3389

forwards the randomly chosen external port 33890 to the standard RDP port 3389 on the IP of the computer or terminal server we need. We create such rules for every internal resource that is needed, preferably with non-standard (and different) external ports. Naturally, the IP addresses of the internal resources must be static or pinned by the DHCP server. Keep in mind that the address lists key on the source address: once one person behind a shared office or home NAT has knocked, every host behind that same public address can reach port 33890 for that minute.
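Before putting the rules above on a router it helps to see what the ordered chain and the address-list timeouts actually do to a legitimate knock, a sequential scan and an out-of-order knock. The following Python model is an added example, not RouterOS code from the page: it replays the eight input-chain rules in the order given above, treats add-src-to-address-list as the passthrough action it is in RouterOS, assumes the default-deny input policy the page says the firewall should have, and models the dst-nat rule as "forwarded only while the source is in allow_remote_users". All IP addresses and timestamps below are constructed for the example.

```python
"""Model of the page's Port Knocking ruleset (added example, not RouterOS code)."""
from dataclasses import dataclass, field

MINUTE = 60


@dataclass
class AddressLists:
    """RouterOS-style dynamic address lists: (list, ip) -> expiry time in seconds."""
    entries: dict = field(default_factory=dict)

    def add(self, name: str, ip: str, timeout: int, now: float) -> None:
        # address-list-timeout: re-adding an address refreshes its timer
        self.entries[(name, ip)] = now + timeout

    def contains(self, name: str, ip: str, now: float) -> bool:
        expiry = self.entries.get((name, ip))
        return expiry is not None and now < expiry


# The input-chain rules from the page, in processing order:
# (dst_port, required src-address-list or None, action, list to add to, timeout).
INPUT_RULES = [
    (19000, "Black_scanners", "drop", None, 0),
    (16000, "Black_scanners", "drop", None, 0),
    (19000, None, "add", "remote_port_1", 1 * MINUTE),                 # first knock
    (19001, "remote_port_1", "add", "Black_scanners", 60 * MINUTE),    # trap ports around
    (18999, "remote_port_1", "add", "Black_scanners", 60 * MINUTE),    # the real ones
    (16001, "remote_port_1", "add", "Black_scanners", 60 * MINUTE),
    (15999, "remote_port_1", "add", "Black_scanners", 60 * MINUTE),
    (16000, "remote_port_1", "add", "allow_remote_users", 1 * MINUTE), # second knock
]


def process_input(lists: AddressLists, src: str, dst_port: int, now: float) -> str:
    """Run one TCP packet addressed to the router through the input chain.

    add-src-to-address-list is a passthrough action, so the packet keeps going
    after it; a blacklisted source hits the drop rules first and never reaches
    the knock rules. Anything that falls off the end is dropped by the assumed
    default-deny rule ("default-drop"), which is still a drop on the wire.
    """
    for port, src_list, action, add_to, timeout in INPUT_RULES:
        if dst_port != port:
            continue
        if src_list and not lists.contains(src_list, src, now):
            continue
        if action == "drop":
            return "drop"
        lists.add(add_to, src, timeout, now)
    return "default-drop"


def rdp_allowed(lists: AddressLists, src: str, now: float) -> bool:
    """The dst-nat rule: tcp/33890 is forwarded to 192.168.1.33:3389 only while
    the source is on allow_remote_users. Only the first packet of the RDP session
    needs this; the rest of the session matches established,related."""
    return lists.contains("allow_remote_users", src, now)


def scan(lists: AddressLists, src: str, ports, start: float = 0.0) -> list:
    """Send one packet per port, one second apart; return the verdict for each."""
    return [process_input(lists, src, p, start + i) for i, p in enumerate(ports)]


if __name__ == "__main__":
    lists = AddressLists()
    # Constructed traffic: a user knocks 19000 then 16000 and connects within a minute.
    scan(lists, "203.0.113.5", [19000, 16000])
    print("user allowed at t=2:", rdp_allowed(lists, "203.0.113.5", 2))
    print("user allowed at t=70:", rdp_allowed(lists, "203.0.113.5", 70))  # 1m timeout
    # A sequential scanner hits 19000, then the 19001 trap, and is blacklisted.
    print("scanner verdicts:", scan(lists, "198.51.100.9", [19000, 19001, 19000]))
    print("scanner allowed:", rdp_allowed(lists, "198.51.100.9", 5))
    # Knocking in the wrong order does nothing.
    scan(lists, "192.0.2.7", [16000, 19000])
    print("reversed knock allowed:", rdp_allowed(lists, "192.0.2.7", 3))
```

The model also makes the weak spot visible: a scanner that happens to hit 19000 and then 16000 within a minute without touching a trap port is let in, which is why the closing section suggests adding more ports to the sequence.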

Now our Mikrotik is configured and we need a simple procedure for the user to connect to our internal RDP. Since most of the time we have Windows users, we create a simple bat file and call it StartRDP.bat:

1.htm
1.rdp

accordingly, 1.htm contains the following code:

<img src="http://my_router.sn.mynetname.net:19000/1.jpg">
refresh the page to reconnect via RDP
<img src="http://my_router.sn.mynetname.net:16000/2.jpg">

this contains two links to imaginary images located at the address my_router.sn.mynetname.net; we take this address from the Mikrotik DDNS system after enabling it on our Mikrotik: go to the IP -> Cloud menu, tick the DDNS Enabled box, click Apply and copy the DNS name of our router. This is only necessary if the router's external IP is dynamic or a configuration with several Internet providers is used.

The port in the first link, 19000, corresponds to the first port to knock on; the second link corresponds to the second knock. Between the links there is a short instruction showing what to do if our connection is suddenly interrupted by brief network problems: refresh the page, the RDP port is opened again for 1 minute and our session is restored. Also, the text between the img tags creates a small delay in the browser, which reduces the chance that the request to the second port (16000) is delivered before the one to the first; so far there have been no such cases in two weeks of use (30 people).

Next comes the 1.rdp file, which we can prepare for everyone or individually for each user (which is what I did; it is easier to spend an extra 15 minutes than a few hours on the phone with those who cannot explain to you what they see)

screen mode id:i:2
use multimon:i:1
.....
connection type:i:6
networkautodetect:i:0
.....
disable wallpaper:i:1
.....
full address:s:my_router.sn.mynetname.net:33890
.....
username:s:myuserlogin
domain:s:mydomain

One interesting setting here is use multimon:i:1 - this enables the use of multiple monitors; some people need this but do not think of turning it on for themselves.

connection type:i:6 and networkautodetect:i:0 - since most Internet links are now above 10 Mbit, we set connection type 6 (LAN, 10 Mbit and above) and disable networkautodetect, because if the default (automatic) is left, even a small occasional network latency makes the client drop the session to a low speed setting for a long time, which causes noticeable delays in work, especially in graphics-heavy applications.

disable wallpaper:i:1 - disables the desktop wallpaper
username:s:myuserlogin - we specify the user name, since a large part of our users cannot remember their login
domain:s:mydomain - specify the domain or computer name

But if we want to simplify the job of creating the connection procedure, we can also use PowerShell - StartRDP.ps1

# Knock 1: the router adds our public IP to remote_port_1. No reply is expected, so the
# cmdlet waits for its connect timeout and reports TcpTestSucceeded : False; that is fine.
Test-NetConnection -ComputerName my_router.sn.mynetname.net -Port 19000 -WarningAction SilentlyContinue
# Knock 2: accepted only because knock 1 landed within the last minute (cmdlets run in order)
Test-NetConnection -ComputerName my_router.sn.mynetname.net -Port 16000 -WarningAction SilentlyContinue
# Connect within 1 minute; the dst-nat rule forwards 33890 to the RDP host
mstsc /v:my_router.sn.mynetname.net:33890
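The same client procedure can be written so that it does not wait for the full TCP connect timeout on every knock and does not launch the RDP client if a knock could not be sent at all. The Python script below is an added example, not the author's script: it reuses the page's host name, knock order and external RDP port as assumptions for your own setup, uses a short socket timeout because the router silently drops the knock (a timeout or a refused connection both mean the SYN went out), pauses between knocks so they arrive in the right order, and only then starts mstsc.

```python
"""Port-knock client for the ruleset on this page (added example, not the page's script)."""
import socket
import subprocess
import sys
import time

ROUTER = "my_router.sn.mynetname.net"   # assumption: the Mikrotik DDNS name from the page
KNOCK_PORTS = (19000, 16000)            # must match the filter rules, in this order
RDP_PORT = 33890                        # external port dst-nat'ed to 3389 on the RDP host
KNOCK_DELAY = 0.5                       # seconds between knocks so they arrive in order


def send_knock(host: str, port: int, timeout: float = 1.0) -> str:
    """Send one TCP SYN to host:port and report what happened.

    "timeout" is the normal outcome against a knocking router that drops the
    packet, "refused" means an RST came back, "connected" means something is
    actually listening, "error" means the SYN never left (e.g. DNS failure).
    The knock counts as sent in every case except "error".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"


def knock(host: str, ports=KNOCK_PORTS, delay: float = KNOCK_DELAY,
          timeout: float = 1.0) -> list:
    """Send the whole knock sequence in order, pausing between ports."""
    results = []
    for i, port in enumerate(ports):
        if i:
            time.sleep(delay)
        results.append((port, send_knock(host, port, timeout)))
    return results


def knock_ok(results) -> bool:
    """True when every knock in the sequence was actually sent."""
    return bool(results) and all(status != "error" for _, status in results)


def main() -> int:
    results = knock(ROUTER)
    for port, status in results:
        print(f"knock {ROUTER}:{port} -> {status}")
    if not knock_ok(results):
        print("knock sequence failed; not launching mstsc", file=sys.stderr)
        return 1
    # allow_remote_users lives for 1 minute, so connect straight away.
    subprocess.run(["mstsc", f"/v:{ROUTER}:{RDP_PORT}"])
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python StartRDP.py` on the user's machine; if the session drops, running it again repeats the knocks and reopens the port for another minute, exactly as refreshing 1.htm does.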

And a little about the RDP client in Windows: MS has come a long way in developing the protocol and its server and client components, implementing many useful features such as hardware 3D support, adapting the resolution to your monitor, multiple screens, etc. However, everything is implemented in backward-compatible mode, and if the client is Windows 7 and the remote PC is Windows 10, RDP will work using protocol version 7.0. Fortunately, RDP can be updated to newer versions; for example, the protocol version can be raised from 7.0 (Windows 7) to 8.1. So, to make life easier for your users, raise the versions on the server side and also give them links to updated RDP protocol clients.

As a result, we have a simple and relatively secure technology for remote connection to a work PC or terminal server. Our Port Knocking method can be made many orders of magnitude harder to attack by adding ports to the check: using the same logic you can add a 3rd, 4th, 5th, 6th ... port, and in that case guessing your way into the network directly becomes practically impossible. Bear in mind what this defends against: the knock sequence hides the RDP port from scanners and brute-force bots, but it is sent unencrypted and unauthenticated, so anyone who can observe a user's traffic can repeat it, and the RDP host itself still needs strong passwords, account lockout and current patches.

File settings for creating a remote RDP connection.

Source: www.habr.com
