For a long time I have been reading the opinion that keeping the RDP (Remote Desktop Protocol) port open to the Internet is very unsafe and should never be done. Instead, RDP access should be given either through a VPN or only from specific "whitelisted" IP addresses.
I administer several Windows Servers at small firms, where I was given the task of providing remote access to Windows Server for the accountants. This is the modern trend: working from home. I quickly realized that tormenting accountants with VPN accounts is a thankless job, and collecting all of their IPs into a whitelist would not work either, because people's IP addresses are dynamic.
So I took the simplest route and forwarded the RDP port to the outside. To get access, the accountants now only need to run an RDP client and enter the host name (including the port), their user name and their password.
In this article I will share my experience (the good and the not so good) and my recommendations.
Risks
What do you risk by opening the RDP port?
1) Unauthorized access to sensitive data
If someone guesses an RDP password, they will get the data you want to keep private: account status, balances, customer data, ...
2) Data loss
For example, because of a ransomware infection.
Or a deliberate act by the attacker.
3) Loss of the workstation
Employees need to work, but the system is compromised and has to be reinstalled/restored/repaired.
4) Compromise of the local network
Once an attacker has gained access to a Windows computer, from that computer they can reach systems that are not reachable from the outside, from the Internet. For example, file shares, network printers, and so on.
I had a case where a Windows Server caught ransomware, and this ransomware first encrypted most of the files on the C: drive and then started encrypting files on the NAS over the network. Since the NAS was a Synology with snapshots configured, I restored the NAS in 5 minutes and reinstalled the Windows Server from scratch.
Observations and recommendations
I monitor the Windows Servers using
Monitoring by itself does not protect anything, but it helps decide which measures are needed.
Here is what I noticed:
a) RDP will be brute-forced.
On one of the servers I put RDP not on the standard port 3389 but on 443, thinking I would disguise it as HTTPS. Moving away from the standard port is probably worthwhile, but it does not help much. Here are the statistics from that server:
It can be seen that in one week there were almost 400 failed RDP login attempts.
It can be seen that there were login attempts from 55 IP addresses (some of those IPs had already been blocked by me).
This leads directly to the conclusion that you need to set up fail2ban, but there is no such utility for Windows.
There are a few abandoned projects on GitHub that seem to do this, but I have not even tried installing them:
There are also paid utilities, but I did not consider them.
If you know an open-source utility for this purpose, please share it in the comments.
Update: commenters pointed out that port 443 is a poor choice and that it is better to pick a high port (32000+), because 443 is scanned much more often, and recognizing RDP on that port is not a problem.
Update: commenters pointed out that such a utility does exist:
b) There are certain user names that attackers prefer
It can be seen that the search runs through a dictionary of various names.
But here is what I noticed: a significant share of the attempts use the server name as the login. Recommendation: do not use the same name for the computer and for a user. Moreover, sometimes they appear to try to parse the server name somehow: for example, on a system named DESKTOP-DFTHD7C, the largest number of login attempts use the name DFTHD7C:
Accordingly, if you have a computer named DESKTOP-MARIA, you will probably see attempts to log in as the user MARIA.
Another thing I noticed in the logs: on most systems, the majority of login attempts use the name "administrator". And this is not without reason, because in many versions of Windows this user exists. Moreover, it cannot be deleted. This simplifies the attackers' job: instead of guessing both a name and a password, they only need to guess the password.
By the way, the system that caught the ransomware had the user Administrator with the password Murmansk#9. I am still not sure how that system was broken into, because I only started monitoring right after that incident, but I think a successful brute force is likely.
So if the Administrator user cannot be deleted, what should you do? Rename it!
Recommendations from this section:
- do not use a user name that matches the computer name
- make sure there is no user named Administrator on the system
- use strong passwords
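The three recommendations above can be checked on a machine automatically. The script below is an added example, not code from the original article: it finds the built-in Administrator by its well-known RID (the SID ending in -500, which survives a rename), flags any local user whose name equals the computer name or its part after the last hyphen (DESKTOP-DFTHD7C gives DFTHD7C), and prints the minimum password length the machine enforces. The switch name `-Fix` and the replacement account name `svc-ops` are hypothetical choices; it assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module and an elevated session for the rename.

```powershell
# Added example (not from the original article): audit a Windows host against
# the recommendations "no user named after the computer", "no user named
# Administrator" and "strong passwords" (policy only). Assumes Windows
# PowerShell 5.1 (Get-LocalUser / Rename-LocalUser) and an elevated session
# when -Fix is used. -Fix and 'svc-ops' are hypothetical choices.
param(
    [switch]$Fix,                      # actually rename the built-in account
    [string]$NewAdminName = 'svc-ops'  # hypothetical replacement name
)

$computer = $env:COMPUTERNAME
$users    = Get-LocalUser
$findings = @()

# 1. The built-in Administrator is identified by its RID (SID ending in -500),
#    so this check keeps working after the account has been renamed.
$builtin = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin -and $builtin.Name -eq 'Administrator') {
    $findings += "Built-in account is still named 'Administrator' (enabled: $($builtin.Enabled))."
}

# 2. A user whose name equals the computer name, or the part after the last
#    hyphen (DESKTOP-DFTHD7C -> DFTHD7C), is a login the dictionary will try first.
$suffix = ($computer -split '-')[-1]
foreach ($u in $users) {
    if ($u.Name -ieq $computer -or $u.Name -ieq $suffix) {
        $findings += "User '$($u.Name)' matches the computer name '$computer'."
    }
}

# 3. Password strength cannot be audited from the accounts themselves, so report
#    the minimum length the local policy enforces (parsed from 'net accounts').
$policyLine = (net accounts) -match 'Minimum password length'
$findings += "Password policy: $($policyLine -join '')"

if ($findings.Count -eq 0) { Write-Host 'No findings.' }
$findings | ForEach-Object { Write-Host $_ }

# Optional remediation for finding 1: rename the built-in account.
if ($Fix -and $builtin -and $builtin.Name -eq 'Administrator') {
    Rename-LocalUser -Name 'Administrator' -NewName $NewAdminName
    Write-Host "Renamed built-in Administrator to '$NewAdminName'."
}
```

Run it without `-Fix` first to see the findings; on a domain-joined server the domain's built-in Administrator (in Active Directory, not the local SAM) needs the same treatment separately.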
So I have been watching several Windows Servers under my control get brute-forced for a couple of years now, and so far without success on the attackers' part.
How do I know it was without success?
Because in the screenshots above you can see that there are also logs of successful RDP connections, which contain:
- the source IP
- the source computer (host name)
- the user name
- GeoIP information
And I check them regularly, and nothing suspicious has been found.
However, if a particular IP is brute-forcing especially hard, you can block individual IPs (or subnets) like this in PowerShell:
New-NetFirewallRule -Direction Inbound -DisplayName "fail2ban" -Name "fail2ban" -RemoteAddress ("185.143.0.0/16", "185.153.0.0/16", "193.188.0.0/16") -Action Block
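The rule above blocks addresses by hand, and the earlier observation that there is no fail2ban for Windows is what makes that manual. As an added example, not code from the original article, the script below automates the same idea: it reads failed logons (Event ID 4625, logon types 10 and 3, i.e. RemoteInteractive and Network for RDP with NLA) from the Security log, counts them per source IP over a time window, and appends every address that crosses a threshold to the same fail2ban firewall rule, creating the rule if it does not exist yet. The threshold, the window and the rule name are hypothetical choices; it assumes an elevated session and that logon auditing is enabled so that 4625 events are written.

```powershell
# Added example (not from the original article): a minimal fail2ban-style
# blocker for RDP on Windows. Assumptions: elevated session, "Audit Logon"
# enabled so failed logons appear in the Security log as Event ID 4625.
# Threshold, window and rule name are hypothetical choices.
param(
    [int]$Threshold = 10,           # failures from one IP before it is blocked
    [int]$WindowMinutes = 60,       # look-back window
    [string]$RuleName = 'fail2ban'  # same rule name as the manual rule above
)

# 1. Collect failed logons (4625) from the look-back window.
$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# 2. Pull source IP, logon type and target user out of the event XML.
#    Logon type 10 = RemoteInteractive (RDP), 3 = Network (RDP with NLA).
$failures = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Skip events whose source is "-" (no usable address, see usage note).
    if ($data.LogonType -in @('3', '10') -and $data.IpAddress -match '^\d{1,3}(\.\d{1,3}){3}$') {
        [pscustomobject]@{ Ip = $data.IpAddress; User = $data.TargetUserName; Time = $e.TimeCreated }
    }
}

# 3. Count failures per IP and keep the ones at or above the threshold.
$offenders = @($failures | Group-Object Ip |
               Where-Object { $_.Count -ge $Threshold } |
               ForEach-Object { $_.Name })

if ($offenders.Count -eq 0) {
    Write-Host "No IP reached $Threshold failures in the last $WindowMinutes minutes."
    return
}

# 4. Merge with addresses already in the block rule, or create the rule.
$rule = Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue
if ($rule) {
    $existing = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $merged   = @(@($existing) + $offenders | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique)
    Set-NetFirewallRule -Name $RuleName -RemoteAddress $merged
} else {
    New-NetFirewallRule -Name $RuleName -DisplayName $RuleName -Direction Inbound `
                        -Action Block -RemoteAddress $offenders | Out-Null
    $merged = $offenders
}
Write-Host "Blocked $($offenders.Count) IP(s); rule '$RuleName' now covers $($merged.Count) address(es)."
```

Run it from a scheduled task every few minutes. One caveat: with Network Level Authentication enabled, the 4625 event often records the source as "-" rather than an IP address; those events are skipped above, and the address then has to be taken from Event ID 140 in the Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational log instead. The same parsed events also carry the attempted user name (TargetUserName), which is where a per-name count like the bonus list at the end of this article comes from.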
By the way, Elastic, in addition to Winlogbeat, also has
Well, the final recommendations:
- Make regular automated backups.
- Install security updates on time.
Bonus: a list of the 50 user names most often used in RDP login attempts
user.name (descending)         Count
-----------------------------  ------
dfthd7c (host name)            842941
winsrv1 (host name)            266525
ADMINISTRATOR                  180678
administrator                  163842
Administrator                   53541
michael                         23101
server                          21983
Steve                           21936
john                            21927
paul                            21913
reception                       21909
Mike                            21899
office                          21888
scanner                         21887
scan                            21867
david                           21865
chris                           21860
owner                           21855
manager                         21852
administrator (variant)         21841
brian                           21839
administrator (variant)         21837
mark                            21824
staff                           21806
ADMIN                           12748
root                             7772
ADMINISTRATOR (variant)          7325
SUPPORT                          5577
SUPPORT (variant)                5418
USER                             4558
admin                            2832
TEST                             1928
MySql                            1664
Admin                            1652
GUEST                            1322
USER1                            1179
Scanner                          1121
SCAN                             1032
ADMINISTRATOR (variant)           842
ADMIN1                            525
BACKUP                            518
MySqlAdmin                        518
RECEPTION                         490
USER2                             466
TEMP                              452
SQLADMIN                          450
USER3                             441
1                                 422
ADMINISTRATOR (variant)           418
OWNER                             410
Rows marked "(variant)" were distinct spellings of the same word in the original list (for example localized forms of "administrator") that were merged in translation; their counts are unchanged.
Source: www.habr.com