[初级脚本]关于ROS安全设置的(有详细注释),欢迎拍砖,
本帖最后由 ww111222 于 2011-10-9 15:17 编辑我 真正 下功夫使用 ROS 的时间不长, 在大家的帮助下觉得自己的水平已经从幼儿园到小学 一年级啦。 发一个 脚本给大家,
欢迎大家拍砖,指正。
如果大家经常 进ROS,在日志里也许能看到 下面这样的提示,反正我是在没有设置前经常看到。
在学习了 一些教程, 又在大伙的帮助指点下,我写了一个脚本,
大概思路就是:
增加一个 超级用户组,和一个 超级用户, 并设置 登录的IP范围
将系统自带的 admin 设置复杂密码,设置登录范围,并禁用。
将系统自带的 full,write,read组的权限 全部设置为最低。
禁止 ROS 不需要的服务, 我这里只开了 winbox服务,并且更换 端口,
再禁止 MAC地址登录。
最后设置 ROS 访问防火墙
没有通关密码 则无法通过 IP地址访问ROS
欢迎高手 指点呀。
#运行方式:
1:
# 登录 WinBox,点开 files, 将 "本文件.rsc" (英文文件名!) 拖到 winbox 的 file list 里
# 在 > 状态下执行 :
# import ***.rsc
# 如果在 New Terminal 下执行,则所有的中文注释将为空。
2:
# 登录 WinBox,点 system-> scripts ,在 Script List窗口里 再点 "+"
# 增加 一个 New Script窗口。
# 将下面的代码 复制到 Source ,并 点 OK 保存。如下图:
点Run Script 运行脚本。
代码如下:
#===================================================================================
#配置 ROS 安全
#===================================================================================
# 变量 LanIP 内网网段
# 变量 CustomFullgroup 自定义最高权限用户组
# 变量 CustomAdminUserName 自定义超级用户名称
# 变量 CustomAdminUserPass 自定义超级用户密码
# 变量 PassWD IP登录ROS时的通关密码
# 变量 RosPort 登录ROS的端口
# 变量 MacLogin 是否允许ROS用MAC登录
:global LanIP "192.168.88.0/24"
:global CustomFullGroup "test"
:global CustomAdminUserName "ww111222"
:global CustomAdminUserPass "cQZAQ@wsxcDFswershjCDEN98"
:global PassWD "64888"
:global RosPort "9988"
:global MacLogin "enable"
#===================================================================================
#配置 用户
#===================================================================================
# 1、新增超级用户,设置复杂密码,并限制登录IP地址
# 2、增加一个自定义full组test,并设置权限为最高,带!表示禁用
# 3、将ROS系统默认组(full ,read, write)的权限全部设置为最低。
# 4、为admin设置复杂密码,并限制登录IP地址
#
/ user group
add comment="最高权限组" \
name=$CustomFullGroup \
policy="local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,ftp,write,policy"
/ user group
set read \
comment="系统读权限组,权限改为最低" \
policy="!local,!telnet,!ssh,!reboot,!read,!test,!winbox,!password,!web,!sniff,!sensitive,!ftp,!write,!policy"
set write \
comment="系统写权限组,权限改为最低" \
policy="!local,!telnet,!ssh,!reboot,!read,!test,!winbox,!password,!web,!sniff,!sensitive,!ftp,!write,!policy"
#不知道为什么,用脚本无法将系统自带的full权限改为全部没有!!!!
set full \
comment="系统所有权限组,权限改为最低" \
policy="!local,!telnet,!ssh,!reboot,!read,!test,!winbox,!password,!web,!sniff,!sensitive,!ftp,!write,!policy"
/ user
add name=$CustomAdminUserName \
password=$CustomAdminUserPass \
group=$CustomFullGroup \
comment="实际超级用户" \
address=$LanIP \
disable=no
/ user
set admin \
password="C!@#cq2cnzaqWWSXCDERfvbgtyhnasdfasdf" \
group=full \
comment="陷阱超级用户" \
address=$LanIP \
disable=no
#===================================================================================
#配置 WINBOX 服务
#===================================================================================
# 禁止不需要的 ROS服务,加强安全
# 将winbox服务的端口号 由 8291 改变为:自定义端口号 登录IP范围改为内网IP
/ip service
set telnet address=$LanIP disabled=yes port=23
set ftp address=$LanIP disabled=yes port=21
set www address=$LanIP disabled=yes port=80
set ssh address=$LanIP disabled=yes port=22
set www-ssl address=$LanIP certificate=none disabled=yes port=443
set api address=$LanIP disabled=yes port=8728
set winbox address=$LanIP disabled=no port=$RosPort
#===================================================================================
#配置 MAC 地址登录
#===================================================================================
# enable 允许MAC登录
# disable 禁止MAC登录
:if ($MacLogin="enable") do={/tool mac-server mac-winbox enable 0} else={/tool mac-server mac-winbox disable 0}
#===================================================================================
#更改ROS名称
#===================================================================================
#
/ system identity set name="ROS3.30_CQ"
#===================================================================================
#设置 ROS 访问防火墙
#===================================================================================
# 在些感谢 bbs.routerclub.com 论坛的 YAWPYNG 提供的脚本
# 网址:http://bbs.routerclub.com/forum.php?mod=viewthread&tid=48223
# 通关密码是"*****" <---- 自定义变量里的数字
# ROS 的端口号:前面自定义变量里的端口号
# 在浏览器输入http://你的ROS IP:****
# ROS 解析到"****"时 , 就自动将外网访问者的IP 加到address list.
# 再通过 WinBox 登录 你的ROS IP:****
/ip firewall filter
#将外网扫描的IP 拒绝访问
add action=drop chain=input comment=drop_scan_ip disabled=nosrc-address-list=drop_scan_ip
#阻挡PORT 扫描
add action=add-src-to-address-list address-list=drop_scan_ipaddress-list-timeout=1d chain=input comment=ip_scan disabled=no protocol=tcp psd=21,3s,3,1
#通关密码功能,将外网访问者的IP 加到白名单
add action=add-src-to-address-list address-list=Accept_admin_IPaddress-list-timeout=4w2d2h chain=input comment=TEMP_IP_add_to_address-list disabled=no dst-port=$PassWD protocol=tcpsrc-address-list=!Accept_admin_IP
#以下这一条是除了允许名单之外的IP 都拒绝访问自定义 PORT
add action=drop chain=input comment="" disabled=no dst-port=$RosPort protocol=tcp src-address-list=!Accept_admin_IP
bobwalker 发表于 2011-10-9 14:55 static/image/common/back.gif
为了一个登录的问题,有必要搞这么多明堂吗。把SSH过滤掉就可以了。
不好意思啦,
我 的 目的 之一 就是练习 编写脚本
之二 才是 安全, 不错的钻研精神。
用官方这个方法就很省事了。什么也不用关。并且别人也进不来。
之前已经有版主和技术支持发过这个方法
http://wiki.mikrotik.com/wiki/Port_Knocking host2318 发表于 2011-10-11 12:05 static/image/common/back.gif
不错的钻研精神。
用官方这个方法就很省事了。什么也不用关。并且别人也进不来。
Port Knocking
From MikroTik Wiki
Jump to: navigation, search
PORT KNOCKING IN MIKROTIK
In this article I want to describe how to use port knocking in mikrotik Router [ Board & OS ] . About Port Knocking :
This Feature allowed network administrators to configure Devices in more secure than default state .
In this way you can block SSH , Telnet , Mac Telnet , Winbox and etc. protocol to avoid hacking or brute force attack , and mikrotik only Listening to administrator acts and then Open That port administrator need to configure mikrotik and monitoring .
I want to block some TCP Protocols , They are may be Insecure your Router ( SSH , Telnet , Winbox ) . After administrator want to configure mikrotik , Should be Send ICMP Messages to Mirktoik And then Open or Send Web ( TCP 80 ) Rquest To mikrotik , then SSH , Telnet , Winbox Would be Opened For Specific time need .
Follow Me:/ip firewall filter
add action=add-src-to-address-list address-list=ICMP address-list-timeout=1m chain=input \
disabled=no protocol=icmp
add action=add-src-to-address-list address-list="ICMP + Http" address-list-timeout=1m chain=input
disabled=no dst-port=80 protocol=tcp src-address-list=ICMP
addaction=drop chain=input disabled=no dst-port=22,23,8291 protocol=tcp \
src-address-list="!ICMP + Http"
Explain :
we need to reminds ICMP packets received to Mikrotik , because Mikrtoik Router is to Listen to administrator , for this reason we use Address Lists . We add a new rule to filter every body send ICMP packet to Mikrtoik and this information can be valid 1 minutes for mikrotik .
add action=add-src-to-address-list address-list=ICMP address-list-timeout=1m chain=input disabled=no protocol=icmp
then , mikrotik know , for open its Connection Port ( SSH , telnet , Winbox ) Need be listen to Web ( TCP 80 ) Request and if that person send ICMP packet , now send Web Request , Is Administrator , This Condition also Can be Match by Address List .
add action=add-src-to-address-list address-list="ICMP + Http" address-list-timeout=1m chain=input disabled=no dst-port=80 protocol=tcp src-address-list=ICMP
in This step , mikrotik can be know , A Person in First Send ICMP , And Then That Person Send Web Request , So Mikrotik Open SSH , Telnet , Winbox , Only For That Person With That IP Addresses In Address List .
add action=drop chain=input disabled=no dst-port=22,23,8291 protocol=tcp src-address-list="!ICMP + Http"
For Test : After Done All Rules , you can see loss connection to mikrotik . Please test Telnet , SSH , Winbox to connect to mikrtoik . First Ping Mikrtoikt , Second Enter Mikrotik IP Address In Your browser , Then you can made connection to mirktoik with SSH or Telnet or Winbox .
能不能帮我解释一下呀。 学习了:lol
页:
[1]