[¹ÌÅ©·Îƽ] ipsec Á¢¼Óº¸¾È Àû¿ë°ü·Ã

NGC   
   Á¶È¸ 5933   Ãßõ 0    

안녕하세요

집에서도, 회사에서도 미크로틱으로 IPSEC VPN을 하나 열어놓고 사용중입니다.

그런데 Log를 보면 해외에서 vpn접속 시도가 매일같이 이루어지네요..

제가 VPN접속시 정해진 네트웍 망에서만 접속하는게 아니라서

Source를 지정할수도 없는데 어떻게 하는게 더 보안적으로 안전하게 차단할 수 있을까요?



gentoo 2018-10
¾îÂ÷ÇÇ l2tp+ipsec±â¹ÝÀ̸é ÀÎÁõ¼­/psk(pre-shared-key) ÀÎÁõ ¹æ½ÄÀε¥ ¾È¶Õ¸³´Ï´Ù. broot-force°°Àº°É·Î´Â...
Á¤ °ÆÁ¤µÇ½Ã¸é psk ¸»°í ÀÎÁõ¼­·Î ÀÎÁõ ¹Þ°Ô ÇϽðí ÀÎÁõ¼­¸¦ µé°í´Ù´Ï½Ã´Â ¹æ¹ý Á¤µµ°¡ Àְڳ׿ä. ¾Æ´Ï¸é /ip firewall filter¿¡ °¡¼Å¼­ address-list¿Í address-list-timeoutÀ» Àß È°¿ëÇϽøé ƯÁ¤ ½Ã°£ ¾È¿¡ ƯÁ¤ Ƚ¼ö ÀÌ»ó Á¢¼Ó½Ã ÇØ´ç ip¸¦ ºí·ÏÇÒ ¼öµµ ÀÖ½À´Ï´Ù.
geoip¶ó´Â ±¹°¡º° ip db°¡ csv·Î ³ª¿Â°Ô Àִµ¥ ÀÌ°É ÆÄÀ̽ãÀ¸·Î ÆĽÌÇϼż­ ¹ÌÅ©·Îƽ address-list¿¡ Áý¾î³Ö´Â ½ºÅ©¸³Æ®¸¦ ´ëÃæ Â¥½Ç ¼ö ÀÖ´Ù¸é ±¹°¡º° ip ±â¹Ý ÆÐŶ ÇÊÅ͸µµµ ±×¸® ¾î·ÆÁö ¾Ê°Ô ÇÏ½Ç ¼ö ÀÖ°í¿ä. ¹°·Ð ÀÌ°Ç ¿ø·¡ ¸®´ª½º Ä¿³Î¿¡ ÀÖ´Â xtables¶ó´Â ³×Æ®¿÷ ÆÐŶ ÇÊÅÍ ¾Öµå¿Â¿¡ µé¾î°¡´Â ¶Ç´Ù¸¥ ¾Öµå¿Â¿¡ ¾²´Â°Å¶ó ÀÌ·± ´Ù¼Ò º¹ÀâÇÑ »ðÁúÀ» ÇؾßÇϴ°ÅÁö¸¸¿ä
¾ËÅä³É 2018-10
À§ÀÇ gentoo´ÔÀÌ ¸»¾¸ÇÑ´ë·Î ÀÎÁõ¼­À» ÀÌ¿ëÇÏ¸é ¶Õ¸± °¡´É¼ºÀº »ç½Ç»ó °ÅÀÇ ¾ø½À´Ï´Ù.

´Ù¸¸ ÀÌ°Ô ±ÍÂúÀ¸½Ã´Ù¸é Source¸¦ PortKnockingÀ» ÀÌ¿ëÇÏ¿© ÀÓ½ÃÁöÁ¤ÇÏ´Â ¹æ¹ýÀÌ ÀÖ½À´Ï´Ù.

https://wiki.mikrotik.com/wiki/Port_Knocking
¾ËÅä³É 2018-11
Èì Àúµµ ÃÖ±Ù¿¡ IPSEC VPNÀ» ȸ»ç¿¡ ±¸ÃàÇÏ°í ³Ê¹« °ø°Ý ½Ãµµ°¡ ¸¹ÀÌ µé¾î¿À±æ·¡ UDPÆ÷Æ® 500¿¡ ´ëÇØ ¹æÈ­º®À¸·Î BruteForce °ø°Ý Â÷´ÜÀ» °É¾ú½À´Ï´Ù.

¼³Á¤¹ýÀº ´ÙÀ½°ú °°½À´Ï´Ù.

https://wiki.mikrotik.com/wiki/Bruteforce_login_prevention

ps. Á¦°¡ ÀÌ¿ëÇÑ ½ºÅ©¸³Æ®ÀÔ´Ï´Ù.

/ip firewall filter
#  Jump ·êÀÇ °æ¿ì Input·ê¿¡¼­ Àüü Â÷´Ü ·ê º¸´Ù À§ÂÊÀ¸·Î ³õ¾ÆµÎ½Ã¸é µË´Ï´Ù.
add action=jump chain=input comment="in: Jump -> IPsec (New IPsec connection to UDP:500 WAN)" connection-state=new dst-port=500 in-interface-list=WAN jump-target=IPsec protocol=udp

# ³ª¸ÓÁö ·êÀº ¾Æ¹«°÷À̳ª ¿øÇÏ´Â °÷¿¡ ¹Ú¾ÆµÎ¼¼¿ä. ¾îÂ¥ÇÇ Ã¼Àο¡ µû¶ó¼­ ¿òÁ÷À̱⠶§¹®¿¡..
add action=add-src-to-address-list address-list=BlackList address-list-timeout=none-dynamic chain=IPsec comment="IPsec: Black List" log=yes log-prefix="IPsecBlackList] " src-address-list=IPsec_stage3
add action=add-src-to-address-list address-list=IPsec_stage3 address-list-timeout=10m chain=IPsec comment="IPsec: Stage 3" src-address-list=IPsec_stage2
add action=add-src-to-address-list address-list=IPsec_stage2 address-list-timeout=10m chain=IPsec comment="IPsec: Stage 2" src-address-list=IPsec_stage1
add action=add-src-to-address-list address-list=IPsec_stage1 address-list-timeout=10m chain=IPsec comment="IPsec: Stage 1"

# ±×¸®°í BlackList¸¦ Â÷´ÜÇÏ´Â ·êÀ» ¿øÇϽô ¹æ¹ýÀ¸·Î Ãß°¡Çϼ¼¿ä. Àú´Â RAW·ê¿¡ Ãß°¡Çß½À´Ï´Ù.
/ip firewall raw
add action=drop chain=prerouting comment="Pre: Drop anyone in Black List" in-interface-list=WAN src-address-list=BlackList


Á¦¸ñPage 3293/102
°Ô½Ã¹°ÀÌ ¾ø½À´Ï´Ù.