[MikroTik] Applying connection security to IPsec

NGC
Views 6574   Recommend 0

Hello

I have an IPsec VPN open on MikroTik routers both at home and at the office, and I use it regularly.

But when I look at the log, there are VPN connection attempts from overseas every single day..

Since I don't connect to the VPN only from a fixed network,

I can't pin down a source address either. How could I block these attempts more securely?



gentoo 2018-10
Anyway, if it is L2TP+IPsec-based, authentication is by certificate or PSK (pre-shared key), so it won't be broken. Not with something like brute force...
If you're really worried, one option is to authenticate with a certificate instead of a PSK and carry the certificate with you. Otherwise, go to /ip firewall filter and make good use of address-list and address-list-timeout; you can block an IP that connects more than a certain number of times within a certain time window.
There is also a per-country IP database called geoip that is distributed as CSV. If you can roughly write a script that parses it in Python and pushes it into a MikroTik address-list, per-country IP-based packet filtering isn't that hard either. Of course, that database was originally meant for yet another add-on that plugs into xtables, the network packet filter add-on in the Linux kernel, so you have to do this somewhat complicated grunt work.
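Added example, not gentoo's code and not from the original page: a Python script that does what the reply above sketches. It reads a per-country IP CSV, keeps the networks of the chosen countries, merges adjacent and overlapping prefixes so the router gets fewer entries, and emits RouterOS `/ip firewall address-list` commands that can be pasted into a terminal or loaded with `/import`. The two-column CSV layout (`network,country_iso_code`) and all rows are constructed for the example; the real GeoLite2 country export splits this across a blocks file and a locations file joined on `geoname_id`, which you would do before calling `load_networks`.

```python
"""Turn a per-country IP CSV into a MikroTik address-list (added example)."""
import csv
import io
import ipaddress

# Constructed sample in an assumed two-column layout; not real GeoIP data.
# The real GeoLite2 country CSV splits network -> geoname_id (blocks file)
# and geoname_id -> country_iso_code (locations file); join those first.
SAMPLE_CSV = """network,country_iso_code
1.0.0.0/24,AU
1.0.1.0/24,CN
1.0.2.0/23,CN
1.16.0.0/16,KR
1.17.0.0/16,KR
1.18.0.0/15,KR
1.20.0.0/14,KR
1.16.0.0/20,KR
2001:db8::/32,KR
203.0.113.0/24,XX
"""


def load_networks(csv_text, countries):
    """Return the IPv4 networks for `countries`, merged into the fewest prefixes."""
    wanted = {c.upper() for c in countries}
    nets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["country_iso_code"].strip().upper() not in wanted:
            continue
        net = ipaddress.ip_network(row["network"].strip(), strict=False)
        if net.version == 4:  # IPv6 would go to /ipv6 firewall address-list instead
            nets.append(net)
    # Adjacent and overlapping prefixes collapse into supernets, so the
    # router stores (and matches against) far fewer entries.
    return list(ipaddress.collapse_addresses(nets))


def render_rsc(networks, list_name):
    """RouterOS commands that replace the contents of one address-list."""
    lines = [
        "/ip firewall address-list",
        f"remove [find list={list_name}]",
    ]
    lines += [f"add list={list_name} address={net} comment=geoip" for net in networks]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    kr = load_networks(SAMPLE_CSV, ["KR"])
    print(render_rsc(kr, "KR"), end="")
```

For the original poster's situation, where the connecting networks vary but are all domestic, the natural use is an allowlist rather than a blocklist: import the KR list and put a rule such as `add chain=input protocol=udp dst-port=500,4500 src-address-list=!KR action=drop` ahead of the IPsec accept rules. Country data is a coarse signal: a scanner on a domestic cloud host still gets through, so it complements certificate authentication and rate limiting rather than replacing them.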
알토냥 2018-10
As gentoo said above, if you use certificates, the chance of being broken into is practically nil.

However, if that is too much hassle, there is a way to temporarily designate the source using port knocking.

https://wiki.mikrotik.com/wiki/Port_Knocking
알토냥 2018-11
Hmm, I also recently set up an IPsec VPN at my company, and because so many attack attempts were coming in, I configured brute-force attack blocking for UDP port 500 in the firewall.

The configuration method is as follows.

https://wiki.mikrotik.com/wiki/Bruteforce_login_prevention

PS. This is the script I used.

/ip firewall filter
# Put the jump rule above the general drop rule in the input chain.
add action=jump chain=input comment="in: Jump -> IPsec (New IPsec connection to UDP:500 WAN)" connection-state=new dst-port=500 in-interface-list=WAN jump-target=IPsec protocol=udp

# The remaining rules can go anywhere you like; they are selected by chain anyway..
add action=add-src-to-address-list address-list=BlackList address-list-timeout=none-dynamic chain=IPsec comment="IPsec: Black List" log=yes log-prefix="[IPsecBlackList] " src-address-list=IPsec_stage3
add action=add-src-to-address-list address-list=IPsec_stage3 address-list-timeout=10m chain=IPsec comment="IPsec: Stage 3" src-address-list=IPsec_stage2
add action=add-src-to-address-list address-list=IPsec_stage2 address-list-timeout=10m chain=IPsec comment="IPsec: Stage 2" src-address-list=IPsec_stage1
add action=add-src-to-address-list address-list=IPsec_stage1 address-list-timeout=10m chain=IPsec comment="IPsec: Stage 1"

# Then add a rule that drops the BlackList however you prefer. I added it as a RAW rule.
/ip firewall raw
add action=drop chain=prerouting comment="Pre: Drop anyone in Black List" in-interface-list=WAN src-address-list=BlackList
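Added example, not part of 알토냥's post and not RouterOS code: a small Python model of the four staged rules above, useful for checking what the rule set actually does before putting it on a router. It assumes the RouterOS semantics the design relies on, stated as assumptions: rules in a chain are evaluated top to bottom, `add-src-to-address-list` is a passthrough action (the packet continues to the next rule), and re-adding an address refreshes its timeout. The jump rule, `connection-state=new` and interface matching are not modelled; the input is a constructed list of (seconds, source IP) "new IKE connection" events.

```python
"""Model of the staged address-list rules posted above (added example, not
RouterOS code).  Assumed RouterOS semantics, stated as assumptions:
  * rules in a chain are evaluated top to bottom;
  * add-src-to-address-list is a passthrough action, so one packet can
    match several rules in the chain;
  * re-adding an address to a dynamic list refreshes its timeout.
Times are seconds; a timeout of None means a permanent entry
(address-list-timeout=none-dynamic)."""
from collections import namedtuple

# match_list=None means the rule has no src-address-list matcher (catch-all).
Rule = namedtuple("Rule", "match_list target timeout")
TEN_MIN = 10 * 60

# The order used in the post: highest stage first, catch-all last.
POSTED_ORDER = [
    Rule("IPsec_stage3", "BlackList", None),
    Rule("IPsec_stage2", "IPsec_stage3", TEN_MIN),
    Rule("IPsec_stage1", "IPsec_stage2", TEN_MIN),
    Rule(None, "IPsec_stage1", TEN_MIN),
]
# The same four rules pasted in the opposite order, a common mistake.
REVERSED_ORDER = list(reversed(POSTED_ORDER))

# Constructed events: (seconds since start, source IP) for each new IKE
# connection that would reach the jump rule.  Not real log data.
EVENTS = sorted([
    (0, "198.51.100.7"), (30, "198.51.100.7"),     # scanner hammering UDP/500
    (60, "198.51.100.7"), (90, "198.51.100.7"),
    (0, "203.0.113.5"), (1200, "203.0.113.5"),     # normal user, 20 min apart
    (2400, "203.0.113.5"),
    (10, "203.0.113.9"), (40, "203.0.113.9"),      # flapping client retrying
    (70, "203.0.113.9"), (100, "203.0.113.9"),
])


class AddressLists:
    """Dynamic address lists keyed by (list name, address) -> expiry time."""

    def __init__(self):
        self.entries = {}

    def contains(self, name, ip, now):
        key = (name, ip)
        if key not in self.entries:
            return False
        expiry = self.entries[key]
        if expiry is not None and expiry <= now:
            del self.entries[key]  # timed out: RouterOS would have purged it
            return False
        return True

    def add(self, name, ip, now, timeout):
        self.entries[(name, ip)] = None if timeout is None else now + timeout


def run(rules, events):
    """Feed events through the chain; return {ip: time it entered BlackList}."""
    lists = AddressLists()
    banned = {}
    for now, ip in events:
        if lists.contains("BlackList", ip, now):
            continue  # the raw/prerouting drop rule swallows it
        for rule in rules:
            if rule.match_list is None or lists.contains(rule.match_list, ip, now):
                lists.add(rule.target, ip, now, rule.timeout)
        if ip not in banned and lists.contains("BlackList", ip, now):
            banned[ip] = now
    return banned


if __name__ == "__main__":
    for label, rules in (("posted order", POSTED_ORDER), ("reversed order", REVERSED_ORDER)):
        print(f"{label}: {run(rules, EVENTS)}")
```

Running it shows the property the ordering depends on: with the rules listed stage 3 first, an address climbs one stage per new connection and lands in BlackList on its fourth attempt inside the 10-minute windows, while the user who reconnects 20 minutes apart never gets past stage 1. With the same four rules reversed, every address climbs all four stages on its first packet and is banned immediately. It also shows the price of `address-list-timeout=none-dynamic`: the flapping client 203.0.113.9 is banned permanently just like the scanner, so keep a way to clear entries (`/ip firewall address-list remove [find list=BlackList address=203.0.113.9]`) or give BlackList a long but finite timeout.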

