## Open SSH Port 22 by Knocking ports 6531-->7482-->8273-->9634
## iptables-save syntax (no "iptables" prefix). Rule order is load-bearing: the "wrong packet" rule of a
## stage sits directly under that stage's knock rule, and the stages are tested from the last one down.
## Stage entries carry no --seconds, so a half-finished sequence lingers until the source sends any
## other new TCP SYN, which the --remove rules below turn into a reset.
## NOTE(review): nothing here drops port 22 for sources that have not knocked; this relies on a DROP
## policy (or a later DROP rule) on INPUT that is not shown.
## create the additional chains, one per completed knock
-N STAGE1
-N STAGE2
-N STAGE3
# Allow the connection if the IP is in the list and its last connection was no more than an hour (3600 seconds) ago
# (--update would refresh the timestamp on every hit, keeping the door open while it is in use)
#-A INPUT -p tcp --syn -m conntrack --ctstate NEW --dport 22 -m recent --update --seconds 3600 --name ACCES -j ACCEPT
# Allow a new connection if the IP is in the list and only within 10 seconds, not a second more! :-)
# (--rcheck only tests the entry and does not refresh it, so the window is counted from the last knock)
-A INPUT -p tcp --syn -m conntrack --ctstate NEW --dport 22 -m recent --rcheck --seconds 10 --name ACCES -j ACCEPT
## Opening SSH
## Any other new TCP SYN from a source in ACCES drops it from the list and is discarded. There is no
## --dport, so this also catches SYNs to unrelated services and SSH SYNs arriving after the 10 s window.
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -m recent --name ACCES --remove -j DROP
## Stages, highest first: a SYN to the expected port jumps to the stage chain; any other new SYN from a
## source holding that stage resets it, so the sequence must be sent with nothing else in between
-A INPUT -p tcp --syn -m conntrack --ctstate NEW --dport 9634 -m recent --rcheck --name 3HIT -j STAGE3
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -m recent --name 3HIT --remove -j DROP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW --dport 8273 -m recent --rcheck --name 2HIT -j STAGE2
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -m recent --name 2HIT --remove -j DROP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW --dport 7482 -m recent --rcheck --name 1HIT -j STAGE1
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -m recent --name 1HIT --remove -j DROP
## First knock: record the source in 1HIT; the knock packet itself is dropped
-A INPUT -p tcp --syn -m conntrack --ctstate NEW --dport 6531 -m recent --name 1HIT --set -j DROP
## Stage chains: promote the source to the next list and still drop the knock packet
-A STAGE1 -m recent --name 2HIT --set -j DROP
-A STAGE2 -m recent --name 3HIT --set -j DROP
-A STAGE3 -m recent --name ACCES --set -j DROP
# RouterOS variant of the knock: each intermediate list lives only 3 s, so the next knock must arrive
# within that window; the final list keeps the source allowed for a whole day (address-list-timeout=1d).
# NOTE(review): the ports are consumed in the order 9634 -> 8273 -> 7482 -> 6531, the reverse of the
# iptables rules and of the "knock ... 6531 7482 8273 9634" client commands on this page; one side has
# to be changed or the client never reaches Knock_SSH.
# NOTE(review): add-src-to-address-list does not appear to drop the packet itself, so these SYNs
# presumably continue to later input rules — confirm there is a drop for them further down if needed.
add chain=input connection-state=new protocol=tcp dst-port=9634 in-interface-list=WAN action=add-src-to-address-list address-list=Knock_stage1 address-list-timeout=3s comment="Knock for SSH ACCESS"
add chain=input connection-state=new protocol=tcp dst-port=8273 in-interface-list=WAN action=add-src-to-address-list address-list=Knock_stage2 address-list-timeout=3s src-address-list=Knock_stage1
add chain=input connection-state=new protocol=tcp dst-port=7482 in-interface-list=WAN action=add-src-to-address-list address-list=Knock_stage3 address-list-timeout=3s src-address-list=Knock_stage2
# Final stage: the source is whitelisted in Knock_SSH for one day and the event is logged with a prefix
add chain=input connection-state=new protocol=tcp dst-port=6531 in-interface-list=WAN action=add-src-to-address-list address-list=Knock_SSH address-list-timeout=1d src-address-list=Knock_stage3 log=yes log-prefix="By knocking added SSH"
и дальше делаем проброс порта SSH из списка Knock_SSH и за ним ниже сразу запрещаем его:
add chain=forward connection-state=new dst-port=22 protocol=tcp src-address-list=Knock_SSH action=accept comment="Accept Knocked to SSH"
# Everything else that is new TCP to port 22 from the WAN side is dropped. It is placed directly after the
# Knock_SSH accept rule because RouterOS filter rules are first-match; swapping the two would lock everyone out.
# NOTE(review): these are forward-chain rules, i.e. the SSH server sits behind the router; the knock rules
# are in the input chain and only populate the address list.
add chain=forward connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp action=drop
# Client side: send the four knock SYNs in order with a 500 ms gap between them (-d is in milliseconds); -v prints each hit.
# The port order must match the server-side stage rules; the iptables rules on this page expect exactly this order.
knock -v archlinux.sytes.net -d 500 6531 7482 8273 9634
# ~/.ssh/config: alias "archlinux" for the knock-protected host
Host archlinux
HostName archlinux.sytes.net
Port 22
User admin
# The Match block is intentionally empty: ssh evaluates the exec test while parsing the config,
# i.e. before it connects, which runs the knock sequence as a side effect. The command is run via the shell.
Match host archlinux.sytes.net exec "knock -v archlinux.sytes.net -d 500 6531 7482 8273 9634"
# Generate a 4096-bit RSA key in the new OpenSSH private-key format (-o) with 100 KDF rounds (-a 100).
# NOTE(review): the -C comment has leading/trailing spaces inside the quotes; harmless, but probably unintended.
ssh-keygen -o -a 100 -t rsa -b 4096 -C " admin@archlinux.sytes.net "
# Re-encrypt an existing key in place (-p) into the new format with the same KDF rounds
ssh-keygen -f ~/.ssh/id_rsa -p -o -a 100
# Install the public key on the server. Note the port: 2200 here, while the knock config on this page uses 22.
ssh-copy-id -i ~/.ssh/id_rsa.pub admin@archlinux.sytes.net -p 2200
# Ed25519 keys have a fixed size, so -b 4096 is ignored; -o is implied for this key type
ssh-keygen -a 100 -t ed25519 -b 4096 -C " admin@archlinux.sytes.net "
# Load both private keys into the running agent
ssh-add ~/.ssh/id_ed25519
ssh-add ~/.ssh/id_rsa
# ~/.ssh/config: both the short alias and the FQDN select this block
Host archlinux archlinux.sytes.net
HostName archlinux.sytes.net
User admin
# NOTE(review): 2200 here vs "Port 22" in the other Host block on this page; it must match the server
Port 2200
AddKeysToAgent yes
# UseKeychain is a macOS-specific option; other OpenSSH builds reject it unless "IgnoreUnknown UseKeychain" precedes it
UseKeychain yes
IdentityFile ~/.ssh/id_rsa
# or another key type (file name matches the ssh-add line on this page)
#IdentityFile ~/.ssh/id_ed25519
# Empty Match block whose exec test runs the knock sequence as a side effect before connecting
Match host archlinux.sytes.net exec "knock -v archlinux.sytes.net -d 500 6531 7482 8273 9634"
# "Knock" for SSTP: a TCP/443 packet whose payload contains this host name (presumably the SNI in the TLS
# ClientHello) puts the source into SSTP_Client for one minute.
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=443 content="40324-gw.ourserver" action=add-src-to-address-list address-list="SSTP_Client" address-list-timeout="00:01:00"
# Everyone else hitting 443 on the router's public address is netmapped to the internal host 192.168.1.80,
# so only SSTP_Client sources reach the router's own SSTP service.
# NOTE(review): WAN here must be an address list holding the public address (elsewhere on this page WAN is an interface list).
# NOTE(review): the knock is a cleartext string on the wire; it selects traffic, it is not authentication.
/ip firewall nat add chain=dstnat action=netmap dst-port=443 dst-address-list=WAN protocol=tcp src-address-list=!SSTP_Client to-addresses=192.168.1.80
# Client side: a single HTTPS fetch to that host name is enough to be listed
/tool fetch url=https://40324-gw.ourserver.net.ua/ mode=https keep-result=no
# Scheduler script: re-send the SSTP knock only while the tunnel is down.
# NOTE(review): "sstp-vpn" must be the exact name of the SSTP client interface on this router.
{
:if ([/interface get sstp-vpn running]=true) do={
# Uncomment to log that no knock was needed
#:log info "SSTP interface running... don't need knocking!"
} else={[/tool fetch url=https://40324-gw.ourserver.net.ua/ mode=https keep-result=no]}
}
# xt_pknock (xtables-addons) variant: one rule replaces the recent-based chains above. The four ports must be
# hit in this exact order (--strict: an out-of-order hit restarts the sequence) with at most --time seconds
# between hits; while the door "SSH" is open, new connections to port 22 are accepted, and the door closes
# again after --autoclose (minutes, per the pknock documentation — confirm). Needs the pknock module on the host.
iptables -A INPUT -p tcp -m pknock --knockports 4002,31337,2195,34344 --strict --name SSH --time 30 --autoclose 5 --dport 22 -j ACCEPT
# Client side for the pknock rule: one SYN (-S, -c 1) to each knock port, in the configured order.
# The leading "$ " is the shell prompt, not part of the command; hping3 crafts raw packets, hence sudo.
$ sudo hping3 -c 1 -S 192.168.1.5 -p 4002
$ sudo hping3 -c 1 -S 192.168.1.5 -p 31337
$ sudo hping3 -c 1 -S 192.168.1.5 -p 2195
$ sudo hping3 -c 1 -S 192.168.1.5 -p 34344
# Fetch and import the DigiCert Global Root CA so that verify-doh-cert=yes has a trust anchor
# (presumably the root of the chosen DoH server's chain — confirm for the server actually used).
# NOTE(review): unless check-certificate=yes is given, fetch does not validate the server certificate, so the
# root is obtained over an unverified connection; compare its fingerprint with DigiCert's published value.
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
# Option A: Cloudflare, addressed by IP, so no bootstrap resolver is needed once servers="" is set
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""
# Option B: Quad9 (overrides option A — pick one).
# NOTE(review): with servers="" the router has nothing left to resolve dns.quad9.net with; add a static entry
# for it (e.g. /ip dns static add name=dns.quad9.net address=9.9.9.9) or keep a plain resolver for bootstrap.
/ip dns set use-doh-server=https://dns.quad9.net/dns-query verify-doh-cert=yes
/ip dns set servers=""
# One-shot variant: download Mozilla's CCADB root bundle and import every certificate in it under the name CCADBRoots.
# NOTE(review): check-certificate=no means the bundle that becomes the trust store is fetched without TLS
# validation; verify its digest against a trusted source, or import one known root first and fetch with
# check-certificate=yes.
{
/tool fetch "https://ccadb-public.secure.force.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites" output=file check-certificate=no dst-path=/Common-CA-DB-IncludedRoots.pem
/certificate import file-name=Common-CA-DB-IncludedRoots.pem name=CCADBRoots passphrase=""
}
# Import Mozilla CCADB Roots
# Retrying variant: repeat the fetch until the bundle file exists, then import it once.
# NOTE(review): the fetch loop has no attempt limit or delay; if the download keeps failing (no route,
# DNS not yet working) the script never returns.
# NOTE(review): the bundle is fetched with check-certificate=no, i.e. the future trust store is downloaded
# without TLS validation; verify its digest against a trusted source before relying on it.
:do {
:do {/tool fetch "https://ccadb-public.secure.force.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites" output=file check-certificate=no dst-path=/Common-CA-DB-IncludedRoots.pem} \
while=([/file print count-only where name="Common-CA-DB-IncludedRoots.pem"]=0);
# NOTE(review): this guard looks for a certificate named after the .pem file, but the import stores the
# certificates under name=CCADBRoots, so the condition appears to be always true and the import re-runs on
# every call; match on the imported name instead.
:do {/certificate import file-name=Common-CA-DB-IncludedRoots.pem name=CCADBRoots passphrase=""} \
if=([/certificate print count-only where name="Common-CA-DB-IncludedRoots.pem"]=0);
}
# Temperature alert: e-mails when the board temperature leaves the [templow, temphigh] range.
# Thresholds are globals so they can be changed from the terminal without editing the script.
:global temphigh
:global templow
:set temphigh 50
:set templow 0
# NOTE(review): "/system health get temperature" is the older syntax; on newer RouterOS releases the health
# values are separate entries — confirm on the target version.
:global temptmp [/system health get temperature]
# NOTE(review): there is no hysteresis or "already alerted" flag, so a scheduler will send a mail on every
# run while the value stays out of range.
:if ($temptmp > $temphigh) do= {/tool e-mail send to=EMAIL@gmail.com subject=Warning_Temperature body="Warning!!! Router temperature - $temptmp High Degrees"}
:if ($temptmp < $templow) do= {/tool e-mail send to=EMAIL@gmail.com subject=Warning_Temperature body="Warning!!! Router temperature - $temptmp low now"}
# Run the saved script named "temperature" once (from the terminal or a scheduler entry)
/system script run temperature
### Mikrotik's logs send to e-mail
### Concatenates every entry of the in-memory log as "time message\n" and mails the whole buffer.
### NOTE(review): the body carries the full log (user names, addresses); the e-mail tool's TLS setting
### (/tool e-mail set) decides whether that leaves the router in the clear.
:global logMessages;
:set logMessages ""
:foreach i in=[/log find ] do={
:set logMessages ($logMessages. [/log get $i time ]. " ");
:set logMessages ($logMessages. [/log get $i message ]);
:set logMessages ($logMessages. "\n")
}
# Subject is prefixed with the router identity so mails from several devices can be told apart
/tool e-mail send subject="$[/system identity get name] MikroTik system logs" to="admin@ix-ua.net" body="$logMessages"
# Login monitor: mails every new "logged in" / "login failure" log entry since the previous run.
# State between runs is kept in the comment field of the scheduler entry named below (the time of the
# last entry already reported), so that scheduler entry must exist before the script is first run.
# BEGIN SETUP
:local scheduleName "LoginALERT"
:local emailAddress "admin@ix-ua.net"
# both successful logins and failures are of interest
:local startBuf [:toarray [/log find message~"logged in" || message~"login failure"]]
# entries whose message contains any of these substrings are ignored
:local removeThese {"telnet";"whatever string you want"}
# END SETUP
# warn if schedule does not exist
:if ([:len [/system scheduler find name="$scheduleName"]] = 0) do={
/log warning "[LOGMON] ERROR: Schedule does not exist. Create schedule and edit script to match name"
}
# get last time (the scheduler comment doubles as persistent storage for the last reported entry time)
:local lastTime [/system scheduler get [find name="$scheduleName"] comment]
# for checking time of each log entry
:local currentTime
# log message
:local message
# final output (declared without a value; the first :set below appends to it)
:local output
:local keepOutput false
# if lastTime is empty, set keepOutput to true
:if ([:len $lastTime] = 0) do={
:set keepOutput true
}
:local counter 0
# loop through all log entries that have been found
:foreach i in=$startBuf do={
# loop through all removeThese array items
:local keepLog true
:foreach j in=$removeThese do={
# if this log entry contains any of them, it will be ignored
:if ([/log get $i message] ~ "$j") do={
:set keepLog false
}
}
:if ($keepLog = true) do={
:set message [/log get $i message]
# LOG DATE
# depending on log date/time, the format may be different. 3 known formats
# format of jan/01/2002 00:00:00 which shows up at unknown date/time. Using as default
# NOTE(review): the lengths and :pick offsets below assume the "jan/01/2002" date style; RouterOS 7.10+
# prints dates as "2002-01-01", which changes both the lengths tested and the year/day positions — confirm
# on the target version (the second backup script on this page already uses the new offsets).
:set currentTime [ /log get $i time ]
# format of 00:00:00 which shows up on current day's logs
:if ([:len $currentTime] = 8 ) do={
:set currentTime ([:pick [/system clock get date] 0 11]." ".$currentTime)
} else={
# format of jan/01 00:00:00 which shows up on previous day's logs
:if ([:len $currentTime] = 15 ) do={
:set currentTime ([:pick $currentTime 0 6]."/".[:pick [/system clock get date] 7 11]." ".[:pick $currentTime 7 15])
}
}
# if keepOutput is true, add this log entry to output
:if ($keepOutput = true) do={
:set output ($output.$currentTime." ".$message."\r\n")
}
# if currentTime = lastTime, set keepOutput so any further logs found will be added to output
# reset output in the case we have multiple identical date/time entries in a row as the last matching logs
# otherwise, it would stop at the first found matching log, thus all following logs would be output
:if ($currentTime = $lastTime) do={
:set keepOutput true
:set output ""
}
}
# if this is last log entry
:if ($counter = ([:len $startBuf]-1)) do={
# If keepOutput is still false after loop, this means lastTime has a value, but a matching currentTime was never found.
# This can happen if 1) The router was rebooted and matching logs stored in memory were wiped, or 2) An item is added
# to the removeThese array that then ignores the last log that determined the lastTime variable.
# This resets the comment to nothing. The next run will be like the first time, and you will get all matching logs
:if ($keepOutput = false) do={
# if previous log was found, this will be our new lastTime entry
:if ([:len $message] > 0) do={
:set output ($output.$currentTime." ".$message."\r\n")
}
}
}
:set counter ($counter + 1)
}
# If we have output, save new date/time, and send email
# NOTE(review): written as bare "if" while every other conditional in this script uses ":if"; use the
# colon form for consistency (and confirm the bare form is accepted on the target version).
if ([:len $output] > 0) do={
/system scheduler set [find name="$scheduleName"] comment=$currentTime
/tool e-mail send to="$emailAddress" subject="MikroTik alert $currentTime" body="$output"
/log info "[LOGMON] New logs found, send email"
}
# Backup script ("mmm/dd/yyyy" date variant): saves a password-protected binary backup and a verbose
# export, mails each as an attachment, and removes previous backup files first.
# NOTE(review): the :pick offsets 0-3 / 4-6 / 7-11 assume the date is printed as "jan/01/2002"; RouterOS
# 7.10+ prints "2002-01-01" — the second copy of this script on the page uses the offsets for that format.
{
:log info "Starting Backup Script...";
:local sysname [/system identity get name];
:local sysver [/system package get system version];
:local model [/system routerboard get model];
:delay 2;
:log info "Deleting last Backups...";
# Remove earlier backups whose name contains "<identity>.backup"; the exported .rsc files from earlier
# runs are not matched here and stay on the flash until removed by hand
:foreach i in=[/file find] do={:if ([:typeof [:find [/file get $i name] "$sysname.backup"]]!="nil") do={/file remove $i}};
:delay 2;
:local EMail "admin@ix-ua.net";
# Name: (mmm.dd.yyyy)<model>-v<version>.<identity>.backup
:local backupfile ("(" . [:pick [/system clock get date] 0 3 ] . "." . [:pick [/system clock get date] 4 6] . "." . [:pick [/system clock get date] 7 11] . ")$model-v$sysver.$sysname.backup");
:log info "Creating new Full Backup file...";
# The password encrypts the backup; without it the file, which holds every credential on the router, is mailed in the clear
/system backup save password=YOURPASS name=$backupfile; ### <---- set YOURPASS or delete all "password=YOURPASS"
:delay 2;
:log info "Sending Full Backup file via E-mail...";
/tool e-mail send to=$EMail file=$backupfile \
subject=("$sysname Full Backup (" . [/system clock get date] . ")") \
body=("$sysname full Backup file see in attachment.\nRouterOS version: \
$sysver\nTime and Date stamp: " . [/system clock get time] . " " . \
[/system clock get date]);
:delay 5;
# Export name: <identity>-backup-yyyymmmdd.rsc (year, then month abbreviation, then day)
:local exportfile ("$sysname-backup-" . \
[:pick [/system clock get date] 7 11] . [:pick [/system \
clock get date] 0 3] . [:pick [/system clock get date] 4 6] . ".rsc");
:log info "Creating new Setup Script file...";
/export verbose file=$exportfile;
:delay 2;
:log info "Sending Setup Script file via E-mail...";
/tool e-mail send to=$EMail file=$exportfile \
subject=("$sysname Setup Script Backup (" . [/system clock get date] . \
")") body=("$sysname Setup Script file see in attachment.\nRouterOS \
version: $sysver\nTime and Date stamp: " . [/system clock get time] . " \
" . [/system clock get date]);
:delay 5;
:log info "All System Backups emailed successfully.\nBackuping completed.";
}
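# Backup script for RouterOS releases that print the date as "yyyy-mm-dd" (7.10+): saves a
# password-protected binary backup and a verbose export, mails each as an attachment, and removes
# previous backup files first. Both file names read the date with the offsets 0-4 (year),
# 5-7 (month) and 8-10 (day).
{
:log info "Starting Backup Script...";
:local sysname [/system identity get name];
:local sysver [/system package get system version];
:local model [/system routerboard get model];
:delay 2;
:log info "Deleting last Backups...";
# Remove earlier backups whose name contains "<identity>.backup"; the exported .rsc files from earlier
# runs are not matched here and stay on the flash until removed by hand
:foreach i in=[/file find] do={:if ([:typeof [:find [/file get $i name] "$sysname.backup"]]!="nil") do={/file remove $i}};
:delay 2;
:local EMail "admin@ix-ua.net";
# Name: (dd.mm.yyyy)<model>-v<version>.<identity>.backup
:local backupfile ("(" . [:pick [/system clock get date] 8 10 ] . "." . [:pick [/system clock get date] 5 7] . "." . [:pick [/system clock get date] 0 4] . ")$model-v$sysver.$sysname.backup");
:log info "Creating new Full Backup file...";
# The password encrypts the backup; without it the file, which holds every credential on the router, is mailed in the clear
/system backup save password=YOURPASS name=$backupfile; ### <---- set YOURPASS or delete all "password=YOURPASS"
:delay 2;
:log info "Sending Full Backup file via E-mail...";
/tool e-mail send to=$EMail file=$backupfile \
subject=("$sysname Full Backup (" . [/system clock get date] . ")") \
body=("$sysname full Backup file see in attachment.\nRouterOS version: \
$sysver\nTime and Date stamp: " . [/system clock get time] . " " . \
[/system clock get date]);
:delay 5;
# Export name: <identity>-backup-yyyymmdd.rsc, using the same "yyyy-mm-dd" offsets as the backup name.
# (The previous version still used the "mmm/dd/yyyy" offsets 7-11 / 0-3 / 4-6 here, which on a
# "yyyy-mm-dd" date produce a garbled name such as "<identity>-backup-18202-0.rsc".)
:local exportfile ("$sysname-backup-" . [:pick [/system clock get date] 0 4] . [:pick [/system clock get date] 5 7] . [:pick [/system clock get date] 8 10] . ".rsc");
:log info "Creating new Setup Script file...";
/export verbose file=$exportfile;
:delay 2;
:log info "Sending Setup Script file via E-mail...";
/tool e-mail send to=$EMail file=$exportfile \
subject=("$sysname Setup Script Backup (" . [/system clock get date] . \
")") body=("$sysname Setup Script file see in attachment.\nRouterOS \
version: $sysver\nTime and Date stamp: " . [/system clock get time] . " \
" . [/system clock get date]);
:delay 5;
:log info "All System Backups emailed successfully.\nBackuping completed.";
}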
# Piecewise export of three configuration sections to separate .rsc files (typed at the root prompt,
# hence no leading "/")
ip firewall export file=ip-firewall.rsc
ip pool export file=ip-pool.rsc
ip route export file=ip-route.rsc
# Replay them on the target router. Each .rsc is a script of "add"/"set" commands run against the live
# configuration; existing entries are not removed first, so importing over an already configured section
# duplicates its rules.
import file=ip-firewall.rsc
import file=ip-pool.rsc
import file=ip-route.rsc
# Backup to an FTP server. Saved on the router as the script "BackupsToFTP" and started by the last line.
# The Cyrillic values below are placeholders (nickname, server name, login, password) to be filled in.
# NOTE(review): mode=ftp transfers the FTP credentials and both files in cleartext, and the backup is saved
# without password=, i.e. unencrypted with every secret on the router inside. Save it with a password and,
# where the RouterOS version offers one, use an encrypted upload mode instead of ftp.
# NOTE(review): "local" is written without the leading colon used elsewhere on this page (:local); confirm
# it parses on the target version.
{
local username "никнейм"
#ftp account
local ftphost "имя сервера"
local ftpuser "логин"
local ftppassword "пароль"
local ftppath "/uploads/Administrators/mikrotik-backups"
#create full system backup files
/system backup save name="$username.backup"
:delay 30s;
#create config export files
/export compact file="$username.rsc"
:delay 30s;
# upload the system backup
:log info message="Uploading system backup"
/tool fetch address="$ftphost" src-path="$username.backup" user="$ftpuser" mode=ftp password="$ftppassword" dst-path="$ftppath/$username.backup" upload=yes
:delay 30s;
# upload the config export
:log info message="Uploading config export"
/tool fetch address="$ftphost" src-path="$username.rsc" user="$ftpuser" mode=ftp password="$ftppassword" dst-path="$ftppath/$username.rsc" upload=yes
:delay 30s;
# find file name $username- then remove
# (matches on the substring "$username" only, so any other file whose name contains it is deleted too)
:foreach i in=[/file find] do={ :if ([:typeof [:find [/file get $i name] "$username"]]!="nil") do={/file remove $i}; }
:log info message="Configuration backup finished.";
}
# Run the saved script once (or point a scheduler entry at it)
/system script run BackupsToFTP