Increase the security of the RemoteApp server
It's no secret that the RemoteApp technology implemented in Windows 2008 is Microsoft's answer to the technologies for accessing Citrix applications. All anything, but to use this technology in everyday life, without the presence of RD Gateway, you need an open outside RDP Port tcp / 3389. Watching my terminal servers, I discovered that the servers are constantly undergoing brute-force attacks against various user passwords.
In order not to tempt fate, I slightly modified the RDP access scheme.
Since the servers are in most cases located behind the router from which the port is being forwarded to the terminal server, we will make a knight's move and we will dynamically open port 3389 for those who have logged in correctly.
To do this, we edit the Windows \ Web \ RDWeb \ Pages \ Default.aspx file , adding some new functionality to it.
')
When loading a portal page with a Remote Application list, iis internal authentication is used. The above script will be executed only if the authorization is correct.
On the router set "net-mgmt / pftabled".
create a key
and activate the service in rc.conf
Further we lift thttpd and we create open.cgi script in cgi-bin
Now you can fix the configuration pf.
If the authentication is successful, the user name and the IP address from which the request was made are transferred to the script. Information about the IP address is placed in the RDP table and the user gets access to the RDP connection.
You can enable windows authentication on the RDP server in the file C: \ Windows \ Web \ RDWeb \ Pages \ Web.config
If you wish, you can use custom errorpages and block the addresses of intruders in the same way during several unsuccessful attempts to enter a login password. Truth can be FP. But without this you cannot get anywhere.
Aborche 2013
In order not to tempt fate, I slightly modified the RDP access scheme.
Since the servers are in most cases located behind the router from which the port is being forwarded to the terminal server, we will make a knight's move and we will dynamically open port 3389 for those who have logged in correctly.
To do this, we edit the Windows \ Web \ RDWeb \ Pages \ Default.aspx file , adding some new functionality to it.
')
void goToFolder(string getLangVal) { Response.Redirect(getLangVal + "/Default.aspx" + Request.Url.Query,true); } private float getInternetExplorerVersion() { // Returns the version of Internet Explorer or a -1 // (indicating the use of another browser). float rv = -1; System.Web.HttpBrowserCapabilities browser = Request.Browser; if (browser.Browser == "IE") rv = (float)(browser.MajorVersion + browser.MinorVersion); return rv; } void Page_Load(Object sender, EventArgs e) { string UserIPAddress = Request.ServerVariables["REMOTE_ADDR"]; string UserName = Request.ServerVariables["AUTH_USER"]; string safeString = System.Security.SecurityElement.Escape(UserName); string url = "http://myrouter/cgi-bin/open.cgi?ip=" + UserIPAddress + "&user=" + safeString ; HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(url); request.Accept = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"; request.AllowAutoRedirect = false; request.KeepAlive = true; HttpWebResponse response = (HttpWebResponse)request.GetResponse(); double ver = getInternetExplorerVersion(); if (ver > 0.0) { if (ver < 7.0) Response.Redirect("TSWeb/Default.asp",true); } else { Response.Redirect("Unsupported/Default.asp",true); } string langCode = null; System.Globalization.CultureInfo culture; // For each request initialize the culture values with // the user language as specified by the browser. When loading a portal page with a Remote Application list, iis internal authentication is used. The above script will be executed only if the authorization is correct.
On the router set "net-mgmt / pftabled".
create a key
dd if=/dev/random bs=20 count=1 | md5 | cut -c 1-19 > /etc/pftabled.key and activate the service in rc.conf
pftabled_enable="YES" pftabled_flags="-d -k /etc/pftabled.key -t 432000" Further we lift thttpd and we create open.cgi script in cgi-bin
#!/usr/bin/perl use strict; use warnings; use CGI qw/:standard/; use IO::Socket; use Digest::HMAC_SHA1 qw(hmac_sha1); use Net::SMTP; use vars qw/%macs $pftabled $key %mac_ip/; use constant PFTBLPORT => 56789; use constant pfip => "127.0.0.1"; use constant PFTBLVERSION => 2; use constant PFTABLED_CMD_ADD => 1; use constant PFTABLED_CMD_DEL => 2; use constant PFTABLED_CMD_FLUSH => 3; use constant PFTBLCOMMAND => 1; use constant PFTBLMASK => 32; use constant SHA1_DIGEST_LENGTH => 20; use constant PFTBLNAME => "RDP"; my $keyfile = "/etc/pftabled.key"; if (! -r $keyfile) { print STDERR "Cannot Read KeyFile $keyfile\n"; exit 1; } open(KEY, "<$keyfile"); sysread KEY, $key, SHA1_DIGEST_LENGTH; close KEY; $pftabled = IO::Socket::INET->new(Proto => 'udp', PeerPort => PFTBLPORT, PeerAddr => pfip) or die "Creating socket: $!\n"; #prepare struct for pftabled my $command = '1'; my $iparray = param("ip"); #print @iparray; my $addr = inet_aton($iparray); my $time = time(); my $block = pack("C1 S1 C1",PFTBLVERSION,$command,PFTBLMASK).$addr.pack("a32 N*",PFTBLNAME,$time); my $digest = hmac_sha1($block, $key); $block .= $digest; $pftabled->send($block); print header(); my $smtp = Net::SMTP->new('mysmtpserver.mydomain.ru'); $smtp->mail('terminal_guard@mydomain.ru'); $smtp->to('account_admin@mydomain.ru'); $smtp->data(); $smtp->datasend("To: account_admin\@mydomain.ru\n"); $smtp->datasend("Subject: Terminal server logon detected\n"); $smtp->datasend("\n"); $smtp->datasend("User ".param("user")." logged on from ".param("ip")."\n"); $smtp->dataend(); $smtp->quit; exit(0); Now you can fix the configuration pf.
external_addr="1.1.1.1" terminal_server_addr="192.168.1.1" table <RDP> persist { } rdr on $ext_if proto tcp from <RDP> to $external_addr port 3389 -> $terminal_server_addr port 3389 # terminal pass in on $ext_if proto tcp from <RDP> to { $external_addr, $terminal_server_addr } port { 3389 } flags S/SA keep state If the authentication is successful, the user name and the IP address from which the request was made are transferred to the script. Information about the IP address is placed in the RDP table and the user gets access to the RDP connection.
You can enable windows authentication on the RDP server in the file C: \ Windows \ Web \ RDWeb \ Pages \ Web.config
If you wish, you can use custom errorpages and block the addresses of intruders in the same way during several unsuccessful attempts to enter a login password. Truth can be FP. But without this you cannot get anywhere.
Aborche 2013
Source: https://habr.com/ru/post/176657/
All Articles