Fórum Root.cz
Main topics => Networks => Topic started: シ 13. 03. 2018, 12:06:39
-
Hi,
Does anyone have experience with the L7 firewall on MikroTik?
I followed:
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7
I defined SSH:
[root@mt] > ip firewall layer7-protocol print
# NAME REGEXP
0 ssh ^ssh-[12]\.[0-9]
I put it in the first possible place:
[root@mt] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 chain=forward action=accept layer7-protocol=ssh protocol=tcp
But no traffic flows through it... it simply doesn't match:
[root@mt] > ip firewall filter print stats
Flags: X - disabled, I - invalid, D - dynamic
# CHAIN ACTION BYTES PACKETS
0 D ;;; special dummy rule to show fasttrack counters
forward passthrough 36 426 913 703 69 653 867
1 forward accept 0 0
My MT:
[root@mt] > system resource print
uptime: 3d17h54m30s
version: 6.41.2 (stable)
build-time: Feb/06/2018 12:29:02
factory-software: 6.36
free-memory: 35.5MiB
total-memory: 64.0MiB
cpu: MIPS 24Kc V7.4
cpu-count: 1
cpu-frequency: 650MHz
cpu-load: 0%
free-hdd-space: 1164.0KiB
total-hdd-space: 16.0MiB
write-sect-since-reboot: 4385
write-sect-total: 12973
bad-blocks: 0%
architecture-name: mipsbe
board-name: mAP lite
platform: MikroTik
Any idea what to do about it?
-
Are you sure that REGEX string is visible in unencrypted form? :)
4.2. Protocol Version Exchange
***When the connection has been established***, both sides MUST send an
identification string. This identification string MUST be
SSH-protoversion-softwareversion SP comments CR LF
Since the protocol being defined in this set of documents is version
2.0, the 'protoversion' MUST be "2.0". The 'comments' string is
OPTIONAL. If the 'comments' string is included, a 'space' character
(denoted above as SP, ASCII 32) MUST separate the 'softwareversion'
and 'comments' strings. The identification MUST be terminated by a
single Carriage Return (CR) and a single Line Feed (LF) character
(ASCII 13 and 10, respectively). Implementers who wish to maintain
-
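The version exchange quoted from RFC 4253 section 4.2, as an added example that is not part of the reply above nor of the original thread: both sides send an identification string in clear text right after TCP connect, and only after key exchange does the stream become unreadable. The Python below parses that string per the RFC grammar and then applies the l7-filter pattern from the thread to the start of the byte stream, with and without case folding (l7-filter compiles its patterns case-insensitively, which is why ssh.pat is lowercase; the matcher here takes the flag as a parameter so both behaviours are visible). The client banner mirrors the one in the capture; the server's pre-banner line and the "Debian-4" comment are constructed, and the functions and names are this example's own.

```python
import re

# Pattern from l7-filter's ssh.pat exactly as entered on the router in the thread.
L7_SSH_PATTERN = r"^ssh-[12]\.[0-9]"

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
# (softwareversion may not contain spaces; comments are optional).
IDENT_RE = re.compile(
    rb"^SSH-(?P<protoversion>[0-9.]+)-(?P<softwareversion>[^ \r\n]+)"
    rb"(?: (?P<comments>[^\r\n]*))?\r\n$"
)


def parse_identification(stream: bytes) -> dict:
    """Parse the identification string one side sends after TCP connect.

    RFC 4253 4.2 allows the server to send other lines before its own
    identification string (the client must ignore them), so the scan
    skips lines that do not start with 'SSH-'.  A line that starts with
    'SSH-' but does not follow the grammar raises ValueError.
    """
    for line in stream.split(b"\n"):
        line += b"\n"
        if not line.startswith(b"SSH-"):
            continue
        m = IDENT_RE.match(line)
        if m is None:
            raise ValueError("malformed identification string: %r" % line)
        return {
            "protoversion": m["protoversion"].decode("ascii"),
            "softwareversion": m["softwareversion"].decode("ascii"),
            "comments": m["comments"].decode("ascii") if m["comments"] else None,
        }
    raise ValueError("no identification string in stream")


def l7_matches(stream: bytes, pattern: str, ignore_case: bool) -> bool:
    """Apply an l7-filter style pattern to the start of a connection's data.

    '^' is anchored at the very first byte the matcher sees; re.MULTILINE is
    deliberately not set, because the matcher sees a byte buffer, not lines.
    """
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern.encode("ascii"), stream, flags) is not None


# Constructed exchange (not the capture from the thread): the client banner
# mirrors what the capture shows; the server stream adds a pre-banner line,
# which RFC 4253 permits, to show its effect on an anchored pattern.
CLIENT_BANNER = b"SSH-2.0-OpenSSH_7.6\r\n"
SERVER_STREAM = (
    b"This line is permitted before the banner\r\n"
    b"SSH-2.0-OpenSSH_7.6 Debian-4\r\n"
)


def demo() -> dict:
    return {
        "client": parse_identification(CLIENT_BANNER),
        "server": parse_identification(SERVER_STREAM),
        # lowercase pattern, case-sensitive: the banner says 'SSH-', no match
        "lower_sensitive": l7_matches(CLIENT_BANNER, L7_SSH_PATTERN, False),
        # same pattern, case-insensitive, as l7-filter compiles it: match
        "lower_insensitive": l7_matches(CLIENT_BANNER, L7_SSH_PATTERN, True),
        # uppercase variant tried later in the thread, case-sensitive: match
        "upper_sensitive": l7_matches(CLIENT_BANNER, r"^SSH-[12]\.[0-9]", False),
        # a pre-banner line pushes 'SSH-' away from offset 0: '^' fails
        "server_insensitive": l7_matches(SERVER_STREAM, L7_SSH_PATTERN, True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two caveats for anyone debugging a rule like the one in the thread. First, the pattern is anchored, so a server that emits a line before its banner (allowed by the RFC) will never match it. Second, a layer-7 matcher can only inspect payload that actually traverses the filter chain; on RouterOS, packets of a fasttracked connection bypass the filter rules, and the dummy rule counters printed in the thread show that fasttrack is in use, so a zero counter on the L7 rule is not by itself evidence that the regex is wrong.
-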
I took that regex from the MT page, specifically:
http://l7-filter.sourceforge.net/layer7-protocols/protocols/ssh.pat
So I also tried HTTP, with the same result.
Just for the sake of it I tried capturing the SSH exchange, and it is in clear text:
SSH-2.0-OpenSSH_7.6
SSH-2.0-OpenSSH_7.6
...L........d..v
.L..i...0curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c..."ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa...lchacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com...lchacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com....umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1....umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1....none,zlib@openssh.com,zlib....none,zlib@openssh.com,zlib.....................4....%U
`..b0.Y..O ....curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1...Assh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519...lchacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com...lchacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com....umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1....umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1....none,zlib@openssh.com....none,zlib@openssh.com......................,..... .q..^.....S...M.....vZ...8..*'............
....h....ecdsa-sha2-nistp256....nistp256...A...<%.....8..........Vi........*..(...W...J7.T'eN..P../....p6..f4... ..+#.
>C...J.u..;.p.........~.k....d....ecdsa-sha2-nistp256...I...!.....p..)..kB.2.B+...IY..l.D...S.... Z.n`V6.......c..X.A .....
....q...............
...........CvC...x'Ut.J{.....*F..N.n3 ..=....b."m....HgA
N.
..-s_...V..u....s....z=....j..l.nG....|.Qq...w.s.(..F .~....oiq....4..2.0-.H.6...o.......L.
.lF.dO.|h*...J.:.d.....mU.g........
.....................i.E.\.. .r/.
XV..K..|...8.[2S.Z7....z..........6>.. `A.r..M.".,...s......... ......=..=...B.JVc..r.T....DC........[...%_.m ..c...{$B.G.w...U.\..S
. ...q).pi...'..V.].F.+..sd..!.....
-
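The algorithm name-lists readable in the capture above are the SSH_MSG_KEXINIT message (RFC 4253 section 7.1), carried in the binary packet format of section 6 before any key has been agreed, which is why they are on the wire in clear text. The following Python is an added example, not code from the thread or from any project it mentions: it builds a KEXINIT from a constructed, trimmed set of lists modelled on the server's lists in the capture, frames it as an unencrypted binary packet, parses it back, and flags legacy algorithms. The LEGACY set, the fixed all-zero cookie and the helper names are this example's own choices.

```python
import os
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


def _name_list(names):
    # RFC 4251 name-list: uint32 length followed by comma-separated ASCII names
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=None):
    """Build a KEXINIT payload from a dict mapping field name -> list of names."""
    cookie = os.urandom(16) if cookie is None else cookie
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        payload += _name_list(lists.get(field, []))
    payload += b"\x00"               # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved for future extension
    return payload


def wrap_packet(payload, block_size=8):
    """Frame a payload as an RFC 4253 section 6 binary packet, no MAC.

    Before key exchange completes the cipher is 'none', so the whole packet,
    including the KEXINIT name-lists, is sent in clear text.
    """
    padding_len = block_size - ((len(payload) + 5) % block_size)
    if padding_len < 4:  # at least four bytes of padding are required
        padding_len += block_size
    header = struct.pack(">IB", 1 + len(payload) + padding_len, padding_len)
    return header + payload + os.urandom(padding_len)


def unwrap_packet(data):
    """Return (payload, remaining bytes) of the first unencrypted packet in data."""
    packet_len, padding_len = struct.unpack(">IB", data[:5])
    end = 4 + packet_len
    if end > len(data) or padding_len + 1 > packet_len:
        raise ValueError("truncated or malformed packet")
    return data[5:end - padding_len], data[end:]


def parse_kexinit(payload):
    """Decode a KEXINIT payload into its cookie, name-lists and guess flag."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    result = {"cookie": payload[1:17]}
    pos = 17  # message type byte plus the 16-byte random cookie
    for field in KEXINIT_FIELDS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        result[field] = raw.split(",") if raw else []
    result["first_kex_packet_follows"] = payload[pos] != 0
    return result


# Algorithms worth flagging when they show up in a capture; this set is an
# editorial choice for the example, not something taken from the thread.
LEGACY = {
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1", "ssh-rsa", "ssh-dss",
    "hmac-sha1", "hmac-md5", "3des-cbc", "arcfour",
}


def legacy_offered(kexinit):
    hits = {}
    for field in KEXINIT_FIELDS:
        found = [name for name in kexinit[field] if name in LEGACY]
        if found:
            hits[field] = found
    return hits


# Constructed server KEXINIT, trimmed from the kind of lists visible in the
# thread's capture; the cookie is fixed so the packet is reproducible.
_ENC = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"]
_MAC = ["hmac-sha2-256-etm@openssh.com", "hmac-sha1"]
_COMP = ["none", "zlib@openssh.com"]
SAMPLE_SERVER = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256",
                       "diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["ssh-rsa", "rsa-sha2-512", "ssh-ed25519"],
    "encryption_algorithms_client_to_server": _ENC,
    "encryption_algorithms_server_to_client": _ENC,
    "mac_algorithms_client_to_server": _MAC,
    "mac_algorithms_server_to_client": _MAC,
    "compression_algorithms_client_to_server": _COMP,
    "compression_algorithms_server_to_client": _COMP,
}


def demo():
    """Round-trip the sample KEXINIT through the wire format and decode it."""
    wire = wrap_packet(build_kexinit(SAMPLE_SERVER, cookie=bytes(16)))
    payload, rest = unwrap_packet(wire)
    assert rest == b""
    return parse_kexinit(payload)
```

Running `legacy_offered(demo())` on the sample reports the SHA-1 key exchange, the ssh-rsa host key signature and hmac-sha1 in both MAC lists, which is the same kind of triage a scanner performs on the clear-text negotiation of a real server. Anything after the key exchange finishes (the binary tail of the capture above) is encrypted and cannot be inspected this way.
-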
Maybe they have it set somewhere on the side that the regex matches case-insensitively by default? Because at the start of the line I only see SSH, not ssh.
-
I tried that right after I captured that SSH handshake.
-
Addendum... I tried ^SSH-[12]\.[0-9] instead of ^ssh-[12]\.[0-9]. That didn't work either.