Layer 7 firewall on Mikrotik

Layer 7 firewall on Mikrotik
« on: 13. 03. 2018, 12:06:39 »
Hi,

Does anyone have experience with the L7 firewall on Mikrotik?

I followed:
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/L7

I defined SSH:
Code:
[root@mt] > ip firewall layer7-protocol print
 # NAME                                               REGEXP
 0 ssh                                                ^ssh-[12]\.[0-9]

I put it in the first possible position:
Code:
[root@mt] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    chain=forward action=accept layer7-protocol=ssh protocol=tcp

But no traffic goes through it; it simply doesn't match:
Code:
[root@mt] > ip firewall filter print stats
Flags: X - disabled, I - invalid, D - dynamic
 #    CHAIN                                       ACTION                            BYTES         PACKETS
 0  D ;;; special dummy rule to show fasttrack counters
      forward                                     passthrough              36 426 913 703      69 653 867
 1    forward                                     accept                                0               0

My MT:
Code:
[root@mt] > system resource print
                   uptime: 3d17h54m30s
                  version: 6.41.2 (stable)
               build-time: Feb/06/2018 12:29:02
         factory-software: 6.36
              free-memory: 35.5MiB
             total-memory: 64.0MiB
                      cpu: MIPS 24Kc V7.4
                cpu-count: 1
            cpu-frequency: 650MHz
                 cpu-load: 0%
           free-hdd-space: 1164.0KiB
          total-hdd-space: 16.0MiB
  write-sect-since-reboot: 4385
         write-sect-total: 12973
               bad-blocks: 0%
        architecture-name: mipsbe
               board-name: mAP lite
                 platform: MikroTik

Any idea what to do about it?

asdf111

Re: Layer 7 firewall on Mikrotik
« Reply #1 on: 13. 03. 2018, 12:27:32 »
Are you sure that REGEX string is visible in unencrypted form? :)
Code:
4.2.  Protocol Version Exchange

   ***When the connection has been established***, both sides MUST send an
   identification string.  This identification string MUST be

      SSH-protoversion-softwareversion SP comments CR LF

   Since the protocol being defined in this set of documents is version
   2.0, the 'protoversion' MUST be "2.0".  The 'comments' string is
   OPTIONAL.  If the 'comments' string is included, a 'space' character
   (denoted above as SP, ASCII 32) MUST separate the 'softwareversion'
   and 'comments' strings.  The identification MUST be terminated by a
   single Carriage Return (CR) and a single Line Feed (LF) character
   (ASCII 13 and 10, respectively).  Implementers who wish to maintain

Re: Layer 7 firewall on Mikrotik
« Reply #2 on: 13. 03. 2018, 13:23:40 »
I took that regex from the MT page, specifically:
Code:
http://l7-filter.sourceforge.net/layer7-protocols/protocols/ssh.pat
So I tried HTTP as well, with the same result.

Just to check, I captured the SSH exchange and it is in clear text:
Code:
SSH-2.0-OpenSSH_7.6
SSH-2.0-OpenSSH_7.6


Re: Layer 7 firewall on Mikrotik
« Reply #3 on: 13. 03. 2018, 15:31:09 »
Maybe they have it set somewhere that the regex matches case-insensitively by default? Because at the start of the line I only see SSH, not ssh.

Re: Layer 7 firewall on Mikrotik
« Reply #4 on: 13. 03. 2018, 17:02:41 »
I tried that right after I captured that SSH handshake.


Re: Layer 7 firewall on Mikrotik
« Reply #5 on: 13. 03. 2018, 17:04:17 »
To add.. I tried ^SSH-[12]\.[0-9] instead of ^ssh-[12]\.[0-9]. That didn't work either.
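To see exactly what bytes the pattern is applied to, here is an added Python model of the L7 matcher as the MikroTik manual linked in the thread describes it (first 10 packets or first 2 KB of a connection, both directions concatenated); it is not RouterOS code. The flow is constructed from the banners in the capture above plus a made-up binary KEXINIT-like payload, and the case-insensitive mode is offered as a behaviour to test against, not as a statement of what RouterOS does.

```python
import re

# Constructed sample flow modelled on the capture in the thread: both
# plaintext banners, then a constructed binary KEXINIT-like payload.
CLIENT_BANNER = b"SSH-2.0-OpenSSH_7.6\r\n"
SERVER_BANNER = b"SSH-2.0-OpenSSH_7.6\r\n"
KEXINIT_LIKE = (b"\x00\x00\x04\x4c\x08\x14" + b"\x9d" * 16
                + b"\x00\x00\x00\x30curve25519-sha256,ecdh-sha2-nistp256")
SSH_FLOW = [CLIENT_BANNER, SERVER_BANNER, KEXINIT_LIKE]

# The pattern from the thread (l7-filter's ssh.pat) and the uppercase
# variant tried in reply #5.
SSH_PAT_LOWER = rb"^ssh-[12]\.[0-9]"
SSH_PAT_UPPER = rb"^SSH-[12]\.[0-9]"

MAX_PACKETS = 10   # the matcher inspects only the first 10 packets ...
MAX_BYTES = 2048   # ... or the first 2 KB of a connection (per the manual)

def collect_stream(packets, max_packets=MAX_PACKETS, max_bytes=MAX_BYTES):
    """Concatenate payloads of both directions in arrival order, capped the
    way the matcher caps them; anything after the cap is never examined."""
    buf = b""
    for payload in packets[:max_packets]:
        buf += payload
        if len(buf) >= max_bytes:
            break
    return buf[:max_bytes]

def l7_match(packets, pattern, ignore_case=False):
    """True if the pattern matches the collected stream.  '^' is anchored to
    the start of the buffer (no MULTILINE), so the banner has to be in the
    very first bytes the matcher saw for this connection."""
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.search(pattern, collect_stream(packets), flags) is not None

def diagnose(packets, pattern):
    """Report which matching modes would fire for this flow."""
    return {
        "case_sensitive": l7_match(packets, pattern, False),
        "case_insensitive": l7_match(packets, pattern, True),
    }

if __name__ == "__main__":
    print("new connection, lowercase pattern:", diagnose(SSH_FLOW, SSH_PAT_LOWER))
    print("new connection, uppercase pattern:", diagnose(SSH_FLOW, SSH_PAT_UPPER))
    # Rule added after the banners were already exchanged: the matcher
    # only ever sees the binary KEXINIT packet, so nothing can match.
    print("mid-connection:", diagnose(SSH_FLOW[2:], SSH_PAT_UPPER))
```

The mid-connection case is worth checking on a live box: a rule that is evaluated only for connections that were already established before it was added never sees the banner, whatever the case of the pattern.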