tinyding 發表於 20-9-21 20:59

Single Packet Authorization with Fwknop.


原文在 => Single Packet Authorization with Fwknop by Michael Rash   December, 2005.



一年多以前, 我看到 朝陽 洪朝貴 老師 寫了這篇文章 "連鑰匙孔都藏起來的 ssh 完全防禦: SPA" ... 當時, 我沒有實測, 不了解整個運作起來是怎樣的情形 ... 我認為有 Fail2Ban 就足夠了 ...


有灌過 SSH Server 的人, 如果查看伺服器的日誌(例如 : /var/log/auth.log ) , 可能多多少少會發現每天有些許外面的程式, 以 "root" ID, 或"某某某" User ID 來嘗試看看能否登入到你的 SSH Server ... 我的伺服器即便有灌 Fail2Ban 也是躲不過 ... 於是, 我從允許 ""root" 帶密碼" 登入 SSH Server, 改成 "PermitRootLogin no" ... 過一段日子, 覺得還是不太放心, 再改成 ... :
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2

PasswordAuthentication no

...一般身份者也禁止使用密碼登入, 改採用 "Public-key cryptography" 或稱 "asymmetric cryptography" 非對稱式密碼方式登入. (注意!!! 在你還不確定是否備妥相關密碼和以這種方式登入無誤運作前, 切記! 留個後路(VNC or TTY1 方式登入系統) , 以免 ssh 方式登入失敗時, 你沒有其他管道再進到系統裡頭 ... ) 相關參考可參註一.


幾個星期前, 我再次觀看 "連鑰匙孔都藏起來的 ssh 完全防禦: SPA", 並且實測 ... 我想, 如果連"孔洞"都消失的話, 那麼, 要登入伺服器, 可能得另謀其他管道 ... 所以, 我就來學學該怎麼樣能讓鑰匙孔消失和適時的出現 ...

經過幾番周折, 終於學會使用這項技巧 ... {:4_158:}


現我在伺服器(ip : 45.77.17.138) 這邊安裝了 SSH Server 以及 Fwknop Server ...
提供 Tcp Port 7, 用於 echo 測試 ...


/etc/fwknop/fwknopd.conf :
PCAP_INTF                   ens3;
PCAP_FILTER               udp port 62201;


/etc/fwknop/access.conf :
REQUIRE_SOURCE_ADDRESSN

SOURCE                  ANY
OPEN_PORTS            tcp/22
KEY_BASE64            保密不公開
HMAC_KEY_BASE64         保密不公開

SOURCE                  ANY
OPEN_PORTS            tcp/7
KEY_BASE64            e4HchGSfm4DdfpI8LQsUPe/dVVeI0xZBDq6cpC8arO8=
HMAC_KEY_BASE64         MK4MKf/em/E/ZtZ3cRFn5wFEM0NKCtODBhjzt9FOnmJOVEis3gluhKPlSCobtH9r/UnpqsD7vLN8kXueKcmvyA==



伺服器的防火牆設定 ... :
root@vultr:~# iptables -L
Chain INPUT (policy ACCEPT)
target   prot opt source               destination
FWKNOP_INPUTall--anywhere             anywhere
f2b-sshd   tcp--anywhere             anywhere             multiport dports ssh
ACCEPT   tcp--anywhere             anywhere             tcp dpt:ssh ctstate RELATED,ESTABLISHED
DROP       tcp--anywhere             anywhere             tcp dpt:ssh
DROP       tcp--anywhere             anywhere             tcp dpt:echo

Chain FORWARD (policy ACCEPT)
target   prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target   prot opt source               destination

Chain f2b-sshd (1 references)
target   prot opt source               destination
RETURN   all--anywhere             anywhere

Chain FWKNOP_INPUT (1 references)
target   prot opt source               destination


Client 端, /root/.fwknoprc :

WGET_CMD                /usr/bin/wget


ACCESS                  tcp/22
KEY_BASE64 保密不公開
HMAC_KEY_BASE64 保密不公開
SPA_SERVER            45.77.17.138
USE_HMAC                Y



ACCESS                  tcp/7
KEY_BASE64            e4HchGSfm4DdfpI8LQsUPe/dVVeI0xZBDq6cpC8arO8=
HMAC_KEY_BASE64         MK4MKf/em/E/ZtZ3cRFn5wFEM0NKCtODBhjzt9FOnmJOVEis3gluhKPlSCobtH9r/UnpqsD7vLN8kXueKcmvyA==
SPA_SERVER            45.77.17.138
USE_HMAC                Y




底下顯示了這台伺服器, 大概有三個 Tcp Port 可能被過濾掉了 ... :
root@debian:~# nmap -A -v 45.77.17.138
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-21 17:45 CST
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:45
Completed NSE at 17:45, 0.00s elapsed
Initiating NSE at 17:45
Completed NSE at 17:45, 0.00s elapsed
Initiating Ping Scan at 17:45
Scanning 45.77.17.138
Completed Ping Scan at 17:45, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:45
Completed Parallel DNS resolution of 1 host. at 17:45, 0.00s elapsed
Initiating SYN Stealth Scan at 17:45
Scanning 45.77.17.138.vultr.com (45.77.17.138)
Increasing send delay for 45.77.17.138 from 0 to 5 due to 37 out of 121 dropped probes since last increase.
Increasing send delay for 45.77.17.138 from 5 to 10 due to max_successful_tryno increase to 4
Increasing send delay for 45.77.17.138 from 10 to 20 due to 11 out of 31 dropped probes since last increase.
Increasing send delay for 45.77.17.138 from 20 to 40 due to max_successful_tryno increase to 5
Increasing send delay for 45.77.17.138 from 40 to 80 due to 11 out of 22 dropped probes since last increase.
Increasing send delay for 45.77.17.138 from 80 to 160 due to 11 out of 27 dropped probes since last increase.
Increasing send delay for 45.77.17.138 from 160 to 320 due to 11 out of 27 dropped probes since last increase.
SYN Stealth Scan Timing: About 31.16% done; ETC: 17:47 (0:01:08 remaining)
SYN Stealth Scan Timing: About 40.54% done; ETC: 17:48 (0:01:29 remaining)
SYN Stealth Scan Timing: About 66.96% done; ETC: 17:49 (0:01:13 remaining)
SYN Stealth Scan Timing: About 76.34% done; ETC: 17:49 (0:00:55 remaining)
SYN Stealth Scan Timing: About 85.74% done; ETC: 17:49 (0:00:35 remaining)
Completed SYN Stealth Scan at 17:50, 263.77s elapsed (1000 total ports)
Initiating Service scan at 17:50
Initiating OS detection (try #1) against 45.77.17.138.vultr.com (45.77.17.138)
adjust_timeouts2: packet supposedly had rtt of -189579 microseconds.Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -189579 microseconds.Ignoring time.
Retrying OS detection (try #2) against 45.77.17.138.vultr.com (45.77.17.138)
Initiating Traceroute at 17:50
Completed Traceroute at 17:50, 3.02s elapsed
Initiating Parallel DNS resolution of 10 hosts. at 17:50
Completed Parallel DNS resolution of 10 hosts. at 17:50, 0.05s elapsed
NSE: Script scanning 45.77.17.138.
Initiating NSE at 17:50
Completed NSE at 17:50, 0.01s elapsed
Initiating NSE at 17:50
Completed NSE at 17:50, 0.00s elapsed
Nmap scan report for 45.77.17.138.vultr.com (45.77.17.138)
Host is up (0.063s latency).
Not shown: 997 closed ports
PORT    STATE    SERVICE   VERSION
7/tcp   filtered echo
22/tcpfiltered ssh
139/tcp filtered netbios-ssn
Too many fingerprints match this host to give specific OS details
Network Distance: 15 hops

TRACEROUTE (using port 8888/tcp)
HOP RTT      ADDRESS
1   1.56 msI-040GW.cht.com.tw (192.168.1.1)
2   2.61 mstp240-143.dialup.seed.net.tw (139.175.240.143)
3   2.18 ms192.72.223.9
4   8.46 msr58-205.seed.net.tw (139.175.58.205)
5   8.96 msr58-145.seed.net.tw (139.175.58.145)
6   9.95 msh202-192-72-155.seed.net.tw (192.72.155.202)
7   9.94 msh202-192-72-155.seed.net.tw (192.72.155.202)
8   9.95 ms199.245.16.37
9   38.43 ms ae-7.r31.tokyjp05.jp.bb.gin.ntt.net (129.250.7.5)
1065.63 ms ce-0-14-0-1.r02.tokyjp05.jp.ce.gin.ntt.net (120.88.54.98)
11... 14
1562.59 ms 45.77.17.138.vultr.com (45.77.17.138)

NSE: Script Post-scanning.
Initiating NSE at 17:50
Completed NSE at 17:50, 0.00s elapsed
Initiating NSE at 17:50
Completed NSE at 17:50, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 271.50 seconds
         Raw packets sent: 1329 (62.326KB) | Rcvd: 1284 (55.408KB)


送 "Hello" 字眼過去至伺服器, 但沒能收到 echo ... :
root@debian:~# echo "Hello" | nc 45.77.17.138 7
(UNKNOWN) 7 (echo) : Connection timed out


送 "密語" 至伺服器, 請它暫時(30秒)打開 Tcp Port 7 的通道 ... 我並緊接著送 "Hello" 字眼過去, 隨後即收到正確的 echo ... :
root@debian:~# fwknop -n my.server.com_tcp7 --verbose -R

[+] Resolved external IP (via '/usr/bin/wget -U Fwknop/2.6.10 --secure-protocol=auto --quiet -O - https://www.cipherdyne.org/cgi-bin/myip') as: 112.105.240.229
SPA Field Values:
=================
   Random Value: 4646262537257489
       Username: root
      Timestamp: 1600683550
    FKO Version: 3.0.0
   Message Type: 1 (Access msg)
Message String: 112.105.240.229,tcp/7
   Nat Access: <NULL>
    Server Auth: <NULL>
Client Timeout: 0
    Digest Type: 3 (SHA256)
      HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
   Encoded Data: 4646262537257489:cm9vdA:1600683550:3.0.0:1:MTEyLjEwNS4yNDAuMjI5LHRjcC83
SPA Data Digest: YGFMxQ+C2a4HojasVflYqm05eRC0DWaNrmM6ewF7Ukw
         HMAC: dGpdcQ3rXvKbxFIWBCDdCVmaSU+QNL31fHDYtEBstUg
Final SPA Data: 8hcLdcIPNfRHY1t1KHrFh6vLxUAlXG4kS287gTMhYdzc7g+lL0X0kCbc4WvB65ZwVrmHp78s0mNVVM7jtMUwcgLF1Vb7jqBpEL/YF9wvk6R5V/V+CJK6pGeKJgf8nnfI8GOOztsRufKl3W47qsBWJxt2Iu0jyNz7rhNa/UcmWCZMjIH4MI+KAXdGpdcQ3rXvKbxFIWBCDdCVmaSU+QNL31fHDYtEBstUg

Generating SPA packet:
            protocol: udp
         source port: <OS assigned>
    destination port: 62201
             IP/host: 45.77.17.138
send_spa_packet: bytes sent: 225

root@debian:~#
root@debian:~# echo "Hello" | nc 45.77.17.138 7
Hello
^C





使用 Windows 版的 fwknop-gui.exe 來送 "密語" 至伺服器, 請它暫時(30秒)打開 Tcp Port 7 的通道 ... :


在 Fwknop-gui 的 "Rijndael Key" 欄, 應填入與伺服器同樣的 KEY_BASE64 值, 這台伺服器(ip : 45.77.17.138) 的 KEY_BASE64 值如下 :
e4HchGSfm4DdfpI8LQsUPe/dVVeI0xZBDq6cpC8arO8=


在 Fwknop-gui 的 "HMAC Key" 欄, 應填入與伺服器同樣的 HMAC_KEY_BASE64 值, 這台伺服器(ip : 45.77.17.138) 的 HMAC_KEY_BASE64 值如下 :
MK4MKf/em/E/ZtZ3cRFn5wFEM0NKCtODBhjzt9FOnmJOVEis3gluhKPlSCobtH9r/UnpqsD7vLN8kXueKcmvyA==

Windows 版 fwknop-gui by jp-bennett



倒數 30 秒 ... :



再緊接著送 "Hello" 字眼過去, 隨後即收到正確的 echo ... :
D:\Download-Files\Netcat\netcat-master\netcat-master>echo "Hello" | nc.exe 45.77.17.138 7
"Hello"
^C

Windows 環境下可用的 Netcat(即 nc ) by diegocr




產生自己要用的相關鍵值, 但不存檔 ... :

root@vultr:~# fwknop -A tcp/7 -D my.server.com --key-gen --use-hmac
[*] Creating initial rc file: /root/.fwknoprc.
KEY_BASE64: 4EDJvs0WnM69iWi2Z89LdTcmanyE2zBQK5qJNjjkakg=
HMAC_KEY_BASE64: Xjp80RpD9hSrYCnBPKgwNFtOINH8C9wVNAny4v+aWyATGOoHuY6MDhladFhgOeoRpFp7T9/o/sprxqb6N+Y2vw==




產生自己要用的相關鍵值, 並且存檔記錄下來 ... :

root@vultr:~# fwknop -A tcp/22 -D my.server.com --key-gen --use-hmac --save-rc-stanza
[+] Wrote Rijndael and HMAC keys to rc file: /root/.fwknoprc
root@vultr:~# ls -la
total 80
drwx------4 root root4096 Sep 21 11:57 .
drwxr-xr-x 18 root root4096 Sep5 06:43 ..
-rw-------1 root root 10467 Sep 20 06:43 .bash_history
-rw-r--r--1 root root   564 Sep5 00:41 .bashrc
-rw-r--r--1 root root   570 Jan 312010 .bashrc.first
-rw-------1 root root    43 Sep 20 22:12 .fwknop.run
-rw-------1 root root   324 Sep 21 11:57 .fwknoprc
-rw-------1 root root   513 Sep 20 22:06 .fwknoprc.Good
drwx------3 root root4096 Sep 11 20:09 .gnupg
-rw-------1 root root    92 Sep 20 19:00 .lesshst
-rw-r--r--1 root root   148 Aug 172015 .profile
drwx------2 root root4096 Sep5 15:09 .ssh
-rw-------1 root root 11609 Sep 20 23:23 .viminfo
-rw-r--r--1 root root 10240 Sep 12 18:29 iptables.20200913-0230.tar
root@vultr:~# cat .fwknoprc



ACCESS                      tcp/22
SPA_SERVER                  my.server.com
KEY_BASE64                  3AVKPD/09DNHwxKSvZ0eH9GxOwMGbp4apbzayPU2C3U=
HMAC_KEY_BASE64             yGlj/yT1OepkrE6dGCdpzuqwJAe+7h26K/y487cMrOxGmhfVBw1n/v+vuKpg3NffxiIaqASCPRZ0zMbPyS1gzw==
USE_HMAC                  Y





沒有送打開孔洞的通關密語, 所以, 連接 Tcp Port 22 失敗 ... :
root@debian:~# ssh 45.77.17.138
ssh: connect to host 45.77.17.138 port 22: Connection timed out



送了打開孔洞的通關密語過去, 可以正常連接到 Tcp Port 22 ... :
root@debian:~# fwknop -n my.server.com_tcp22 --verbose -R

[+] Resolved external IP (via '/usr/bin/wget -U Fwknop/2.6.10 --secure-protocol=auto --quiet -O - https://www.cipherdyne.org/cgi-bin/myip') as: 112.105.240.229
SPA Field Values:
=================
   Random Value: 4699983468226520
       Username: root
      Timestamp: 1600691688
    FKO Version: 3.0.0
   Message Type: 1 (Access msg)
Message String: 112.105.240.229,tcp/22
   Nat Access: <NULL>
    Server Auth: <NULL>
Client Timeout: 0
    Digest Type: 3 (SHA256)
      HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
   Encoded Data: 4699983468226520:cm9vdA:1600691688:3.0.0:1:MTEyLjEwNS4yNDAuMjI5LHRjcC8yMg
SPA Data Digest: fMAweWrcz3BrxIQ7gz2Kxfq1RthpwWJgrDJco60m3sI
         HMAC: 2uVqLu2+dHq7w7zIGueebYmrLq5nu7pUiwaZyW6MFck
Final SPA Data: /7VtsmqmKFl6Nf1e3QuyjFucoWJF88419LlSOfnRXKHauKNVDkpHqBSCV4gEAYoqrpo6i9M38j5S9KqEdYqHjTsDotMIwUWPKOmPYAtBmhneH3+CfmkrlLCJmXma9MnUfCNF3jrZdGN89zZw+qYAmlm9+5INTIro49iyKfa8wWPabLWSTnr1Ld2uVqLu2+dHq7w7zIGueebYmrLq5nu7pUiwaZyW6MFck

Generating SPA packet:
            protocol: udp
         source port: <OS assigned>
    destination port: 62201
             IP/host: 45.77.17.138
send_spa_packet: bytes sent: 225


root@debian:~# ssh 45.77.17.138
The authenticity of host '45.77.17.138 (45.77.17.138)' can't be established.
ECDSA key fingerprint is SHA256:8wtDpO6DT2WzDO5wdU9pHBJU3iOELf0Q/EXfnoZioJ8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '45.77.17.138' (ECDSA) to the list of known hosts.
root@45.77.17.138's password:


在這裡, 因為我沒有公佈伺服器(ip : 45.77.17.138) 現在 Tcp Port 22 所使用的相關鍵值, 所以, 請有興趣要測試 Fwknop Server 的人, 使用 Tcp Port 7, 及其相關鍵值來測試...


相關參考網頁, 參註二.



註一.
Understanding the SSH Encryption and Connection Process

設定密不透水的 ssh 服務

定期排程異地備份不需要密碼, 就交給 ssh 的信任機制與身份識別吧!

關閉sshd的登入密碼認證(PasswordAuthentication)



註二.Fwknop, Debian and Ansible

Single Packet Authorization with GnuPG Keys

利用fwknop給sshd加一道門,向暴力黑客Say no-way!





頁: [1]
查看完整版本: Single Packet Authorization with Fwknop.