Single Packet Authorization with Fwknop.

tinyding

原文在 => Single Packet Authorization with Fwknop by Michael Rash   December, 2005.



一年多以前, 我看到 朝陽 洪朝貴 老師 寫了這篇文章 "連鑰匙孔都藏起來的 ssh 完全防禦： SPA" ... 當時, 我沒有實測, 不了解整個運作起來是怎樣的情形 ... 我認為有 Fail2Ban 就足夠了 ...


有灌過 SSH Server 的人, 如果查看伺服器的日誌(例如 : /var/log/auth.log ) , 可能多多少少會發現每天有些許外面的程式, 以 "root" ID, 或"某某某" User ID 來嘗試看看能否登入到你的 SSH Server ... 我的伺服器即便有灌 Fail2Ban 也是躲不過 ... 於是, 我從允許 ""root" 帶密碼" 登入 SSH Server, 改成 "PermitRootLogin no" ... 過一段日子, 覺得還是不太放心, 再改成 ... :

1. PermitRootLogin no
   
2. PubkeyAuthentication yes
   
3. AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2
   
4. 
   
5. PasswordAuthentication no
   
6. 
   
7. ...

複製代碼

一般身份者也禁止使用密碼登入, 改採用 "Public-key cryptography" 或稱 "asymmetric cryptography" 非對稱式密碼方式登入. (注意!!! 在你還不確定是否備妥相關密碼和以這種方式登入無誤運作前, 切記! 留個後路(VNC or TTY1 方式登入系統) , 以免 ssh 方式登入失敗時, 你沒有其他管道再進到系統裡頭 ... ) 相關參考可參註一.


幾個星期前, 我再次觀看 "連鑰匙孔都藏起來的 ssh 完全防禦： SPA", 並且實測 ... 我想, 如果連"孔洞"都消失的話, 那麼, 要登入伺服器, 可能得另謀其他管道 ... 所以, 我就來學學該怎麼樣能讓鑰匙孔消失和適時的出現 ...

經過幾番周折, 終於學會使用這項技巧 ...


現我在伺服器(ip : 45.77.17.138) 這邊安裝了 SSH Server 以及 Fwknop Server ...
提供 Tcp Port 7, 用於 echo 測試 ...


/etc/fwknop/fwknopd.conf :

1. PCAP_INTF                   ens3;
   
2. PCAP_FILTER                 udp port 62201;
   

複製代碼

/etc/fwknop/access.conf :

1. REQUIRE_SOURCE_ADDRESS  N
   
2. 
   
3. SOURCE                  ANY
   
4. OPEN_PORTS              tcp/22
   
5. KEY_BASE64              保密不公開
   
6. HMAC_KEY_BASE64         保密不公開
   
7. 
   
8. SOURCE                  ANY
   
9. OPEN_PORTS              tcp/7
   
10. KEY_BASE64              e4HchGSfm4DdfpI8LQsUPe/dVVeI0xZBDq6cpC8arO8=
    
11. HMAC_KEY_BASE64         MK4MKf/em/E/ZtZ3cRFn5wFEM0NKCtODBhjzt9FOnmJOVEis3gluhKPlSCobtH9r/UnpqsD7vLN8kXueKcmvyA==
    
12. 
    

複製代碼

伺服器的防火牆設定 ... :

1. root@vultr:~# iptables -L
   
2. Chain INPUT (policy ACCEPT)
   
3. target     prot opt source               destination
   
4. FWKNOP_INPUT  all  --  anywhere             anywhere
   
5. f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
   
6. ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate RELATED,ESTABLISHED
   
7. DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh
   
8. DROP       tcp  --  anywhere             anywhere             tcp dpt:echo
   
9. 
   
10. Chain FORWARD (policy ACCEPT)
    
11. target     prot opt source               destination
    
12. 
    
13. Chain OUTPUT (policy ACCEPT)
    
14. target     prot opt source               destination
    
15. 
    
16. Chain f2b-sshd (1 references)
    
17. target     prot opt source               destination
    
18. RETURN     all  --  anywhere             anywhere
    
19. 
    
20. Chain FWKNOP_INPUT (1 references)
    
21. target     prot opt source               destination

複製代碼

Client 端, /root/.fwknoprc :

1. [default]
   
2. WGET_CMD                /usr/bin/wget
   
3. 
   
4. [my.server.com_tcp22]
   
5. ACCESS                  tcp/22
   
6. KEY_BASE64 保密不公開
   
7. HMAC_KEY_BASE64 保密不公開
   
8. SPA_SERVER              45.77.17.138
   
9. USE_HMAC                Y
   
10. 
    
11. 
    
12. [my.server.com_tcp7]
    
13. ACCESS                  tcp/7
    
14. KEY_BASE64              e4HchGSfm4DdfpI8LQsUPe/dVVeI0xZBDq6cpC8arO8=
    
15. HMAC_KEY_BASE64         MK4MKf/em/E/ZtZ3cRFn5wFEM0NKCtODBhjzt9FOnmJOVEis3gluhKPlSCobtH9r/UnpqsD7vLN8kXueKcmvyA==
    
16. SPA_SERVER              45.77.17.138
    
17. USE_HMAC                Y
    
18. 
    
19. 
    

複製代碼

底下顯示了這台伺服器, 大概有三個 Tcp Port 可能被過濾掉了 ... :

1. root@debian:~# nmap -A -v 45.77.17.138
   
2. Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-21 17:45 CST
   
3. NSE: Loaded 148 scripts for scanning.
   
4. NSE: Script Pre-scanning.
   
5. Initiating NSE at 17:45
   
6. Completed NSE at 17:45, 0.00s elapsed
   
7. Initiating NSE at 17:45
   
8. Completed NSE at 17:45, 0.00s elapsed
   
9. Initiating Ping Scan at 17:45
   
10. Scanning 45.77.17.138 [4 ports]
    
11. Completed Ping Scan at 17:45, 0.20s elapsed (1 total hosts)
    
12. Initiating Parallel DNS resolution of 1 host. at 17:45
    
13. Completed Parallel DNS resolution of 1 host. at 17:45, 0.00s elapsed
    
14. Initiating SYN Stealth Scan at 17:45
    
15. Scanning 45.77.17.138.vultr.com (45.77.17.138) [1000 ports]
    
16. Increasing send delay for 45.77.17.138 from 0 to 5 due to 37 out of 121 dropped probes since last increase.
    
17. Increasing send delay for 45.77.17.138 from 5 to 10 due to max_successful_tryno increase to 4
    
18. Increasing send delay for 45.77.17.138 from 10 to 20 due to 11 out of 31 dropped probes since last increase.
    
19. Increasing send delay for 45.77.17.138 from 20 to 40 due to max_successful_tryno increase to 5
    
20. Increasing send delay for 45.77.17.138 from 40 to 80 due to 11 out of 22 dropped probes since last increase.
    
21. Increasing send delay for 45.77.17.138 from 80 to 160 due to 11 out of 27 dropped probes since last increase.
    
22. Increasing send delay for 45.77.17.138 from 160 to 320 due to 11 out of 27 dropped probes since last increase.
    
23. SYN Stealth Scan Timing: About 31.16% done; ETC: 17:47 (0:01:08 remaining)
    
24. SYN Stealth Scan Timing: About 40.54% done; ETC: 17:48 (0:01:29 remaining)
    
25. SYN Stealth Scan Timing: About 66.96% done; ETC: 17:49 (0:01:13 remaining)
    
26. SYN Stealth Scan Timing: About 76.34% done; ETC: 17:49 (0:00:55 remaining)
    
27. SYN Stealth Scan Timing: About 85.74% done; ETC: 17:49 (0:00:35 remaining)
    
28. Completed SYN Stealth Scan at 17:50, 263.77s elapsed (1000 total ports)
    
29. Initiating Service scan at 17:50
    
30. Initiating OS detection (try #1) against 45.77.17.138.vultr.com (45.77.17.138)
    
31. adjust_timeouts2: packet supposedly had rtt of -189579 microseconds.  Ignoring time.
    
32. adjust_timeouts2: packet supposedly had rtt of -189579 microseconds.  Ignoring time.
    
33. Retrying OS detection (try #2) against 45.77.17.138.vultr.com (45.77.17.138)
    
34. Initiating Traceroute at 17:50
    
35. Completed Traceroute at 17:50, 3.02s elapsed
    
36. Initiating Parallel DNS resolution of 10 hosts. at 17:50
    
37. Completed Parallel DNS resolution of 10 hosts. at 17:50, 0.05s elapsed
    
38. NSE: Script scanning 45.77.17.138.
    
39. Initiating NSE at 17:50
    
40. Completed NSE at 17:50, 0.01s elapsed
    
41. Initiating NSE at 17:50
    
42. Completed NSE at 17:50, 0.00s elapsed
    
43. Nmap scan report for 45.77.17.138.vultr.com (45.77.17.138)
    
44. Host is up (0.063s latency).
    
45. Not shown: 997 closed ports
    
46. PORT    STATE    SERVICE     VERSION
    
47. 7/tcp   filtered echo
    
48. 22/tcp  filtered ssh
    
49. 139/tcp filtered netbios-ssn
    
50. Too many fingerprints match this host to give specific OS details
    
51. Network Distance: 15 hops
    
52. 
    
53. TRACEROUTE (using port 8888/tcp)
    
54. HOP RTT      ADDRESS
    
55. 1   1.56 ms  I-040GW.cht.com.tw (192.168.1.1)
    
56. 2   2.61 ms  tp240-143.dialup.seed.net.tw (139.175.240.143)
    
57. 3   2.18 ms  192.72.223.9
    
58. 4   8.46 ms  r58-205.seed.net.tw (139.175.58.205)
    
59. 5   8.96 ms  r58-145.seed.net.tw (139.175.58.145)
    
60. 6   9.95 ms  h202-192-72-155.seed.net.tw (192.72.155.202)
    
61. 7   9.94 ms  h202-192-72-155.seed.net.tw (192.72.155.202)
    
62. 8   9.95 ms  199.245.16.37
    
63. 9   38.43 ms ae-7.r31.tokyjp05.jp.bb.gin.ntt.net (129.250.7.5)
    
64. 10  65.63 ms ce-0-14-0-1.r02.tokyjp05.jp.ce.gin.ntt.net (120.88.54.98)
    
65. 11  ... 14
    
66. 15  62.59 ms 45.77.17.138.vultr.com (45.77.17.138)
    
67. 
    
68. NSE: Script Post-scanning.
    
69. Initiating NSE at 17:50
    
70. Completed NSE at 17:50, 0.00s elapsed
    
71. Initiating NSE at 17:50
    
72. Completed NSE at 17:50, 0.00s elapsed
    
73. Read data files from: /usr/bin/../share/nmap
    
74. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    
75. Nmap done: 1 IP address (1 host up) scanned in 271.50 seconds
    
76.            Raw packets sent: 1329 (62.326KB) | Rcvd: 1284 (55.408KB)

複製代碼

送 "Hello" 字眼過去至伺服器, 但沒能收到 echo ... :

1. root@debian:~# echo "Hello" | nc 45.77.17.138 7
   
2. (UNKNOWN) [45.77.17.138] 7 (echo) : Connection timed out

複製代碼

送 "密語" 至伺服器, 請它暫時(30秒)打開 Tcp Port 7 的通道 ... 我並緊接著送 "Hello" 字眼過去, 隨後即收到正確的 echo ... :

1. root@debian:~# fwknop -n my.server.com_tcp7 --verbose -R
   
2. 
   
3. [+] Resolved external IP (via '/usr/bin/wget -U Fwknop/2.6.10 --secure-protocol=auto --quiet -O - https://www.cipherdyne.org/cgi-bin/myip') as: 112.105.240.229
   
4. SPA Field Values:
   
5. =================
   
6.    Random Value: 4646262537257489
   
7.        Username: root
   
8.       Timestamp: 1600683550
   
9.     FKO Version: 3.0.0
   
10.    Message Type: 1 (Access msg)
    
11. Message String: 112.105.240.229,tcp/7
    
12.      Nat Access: <NULL>
    
13.     Server Auth: <NULL>
    
14. Client Timeout: 0
    
15.     Digest Type: 3 (SHA256)
    
16.       HMAC Type: 3 (SHA256)
    
17. Encryption Type: 1 (Rijndael)
    
18. Encryption Mode: 2 (CBC)
    
19.    Encoded Data: 4646262537257489:cm9vdA:1600683550:3.0.0:1:MTEyLjEwNS4yNDAuMjI5LHRjcC83
    
20. SPA Data Digest: YGFMxQ+C2a4HojasVflYqm05eRC0DWaNrmM6ewF7Ukw
    
21.            HMAC: dGpdcQ3rXvKbxFIWBCDdCVmaSU+QNL31fHDYtEBstUg
    
22. Final SPA Data: 8hcLdcIPNfRHY1t1KHrFh6vLxUAlXG4kS287gTMhYdzc7g+lL0X0kCbc4WvB65ZwVrmHp78s0mNVVM7jtMUwcgLF1Vb7jqBpEL/YF9wvk6R5V/V+CJK6pGeKJgf8nnfI8GOOztsRufKl3W47qsBWJxt2Iu0jyNz7rhNa/UcmWCZMjIH4MI+KAXdGpdcQ3rXvKbxFIWBCDdCVmaSU+QNL31fHDYtEBstUg
    
23. 
    
24. Generating SPA packet:
    
25.             protocol: udp
    
26.          source port: <OS assigned>
    
27.     destination port: 62201
    
28.              IP/host: 45.77.17.138
    
29. send_spa_packet: bytes sent: 225
    
30. 
    
31. root@debian:~#
    
32. root@debian:~# echo "Hello" | nc 45.77.17.138 7
    
33. Hello
    
34. ^C
    
35. 
    

複製代碼

使用 Windows 版的 fwknop-gui.exe 來送 "密語" 至伺服器, 請它暫時(30秒)打開 Tcp Port 7 的通道 ... :


在 Fwknop-gui 的 "Rijndael Key" 欄, 應填入與伺服器同樣的 KEY_BASE64 值, 這台伺服器(ip : 45.77.17.138) 的 KEY_BASE64 值如下 :

1. e4HchGSfm4DdfpI8LQsUPe/dVVeI0xZBDq6cpC8arO8=

複製代碼

在 Fwknop-gui 的 "HMAC Key" 欄, 應填入與伺服器同樣的 HMAC_KEY_BASE64 值, 這台伺服器(ip : 45.77.17.138) 的 HMAC_KEY_BASE64 值如下 :

1. MK4MKf/em/E/ZtZ3cRFn5wFEM0NKCtODBhjzt9FOnmJOVEis3gluhKPlSCobtH9r/UnpqsD7vLN8kXueKcmvyA==

複製代碼

Windows 版 fwknop-gui by jp-bennett



倒數 30 秒 ... :



再緊接著送 "Hello" 字眼過去, 隨後即收到正確的 echo ... :

1. D:\Download-Files\Netcat\netcat-master\netcat-master>echo "Hello" | nc.exe 45.77.17.138 7
   
2. "Hello"
   
3. ^C

複製代碼

Windows 環境下可用的 Netcat(即 nc ) by diegocr




產生自己要用的相關鍵值, 但不存檔 ... :

1. 
   
2. root@vultr:~# fwknop -A tcp/7 -D my.server.com --key-gen --use-hmac
   
3. [*] Creating initial rc file: /root/.fwknoprc.
   
4. KEY_BASE64: 4EDJvs0WnM69iWi2Z89LdTcmanyE2zBQK5qJNjjkakg=
   
5. HMAC_KEY_BASE64: Xjp80RpD9hSrYCnBPKgwNFtOINH8C9wVNAny4v+aWyATGOoHuY6MDhladFhgOeoRpFp7T9/o/sprxqb6N+Y2vw==
   
6. 
   

複製代碼

產生自己要用的相關鍵值, 並且存檔記錄下來 ... :

1. 
   
2. root@vultr:~# fwknop -A tcp/22 -D my.server.com --key-gen --use-hmac --save-rc-stanza
   
3. [+] Wrote Rijndael and HMAC keys to rc file: /root/.fwknoprc
   
4. root@vultr:~# ls -la
   
5. total 80
   
6. drwx------  4 root root  4096 Sep 21 11:57 .
   
7. drwxr-xr-x 18 root root  4096 Sep  5 06:43 ..
   
8. -rw-------  1 root root 10467 Sep 20 06:43 .bash_history
   
9. -rw-r--r--  1 root root   564 Sep  5 00:41 .bashrc
   
10. -rw-r--r--  1 root root   570 Jan 31  2010 .bashrc.first
    
11. -rw-------  1 root root    43 Sep 20 22:12 .fwknop.run
    
12. -rw-------  1 root root   324 Sep 21 11:57 .fwknoprc
    
13. -rw-------  1 root root   513 Sep 20 22:06 .fwknoprc.Good
    
14. drwx------  3 root root  4096 Sep 11 20:09 .gnupg
    
15. -rw-------  1 root root    92 Sep 20 19:00 .lesshst
    
16. -rw-r--r--  1 root root   148 Aug 17  2015 .profile
    
17. drwx------  2 root root  4096 Sep  5 15:09 .ssh
    
18. -rw-------  1 root root 11609 Sep 20 23:23 .viminfo
    
19. -rw-r--r--  1 root root 10240 Sep 12 18:29 iptables.20200913-0230.tar
    
20. root@vultr:~# cat .fwknoprc
    
21. [default]
    
22. 
    
23. [my.server.com]
    
24. ACCESS                      tcp/22
    
25. SPA_SERVER                  my.server.com
    
26. KEY_BASE64                  3AVKPD/09DNHwxKSvZ0eH9GxOwMGbp4apbzayPU2C3U=
    
27. HMAC_KEY_BASE64             yGlj/yT1OepkrE6dGCdpzuqwJAe+7h26K/y487cMrOxGmhfVBw1n/v+vuKpg3NffxiIaqASCPRZ0zMbPyS1gzw==
    
28. USE_HMAC                    Y
    
29. 
    
30. 
    

複製代碼

沒有送打開孔洞的通關密語, 所以, 連接 Tcp Port 22 失敗 ... :

1. root@debian:~# ssh 45.77.17.138
   
2. ssh: connect to host 45.77.17.138 port 22: Connection timed out
   

複製代碼

送了打開孔洞的通關密語過去, 可以正常連接到 Tcp Port 22 ... :

1. root@debian:~# fwknop -n my.server.com_tcp22 --verbose -R
   
2. 
   
3. [+] Resolved external IP (via '/usr/bin/wget -U Fwknop/2.6.10 --secure-protocol=auto --quiet -O - https://www.cipherdyne.org/cgi-bin/myip') as: 112.105.240.229
   
4. SPA Field Values:
   
5. =================
   
6.    Random Value: 4699983468226520
   
7.        Username: root
   
8.       Timestamp: 1600691688
   
9.     FKO Version: 3.0.0
   
10.    Message Type: 1 (Access msg)
    
11. Message String: 112.105.240.229,tcp/22
    
12.      Nat Access: <NULL>
    
13.     Server Auth: <NULL>
    
14. Client Timeout: 0
    
15.     Digest Type: 3 (SHA256)
    
16.       HMAC Type: 3 (SHA256)
    
17. Encryption Type: 1 (Rijndael)
    
18. Encryption Mode: 2 (CBC)
    
19.    Encoded Data: 4699983468226520:cm9vdA:1600691688:3.0.0:1:MTEyLjEwNS4yNDAuMjI5LHRjcC8yMg
    
20. SPA Data Digest: fMAweWrcz3BrxIQ7gz2Kxfq1RthpwWJgrDJco60m3sI
    
21.            HMAC: 2uVqLu2+dHq7w7zIGueebYmrLq5nu7pUiwaZyW6MFck
    
22. Final SPA Data: /7VtsmqmKFl6Nf1e3QuyjFucoWJF88419LlSOfnRXKHauKNVDkpHqBSCV4gEAYoqrpo6i9M38j5S9KqEdYqHjTsDotMIwUWPKOmPYAtBmhneH3+CfmkrlLCJmXma9MnUfCNF3jrZdGN89zZw+qYAmlm9+5INTIro49iyKfa8wWPabLWSTnr1Ld2uVqLu2+dHq7w7zIGueebYmrLq5nu7pUiwaZyW6MFck
    
23. 
    
24. Generating SPA packet:
    
25.             protocol: udp
    
26.          source port: <OS assigned>
    
27.     destination port: 62201
    
28.              IP/host: 45.77.17.138
    
29. send_spa_packet: bytes sent: 225
    
30. 
    
31. 
    
32. root@debian:~# ssh 45.77.17.138
    
33. The authenticity of host '45.77.17.138 (45.77.17.138)' can't be established.
    
34. ECDSA key fingerprint is SHA256:8wtDpO6DT2WzDO5wdU9pHBJU3iOELf0Q/EXfnoZioJ8.
    
35. Are you sure you want to continue connecting (yes/no)? yes
    
36. Warning: Permanently added '45.77.17.138' (ECDSA) to the list of known hosts.
    
37. root@45.77.17.138's password:
    

複製代碼

在這裡, 因為我沒有公佈伺服器(ip : 45.77.17.138) 現在 Tcp Port 22 所使用的相關鍵值, 所以, 請有興趣要測試 Fwknop Server 的人, 使用 Tcp Port 7, 及其相關鍵值來測試...


相關參考網頁, 參註二.



註一.
Understanding the SSH Encryption and Connection Process

設定密不透水的 ssh 服務

定期排程異地備份不需要密碼， 就交給 ssh 的信任機制與身份識別吧!

關閉sshd的登入密碼認證(PasswordAuthentication)



註二.Fwknop, Debian and Ansible

Single Packet Authorization with GnuPG Keys

利用fwknop給sshd加一道門，向暴力黑客Say no-way!