COCO研究院

[Write-up] Single Packet Authorization with Fwknop.

Posted 20-9-21 20:59

Original article => Single Packet Authorization with Fwknop by Michael Rash, December 2005.



More than a year ago I came across the article "連鑰匙孔都藏起來的 ssh 完全防禦: SPA" ("Complete ssh defence that even hides the keyhole: SPA") by Prof. 洪朝貴 of Chaoyang (朝陽) ... At the time I did not test it and did not understand how the whole thing works ... I thought having Fail2Ban was enough ...


Anyone who has installed an SSH server and looked at its logs (for example /var/log/auth.log) has probably noticed that every day a few programs from outside try to log in to your SSH server with the "root" ID or some other user ID ... Even with Fail2Ban installed my server could not escape this ... So I went from allowing "root" to log in with a password to "PermitRootLogin no" ... After a while I still did not feel at ease, and changed it further to ... :

    PermitRootLogin no
    PubkeyAuthentication yes
    AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2
    PasswordAuthentication no
    ...

Ordinary users are also forbidden from logging in with a password; logins use "public-key cryptography", also called "asymmetric cryptography", instead. (Note!!! Until you are sure that the keys are in place and that logging in this way actually works, remember to leave yourself a way back in (a VNC or TTY1 login), so that if the ssh login fails you are not left with no other way into the system ... ) For related references see Note 1.


A few weeks ago I read "連鑰匙孔都藏起來的 ssh 完全防禦: SPA" again, and this time tested it ... I figured that if even the "hole" disappears, then logging in to the server would need some other channel ... so I set out to learn how to make the keyhole disappear and reappear when needed ...

After some twists and turns I finally learned how to use this technique ...


I have now installed an SSH server and an Fwknop server on the server (ip : 45.77.17.138) ...
TCP port 7 is provided for echo testing ...


/etc/fwknop/fwknopd.conf :

    PCAP_INTF                   ens3;
    PCAP_FILTER                 udp port 62201;


/etc/fwknop/access.conf :

    REQUIRE_SOURCE_ADDRESS  N

    SOURCE                  ANY
    OPEN_PORTS              tcp/22
    KEY_BASE64              (kept private, not disclosed)
    HMAC_KEY_BASE64         (kept private, not disclosed)

    SOURCE                  ANY
    OPEN_PORTS              tcp/7
    KEY_BASE64              e4HchGSfm4DdfpI8LQsUPe/dVVeI0xZBDq6cpC8arO8=
    HMAC_KEY_BASE64         MK4MKf/em/E/ZtZ3cRFn5wFEM0NKCtODBhjzt9FOnmJOVEis3gluhKPlSCobtH9r/UnpqsD7vLN8kXueKcmvyA==


The server's firewall settings ... :

    root@vultr:~# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    FWKNOP_INPUT  all  --  anywhere             anywhere
    f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate RELATED,ESTABLISHED
    DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh
    DROP       tcp  --  anywhere             anywhere             tcp dpt:echo

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain f2b-sshd (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain FWKNOP_INPUT (1 references)
    target     prot opt source               destination



On the client side, /root/.fwknoprc :

    [default]
    WGET_CMD                /usr/bin/wget

    [my.server.com_tcp22]
    ACCESS                  tcp/22
    KEY_BASE64              (kept private, not disclosed)
    HMAC_KEY_BASE64         (kept private, not disclosed)
    SPA_SERVER              45.77.17.138
    USE_HMAC                Y

    [my.server.com_tcp7]
    ACCESS                  tcp/7
    KEY_BASE64              e4HchGSfm4DdfpI8LQsUPe/dVVeI0xZBDq6cpC8arO8=
    HMAC_KEY_BASE64         MK4MKf/em/E/ZtZ3cRFn5wFEM0NKCtODBhjzt9FOnmJOVEis3gluhKPlSCobtH9r/UnpqsD7vLN8kXueKcmvyA==
    SPA_SERVER              45.77.17.138
    USE_HMAC                Y


The scan below shows that on this server roughly three TCP ports appear to be filtered ... :

    root@debian:~# nmap -A -v 45.77.17.138
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-21 17:45 CST
    NSE: Loaded 148 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 17:45
    Completed NSE at 17:45, 0.00s elapsed
    Initiating NSE at 17:45
    Completed NSE at 17:45, 0.00s elapsed
    Initiating Ping Scan at 17:45
    Scanning 45.77.17.138 [4 ports]
    Completed Ping Scan at 17:45, 0.20s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 17:45
    Completed Parallel DNS resolution of 1 host. at 17:45, 0.00s elapsed
    Initiating SYN Stealth Scan at 17:45
    Scanning 45.77.17.138.vultr.com (45.77.17.138) [1000 ports]
    Increasing send delay for 45.77.17.138 from 0 to 5 due to 37 out of 121 dropped probes since last increase.
    Increasing send delay for 45.77.17.138 from 5 to 10 due to max_successful_tryno increase to 4
    Increasing send delay for 45.77.17.138 from 10 to 20 due to 11 out of 31 dropped probes since last increase.
    Increasing send delay for 45.77.17.138 from 20 to 40 due to max_successful_tryno increase to 5
    Increasing send delay for 45.77.17.138 from 40 to 80 due to 11 out of 22 dropped probes since last increase.
    Increasing send delay for 45.77.17.138 from 80 to 160 due to 11 out of 27 dropped probes since last increase.
    Increasing send delay for 45.77.17.138 from 160 to 320 due to 11 out of 27 dropped probes since last increase.
    SYN Stealth Scan Timing: About 31.16% done; ETC: 17:47 (0:01:08 remaining)
    SYN Stealth Scan Timing: About 40.54% done; ETC: 17:48 (0:01:29 remaining)
    SYN Stealth Scan Timing: About 66.96% done; ETC: 17:49 (0:01:13 remaining)
    SYN Stealth Scan Timing: About 76.34% done; ETC: 17:49 (0:00:55 remaining)
    SYN Stealth Scan Timing: About 85.74% done; ETC: 17:49 (0:00:35 remaining)
    Completed SYN Stealth Scan at 17:50, 263.77s elapsed (1000 total ports)
    Initiating Service scan at 17:50
    Initiating OS detection (try #1) against 45.77.17.138.vultr.com (45.77.17.138)
    adjust_timeouts2: packet supposedly had rtt of -189579 microseconds.  Ignoring time.
    adjust_timeouts2: packet supposedly had rtt of -189579 microseconds.  Ignoring time.
    Retrying OS detection (try #2) against 45.77.17.138.vultr.com (45.77.17.138)
    Initiating Traceroute at 17:50
    Completed Traceroute at 17:50, 3.02s elapsed
    Initiating Parallel DNS resolution of 10 hosts. at 17:50
    Completed Parallel DNS resolution of 10 hosts. at 17:50, 0.05s elapsed
    NSE: Script scanning 45.77.17.138.
    Initiating NSE at 17:50
    Completed NSE at 17:50, 0.01s elapsed
    Initiating NSE at 17:50
    Completed NSE at 17:50, 0.00s elapsed
    Nmap scan report for 45.77.17.138.vultr.com (45.77.17.138)
    Host is up (0.063s latency).
    Not shown: 997 closed ports
    PORT    STATE    SERVICE     VERSION
    7/tcp   filtered echo
    22/tcp  filtered ssh
    139/tcp filtered netbios-ssn
    Too many fingerprints match this host to give specific OS details
    Network Distance: 15 hops

    TRACEROUTE (using port 8888/tcp)
    HOP RTT      ADDRESS
    1   1.56 ms  I-040GW.cht.com.tw (192.168.1.1)
    2   2.61 ms  tp240-143.dialup.seed.net.tw (139.175.240.143)
    3   2.18 ms  192.72.223.9
    4   8.46 ms  r58-205.seed.net.tw (139.175.58.205)
    5   8.96 ms  r58-145.seed.net.tw (139.175.58.145)
    6   9.95 ms  h202-192-72-155.seed.net.tw (192.72.155.202)
    7   9.94 ms  h202-192-72-155.seed.net.tw (192.72.155.202)
    8   9.95 ms  199.245.16.37
    9   38.43 ms ae-7.r31.tokyjp05.jp.bb.gin.ntt.net (129.250.7.5)
    10  65.63 ms ce-0-14-0-1.r02.tokyjp05.jp.ce.gin.ntt.net (120.88.54.98)
    11  ... 14
    15  62.59 ms 45.77.17.138.vultr.com (45.77.17.138)

    NSE: Script Post-scanning.
    Initiating NSE at 17:50
    Completed NSE at 17:50, 0.00s elapsed
    Initiating NSE at 17:50
    Completed NSE at 17:50, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 271.50 seconds
               Raw packets sent: 1329 (62.326KB) | Rcvd: 1284 (55.408KB)



Sending the word "Hello" to the server, but no echo comes back ... :

    root@debian:~# echo "Hello" | nc 45.77.17.138 7
    (UNKNOWN) [45.77.17.138] 7 (echo) : Connection timed out



Sending the "secret knock" to the server, asking it to open a channel to TCP port 7 temporarily (30 seconds) ... and immediately afterwards sending "Hello", the correct echo comes straight back ... :

    root@debian:~# fwknop -n my.server.com_tcp7 --verbose -R

    [+] Resolved external IP (via '/usr/bin/wget -U Fwknop/2.6.10 --secure-protocol=auto --quiet -O - https://www.cipherdyne.org/cgi-bin/myip') as: 112.105.240.229
    SPA Field Values:
    =================
       Random Value: 4646262537257489
           Username: root
          Timestamp: 1600683550
        FKO Version: 3.0.0
       Message Type: 1 (Access msg)
     Message String: 112.105.240.229,tcp/7
         Nat Access: <NULL>
        Server Auth: <NULL>
     Client Timeout: 0
        Digest Type: 3 (SHA256)
          HMAC Type: 3 (SHA256)
    Encryption Type: 1 (Rijndael)
    Encryption Mode: 2 (CBC)
       Encoded Data: 4646262537257489:cm9vdA:1600683550:3.0.0:1:MTEyLjEwNS4yNDAuMjI5LHRjcC83
    SPA Data Digest: YGFMxQ+C2a4HojasVflYqm05eRC0DWaNrmM6ewF7Ukw
               HMAC: dGpdcQ3rXvKbxFIWBCDdCVmaSU+QNL31fHDYtEBstUg
     Final SPA Data: 8hcLdcIPNfRHY1t1KHrFh6vLxUAlXG4kS287gTMhYdzc7g+lL0X0kCbc4WvB65ZwVrmHp78s0mNVVM7jtMUwcgLF1Vb7jqBpEL/YF9wvk6R5V/V+CJK6pGeKJgf8nnfI8GOOztsRufKl3W47qsBWJxt2Iu0jyNz7rhNa/UcmWCZMjIH4MI+KAXdGpdcQ3rXvKbxFIWBCDdCVmaSU+QNL31fHDYtEBstUg

    Generating SPA packet:
                protocol: udp
             source port: <OS assigned>
        destination port: 62201
                 IP/host: 45.77.17.138
    send_spa_packet: bytes sent: 225

    root@debian:~#
    root@debian:~# echo "Hello" | nc 45.77.17.138 7
    Hello
    ^C




Using the Windows fwknop-gui.exe to send the "secret knock" to the server, asking it to open a channel to TCP port 7 temporarily (30 seconds) ... :
[image: Fwknop-gui-20200921-1835-01.png]

In the "Rijndael Key" field of Fwknop-gui, enter the same KEY_BASE64 value as on the server; this server's (ip : 45.77.17.138) KEY_BASE64 value is as follows :

    e4HchGSfm4DdfpI8LQsUPe/dVVeI0xZBDq6cpC8arO8=


In the "HMAC Key" field of Fwknop-gui, enter the same HMAC_KEY_BASE64 value as on the server; this server's (ip : 45.77.17.138) HMAC_KEY_BASE64 value is as follows :

    MK4MKf/em/E/ZtZ3cRFn5wFEM0NKCtODBhjzt9FOnmJOVEis3gluhKPlSCobtH9r/UnpqsD7vLN8kXueKcmvyA==


Windows fwknop-gui by jp-bennett


Counting down 30 seconds ... :
[image: Fwknop-gui-20200921-1835-02.png]


Then immediately sending "Hello", and the correct echo comes straight back ... :

    D:\Download-Files\Netcat\netcat-master\netcat-master>echo "Hello" | nc.exe 45.77.17.138 7
    "Hello"
    ^C


Netcat (i.e. nc) for Windows by diegocr




Generating the keys you need, without saving them ... :

    root@vultr:~# fwknop -A tcp/7 -D my.server.com --key-gen --use-hmac
    [*] Creating initial rc file: /root/.fwknoprc.
    KEY_BASE64: 4EDJvs0WnM69iWi2Z89LdTcmanyE2zBQK5qJNjjkakg=
    HMAC_KEY_BASE64: Xjp80RpD9hSrYCnBPKgwNFtOINH8C9wVNAny4v+aWyATGOoHuY6MDhladFhgOeoRpFp7T9/o/sprxqb6N+Y2vw==



Generating the keys you need, and saving them to the rc file ... :

    root@vultr:~# fwknop -A tcp/22 -D my.server.com --key-gen --use-hmac --save-rc-stanza
    [+] Wrote Rijndael and HMAC keys to rc file: /root/.fwknoprc
    root@vultr:~# ls -la
    total 80
    drwx------  4 root root  4096 Sep 21 11:57 .
    drwxr-xr-x 18 root root  4096 Sep  5 06:43 ..
    -rw-------  1 root root 10467 Sep 20 06:43 .bash_history
    -rw-r--r--  1 root root   564 Sep  5 00:41 .bashrc
    -rw-r--r--  1 root root   570 Jan 31  2010 .bashrc.first
    -rw-------  1 root root    43 Sep 20 22:12 .fwknop.run
    -rw-------  1 root root   324 Sep 21 11:57 .fwknoprc
    -rw-------  1 root root   513 Sep 20 22:06 .fwknoprc.Good
    drwx------  3 root root  4096 Sep 11 20:09 .gnupg
    -rw-------  1 root root    92 Sep 20 19:00 .lesshst
    -rw-r--r--  1 root root   148 Aug 17  2015 .profile
    drwx------  2 root root  4096 Sep  5 15:09 .ssh
    -rw-------  1 root root 11609 Sep 20 23:23 .viminfo
    -rw-r--r--  1 root root 10240 Sep 12 18:29 iptables.20200913-0230.tar
    root@vultr:~# cat .fwknoprc
    [default]

    [my.server.com]
    ACCESS                      tcp/22
    SPA_SERVER                  my.server.com
    KEY_BASE64                  3AVKPD/09DNHwxKSvZ0eH9GxOwMGbp4apbzayPU2C3U=
    HMAC_KEY_BASE64             yGlj/yT1OepkrE6dGCdpzuqwJAe+7h26K/y487cMrOxGmhfVBw1n/v+vuKpg3NffxiIaqASCPRZ0zMbPyS1gzw==
    USE_HMAC                    Y



Without sending the secret knock that opens the hole, connecting to TCP port 22 fails ... :

    root@debian:~# ssh 45.77.17.138
    ssh: connect to host 45.77.17.138 port 22: Connection timed out



After sending the secret knock that opens the hole, connecting to TCP port 22 works normally ... :

    root@debian:~# fwknop -n my.server.com_tcp22 --verbose -R

    [+] Resolved external IP (via '/usr/bin/wget -U Fwknop/2.6.10 --secure-protocol=auto --quiet -O - https://www.cipherdyne.org/cgi-bin/myip') as: 112.105.240.229
    SPA Field Values:
    =================
       Random Value: 4699983468226520
           Username: root
          Timestamp: 1600691688
        FKO Version: 3.0.0
       Message Type: 1 (Access msg)
     Message String: 112.105.240.229,tcp/22
         Nat Access: <NULL>
        Server Auth: <NULL>
     Client Timeout: 0
        Digest Type: 3 (SHA256)
          HMAC Type: 3 (SHA256)
    Encryption Type: 1 (Rijndael)
    Encryption Mode: 2 (CBC)
       Encoded Data: 4699983468226520:cm9vdA:1600691688:3.0.0:1:MTEyLjEwNS4yNDAuMjI5LHRjcC8yMg
    SPA Data Digest: fMAweWrcz3BrxIQ7gz2Kxfq1RthpwWJgrDJco60m3sI
               HMAC: 2uVqLu2+dHq7w7zIGueebYmrLq5nu7pUiwaZyW6MFck
     Final SPA Data: /7VtsmqmKFl6Nf1e3QuyjFucoWJF88419LlSOfnRXKHauKNVDkpHqBSCV4gEAYoqrpo6i9M38j5S9KqEdYqHjTsDotMIwUWPKOmPYAtBmhneH3+CfmkrlLCJmXma9MnUfCNF3jrZdGN89zZw+qYAmlm9+5INTIro49iyKfa8wWPabLWSTnr1Ld2uVqLu2+dHq7w7zIGueebYmrLq5nu7pUiwaZyW6MFck

    Generating SPA packet:
                protocol: udp
             source port: <OS assigned>
        destination port: 62201
                 IP/host: 45.77.17.138
    send_spa_packet: bytes sent: 225


    root@debian:~# ssh 45.77.17.138
    The authenticity of host '45.77.17.138 (45.77.17.138)' can't be established.
    ECDSA key fingerprint is SHA256:8wtDpO6DT2WzDO5wdU9pHBJU3iOELf0Q/EXfnoZioJ8.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '45.77.17.138' (ECDSA) to the list of known hosts.
    root@45.77.17.138's password:


Here, since I have not published the keys the server (ip : 45.77.17.138) currently uses for TCP port 22, anyone who wants to test the Fwknop server should use TCP port 7 and the keys given for it ...


For related reference pages, see Note 2.



Note 1.
Understanding the SSH Encryption and Connection Process

Setting up a watertight ssh service (設定密不透水的 ssh 服務)

Scheduled off-site backups without passwords: leave it to ssh's trust mechanism and identity (定期排程異地備份不需要密碼, 就交給 ssh 的信任機制與身份識別吧!)

Disabling sshd password login authentication (PasswordAuthentication) (關閉sshd的登入密碼認證)



Note 2.
Fwknop, Debian and Ansible

Single Packet Authorization with GnuPG Keys

Using fwknop to put an extra door in front of sshd and say no-way to brute-force hackers! (利用fwknop給sshd加一道門,向暴力黑客Say no-way!)
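The sshd_config hardening the post settles on (PermitRootLogin no, PasswordAuthentication no, public-key login only) has one well-known trap: sshd uses the first value it reads for each keyword, so a hardening line appended below a permissive default is silently ignored. The following Python is an added example, not code from the post or from OpenSSH. It reads an sshd_config the way sshd does (case-insensitive keywords, "#" comments, first occurrence wins, the global section ends at the first Match line) and reports every setting that differs from what the post configures. The two config texts are constructed samples; the fallback values are OpenSSH's documented defaults for an absent keyword.

```python
"""Audit an sshd_config for the hardening settings used in the post.

Added example, not the post's own code. Only global directives are
checked; lines after the first 'Match' apply conditionally and are
deliberately skipped.
"""

# Values the post configures.
WANTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}

# OpenSSH defaults that apply when the keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Constructed sample: the post's lines were appended to a config that
# still carries the permissive settings above them.
WEAK_CONFIG = """\
# shipped defaults
PermitRootLogin yes
PasswordAuthentication yes

# appended later, but sshd keeps the first value it saw
PermitRootLogin no
PasswordAuthentication no
"""

# Constructed sample: the post's settings, plus a Match block that must
# not be mistaken for a global override.
HARDENED_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2
PasswordAuthentication no

Match User backup
    PasswordAuthentication yes
"""


def effective_globals(config_text: str) -> dict:
    """Map lower-cased keyword -> first global value, as sshd resolves it."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                       # end of the global section
            break
        settings.setdefault(key, value)          # first occurrence wins
    return settings


def audit(config_text: str) -> list:
    """Return (keyword, effective value) pairs that miss the wanted value."""
    found = effective_globals(config_text)
    findings = []
    for key, wanted in WANTED.items():
        actual = found.get(key, DEFAULTS[key])
        if actual.lower() != wanted:
            findings.append((key, actual))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(text) or "ok")
```

Running it flags PermitRootLogin and PasswordAuthentication in the weak sample even though the "no" lines are present, and passes the hardened sample despite the Match block re-enabling passwords for one user; `sshd -T` on the server prints the same effective values if you want to compare against a live host.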
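The "SPA Field Values" and "Final SPA Data" that `fwknop --verbose` prints in the tcp/7 exchange above follow a fixed layout, and since the author published the tcp/7 HMAC key, the packet from the post can be checked offline. The following Python is an added example, not code from the post or from the fwknop project. It splits the cleartext encoded fields, recomputes the SHA256 data digest over them, and verifies the HMAC-SHA256 trailer of the wire packet, which is the check fwknopd performs before it touches the Rijndael key. One assumption comes from reading libfko rather than from the post: the HMAC covers the base64 ciphertext with the constant "U2FsdGVkX1" (base64 of "Salted__") prefix restored, because the client strips that prefix from every packet it sends.

```python
"""Inspect the fwknop SPA packet shown in the post (added example).

Pure-Python reconstruction of the libfko packet layout that can be
checked without the encryption key: encoded fields, data digest, and
the HMAC trailer.  Assumption (from libfko, not stated in the post):
the HMAC is computed over SALT_PREFIX + base64 ciphertext.
"""
import base64
import hashlib
import hmac

SALT_PREFIX = "U2FsdGVkX1"   # base64 of "Salted__" plus the first salt bits
HMAC_B64_LEN = 43            # SHA256 (32 bytes) in base64 with '=' stripped

# Values copied from the post's tcp/7 exchange; the tcp/7 HMAC key is the
# one the author published in access.conf.
TCP7_HMAC_KEY_B64 = ("MK4MKf/em/E/ZtZ3cRFn5wFEM0NKCtODBhjzt9FOnmJOVEis3gluhKPl"
                     "SCobtH9r/UnpqsD7vLN8kXueKcmvyA==")
TCP7_ENCODED = "4646262537257489:cm9vdA:1600683550:3.0.0:1:MTEyLjEwNS4yNDAuMjI5LHRjcC83"
TCP7_FINAL = ("8hcLdcIPNfRHY1t1KHrFh6vLxUAlXG4kS287gTMhYdzc7g+lL0X0kCbc4WvB65ZwVrmHp7"
              "8s0mNVVM7jtMUwcgLF1Vb7jqBpEL/YF9wvk6R5V/V+CJK6pGeKJgf8nnfI8GOOztsRufKl"
              "3W47qsBWJxt2Iu0jyNz7rhNa/UcmWCZMjIH4MI+KAXdGpdcQ3rXvKbxFIWBCDdCVmaSU+Q"
              "NL31fHDYtEBstUg")


def b64_nopad(data: bytes) -> str:
    """libfko-style base64: standard alphabet, '=' padding removed."""
    return base64.b64encode(data).decode().rstrip("=")


def b64_decode_nopad(text: str) -> bytes:
    """Inverse of b64_nopad: restore padding, then decode."""
    return base64.b64decode(text + "=" * (-len(text) % 4))


def parse_encoded(encoded: str) -> dict:
    """Split the cleartext fields that 'Encoded Data' shows.

    Layout: random:username_b64:timestamp:version:type:message_b64[...]
    """
    fields = encoded.split(":")
    rand, user_b64, ts, version, msg_type, msg_b64 = fields[:6]
    return {
        "random": rand,
        "username": b64_decode_nopad(user_b64).decode(),
        "timestamp": int(ts),
        "version": version,
        "message_type": int(msg_type),
        "message": b64_decode_nopad(msg_b64).decode(),   # "client_ip,proto/port"
    }


def spa_data_digest(encoded: str) -> str:
    """'SPA Data Digest': SHA256 over the encoded fields, base64 unpadded."""
    return b64_nopad(hashlib.sha256(encoded.encode()).digest())


def split_wire(final: str) -> tuple:
    """Wire packet = base64 ciphertext (salt prefix stripped) + HMAC tag."""
    return final[:-HMAC_B64_LEN], final[-HMAC_B64_LEN:]


def verify_hmac(final: str, hmac_key_b64: str) -> bool:
    """Recompute the trailer the way fwknopd does before decrypting."""
    ciphertext_b64, tag = split_wire(final)
    key = base64.b64decode(hmac_key_b64)            # 64 raw key bytes
    covered = (SALT_PREFIX + ciphertext_b64).encode()
    expected = b64_nopad(hmac.new(key, covered, hashlib.sha256).digest())
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    print(parse_encoded(TCP7_ENCODED))
    print("digest ok:", spa_data_digest(TCP7_ENCODED))
    print("hmac ok:", verify_hmac(TCP7_FINAL, TCP7_HMAC_KEY_B64))
```

The message field carries the client's own public address, which is why the author runs fwknop with -R: fwknopd opens tcp/7 only for that source. A packet whose HMAC does not verify is discarded before any decryption, and the random value and timestamp make every packet's digest unique, which is what lets fwknopd reject a captured packet that is sent again.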




