
A Mutt's Road to Keeping Hackers Out (狗东西的防黑之路)

Author: XRSec
Published: 2022-03-15 21:20:05
Views: 5190
Column: XRSec.Blog

This article starts from SSH. The author writes casually, as the mood takes him. Topics covered: openssh, proxy, fwknop, docker.

OPENSSH

OpenSSH (also known as OpenBSD Secure Shell[a]) is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture.[4][5]

OpenSSH started as a fork of the free SSH program developed by Tatu Ylönen; later versions of Ylönen’s SSH were proprietary software offered by SSH Communications Security.[6] OpenSSH was first released in 1999 and is currently developed as part of the OpenBSD operating system.

```sh
yum/apt install openssh-server

ssh -p[serverPort] [user]@[serverIP]
```

SSH PORT FORWARDING

```sh
# Local forward: a connection to localIP:localPort leaves the SSH server towards remoteIP:remotePort
ssh -C -T -N -L [localIP]:[localPort]:[remoteIP]:[remotePort] -p [SSHserverPort] [user]@[SSHserverIP]
# Remote forward: the SSH server listens on remoteIP:remotePort and hands connections back to localIP:localPort
# (binding a non-loopback remoteIP needs GatewayPorts on the server side)
ssh -T -N -R [remoteIP]:[remotePort]:[localIP]:[localPort] -p [SSHserverPort] [user]@[SSHserverIP]
# Dynamic forward: SOCKS proxy on localIP:localPort whose traffic exits at the SSH server
ssh -C -T -N -D [localIP]:[localPort] -p [SSHserverPort] [user]@[SSHserverIP]
```

NAT

No ICP filing, so I dare not open port 80; the company network also has traffic inspection, so I dare not use a V** either. What to do?

```sh
#!/usr/bin/env sh
# (Re)start the SSH local forward that exposes the NAT-side web server
# (ServerNatIP:80) on local port 9999. Any previous tunnel process is killed first.

clear
ServerIP="bit"
ServerNatIP="10.0.4.8"
# `ps -e` alone does not print arguments, so match on the full command line
ps_ssh_pid="$(pgrep -f "0.0.0.0:9999")"

# printf instead of echo: escape handling of echo differs between sh and bash
printf "#########################\n\nWorking on the WIZ tunnel\n"

# POSIX test uses a single '=' for string comparison, not '=='
if [ -n "$ps_ssh_pid" ]; then
	# unquoted on purpose: pgrep may return several PIDs
	kill $ps_ssh_pid
fi
ssh -C -T -N -L 0.0.0.0:9999:"$ServerNatIP":80 wiz@"$ServerIP" &
printf "#########################\n"
```

The tunnel is now up and all traffic is forwarded over SSH. How is it configured?

```sh
➜  ~ cat /etc/ssh/sshd_config
...
Match User wiz
    AllowTcpForwarding yes
    PermitTunnel yes
    PermitOpen 10.0.4.6:80 10.0.4.6:33008 10.0.4.6:33099
```

```sh
➜  ~ chsh -s /sbin/nologin wiz
➜  ~ cat /etc/passwd | grep wiz
```

But what about SSH brute-force attacks?

```sh
➜  ~ cat /etc/ssh/sshd_config
...
PasswordAuthentication no
AuthorizedKeysFile	.ssh/authorized_keys
```

At the same time, disabling the user's login in passwd is enough.

fwknop authentication can also be used.
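The two sshd_config fragments above pin down what the tunnel account is allowed to do: keys only, forwarding off by default, and for the `wiz` user a fixed list of `PermitOpen` targets. The following Python audit script is an added example, not code from the post; it parses a constructed sample sshd_config (the values mirror the post's fragments but are illustrative) and reports the common ways such a setup degrades, such as a Match block that enables forwarding without a PermitOpen list.

```python
import re

# Constructed sample sshd_config, modelled on the fragments shown in the post
# (the values are illustrative, not the author's real file).
SAMPLE_SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
AllowTcpForwarding no   # default-deny, opened per user below

Match User wiz
    AllowTcpForwarding yes
    PermitTunnel yes
    PermitOpen 10.0.4.6:80 10.0.4.6:33008 10.0.4.6:33099

Match User backup
    AllowTcpForwarding yes
"""


def parse_sshd_config(text):
    """Split sshd_config into the global section and its Match blocks.

    Returns (global_opts, {match_spec: opts}) with lower-cased keywords.
    Within one section sshd keeps the first value it sees for a keyword;
    a Match block overrides the global section for connections it matches.
    """
    global_opts, matches = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and indentation
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = matches.setdefault(value, {})
            continue
        current.setdefault(key, value)                  # first occurrence wins
    return global_opts, matches


def effective_options(text, match_spec):
    """Options a connection matching `match_spec` (e.g. 'User wiz') ends up with."""
    global_opts, matches = parse_sshd_config(text)
    merged = dict(global_opts)
    merged.update(matches.get(match_spec, {}))
    return merged


def audit_tunnel_user(text, user):
    """Return a list of findings for a forwarding-only account like 'wiz'.

    An empty list means the config matches the post's hardening: keys only,
    forwarding off by default, and the user's forwarding pinned to explicit
    host:port targets. Defaults below are sshd's own (password auth on,
    forwarding on, PermitOpen any).
    """
    findings = []
    global_opts, _ = parse_sshd_config(text)
    opts = effective_options(text, f"User {user}")

    if global_opts.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' globally: brute force stays possible")
    if global_opts.get("allowtcpforwarding", "yes").lower() != "no":
        findings.append("AllowTcpForwarding is not 'no' globally: every account can forward")

    if opts.get("allowtcpforwarding", "no").lower() == "yes":
        targets = opts.get("permitopen", "any").split()
        if targets == ["any"]:
            findings.append(f"{user} may forward to any host:port (PermitOpen missing or 'any')")
        else:
            bad = [t for t in targets if not re.fullmatch(r".+:(\d+|\*)", t)]
            if bad:
                findings.append(f"{user} has malformed PermitOpen targets: {bad}")
    return findings


if __name__ == "__main__":
    for account in ("wiz", "backup"):
        print(account, audit_tunnel_user(SAMPLE_SSHD_CONFIG, account) or "OK")
```

Run it against a real file with `audit_tunnel_user(open("/etc/ssh/sshd_config").read(), "wiz")`; for the authoritative merged view of a live daemon, `sshd -T -C user=wiz` prints the effective options and can be fed to the same parser.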

fwknop Single Packet Authorization > Port Knocking

Tested; not recommended on CentOS. Local environment: OpenWrt.

```sh
# dnf config-manager --set-enabled powertools && dnf install texinfo -y
yum install gcc gcc-c++ openssl libtool m4 automake libpcap-devel texinfo -y
git clone https://github.com/mrash/fwknop fwknop.git
cd fwknop.git
./autogen.sh
./configure --with-iptables=/usr/sbin/iptables --prefix=/usr --sysconfdir=/etc --localstatedir=/run
make
make install


➜  ~ fwknop --version
fwknop client 2.6.10, FKO protocol version 3.0.0
➜  ~ systemctl enable fwknopd.service
➜  ~ systemctl start fwknopd.service

# FIREWALL_EXE
```

CLIENT

```sh
# PLAN1
fwknop --destination [SERVER_IP] --access tcp/22,udp/22 --server-port 9999 --key-base64-rijndael 0sZirx/3/68oIAmyT4OubNm2r/x4ZCyafcVX5YcVDU= --key-base64-hmac ahpupE+rQ9DnZYqt5RgCsp58ThOSeuosFtL+Co2bACGJqQvEIFaOocnE+ozXI2aG5Tc3ZCpq5z1YFpfpVlgoM== --source-ip $(curl -s cip.cc | grep IP | cut -d " " -f 2)

# PLAN2
fwknop --destination [SERVER_IP] --access tcp/22,udp/22 --use-hmac --server-port 9999 --server-proto udp --key-gen --save-rc-stanza

cat ~/.fwknoprc | grep KEY
# COPY KEY TO SERVER
fwknop -n [SERVER_IP] --source-ip $(curl -s cip.cc | grep IP | cut -d " " -f 2)
# DOMAIN NAMES CANNOT BE USED
```

SERVER

```sh
# COPY CLIENT KEY TO ACCESS
cat /etc/fwknop/access.conf | grep KEY

# IF THE CLIENT DEFINES THE PORT NUMBER, THE SERVER MUST ALSO CHANGE IT
cat /etc/fwknop/fwknopd.conf | grep PCAP_FILTER
cat /etc/fwknop/fwknopd.conf | grep PCAP_INTF

# START FWKNOP SERVER
fwknopd

# KEEP THE PORT CLOSED UNTIL THE KNOCK SUCCEEDS
iptables --insert INPUT --protocol tcp --dport 22 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
iptables --insert INPUT 2 --protocol tcp --dport 22 --jump DROP

# RUN CLIENT AND CHECK PLAN [ 1 / 2 ]
iptables -L FWKNOP_INPUT -n
# Note: do not let these iptables rules be overwritten, and keep a fallback session open before you exit
exit
```

MAIN

```sh
# RUN CLIENT AND CHECK PLAN [ 1 / 2 ]
# SERVER RUN
ssh [user]@[SERVER_IP]
iptables -L FWKNOP_INPUT -n
# YOU CAN SEE THAT YOUR IP IS ALLOWED TO ACCESS
# IF YOU CAN, YOU CAN MODIFY THE TIME, THE DEFAULT CONNECTION IS 30S
```
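The CLIENT, SERVER and MAIN steps above form one single packet authorization exchange: the client sends an HMAC-protected request naming its source IP and the ports it wants, the server verifies it and opens a rule that lives 30 s by default. The Python model below is an added example, not code from the post and not fwknop's wire format: it uses a JSON body and a constructed placeholder HMAC key, keeps only the HMAC step (real fwknop additionally encrypts the body with Rijndael or GPG), and shows the server-side checks that make SPA stronger than plain port knocking: authentication before parsing, replay rejection via a digest cache, a timestamp window, and rules that expire.

```python
import hashlib
import hmac
import json
import os

# Constructed shared HMAC key. fwknop derives its own with --key-gen; this
# value is a placeholder for the example only.
HMAC_KEY = b"example-hmac-key-not-from-the-post"
ACCESS_TIMEOUT = 30   # seconds the opened rule lives (fwknopd's default, as the post notes)
TIME_WINDOW = 120     # clock skew tolerated between client timestamp and server receipt


def build_spa_packet(hmac_key, source_ip, access, now):
    """Client side: one authenticated access request.

    Real fwknop encrypts the body and then appends an HMAC; this model keeps
    only the HMAC step, so the body is readable but any change invalidates it.
    """
    body = {
        "ts": int(now),                 # when the request was made
        "nonce": os.urandom(8).hex(),   # makes every packet unique
        "src": source_ip,               # the --source-ip the client asks to open for
        "access": access,               # e.g. "tcp/22"
    }
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(hmac_key, raw, hashlib.sha256).hexdigest().encode()
    return raw + b"|" + tag


class SpaServer:
    """Server side: verify, reject replays, and keep short-lived allow rules."""

    def __init__(self, hmac_key):
        self.key = hmac_key
        self.seen = set()   # digests of accepted packets (replay cache)
        self.rules = []     # (src_ip, proto, port, expiry)

    def handle(self, packet, now):
        raw, sep, tag = packet.rpartition(b"|")
        if not sep:
            return "reject: malformed"
        # Authenticate before parsing anything; an unauthenticated packet is
        # dropped without a response, so a scanner learns nothing.
        expected = hmac.new(self.key, raw, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "reject: bad hmac"
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:
            return "reject: replay"
        body = json.loads(raw)
        if abs(now - body["ts"]) > TIME_WINDOW:
            return "reject: stale"
        proto, port = body["access"].split("/")
        self.seen.add(digest)
        self.rules.append((body["src"], proto, int(port), now + ACCESS_TIMEOUT))
        return "accept"

    def is_allowed(self, src_ip, proto, port, now):
        """Would the firewall accept a new connection from src_ip right now?"""
        self.rules = [r for r in self.rules if r[3] > now]   # expire old rules
        return any(r[:3] == (src_ip, proto, port) for r in self.rules)


def demo():
    """Walk through the accept / replay / tamper / stale / expiry cases."""
    server = SpaServer(HMAC_KEY)
    t0 = 1_700_000_000   # fixed clock so the outcome is deterministic
    pkt = build_spa_packet(HMAC_KEY, "203.0.113.5", "tcp/22", now=t0)
    old = build_spa_packet(HMAC_KEY, "203.0.113.5", "tcp/22", now=t0 - 600)
    return {
        "first": server.handle(pkt, now=t0),
        "open_at_10s": server.is_allowed("203.0.113.5", "tcp", 22, now=t0 + 10),
        "other_ip": server.is_allowed("198.51.100.9", "tcp", 22, now=t0 + 10),
        "replay": server.handle(pkt, now=t0 + 5),
        "tampered": server.handle(pkt.replace(b"203.0.113.5", b"198.51.100.9"), now=t0),
        "stale": server.handle(old, now=t0),
        "closed_at_40s": server.is_allowed("203.0.113.5", "tcp", 22, now=t0 + 40),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14} {outcome}")
```

The order of checks matters: the HMAC is verified before the JSON is parsed, so malformed or forged packets never reach the parser, and the replay cache is keyed on the whole packet, so a captured knock cannot be reused even inside the time window. The iptables DROP rule from the SERVER step is what `is_allowed` stands in for here.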

PREVIEW

```sh
➜  ~ ssh n1
ssh: connect to host nas.zygd.site port 25002: Operation timed out
➜  ~ fwknop --destination [SERVER_IP] --access tcp/22,udp/22 --server-port 9999 --key-base64-rijndael 0sZirx/3/68oIAmyT4OubNm2r/x4ZCyafcVX5YcVDU= --key-base64-hmac ahpupE+rQ9DnZYqt5RgCsp58ThOSeuosFtL+Co2bACGJqQvEIFaOocnE+ozXI2aG5Tc3ZCpq5z1YFpfpVlgoM== --source-ip $(curl -s cip.cc | grep IP | cut -d " " -f 2)
➜  ~ ssh n1
```

XRSec has the right to modify and interpret this article. If you want to reprint or disseminate this article, you must ensure the integrity of this article, including all contents such as copyright notice. Without the permission of the author, the content of this article shall not be modified or increased or decreased arbitrarily, and it shall not be used for commercial purposes in any way

This article is part of the Tencent Cloud self-media sharing program and is shared from the author's personal site/blog.
Originally published: 2022-01-06. For infringement concerns, contact cloudcommunity@tencent.com for removal.
