本文章基于 SSH 出发

作者很随性,随缘写文

涉及知识面:openssh ,proxy ,fwknop ,docker

OPENSSH

OpenSSH (also known as OpenBSD Secure Shell[a]) is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture.[4][5]

OpenSSH started as a fork of the free SSH program developed by Tatu Ylönen; later versions of Ylönen’s SSH were proprietary software offered by SSH Communications Security.[6] OpenSSH was first released in 1999 and is currently developed as part of the OpenBSD operating system.

1
yum/apt install openssh-server
1
ssh -p[serverPort] [user]@[serverIP]

SSH PORT FORWARDING

1
2
3
ssh -C -T -N -L [localIP]:[localPort]:[remoteIP]:[remotePort] [SSHserverIP]:[SSHserverPort]
ssh -T -N -R [remoteIP]:[remotePort]:[localIP]:[localPort] [SSHserverIP]:[SSHserverPort]
ssh -C -T -N -D [localIP]:[localPort] [SSHserverIP]:[SSHserverPort]

NAT

image-20220104154333122

image-20220104154426835

没有备案,也不敢开放 80 端口,公司网络还有流量检测,不敢走VPN,怎么办?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#!/usr/bin/env sh

clear
ps_ssh_pid="$(ps -e | grep "0.0.0.0:9999" | grep -v "grep" | cut -d " " -f 1)"
ServerIP="bit"
ServerNatIP="10.0.4.8"

echo "#########################\n\nWorking on the WIZ tunnel\n"

if [ "$ps_ssh_pid" == "" ]; then
 ssh -C -T -N -L 0.0.0.0:9999:"$ServerNatIP":80 wiz@"$ServerIP" &
 echo "#########################\n"
else
 kill $ps_ssh_pid
 ssh -C -T -N -L 0.0.0.0:9999:"$ServerNatIP":80 wiz@"$ServerIP" &
 echo "#########################\n"
fi

image-20220104154816624

image-20220104154841581

现在已经成功打通隧道,所有流量通过 ssh 转发,怎么配置的呢?

image-20220104155354602

1
2
3
4
5
6
➜  ~ cat /etc/ssh/sshd_config
...
Match User wiz
    AllowTcpForwarding yes
    PermitTunnel yes
    PermitOpen 10.0.4.6:80 10.0.4.6:33008 10.0.4.6:33099
1
2
➜  ~ chsh -s /sbin/nologin
➜  ~ cat /etc/passwd | grep wiz

那万一遇见SSH 爆破呢?

1
2
3
4
➜  ~ cat /etc/ssh/sshd_config
...
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys

同时 passwd 禁用用户登录权限即可

同样可以采取 fwknop 认证

fwknop 单包授权 > 端口敲门

经测试,不建议 Centos 使用,本地环境 Openwrt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# dnf config-manager --set-enabled powertools && dnf install texinfo -y
yum install gcc gcc-c++ openssl libtool m4 automake libpcap-devel texinfo -y
git clone https://github.com/mrash/fwknop fwknop.git
cd fwknop.git
./autogen.sh
./configure --with-iptables=/usr/sbin/iptables --prefix=/usr --sysconfdir=/etc --localstatedir=/run
make
make install


➜  ~ fwknop --version
fwknop client 2.6.10, FKO protocol version 3.0.0
➜  ~ systemctl enable fwknopd.service
➜  ~ systemctl start fwknopd.service

#FIREWALL_EXE

CLIENT

1
2
3
4
5
6
7
8
9
10
# PLAN1
fwknop --destination [SERVER_IP] --access tcp/22,udp/22 --server-port 9999 --key-base64-rijndael 0sZirx/3/68oIAmyT4OubNm2r/x4ZCyafcVX5YcVDU= --key-base64-hmac ahpupE+rQ9DnZYqt5RgCsp58ThOSeuosFtL+Co2bACGJqQvEIFaOocnE+ozXI2aG5Tc3ZCpq5z1YFpfpVlgoM== --source-ip $(curl -s cip.cc | grep IP | cut -d " " -f 2)

# Plan2
fwknop --destination [SERVER_IP] --access tcp/22,udp/22 --use-hmac --server-port 9999 --server-proto udp --key-gen --save-rc-stanza

cat ~/.fwknoprc | grep KEY
# COPY KEY TO SERVER
fwknop -n [SERVER_IP] --source-ip $(curl -s cip.cc | grep IP | cut -d " " -f 2)
# DOMAIN NAMES CANNOT BE USED

SERVER

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# COPY CLINET KEY TO ACCESS
cat /etc/fwknop/access.conf | grep KEY

# IF THE CLIENT DEFINES THE PORT NUMBER, THE SERVER MUST ALSO CHANGE IT
cat /etc/fwknop/fwknopd.conf | grep PCAP_FILTER
cat /etc/fwknop/fwknopd.conf | grep PCAP_INTF

# START FWKNOP SERVER
fwknopd

# CLOSE THE PORT STATUS UNTIL THE KNOCK ON THE DOOR SUCCEEDS
iptables --insert INPUT --protocol tcp --dport 22 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
iptables --insert INPUT 2 --protocol tcp --dport 22 --jump DROP

# RUN CLIENT AND CHECK PLAN [ 1 / 2 ]
iptables -L FWKNOP_INPUT -n
# Note that the iptables rules should not be overwritten, it is best to keep one hand
exit

MAIN

1
2
3
4
5
6
# RUN CLIENT AND CHECK PLAN [ 1 / 2 ]
# SERVER RUN
ssh [user]@[SERVER_IP]
iptables -L FWKNOP_INPUT -n
# YOU CAN SEE THAT YOUR IP IS ALLOWED TO ACCESS
# IF YOU CAN, YOU CAN MODIFY THE TIME, THE DEFAULT CONNECTION IS 30S

PREVIEW

1
2
3
4
➜  ~ ssh n1
ssh: connect to host nas.zygd.site port 25002: Operation timed out
➜  ~ fwknop --destination [SERVER_IP] --access tcp/22,udp/22 --server-port 9999 --key-base64-rijndael 0sZirx/3/68oIAmyT4OubNm2r/x4ZCyafcVX5YcVDU= --key-base64-hmac ahpupE+rQ9DnZYqt5RgCsp58ThOSeuosFtL+Co2bACGJqQvEIFaOocnE+ozXI2aG5Tc3ZCpq5z1YFpfpVlgoM== --source-ip $(curl -s cip.cc | grep IP | cut -d " " -f 2)
➜  ~ ssh n1

image-20220105190537400

XRSec has the right to modify and interpret this article. If you want to reprint or disseminate this article, you must ensure the integrity of this article, including all contents such as copyright notice. Without the permission of the author, the content of this article shall not be modified or increased or decreased arbitrarily, and it shall not be used for commercial purposes in any way