狗东西的防黑之路

yum/apt install openssh-server

ssh -p[serverPort] [user]@[serverIP]

ssh -C -T -N -L [localIP]:[localPort]:[remoteIP]:[remotePort] [SSHserverIP]:[SSHserverPort]
ssh -T -N -R [remoteIP]:[remotePort]:[localIP]:[localPort] [SSHserverIP]:[SSHserverPort]
ssh -C -T -N -D [localIP]:[localPort] [SSHserverIP]:[SSHserverPort]

#!/usr/bin/env sh
clear
ps_ssh_pid="$(ps -e | grep "0.0.0.0:9999" | grep -v "grep" | cut -d " " -f 1)"
ServerIP="bit"
ServerNatIP="10.0.4.8"
echo "#########################\n\nWorking on the WIZ tunnel\n"
if [ "$ps_ssh_pid" == "" ]; then
    ssh -C -T -N -L 0.0.0.0:9999:"$ServerNatIP":80 wiz@"$ServerIP" &
    echo "#########################\n"
else
    kill $ps_ssh_pid
    ssh -C -T -N -L 0.0.0.0:9999:"$ServerNatIP":80 wiz@"$ServerIP" &
    echo "#########################\n"
fi

➜  ~ cat /etc/ssh/sshd_config
...
Match User wiz
    AllowTcpForwarding yes
    PermitTunnel yes
    PermitOpen 10.0.4.6:80 10.0.4.6:33008 10.0.4.6:33099

➜  ~ chsh -s /sbin/nologin
➜  ~ cat /etc/passwd | grep wiz

➜  ~ cat /etc/ssh/sshd_config
...
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys

# dnf config-manager --set-enabled powertools && dnf install texinfo -y
yum install gcc gcc-c++ openssl libtool m4 automake libpcap-devel texinfo -y
git clone https://github.com/mrash/fwknop fwknop.git
cd fwknop.git
./autogen.sh
./configure --with-iptables=/usr/sbin/iptables --prefix=/usr --sysconfdir=/etc --localstatedir=/run
make
make install
➜  ~ fwknop --version
fwknop client 2.6.10, FKO protocol version 3.0.0
➜  ~ systemctl enable fwknopd.service
➜  ~ systemctl start fwknopd.service
#FIREWALL_EXE

# PLAN1
fwknop --destination [SERVER_IP] --access tcp/22,udp/22 --server-port 9999 --key-base64-rijndael 0sZirx/3/68oIAmyT4OubNm2r/x4ZCyafcVX5YcVDU= --key-base64-hmac ahpupE+rQ9DnZYqt5RgCsp58ThOSeuosFtL+Co2bACGJqQvEIFaOocnE+ozXI2aG5Tc3ZCpq5z1YFpfpVlgoM== --source-ip $(curl -s cip.cc | grep IP | cut -d " " -f 2)
# Plan2
fwknop --destination [SERVER_IP] --access tcp/22,udp/22 --use-hmac --server-port 9999 --server-proto udp --key-gen --save-rc-stanza
cat ~/.fwknoprc | grep KEY
# COPY KEY TO SERVER
fwknop -n [SERVER_IP] --source-ip $(curl -s cip.cc | grep IP | cut -d " " -f 2)
# DOMAIN NAMES CANNOT BE USED

# COPY CLINET KEY TO ACCESS
cat /etc/fwknop/access.conf | grep KEY
# IF THE CLIENT DEFINES THE PORT NUMBER, THE SERVER MUST ALSO CHANGE IT
cat /etc/fwknop/fwknopd.conf | grep PCAP_FILTER
cat /etc/fwknop/fwknopd.conf | grep PCAP_INTF
# START FWKNOP SERVER
fwknopd
# CLOSE THE PORT STATUS UNTIL THE KNOCK ON THE DOOR SUCCEEDS
iptables --insert INPUT --protocol tcp --dport 22 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
iptables --insert INPUT 2 --protocol tcp --dport 22 --jump DROP
# RUN CLIENT AND CHECK PLAN [ 1 / 2 ]
iptables -L FWKNOP_INPUT -n
# Note that the iptables rules should not be overwritten, it is best to keep one hand
exit

# RUN CLIENT AND CHECK PLAN [ 1 / 2 ]
# SERVER RUN
ssh [user]@[SERVER_IP]
iptables -L FWKNOP_INPUT -n
# YOU CAN SEE THAT YOUR IP IS ALLOWED TO ACCESS
# IF YOU CAN, YOU CAN MODIFY THE TIME, THE DEFAULT CONNECTION IS 30S

➜  ~ ssh n1
ssh: connect to host nas.zygd.site port 25002: Operation timed out
➜  ~ fwknop --destination [SERVER_IP] --access tcp/22,udp/22 --server-port 9999 --key-base64-rijndael 0sZirx/3/68oIAmyT4OubNm2r/x4ZCyafcVX5YcVDU= --key-base64-hmac ahpupE+rQ9DnZYqt5RgCsp58ThOSeuosFtL+Co2bACGJqQvEIFaOocnE+ozXI2aG5Tc3ZCpq5z1YFpfpVlgoM== --source-ip $(curl -s cip.cc | grep IP | cut -d " " -f 2)
➜  ~ ssh n1