海运的博客

Centos服务器安全配置SSH使用Google Authenticator二次验证

发布时间:August 30, 2012 // 分类:网络安全 // 2 Comments

CentOS安装所需组件:

yum -y install mercurial pam-devel

安装Google Authenticator:

#https://www.haiyun.me
wget --no-check-certificate https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
tar jxvf libpam-google-authenticator-1.0-source.tar.bz2 
cd libpam-google-authenticator-1.0
make
make install

SSH登录时调用google-authenticator模块,编辑:

/etc/pam.d/sshd

第一行添加:

auth       required     pam_google_authenticator.so

修改SSH配置文件:

vim /etc/ssh/sshd_config

添加或修改以下内容:

ChallengeResponseAuthentication yes
UsePAM yes

重启SSH:

/etc/init.d/sshd restart

生成google-authenticator配置,运行:

google-authenticator 
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@node1.www.haiyun.me%3Fsecret%3DABEXG5K6CVB56BXY
#此网址为生成的二维码,客户端扫描
Your new secret key is: www.haiyun.me
Your verification code is 582849
Your emergency scratch codes are:
  30776626
  14200155
  80795568
  23936997
  21919909
#上面几行数字为应急码
Do you want me to update your "/root/.google_authenticator" file (y/n) y
#更新配置文件
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
#禁止一个口令多用
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
#客户端与服务器时间误差
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
#次数限制

Android安装google-authenticator客户端,扫描添加上方网址的二维码,以后在登录服务器时输入账号密码的同时还需输入google-authenticator即时生成的验证码才能登录。

ssh www.haiyun.me
Verification code: 
Password: 

Centos5.8安装使用多功能网络工具hping3

发布时间:August 9, 2012 // 分类:网络工具 // No Comments

Hping3可以自定义发送多种类型的数据包,可以用来测试网络及服务器的安全。
Centos下安装:

yum install libpcap-devel tc-devel
ln -s /usr/include/pcap-bpf.h /usr/include/net/bpf.h
wget http://www.hping.org/hping3-20051105.tar.gz
tar zxvf hping3-20051105.tar.gz 
cd hping3-20051105
./configure 
make 
make install

使用参数:

usage: hping host [options]
  -c  --count     包数量
  -i  --interval  包间隔,默认单位秒
      --fast      u10000,每秒10个,u单位微秒
      --faster    u1000,每秒100个
      --flood      疯狂模式,尽最大能力发包,不显示回应。
  -n  --numeric   不进行域名解析
  -q  --quiet     安静模式,不输出详细信息
  -I  --interface 指定网卡界面,默认为路由网卡
  -V  --verbose   输出详细信息
Mode
  default mode     TCP
  -0  --rawip      RAW IP mode
  -1  --icmp       ICMP mode
  -2  --udp        UDP mode
  -8  --scan       SCAN mode.
  -9  --listen     listen mode
IP
  -a  --spoof      源地址欺骗
  --rand-dest      随机目标地址
  --rand-source    随机源地址
  -t  --ttl        TTL数值,默认64
  -N  --id         设定ID,默认随机
ICMP
  -C  --icmptype   ICMP类型,默认请求
  -K  --icmpcode   ICMP代码,如0请求,8回显请求
      --force-icmp 强制ICMP
      --icmp-gw    ICMP重定向
UDP/TCP
  -s  --baseport   源端口,默认随机
  -p  --destport   目标端口,默认0
  -k  --keep       保持源端口
  -M  --setseq     set TCP sequence number
  -L  --setack     set TCP ack
  -F  --fin        set FIN flag
  -S  --syn        set SYN flag
  -R  --rst        set RST flag
  -P  --push       set PUSH flag
  -A  --ack        set ACK flag
  -U  --urg        set URG flag
Common
  -d  --data       数据大小,默认0
  -E  --file       从文件中发送

应用示例:
端口扫描:

hping3 --scan 1-100 -S 192.168.1.1 
Scanning 192.168.1.1 (192.168.1.1), port 1-100
100 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
   21 ftp        : .S..A...  64     0  5840    46
   22 ssh        : .S..A...  64     0  5840    46
   53 domain     : .S..A...  64     0  5840    46
   80 www        : .S..A...  64     0  5840    46
All replies received. Done.

SYN Flooding

hping -S -i u1000 192.168.1.1 -a 8.8.8.8

ICMP Flooding

hping -1 -i u1000 192.168.1.1 -a 8.8.8.8

Linux下用arptables防arp攻击

发布时间:August 6, 2012 // 分类:Iptables // No Comments

Linux下网络层防火墙iptables很强大,链路层也有类似的防火墙arptables,可针对arp地址进行限制,防止ARP网关欺骗攻击,再配合静态绑定MAC向网关报告正确的本机MAC地址,有效解决ARP攻击问题。
Centos5安装:

#https://www.haiyun.me
wget http://superb-sea2.dl.sourceforge.net/project/ebtables/arptables/arptables-v0.0.3/arptables-v0.0.3-4.tar.gz
tar zxvf arptables-v0.0.3-4.tar.gz 
cd arptables-v0.0.3-4
make
make install

arptables规则设置:

arptables -F
arptables -P INPUT ACCEPT
#默认策略
arptables -A INPUT --src-ip 192.168.1.1 --src-mac 7A:31:14:42:10:01 -j ACCEPT
#允许本网段特定MAC可进入,且IP与MAC相符
arptables -A INPUT --src-mac ! 74:8E:F8:53:DC:C0 -j DROP
#拒绝非网关MAC
arptables -A INPUT --src-ip ! 192.168.1.1 -j DROP
#拒绝非网关IP

保存规则并开机加载:

iptables-save > /etc/sysconfig/arptables
/etc/init.d/arptables save
chkconfig arptables on

规则保存后重新加载会出错,去除以下文件内-o any字段。

/etc/sysconfig/arptables 

用knockd远程管理iptables防火墙SSH端口

发布时间:June 28, 2012 // 分类:网络安全 // No Comments

之前有介绍Iptables模块recent通过暗语来开启SSH端口,knockd也可实现此功能。
knockd监听3个自定义端口,如果收到客户端请求符合要求即执行设置的指令,让iptables开启SSH端口允许客户IP连接。
安装所需组件,不然编译会提示错误。

yum install libpcap-devel

knockd源码编译安装:

wget http://www.zeroflux.org/proj/knock/files/knock-0.5.tar.gz
tar zxvf knock-0.5.tar.gz 
cd knock-0.5
./configure 
make
make install

下载knock rpm包安装:

wget http://pkgs.repoforge.org/knock/knock-0.5-1.el5.rf.i386.rpm
rpm -ivh knock-0.5-1.el5.rf.i386.rpm 

knockd配置:

cat /etc/knockd.conf
  [options]
        logfile = /var/log/knockd.log #日志记录目录
        interface = eth0  #监听网卡

  [opencloseSSH]
        sequence      = 6000:udp,5000:tcp,4000:udp #knock侦听端口协议
        seq_timeout   = 15 #单位时间内连续触发上面的端口规则
        tcpflags      = syn #封包标志,syn/ack/fin
        start_command = iptables -I INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
        #如果触发规则执行的iptables操作
        cmd_timeout   = 10 #规则触发后未连接超时时间        
        stop_command  = iptables -D INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
        #如超时未连接或断开连接执行iptalbes操作

knock init启动管理脚本:

#!/bin/sh
# chkconfig: - 99 00
# description: Start and stop knockd

# Check that config file exist
[ -f /etc/knockd.conf ] || exit 0

# Source function library
. /etc/rc.d/init.d/functions

# Source networking configuration
. /etc/sysconfig/network

# Check that networking is up
[ "$NETWORKING" = "no" ] && exit 0

start() {
  echo "Starting knockd ..."
  /usr/local/sbin/knockd -d
  }

stop() {
  echo "Shutting down knockd ..."
  pkill knockd
  }

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    ;;
esac

exit 0

客户端连接SSH需先使用telnet依次连接knock设定端口,或使用knock客户端连接。

knock -v www.haiyun.me 6000:udp 5000:tcp 4000:udp

查看knock日志:

cat /var/log/knockd.log 
[2012-08-31 10:41] 192.168.1.16: opencloseSSH: Stage 1
[2012-08-31 10:41] 192.168.1.16: opencloseSSH: Stage 2
[2012-08-31 10:41] 192.168.1.16: opencloseSSH: Stage 3
[2012-08-31 10:41] 192.168.1.16: opencloseSSH: OPEN SESAME
[2012-08-31 10:41] opencloseSSH: running command: iptables -I INPUT -s 192.168.1.16 -p tcp --syn --dport 22 -j ACCEPT

[2012-08-31 10:41] 192.168.1.16: opencloseSSH: command timeout
[2012-08-31 10:41] opencloseSSH: running command: iptables -D INPUT -s 192.168.1.16 -p tcp --syn --dport 22 -j ACCEPT

备注:如果网络较差,且同时使用tcp和udp进行验证可能会导致数据包到达顺序不一致或某个包丢失导致验证失败。

Linux/Centos服务器安装portsentry防恶意端口扫描

发布时间:June 28, 2012 // 分类:网络安全 // No Comments

端口做为服务器的大门安全很重要,当服务器运行很多服务时并向外提供服务,为防止有人恶意侦测服务器用途,可使用portsentry来迷惑对方。
portsentry可设定侦听指定的TCP/UDP端口,当遇到扫描时会回应端口开放,并记录扫描者信息可做相应处理:防火墙阻止、路由定向、执行自定义脚本。
portsentry安装之rpm:

rpm -ivh http://flexbox.sourceforge.net/centos/5/x86_64/portsentry-1.2-1.el5.x86_64.rpm

portsentry编译安装:

wget http://sourceforge.net/projects/sentrytools/files/portsentry%201.x/portsentry-1.2/portsentry-1.2.tar.gz
cd portsentry_beta/
#编辑portsentry.c修改以下为一行
#printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot sourceforget dot net>\n"); 
make linux
make install

portsentry配置文件:

cat /usr/local/psionic/portsentry/portsentry.conf
#TCP和UDP模式监听的端口,可自定义
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
#忽略IP
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
#所有拒绝IP记录
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
#启动后拒绝IP记录
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"
#对扫描IP的操作,0为无动作,1防火墙阻止,2执行脚本
BLOCK_UDP="0"
BLOCK_TCP="0"
#路由数据包
KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
#Iptables阻止
KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"
#TCP wrappers阻止
KILL_HOSTS_DENY="ALL: $TARGET$"
#执行脚本
KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"

portsentry启动模式:

/usr/local/psionic/portsentry/portsentry -tcp 
#TCP基本端口绑定,以配置文件端口为准
/usr/local/psionic/portsentry/portsentry -udp
#UDP基本端口绑定,以配置文件端口为准
/usr/local/psionic/portsentry/portsentry -stcp
#TCP私密检测,只记录不回应端口开放
/usr/local/psionic/portsentry/portsentry -sudp
#UDP私密检测,只记录不回应端口开放
/usr/local/psionic/portsentry/portsentry -atcp
#UDP高级秘密检测,自动选择监听端口
/usr/local/psionic/portsentry/portsentry -audp 
#UDP高级秘密检测,自动选择监听端口

以基本TCP检测模式启动,用nmap扫描测试:

[root@xenserver5 ~]# nmap -sS  www.haiyun.me
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-06-11 22:35 CST
Interesting ports on typecho.domain.com (192.168.1.2):
Not shown: 1654 closed ports
PORT      STATE SERVICE
1/tcp     open  tcpmux
11/tcp    open  systat
15/tcp    open  netstat
22/tcp    open  ssh
79/tcp    open  finger
80/tcp    open  http
111/tcp   open  rpcbind
119/tcp   open  nntp
143/tcp   open  imap
443/tcp   open  https
540/tcp   open  uucp
635/tcp   open  unknown
1080/tcp  open  socks
1524/tcp  open  ingreslock
2000/tcp  open  callbook
3306/tcp  open  mysql
6667/tcp  open  irc
12345/tcp open  NetBus
12346/tcp open  NetBus
27665/tcp open  Trinoo_Master
31337/tcp open  Elite
32771/tcp open  sometimes-rpc5
32772/tcp open  sometimes-rpc7
32773/tcp open  sometimes-rpc9
32774/tcp open  sometimes-rpc11
54320/tcp open  bo2k

查看防火墙阻止记录:

cat /etc/hosts.deny 
ALL: 192.168.1.6
分类
最新文章
最近回复
  • opnfense: 谢谢博主!!!解决问题了!!!我之前一直以为内置的odhcp6就是唯一管理ipv6的方式
  • liyk: 这个方法获取的IPv6大概20分钟之后就会失效,默认路由先消失,然后Global IPV6再消失
  • 海运: 不好意思,没有。
  • zongboa: 您好,請問一下有immortalwrt設定guest Wi-Fi的GUI教學嗎?感謝您。
  • 海运: 恩山有很多。
  • swsend: 大佬可以分享一下固件吗,谢谢。
  • Jimmy: 方法一 nghtp3步骤需要改成如下才能编译成功: git clone https://git...
  • 海运: 地址格式和udpxy一样,udpxy和msd_lite能用这个就能用。
  • 1: 怎么用 编译后的程序在家里路由器内任意一台设备上运行就可以吗?比如笔记本电脑 m参数是笔记本的...
  • 孤狼: ups_status_set: seems that UPS [BK650M2-CH] is ...