Installation and usage test of fwknop compiled from source code (new)

1. Install fwknop server

This tutorial compiles and installs fwknop from the GitHub source; you can also install it directly with apt (not covered on this page).

Download the source archive from GitHub:

https://github.com/mrash/fwknop

Extract it and change into the extracted directory.

First make sure the following packages are installed:

sudo apt-get install libtool

sudo apt-get install automake

sudo apt-get install libpcap-dev

sudo apt-get install texinfo

sudo apt-get install make

2. Install fwknop server

  1. Run ./autogen.sh

  2. Run ./configure

On success, the configure summary is displayed. If it is not, check that the dependencies above were installed correctly.

3. Compile and install

Compile:

sudo make

Install:

sudo make install

To uninstall later:

sudo make uninstall

After installation, run which fwknop to see where the binary was installed.

Run sudo ldconfig to refresh the shared library cache.

Run sudo fwknop -V to check the version.

If the version is printed correctly, the installation succeeded.

4. Configuration

1) Generate the keys on the client

 $ fwknop -A tcp/22 -a 192.168.163.1 -D 192.168.163.129 -p 62201 -P udp --key-gen --use-hmac --save-rc-stanza

-a is the client IP, -D is the server IP, -p is the port on which the server listens for SPA packets, and -P is the protocol used to send the SPA packet, usually UDP.

On success, the following is printed: [ + ] Wrote Rijndael and HMAC keys to rc file: (omitted)

The rc file is written under the user's home directory, here /root.

The file contains the following:

[192.168.163.129]
SPA_SERVER_PROTO udp
SPA_SERVER_PORT 62201
ALLOW_IP 192.168.163.1
ACCESS tcp/22
SPA_SERVER 192.168.163.129
KEY_BASE64 gqkSa8ghIDlAfv3FDEAdyyMfC6Q+j9RI+BhodFdifok=
HMAC_KEY_BASE64 IPsM8dg8JLaYvRS3UVEoNiuQ9nBu7FB86tOmQyF7HF0+7cT33pxUHAX5zGcYidP5T03zJLR3ejjrJgR1PezLvA==
USE_HMAC Y

2) Server configuration settings

Edit /usr/local/etc/fwknop/access.conf (sudo vim /usr/local/etc/fwknop/access.conf) and set the contents as follows:

OPEN_PORTS tcp/22
FW_ACCESS_TIMEOUT 20
SOURCE ANY
#KEY_BASE64 __CHANGEME__
#HMAC_KEY_BASE64 __CHANGEME__
KEY_BASE64 gqkSa8ghIDlAfv3FDEAdyyMfC6Q+j9RI+BhodFdifok=
HMAC_KEY_BASE64 IPsM8dg8JLaYvRS3UVEoNiuQ9nBu7FB86tOmQyF7HF0+7cT33pxUHAX5zGcYidP5T03zJLR3ejjrJgR1PezLvA==

Check the key names and values carefully; they must match the client's rc file exactly.
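To avoid copying the keys by hand (and the spelling and spacing mistakes the note above warns about), the following shell script, added here and not part of the original post or of fwknop itself, reads KEY_BASE64 and HMAC_KEY_BASE64 from the client's rc stanza and prints the matching access.conf lines. It assumes the keys were produced by --key-gen as on this page (32-byte Rijndael key, 64-byte HMAC key); rc_get, b64_len_ok and gen_access_conf are hypothetical helper names.

```shell
#!/bin/sh
# Build server-side access.conf lines from a client rc stanza.
# Hypothetical helpers; not part of fwknop.

# Print the value of KEY inside [STANZA] of an rc FILE (first match only).
rc_get() {  # rc_get FILE STANZA KEY
    awk -v s="[$2]" -v k="$3" '
        $0 == s         { in_s = 1; next }
        /^\[/           { in_s = 0 }
        in_s && $1 == k { print $2; exit }
    ' "$1"
}

# Succeed only if base64 STRING decodes to exactly EXPECTED bytes.
b64_len_ok() {  # b64_len_ok STRING EXPECTED
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "${n:-0}" -eq "$2" ]
}

# Emit access.conf lines for STANZA, mirroring the server config on this page.
# Assumes --key-gen defaults: 32-byte Rijndael key, 64-byte HMAC key.
gen_access_conf() {  # gen_access_conf RCFILE STANZA [OPEN_PORTS] [TIMEOUT]
    rc=$1; stanza=$2; ports=${3:-tcp/22}; timeout=${4:-20}
    key=$(rc_get "$rc" "$stanza" KEY_BASE64)
    hmac=$(rc_get "$rc" "$stanza" HMAC_KEY_BASE64)
    if [ -z "$key" ] || [ -z "$hmac" ]; then
        echo "stanza [$stanza] in $rc lacks KEY_BASE64 or HMAC_KEY_BASE64" >&2
        return 1
    fi
    b64_len_ok "$key" 32  || { echo "KEY_BASE64 does not decode to 32 bytes" >&2; return 1; }
    b64_len_ok "$hmac" 64 || { echo "HMAC_KEY_BASE64 does not decode to 64 bytes" >&2; return 1; }
    printf 'OPEN_PORTS %s\nFW_ACCESS_TIMEOUT %s\nSOURCE ANY\nKEY_BASE64 %s\nHMAC_KEY_BASE64 %s\n' \
        "$ports" "$timeout" "$key" "$hmac"
}

# Example use (RCFILE is a placeholder for the rc file --key-gen wrote):
#   gen_access_conf "$HOME/RCFILE" 192.168.163.129 tcp/22 20 \
#     | sudo tee -a /usr/local/etc/fwknop/access.conf
```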

Edit /usr/local/etc/fwknop/fwknopd.conf (sudo vim /usr/local/etc/fwknop/fwknopd.conf)

Add the following line:

PCAP_INTF ens33;

ens33 is the network interface name, as shown by ifconfig:

[jelly@localhost ~]$ ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.163.129 netmask 255.255.255.0 broadcast 192.168.163.255
        inet6 fe80::37c8:6a00:e56c:9bf5 prefixlen 64 scopeid 0x20<link>
        ether 00:0c:29:66:79:23 txqueuelen 1000 (Ethernet)
        RX packets 1336 bytes 112165 (109.5 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 1197 bytes 208285 (203.4 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
        device interrupt 19 base 0x2000

3) Start and stop fwknop on the server side

[jelly@localhost ~]$ sudo fwknopd start //Start fwknop

[*] An instance of fwknopd is already running: (PID=4196).

[jelly@localhost ~]$


[jelly@localhost ~]$ sudo fwknopd -S //View fwknop status

Detected fwknopd is running (pid=4196).

[jelly@localhost ~]$

[jelly@localhost ~]$ sudo kill 4196

4) Enable the firewall on the server and block port 22

Before doing this, check that the ssh service is available:

sudo ps -e | grep ssh

If nothing is printed, install ssh with:

sudo apt-get install openssh-server

Check again:

sudo ps -e | grep ssh

If sshd appears, the ssh service is running. If not, start it with:

sudo service ssh start

Next, set up the firewall rules. Both rules are inserted at position 1, so the ESTABLISHED,RELATED ACCEPT rule added second ends up ahead of the DROP rule and existing connections keep working:

[jelly@localhost ~]$ sudo iptables -I INPUT 1 -i ens33 -p tcp --dport 22 -j DROP
[jelly@localhost ~]$ sudo iptables -I INPUT 1 -i ens33 -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Note

  • Ubuntu 22.04 uses nftables as the default firewall backend instead of iptables.

Fix

sudo update-alternatives --set iptables /usr/sbin/iptables-legacy

5) Send the knock from the client (the argument is the server IP)

 fwknop -n 192.168.163.129

6) Check the firewall rule status

sudo fwknopd --fw-list

If the following appears, the knock succeeded:

Chain FWKNOP_INPUT (1 references)
num  target  prot opt source           destination
1    ACCEPT  tcp  --  192.168.224.128  0.0.0.0/0
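As an added example (not from the original post or from fwknop), the following helpers parse the --fw-list output shown above so that a script can confirm that the expected client, and only the expected client, currently holds an ACCEPT rule in FWKNOP_INPUT. It assumes the column layout shown on this page (num, target, prot, opt, source, destination); the function names are hypothetical.

```shell
#!/bin/sh
# Audit the FWKNOP_INPUT listing printed by `sudo fwknopd --fw-list`.
# Hypothetical helpers, not part of fwknop; assumes the column layout shown
# on this page: num target prot opt source destination.

# Print the source address of every numbered ACCEPT rule; listing on stdin.
fwknop_open_sources() {
    awk '$1 ~ /^[0-9]+$/ && $2 == "ACCEPT" { print $5 }'
}

# Succeed if SRC currently holds an ACCEPT rule; listing on stdin.
fwknop_has_access() {  # fwknop_has_access SRC
    fwknop_open_sources | grep -qxF "$1"
}

# Print every source that holds access but is not in the expected list;
# listing on stdin, expected addresses as arguments.
fwknop_unexpected_sources() {  # fwknop_unexpected_sources EXPECTED...
    fwknop_open_sources | while read -r src; do
        for exp in "$@"; do
            if [ "$src" = "$exp" ]; then continue 2; fi
        done
        echo "$src"
    done
}

# Return 0 if only expected sources hold access, 1 otherwise; listing in FILE.
fwknop_audit() {  # fwknop_audit FILE EXPECTED...
    f=$1; shift
    bad=$(fwknop_unexpected_sources "$@" < "$f")
    [ -z "$bad" ] || { printf 'unexpected SPA access from: %s\n' "$bad" >&2; return 1; }
}

# Example use on a live server:
#   sudo fwknopd --fw-list > /tmp/fwlist && fwknop_audit /tmp/fwlist 192.168.224.128
```

Running fwknop_audit periodically (for example from cron) flags any source that gained access without being one of the expected clients.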

The client scans the server with nmap, and the result is:

PORT   STATE SERVICE
22/tcp open  ssh

SPA verification complete!

Monitoring the packets received by the server with tcpdump shows that, when fwknop knocks, the client sends one authentication packet to UDP port 62201 on the server. The port and protocol used for this packet can be changed with the --server-port parameter.

I didn’t find out how to modify the default parameter --server-port, but you can specify the port every time you knock on the door. The operation command is as follows

fwknop -n 192.168.224.130:12345

The port number must be between 10000 and 65535. You may also need to change the PCAP_FILTER field in the server's /etc/fwknop/fwknopd.conf to match:

PCAP_FILTER udp port 62201;

This article draws on the CSDN blog posts "fwknop SPA server source code compilation / fwknop source code analysis" (angry little yellow duck's blog) and "fwknop installation and use test" (Jelly-clownfish blog).
