Fwknop ubuntu Docker 实验
目录
- 前言
- 1. 实验准备
- 2. fwknop客户端的dockerfile
- 3. fwknop服务器的dockerfile
- 4. 启动容器实验
-
- 4.1 Docker-Compose文件
- 4.2 启动客户端和服务器
- 总结
前言
零信任安全架构(Zero Trust Architecture)的理念是“基于身份计算信任、基于信任控制访问、持续评估信任、无时限控制访问”。其中控制访问的关键技术是软件定义边界(software defined perimeter,缩写SDP)实现被访问资源的隐身,从将网络安全工作的思路从被动转变为主动,大大改观处处漏洞处处封堵的困难局面。
SDP是国际云安全联盟(CSA)推出的一套网络访问控制协议,通过可软件定义边界技术,从而提供按需、动态配置的安全隔离的可信任网络,实现与不安全网络隔离,达到避免网络攻击的目的。
为实现软件定义边界,网络访问主体通过请求SDP控制器访问客体,SDP控制器根据安全策略来控制SDP网关是否允许主体访问客体,因此传统网络边界的不再是访问控制的关键要素。SDP中主体、控制器、网关的通信启动采用的是单包授权技术(SPA)。
目前Fwknop是最为火热的SPA开源工具,网络上和CSDN博客有很多资料。本文就是基于网络资料,用比较方便的Docker技术安装相关客户端和服务器,进行Fwknop的实验。
1. 实验准备
1)Windows 10 安装 Docker环境,DockerForwin。对Docker操作比较熟悉。
2)172.16.18.2:fwknop 服务器,Ubuntu,安装iptables,ssh
3)172.16.18.3:fwknop 客户端
2. fwknop客户端的dockerfile
1)ADD命令将源改为清华大学的安装源。
2)安装相关的工具(iptables、nmap、openssh-server等)、fwknop-client
3)生成客户端密钥
FROM ubuntu:20.04
ADD sources.list /etc/apt/
RUN apt-get update -y && \
apt-get upgrade -y
RUN apt-get install -y wget iptables net-tools vim nmap openssh-server fwknop-client
RUN mkdir -p /var/run/sshd && \
fwknop -A tcp/22 -a 172.16.18.3 -D 172.16.18.2 --key-gen --use-hmac --save-rc-stanza
CMD ["/usr/sbin/sshd", "-D"]
用如下命令生成客户端镜像
docker build -f clientdockerfile -t fwknop:client .
启动客户端,用“grep KEY /root/.fwknoprc”可以查看KEY,以便写入服务器的dockerfile中,大大简化了在容器运行时生成后在修改服务器配置的麻烦。
root@fwknop_c1:/# grep KEY /root/.fwknoprc
KEY_BASE64 aVlsPWjAcaE9kz7em5mmygrk3aMu8EmPK7bcnPr9Ux8=
HMAC_KEY_BASE64 CB+A6iITsHEnH9xbwlry04btAhq1i8Yq/A+HoIVI0PBB+BTH9PwQQpFHdEOUzaBB12gB9DrZtfc5uDf8XbDBrQ==
3. fwknop服务器的dockerfile
1)ADD命令将源改为清华大学的安装源。
2)安装相关的工具(iptables、nmap、openssh-server等)、fwknop-server
3)服务器密码重置为123456
4)修改ssh的配置文件
5)修改fwknop-server配置文件,将fwknop客户端生成的密钥写入access.conf
FROM ubuntu:20.04
ADD sources.list /etc/apt/
RUN apt-get update -y && \
apt-get upgrade -y
RUN apt-get install -y wget iptables net-tools vim nmap openssh-server fwknop-server
RUN mkdir -p /var/run/sshd && echo root:123456 | chpasswd && \
sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config && \
sed -i 's/#PCAP_INTF eth0/PCAP_INTF eth0/' /etc/fwknop/fwknopd.conf && \
sed -i 's/# REQUIRE_SOURCE_ADDRESS /REQUIRE_SOURCE_ADDRESS Y/' /etc/fwknop/access.conf && \
sed -i 's/KEY_BASE64 __CHANGEME__/KEY_BASE64 aVlsPWjAcaE9kz7em5mmygrk3aMu8EmPK7bcnPr9Ux8=/' /etc/fwknop/access.conf && \
sed -i 's/HMAC_KEY_BASE64 __CHANGEME__/HMAC_KEY_BASE64 CB+A6iITsHEnH9xbwlry04btAhq1i8Yq\/A+HoIVI0PBB+BTH9PwQQpFHdEOUzaBB12gB9DrZtfc5uDf8XbDBrQ==/' /etc/fwknop/access.conf
CMD ["/usr/sbin/sshd", "-D"]
用如下命令生成服务器镜像
docker build -f serverdockerfile -t fwknop:server .
4. 启动容器实验
4.1 Docker-Compose文件
通过docker-compose.yml文件来启动客户端和服务器镜像。
version: '3'
services:
fw_sever:
image: fwknop:server
container_name: fw_sever
hostname: fwknop_server
privileged: true
networks:
fw_net:
ipv4_address: 172.16.18.2
fw_client1:
image: fwknop:client
container_name: fw_c1
hostname: fwknop_c1
privileged: true
networks:
fw_net:
ipv4_address: 172.16.18.3
networks:
fw_net:
ipam:
driver: default
config:
- subnet: "172.16.18.0/24"
4.2 启动客户端和服务器
- 命令行进入dockercompose.yml所在路径(我用得是Gitbash),运行docker-compose up -d,如下:
$ docker-compose up -d
Creating network "fwknop_fw_net" with the default driver
Creating fw_c1 ... done
Creating fw_sever ... done
- 连接服务器容器,查看进程,配置iptables规则,并启动fwknop,如下:
root@fwknop_server:/# ps -e
PID TTY TIME CMD
1 ? 00:00:00 sshd
6 pts/0 00:00:00 bash
14 pts/0 00:00:00 ps
root@fwknop_server:/# iptables -I INPUT 1 -i eth0 -p tcp --dport 22 -j DROP
root@fwknop_server:/# iptables -I INPUT 1 -i eth0 -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
root@fwknop_server:/# fwknopd
root@fwknop_server:/# fwknopd -S
Detected fwknopd is running (pid=18).
root@fwknop_server:/# fwknopd --fw-list-all
Listing all iptables rules in applicable tables...
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 FWKNOP_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate RELATED,ESTABLISHED
3 0 0 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain FWKNOP_INPUT (1 references)
num pkts bytes target prot opt in out source destination
- 连接客户端容器,端口扫描,单包认证后ssh,再端口扫描,可以看出22端口ssh服务从filtered状态变为open状态。
root@fwknop_c1:/# nmap 172.16.18.2
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-06 00:41 UTC
Nmap scan report for fw_sever.fwknop_fw_net (172.16.18.2)
Host is up (0.000025s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
root@fwknop_c1:/# fwknop -n 172.16.18.2
root@fwknop_c1:/# nmap 172.16.18.2
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-06 00:42 UTC
Nmap scan report for fw_sever.fwknop_fw_net (172.16.18.2)
Host is up (0.000017s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
- 在客户端ssh登录服务器,可以看出成功登录到服务器。
root@fwknop_c1:/# fwknop -n 172.16.18.2
root@fwknop_c1:/# ssh [email protected]
The authenticity of host '172.16.18.2 (172.16.18.2)' can't be established.
ECDSA key fingerprint is SHA256:IGpxKlgpruL6uoY8JczqREi8cBid9IvREG5Mk9hyn1w.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.16.18.2' (ECDSA) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.39-linuxkit x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
root@fwknop_server:~#
总结
整个实验过程主要是准备镜像的相关工具,没有什么坑。我自己则是在拷贝KEY到服务器access.conf时因为粗心导致fwknopd启动不了,通过运行fwknopd -f发现KEY有问题从而解决。
fwknop其实是网络攻防工程师经常使用的一个工具,使用比较成熟。只不过我是从零信任才接触到。目前Waverley开源了SDP控制器,不知道如何与fwknop配合使用?如何将fwknop真正应用到SDP方案中还有好多的工作。
欢迎交流!
文件和资源下载地址:csdn下载