Next-generation port knocking service based on TOTP.
c-lock
Next-generation port knocking service based on TOTP. Every time slot it generates a port sequence that must be knocked (in the right order) before the final port is opened (it was designed to protect the SSH service).
Yeah, I'm not very good with graphics...
Installation
System dependencies
This is the software I have used:
python 3.x
iptables >= v1.6
It has been tested on Ubuntu 16.04 and Debian 9, but it should work on any other system that has these installed.
Software dependencies
Since this is only an alpha version there is no automatic installer yet: it should not be integrated into the system before it has been debugged and improved.
Since some of the dependencies require python-cryptography, it must be installed before anything else: Building cryptography on linux
There are two options for installing the dependencies:
- Option A: Pipenv (recommended)
$ pip3 install pipenv
$ pipenv install -r requeriments.txt
- Option B: requeriments.txt
$ pip3 install -r requeriments.txt
Usage
Step 1 - Server setup
$ c-lockd --gen-secret
Step 2 - Set up the 2FA app
Step 3 (server) - Launch the server side
# For example, protecting the SSH port
$ c-lockd --secret NPAR2VWV5HX5BI4BIE6PKWUROWYHJE3CCGWZYVBT6AJ2H3DGFKZA -p 22
Step 3 (client) - Port knocking with the TOTP PIN
$ c-lock --address $SERVER_ADDRESS --pin 084678
Step 3 (client) - Port knocking with the secret
$ c-lock --address $SERVER_ADDRESS --secret NPAR2VWV5HX5BI4BIE6PKWUROWYHJE3CCGWZYVBT6AJ2H3DGFKZA
Step 4 - Connect to the protected service =)
$ ssh $USER@$SERVER_ADDRESS
Server
It must be launched as root (to manage the iptables rules):
usage: c-lockd [-h] [-ts SLOT] [-a ADDRESS] [-s SECRET] [-p PROTECTED_PORTS]
               [-o OPENED_PORTS] [--gen-secret] [--clean-firewall]
               [--log-level LOG_LEVEL]

Launch TOTP based port knocking protection

optional arguments:
  -h, --help            show this help message and exit
  -ts SLOT, --time-slot SLOT
                        Time slot for TOTP
  -a ADDRESS, --address ADDRESS
                        Address to protect
  -s SECRET, --secret SECRET
                        Secret part of TOTP
  -p PROTECTED_PORTS, --protected-ports PROTECTED_PORTS
                        Port which has to be protected
  -o OPENED_PORTS, --opened-ports OPENED_PORTS
                        Port which should be opened
  --gen-secret          Generate random secret
  --clean-firewall      Clean firewall configuration (e.g., after a bad close)
  --log-level LOG_LEVEL
                        Log level
Client
usage: c-lock [-h] [-ts SLOT] -a ADDRESS [-s SECRET] [-p PIN] [-n PORTS]

Launch TOTP based port knocking protection

optional arguments:
  -h, --help            show this help message and exit
  -ts SLOT, --time-slot SLOT
                        Time slot for TOTP
  -a ADDRESS, --address ADDRESS
                        Address to knock
  -s SECRET, --secret SECRET
                        Secret part of TOTP
  -p PIN, --pin PIN     TOTP pin
  -n PORTS, --ports PORTS
                        Number of ports configured
Examples
Client
In this example:
- The client scans the server's ports while c-lockd is not active
- While c-lockd is running on the server, only the opened ports can be scanned
- c-lock is used with the PIN
- The protected port is now visible to the client
Server
This is the server the client is pointed at:
- The secret used to generate the PINs is generated
- c-lockd is launched
- The server opens ports 80 and 5432 and closes port 22
- When the client uses the right port combination, the protected port is opened for 30 seconds
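The mechanism described above (a TOTP time slot that yields a port sequence, knocked in order, after which the protected port is opened for 30 seconds) as an added Python example, not code from the c-lock project. The TOTP part follows RFC 6238/4226 as a 2FA app would; the way ports are derived from the PIN (knock_sequence) and the per-source KnockTracker bookkeeping are assumptions of this example, not c-lock's actual algorithm, and the secret and client addresses are constructed values.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret (base32); not the page's secret, not a real server's.
SECRET_B32 = "JBSWY3DPEHPK3PXP"
TIME_SLOT = 30       # seconds per TOTP slot (c-lockd's -ts)
PORT_COUNT = 3       # knocks per sequence (c-lock's -n)
OPEN_SECONDS = 30    # how long the protected port stays open after a good sequence


def totp_counter(unix_time, slot=TIME_SLOT):
    """RFC 6238 time step: identical for every second inside one slot."""
    return int(unix_time) // slot


def hotp_digest(secret_b32, counter):
    """HMAC-SHA1 over the big-endian counter, keyed with the decoded base32 secret."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return hmac.new(base64.b32decode(padded), struct.pack(">Q", counter), hashlib.sha1).digest()


def totp_pin(secret_b32, unix_time, digits=6):
    """The code a 2FA app displays for this slot (RFC 4226 dynamic truncation)."""
    d = hotp_digest(secret_b32, totp_counter(unix_time))
    offset = d[-1] & 0x0F
    code = struct.unpack(">I", d[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def knock_sequence(pin, count=PORT_COUNT):
    """Hypothetical port derivation (an assumption of this example, not c-lock's):
    hash the PIN and map 2-byte chunks into the unprivileged range 1024..65535."""
    if not 1 <= count <= 16:
        raise ValueError("count must be 1..16 for a single SHA-256 output")
    stream = hashlib.sha256(pin.encode("ascii")).digest()
    return [1024 + ((stream[2 * i] << 8 | stream[2 * i + 1]) % 64512) for i in range(count)]


class KnockTracker:
    """Server-side bookkeeping: per-source progress through the current slot's
    sequence. A wrong port or a slot change resets progress, so a partial
    sequence never carries over."""

    def __init__(self, secret_b32, count=PORT_COUNT, slot=TIME_SLOT):
        self.secret, self.count, self.slot = secret_b32, count, slot
        self.progress = {}      # src -> (slot counter, index of the next expected port)
        self.opened_until = {}  # src -> unix time at which the protected port closes

    def knock(self, src, port, unix_time):
        """Record one knock; True only when this knock completed the sequence."""
        counter = totp_counter(unix_time, self.slot)
        seq = knock_sequence(totp_pin(self.secret, unix_time), self.count)
        prev_counter, idx = self.progress.get(src, (counter, 0))
        if prev_counter != counter:
            idx = 0                            # new slot, new sequence: start over
        if port != seq[idx]:
            self.progress[src] = (counter, 0)  # wrong port: silent reset, no hint
            return False
        idx += 1
        if idx < self.count:
            self.progress[src] = (counter, idx)
            return False
        self.progress.pop(src, None)
        self.opened_until[src] = unix_time + OPEN_SECONDS
        return True

    def is_open(self, src, unix_time):
        """Whether the protected port is currently open for this source."""
        return self.opened_until.get(src, 0) > unix_time


def simulate(start=1_699_999_980):
    """Walk two constructed clients through the flow and return what was observed."""
    tracker = KnockTracker(SECRET_B32)
    pin = totp_pin(SECRET_B32, start)          # what the 2FA app would show
    seq = knock_sequence(pin)
    # A client that only hits the final port never completes the sequence.
    premature = tracker.knock("192.0.2.11", seq[-1], start)
    # The legitimate client knocks in order, one per second, inside the same slot.
    client = "192.0.2.10"
    results = [tracker.knock(client, p, start + i) for i, p in enumerate(seq)]
    done = start + len(seq) - 1
    return {
        "pin": pin,
        "sequence": seq,
        "premature_opened": premature,
        "stranger_open": tracker.is_open("192.0.2.11", done),
        "opened_on_last_knock": results[-1],
        "open_right_after": tracker.is_open(client, done),
        "open_after_timeout": tracker.is_open(client, done + OPEN_SECONDS),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Two properties matter for a defender here: the tracker resets on any wrong or out-of-order knock and on a slot change, so a half-finished sequence is never credited in the next slot, and the opening is per source address with a fixed lifetime. Since a six-digit PIN only yields a million possible sequences per slot, the knock is a gate in front of the SSH daemon's own authentication, not a substitute for it.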
Contributing
For now, until I finish the first stable version, I want to keep control of the code. The best way to contribute to this project is to propose ideas and review the code. Any help is welcome.
For example, it is obvious that I need help with the documentation, images, design, logo... :blush:
Credits
- @ldx - python-iptables
- @jonschlinkert - markdown-toc
- @mnooner256 - pyqrcode
License
MIT License
Copyright (c) 2018 Javier Junquera Sánchez
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.