发布时间: 2014-12-25 00:24:00
refer to: http://blog.linjunhalida.com/blog/obfuscated-openssh/ and https://github.com/brl/obfuscated-openssh
(世界很小,圈子很大。搜索到这位朋友的BLOG, 又继续翻看了下,发现居然跟我也有交集 ^_^ )
安装过程:
直接根据 Halida的 这个安装脚本来吧:
3.1 登陆到服务器上之后, $ wget --no-check-certificate https://github.com/halida/install_script/raw/master/obsh_server.sh
3.2 $ chmod +x obsh_server.sh
3.3 $ ./obsh_server.sh
3.4 $ vim /etc/init.d/obsshd ,(基本都不用动)把 SSH_HOME, 变量设置好, 以及 sshd的路径,例如:
# /etc/init.d/obssd 的内容:
#!/bin/bash
# obfuscated ssh service script by halida
# USAGE: start|stop
#
export SSH_HOME=/opt/obfuscated-openssh
case "$1" in
start)
echo "Starting obfuscated ssh."
$SSH_HOME/sbin/sshd -f $SSH_HOME/sshd_config
;;
stop)
echo "Stopping obfuscated ssh."
PID=`ps aux|grep $SSH_HOME/sshd | grep -v grep | awk ' { print ( $(2) ) }'`
kill $PID
;;
*)
echo "obfuscated ssh service"
echo "Usage: $0 {start|stop}"
exit 1
esac
exit 0
记得:默认是安装到 /opt/obfuscated-openssh ,直接查看 <obssh_folder>/sshd_config 这个文件,修改其中的 "Port" 就可以。 前面的几个参数不用修改:
#sshd_config 文件的内容: ObfuscatedPort 22333 # 修改这一项就可以。 ObfuscateKeyword today_is_sunday Port 2201 # 这里不用动 Protocol 2 HostKey /opt/obfuscated-openssh/ssh_host_rsa_key RSAAuthentication yes PubkeyAuthentication yes Subsystem sftp /usr/libexec/sftp-server
启动的方式: /etc/init.d/obssh start|stop
4. 客户端:
$ sudo apt-get update && sudo apt-get build-dep -y openssh (ubuntu14.04 出错安装不了就算了)
$ git clone git://github.com/brl/obfuscated-openssh.git
$ cd obfuscated-openssh && ./configure --prefix=/opt/obssh && make && sudo make install
$ sudo mv /usr/bin/ssh /usr/bin/raw_ssh # 原来的 ssh 命令变成 raw_ssh
$ sudo ln -s /workspace/obssh/bin/ssh /usr/bin/ssh # 新的ssh 命令还叫ssh
用法: 对于已经加密的远程服务器, $ /workspace/obssh/bin/ssh -zZ <remote_server_secret> -p <remote_port> root@<remote_ip>
记得,务必使用 -zZ 两个选项,否则你会连不上。 如果只用 -Z 而不用 -z 的话,你的handshake过程就不是加密的。
p.s. 附:
加密式握手是为了加强 SSH 过程的保密性,避免被某些 外部系统(GFW)通过检查数据交换中的 static sinatures 来识别。 Handshake obfuscation strengthens the initial SSH handshake against systems
that identify or classify various network protocols by examining data in
transit for static signatures. Such automatic classification of traffic is
often used to provide different levels of network service for each protocol
and sometimes used to implement policies which prohibit certain uses of a
network.
当一个SSH 连接在初始化时,需要交换 几个 数据包,这样才能进行下一步的加密配置。因为此时加密尚未开始,所以这几个数据包是明文的,因此很容易被识别。When an SSH connection is initiated, the client and server exchange several
packets to configure the cryptographic parameters for the session. Since
the encryption algorithms and keys have not yet been determined, this exchange
of messages is not encrypted and is vulnerable to analysis which can conclusively
identify the connection as SSH protocol traffic no matter what port the server
is listening on. For most users this is of no concern, because merely being
able to identify a connection as an SSH session does not introduce any security
vulnerabilities in the protocol itself.
但是总有些用户希望他们的SSH不应该被识别到。 所以 handshake obfuscation就这样出现了。它能加密整个 握手过程。 Some users may have special security needs where they would prefer not to
disclose that they are using the SSH protocol to somebody who may be monitoring
the network. Handshake obfuscation prevents automatic identification of SSH
protocol traffic by encrypting the entire handshake with a stream cipher, and
is designed to make it difficult to implement an automated analysis tool even
understanding how the obfuscation protocol works.
混淆用的 encryption key 具有很强的隐蔽性。无法被其他的系统(GFW)所识别。
The obfuscation encryption key is generated in a way which is deliberately
slow to make it difficult to implement on the type of high performance network
hardware which is usually used for classifying protocol traffic.
另外,在client和server之前,还能配置一个 keyword, 用来对整个handshake过程进行保护(一种简单的口令机制)。
Additionally
an option is provided for the client and server to share a 'keyword' which is
a simple kind of password that is used only for securing the handshake. No
connection can be initiated to a server which has keyword obfuscation enabled
without knowing the keyword, and the obfuscation keyword is used to derive the
keys that encrypt the handshake in order prevent decrypting the handshake
traffic without knowing the keyword.