分类 网络安全 下的文章

现在越来越多的项目在设计的过程中会很注重网络安全,银行金融业和监管机构之间一般采用金融城域网专线连接,在链路上面也使用CA数字证书,一般金融业的CA证书都是CFCA颁发,或者使用制定型号的 加密机。本章主要介绍一下CA服务器的搭建、证书的申请和吊销(也可以自己做加密机),后续有时间会写一下关于程序中怎么使用CA证书进行安全校验的。
openssl安装:
先来介绍一下openssl的安装,一般LINUX发行版都会自带openssl工具,裁剪系统中一般自己来编译安装。
我们的编译和测试环境如下:

key1088@key1088-host:~$ uname -a
Linux key1088-host 4.4.0-36-generic #55-Ubuntu SMP Thu Aug 11 18:01:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
key1088@key1088-host:~$ gcc --version
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.2) 5.4.0 20160609
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

1.下载openssl源代码
https://www.openssl.org/

wget https://www.openssl.org/source/openssl-1.1.0.tar.gz

2.编译安装

tar xvf openssl-1.1.0.tar.gz
cd openssl-1.1.0
./config
make

咱们这次就不make install了,就在这个目录下面操作了,需要临时设置一下环境变量
这个版本默认编译出来静态bin文件在apps下面

-rw-rw-r-- 1 key1088 key1088    911 9月   4 13:49 x509.d
-rwxrwxr-x 1 key1088 key1088 680616 9月   4 13:49 openssl
-rwxrwxr-x 1 key1088 key1088   6755 9月   4 13:50 CA.pl
-rwxrwxr-x 1 key1088 key1088   6613 9月   4 13:50 tsget

3.环境变量设置

key1088@key1088-host:~/openssl-1.1.0/apps$ ./openssl version
./openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
key1088@key1088-host:~/openssl-1.1.0/apps$ LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$HOME/openssl-1.1.0
key1088@key1088-host:~/openssl-1.1.0/apps$ export LD_LIBRARY_PATH
key1088@key1088-host:~/openssl-1.1.0/apps$ ./openssl versionOpenSSL 1.1.0  25 Aug 2016

出现版本号就证明环境变量设置正确,openssl可以用了。
CA服务器证书生成:
CA(Certificate Authority)证书颁发机构主要负责证书的颁发、管理以及归档和吊销。证书内包含了拥有证书者的姓名、地址、电子邮件帐号、公钥、证书有效期、发放证书的CA、CA的数字签名等信息。证书主要有三大功能:加密、签名、身份验证。
所有的操作默认在openssl-1.1.0目录下进行
2.生成CA密钥

mkdir -p CA/private
key1088@key1088-host:~/openssl-1.1.0$ (umask 077;./apps/openssl genrsa -out CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.................................+++
..........+++
unable to write 'random state'
e is 65537 (0x010001)

如果出现这个“unable to write 'random state'”设置一下环境变量即可

key1088@key1088-host:~/openssl-1.1.0$ export RANDFILE=$HOME/.rnd
key1088@key1088-host:~/openssl-1.1.0$ (umask 077;./apps/openssl genrsa -out CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.................................+++
.....................................................................................+++
e is 65537 (0x010001)

2.生成自签名证书
创建配置文件目录

mkdir etc
cp apps/openssl.cnf etc

为了简化证书制作过程中的输入 修改了etc/openssl.cnf,修改对比内容如下

key1088@key1088-host:~/openssl-1.1.0$ diff etc/openssl.cnf apps/openssl.cnf
42c42
< dir		= ./CA		# Where everything is kept
---
> dir		= ./demoCA		# Where everything is kept
129c129
< countryName_default		= CN
---
> countryName_default		= AU
134c134
< stateOrProvinceName_default	= BJ
---
> stateOrProvinceName_default	= Some-State
139c139
< 0.organizationName_default	= key1088.info
---
> 0.organizationName_default	= Internet Widgits Pty Ltd
151c151
< emailAddress			= key1088@163.com
---
> emailAddress			= Email Address

根据密钥生存证书

key1088@key1088-host:~/openssl-1.1.0$ ./apps/openssl req -new -x509 -key CA/private/cakey.pem -out CA/cacert.pem -days 1000 -config etc/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) []:
Organization Name (eg, company) [key1088.info]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:key1088
key1088@163.com []:

创建CA服务器所需文件

key1088@key1088-host:~/openssl-1.1.0$ touch CA/{index.txt,serial}
key1088@key1088-host:~/openssl-1.1.0$ ls -l CA/
总用量 8
-rw-rw-r-- 1 key1088 key1088 1176 9月   4 14:07 cacert.pem
-rw-rw-r-- 1 key1088 key1088    0 9月   4 14:09 index.txt
drwxrwxr-x 2 key1088 key1088 4096 9月   4 13:57 private
-rw-rw-r-- 1 key1088 key1088    0 9月   4 14:09 serial

证书序号开始值设置

key1088@key1088-host:~/openssl-1.1.0$ echo "01" > CA/serial

3.生成客户端证书,也称为节点证书。

key1088@key1088-host:~/openssl-1.1.0$ (umask 077;./apps/openssl genrsa -out CA/client/c01.key 2048)
Generating RSA private key, 2048 bit long modulus
............+++
................................................................................................+++
e is 65537 (0x10001)
key1088@key1088-host:~/openssl-1.1.0$ ./apps/openssl req -new -key CA/client/c01.key -out CA/client/c01.csr -config etc/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) []:
Organization Name (eg, company) [key1088.info]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:c01		#此处不能和CA中的名称相同
key1088@163.com []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:1234

4.部署到CA中

mkdir -p CA/newcerts
key1088@key1088-host:~/openssl-1.1.0$ ./apps/openssl ca -in CA/client/c01.csr -out CA/client/c01.crt -days 1000 -config etc/openssl.cnf
Using configuration from etc/openssl.cnf
Can't open ./CA/index.txt.attr for reading, No such file or directory
140399448418048:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:74:fopen('./CA/index.txt.attr','r')
140399448418048:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:77:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep  4 06:58:17 2016 GMT
            Not After : Jun  1 06:58:17 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = key1088.info
            commonName                = c01
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AB:F4:CB:4F:13:28:F8:5D:A7:DB:A0:E3:F3:52:86:C1:25:D1:EB:A0
            X509v3 Authority Key Identifier:
                keyid:68:82:F2:71:02:9C:92:00:F4:05:72:30:24:97:6B:80:2E:69:AF:EA
Certificate is to be certified until Jun  1 06:58:17 2019 GMT (1000 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
key1088@key1088-host:~/openssl-1.1.0$ du -a CA/
8	CA/newcerts/01.pem		        #自动生成的PEM文件,按照序号命名
12	CA/newcerts
4	CA/private/cakey.pem
8	CA/private
4	CA/serial
4	CA/serial.old
0	CA/index.txt.old
4	CA/cacert.pem
4	CA/index.txt
8	CA/client/c01.crt			#生成的证书
4	CA/client/c01.key
4	CA/client/c01.csr
20	CA/client
4	CA/index.txt.attr
64	CA/

openssl自带的样例:
openssl-1.1.0/apps/demoCA/下面的内容
5.转换给pfx格式(可选)

key1088@key1088-host:~/openssl-1.1.0$ ./apps/openssl pkcs12 -export -clcerts -in CA/client/c01.crt -inkey CA/client/c01.key -out CA/client/c01.pfx
Enter Export Password:					#12345678
Verifying - Enter Export Password:		#同上

pfx文件包含数字签名证书和私钥,可以进行密钥转移,也可以导入到浏览器中查看。
6.验证证书是否正确

key1088@key1088-host:~/openssl-1.1.0$ ./apps/openssl verify -CAfile CA/cacert.pem  CA/client/c01.crt
CA/client/c01.crt: OK

吊销证书
1.查看客户端证书序号

key1088@key1088-host:~/openssl-1.1.0$ ./apps/openssl x509 -in CA/client/c01.crt -noout -serial -subject
serial=01
subject=C = CN, ST = BJ, O = key1088.info, CN = c01

2.吊销证书

key1088@key1088-host:~/openssl-1.1.0$ ./apps/openssl ca -revoke CA/newcerts/01.pem -config etc/openssl.cnf
Using configuration from etc/openssl.cnf
Revoking Certificate 01.
Data Base Updated

3.生成吊销列表

key1088@key1088-host:~/openssl-1.1.0$ echo "01" > CA/crlnumber
key1088@key1088-host:~/openssl-1.1.0$ ./apps/openssl ca -gencrl -out CA/all.crl -config etc/openssl.cnf
Using configuration from etc/openssl.cnf

4.查看吊销

key1088@key1088-host:~/openssl-1.1.0$ ./apps/openssl crl -in CA/all.crl -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=BJ/O=key1088.info/CN=key1088
        Last Update: Sep  4 07:37:17 2016 GMT
        Next Update: Oct  4 07:37:17 2016 GMT
        CRL extensions:
            X509v3 CRL Number:
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Sep  4 07:34:48 2016 GMT
    Signature Algorithm: sha256WithRSAEncryption
         a7:98:6c:8f:77:d2:52:6a:57:eb:27:75:6f:17:eb:3c:30:19:
         78:bb:4f:77:aa:94:74:28:e5:7a:05:38:8d:03:6c:7c:8f:63:
         de:a9:fd:d3:ed:77:70:7d:24:9a:b9:da:42:05:9b:d1:73:92:
         6c:0c:13:88:16:16:d7:e1:4f:6f:62:90:8a:11:b1:c5:b7:80:
         c8:6c:76:e5:d2:eb:a9:f4:ee:da:85:56:9e:f2:97:02:43:ef:
         3d:ea:77:af:5b:f1:ed:4b:39:c7:7e:9c:22:62:91:ee:17:30:
         10:d2:49:82:9a:0d:9c:0c:ad:63:1e:cb:30:33:f0:5f:55:dc:
         b6:6c:70:61:82:ba:e0:d3:98:96:f3:3d:8b:0c:02:0d:fd:ac:
         61:e5:24:46:a0:52:94:05:f4:a9:a8:8b:25:40:db:a4:e5:58:
         4f:bd:37:1d:44:87:f1:3f:f9:06:d5:47:aa:0c:8f:1e:ba:d6:
         99:ef:f7:77:e0:af:05:a3:08:78:06:0f:e2:6a:a4:cd:ac:1a:
         45:d3:18:9a:18:25:ee:c3:7b:66:51:77:52:64:5e:4a:81:9e:
         84:be:16:bc:da:7d:83:7b:49:d1:5a:0f:4f:02:e4:fa:fb:80:
         53:7f:7f:72:02:17:31:25:c6:6e:cc:1e:4f:7e:9c:f4:ae:d1:
         85:a2:6a:d6
key1088@key1088-host:~/openssl-1.1.0$ cat CA/serial
03
key1088@key1088-host:~/openssl-1.1.0$ cat CA/crlnumber
02
key1088@key1088-host:~/openssl-1.1.0$ cat CA/index.txt
R	190601065817Z	160904073448Z	01	unknown	/C=CN/ST=BJ/O=key1088.info/CN=c01
V	190601073145Z		02	unknown	/C=CN/ST=BJ/O=key1088.info/CN=c02
key1088@key1088-host:~/openssl-1.1.0$ cat CA/index.txt.old
V	190601065817Z		01	unknown	/C=CN/ST=BJ/O=key1088.info/CN=c01
V	190601073145Z		02	unknown	/C=CN/ST=BJ/O=key1088.info/CN=c02

5.验证吊销的证书和正常使用的证书

key1088@key1088-host:~/openssl-1.1.0$ ./apps/openssl  verify -crl_check -CRLfile CA/all.crl -CAfile CA/cacert.pem CA/client/c01.crt
C = CN, ST = BJ, O = key1088.info, CN = c01
error 23 at 0 depth lookup: certificate revoked
error CA/client/c01.crt: verification failed

再新生成一个02的证书验证一下,验证结果。
key1088@key1088-host:~/openssl-1.1.0$ ./apps/openssl verify -crl_check -CRLfile CA/all.crl -CAfile CA/cacert.pem CA/client/c02.crt
CA/client/c02.crt: OK
参考文章:
http://www.yunweipai.com/archives/4513.html%20r
http://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html

Denyhosts防止暴力破解主要是根据登录的日志/var/log/secure(centos为例),登录失败次数超过一定的阀值将IP写入/etc/hosts.deny文件中。文件格式如下:

#服务名称:ip地址
sshd: 180.97.239.49
ALL: 180.78.180.186

Denyhosts是专门用于防止SSHD登录,默认也是防止sshd登录的配置;如果想让vsftpd也添加一个安全的墙,需要在配置中添加以下信息,主要是格式化了匹配的正则表达式。

denyhosts.cfg:
SSHD_FORMAT_REGEX=.* (sshd.*:|[sshd]|vsftpd.*:) (?P.*)
USERDEF_FAILED_ENTRY_REGEX=authentication failure.* ruser=(?PS+) rhost=(?PS+)
BLOCK_SERVICE  = ALL

修改后,需要重启denghosts服务。
vsftpd如果使用这种机制需要开启tcp_wrappers(默认是开启的)

tcp_wrappers=YES

在Unix操作系统的动态链接库的世界中,LD_PRELOAD就是这样一个环境变量,它可以影响程序的运行时的链接(Runtime linker),它允许你定义在程序运行前优先加载的动态链接库。
大家想到着就邪恶了吧,今天看proxychanis代码发现的,和win平台sockscap32类似。
看代码test.c

#include 
#include 
#include 
int main(void)
{
    char *passwd="abcd";
    char in_buff[10];
    printf("-->input your passwd:");
    scanf("%s", in_buff);
    if( strcmp(passwd,in_buff) != 0) {
        printf("passwd errn");
        exit(-1);
    }
    printf("ok!. open doorn");
}

库代码hack.c

#include 
int strcmp(const char *s1, const char *s2)
{
    printf("hack function invoked. s1=[%s],s2=[%s]n", s1, s2);
    return 0;
}
[root@localhost preload]# gcc -o test test.c
[root@localhost preload]# ./test
-->input your passwd:123
passwd err
[root@localhost preload]# gcc -shared -o hack.o hack.c
[root@localhost preload]# ls -l hack.so
-rwxr-xr-x 1 root root 4116 Apr 13 15:52 hack.so
[root@localhost preload]# LD_PRELOAD="./hack.so"
[root@localhost preload]# ./test
-->input your passwd:123
passwd err
[root@localhost preload]# export LD_PRELOAD="./hack.so"
[root@localhost preload]# ./test
-->input your passwd:123
hack function invoked. s1=[abcd],s2=[123]
ok!. open door
[root@localhost preload]#

这是一种思路,还有一种最直接的办法用ltrace
ltrace是跟踪调用库函数的工具

[root@localhost preload]# export LD_PRELOAD=
[root@localhost preload]# ltrace ./test
(0x69951c, 0x699ab0, 0, 0, 0x699e58)                                              = 0x6998e4
__libc_start_main(0x80484a4, 1, 0xbf948364, 0x8048530, 0x8048520 
printf("-->input your passwd:")                                                   = 21
__isoc99_scanf(0x80485ff, 0xbf9482a2, 0x9acce0, 0x9abff4, 0x8048530-->input your passwd:123
)              = 1
strcmp("abcd", "123")                                                             = 1
puts("passwd err"passwd err
)                                                                = 11
exit(1 
+++ exited (status 1) +++
[root@localhost preload]#

openssl genkey 和 ssk-keygen 密钥的格式是不一样的
“RFC4716” (RFC 4716/SSH2 public or private key)
“PKCS8” (PEM PKCS8 public key)
ubuntu:
ssh-keygen -e -f ~/.ssh/id_rsa.pub > ~/.ssh/id_rsa_pub.pem
ssh-keygen -f ~/.ssh/id_rsa_pub.pem -i -m RFC4716 > ~/.ssh/id_rsa.pub
windows:
1)Use the puttyGen
2) Run puttygen and click generate
3) Run your mouse round the blank part for a while.
4) Enter a keyphrase (and repeat)
5) Click save public key and save it publickey
6) Click save private key and save it privatekey (extension gets added automatically, this is no good for spoon, but good for putty)
7) Click Conversions->Export OpenSSH key and save as sshkey.pem
8) In the main window is you key for pasting into OpenSSH authorized_keys file. Copy this in its entirety and past it into your ubuntu machine in /home//.ssh/authorized_keys file.
9) Ok, you can close putty key generator.
10) Utilize the .pem in the tool.
http://www.yinqisen.cn/blog-177.html