be29a34732
Single Packet Authorization (SPA). fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter (fwknop supports both iptables on Linux systems and ipfw on FreeBSD and Mac OS X systems) and libpcap. SPA requires only a single encrypted packet in order to communicate various pieces of information including desired access through an iptables policy and/or complete commands to execute on the target system. By using iptables to maintain a "default drop" stance, the main application of this program is to protect services such as OpenSSH with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more difficult. With fwknop deployed, anyone using nmap to look for sshd can't even tell that it is listening; it makes no difference if they have a 0-day exploit or not. The authorization server passively monitors authorization packets via libcap and hence there is no "server" to which to connect in the traditional sense. Access to a protected service is only granted after a valid encrypted and non-replayed packet is monitored from an fwknop client (see the following network diagram; the SSH session can only take place after the SPA packet is monitored): PR: ports/118229 Submitted by: Sean Greven <sean.greven@gmail.com>
20 lines
1.1 KiB
Text
20 lines
1.1 KiB
Text
--- access.conf.orig 2007-11-21 20:59:13.000000000 +0200
|
|
+++ access.conf 2007-11-21 21:00:47.000000000 +0200
|
|
@@ -5,7 +5,7 @@
|
|
#
|
|
# Purpose: This file defines how fwknop will modify iptables access controls
|
|
# for specific IPs/networks. It gets installed by default at
|
|
-# /etc/fwknop/access.conf and is consulted by fwknop when run in
|
|
+# %%PREFIX%%/etc/fwknop/access.conf and is consulted by fwknop when run in
|
|
# "access control mode", which is the default (i.e. when fwknop is
|
|
# run from the command line without any command line arguments).
|
|
# The corresponding file ~/.fwknoprc defines how fwknop will
|
|
@@ -96,7 +96,7 @@
|
|
# fwknopd to read packets from a file that is written to by a sniffer
|
|
# process or by something like the ulogd pcap writer (use ULOG_PCAP for
|
|
# this). The specific file path is defined by the PCAP_FILE keyword in
|
|
-# /etc/fwknop/fwknop.conf). We also require that the username on the
|
|
+# %%PREFIX%%/etc/fwknop/fwknop.conf). We also require that the username on the
|
|
# system that generates the authorization packet is "mbr":
|
|
#
|
|
# SOURCE: ANY;
|