Fwknopping your way to success with Single Packet Authorisation

Post Type: Tutorial
Single Packet Authorisation using FWKNOP

Port knocking
Security is always an issue, and you can never be too careful. If you're a security nut like me, port knocking, and the more robust Single Packet Authorisation that grew out of it, are invaluable.

Port knocking is a way of keeping the services running on your machine hidden from the outside world. It does not replace a service's own authentication; it puts an extra hurdle in front of it that an attacker has to clear before they can even talk to the service.

To a port scanner, a machine running a port-knocking daemon shows no open ports: every connection attempt is dropped or refused by the firewall (nmap reports the ports as filtered or closed, depending on whether the firewall rules DROP or REJECT).

The port-knocking daemon listens for a pre-configured sequence of "knocks".
A user who wishes to connect to, for example, SSHD on the machine must first request access to port 22. They do this by sending a SYN to each port in the pre-configured list, in order. The daemon recognises the sequence and opens port 22 to that client for a period set in its config (30 seconds by default). When the 30 seconds are up (and hopefully the user has authenticated to SSHD by then), port 22 is closed to new external connections again; the firewall's ESTABLISHED rule keeps the user's existing session alive.

The developers decided that this still was not secure enough: an attacker able to observe traffic to the server can record the knock sequence and simply replay it to get the same access. So the fwknop project went a step further, with a different method called Single Packet Authorisation.
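To make the sequence matching and the replay weakness described above concrete, here is a small simulation of the matching logic a port-knocking daemon runs. This is an added example, not code from fwknop or from this tutorial: the knock sequence (7000, 8000, 9000), the timeouts and the addresses are all made up, and it consumes a stream of (source IP, destination port, time) events rather than real packets.

```python
"""Simulation of a port-knocking daemon's matching logic (added example, not fwknop)."""

KNOCK_SEQUENCE = (7000, 8000, 9000)  # hypothetical pre-configured knock sequence
KNOCK_TIMEOUT = 5.0                  # max seconds between consecutive knocks (assumed)
OPEN_SECONDS = 30.0                  # how long port 22 stays open, as in the text


class KnockDaemon:
    """Tracks each source address's progress through the knock sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, knock_timeout=KNOCK_TIMEOUT,
                 open_seconds=OPEN_SECONDS):
        self.sequence = tuple(sequence)
        self.knock_timeout = knock_timeout
        self.open_seconds = open_seconds
        self._progress = {}    # src_ip -> (knocks matched so far, time of last knock)
        self._open_until = {}  # src_ip -> time at which the firewall hole closes

    def observe_syn(self, src_ip, dst_port, now):
        """Feed one inbound SYN. Returns True when this SYN completes the sequence."""
        matched, last_seen = self._progress.get(src_ip, (0, now))
        if now - last_seen > self.knock_timeout:
            matched = 0                      # too slow: start the sequence over
        if dst_port == self.sequence[matched]:
            matched += 1                     # the expected next knock
        elif dst_port == self.sequence[0]:
            matched = 1                      # wrong knock, but it restarts the sequence
        else:
            matched = 0                      # any other port resets; stray scans get nowhere
        if matched == len(self.sequence):
            self._open_until[src_ip] = now + self.open_seconds
            self._progress.pop(src_ip, None)
            return True
        self._progress[src_ip] = (matched, now)
        return False

    def allows(self, src_ip, dst_port, now):
        """Would the firewall accept a NEW connection from src_ip to dst_port right now?"""
        return dst_port == 22 and self._open_until.get(src_ip, 0.0) > now


def legitimate_client(daemon, now=1000.0):
    """Knock the three ports one second apart, then try port 22."""
    for i, port in enumerate(daemon.sequence):
        daemon.observe_syn("192.168.1.101", port, now + i)
    return daemon.allows("192.168.1.101", 22, now + 3)     # True (closes again at now+32)


def sequential_scan(daemon, now=2000.0):
    """An nmap-style sweep hits 7000, but 7001 comes next and resets the sequence."""
    for i, port in enumerate(range(6990, 9010)):
        daemon.observe_syn("10.0.0.9", port, now + i * 0.001)
    return daemon.allows("10.0.0.9", 22, now + 3)          # False


def replayed_sequence(daemon, now=3000.0):
    """Someone who sniffed the legitimate knocks replays them from another address."""
    for i, port in enumerate(daemon.sequence):
        daemon.observe_syn("203.0.113.7", port, now + i)
    return daemon.allows("203.0.113.7", 22, now + 3)       # True: plain knocking is replayable


def slow_knocker(daemon, now=4000.0):
    """Correct ports, but ten seconds apart: the inter-knock timeout resets progress."""
    for i, port in enumerate(daemon.sequence):
        daemon.observe_syn("192.168.1.50", port, now + i * 10)
    return daemon.allows("192.168.1.50", 22, now + 25)     # False


if __name__ == "__main__":
    d = KnockDaemon()
    print("legitimate:", legitimate_client(d))
    print("port sweep:", sequential_scan(d))
    print("replay    :", replayed_sequence(d))
    print("too slow  :", slow_knocker(d))
```

The replayed_sequence case is the whole reason SPA exists: nothing in a bare knock sequence is tied to the sender or to the moment it was sent, so a recorded sequence is as good as the original.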

Instead of a series of knocks, the client sends one packet, encrypted under a passphrase shared with the server, that names the IP address to be let in and the port it wants. This requires both a server and a client application, but the client is tiny.


The client generates a small, heavily encrypted packet carrying, among other things, the IP address to be allowed and the requested port.
Sniffed on the wire, its payload looks like this:

+CqkFkQUcR/9N5pdkpid6bZPnMJ60l49WOXm4/cDEDkL8xyC5nnPdmMZYCrTXkTyxWO1IsvrW6wWdyIhrOhFhOz0kEknCuHl2Iiz4rs0ZOUG4etcPczuspp1FumPXbtdmnM7KmEAbTyFuGvYCWFMwZfoXjlhI0E75q3Yl2GAi974kfJi2hbI3L

When the daemon receives this packet, it decrypts it and opens the requested port, allowing connections only from the IP address named inside the encrypted packet.

Much more secure.



Installation.

First install all dependencies:

sudo aptitude install build-essential linux-headers-$(uname -r) libpcap-dev nmap


Then download, build and install the additional Perl dependency (Net::Pcap) for FWKNOP:

mkdir -p ~/Source/fwknop
cd ~/Source/fwknop
wget http://search.cpan.org/CPAN/authors/id/S/SA/SAPER/Net-Pcap-0.16.tar.gz
tar zxvf Net-Pcap-0.16.tar.gz
cd Net-Pcap-0.16
perl Makefile.PL
make
sudo make install



**NOTE** You will see an error message in the terminal about the CPAN method failing for Net::Pcap. Don't fret; it's no problem.


Then download and install FWKNOP itself:

cd ~/Source/fwknop
wget http://www.cipherdyne.org/fwknop/download/fwknop-1.9.3.tar.bz2
tar -jxvf fwknop-1.9.3.tar.bz2
cd fwknop-1.9.3
sudo ./install.pl

During the install, select the pcap option when asked how the daemon should pick up packets (this is why libpcap-dev and Net::Pcap were installed first).




Now to test your install of FWKNOP

The package comes with a Perl script to test your installation. It expects a mail command at /bin/mail (fwknop sends its alert emails through it).

If you do not have one, you will get BUCKETS of errors. (Believe me, I almost shat myself.)

So, to replace it with a harmless echo for now:

sudo ln -s /bin/echo /bin/mail

This is only a stopgap so the test script stays quiet: with it in place, any email alert fwknop tries to send goes to /bin/echo and is lost. Remove the symlink again before you install a real MTA.

Now we can run the installation test without all the errors (hopefully):

cd ~/Source/fwknop/fwknop-1.9.3/test
sudo perl fwknop_test.pl

If you get errors, don't worry so much; I have a working FWKNOP server that showed 4 errors during the test.


After you have checked your install, you will need to configure it.

There are two config files, both in /etc/fwknop: fwknop.conf (daemon settings) and access.conf (who may ask for which ports, and the key they must use). Edit them as root; gksu already elevates, so there is no need for sudo su first:

gksu gedit /etc/fwknop/fwknop.conf
gksu gedit /etc/fwknop/access.conf

access.conf holds your encryption key, so make sure it is readable by root only (mode 600).

Things I changed to get a working server were:


fwknop.conf

changed ALERTING_METHODS to noemail (because I have no Mail Transfer Agent; with the /bin/mail symlink above, email alerts would go nowhere anyway)
changed ShCmd from /bin/sh to /bin/bash (because Bourne knows best)

access.conf

Fairly straightforward to edit: put your encryption key (the passphrase the client will prompt you for) in it; the defaults for all the rest are quite sensible. Pick a long, random key. It is a shared secret, and anyone who learns it can build a valid SPA packet naming any address they like.


For starting fwknop on the server side, a nice script that I leeched from DrSmall on the Ubuntu forums does this perfectly, with a sensible iptables config. Be clear about what it does: it saves your current rules to /etc/iptables-save, lets established connections through, starts fwknop, and then DROPs new SSH connections. Nothing else is hidden unless you uncomment the catch-all DROP line in start(). Run it as root.



#!/bin/bash
# Simple script for starting and
# stopping FWKNOP, a little better.
#
# Must be run as root. The ruleset in place before "start"
# is saved to $SAVED and put back by "stop".

SAVED=/etc/iptables-save

start()
    {
# Save current firewall rules
/sbin/iptables-save -c > "$SAVED"

# Flush existing rules
/sbin/iptables -F

# Keep existing connections open. This is what lets an SSH session
# survive after fwknop closes the port again.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Uncomment to hide everything else too (anything not from loopback is dropped).
# fwknop adds its ACCEPT rules ahead of the DROPs, so knocked clients still get in.
#/sbin/iptables -A INPUT ! -i lo -j DROP

# Start fwknop
/etc/init.d/fwknop start

# Disable new SSH connections; only fwknop may open the port
/sbin/iptables -A INPUT -p tcp --dport ssh -j DROP
    }

stop()
    {
# Stop FWKNOP
/etc/init.d/fwknop stop

# Flush firewall rules
/sbin/iptables -F

# Restore the firewall rules saved by "start", if there are any
if [ -f "$SAVED" ]; then
    /sbin/iptables-restore -c < "$SAVED"
fi
    }

install()
    {
# Running this option installs this script
# to init.d and rc.d while removing fwknop
# from those places.
# Basically, this script becomes the control
# operator, instead of the fwknop init script.

# Remove fwknop from rc.d
update-rc.d -f fwknop remove
echo 'FWKNOP removed from rc.d...'

# Copy THIS script (which is not
# in init.d) to init.d
cp "$0" /etc/init.d/portknock
chmod 755 /etc/init.d/portknock
echo "$0 copied to init.d..."

# Add portknock to rc.d
update-rc.d portknock defaults 99
echo 'portknock successfully added to rc.d...'
echo ''
echo 'Installation complete.'
    }

remove()
    {
# Running this option will
# remove 'portknock' from
# init.d and rc.d. fwknop will
# then be re-added to rc.d.

# Remove portknock from rc.d
update-rc.d -f portknock remove
echo 'portknock removed from rc.d...'

# Remove portknock from init.d
rm -f /etc/init.d/portknock
echo 'portknock removed from init.d...'

# Restore fwknop to rc.d
update-rc.d fwknop defaults 99
echo 'fwknop restored to rc.d...'
echo ''
echo 'portknock removed successfully.'
    }

case "$1" in

 start|restart)
   stop
   start
   ;;
 stop)
   stop
   ;;
 install)
   install
   ;;
 remove)
   remove
   ;;
 *)
   echo "usage: $0 start|stop|restart|install|remove"
   ;;

esac
exit 0




To connect to a server and have it open a port for you, install the client on your own machine using the method above, choosing client rather than server when install.pl asks.

Then, using the client:



fwknop -A <protocol/port> -a <client IP address> -D <server IP address>

-A is the port you want opened, -a is the address the server should allow (it goes inside the encrypted packet, so it must be the address the server will see your SSH connection coming from; behind NAT that is your public address, not your LAN one), and -D is the server to send the SPA packet to. You will be prompted for the encryption key from the server's access.conf.


This should result in something like:

$ fwknop -A tcp/22 -a 192.168.1.101 -D 192.168.1.102
[+] Starting fwknop client (SPA mode)...
[+] Enter an encryption key. This key must match a key in the file
    /etc/fwknop/access.conf on the remote system.

Encryption Key:

[+] Building encrypted Single Packet Authorization (SPA) message...
[+] Packet fields:

        Random data:    5817642240590499
        Username:       <username>
        Timestamp:      1212123357
        Version:        1.9.4-pre3
        Type:           1 (access mode)
        Access:         192.168.1.101,tcp/22
        SHA256 digest:  NvUBz8l+T76KPqOSwvLMJO1n6sNjTLjuScSz6IIp5m8

[+] Sending 182 byte message to 192.168.1.102 over udp/62201...


The port will open for the address you gave with -a, and you can connect on the port you requested before the access timeout expires. A connection made inside that window stays up after the port closes again, thanks to the ESTABLISHED rule in the firewall script.




happy fwknopping!


tel0s




tutorial re-written from : http://ubuntuforums.org/showthread.php?t=812573

Comments

Nice job

Nice job well done man
Arron M Finnon
President Abertay Linux Society


Replay Attacks?

I didn't see anything time-based with this protocol; is it prone to replay attacks?



Have you moo'ed today?
         (__) 
         (oo) 
   /------\/ 
  / |    ||   
 *  /\---/\ 
   &
 

SPA packets are

SPA packets are non-replayable. There are strategies (such as S/Key-style iteration of a hash function) used by port knocking implementations to reduce the danger of a replayed knock sequence, but these strategies are relatively brittle and not generally very scalable to lots of users.
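The exchange the tutorial describes (client builds an encrypted packet with random data, username, timestamp, version, type, access string and a SHA256 digest; the server decrypts it and opens the named port for the named address) and the replay question raised in the comments, as one added example. This is not fwknop's code, wire format or cipher: the field layout only mirrors what the client prints above, the "encryption" is an HMAC-SHA256 keystream standing in for fwknop's real cipher, and the key, username, timestamps and tolerances are all constructed for the demo. What it does show is why the answer to the replay question is "no": the per-packet random field makes every packet's digest unique, the timestamp bounds how old a packet may be, and a cache of digests already honoured lets the server refuse a second copy whoever sends it.

```python
"""Toy SPA client/server with replay and age checks (added example, NOT fwknop's format)."""
import base64
import hashlib
import hmac
import os

VERSION = "example-0.1"    # stands in for the Version field; not a real fwknop version
MAX_AGE = 120              # seconds of clock skew tolerated (assumed value)
ACCESS_SECONDS = 30        # how long the opened port stays open, as in the tutorial
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for fwknop's Rijndael/GPG encryption."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _digest(body: bytes) -> bytes:
    # Unpadded base64 SHA256, the shape the client output above shows
    return base64.b64encode(hashlib.sha256(body).digest()).rstrip(b"=")


def build_spa(key: bytes, username: str, access: str, now: int, random_data: str = None) -> bytes:
    """Client side: the fields the fwknop client prints, joined, digested, encrypted."""
    if random_data is None:
        random_data = str(int.from_bytes(os.urandom(8), "big") % 10**16).zfill(16)
    body = ":".join([random_data, username, str(now), VERSION, "1", access]).encode("ascii")
    plaintext = body + b":" + _digest(body)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    return base64.b64encode(nonce + ciphertext)


class SpaServer:
    """Server side: decrypt, verify digest, age-check, replay-check, then open the port."""

    def __init__(self, key: bytes, max_age: int = MAX_AGE):
        self.key = key
        self.max_age = max_age
        self.seen_digests = set()  # replay cache; a real daemon prunes entries older than max_age
        self.allowed = {}          # (ip, "proto/port") -> time the hole closes

    def handle(self, packet: bytes, now: int) -> str:
        try:
            raw = base64.b64decode(packet, validate=True)
            nonce, ciphertext = raw[:NONCE_LEN], raw[NONCE_LEN:]
            plaintext = _xor(ciphertext, _keystream(self.key, nonce, len(ciphertext)))
            body, digest = plaintext.rsplit(b":", 1)
            random_data, user, ts, ver, typ, access = body.decode("ascii").split(":")
            ts = int(ts)
            ip, proto_port = access.split(",")
        except (ValueError, UnicodeDecodeError):
            return "reject: undecryptable (wrong key or not an SPA packet)"
        if not hmac.compare_digest(digest, _digest(body)):
            return "reject: digest mismatch (wrong key or tampered)"
        if abs(now - ts) > self.max_age:
            return "reject: stale timestamp"
        if digest in self.seen_digests:
            return "reject: replay"   # same packet seen before, whoever sent it
        if ip == "0.0.0.0":
            return "reject: packet must name an explicit source address"
        self.seen_digests.add(digest)
        self.allowed[(ip, proto_port)] = now + ACCESS_SECONDS
        return f"accept: {proto_port} open for {ip} until {now + ACCESS_SECONDS}"


def demo():
    key = b"correct horse battery staple"   # constructed shared key
    server = SpaServer(key)
    t0 = 1212123357                          # timestamp from the tutorial's sample output
    pkt = build_spa(key, "tel0s", "192.168.1.101,tcp/22", t0)
    results = [
        server.handle(pkt, t0 + 1),                                                  # fresh: accept
        server.handle(pkt, t0 + 2),                                                  # same bytes again: replay
        server.handle(build_spa(key, "tel0s", "192.168.1.101,tcp/22", t0 - 600), t0),      # too old: stale
        server.handle(build_spa(b"wrong-key", "tel0s", "192.168.1.101,tcp/22", t0), t0),   # wrong key: reject
    ]
    return results, server.allowed


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The checks are ordered so that the cheapest rejection comes first and nothing is cached until the packet has been proven genuine; caching the digest of an unverified packet would let an attacker fill the cache with junk.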