Dec 11 2010

LinuxBasix 034 Podcast segment notes

FWKNOP Tech Segment

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called Single Packet Authorization exists, where only a single ‘knock’ is needed, consisting of an encrypted packet.[1

Single Packet Authorization

Single Packet Authorization (a form of Port Knocking), is a technique for securely communicating authentication and authorization information across closed firewall ports, usually with the goal of opening certain ports to allow temporary access. By keeping most or all ports closed on a server hosting remotely-accessible services, it is possible to make that host invisible to the outside, thus protecting each listening service.

fwknop stands for the “FireWall KNock OPerator”, and implements an authorization scheme called Single Packet Authorization (SPA).

Steps to take:

Install fwknop Server

pre-requisite for fwknop:
# apt-get install libgdbm-dev

Download and install fwknop(client and server)
# wget -c
# tar -zxvf fwknop-2.0.0rc2.tar.gz
# ./configure
# make
# make install

Side note: If you get the following error while loading  “shared libraries: cannot open shared object file: no such file or directory” then you may need to create a symbolic link in the /usr/lib directory for the library file:

# cd /usr/lib
# ln -s /usr/local/lib/

Config files:

Browse to –> /usr/local/etc/fwknop), you will see two files access.conf and fwknop.conf.

Edit the  fwknop.conf file, and  uncomment and set the options  for your interface “PCAP_INTF eth0”.

Next edit your access.conf file to allow access  based on your liking (users, port, key, etc).

A simple suitable config:

KEY: P@$$W0r); //must be over 8 characters
OPEN_PORTS: tcp/222;

clear out your old IP rules and some default rules to drop all incoming traffic.

IP Tables rule:

# Script to reset your iptable rules

# Load modules for  tracking and NAT
modprobe iptable_nat

# Initialize all the chains by removing all rules
iptables –flush
iptables -t nat –flush
iptables -t mangle –flush

# Delete any user-defined chains
iptables –delete-chain
iptables -t nat –delete-chain
iptables -t mangle –delete-chain

# Set default policies
iptables –policy INPUT DROP
iptables –policy OUTPUT ACCEPT
iptables –policy FORWARD DROP

# Accept all traffic on the loopback (lo) device
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# log all incoming and forward traffic on eth0 device
#iptables -A INPUT -i eth0 -p all -j DROP
iptables -A INPUT -i eth0 -j LOG –log-prefix “DROP”
iptables -A FORWARD -i eth0 -j LOG –log-prefix “DROP”

# Accept internally-requested input
iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

# Accept internally-requested forward
iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

# Accept user-specified traffic
iptables -A INPUT -p tcp –dport 80 -j ACCEPT
iptables -A INPUT -p udp –dport 53 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
echo “iptables policy enabled”

Start the server with –> # fwknopd -f -vv

Testing rules after configuration:

I tried to ssh to the Ubuntu server via my windows box which is IP on port 22 and as you can see from the below image I was block and it was logged as expected:

Next I launched the windows client and typed in my configured information that was set-up during the config stage. Once you click “Send SPA” then try to login again via your SSH client within 30 secs and you should be able to now get in.

Additional reading: –> Windows client

Leave a Reply

You must be logged in to post a comment.

Alibi3col theme by Themocracy

Read previous post:
Linux Kernel Exploit PoC Testing

About an hour or so ago I notice a posting on the Full Disclosure mailing list with a proof of...