FWKNOP Tech Segment
In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called Single Packet Authorization exists, where only a single ‘knock’ is needed, consisting of an encrypted packet.[1
Single Packet Authorization
Single Packet Authorization (a form of Port Knocking), is a technique for securely communicating authentication and authorization information across closed firewall ports, usually with the goal of opening certain ports to allow temporary access. By keeping most or all ports closed on a server hosting remotely-accessible services, it is possible to make that host invisible to the outside, thus protecting each listening service.
fwknop stands for the “FireWall KNock OPerator”, and implements an authorization scheme called Single Packet Authorization (SPA).
Steps to take:
Install fwknop Server
pre-requisite for fwknop:
# apt-get install libgdbm-dev
Download and install fwknop(client and server)
# wget -c http://www.cipherdyne.org/fwknop/download/fwknop-2.0.0rc2.tar.gz
# tar -zxvf fwknop-2.0.0rc2.tar.gz
# make install
Side note: If you get the following error while loading “shared libraries: libfko.so.0: cannot open shared object file: no such file or directory” then you may need to create a symbolic link in the /usr/lib directory for the library file:
# cd /usr/lib
# ln -s /usr/local/lib/libfko.so.o.o.2 libfko.so.0
Browse to –> /usr/local/etc/fwknop), you will see two files access.conf and fwknop.conf.
Edit the fwknop.conf file, and uncomment and set the options for your interface “PCAP_INTF eth0”.
Next edit your access.conf file to allow access based on your liking (users, port, key, etc).
A simple suitable config:
KEY: P@$$W0r); //must be over 8 characters
clear out your old IP rules and some default rules to drop all incoming traffic.
IP Tables rule:
# Script to reset your iptable rules
# Load modules for tracking and NAT
# Initialize all the chains by removing all rules
iptables -t nat –flush
iptables -t mangle –flush
# Delete any user-defined chains
iptables -t nat –delete-chain
iptables -t mangle –delete-chain
# Set default policies
iptables –policy INPUT DROP
iptables –policy OUTPUT ACCEPT
iptables –policy FORWARD DROP
# Accept all traffic on the loopback (lo) device
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
# log all incoming and forward traffic on eth0 device
#iptables -A INPUT -i eth0 -p all -j DROP
iptables -A INPUT -i eth0 -j LOG –log-prefix “DROP”
iptables -A FORWARD -i eth0 -j LOG –log-prefix “DROP”
# Accept internally-requested input
iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
# Accept internally-requested forward
iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT
# Accept user-specified traffic
iptables -A INPUT -p tcp –dport 80 -j ACCEPT
iptables -A INPUT -p udp –dport 53 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
echo “iptables policy enabled”
Start the server with –> # fwknopd -f -vv
Testing rules after configuration:
I tried to ssh to the Ubuntu server via my windows box which is IP 192.168.19.1 on port 22 and as you can see from the below image I was block and it was logged as expected:
Next I launched the windows client and typed in my configured information that was set-up during the config stage. Once you click “Send SPA” then try to login again via your SSH client within 30 secs and you should be able to now get in.
http://www.cipherdyne.org/fwknop/download/ –> Windows client