Added perl/legacy distribution (fwknop-1.9.12). Renamed this distribution from fwknop-c to simply fwknop. Made the version 2.0.0-alpha.

git-svn-id: file:///home/mbr/svn/fwknop/trunk@143 510a4753-2344-4c79-9c09-4d669213fbeb
1 parent a07decf commit 2bf25e62a7ed95057ea7c85c2f1f52dd6fcb7cb2 Damien Stuart committed Sep 11, 2009
Showing 477 changed files with 78,106 additions and 3 deletions.
@@ -14,6 +14,7 @@ SUBDIRS = \
doc
EXTRA_DIST = \
+ perl/legacy \
perl/FKO/README \
perl/FKO/inc/Devel/CheckLib.pm \
perl/FKO/MANIFEST \
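Review bot: listing the whole `perl/legacy` directory in EXTRA_DIST makes `make dist` ship everything under it, including any build leftovers or editor backup files present in the working copy at release time; consider a `dist-hook` that prunes such files from the distdir, or list the legacy tree's contents explicitly as the neighbouring `perl/FKO/...` entries do.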
@@ -2,15 +2,15 @@ dnl Process thie file with autoconf to produce the configure script
AC_PREREQ(2.61)
-m4_define(my_package, [fwknop-c])
-m4_define(my_version, [0.63])
+m4_define(my_package, [fwknop])
+m4_define(my_version, [2.0.0-alpha])
m4_define(my_bug_email, [dstuart@dstuart.org])
AC_INIT(my_package, my_version, my_bug_email)
AC_CONFIG_AUX_DIR(config)
-AM_INIT_AUTOMAKE([-Wall -Werror foreign])
+AM_INIT_AUTOMAKE([tar-ustar -Wall -Werror foreign])
dnl AM_MAINTAINER_MODE
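Review bot: the change from the default tar format to `tar-ustar` in AM_INIT_AUTOMAKE is not explained anywhere; if it is there to accommodate long path names in the newly distributed perl/legacy tree, say so in a `dnl` comment next to it, since it silently changes the format of the release tarball that downstream packagers consume. While here, `thie` in the `dnl Process thie file` header should be `this`.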
@@ -0,0 +1,31 @@
+
+The installation of fwknop is handled by the perl script "install.pl" that
+is bundled with the fwknop sources. Just run:
+
+./install.pl
+
+This will result in a functioning fwknop installation on your Linux system.
+If you run the installer as a non-root user, fwknop will be installed in your
+home directory (specifically in ~/bin and a few perl modules in ~/lib). In
+this case fwknop can only be used as an authentication client against an
+fwknop server on a different system.
+
+DEPENDENCIES:
+ fwknop requires several perl modules that may or may not already be
+installed on your Linux system. These modules are included in the deps/
+directory in the fwknop sources (unless you have installed one of the -nodeps
+tarballs), and the list of modules is:
+
+Class-MethodMaker
+Crypt-CBC
+Crypt-Rijndael
+Digest-SHA
+GnuPG-Interface
+IPTables-ChainMgr
+IPTables-Parse
+Net-IPv4Addr
+Net-Pcap
+Net-RawIP
+Net-Ping-External
+TermReadKey
+Unix-Syslog
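Review bot: this INSTALL text and its dependency list (Crypt-CBC, Crypt-Rijndael, IPTables-ChainMgr and the rest) describe only the archived perl fwknop-1.9.12 tree, not the C fwknop 2.0.0-alpha build this commit renames; a one-line heading stating that it applies to perl/legacy only would stop readers from confusing the two sets of build requirements.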
@@ -0,0 +1,47 @@
+#
+##########################################################################
+#
+# Author: Michael Rash (mbr@cipherdyne.org)
+#
+# Version: 0.1
+#
+# Copyright (C) 2004-2006 Michael Rash (mbr@cipherdyne.org)
+#
+# License (GNU Public License):
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+# USA
+#
+##########################################################################
+#
+# $Id: Makefile 1201 2008-08-13 02:03:02Z mbr $
+#
+
+OPTS = -Wall -O
+
+### default
+all : knopmd.c knopwatchd.c fwknop_funcs.c strlcpy.c strlcat.c fwknop.h
+ /usr/bin/gcc $(OPTS) knopmd.c fwknop_funcs.c strlcpy.c strlcat.c -o knopmd
+ /usr/bin/gcc $(OPTS) knopwatchd.c fwknop_funcs.c strlcpy.c strlcat.c -o knopwatchd
+
+### debug mode
+debug : knopmd.c knopwatchd.c fwknop_funcs.c strlcpy.c strlcat.c fwknop.h
+ /usr/bin/gcc -Wall -g -DDEBUG knopmd.c fwknop_funcs.c strlcpy.c strlcat.c -o knopmd
+ /usr/bin/gcc -Wall -g -DDEBUG knopwatchd.c fwknop_funcs.c strlcpy.c strlcat.c -o knopwatchd
+
+#install : knopmd
+# if [ -x knopmd ]; then \
+# /bin/cp knopmd /usr/sbin/knopmd
+
+clean :
+ if [ -f a.out ]; then rm a.out; fi
+ if [ -f core ]; then rm core; fi
+ if [ -f knopmd ]; then rm knopmd; fi
+ if [ -f knopwatchd ]; then rm knopwatchd; fi
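Review bot: the commented-out `install` target is incomplete: the line `# if [ -x knopmd ]; then \` is never closed with `fi`, so it will fail as soon as someone uncomments it; either finish it or remove it. Also, `/usr/bin/gcc` is hard-coded in every recipe where `$(CC)` (and `$(CFLAGS)` instead of the private `OPTS`) would let the build respect the toolchain autoconf selects, and the `$Id: Makefile 1201 ... $` SVN keyword is meaningless once this tree is in git.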
@@ -0,0 +1,51 @@
+
+fwknop - Firewall Knock Operator
+
+fwknop implements an authorization scheme that requires only a single
+encrypted packet to communicate various pieces of information including
+desired access through an iptables policy and/or specific commands to execute
+on the target system. The main application of this program is to protect
+services such as SSH with an additional layer of security in order to make the
+exploitation of vulnerabilities (both 0-day and unpatched code) much more
+difficult. The authorization server passively monitors authorization packets
+via libcap and hence there is no "server" to which to connect in the
+traditional sense. Any service protected by fwknop is inaccessible (by using
+iptables to intercept packets within the Linux kernel) before authenticating;
+anyone scanning for the service will not be able to detect that it is even
+listening. This authorization scheme offers many advantages over port
+knocking (*), include being non-replayable, much more data can be communicated,
+and the scheme cannot be broken by simply connecting to extraneous ports on
+the server in an effort to break knock sequences. The authorization packets
+can easiliy be spoofed as well, and this makes it possible to make it appear
+as though, say, www.yahoo.com is trying to authenticate to a target system but
+in reality the actual connection will come from a seemingly unrelated IP.
+Although the default data collection method is to use libpcap to sniff
+packets off the wire, fwknop can also read packets out of a file that is
+written by the Netfilter ulogd pcap writer.
+
+More information can be found in the fwknop(8) man page.
+
+In addition, fwknop maintains an implementation of a port knocking scheme
+based around iptables log messages. Supported knock sequences include both
+encrypted and shared sequences which can be augmented with both relative and
+absolute timeouts, multi-protocol usage (tcp, udp, and icmp), and passive OS
+guess masking.
+
+fwknop operates in two modes, "server" and "client". When running in server
+mode, fwknop parses the file /etc/fwknop/access.conf to get all access
+definitions (source address, sequence type, access port(s) and protocol, OS
+fingerprint requirements, etc.) and then begins watching all iptables log
+messages as they are written to syslog. If a matching sequence is monitored
+then the iptables ruleset on the underlying system will be modified to allow
+access to the port(s) that are either defined in access.conf or contained
+within the knock sequence (for encrypted sequences). When running in client
+mode, fwknop sends either a shared or an encrypted knock sequence to the
+destination system (which must be running fwknop in server mode). In client
+mode fwknop parses the file ~/.fwknoprc if sending a shared knock sequence
+to the destination or for encrypted sequences fwknop accepts command line
+input. Also, for a
+graphical front-end to fwknop see "fwknopFE"
+(http://www.snipes.org/index.php?page=fwknopFE) written by Brian Snipes.
+
+* The term "port knocking" was coined by Martin Krzywinski, see
+http://www.portknocking.org
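Review bot: the README says the server monitors authorization packets "via libcap"; that should read "libpcap", as the later sentence about the default data collection method does, since libcap is an unrelated capabilities library. Smaller fixes in the same text: "include being non-replayable" should be "including being non-replayable", "easiliy" should be "easily", and "Also, for a" is broken off from "graphical front-end" mid-sentence.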
@@ -0,0 +1,90 @@
+
+This file describes some common example configurations for the
+/etc/fwknop/access.conf file.
+
+1) Define parameters for accepting single-packet authorization messages
+ from any source IP address via libpcap. Fwknop will reconfigure the
+ local iptables policy to allow access to SSHD (TCP port 22) for 30
+ seconds from the IP also specified in the packet. This example probably
+ represents the best configuration for most needs:
+
+ SOURCE: ANY;
+ OPEN_PORTS: tcp/22;
+ DATA_COLLECT_MODE: PCAP;
+ KEY: myencryptkey;
+ FW_ACCESS_TIMEOUT: 30;
+
+2) If you would like the fwknop client to specify which port is opened by
+ fwknopd through the firewall, then replace the OPEN_PORTS variable with
+ PERMIT_CLIENT_PORTS as follows:
+
+ SOURCE: ANY;
+ PERMIT_CLIENT_PORTS: Y;
+ DATA_COLLECT_MODE: PCAP;
+ KEY: myencryptkey;
+ FW_ACCESS_TIMEOUT: 30;
+
+3) This example is identical to example 1) above, but now we add GPG keys
+ as an alternate encryption method. The original symmetric key will
+ still be accepted, but only if an attempted GPG decrypt does not
+ succeed. The GPG_REMOTE_ID is the key ID that the encrypted packet is
+ signed with by the fwknop client. Note that using GPG keys requires
+ that the client key has been imported (and signed) into the
+ GPG_HOME_DIR key ring on the server side, and the server key has been
+ imported (and signed) into the GPG key ring on the client side. Because
+ the GPG password for the server key is put within the access.conf, the
+ server key should be specifically generated and used only for fwknop
+ server functions; it should not a valuable GPG key that is used for
+ things like personal email encryption. See the fwknop man page for
+ examples of how to use the GPG encryption method from the fwknop
+ command line on the client side. To match any GPG key, set
+ GPG_REMOTE_ID to ANY. The GPG_AGENT_INFO variable is included for
+ reference if fwknopd is run in gpg-agent mode.
+
+ SOURCE: ANY;
+ OPEN_PORTS: tcp/22;
+ DATA_COLLECT_MODE: PCAP;
+ KEY: myencryptkey;
+ GPG_HOME_DIR: /root/.gnupg;
+ GPG_DECRYPT_ID: ABCD1234;
+ GPG_DECRYPT_PW: myGpgPassword;
+ GPG_REMOTE_ID: 1234ABCD;
+ GPG_AGENT_INFO: /tmp/gpg-n7jEPC/S.gpg-agent:18333:1; ### only for gpg-agent
+ FW_ACCESS_TIMEOUT: 30;
+
+4) This example is identical to example 1) above, but now we allow a
+ remote fwknop client to send a command to the fwknopd server (which it
+ will execute as root):
+
+ SOURCE: ANY;
+ OPEN_PORTS: tcp/22;
+ DATA_COLLECT_MODE: PCAP;
+ ENABLE_CMD_EXEC;
+ KEY: myencryptkey;
+ FW_ACCESS_TIMEOUT: 30;
+
+5) This example is identical to example 4) above, but now we specify a
+ regular expression which any remote command must match before being
+ executed:
+
+ SOURCE: ANY;
+ OPEN_PORTS: tcp/22;
+ DATA_COLLECT_MODE: PCAP;
+ ENABLE_CMD_EXEC;
+ CMD_REGEX: /sbin/iptables.*ACCEPT;
+ KEY: myencryptkey;
+ FW_ACCESS_TIMEOUT: 30;
+
+6) This example is similar to example 1) above, but this time instruct
+ fwknopd to read packets from a file that is written to by a sniffer
+ process or by something like the ulogd pcap writer (use ULOG_PCAP for
+ this). The specific file path is defined by the PCAP_FILE keyword in
+ /etc/fwknop/fwknop.conf). We also require that the username on the
+ system that generates the authorization packet is "mbr":
+
+ SOURCE: ANY;
+ OPEN_PORTS: tcp/22;
+ DATA_COLLECT_MODE: FILE_PCAP;
+ KEY: myencryptkey;
+ FW_ACCESS_TIMEOUT: 30;
+ REQUIRE_USERNAME: mbr;
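Review bot: in example 5 the pattern `CMD_REGEX: /sbin/iptables.*ACCEPT;` is unanchored and uses an unbounded `.*`, so it matches any command string that merely contains that substring somewhere; because ENABLE_CMD_EXEC runs the received command as root (as example 4 states), the example should anchor the pattern at both ends and restrict the middle to the characters an iptables invocation actually needs, and the prose should say plainly that this regex is the only control on what gets executed. Also, "it should not a valuable GPG key" in example 3 is missing "be", and "/etc/fwknop/fwknop.conf)" in example 6 has an unmatched parenthesis.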
@@ -0,0 +1,89 @@
+
+This HOWTO is available online at the following link:
+
+http://www.cipherdyne.org/fwknop/docs/gpghowto.html
+
+
+If you want to use GnuPG to encrypt communications from the fwknop client to
+the fwknopd server, you will need to first create the necessary GnuPG keys on
+both the client and server. If you already have a GnuPG key that you use for
+email (or other) encryption, you can safely use this key on the client side
+since it will only be used for message signing by fwknop. On the fwknopd
+server you will need to create a special GnuPG key that is exclusively used
+for fwknop communications. The reason stems from the fact that the password
+used to unlock this key must be stored within the /etc/fwknop/access.conf
+file; fwknopd must be able to decrypt messages that have been encrypted by an
+fwknop client with the server's public key. Hence, it is not a good idea to
+use a highly valuable personal GnuPG key on the server. Once you have created
+the requisite keys, you will need to import and sign each key into its
+"opposite" system; e.g. import and sign the server key into the client's GnuPG
+key ring, and vice-versa.
+
+* Note *
+Because SPA messages must fit within a single IP packet, it is recommended to
+choose a key size of 2048 bits or less for an fwknopd server GnuPG key. The
+process of generating the necessary GnuPG keys from the perspectives of both
+the client and server is outlined below. First we generate GnuPG keys and then
+export them to ascii files:
+
+ [server]# gpg --gen-key
+ [server]# gpg --list-keys
+ pub 1024D/ABCD1234 2006-05-01
+ uid fwknop server key
+ sub 2048g/EFGH1234 2006-05-01
+ [server]# gpg -a --export ABCD1234 > server.asc
+
+ [client]$ gpg --gen-key
+ [client]$ gpg --list-keys
+ pub 1024D/1234ABCD 2006-05-01
+ uid fwknop client key
+ sub 2048g/1234EFGH 2006-05-01
+ [client]$ gpg -a --export 1234ABCD > client.asc
+
+Next, we transfer the ascii files between the two systems. In this example we
+use scp (which will presumably be firewalled off after fwknop is deployed!),
+but any other transfer mechanism (ftp, http, etc.) will work:
+
+ [client]$ scp client.asc root@serverhost:
+
+ [server]# scp server.asc user@clienthost:
+
+Now we import and sign each key:
+ [server]# gpg --import client.asc
+
+ [server]# gpg --edit-key 1234ABCD
+ Command> sign
+
+ [client]$ gpg --import server.asc
+ [client]$ gpg --edit-key ABCD1234
+ Command> sign
+
+On the server side, we need to add several configuration directives to the
+/etc/fwknop/access.conf file so that fwknopd uses GnuPG to verify and decrypt
+SPA packets and are signed and encrypted with GnuPG. Note that the server key
+ID is ABCD1234 and the client key ID is 1234ABCD:
+
+ SOURCE: ANY;
+ OPEN_PORTS: tcp/22;
+ DATA_COLLECT_MODE: PCAP;
+ GPG_REMOTE_ID: 1234ABCD;
+ GPG_DECRYPT_ID: ABCD1234;
+ GPG_DECRYPT_PW: <your decryption password>;
+ GPG_HOME_DIR: /root/.gnupg;
+ FW_ACCESS_TIMEOUT: 60;
+
+More information on the access.conf directives above can be found in the
+fwknop man pages. See fwknop(8) and fwknopd(8). Finally, to see fwknop in
+action in GnuPG mode, on the client side we execute the following fwknop
+command to gain access to sshd after fwknopd reconfigures the local Netfilter
+policy:
+
+ $ fwknop -A tcp/22 --gpg-recip ABCD1234 --gpg-sign 1234ABCD -w -k <host>
+
+On the server side, fwknopd messages such as the following will be written to
+syslog:
+
+Jan 14 20:12:37 host fwknopd: adding FWKNOP_INPUT ACCEPT rule for
+72.x.x.x -> tcp/22 (10 seconds)
+Jan 15 10:13:09 host fwknopd: received valid GnuPG encrypted packet
+(signed with required key ID: 1234ABCD) from: 72.x.x.x, remote user: mbr
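Review bot: the key-exchange steps import and `sign` each key immediately after transferring it with scp, with no fingerprint check in between; the HOWTO should tell the reader to compare `gpg --fingerprint` output over an independent channel before running `sign`, since the signed key ID is exactly what the GPG_REMOTE_ID directive below then trusts. The sample syslog lines are also inconsistent with the example: access.conf sets `FW_ACCESS_TIMEOUT: 60;` but the log reports "(10 seconds)", and the two messages are dated Jan 14 and Jan 15 although they describe a single packet. Grammar: "verify and decrypt SPA packets and are signed and encrypted" should read "SPA packets that are signed and encrypted".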
@@ -0,0 +1,51 @@
+
+***NOTE*** The information in this file is for archiving purposes only to show
+how to use the deprecated port knocking mode offered by fwknop. Single Packet
+Authorization (SPA) is the most secure method of passive authorization; see
+the following link for more information:
+
+http://www.cipherdyne.org/fwknop/docs/SPA.html
+
+The sections below illustrate how to configure SOURCE blocks in the
+/etc/fwknop/access.conf file for the legacy port knocking modes.
+
+
+1) OLD STRATEGY: define parameters for accepting an encrypted knock
+ sequence from any source IP address. Note that the specific port that
+ will be opened is sent within the encrypted sequence (see the -p and -P
+ options when running fwknop in client mode) since the OPEN_PORTS
+ variable is not defined.
+
+ SOURCE: ANY;
+ DATA_COLLECT_MODE: ENCRYPT_SEQUENCE;
+ KEY: myencryptkey;
+
+2) OLD STRATEGY: Define parameters for an encrypted sequence that requires
+ the operating system from which the encrypted sequence originates be
+ identified as a Linux system (any kernel version). In addition, define
+ the firewall access timeout to be 10 minutes instead of the default of
+ 5 minutes, and restrict access for only those source IP addresses that
+ are within a specific subnet:
+
+ SOURCE: 192.168.10.0/24;
+ DATA_COLLECT_MODE: ENCRYPT_SEQUENCE;
+ KEY: myencryptkey;
+ FW_ACCESS_TIMEOUT: 600;
+ REQUIRE_OS_REGEX: linux;
+
+3) OLD STRATEGY: Define parameters for a shared knock sequence originating
+ from any source IP address, and use the tcp, udp, and icmp protocols in
+ the knock sequence. The sequence consists of a total of four ports:
+
+ SOURCE: ANY;
+ SHARED_SEQUENCE: tcp/65531, udp/65533, tcp/65532, udp/65530;
+
+1) OLD STRATEGY: Define parameters for a shared knock sequence identical
+ to 7) above, but require the operating system from which the sequence
+ originates to be exactly "OpenBSD:3.0-3.5::OpenBSD 3.0-3.5" (see the
+ file /etc/fwknop/pf.os):
+
+ SOURCE: ANY;
+ SHARED_SEQUENCE: tcp/65531, udp/65533, tcp/65532, udp/65530;
+ REQUIRE_OS: OpenBSD:3.0-3.5::OpenBSD 3.0-3.5;
+
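Review bot: the last example is numbered "1)" and says it is identical to "7) above", but this file only contains examples 1 through 3 before it; it should be numbered 4) and refer to 3) above, the shared-sequence example whose SHARED_SEQUENCE line it repeats.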