fwknop 1.0 reviewDownload
fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme based around Netfilter and libpcap that requi
fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme based around Netfilter and libpcap that requires only a single encrypted packet in order to communicate various pieces of information including desired access through a Netfilter policy and/or complete commands to execute on the target system.
By using Netfilter to maintain a "default drop" stance, the main application of this program is to protect services such as OpenSSH with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more difficult.
The authorization server passively monitors authorization packets via libcap and hence there is no "server" to which to connect in the traditional sense. Access to a protected service is only granted after a valid encrypted and non-replayed packet is monitored.
This method is similar to the Single Packet Authorization scheme proposed by Simple Nomad and the folks at NMRC
fwknop project was also the first tool to combine traditional encrypted port knocking with passive OS fingerprinting. This makes it possible to do things like only allow, say, Linux-2.4/2.6 systems to connect to your SSH daemon.
What's New in This Release:
The OpenSSH-4.3p2 patch was fixed to make sure to include the spa.h header file.
Access hashes accumluating when multiple ports are requested to be opened by a client were fixed.
Validation of the IPT_AUTO_CHAIN variable was improved so that the from_chain cannot be identical to the to_chain.
A bug in which the MD5 sum for an SPA packet is not examined for each SOURCE block was fixed.
This fixes a problem where an SPA packet could appear to be replayed if multiple SOURCE blocks are defined in /etc/fwknop/access.conf.
The main SPA access loop was refactored so that it is clearer how and when SPA clients are granted access.
fwknop 1.0 keywords