Changeset 686
- Timestamp: 06/03/07 22:13:34
- Files:
- fwknop/trunk/CREDITS (modified) (1 diff)
- fwknop/trunk/ChangeLog (modified) (3 diffs)
- fwknop/trunk/README (modified) (3 diffs)
- fwknop/trunk/TODO (modified) (2 diffs)
- fwknop/trunk/access.conf (modified) (1 diff)
- fwknop/trunk/fwknop.8 (modified) (6 diffs)
- fwknop/trunk/fwknop.conf (modified) (2 diffs)
- fwknop/trunk/install.pl (modified) (1 diff)
fwknop/trunk/CREDITS
r651 r686 68 68 measure for the fwknopd daemon to validate incoming SPA packets (this 69 69 will probably be enabled by default). 70 - Suggested a new method of interacting with Netfilterto redirect70 - Suggested a new method of interacting with iptables to redirect 71 71 connections to one port to another port on the same system. 72 72 - Suggested making the --Spoof-user argument useable by non-root users. fwknop/trunk/ChangeLog
r684 r686 186 186 - Removed legacy port knocking installation in install.pl (fwknopfifo, 187 187 and fwdata file) unless the data collection mode is set to syslog or 188 syslog-ng for legacy Netfilterlog messages.188 syslog-ng for legacy iptables log messages. 189 189 - Added inode checking for PCAP_PKT_FILE. This helps to ensure that log 190 190 rotation schemes don't interfere with reading packets out of the file … … 210 210 - Updated fwknop to communicate with knoptm via a UNIX domain socket 211 211 instead of the previous file-based communication. 212 - Updated to flush the fwknop Netfilterchains at start time.212 - Updated to flush the fwknop iptables chains at start time. 213 213 - Bugfix for removing the wrong hash key in the knoptm IP cache. 214 214 … … 259 259 be replayed against an fwknop server. 260 260 - Updated to fall back to getpwuid() if getlogin() fails (Blair Zajac). 261 - Added --ipt-list to list all current rules in the FWKNOP Netfilter261 - Added --ipt-list to list all current rules in the FWKNOP iptables 262 262 chains. 263 - Added --ipt-flush to flush all current rules in the FWKNOP Netfilter263 - Added --ipt-flush to flush all current rules in the FWKNOP iptables 264 264 chains. 265 265 - Bugfix for the installer dying if ~/lib already exists (Blair Zajac). fwknop/trunk/README
r292 r686 4 4 fwknop implements an authorization scheme that requires only a single 5 5 encrypted packet to communicate various pieces of information including 6 desired access through a Netfilterpolicy and/or specific commands to execute6 desired access through an iptables policy and/or specific commands to execute 7 7 on the target system. The main application of this program is to protect 8 8 services such as SSH with an additional layer of security in order to make the … … 11 11 via libcap and hence there is no "server" to which to connect in the 12 12 traditional sense. Any service protected by fwknop is inaccessible (by using 13 Netfilterto intercept packets within the Linux kernel) before authenticating;13 iptables to intercept packets within the Linux kernel) before authenticating; 14 14 anyone scanning for the service will not be able to detect that it is even 15 15 listening. This authorization scheme offers many advantages over port … … 27 27 28 28 In addition, fwknop maintains an implementation of a port knocking scheme 29 based around Netfilterlog messages. Supported knock sequences include both29 based around iptables log messages. Supported knock sequences include both 30 30 encrypted and shared sequences which can be augmented with both relative and 31 31 absolute timeouts, multi-protocol usage (tcp, udp, and icmp), and passive OS fwknop/trunk/TODO
r581 r686 8 8 - Solve the key management issue by interfacing with various existing 9 9 authentication systems (LDAP, Radius, Unix crypt(), etc.). 10 - Update IPTables::ChainMgr to be able to manage a Netfilterruleset on a10 - Update IPTables::ChainMgr to be able to manage an iptables ruleset on a 11 11 remote system. 12 12 - Client derived access timeouts. … … 35 35 - Scp patch. 36 36 - Privledge separation to reduce code that executes as root. 37 - ssh-agent and gpg-agentintegration.37 - ssh-agent integration. 38 38 - Destination IP address restriction restrictions in access.conf. 39 39 - Web SPA proxy. fwknop/trunk/access.conf
r677 r686 22 22 # 1) Define parameters for accepting single-packet authorization messages 23 23 # from any source IP address via libpcap. Fwknop will reconfigure the 24 # local Netfilterpolicy to allow access to SSHD (TCP port 22) for 3024 # local iptables policy to allow access to SSHD (TCP port 22) for 30 25 25 # seconds from the IP also specified in the packet. This example probably 26 26 # represents the best configuration for most needs: fwknop/trunk/fwknop.8
r680 r686 14 14 that requires only a single encrypted 15 15 packet to communicate various pieces of information including desired access 16 through a Netfilterpolicy and/or specific commands to execute on the target16 through an iptables policy and/or specific commands to execute on the target 17 17 system. The main application of this program is to protect services such as 18 18 .B SSH … … 23 23 and hence there is no "server" to which to connect in the traditional sense. 24 24 Any service protected by fwknop 25 is inaccessible (by using Netfilterto intercept packets within the Linux25 is inaccessible (by using iptables to intercept packets within the Linux 26 26 kernel) before authenticating; anyone scanning for the service will not be 27 27 able to detect that it is even listening. This authorization scheme offers … … 35 35 collection method in Single Packet Authorization mode is to use libpcap to sniff 36 36 packets off the wire, fwknop can also read packets out of a file that is written 37 by the Netfilter37 by the iptables 38 38 . B ulogd 39 39 pcap writer (or a separate sniffer process that is writing to a file). … … 77 77 A note about the interaction between 78 78 .B fwknop 79 and Netfilter; fwknop maintains a strict separation between dynamically80 generated rules and any existing Netfilterpolicy by adding all rules79 and iptables; fwknop maintains a strict separation between dynamically 80 generated rules and any existing iptables policy by adding all rules 81 81 to a custom chain "FWKNOP_INPUT". Packets are jumped to this chain from 82 82 the INPUT chain. Interaction with the FORWARD chain can be accomplished … … 88 88 them with passive OS fingerprinting, but this mode is not enabled by 89 89 default. This scheme is based around log 90 messages generated by the Netfilterfirewall in the Linux kernel.90 messages generated by the iptables firewall in the Linux kernel. 
91 91 .B fwknop 92 92 supports both shared and encrypted port knock sequences, passive OS fingerprinting, … … 453 453 .B fwknop 454 454 requires perl. To take advantage of all of the features in fwknop when run 455 in server mode a functioning Netfilterfirewall is required on the underlying455 in server mode a functioning iptables firewall is required on the underlying 456 456 operating system. If fwknop is being run in the legacy port knocking mode, 457 then Netfiltermust log packets via syslog, and ideally the --log-tcp-options457 then iptables must log packets via syslog, and ideally the --log-tcp-options 458 458 argument will be specified in the iptables logging rule so that fwknop will 459 459 be able to use a strategy similar to fwknop/trunk/fwknop.conf
r654 r686 136 136 137 137 ### Fwknop uses the IPTables::ChainMgr module to add allow rules to a 138 ### custom Netfilterchain "FWKNOP_INPUT". This chain is called from139 ### the INPUT chain, and by default no other Netfilterchains are used.138 ### custom iptables chain "FWKNOP_INPUT". This chain is called from 139 ### the INPUT chain, and by default no other iptables chains are used. 140 140 ### However, additional chains can be added (say, if access needs to 141 141 ### be allowed through the local system via the FORWARD chain) by … … 148 148 ### variable is: <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \ 149 149 ### <To_chain>,<Rule_position>. 150 ### "Target": Can be any legitimate Netfiltertarget, but should usually150 ### "Target": Can be any legitimate iptables target, but should usually 151 151 ### just be "DROP". 152 152 ### "Direction": Can be "src", "dst", or "both", which correspond to the 153 153 ### INPUT, OUTPUT, and FORWARD chains. 154 ### "Table": Can be any Netfiltertable, but the default is "filter".154 ### "Table": Can be any iptables table, but the default is "filter". 155 155 ### "From_chain": Is the chain from which packets will be jumped. 156 156 ### "Jump_rule_position": Defines the position within the From_chain where fwknop/trunk/install.pl
r668 r686 1326 1326 " generated by a sniffer (or through the Netfilter ulogd pcap writer), or\n", 1327 1327 " by sniffing packets directly off the wire via the Net::Pcap perl module.\n", 1328 " Fwknop can also acquire packet data from Netfiltersyslog messages, but\n",1328 " Fwknop can also acquire packet data from iptables syslog messages, but\n", 1329 1329 " this is only supported for the legacy port knocking mode; Single Packet\n", 1330 1330 " Authorization (SPA), which is used in the pcap modes, is a better\n", 1331 1331 " authorization strategy from every perspective (see the fwknop man page for\n", 1332 " more information). If you intend to use Netfilterlog messages (only makes\n",1332 " more information). If you intend to use iptables log messages (only makes\n", 1333 1333 " sense for the legacy port knocking mode), then fwknop will need to\n", 1334 1334 " reconfigure your syslog daemon to write kern.info messages to the\n",
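Review bot: the README hunk leaves a typo in its own context: line 11 says packets are sniffed "via libcap", but libcap is the POSIX capabilities library, and the fwknop.8 hunk (line 35) correctly names "libpcap" for the same mechanism. Since this changeset already rewrites lines 6 and 13 of the same paragraph, change line 11 to "via libpcap" in the same commit rather than leaving a misleading library name in the user-facing README.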
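Review bot: the TODO hunk drops "gpg-agent" from "ssh-agent and gpg-agent integration" (line 37) without any ChangeLog hunk in this changeset recording whether gpg-agent integration was completed or abandoned, so the removal is not traceable. Add a ChangeLog line that says which it is. While touching this region, line 36 of the unchanged context reads "Privledge separation"; the word is "Privilege".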
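Review bot: in the fwknop.8 hunk the phrase "by using iptables to intercept packets within the Linux kernel" (line 25; the README hunk has the same wording at line 13) reads slightly off after the rename, because iptables is the userspace tool and the interception is performed by the rules it installs in the kernel's Netfilter hooks. Something like "by using an iptables policy to drop packets in the Linux kernel" keeps the new term without implying that iptables itself runs in the kernel. The same applies to "the iptables firewall in the Linux kernel" at line 90.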
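Review bot: the fwknop.conf hunk contradicts itself on the chain target: line 137 says fwknop "add[s] allow rules to a custom iptables chain FWKNOP_INPUT", yet lines 150-151 say "Target" "should usually just be DROP". For a chain that grants access after a valid SPA packet the expected target is ACCEPT; a DROP target would make every dynamically added rule block the authorized client instead of admitting it. Since line 150 is already being rewritten here, correct the recommended target (or, if DROP is really intended for some other chain definition, say which) so the comment matches the behaviour described at line 137.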
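Review bot: the rename is applied inconsistently for ulogd. In the install.pl hunk, line 1326 still reads "through the Netfilter ulogd pcap writer" while lines 1328 and 1332 switch to "iptables", and the fwknop.8 hunk at line 37 renames the very same phrase to "by the iptables ulogd pcap writer". Pick one term for ulogd and use it in both files; since ulogd is the Netfilter userspace logging daemon rather than part of iptables, keeping "Netfilter ulogd" in both places (and reverting line 37 of fwknop.8) is the more accurate choice, but either way line 1326 should not be left as the odd one out.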
