Chapter 13: Introducing fwknop
There are only a few SPA implementations available today, and fwknop is one of the most actively developed and supported. This chapter shows you how to install and make use of fwknop together with iptables to maintain a default-drop stance against all unauthenticated and unauthorized attempts to connect to your SSH daemon.A patch that allows the fwknop client to be executed directly by OpenSSH can be downloaded here. Also, the default fwknop configuration file can be downloaded here (or see below).
# ############################################################################# # # [+] fwknop - Firewall Knock Operator [+] # # This is the configuration file for fwknop, the Firewall Knock Operator. # The primary authentication and authorization mechanism offered by fwknop # is known as Single Packet Authorization (SPA). More information about # SPA can be found at: http://www.cipherdyne.org/fwknop/docs/SPA.html # # Note there are no access control directives in this file. All access # control directives are located in the file # /etc/fwknop/access.conf. You will need to edit the access.conf file in # order for fwknop to function correctly. # ############################################################################# # # $Id: index.html 2980 2011-01-09 15:27:41Z mbr $ # ### Supports multiple email addresses (as a comma separated ### list). EMAIL_ADDRESSES root@localhost; ### Machine hostname HOSTNAME _CHANGEME_; ### Define the firewall type. The default is "iptables" for Linux systems, ### but this can be set to "ipfw" for *BSD systems. FIREWALL_TYPE iptables; ### This defines the general strategy fwknop uses to authenticate remote ### clients. Possible values are "PCAP" (authenticate via regular pcap; this ### is the default and puts the interface in promiscuous mode unless ### ENABLE_PCAP_PROMISC is turned off) FILE_PCAP (authenticate via a pcap file ### that is built by a sniffer), ULOG_PCAP (authenticate via the ulogd pcap ### writer). AUTH_MODE PCAP; ### Define the ethernet interface on which we will sniff packets. Note ### that this is only used if the AUTH_MODE keyword above is set to ### "PCAP" PCAP_INTF eth0; ### Define whether put the pcap interface in promiscuous mode. ENABLE_PCAP_PROMISC Y; ### Define the filters used for PCAP and FILE_PCAP modes; we default ### to udp port 62201. Note that either of these variables can be ### set to NONE in order to look at all packets. PCAP_FILTER udp port 62201; ### This instructs fwknopd to not honor SPA packets that have an old time ### stamp. The value for "old" is defined by the MAX_SPA_PACKET_AGE variable. ### If ENABLE_SPA_PACKET_AGING is set to "N", fwknopd will not use the client ### time stamp at all. ENABLE_SPA_PACKET_AGING Y; ### Defines the maximum age (in seconds) that an SPA packet will be accepted. ### This requires that the client system is in relatively close time ### synchronization with the fwknopd server system (NTP is good). The default ### age is two minutes. MAX_SPA_PACKET_AGE 120; ### Track md5 sums associated with previous fwknop process. This allows ### md5 sums to remain persistent across executions of fwknop. ENABLE_MD5_PERSISTENCE Y; ### Force all SPA packets to contain a real IP address within the encrypted ### data. This makes it impossible to use the -s command line argument on ### the fwknop command line, so either -R has to be used to automatically ### resolve the external address (if the client behind a NAT) or the client ### must know the external IP. REQUIRE_SOURCE_ADDRESS N; ### Flush all existing rules in the fwknop chains at fwknop start time. FLUSH_IPT_AT_INIT Y; ### If running on ipfw firewalls, this variable defines the rule number IPFW_RULE_NUM 1; ### Define the timeout for running a command PCAP_CMD_TIMEOUT 10; ### If GPG keys are used instead of a Rijndael symmetric key, this is ### the default GPG keys directory. Note that each access block in ### /etc/fwknop/access.conf can specify its own GPG directory to override ### this default. GPG_DEFAULT_HOME_DIR /root/.gnupg; ### This gets used if AUTH_MODE is set to "FILE_PCAP". This file must ### be created by a sniffer process (or something like the ulogd pcap ### writer). PCAP_PKT_FILE /var/log/sniff.pcap; ### Defines interval fwknop will use to check for more iptables ### messages (this is only used in the legacy port knocking mode). SLEEP_INTERVAL 2; ### seconds ### TTL values are decremented depending on the number of hops the packet ### has taken before it hits the firewall. We will assume packets will not ### jump through more than 20 hops on average. MAX_HOPS 20; ### Note that fwknopd still only gets its data via pcap, so the filter ### defined by PCAP_FILTER needs to be updated to include this TCP port. ENABLE_TCP_SERVER N; ### Set the default port number that the fwknop_serv "dummy" TCP server ### listens on. This server is only spawned when ENABLE_TCP_SERVER is set ### to "Y". TCPSERV_PORT 62201; ### Set the type of syslog daemon that is used. The SYSLOG_DAEMON variable ### accepts three possible values: syslogd, syslog-ng, or metalog. SYSLOG_DAEMON syslogd; ### syslog facility and priority (the defaults are usually ok) ### The SYSLOG_FACILITY variable can be set to one of LOG_LOCAL{0-7}, and ### SYSLOG_PRIORITY can be set to one of LOG_INFO, LOG_DEBUG, LOG_NOTICE, ### LOG_WARNING, LOG_ERR, LOG_CRIT, LOG_ALERT, or LOG_EMERG SYSLOG_IDENTITY fwknopd; SYSLOG_FACILITY LOG_LOCAL7; SYSLOG_PRIORITY LOG_INFO; ### Allow reporting methods to be enabled/restricted. This keyword can ### accept values of "nosyslog" (don't write any messages to syslog), ### "noemail" (don't send any email messages), or "ALL" (to generate both ### syslog and email messages). "ALL" is the default. Both "nosyslog" ### and "noemail" can be combined with a comma to disable all logging ### and alerting. ALERTING_METHODS ALL; ### The following variables can be modified to look for logging messages ### that are specific to your firewall configuration (specified by the ### "--log-prefix" for iptables firewalls). For example, if your firewall ### uses the string "Audit" for packets that have been blocked, then you ### could set FW_MSG_SEARCH = "Audit"; FW_MSG_SEARCH DROP; ### For knopwatchd KNOPWATCHD_CHECK_INTERVAL 5; ### seconds KNOPWATCHD_MAX_RETRIES 10; ### Default minimum message size SPA messages encrypted with GnuPG. The ### fwknopd daemon will not attempt to decrypt any packet with gpg that is not ### at least as large as this value. MIN_GNUPG_MSG_SIZE 400; ### Fwknop uses the IPTables::ChainMgr module to add allow rules to a ### custom iptables chain "FWKNOP_INPUT". This chain is called from ### the INPUT chain, and by default no other iptables chains are used. ### However, additional chains can be added (say, if access needs to ### be allowed through the local system via the FORWARD chain) by ### altering the "IPT_AUTO_CHAIN" keywords below. For a discussion of ### the format followed by these keywords, read on: ### Specify chain names to which iptables blocking rules will be ### added with the IPT_AUTO_CHAIN{n} keyword. There is no limit on the ### number of IPT_AUTO_CHAIN{n} keywords; just increment the {n} number ### to add an additional IPT_AUTO_CHAIN requirement. The format for this ### variable is: <Target>,<Direction>,<Table>,<From_chain>,<Jump_rule_position>, \ ### <To_chain>,<Rule_position>. ### "Target": Can be any legitimate iptables target, but should usually ### just be "DROP". ### "Direction": Can be "src", "dst", or "both", which correspond to the ### INPUT, OUTPUT, and FORWARD chains. ### "Table": Can be any iptables table, but the default is "filter". ### "From_chain": Is the chain from which packets will be jumped. ### "Jump_rule_position": Defines the position within the From_chain where ### the jump rule is added. ### "To_chain": Is the chain to which packets will be jumped. This is the ### main chain where fwknop rules are added. ### "Rule_position": Defines the position where rule are added within the ### To_chain. IPT_AUTO_CHAIN1 ACCEPT, src, filter, INPUT, 1, FWKNOP_INPUT, 1; ### Directories FWKNOP_DIR /var/log/fwknop; FWKNOP_RUN_DIR /var/run/fwknop; FWKNOP_LIB_DIR /var/lib/fwknop; # for legacy port knocking mode FWKNOP_MOD_DIR /usr/lib/fwknop; FWKNOP_CONF_DIR /etc/fwknop; FWKNOP_ERR_DIR $FWKNOP_DIR/errs; ### Files FW_DATA_FILE $FWKNOP_DIR/fwdata; # legacy port knocking mode ACCESS_CONF $FWKNOP_CONF_DIR/access.conf; P0F_FILE $FWKNOP_CONF_DIR/pf.os; ### p0f-based fingerprints MD5_FILE $FWKNOP_DIR/md5sums; KNOPTM_TIMEOUT_FILE $FWKNOP_DIR/knoptm.cache; ### timeout cache FWKNOP_PID_FILE $FWKNOP_RUN_DIR/fwknopd.pid; FWKNOP_CMDLINE_FILE $FWKNOP_RUN_DIR/fwknopd.cmd; TCPSERV_PID_FILE $FWKNOP_RUN_DIR/fwknop_serv.pid; KNOPWATCHD_PID_FILE $FWKNOP_RUN_DIR/knopwatchd.pid; KNOPMD_PID_FILE $FWKNOP_RUN_DIR/knopmd.pid; KNOPTM_PID_FILE $FWKNOP_RUN_DIR/knoptm.pid; KNOPTM_IP_TIMEOUT_SOCK $FWKNOP_RUN_DIR/knoptm_ip_timeout.sock; KNOPMD_FIFO $FWKNOP_LIB_DIR/fwknopfifo; ### iptables command output and error collection files; these are ### used by IPTables::ChainMgr IPT_OUTPUT_FILE $FWKNOP_DIR/fwknopd.iptout; IPT_ERROR_FILE $FWKNOP_DIR/fwknopd.ipterr; KNOPTM_IPT_OUTPUT_FILE $FWKNOP_DIR/knoptm.iptout; KNOPTM_IPT_ERROR_FILE $FWKNOP_DIR/knoptm.ipterr; ### system binaries mailCmd /bin/mail; shCmd /bin/sh; iptablesCmd /sbin/iptables; ipfwCmd /sbin/ipfw; ### BSD and Mac OS X only fwknopdCmd /usr/sbin/fwknopd; fwknop_servCmd /usr/sbin/fwknop_serv; knopmdCmd /usr/sbin/knopmd; knoptmCmd /usr/sbin/knoptm; knopwatchdCmd /usr/sbin/knopwatchd;