cipherdyne.org

Michael Rash, Security Researcher



Port Knocking and SPA Coming to Fedora with fwknop

It appears that fwknop is going to be bundled within the next release of the Fedora Linux distribution, thanks to the work of Mirek Trmac and sponsored by Red Hat. One of the most significant contributions made by Mirek can be seen in this patch, which removes the fwknopd daemon's dependency on the NetPacket Perl module (a module that no longer seems to be actively developed). An RPM of fwknop has been built for Fedora 10, and the build and approval status can be viewed on the Fedora package page.

Although fwknop will certainly not be enabled by default at boot time on Fedora, the infrastructure will at least be there, so implementing Single Packet Authorization on Fedora becomes considerably easier. Well before Fedora 10 is released, I will also have a comprehensive tutorial on the theory, implementation, and deployment of fwknop (in both port knocking and SPA modes) available on cipherdyne.org.

Given the recent problems that Debian and Red Hat have had with encryption keys and the maintenance of server security, there is always room for additional protection measures that make it more difficult to compromise systems. The features offered by fwknop make it ideally suited to combining a default-drop iptables policy with dynamic access from authenticated networks to services such as SSH.
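To make the "default-drop policy plus dynamic access" idea concrete, here is an added example of the kind of iptables layout such a deployment rests on. This is illustrative code written for this page, not fwknop's own rule set or code: the chain name FWKNOP_INPUT, the rule shapes, the IPT override variable and the sleep-based revocation are all assumptions made for the example. The important point it shows is the ordering: the ESTABLISHED,RELATED rule sits in INPUT before the jump into the dynamic chain, so an SSH session opened during the access window survives after the per-source ACCEPT rule is removed again.

```shell
#!/bin/sh
# Added example (not fwknop code): default-drop INPUT policy with a dynamic
# chain that briefly admits an SPA-authenticated source to one TCP port.
# Assumptions: chain name FWKNOP_INPUT, rule shapes, and IPT override
# (set IPT=echo to dry-run and just print the iptables commands).
IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-FWKNOP_INPUT}"

# Base policy: drop everything inbound that is not loopback or part of an
# already-established connection, then hand new packets to the dynamic chain.
apply_base_policy() {
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Placed BEFORE the jump: sessions opened during an access window keep
    # working after the per-source rule below is removed.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -N "$CHAIN"
    "$IPT" -A INPUT -j "$CHAIN"
}

# grant_access SRC_IP PORT: admit NEW connections from one source to one port.
# This is the rule a daemon would insert after validating an SPA packet.
grant_access() {
    "$IPT" -I "$CHAIN" 1 -s "$1" -p tcp --dport "$2" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# revoke_access SRC_IP PORT: delete exactly the rule grant_access inserted.
revoke_access() {
    "$IPT" -D "$CHAIN" -s "$1" -p tcp --dport "$2" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# spa_window SRC_IP PORT SECONDS: open the port for a short window, then close
# it again. The client must connect inside the window; an established session
# is not cut off when the window closes because of the ESTABLISHED rule above.
spa_window() {
    grant_access "$1" "$2"
    sleep "$3"
    revoke_access "$1" "$2"
}

# Usage (requires root and iptables on a real host):
#   . ./spa_policy.sh && apply_base_policy && spa_window 203.0.113.5 22 30
```

Run with IPT=echo to see the commands without touching the firewall. The 203.0.113.5 address and the 30-second window are constructed sample values; a real deployment would have fwknopd itself decide what to admit after verifying an SPA packet rather than this hand-written window function.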