Skip to content

Posts tagged ‘fwknop’

11
Oct

WebKnock.org: An fwknop SPA web-interface

Vasilis Mavroudis has launched WebKnock.org, a web-based front end to the fwknop (Single Packet Authorization) client. It does not yet seem to support the full suite of fwknop features, but the WebKnock site allows you to send basic auth packets to your fwknop server in order to open firewall ports. This can definitely come in handy if you need access to a port on your server, and don’t have the fwknop client handy on the computer, Android or iPhone (coming soon).

Note that although WebKnock uses SSL to protect the HTTP session, you are required to supply your fwknop password. If logged or intercepted, your knock details could be used to open firewall ports or even run commands on your server (depending on how you’ve configured fwknop). While WebKnock may be useful in a bind, from a purely security standpoint I don’t recommend using it regularly due to this risk. If you do use it, you should consider changing your fwknop passphrase.

I hope that WebKnock is eventually open-sourced to allow both for the code to be reviewed, and for people to host their own instance of WebKnock. It would also be nice to see more fwknop features being added, including the ability to define a username, and open multiple ports at once (eg. by entering: tcp/22 udp/53 tcp/80). The ‘Allow IP’ field should also get pre-populated with the visitor’s IP address for convenience.

Source: Cipherdyne

14
May

Fwknop in BackTrack 5 Repository

Just a quick update to say that fwknop (Single Packet Authorization tool) has made it into the BackTrack 5 repository. Although it’s not installed by default, it’s a few keystrokes away, and can be installed by typing the following into the terminal:

apt-get install fwknop-client

apt-get install fwknop-server (if you want to use the server on your BackTrack install)

Note that it’s still version 1.9.12 of the Perl implementation, as the the C++ port (v 2.0) is still in the Release Candidate stage. Those of you who have been meaning to experiment with Single Packet Authorization and have already downloaded BT5, now’s a good time to install fwknop and give it a try! When installing fwknop-server it brings up an ultra-simple config screen that allows you to set up your initial passphrase.
Read moreRead more

8
Jan

Single Packet Authorization on Android with fwknop

Users of Single Packet Authorization and fwknop can now do so on their Android phones, thanks to an app by Max Kastansas. This was achieved using the libfko library provided by fwknop.

The open source Android client can be used to send authorization packets to a server running fwknop, thus opening ports based on a predefined ruleset. The application also has the ability to launch ‘Connectbot’ and connect to SSH, if this is the port being opened. Note that at the moment the Android client only provides only the most basic options of fwknop, and lacks GPG functionality, but hopefully we can look forward to these being added in the future.

Using a phone-based client to send an authorization packet on behalf of another computer can actually improve the security somewhat, as you’re sending that packet out-of-band (OOB), making it less susceptible to interception if the computer’s network traffic is being monitored.

Now we just need an iPhone/iOS app! Come on developers.

Related: Cipherdyne (source code)

25
Nov

Pauldotcom Episode 221 – Talking Single Packet Authorization

Episode 221 of Pauldotcom Security Weekly is available for download. In it I give a tech segment about Single Packet Authorization, briefly describe how to configure your firewall and use fwknop to dynamically open ports.

The podcast is available on iTunes, and by direct download. Check out the show notes for full details. Thanks for having me on the show guys!

Here is a short video I made showing fwknop in action:

21
Nov

Talking Single Packet Authorization on Pauldotcom Security Weekly

I’ve been invited to give a technical segment on Single Packet Authorization on the Pauldotcom Security Weekly podcast ‘Thanksgiving Special’ episode on Tuesday 23rd November. I’ve been listening to PSW practically from its very beginning, and if you’re only going to listen to one weekly security podcast, it’s definitely the one I’d recommend.

I’ll be giving an introduction into Single Packet Authorization, and show you how to install fwknop to protect your system and potentially vulnerable services from attack and exploitation.

[Update] Episode 221 is out!

26
Jul

fwknop 2.0 (C implementation)

After many months of work, fwknop (the Perl Single Packet Authorization implementation) has been entirely rewritten in C. The purpose of the C redesign has been primarily to allow an even more widespread deployment of SPA to devices on which the Perl implementation may not be suitable. One example of this is the OpenWRT platform which turns many entry-level routers into more flexible and powerful network devices. This now allows border routers to perform SPA and firewall manipulation, instead of doing this at the host-level (although it can be done at both).

The core of the C implementation is the libfko library which can be used by other applications to perform fwknop-compatible SPA. The Perl and C implementations are compatible with each other and the Perl version will continue being maintained. At the moment fwknop is still in Release Candidate, and will initially only support iptables. Further versions will bring it in line with the Perl version which supports additional firewall software and features.

fwknop offers both a server-side daemon – which listens for valid authorization packets and performs pre-defined activities (such as opening a firewall port) – as well as an SPA client which is used to construct authorization packets and send them to the target server. The Perl version of fwknop runs on Linux/Unix, Mac OS X, Windows and anything else capable of running Perl. The fwknop-C implementation should run on any device capable of compiling the necessary libraries. I haven’t yet tested it on OSX, but expect it will probably compile. The server-side functionality on OSX will have to wait until ipfw (OSX’s firewall) support is ported over.

The fwknop 2.0 source as well as a package for OpenWRT are available for download here.

15
May

Mitigating SSH Vulnerabilities Using Single Packet Authorization

Note: This is a 2008 post I managed to recover from my archive of Securethoughts.net

This past week has seen a bit of activity on the SSH security front. To begin with, on Tuesday (13/05/08) Linux distributions Debian and Ubuntu announced that due to a flaw in the random number generator used to generate cryptographic keys used by OpenSSL, OpenSSH and OpenVPN, making these keys far more predictable than they should be, and can be discovered by performing a brute force attack. This is particularly true of the encryption keys used by OpenSSH. HD Moore of the Metasploit project has created a page cover these vulnerabilities, with links to tools that can be used to check for weak keys, as well as key blacklists.

Coincidentally, on Wednesday (14/05/08) a number of network administrators issued warnings of increased brute force and dictionary attacks on systems running SSH. It is believed, however, that these increased attacks are most likely unrelated to the vulnerabilities disclosed in SSH the day before.
As a result of the vulnerability disclosures, users of Ubuntu and Debian systems are not only strongly encouraged to update their software, but also delete all cryptographic keys generated between September 2006 and the 13th of May 2008, and re-generate new keys. Some Debian system administrators, whose systems make significant OpenSSH and OpenVPN, frantically trying to determine which systems are vulnerable and where new keys need to be generated.
As you can expect, due to the nature of services like SSH, it is quite a crucial service to keep secure. Doing so is potentially a complex task due to brute force/dictionary attacks, weak key attacks, and 0day exploits. This is one area in particular where Single Packet Authorization (SPA) excels.
SPA is a method for keeping a host’s firewall completely closed down until a valid authorization packet is received, which will then allow the authorized client to connect during a very short timeframe. As such, an attacker cannot even reach the SSH daemon in order to carry out the attacks mentioned above. This would give system administrators a lot more breathing room for carrying out updates, re-generating keys, etc. It essentially adds an extra layer of security, and adds to the concept of defense-in-depth which is an important part good all-round security.

A very robust implementation of SPA is the Firewall Knock Operator (fwknop), developed in Perl by Michael Rash, which includes features such as replay-protection. I’ll be posting a tutorial on setting up fwknop on OS X very soon. Aldaba, another implementation by Luis Martin Garcia, is written entirely in C, and offers similar functionality to fwknop. Finally the latest implementation that has come to my attention in the past few days is “Ramius“, written entirely in Bash by John Brendler. Although I have not tested it yet, it’s good to see new implementations using readily-available tools.

css.php