Single Packet Authorization (SPA).
fwknop stands for the "FireWall KNock OPerator", and
implements an authorization scheme called Single Packet
Authorization (SPA). This method of authorization is based
around a default-drop packet filter (fwknop supports both
iptables on Linux systems and ipfw on FreeBSD and Mac OS X
systems) and libpcap.
SPA requires only a single encrypted packet in order to
communicate various pieces of information including desired
access through an iptables policy and/or complete commands
to execute on the target system. By using iptables to
maintain a "default drop" stance, the main application of
this program is to protect services such as OpenSSH with
an additional layer of security in order to make the
exploitation of vulnerabilities (both 0-day and unpatched
code) much more difficult. With fwknop deployed, anyone
using nmap to look for sshd can't even tell that it is
listening; it makes no difference if they have a 0-day
exploit or not. The authorization server passively monitors
authorization packets via libcap and hence there is no
"server" to which to connect in the traditional sense.
Access to a protected service is only granted after a valid
encrypted and non-replayed packet is monitored from an
fwknop client (see the following network diagram; the SSH
session can only take place after the SPA packet is monitored):
PR: ports/118229
Submitted by: Sean Greven <sean.greven@gmail.com>
the vpopmail support was removed with 0.60.3 (because none felt responsible
for maintaining it in courier-authlib) - this commit adds - togehter with
this update - a patch which patches the vpopmail support back into 0.60.4
(because at least I need the interaction with vpopmail!).
seven years...
- make aesget actually work with the default keysize (initialize it!)
- do not overflow the key filename buffers while parsing command-line options
- break out common code into a single file
- make the read()/write() loops a bit more robust
- fix lots of compiler warnings
- use snprintf() instead of strcpy()/strcat()
- write mdoc manual pages for aescrypt(1) and aesget(1)
- install the binaries and the manual pages with the correct permission mode
- Move Makefile.common from server to libraries port
- Minor fixes
PR: ports/124331 ports/124335-7 ports/124371
Submitted by: Tomoyuki Sakurai <cherry@trombik.org> (maintainer)
The affected ports are the ones with gettext as a run-dependency
according to ports/INDEX-7 (5007 of them) and the ones with USE_GETTEXT
in Makefile (29 of them).
PR: ports/124340
Submitted by: edwin@
Approved by: portmgr (pav)
are hosting browser exploits that can infect visiting users with
malware. It functions as an HTTP proxy server and intercepts all
browser requests. SpyBye uses a few simple rules to determine if
embedded links on your web page are harmlesss, unknown or maybe
even dangerous.
SpyBye analyzes all downloads in the background and provides you
with a warning notification whenever it encounters content that
is potentially malicious. At that point, you can click on the link
in the notification and receive a more detailed analysis of the web page.
WWW: http://www.spybye.org/
PR: ports/123945
Submitted by: Paul Schmel <pauls utdallas.edu>
Approved by: tabthorpe (mentor)
OpenVAS stands for Open Vulnerability Assessment System and
is a network security scanner with associated tools like a
graphical user fontend. The core is a server component with
a set of network vulnerability tests (NVTs) to detect
security problems in remote systems and applications.
WWW: http://www.openvas.org/
PR: ports/123128
Submitted by: Tomoyuki Sakurai <cherry@trombik.org>
OpenVAS stands for Open Vulnerability Assessment System and
is a network security scanner with associated tools like a
graphical user fontend. The core is a server component with
a set of network vulnerability tests (NVTs) to detect
security problems in remote systems and applications.
WWW: http://www.openvas.org/
PR: ports/123130
Submitted by: Tomoyuki Sakurai <cherry@trombik.org>
OpenVAS stands for Open Vulnerability Assessment System and
is a network security scanner with associated tools like a
graphical user fontend. The core is a server component with
a set of network vulnerability tests (NVTs) to detect
security problems in remote systems and applications.
WWW: http://www.openvas.org/
PR: ports/123127
Submitted by: Tomoyuki Sakurai <cherry@trombik.org>
OpenVAS stands for Open Vulnerability Assessment System and
is a network security scanner with associated tools like a
graphical user fontend. The core is a server component with
a set of network vulnerability tests (NVTs) to detect
security problems in remote systems and applications.
WWW: http://www.openvas.org/
PR: ports/123129
Submitted by: Tomoyuki Sakurai <cherry@trombik.org>
OpenVAS stands for Open Vulnerability Assessment System and
is a network security scanner with associated tools like a
graphical user fontend. The core is a server component with
a set of network vulnerability tests (NVTs) to detect
security problems in remote systems and applications.
WWW: http://www.openvas.org/
PR: ports/123131
Submitted by: Tomoyuki Sakurai <cherry@trombik.org>
-current archs). This has been broken for over 3 months.
configure incorrectly assumes that since FreeBSD has sqrtl,
that it also has other long math functions. Also, configure
seems to have 2 separate checks for the long math functions:
the first check looks for both asinl and sqrtl, the second
check looks for just sqrtl. FreeBSD does not currently have
asinl, so if configure just went by the first check it would
correctly determine that we do not have all the long math
functions. Remove the second check to fix the problem.
No response from: kde@
