mirror of
https://git.FreeBSD.org/ports.git
synced 2024-12-14 03:10:47 +00:00
be29a34732
Single Packet Authorization (SPA). fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter (fwknop supports both iptables on Linux systems and ipfw on FreeBSD and Mac OS X systems) and libpcap. SPA requires only a single encrypted packet in order to communicate various pieces of information including desired access through an iptables policy and/or complete commands to execute on the target system. By using iptables to maintain a "default drop" stance, the main application of this program is to protect services such as OpenSSH with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more difficult. With fwknop deployed, anyone using nmap to look for sshd can't even tell that it is listening; it makes no difference if they have a 0-day exploit or not. The authorization server passively monitors authorization packets via libcap and hence there is no "server" to which to connect in the traditional sense. Access to a protected service is only granted after a valid encrypted and non-replayed packet is monitored from an fwknop client (see the following network diagram; the SSH session can only take place after the SPA packet is monitored): PR: ports/118229 Submitted by: Sean Greven <sean.greven@gmail.com>
66 lines
2.1 KiB
Groff
66 lines
2.1 KiB
Groff
--- fwknop.8.orig 2007-11-21 20:59:13.000000000 +0200
|
|
+++ fwknop.8 2007-11-21 21:01:07.000000000 +0200
|
|
@@ -43,7 +43,7 @@
|
|
or via GnuPG and associated asymmetric ciphers. If the symmetric encryption
|
|
method is chosen, then the encryption key is shared between between the
|
|
client and server (see the
|
|
-.I /etc/fwknop/access.conf
|
|
+.I %%PREFIX%%/etc/fwknop/access.conf
|
|
file). If the GnuPG
|
|
method is chosen, then the encryption keys are derived from GnuPG key
|
|
rings. SPA packets generated by fwknop running as a client adhere
|
|
@@ -76,7 +76,7 @@
|
|
this can be tuned via the
|
|
.B ALERTING_METHODS
|
|
variable in the
|
|
-.I /etc/fwknop/fwknop.conf
|
|
+.I %%PREFIX%%/etc/fwknop/fwknop.conf
|
|
file). By default, the
|
|
.B fwknop
|
|
client sends authorization packets over UDP
|
|
@@ -310,7 +310,7 @@
|
|
.B REQUIRE_USERNAME
|
|
keyword that might
|
|
be specified in
|
|
-.I /etc/fwknop/access.conf.
|
|
+.I %%PREFIX%%/etc/fwknop/access.conf.
|
|
.TP
|
|
.BR \-\^\-Spoof-user\ \<user>
|
|
Specify the username that is included within SPA packet. This allows
|
|
@@ -352,7 +352,7 @@
|
|
and have it execute the command). This option is not needed when trying to
|
|
gain access to a service via the SPA mechanism. To use this feature, please
|
|
ensure that ENABLE_CMD_EXEC; is set in the file
|
|
-.I /etc/fwknop/access.conf
|
|
+.I %%PREFIX%%/etc/fwknop/access.conf
|
|
on the
|
|
.B fwknopd
|
|
server you are sending the command to.
|
|
@@ -363,7 +363,7 @@
|
|
server, which will execute the command as root. Command execution is enabled only
|
|
if the
|
|
.B ENABLE_CMD_EXEC keyword is given in
|
|
-.I /etc/fwknop/access.conf
|
|
+.I %%PREFIX%%/etc/fwknop/access.conf
|
|
(note that commands can easily be restricted with the
|
|
.B CMD_REGEX
|
|
keyword as well).
|
|
@@ -502,7 +502,7 @@
|
|
.RS
|
|
.B NOTE:
|
|
Please ensure that ENABLE_CMD_EXEC; is set in the file
|
|
-.I /etc/fwknop/access.conf
|
|
+.I %%PREFIX%%/etc/fwknop/access.conf
|
|
on the
|
|
.B fwknopd
|
|
server you are attempting to connect to.
|
|
@@ -563,7 +563,7 @@
|
|
will read the sequence out of the file
|
|
.B ~/.fwknoprc
|
|
and the server will read the sequence out of
|
|
-.B /etc/fwknop/access.conf:
|
|
+.B %%PREFIX%%/etc/fwknop/access.conf:
|
|
.PP
|
|
.B $ fwknop --Server-mode 'knock' -D 10.11.11.123
|
|
.RE
|