Jump to content

Fwknopd - Single Packet Authorization


Recommended Posts

Website: http://cipherdyne.org/fwknop

From the FAQ:

fwknop implements an authorization scheme known as Single Packet Authorization (SPA) that requires only a single encrypted packet to communicate various pieces of information including desired access through a Netfilter policy and/or specific commands to execute on the target system. The main application of this program is to protect services such as SSH with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more difficult. The authorization server passively monitors authorization packets via libpcap and hence there is no "server" to which to connect in the traditional sense. Any service protected by fwknop is inaccessible (by using Netfilter to intercept packets within the Linux kernel) before authenticating; anyone scanning for the service will not be able to detect that it is even listening. This authorization scheme offers many advantages over port knocking, include being non-replayable, much more data can be communicated, and the scheme cannot be broken by simply connecting to extraneous ports on the server in an effort to break knock sequences. The authorization packets can easily be spoofed as well, and this makes it possible to make it appear as though, say, www.yahoo.com is trying to authenticate to a target system but in reality the actual connection will come from a seemingly unrelated IP. Although the default data collection method is to use libpcap to sniff packets off the wire, fwknop can also read packets out of a file that is written by the Netfilter ulogd pcap writer.

One more thing. You don't allow any service in iptables like ssh, ...

fwknopd inserts the appropriate iptables rules when you send the SPA to it with the port you want to allow, temporarily, for you to connect.

Edited by prometheus
Link to comment
Share on other sites

I've been using fwknop for about 4 years now (shortly after it switched from port-knocking to SPA) and it works very well. I run it on all of my systems except for one, which is intentionally accessible to the public. I always strongly recommend it to my clients.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...