Single Packet Authorization
September 24, 2008
Single Packet Authorization using FWKNOP
Port knocking
Security is always an issue, and you can never be too careful. If you're a security nut such as myself, port knocking, and the more effective Single Packet Authorization methods, are invaluable.
Port knocking is a method by which you can keep services running on your machine hidden from the outside world, and is another layer of authentication for a malicious user such as myself to get through. (boy am I gonna regret this)
If you're wondering why I am posting this, the reason is that I want a challenge.
Upon a port scan of a computer running a port knocking daemon, all ports will be shown as closed. All attempted connections to the machine will thus be refused.
The port knocking daemon listens for a pre-configured set of "knocks".
If a user wishes to connect to, for example, SSHD on the machine, it must first request access to port 22. It does this by sending a SYN to each of the ports in the pre-configured list on the server. The port knocking daemon recognizes the signal and opens port 22 for a specified amount of time, set in a config file (30 seconds by default). The port stays open for those 30 seconds, allowing the user to connect through. When the 30 seconds are over, and hopefully the user has authenticated on SSHD, port 22 is closed to external connections without dropping the user's session. This also lets you access a terminal "under cover".
The developers of this system decided that it still was not secure enough, as an attacker logging connections to the server could detect the port knocking sequence and get access anyway, so they developed a wonderful package called fwknop, which uses a slightly different method of port knocking, called Single Packet Authorization, or SPA.
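To make the timing behaviour concrete, here is a small model of the daemon side written for this article (it is an added example, not fwknop's code): a knock-sequence tracker that opens the protected port per source address for a fixed window and resets on any stray port. The knock ports, the 5-second gap between knocks and the helper names are assumptions; the 30-second open window is the default mentioned above.

```python
import time

# Constructed parameters for this example (assumptions; the 30-second window is the
# default mentioned in the article, the knock ports themselves are made up):
KNOCK_SEQUENCE = (7000, 8000, 9000)   # ports that must receive a SYN, in this order
KNOCK_TIMEOUT = 5.0                   # max seconds between two consecutive knocks
OPEN_SECONDS = 30.0                   # how long the protected port stays open afterwards
PROTECTED_PORT = 22


class KnockDaemon:
    """Tracks each source's progress through the knock sequence and grants timed access.

    Every observed SYN is fed to observe_syn(); a completed sequence opens the
    protected port for that source only, and only for OPEN_SECONDS.
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, knock_timeout=KNOCK_TIMEOUT,
                 open_seconds=OPEN_SECONDS):
        self.sequence = tuple(sequence)
        self.knock_timeout = knock_timeout
        self.open_seconds = open_seconds
        self.progress = {}   # src_ip -> (index of next expected knock, time of last knock)
        self.opened = {}     # src_ip -> time at which the open window expires

    def observe_syn(self, src_ip, dst_port, now):
        """Record one SYN from src_ip to dst_port. Returns True if it completes the sequence."""
        idx, last = self.progress.get(src_ip, (0, now))
        if idx > 0 and now - last > self.knock_timeout:
            idx = 0                                 # too slow: the partial sequence expires
        if dst_port == self.sequence[idx]:
            idx += 1                                # correct next knock
        elif dst_port == self.sequence[0]:
            idx = 1                                 # wrong knock, but it restarts the sequence
        else:
            idx = 0                                 # any other port resets progress
        if idx == len(self.sequence):
            self.opened[src_ip] = now + self.open_seconds
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = (idx, now)
        return False

    def is_open_for(self, src_ip, now):
        """Would a new connection from src_ip to PROTECTED_PORT be accepted right now?"""
        expiry = self.opened.get(src_ip)
        if expiry is None:
            return False
        if now >= expiry:
            # Window closed. Sessions already established are kept alive by the
            # firewall's ESTABLISHED,RELATED rule, not by this daemon.
            del self.opened[src_ip]
            return False
        return True


if __name__ == "__main__":
    daemon = KnockDaemon()
    t0 = time.time()
    # A legitimate client knocks in order, one second apart.
    for offset, port in enumerate(KNOCK_SEQUENCE):
        done = daemon.observe_syn("192.168.1.101", port, t0 + offset)
    print("sequence complete:", done, "-> port open:", daemon.is_open_for("192.168.1.101", t0 + 3))
    # A sequential scan touches the knock ports with many other ports in between,
    # so progress keeps resetting and the scanner gains nothing.
    for port in range(7000, 9001):
        daemon.observe_syn("10.0.0.9", port, t0 + 10)
    print("scanner port open:", daemon.is_open_for("10.0.0.9", t0 + 10))
```

Note that the daemon only decides when to insert and remove the ACCEPT rule; it is the firewall's state tracking (see the ESTABLISHED,RELATED rules in the script further down) that keeps an already authenticated SSH session alive after the window closes.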
Instead of a bunch of knocks, it uses an encrypted passphrase, coupled with an IP address. This system requires both server and client applications, however the client application is tiny.
The client app generates a small, heavily encrypted packet (MD5 hashing) containing information such as the originating IP address and the passphrase.
When sniffed, it appears as the following raw packet data (a single line):
+CqkFkQUcR/9N5pdkpid6bZPnMJ60l49WOXm4/cDEDkL8xyC5nnPdmMZYCrTXkTyxWO1IsvrW6wWdyIhrOhFhOz0kEknCuHl2Iiz4rs0ZOUG4etcPczuspp1FumPXbtdmnM7KmEAbTyFuGvYCWFMwZfoXjlhI0E75q3Yl2GAi974kfJi2hbI3L
Upon receiving this packet, the daemon opens up the specified port, allowing connections only from the IP address named in the encrypted packet, which is much more secure.
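The reason a sniffed SPA packet is useless to whoever captured it is that every message carries random data and a timestamp and is bound to a key, so the server can reject anything stale, tampered with, or seen before. The following is an added example written for this article, not fwknop's own code or wire format: the real client also encrypts the message, whereas this model only authenticates it with HMAC-SHA256 and shows the server-side checks. The field names, the 120-second freshness window and the JSON layout are assumptions.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed parameters (assumptions for this example, not fwknop's values):
REPLAY_WINDOW = 120                         # seconds; older or newer messages are rejected
DIGEST_LEN = hashlib.sha256().digest_size   # 32 bytes appended to every message


def build_spa_message(key, allow_ip, access, now=None):
    """Client side: bundle a random nonce, a timestamp and the requested access
    into one message and authenticate it with HMAC-SHA256 under the shared key."""
    fields = {
        "random": base64.b64encode(os.urandom(16)).decode(),   # makes every message unique
        "timestamp": int(time.time() if now is None else now),
        "allow_ip": allow_ip,   # source the server should open the port for
        "access": access,       # e.g. "tcp/22"
    }
    body = json.dumps(fields, sort_keys=True).encode()
    digest = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + digest)   # one opaque blob on the wire


class SpaServer:
    """Server side: accept a message only if it is authentic, fresh and never seen before."""

    def __init__(self, key):
        self.key = key
        self.seen = {}   # digest -> time until which a repeat must be treated as a replay

    def verify(self, packet, now):
        """Returns (accepted, reason). On success the reason names the access to grant."""
        try:
            raw = base64.b64decode(packet, validate=True)
        except ValueError:
            return False, "malformed"
        if len(raw) <= DIGEST_LEN:
            return False, "malformed"
        body, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(digest, expected):
            return False, "bad key or tampered message"   # checked before any parsing
        fields = json.loads(body)
        if abs(now - fields["timestamp"]) > REPLAY_WINDOW:
            return False, "stale timestamp"
        # Forget digests that could no longer pass the timestamp check anyway.
        self.seen = {d: until for d, until in self.seen.items() if until >= now}
        if digest in self.seen:
            return False, "replay"    # a sniffed copy of a valid message is useless
        self.seen[digest] = fields["timestamp"] + REPLAY_WINDOW
        return True, "allow %s to %s" % (fields["allow_ip"], fields["access"])


if __name__ == "__main__":
    key = b"constructed-shared-passphrase"
    server = SpaServer(key)
    packet = build_spa_message(key, "192.168.1.101", "tcp/22")
    print("first delivery:", server.verify(packet, time.time()))
    print("replayed copy: ", server.verify(packet, time.time()))
```

The order of the checks matters: the HMAC is verified before the body is parsed, so an unauthenticated sender never reaches the JSON decoder, and the replay cache only needs to remember digests for as long as the timestamp window would still accept them.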
Installation.
First install all dependencies:
sudo aptitude install build-essential linux-headers-$(uname -r) libpcap-dev nmap
Then download and install the additional Perl dependencies for FWKNOP:
cd ~
mkdir Source
cd Source
mkdir fwknop
cd fwknop
wget http://search.cpan.org/CPAN/authors/id/S/SA/SAPER/Net-Pcap-0.16.tar.gz
tar zxvf Net-Pcap-0.16.tar.gz
cd Net-Pcap-0.16
perl ./Makefile.PL
make
sudo make install
**NOTE** You will receive an error message in the terminal about the CPAN method failing for Net::Pcap; don't fret, it's no problem.
Then download and install fwknop itself:
cd ~
cd Source/fwknop
wget http://www.cipherdyne.org/fwknop/download/fwknop-1.9.3.tar.bz2
tar -jxvf fwknop-1.9.3.tar.bz2
cd fwknop-1.9.3
sudo ./install.pl
During the install please select the Pcap option upon request. (solving your error)
The application comes with a Perl script to test your installation. It expects an MTA to be available at /bin/mail.
If you do not have one, you will get tons of errors. (believe me, I went cashews and almost shat myself) So, in order to replace it with echos:
sudo ln -s /bin/echo /bin/mail
Now we can run the installation test without all the errors ... hopefully:
cd ~/Source/fwknop/fwknop-1.9.3/test
sudo perl fwknop_test.pl
If you get errors, don't worry so much; I have it working on my server with 4 errors during the actual test.
After you have checked your install, you will need to configure it.
There are two config files:
sudo su
cd /etc/fwknop
gksu gedit (examples: gksu gedit fwknop.conf, gksu gedit access.conf)
exit
Things I changed to get a working server were:
- fwknop.conf
  - changed ALERTING_METHODS to noemail (because I have no Mail Transfer Agent running at this moment)
  - changed ShCmd from /bin/sh to /bin/bash (because bourne knows best)
- access.conf
  - fairly straightforward to edit: stick your passphrase in it, the defaults for all the rest are quite sensible.
To start fwknop on the server side, here is a nice script that I posted earlier with more details (also reproduced below), with a brilliant iptables config:
#!/bin/bash
# Simple script for starting and
# stopping FWKNOP, a little better.

start()
{
    # Save current firewall rules
    iptables-save -c > /etc/iptables-save
    # Flush existing rules (filter table)
    iptables -F
    # Keep existing connections open.
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Drop everything else that does not arrive on loopback
    /sbin/iptables -A INPUT ! -i lo -j DROP
    # Start fwknop
    /etc/init.d/fwknop start
    # Disable SSH connections
    /sbin/iptables -A INPUT -p tcp --dport ssh -j DROP
}

stop()
{
    # Stop FWKNOP
    /etc/init.d/fwknop stop
    # Flush firewall rules
    iptables -F
    # Restore firewall rules
    iptables-restore -c < /etc/iptables-save
}

install()
{
    # Running this option installs this script
    # to init.d and rc.d while removing fwknop
    # from those places.
    # Basically, this script becomes the control
    # operator, instead of the fwknop init script.
    # Remove fwknop from rc.d
    update-rc.d -f fwknop remove
    echo 'FWKNOP removed from rc.d...'
    # Copy THIS script (which is not
    # in init.d) to init.d
    cp "$0" /etc/init.d/portknock
    echo "$0 copied to init.d..."
    # Add portknock to rc.d
    update-rc.d portknock defaults 99
    echo 'portknock successfully added to rc.d...'
    echo ''
    echo 'Installation complete.'
}

remove()
{
    # Running this option will
    # remove 'portknock' from
    # init.d and rc.d. fwknop will
    # then be re-added back to rc.d.
    # Remove portknock from rc.d
    update-rc.d -f portknock remove
    echo 'portknock removed from rc.d...'
    # Remove portknock from init.d
    rm /etc/init.d/portknock
    echo 'portknock removed from init.d...'
    # Restore fwknop to rc.d
    update-rc.d fwknop defaults 99
    echo 'fwknop restored to rc.d...'
    echo ''
    echo 'portknock removed successfully.'
}

case "$1" in
    start|restart)
        stop
        start
        ;;
    stop)
        stop
        ;;
    install)
        install
        ;;
    remove)
        remove
        ;;
    *)
        echo "usage: $0 start|stop|restart|install|remove"
        ;;
esac
exit 0
In order to connect to a server and open the port for connection, install the client using the method above, only during install.pl choose client rather than server.
Then, using the client:
fwknop -A <protocol/port> -a <allowed source IP> -D <server IP>
This should result in:
$ fwknop -A tcp/22 -a 192.168.1.101 -D 192.168.1.102
[+] Starting fwknop client (SPA mode)...
[+] Enter an encryption key. This key must match a key in the file
/etc/fwknop/access.conf on the remote system.
Encryption Key:
[+] Building encrypted Single Packet Authorization (SPA) message...
[+] Packet fields:
Random .. 5817642240590499
Username:
Timestamp: 1212123357
Version: 1.9.4-pre3
Type: 1 (access mode)
Access: 192.168.1.101,tcp/22
SHA256 digest: NvUBz8l+T76KPqOSwvLMJO1n6sNjTLjuScSz6IIp5m8
[+] Sending 182 byte message to 192.168.1.102 over udp/62201...
The port will open, and allow you to connect on the port you requested.