Page 2 of 4 (results 11 to 20 of 40)

Thread: How To: Install a Port Knocker - FWKNOP

  1. #11
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,554
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How To: Install a Port Knocker - FWKNOP

    Dr. Small

    You are about 1 day behind me, because I just discovered that problem and solution yesterday.

Here is the solution:

Although the fwknop daemon modifies the iptables, it does it through some secondary process that doesn't conflict with any rules in place prior to running the program. The way I wrote the tutorial, I basically flushed and deleted the current ruleset, although in a working environment you would probably just want to keep your existing ruleset and avoid this step. Basically, if you have your iptables set up the way you want (through Firestarter, by hand, whatever method) you can continue using these rules EXCEPT you would probably want to change port 22 (or whatever port you are using with fwknop) to a default DROP stance.

    You also want to include the following within the iptables ruleset:

Code:
sudo /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/iptables -A INPUT -i ! lo -j DROP
sudo /sbin/iptables -A FORWARD -i ! lo -j DROP
These lines, for example, would keep existing connections (or forwarded connections) open when the ssh rule changes from ACCEPT to DROP after 30 seconds (or whatever you have specified). That way the ssh connection will be maintained.

If you want I can extend the tutorial to work with GPG keys. I didn't include this originally because I didn't know what kind of response I was going to get. It's fairly easy to do, however, if you have worked with GnuPG before.

Also, if you could either post or upload your changes, or write up the changes you made to make this work on Arch, it would be great (or just submit them to the author directly).

    Thanks, hopefully that clarifies things.

  2. #12
    Join Date
    Nov 2006
    Location
    40.31996,-80.607213
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How To: Install a Port Knocker - FWKNOP

Thanks kevdog. You truly are a help. One thing I should note, though, is that if you run:
    Code:
    /sbin/iptables -A INPUT -i ! lo -j DROP
    It blocks all pings, and then nmap can't function properly, because it can't ping the host. Then you can't tell if the port is being filtered or not.

But I wrote a simple little script which automates the process a little bit better after you have FWKNOP installed; it is basically just juggling the firewall rules around and starting / stopping the FWKNOP daemon.
    Script Updated.
Code:
#!/bin/bash
# Simple script for starting and
# stopping FWKNOP, a little better.


start()
	{
# Save current firewall rules (with counters)
iptables-save -c > /etc/iptables-save

# Flush existing rules
/sbin/iptables -F

# Keep existing connections open.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#/sbin/iptables -A INPUT -i ! lo -j DROP

# Start fwknop
/etc/init.d/fwknop start

# Disable SSH connections (fwknopd opens the port per valid knock)
/sbin/iptables -A INPUT -p tcp --dport ssh -j DROP
	}

stop()
	{
# Stop FWKNOP
/etc/init.d/fwknop stop

# Flush firewall rules
/sbin/iptables -F

# Restore the firewall rules saved by start()
iptables-restore -c < /etc/iptables-save
	}

install()
	{
# Running this option installs this script
# to init.d and rc.d while removing fwknop
# from those places.
# Basically, this script would be the control
# operator, instead of the fwknop init script.

# Remove fwknop from rc.d
update-rc.d -f fwknop remove
echo 'FWKNOP removed from rc.d...'

# Copy THIS script (which is not
# in init.d) to init.d
cp "$0" /etc/init.d/portknock
echo "$0 copied to init.d..."

# Add portknock to rc.d
update-rc.d portknock defaults 99
echo 'portknock successfully added to rc.d...'
echo ''
echo 'Installation complete.'
	}

remove()
	{
# Running this option will
# remove 'portknock' from
# init.d and rc.d. fwknop will
# then be re-added back to rc.d.

# Remove portknock from rc.d
update-rc.d -f portknock remove
echo 'portknock removed from rc.d...'

# Remove portknock from init.d
rm /etc/init.d/portknock
echo 'portknock removed from init.d...'

# Restore fwknop to rc.d
update-rc.d fwknop defaults 99
echo 'fwknop restored to rc.d...'
echo ''
echo 'portknock removed successfully.'
	}

case "$1" in

 start|restart)
   stop
   start
   ;;
 stop)
   stop
   ;;
 install)
   install
   ;;
 remove)
   remove
   ;;
 *)
   echo "usage: $0 start|stop|restart|install|remove"
   exit 1
   ;;

esac
exit 0

As for getting FWKNOP installed on Arch, it was basically the same as it is for Debian based systems. I just merely ended up compiling it all from source. Worked much faster. I trashed my PKGBUILD file since it wasn't turning out correctly. The same instructions you supplied can be used for installing on Arch.

I'll be experimenting more with FWKNOP in the very near future for using GPG keys with it. It doesn't look like it will be that hard.

    Dr Small
    Last edited by Dr Small; June 1st, 2008 at 07:01 PM.
    "Security lies within the user of who runs the system. Think smart, live safe." - Dr Small
    Linux User #441960 | Wiki: DrSmall

  3. #13
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,554
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How To: Install a Port Knocker - FWKNOP

If you want to allow ping requests (which are useful of course) I think you can do the following (untested as of yet):

Code:
sudo /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
sudo /sbin/iptables -A INPUT -i ! lo -j DROP
sudo /sbin/iptables -A FORWARD -i ! lo -j DROP

    I'll try this setup. Since the ping rule is listed prior to the drop rule for everything else, I think rules listed first in the iptables have priority. This I will have to check.

That script of yours is awesome -- I prefer scripts myself, but never know how they go over in a general tutorial. Downloading, saving the script, making it executable, and then running the script always seems like such a chore for beginners. But your script really automates a bunch of things, which saves a lot of time.
    Last edited by kevdog; June 2nd, 2008 at 12:03 AM.

  4. #14
    Join Date
    Nov 2006
    Location
    40.31996,-80.607213
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How To: Install a Port Knocker - FWKNOP

I am not able to get the GPG part of it to work. My current configuration looks like this:
    Code:
    ### default Single Packet Authorization (SPA) via libpcap:
    SOURCE: ANY;
    OPEN_PORTS: tcp/22;   ### for ssh (change for access to other services)
    #KEY: 12345678;
    FW_ACCESS_TIMEOUT: 30;
    ### if you want to use GnuPG keys (recommended) then define the following
    ### variables
    GPG_HOME_DIR: /root/.gnupg;
    GPG_DECRYPT_ID: 7B0FE328;
    GPG_DECRYPT_PW: MYPASS;
    GPG_REMOTE_ID: 26FD8AF9;
    7B0FE328 = Server's GPG Key (also has private key).
    26FD8AF9 = My GPG Key (has my private key on it too).

The server key has signed my key, and my key has signed the server's key. All of this is on root's gpg keyring, /root/.gnupg.

    Now at the client side, after I start FWKNOP, I run:
    Code:
    sudo fwknop -A tcp/22 --gpg-recip 7B0FE328 --gpg-sign 26FD8AF9 -s -k 192.168.0.70
    And I get:
    Code:
    [+] Starting fwknop client (SPA mode)...
    Can't locate Class/MethodMaker.pm in @INC (@INC contains: /usr/lib/fwknop/i686-linux-thread-multi /usr/lib/fwknop /usr/lib/perl5/site_perl/5.10.0 /usr/share/perl5/site_perl/5.10.0 /usr/lib/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib/perl5/core_perl /usr/share/perl5/core_perl /usr/lib/perl5/current /usr/lib/perl5/site_perl/current .) at /usr/lib/fwknop/GnuPG/Options.pm line 59.
    BEGIN failed--compilation aborted at /usr/lib/fwknop/GnuPG/Options.pm line 59.
    Compilation failed in require at /usr/lib/fwknop/GnuPG/Interface.pm line 28.
    BEGIN failed--compilation aborted at /usr/lib/fwknop/GnuPG/Interface.pm line 28.
    Compilation failed in require at /usr/bin/fwknop line 1117.
    I even found this guide at Ubuntu Wiki which I followed, but I don't get the same output as they do:
    https://help.ubuntu.com/community/Si...tAuthorization

    Any idea where I messed up?
    Dr Small
    "Security lies within the user of who runs the system. Think smart, live safe." - Dr Small
    Linux User #441960 | Wiki: DrSmall

  5. #15
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,554
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How To: Install a Port Knocker - FWKNOP

I'll look at this tonight when I get home -- I had gpg working with fwknop version 1.9.3. Over the weekend 1.9.4 was released and I haven't tried the gpg feature in 1.9.4 yet. What version of fwknop are you running on client and server? I believe Arch is your server and Ubuntu is your client?

If you don't have 1.9.4 installed, try installing this so we are working with the same version. It has some really neat features with NAT redirection that will randomly assign you an ssh port. You ssh into the random port:
Code:
ssh -p <random_number_assigned> user@server

With iptables, the random_port_number is redirected to port 22 (its own NAT redirection). I thought this feature was worth mentioning.

  6. #16
    Join Date
    Nov 2006
    Location
    40.31996,-80.607213
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How To: Install a Port Knocker - FWKNOP

    I am running Version 1.9.3 for both client and server, currently. But I'll change that so we both are in the same boat.

    ArchLinux is my desktop, and Ubuntu is running my Server.
    Arch runs the client (and is 192.168.0.16).
    Ubuntu is the server (and is 192.168.0.70).

Both are behind a router with several other systems on the network. That will give you an idea of how things look behind the router.

Edit: Ahoy matey! I be in da same boat as ye now.
    And by the way, it is still giving me the same errors. I must be doing something wrong :S

    Dr Small
    Last edited by Dr Small; June 4th, 2008 at 01:57 AM.
    "Security lies within the user of who runs the system. Think smart, live safe." - Dr Small
    Linux User #441960 | Wiki: DrSmall

  7. #17
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,554
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How To: Install a Port Knocker - FWKNOP

    I'm sure I will be of no help, since everything works for me.

    But a few suggestions.

Just to let you know my setup, since it differs from yours:
    Client (Cygwin) = Windows
    Server (Ubuntu)
    All version 1.9.4

Both are behind a NAT router with 2 other computers on the LAN. I haven't actually tried to connect from an external IP address. I'm using local IPs on all my attempted connections (the port knocker program is still in a beta phase for me).

I'd just double check $ gpg --list-keys on both server and client and make sure the keys are installed (which I'm sure they are). Here is my output:

    Client:
    Code:
    $ gpg --list-keys
    gpg: WARNING: This version has been built with support for the Camellia cipher.
    gpg:          It is for testing only and is NOT for production use!
    gpg: WARNING: using insecure memory!
    gpg: please see http://www.gnupg.org/faq.html for more information
    /home/klal/.gnupg/pubring.gpg
    -----------------------------
    pub   4096R/7EBCE6DE 2007-11-14
    uid                  KevDog (Kevdog) <email@gmail.com>
    uid                  [jpeg image of size 3122]
    sub   4096R/E4193E1A 2008-02-15
    
    pub   2048R/3A3A2A81 2008-05-27
    uid                  fwknopd (fwknop server key) <fwknopd@localhost>
    sub   2048R/81C0D5C6 2008-05-27
    Server:
    Code:
    root@sudarshan:/etc/fwknop# gpg --list-keys
    gpg: WARNING: This version has been built with support for the Camellia cipher.
    gpg:          It is for testing only and is NOT for production use!
    /root/.gnupg/pubring.gpg
    ------------------------
    pub   2048R/3A3A2A81 2008-05-27
    uid                  fwknopd (fwknop server key) <fwknopd@localhost>
    sub   2048R/81C0D5C6 2008-05-27
    
    pub   4096R/7EBCE6DE 2007-11-14
    uid                  Kevdog (Kevdog) <email@gmail.com>
    uid                  [jpeg image of size 3122]
    sub   4096R/E4193E1A 2008-02-15
    My access.conf file (similar to yours on server -- relevant section)
    Code:
    ### default Single Packet Authorization (SPA) via libpcap:
    SOURCE: ANY;
    OPEN_PORTS: tcp/22;   ### for ssh (change for access to other services)
    #KEY: <key>;
    DATA_COLLECT_MODE: PCAP;
    GPG_REMOTE_ID: 7EBCE6DE;
    GPG_DECRYPT_ID: 3A3A2A81;
    GPG_DECRYPT_PW: <password>;
    GPG_HOME_DIR: /root/.gnupg;
    FW_ACCESS_TIMEOUT: 30;
My command line that connected from client to server (notice this is different from yours):

    Code:
    $ fwknop -A tcp/22 --gpg-recip 3A3A2A81 --gpg-sign 7EBCE6DE -s -D 192.168.1.105
    
    [+] Starting fwknop client (SPA mode)...
    [+] Enter the GnuPG password for signing key: 7EBCE6DE
    
    GnuPG signing password:
    
    [+] Building encrypted Single Packet Authorization (SPA) message...
    [+] Packet fields:
    
            Random data:    2659950876413823
            Username:       klal
            Timestamp:      1212585655
            Version:        1.9.4
            Type:           1 (access mode)
            Access:         0.0.0.0,tcp/22
            SHA256 digest:  l6S1cxMko5vmvc8+GQ0Ufm4nXZBTtrDqGEto94kSip8
    
    [+] Sending 1340 byte message to 192.168.1.105 over udp/62201...
    And resultant log on server:
    Code:
    Jun  4 08:21:03 sudarshan fwknopd: received valid GnuPG encrypted packet (signed with required key ID: "7EBCE6DE") from: 192.168.1.103, remote user: klal, client version: 1.9.4 (SOURCE line num: 115)
    Jun  4 08:21:03 sudarshan fwknopd: add FWKNOP_INPUT 192.168.1.103 -> 0.0.0.0/0(tcp/22) ACCEPT rule 30 sec
    Jun  4 08:21:34 sudarshan fwknop(knoptm): removed iptables FWKNOP_INPUT ACCEPT rule for 192.168.1.103 -> 0.0.0.0/0(tcp/22), 30 sec timeout exceeded
Testing, to see if the port was actually opened:
Client, before fwknop invocation:
    Code:
    $ nmap -p 22 192.168.1.105
    
    Starting Nmap 4.62 ( http://nmap.org ) at 2008-06-04 08:37 Central Daylight Time
    
    Interesting ports on 192.168.1.105:
    PORT   STATE    SERVICE
    22/tcp filtered ssh
    MAC Address: 00:40:96:AF:E3:0C (Cisco Systems)
    
    Nmap done: 1 IP address (1 host up) scanned in 0.692 seconds
    After invocation:
    Code:
    $ nmap -p 22 192.168.1.105
    
    Starting Nmap 4.62 ( http://nmap.org ) at 2008-06-04 08:38 Central Daylight Time
    
    Interesting ports on 192.168.1.105:
    PORT   STATE SERVICE
    22/tcp open  ssh
    MAC Address: 00:40:96:AF:E3:0C (Cisco Systems)
    
    Nmap done: 1 IP address (1 host up) scanned in 0.444 seconds
    Probably not helpful except my command line invocation was different.
    Last edited by kevdog; June 4th, 2008 at 02:38 PM.
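The server log above shows the full life of one SPA-opened rule: an "add ... ACCEPT rule 30 sec" line, then knoptm's "removed ..." line about 30 seconds later. Here is an added example (not part of the post or of fwknop) that pairs those two lines per source, confirms each rule was torn down within FW_ACCESS_TIMEOUT plus a little slack, and lists any rule never seen closing. The sample lines are constructed in the same shape as the log quoted above; the regexes assume that shape.

```python
import re
from datetime import datetime

# Constructed sample, shaped like the fwknopd / knoptm syslog lines quoted above.
# The second 'add' has no matching 'removed' line, so it should be reported as still open.
SAMPLE_LOG = """\
Jun  4 08:21:03 sudarshan fwknopd: received valid GnuPG encrypted packet (signed with required key ID: "7EBCE6DE") from: 192.168.1.103, remote user: klal, client version: 1.9.4 (SOURCE line num: 115)
Jun  4 08:21:03 sudarshan fwknopd: add FWKNOP_INPUT 192.168.1.103 -> 0.0.0.0/0(tcp/22) ACCEPT rule 30 sec
Jun  4 08:21:34 sudarshan fwknop(knoptm): removed iptables FWKNOP_INPUT ACCEPT rule for 192.168.1.103 -> 0.0.0.0/0(tcp/22), 30 sec timeout exceeded
Jun  4 09:02:10 sudarshan fwknopd: add FWKNOP_INPUT 192.168.1.50 -> 0.0.0.0/0(tcp/22) ACCEPT rule 30 sec
"""

STAMP = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
ADD_RE = re.compile(STAMP + r"fwknopd: add FWKNOP_INPUT (\S+) -> (\S+) ACCEPT rule (\d+) sec")
REM_RE = re.compile(STAMP + r"fwknop\(knoptm\): removed iptables FWKNOP_INPUT ACCEPT rule for "
                    r"(\S+) -> (\S+), (\d+) sec timeout exceeded")


def _stamp(text):
    # syslog stamps carry no year; that is fine for measuring gaps inside one excerpt
    return datetime.strptime(re.sub(r"\s+", " ", text), "%b %d %H:%M:%S")


def audit_access_rules(log_text, expected_timeout=30, slack=5):
    """Pair every 'add' with its 'removed' line.

    Returns (closed, still_open): closed holds (source, elapsed_seconds, ok) where ok
    means the rule used the expected FW_ACCESS_TIMEOUT and was torn down no later than
    timeout + slack seconds (knoptm sweeps periodically, hence the slack); still_open
    lists sources whose ACCEPT rule was never seen being removed in the excerpt.
    """
    pending = {}          # (source, destination) -> (added_at, timeout)
    closed = []
    for line in log_text.splitlines():
        m = ADD_RE.match(line)
        if m:
            pending[(m.group(2), m.group(3))] = (_stamp(m.group(1)), int(m.group(4)))
            continue
        m = REM_RE.match(line)
        if not m:
            continue                         # other fwknopd chatter, e.g. the 'received valid' line
        key = (m.group(2), m.group(3))
        if key not in pending:
            closed.append((key[0], None, False))   # removal with no add seen: worth a look
            continue
        added_at, timeout = pending.pop(key)
        elapsed = int((_stamp(m.group(1)) - added_at).total_seconds())
        ok = timeout == expected_timeout and timeout <= elapsed <= timeout + slack
        closed.append((key[0], elapsed, ok))
    still_open = [src for (src, _dst) in pending]
    return closed, still_open


if __name__ == "__main__":
    print(audit_access_rules(SAMPLE_LOG))
```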

  8. #18
    Join Date
    Nov 2006
    Location
    40.31996,-80.607213
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How To: Install a Port Knocker - FWKNOP

    Ok. Michael Rash told me to try fwknop-1.9.5-pre1, which did fix my GPG problem, as now, when I run:
    Code:
    fwknop -A tcp/22 --gpg-recip 7B0FE328 --gpg-sign 26FD8AF9 -s -D 192.168.0.70
    I get the following:
    Code:
    [+] Starting fwknop client (SPA mode)...
    [+] Enter the GnuPG password for signing key: 26FD8AF9
    
    GnuPG signing password:
    I enter my password, then get this:
    Code:
    [+] Building encrypted Single Packet Authorization (SPA) message...
    [+] Packet fields:
    
            Random data:    3490835496495545
            Username:       drsmall
            Timestamp:      1212772260
            Version:        1.9.5-pre1
            Type:           1 (access mode)
            Access:         0.0.0.0,tcp/22
            SHA256 digest:  94ZeBt99aGAdbfuPhgp4w4WHPiwUMrB29TG71pYNII0
    
    [+] Sending 716 byte message to 192.168.0.70 over udp/62201...
But it never opens the port. I can't connect to the SSH server and nmap is still telling me it is filtered. Have a quick look at access.conf again. If you see nothing wrong, I'll contact Michael again.

    Code:
    SOURCE: ANY;
    OPEN_PORTS: tcp/22;
    #KEY: 12345678;
    DATA_COLLECT_MODE: PCAP;
    GPG_HOME_DIR: /root/.gnupg;
    GPG_DECRYPT_ID: 7B0FE328;
    GPG_DECRYPT_PW: <password>;
    GPG_REMOTE_ID: 26FD8AF9;
    FW_ACCESS_TIMEOUT: 30;
    Dr Small
    "Security lies within the user of who runs the system. Think smart, live safe." - Dr Small
    Linux User #441960 | Wiki: DrSmall
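kevdog's suggestion earlier in the thread was to compare access.conf against gpg --list-keys on the server. Here is an added example (not from the thread or from fwknop) that turns that into a repeatable check: it parses a stanza like the one above and a gpg --list-keys listing, and reports unset GPG variables, key IDs absent from the server keyring, and a placeholder password. The keyring listing is constructed; it deliberately omits the client's key 26FD8AF9 and uses a made-up subkey ID so the check has something to report.

```python
import re

# Constructed inputs: the access.conf stanza posted above, plus a gpg --list-keys listing
# in the same shape as the ones quoted earlier in the thread. The listing deliberately
# lacks the client's key 26FD8AF9, and its subkey ID is made up, so the check has a finding.
ACCESS_CONF = """\
SOURCE: ANY;
OPEN_PORTS: tcp/22;   ### for ssh (change for access to other services)
#KEY: 12345678;
DATA_COLLECT_MODE: PCAP;
GPG_HOME_DIR: /root/.gnupg;
GPG_DECRYPT_ID: 7B0FE328;
GPG_DECRYPT_PW: <password>;
GPG_REMOTE_ID: 26FD8AF9;
FW_ACCESS_TIMEOUT: 30;
"""

SERVER_KEYRING = """\
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/7B0FE328 2008-05-30
uid                  fwknopd (fwknop server key) <fwknopd@localhost>
sub   2048R/0A1B2C3D 2008-05-30
"""

REQUIRED = ("GPG_HOME_DIR", "GPG_DECRYPT_ID", "GPG_DECRYPT_PW", "GPG_REMOTE_ID")


def parse_access_conf(text):
    """Return the active 'VAR: value;' directives; '#' lines and '###' trailers are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("###", 1)[0].strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Z_]+):\s*(.*?);\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def keyring_ids(listing):
    """Short key IDs of every pub/sub line in gpg --list-keys output (public keys only;
    the GPG_DECRYPT_ID key also needs its secret half, see gpg --list-secret-keys)."""
    return set(re.findall(r"^(?:pub|sub)\s+\d+[A-Za-z]/([0-9A-F]{8})", listing, re.M))


def check_gpg_access(conf, server_keys):
    """Findings that would stop a GPG-mode SPA packet from being accepted."""
    findings = [f"{var} is not set" for var in REQUIRED if var not in conf]
    for var, hint in (("GPG_DECRYPT_ID", "the server's own key must live in GPG_HOME_DIR"),
                      ("GPG_REMOTE_ID", "import and sign the client's public key on the server")):
        key_id = conf.get(var)
        if key_id and key_id not in server_keys:
            findings.append(f"{var} {key_id} is not in the server keyring: {hint}")
    pw = conf.get("GPG_DECRYPT_PW", "")
    if pw.startswith("<") and pw.endswith(">"):
        findings.append("GPG_DECRYPT_PW still holds a placeholder")
    return findings
```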

  9. #19
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,554
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How To: Install a Port Knocker - FWKNOP

Where do I find the 1.9.5 pre 1 release?

  10. #20
    Join Date
    Nov 2006
    Location
    40.31996,-80.607213
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How To: Install a Port Knocker - FWKNOP

    Here:
    http://www.cipherdyne.org/fwknop/dow....5-pre1.tar.gz

    Michael Rash sent it to me by email.
    "Security lies within the user of who runs the system. Think smart, live safe." - Dr Small
    Linux User #441960 | Wiki: DrSmall

