Page 3 of 4 FirstFirst 1234 LastLast
Results 21 to 30 of 40

Thread: How To: Install a Port Knocker - FWKNOP

  1. #21
    Join Date
    Nov 2006
    Location
    40.31996,-80.607213
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How To: Install a Port Knocker - FWKNOP

    Michael Rash helped me solve the problem. Apparently the server's clock is 1 minute or so ahead of the client's clock, so the packet was aged as soon as it was sent / received. Therefore it never opened the port.

    I am now running fwknop-1.9.5-pre1 on both client and server, and have GPG working for it. Yay! Then I wrote a simple little script to connect to mycroft (since I keep port 22 blocked now):
    Code:
    #!/bin/bash
    # Usage: unlock <host>
    # Send the SPA packet for tcp/22, then ssh in only if the knock was sent successfully (&&).
    [ $# -eq 1 ] || { echo "Usage: $0 <host>" >&2; exit 1; }

    fwknop -A tcp/22 --gpg-recip 7B0FE328 --gpg-sign 26FD8AF9 -a 192.168.0.16 -D "$1" && ssh -XC "$1"
    I then made a launcher to it in my toolbar in IceWM and get prompted for my password at the click of a button.
    Last edited by Dr Small; June 8th, 2008 at 06:37 PM.
    "Security lies within the user of who runs the system. Think smart, live safe." - Dr Small
    Linux User #441960 | Wiki: DrSmall

  2. #22
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,585
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How To: Install a Port Knocker - FWKNOP

    Just wondering if your script should be:


    fwknop -A tcp/22 --gpg-recip 7B0FE328 --gpg-sign 26FD8AF9 -a 192.168.0.16 -D $1 && ssh -XC -c blowfish $1

    Are you using ssh version 1? For version 2 the cipher list is different.

    I ran into a problem with the clocks on my original setup, having to disable the timestamp feature, even though the clocks were registering the same time. I think he told me at that time he was going to build a time offset feature into the server software. I'll have to get this pre-release up and working.

    I'll add to the tutorial that it has now been tested and successfully used in Ubuntu, Arch, and Cygwin environments. Any other information you specifically needed to get it up and running in Arch?

  3. #23
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,585
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How To: Install a Port Knocker - FWKNOP

    Have you had the opportunity to play with the random port or NAT features yet? Do you think I should add a section to the original guide that would detail use with GnuPG, or simply refer to the GnuPG instruction page written at the fwknop website:
    http://cipherdyne.org/fwknop/docs/gpghowto.html

  4. #24
    Join Date
    Nov 2006
    Location
    40.31996,-80.607213
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How To: Install a Port Knocker - FWKNOP

    Yeah, that should be && after the command. Forgot about that. And as to the ssh cipher, I have just always done it like that. Bodhi told me to use that for xephyr'ing over SSH. I now see that it is used for Protocol 1. But the SSH server is running on Protocol 2.

    No, I haven't got around to tinkering any further with it yet. I need to, so I can further understand it. Just linking to the GPG Howto page should be sufficient.

    Now... we just need to get Tronyx busy with trying this.

    Dr Small
    "Security lies within the user of who runs the system. Think smart, live safe." - Dr Small
    Linux User #441960 | Wiki: DrSmall

  5. #25
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,585
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How To: Install a Port Knocker - FWKNOP

    Tronyx?? Have we met before? Surprised Bodhi has commented on this method. Seems like his cup of tea!

  6. #26
    Join Date
    Nov 2006
    Location
    40.31996,-80.607213
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: How To: Install a Port Knocker - FWKNOP

    Quote Originally Posted by kevdog View Post
    Tronyx?? Have we met before? Surprised Bodhi has commented on this method. Seems like his cup of tea!
    lol. yes
    http://ubuntuforums.org/showpost.php...48&postcount=4

    Tronyx is his IRC name, which is what we all call him.
    I seem to recall bodhi commenting something about it, recently...
    "Security lies within the user of who runs the system. Think smart, live safe." - Dr Small
    Linux User #441960 | Wiki: DrSmall

  7. #27
    Join Date
    Nov 2006
    Location
    Southern California, USA
    Beans
    15
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: How To: Install a Port Knocker - FWKNOP

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Nice write up. FYI folks, the following guide is available on the
    community documentation site [1].

    I just updated it for 1.9.4, and it does include a sample firewall
    script for those of you that want to try it out. I plan to update the
    guide to use ufw in the near future to keep things consistent with
    Ubuntu objectives.

    Cheers.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

    iD8DBQFITIceBZd5UQddvKkRApr4AKCFzdyLVjyZCfslZpRVRXY57hRwBACdGJFi
    F7C+0K7tlDkmQe8BKyYJaWU=
    =A/g6
    -----END PGP SIGNATURE-----

    [1] https://help.ubuntu.com/community/Si...tAuthorization
    Last edited by gmendoza; June 9th, 2008 at 02:28 AM. Reason: URL truncation messes up PGP signature; URL relocated.

  8. #28
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,585
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How To: Install a Port Knocker - FWKNOP

    gmendoza

    I found your guide after I had written mine; however, I had problems with the actual installation, particularly with installing the necessary Perl libraries, Net::Pcap above all. This step was one of the biggest hurdles that I had with the initial install. The code has since been patched, since the way the packets are timed (packet_aging parameter) is slightly buggy. You might want to include these steps, since they have given a few people, including me, a lot of problems.

  9. #29
    Join Date
    Nov 2006
    Location
    Southern California, USA
    Beans
    15
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: How To: Install a Port Knocker - FWKNOP

    KevDog

    If you say you're having problems, I believe you, but I'm not quite certain why one would run into dependency issues, so long as you add libpcap-dev, build-essential, and mailx packages before hand.

    I've been running fwknop for quite some time now, and run through many installations using the same method without issue.

    The updated instructions outline all that is necessary to get fwknop running with the latest stable version and have been tested several times via cut and paste. I would appreciate it if you can outline exactly where the trouble is so I can add a note accordingly.

    Thanks.

  10. #30
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,585
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How To: Install a Port Knocker - FWKNOP

    The guide was written against fwknop v1.9.3. At the time I was installing on Hardy Heron. Despite the Net::Pcap lib that was supposed to be installed by default, for some reason this library was either corrupt, wasn't installed, or wasn't working, as shown by the fwknop_test.pl output. I needed to manually install this library. This wouldn't have been such a big deal; however, installation of this particular library using cpan does not work correctly (I spent hours reading other posts documenting a similar problem before I defaulted to a manual installation method). Again, the fwknop installation script should install the Net::Pcap library, but it did not work for me. Additionally problematic was the fwknop_test.pl output, which at times gave me errors, although the full-blown installation would seemingly work.

    Additionally, topics such as debugging -- running fwknop outside of init.d and checking the system logs in /var/log/messages -- should be covered as an addendum (in addition to the use of nmap), since these give ways to actually verify whether the server has received/decrypted the SPA packet. Again, a lot to cover; however, as with any software package, never expect things to work as promised all the time. A tutorial should educate the installer on where to consult for error messages and, if possible, some basic methods to correct/verify the errors. Of course there are always the forums; however, I believe the Ubuntu forums are a peripheral support mechanism for this product. Unfortunately the mailing lists at SourceForge for fwknop are quite dead, and really don't provide any useful feedback if you require rather rapid assistance.
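The debugging question raised in the post above (did the server receive my SPA packet, did it decrypt it, and did it actually add the firewall rule?) is answered from the server's syslog. The following is an added example written for this thread, not fwknop's own tooling: it reads fwknopd lines out of a syslog file and gives a one-line verdict per source address. The log lines embedded in it are constructed to look like syslog output from an fwknopd process; the real wording of fwknopd's messages differs between versions, so the keyword table is the part you would adjust before pointing it at a real /var/log/messages.

```python
"""Triage fwknopd syslog lines: received? decrypted? rule added? rejected, and why?

Added example for this thread, not fwknop's own code.  SAMPLE_LOG is
CONSTRUCTED; adjust CLASSIFIERS to the message wording of your fwknopd version.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jun  8 18:12:01 mycroft fwknopd[4321]: received SPA packet from 192.168.0.16 (data len 224)
Jun  8 18:12:01 mycroft fwknopd[4321]: SPA packet from 192.168.0.16 decrypted and verified (GPG)
Jun  8 18:12:01 mycroft fwknopd[4321]: adding ACCEPT rule for 192.168.0.16 -> tcp/22, expires in 30 seconds
Jun  8 18:12:31 mycroft fwknopd[4321]: removing expired rule for 192.168.0.16 -> tcp/22
Jun  8 18:15:44 mycroft fwknopd[4321]: received SPA packet from 10.0.0.9 (data len 224)
Jun  8 18:15:44 mycroft fwknopd[4321]: SPA packet from 10.0.0.9 rejected: timestamp aged out (age 95s, max 30s)
Jun  8 18:16:02 mycroft fwknopd[4321]: received SPA packet from 10.0.0.9 (data len 224)
Jun  8 18:16:02 mycroft fwknopd[4321]: SPA packet from 10.0.0.9 rejected: replay, digest already seen
Jun  8 18:20:10 mycroft fwknopd[4321]: received SPA packet from 172.16.5.5 (data len 224)
Jun  8 18:20:11 mycroft sshd[4410]: Accepted publickey for drsmall from 192.168.0.16 port 51022 ssh2
"""

# Only fwknopd's own lines are of interest; sshd and everything else is skipped.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) fwknopd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# (substring of the lower-cased message, event class); first match wins, so put
# the most specific phrases first.
CLASSIFIERS = [
    ("rejected:", "rejected"),
    ("adding accept rule", "granted"),
    ("removing expired rule", "expired"),
    ("decrypted and verified", "decrypted"),
    ("received spa packet", "received"),
]


def parse_line(line):
    """Return an event dict for an fwknopd syslog line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    low = msg.lower()
    kind = next((k for needle, k in CLASSIFIERS if needle in low), "other")
    ip = IP_RE.search(msg)
    return {"ts": m.group("ts"), "src": ip.group(1) if ip else None, "kind": kind, "msg": msg}


def diagnose(log_text):
    """Group fwknopd events by source IP and give the most recent decision for each."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["src"]:
            events[ev["src"]].append(ev)

    verdicts = {}
    for src, evs in events.items():
        kinds = {e["kind"] for e in evs}
        decisions = [e for e in evs if e["kind"] in ("granted", "rejected")]
        if decisions:                       # latest attempt decides the verdict
            last = decisions[-1]
            if last["kind"] == "granted":
                verdicts[src] = "granted"
            else:
                verdicts[src] = "rejected: " + last["msg"].split("rejected: ", 1)[-1]
        elif "decrypted" in kinds:
            verdicts[src] = "decrypted but no rule added (check access.conf and the firewall script)"
        elif "received" in kinds:
            verdicts[src] = "received but never decrypted (wrong key/recipient, or truncated packet)"
        else:
            verdicts[src] = "no decisive fwknopd event"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(diagnose(SAMPLE_LOG).items()):
        print(f"{src:15s} {verdict}")
```

Run it against a copy of /var/log/messages taken right after a knock; if your own address comes back as "received but never decrypted", the problem is on the crypto side (keys, GPG recipient, passphrase), while "decrypted but no rule added" points at the access configuration or the firewall script rather than at the client.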
