
Thread: How To: Install a Port Knocker - FWKNOP

  1. #31
    Join Date
    Dec 2005
    Beans
    19,293
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: How To: Install a Port Knocker - FWKNOP

    Moved to Tips and Tutorials.
    Learning is not attained by chance, it must be sought for with ardor and attended to with diligence. Abigail Adams ( 1744 - 1818 ), 1780;


  2. #32
    Join Date
    Nov 2006
    Location
    Southern California, USA
    Beans
    15
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: How To: Install a Port Knocker - FWKNOP

    Ahh... I see now. The problem was perhaps version specific. Yeah, the previous version on the doc was actually 1.9.0, so obviously later versions introduced new issues. Thanks for the info.

    The good news is, 1.9.4 works well, and adds the really nice feature of accepting SPA packets on a range of ports to avoid IDS signatures, etc.

    That would be cool to add to the doc as well.

  3. #33
    cprofitt
    νόησις νοήσεως - nóesis noéseos
    Join Date
    Oct 2006
    Location
    平静
    Beans
    1,445
    Distro
    Ubuntu Development Release

    Re: How To: Install a Port Knocker - FWKNOP

    Very nice -- been reading about this but not seen any application to try it...

    I will have to follow this next weekend on my test server... looks like fun.

  4. #34
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,554
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How To: Install a Port Knocker - FWKNOP

    Version 1.96 Released

    Awaiting update of Change List
    (Will update guide once server appropriately tested with new version)

  5. #35
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,554
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How To: Install a Port Knocker - FWKNOP

    Version 1.9.7 Released - http://trac.cipherdyne.org/trac/fwkn....9.7/ChangeLog

    Supposedly an unofficial Debian repository has been created to simplify installation of the fwknop server on Debian/Ubuntu. I have not yet verified these steps; however, instructions are given here:
    http://cipherdyne.org/blog/2008/08/i...nd-ubuntu.html

    Happy Port Knocking!!

  6. #36
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,554
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How To: Install a Port Knocker - FWKNOP

    For all you Arch users -- just to let you know that fwknop is being distributed:
    http://aur.archlinux.org/packages.php?ID=20630

  7. #37
    Join Date
    Apr 2007
    Beans
    12

    Re: How To: Install a Port Knocker - FWKNOP

    Ok, so I cannot get fwknop client working for the life of me on my linux box, internally and externally...it works fine from my Windows machine, where I then use putty after the encrypted packet is sent.

    On my linux box for fwknop, I use:

    Code:
    fwknop -A tcp/22 -a 192.168.1.6 -D 192.168.1.3
    ssh username@192.168.1.3

    Am I doing anything wrong here??? Does the windows client use different default options that aren't seen? I don't have iptables running on the linux fwknop client...so nothing should be blocked.

    Thanks to anyone who can help.

  8. #38
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,554
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How To: Install a Port Knocker - FWKNOP

    A couple of things you might want to try:

    fwknop can be run in debug mode with the --debug command line option. This will disable daemon mode execution, and print verbose information to the screen on STDERR as packets are received.

    Also, after issuing the first command, port 22 should be open on the server. I would use nmap to scan the server for specifically port 22 to see if the port is open.

  9. #39
    Join Date
    Apr 2007
    Beans
    12

    Re: How To: Install a Port Knocker - FWKNOP

    I ran an nmap scan after issuing the fwknop command, and port 22 was "filtered" not open...so something is going wrong. I know I have the right key, and I know it's the right IP.

    I also ran it in debug mode...it didn't give me anything useful. It just spit back some perl paths, and then the steps it went through sending the SPA.

    There wasn't really any confirmation that it sent successfully...just:

    [+] Sending 182 byte message to 192.168.1.3 over udp 62201...

    That was the last line. Is that right? I guess I could always run a sniffer to see if it gets to my server.

  10. #40
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,554
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: How To: Install a Port Knocker - FWKNOP

    Ok, so you can confirm a packet was sent to the server from the client.

    On the server I would do the following:

    1. Wireshark -- A packet sniffer -- see if you get packet received from client

    2. The command:
    sudo iptables -L
    This will list your current firewall rules. If successful, you should see a change in this list if the packet was successful.

    3. Also, I think fwknopd keeps a log. Have you investigated this?

    Also a few things:
    Are you running the daemon in debug mode?: Similar to this:
    sudo perl ./fwknopd --debug

    If stuck can you post your script that establishes your iptables, and also your /etc/fwknop/access.conf file.
    Last edited by kevdog; February 13th, 2009 at 10:37 AM.
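
The server-side checks suggested in post #40, as an added example that is not part of the original thread or of fwknop itself: it diffs two firewall snapshots to show whether the SPA packet produced a new ACCEPT rule for the client. It assumes `iptables -S` (one rule per line, with sources printed as `/32`) rather than `iptables -L`, uses tcpdump in place of Wireshark, and runs on constructed sample snapshots whose chain name and policies are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Compares two `iptables -S` snapshots
# taken on the fwknopd server to see whether an SPA packet opened the port.
# To confirm the packet arrives at all (tcpdump standing in for Wireshark):
#   sudo tcpdump -ni any udp port 62201

# Constructed sample snapshots; the chain name and policies are assumptions.
SAMPLE_BEFORE='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N FWKNOP_INPUT
-A INPUT -j FWKNOP_INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
SAMPLE_AFTER="$SAMPLE_BEFORE
-A FWKNOP_INPUT -s 192.168.1.6/32 -p tcp -m tcp --dport 22 -j ACCEPT"

# Print rules found in the "after" snapshot ($2) but not in "before" ($1).
added_rules() {
    printf '%s\n' "$2" | BEFORE="$1" awk '
        BEGIN { n = split(ENVIRON["BEFORE"], b, "\n")
                for (i = 1; i <= n; i++) seen[b[i]] = 1 }
        $0 != "" && !($0 in seen)'
}

# Exit 0 if a newly added rule ACCEPTs tcp/<port> ($4) from <client> ($3).
# Fixed-string matching, so 192.168.1.6 does not also match 192.168.1.60.
spa_rule_present() {
    added_rules "$1" "$2" | awk -v ip="$3" -v port="$4" '
        /-j ACCEPT/ && index($0, "-s " ip "/32 ") &&
            index($0, "--dport " port " ") { found = 1 }
        END { exit !found }'
}

# Live use on the server:
#   before=$(sudo iptables -S)   # then send the SPA packet from the client
#   after=$(sudo iptables -S)
#   spa_rule_present "$before" "$after" 192.168.1.6 22
if spa_rule_present "$SAMPLE_BEFORE" "$SAMPLE_AFTER" 192.168.1.6 22; then
    echo "SPA accepted; new rule(s):"
    added_rules "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
else
    echo "no new ACCEPT rule: check the fwknopd log and access.conf"
fi
```

If the packet shows up in the capture but no rule is added, the daemon received the SPA packet and rejected it, which points at the key or the access.conf entry rather than at the network path.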
