Moved to Tips and Tutorials.
Ahh... I see now. The problem was perhaps version specific. Yeah, the previous version on the doc was actually 1.9.0, so obviously later versions introduced new issues. Thanks for the info.
The good news is, 1.9.4 works well, and adds the really nice feature of accepting SPA packets on a range of ports to avoid IDS signatures, etc.
That would be cool to add to the doc as well.
Very nice -- been reading about this but not seen any application to try it...
I will have to follow this next weekend on my test server... looks like fun.
Version 1.96 Released
Awaiting update of Change List
(Will update guide once server appropriately tested with new version)
Version 1.9.7 Released - http://trac.cipherdyne.org/trac/fwkn....9.7/ChangeLog
Supposedly an unofficial Debian repository has been created to simply installation of the fwknop server on Debian/Ubuntu. I have not yet verified these steps however instructions are given here:
Happy Port Knocking!!
For all you Arch users -- just to let you know that fwknop is being distributed:
Ok, so I cannot get fwknop client working for the life of me on my linux box, internally and externally...it works fine from my Windows machine, where I then use putty after the encrypted packet is sent.
On my linux box for fwknop, I use:
Am I doing anything wrong here??? Does the windows client use different default options that aren't seen? I don't have iptables running on the linux fwknop client...so nothing should be blocked.Code:fwknop -A tcp/22 -a 192.168.1.6 -D 192.168.1.3 ssh email@example.com
Thanks to anyone who can help.
A couple of things you might want to try:
fwknop can be run in debug mode with the --debug command line option. This will disable daemon mode execution, and print verbose information to the screen on STDERR as packets are received
Also, after issuing the first command, port 22 should be open on the server. I would use nmap to scan the server for specifically port 22 to see if the port is open.
I ran an nmap scan after issuing the fwknop command, and port 22 was "filtered" not open...so something is going wrong. I know I have the right key, and I know it's the right IP.
I also ran it in debug mode...it didn't give me anything useful. It just spit back some perl paths, and then the steps it went through sending the SPA.
There wasn't really any confirmation that it sent successfully...just:
[+] Sending 182 byte message to 192.168.1.3 over udp 62201...
That was the last line. Is that right? I guess I could always run a sniffer to see if it gets to my server.
Ok, so you can confirm a packet was sent to the server from the client.
On the server I would do the following:
1. Wireshark -- A packet sniffer -- see if you get packet received from client
2. The command:
sudo iptables -L
This will list your current firewall rules. If successful, you should see a change in this list if the packet was successful.
3. Also, I think fwknopd keeps a log. Have you investigated this?
Also a few things:
Are you running the daemon in debug mode?: Similar to this:
sudo perl ./fwknopd --debug
If stuck can you post your script that establishes your iptables, and also your /etc/fwknop/access.conf file.
Last edited by kevdog; February 13th, 2009 at 10:37 AM.