SPA with fwknop
Jul 9th, 2008 by knutee
As I promised, I’m writing a guide on how to get single packet authorization working on your system. And it is quite easy!
Let’s say you have a Linux gateway and a Windows client wanting to make an SSH connection. First, head over to http://cipherdyne.org/fwknop/ and download the fwknop application. You will need the Windows UI version for your Windows clients, and the Linux version for your server.
Server
Installing fwknop on the server is quite easy. First make sure you have the necessary packages for building installed, as well as Perl and the Perl module Net::Pcap. Unpack the fwknop compressed file to a directory of your choosing, and using the console navigate to this location. Acquire root access by sudo or su, and run the install.pl file. This can be done by either granting the file execute privileges or using perl install.pl. The install will run for a while, and close to the end you will be asked a few questions:
- Type of installation: Server
- Data acquisition method: Pcap (what I chose to use)
- Interface: Choose the interface you will be connecting to from the outside. eth0 for me.
- Enable fwknop on boot: Yes
And that’s it for the install part. Next up you need to configure fwknop so it’s ready to handle your demands. There are two files you need to have a look at: access.conf and fwknop.conf. Both reside in /etc/fwknop. Open up the access.conf file and look for this section:
### default Single Packet Authorization (SPA) via libpcap:
SOURCE: ANY;
OPEN_PORTS: tcp/22;   ### for ssh (change for access to other services)
KEY: knuteruber;
REQUIRE_USERNAME: knut;
FW_ACCESS_TIMEOUT: 30;
### if you want to use GnuPG keys (recommended) then define the following
### variables
#GPG_HOME_DIR: /root/.gnupg;
#GPG_DECRYPT_ID: ABCD1234;
#GPG_DECRYPT_PW: myGpgPassword;
#GPG_REMOTE_ID: 1234ABCD;
This part should be fairly easy to understand. The rule is for traffic from any source, on port 22 (change for other services), and allows a user with the ASCII key X access for 30 seconds. If you want to use a GPG key instead, just uncomment the GPG section and add in your data.
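To make the stanza format concrete, here is an added example (not part of the original post or of fwknop itself) that parses access.conf directives of the form shown above and flags the settings a reviewer would want to revisit: a short symmetric KEY, no GnuPG key, SOURCE: ANY, and the ENABLE_SPA_PACKET_AGING N change to fwknop.conf described further down. The sample input is constructed from the post’s own stanza, and the directive syntax (NAME: value; for access.conf, NAME value; for fwknop.conf) is assumed from the lines the post shows.

```python
import re

SAMPLE_ACCESS_CONF = """\
### default Single Packet Authorization (SPA) via libpcap:
SOURCE: ANY;
OPEN_PORTS: tcp/22;   ### for ssh (change for access to other services)
KEY: knuteruber;
FW_ACCESS_TIMEOUT: 30;
#GPG_DECRYPT_ID: ABCD1234;
"""                                                   # constructed from the post's stanza
SAMPLE_FWKNOP_CONF = "ENABLE_SPA_PACKET_AGING N;\n"   # the post's fwknop.conf change

ACCESS_DIRECTIVE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*;")   # access.conf: NAME: value;
FWKNOP_DIRECTIVE = re.compile(r"^\s*([A-Z_]+)\s+(\S+?)\s*;")      # fwknop.conf: NAME value;

def parse_access_conf(text):
    """Return a list of stanzas (dicts); each SOURCE line starts a new stanza.
    Lines beginning with '#' are comments, so commented-out GPG settings are ignored."""
    stanzas = []
    for line in text.splitlines():
        m = ACCESS_DIRECTIVE.match(line)
        if line.lstrip().startswith("#") or not m:
            continue
        name, value = m.groups()
        if name == "SOURCE" or not stanzas:
            stanzas.append({})
        stanzas[-1][name] = value
    return stanzas

def check_stanza(stanza):
    """Flag access.conf settings worth revisiting before exposing the daemon."""
    findings = []
    key = stanza.get("KEY")
    if key is None and "GPG_DECRYPT_ID" not in stanza:
        findings.append("no KEY and no GPG_DECRYPT_ID: nobody can authenticate")
    elif "GPG_DECRYPT_ID" not in stanza:
        findings.append("symmetric KEY only; the file itself recommends GnuPG keys")
    if key is not None and len(key) < 16:
        findings.append("KEY is only %d characters; use a long random string" % len(key))
    if stanza.get("SOURCE") == "ANY":
        findings.append("SOURCE: ANY accepts knocks from any address; narrow it if clients are known")
    return findings

def check_fwknop_conf(text):
    """Flag ENABLE_SPA_PACKET_AGING N: it turns off the timestamp check on SPA packets."""
    findings = []
    for line in text.splitlines():
        m = FWKNOP_DIRECTIVE.match(line)
        if m and m.group(1) == "ENABLE_SPA_PACKET_AGING" and m.group(2).upper() == "N":
            findings.append("packet aging disabled: SPA packets are accepted regardless of age; fix clock/NTP instead")
    return findings
```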
In addition I had to make two other changes. First, I encountered a problem with my Windows client connecting due to the timestamp on packets. This might be because my virtual test server had some issues with NTP, so I edited fwknop.conf with this line: ENABLE_SPA_PACKET_AGING N; (N instead of the default Y). I also did not want to enable the e-mail function in fwknop since this was purely for experimenting. To avoid any issues with starting fwknop without e-mail, I linked mail to echo: sudo ln -s /bin/echo /bin/mail.
Client
Installing the Windows client is pretty straightforward. Just extract the compressed file and run the executable client. You won’t have too many options to get lost in, which is a good thing. Enter the username, the IP of the server and the key you chose. Click Add to store the entry. It will look something like this:

Testing it all
Now I guess you would like to try it out to see if it works! Well, that’s easy, but remember to block the port of your service before you start experimenting. If your iptables is set to allow traffic on the selected port, fwknop will have no effect. A good way to run a test is to install openssh-server and block port 22. Start the fwknop daemon. Now, on your Windows machine, open the fwknop client and PuTTY. Try to connect to your server via ssh. If your ports are blocked your PuTTY client will stall for a minute, then return an error message. Next, enter the correct information into the fwknop client and execute a “knock”. Tab over to PuTTY again and repeat the last connection attempt. If fwknop is working correctly, you should now be presented with the ssh authentication questions.
I hope this guide on fwknop has been informative and helpful! Questions, comments and corrections are very welcome.