Single Packet Authentication (SPA) lets you reach services running on your machine while your firewall drops all incoming traffic, so from the network's point of view the machine has no open ports at all. How is that possible? Instead of a normal server listening on a socket, the SPA server sniffs every packet on the interface, like a packet sniffer does. When it sees a specially crafted authentication packet it performs an action, such as executing a command or, in our case, opening a port for the client that sent it. What's cool about this, and about fwknop in particular, is that the port is opened for a set number of seconds and then closed again on the firewall. Connections established during that window keep working, because the firewall rule we set for ESTABLISHED,RELATED traffic lets them through. To learn more, the links at the bottom are a good start.
Notes:
OS: Backtrack 4 RC1
Simple iptables firewall rules (drop everything inbound except replies to connections we initiated):
#!/bin/sh
# Flush existing rules and user-defined chains.
IPTABLES=/sbin/iptables
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
# Keep already-established connections working; this is what lets an SSH
# session survive after fwknopd closes the port again.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log, then drop, everything else that does not arrive on loopback.
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP "
$IPTABLES -A INPUT ! -i lo -j DROP
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP "
$IPTABLES -A FORWARD ! -i lo -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "iptables policy enabled"
exit
Pre-requisite for fwknop:
# apt-get install libgdbm-dev
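Because the firewall script above logs every dropped packet with the "DROP " prefix, the kernel log becomes a cheap record of who is probing the closed ports, including the SPA packets themselves, which fwknopd reads via pcap before netfilter drops them. The following is an added example, not code from the original post or from fwknop: it parses log lines in the shape the iptables LOG target emits and summarises drops per source and destination port. The sample lines, hosts and ports are constructed for the example; the function names are this example's own.

```python
"""Summarise the 'DROP ' lines written by the firewall script's LOG rules.

Added example (not part of the original post). The log lines below are
constructed to match the iptables LOG target's key=value format, with some
fields omitted for brevity; hosts and ports are made up.
"""
import re
from collections import Counter

# Constructed kernel-log lines. The UDP 62201 entry is what an SPA packet
# looks like in the log: fwknopd has already seen it via pcap, and the
# firewall then drops it like everything else, which is expected.
SAMPLE_LOG = """\
Jan 10 12:00:01 bt kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.5 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Jan 10 12:00:02 bt kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.5 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Jan 10 12:00:05 bt kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.0.5 LEN=40 PROTO=TCP SPT=40000 DPT=80 SYN
Jan 10 12:00:06 bt kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.0.5 LEN=168 PROTO=UDP SPT=62201 DPT=62201
Jan 10 12:00:09 bt kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.5 LEN=60 PROTO=TCP SPT=51236 DPT=22 SYN
"""

# Matches the fields the LOG target always emits; SPT/DPT only exist for
# TCP/UDP, so they are optional.
LOG_RE = re.compile(
    r"DROP IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_drop_line(line):
    """Return a dict of the interesting fields, or None if the line is not a DROP log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"]) if rec["spt"] else None
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def summarize(log_text):
    """Count dropped packets per (source address, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_drop_line(line)
        if rec:
            counts[(rec["src"], rec["proto"], rec["dpt"])] += 1
    return counts


def noisy_sources(log_text, port, threshold):
    """Sources that hit `port` at least `threshold` times while it was closed."""
    counts = summarize(log_text)
    return sorted(src for (src, _proto, dpt), n in counts.items()
                  if dpt == port and n >= threshold)


if __name__ == "__main__":
    for (src, proto, dpt), n in summarize(SAMPLE_LOG).most_common():
        print(f"{src:<15} {proto:<4} dpt={dpt:<6} dropped={n}")
    print("repeat hits on tcp/22:", noisy_sources(SAMPLE_LOG, 22, 3))
```

Feed it `grep 'DROP ' /var/log/messages` (or wherever the kernel ring buffer is logged on your system) instead of the constructed sample; on a machine where tcp/22 is only ever opened through fwknop, repeated SYNs to 22 from one address are worth a look.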
Download, build and install fwknop (client and server):
# wget -c http://www.cipherdyne.org/fwknop/download/fwknop-2.0.0rc2.tar.gz
# tar -zxvf fwknop-2.0.0rc2.tar.gz
# cd fwknop-2.0.0rc2
# ./configure
# make
# make install
Configuration: (config files are located at /usr/local/etc/fwknop)
In the fwknop.conf file, you need to uncomment the PCAP_INTF option and set it to the interface fwknopd should sniff on, e.g. "PCAP_INTF eth0".
Set up your access.conf file to define which users may open which ports, and for how long. A simple config that works:
SOURCE: ANY;
# KEY must be over 8 characters
KEY: 123456789;
REQUIRE_USERNAME: admin;
OPEN_PORTS: tcp/22;
FW_ACCESS_TIMEOUT: 20;
To run the server (-f keeps it in the foreground, -vv makes it verbose so you can watch the SPA packets arrive):
# fwknopd -f -vv
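To make the access.conf stanza above concrete, here is an added example (not fwknop's own code) that parses that stanza, applies the constraints the post states (KEY over 8 characters, OPEN_PORTS as proto/port, FW_ACCESS_TIMEOUT in seconds) and then evaluates a decrypted SPA request against it the way the server's policy does: SOURCE must match, REQUIRE_USERNAME must match, the requested port must be listed, and the resulting rule expires FW_ACCESS_TIMEOUT seconds after the packet is seen. Decrypting and replay-checking the SPA packet with KEY is left out; the `SpaRequest` shape, the function names and the sample addresses are this example's assumptions.

```python
"""Parse the access.conf stanza from the post and evaluate SPA requests against it.

Added example, not fwknop's own code. It models only the policy checks the
stanza expresses; packet decryption with KEY and replay detection are assumed
to have happened already. Names and sample values are this example's own.
"""
import ipaddress
from dataclasses import dataclass

# The stanza from the post, embedded so the example runs offline.
ACCESS_CONF = """\
SOURCE: ANY;
# KEY must be over 8 characters
KEY: 123456789;
REQUIRE_USERNAME: admin;
OPEN_PORTS: tcp/22;
FW_ACCESS_TIMEOUT: 20;
"""


def parse_access_conf(text):
    """Return {NAME: value} for 'NAME: value;' lines, skipping blanks and # comments."""
    stanza = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        stanza[name.strip()] = value.strip().rstrip(";").strip()
    return stanza


def validate_stanza(stanza):
    """Apply the constraints stated in the post; return a list of problems (empty means ok)."""
    problems = []
    if len(stanza.get("KEY", "")) <= 8:
        problems.append("KEY must be over 8 characters")
    for spec in stanza.get("OPEN_PORTS", "").split(","):
        proto, _, port = spec.strip().partition("/")
        if proto not in ("tcp", "udp") or not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"bad OPEN_PORTS entry: {spec.strip()!r}")
    if not stanza.get("FW_ACCESS_TIMEOUT", "").isdigit():
        problems.append("FW_ACCESS_TIMEOUT must be an integer number of seconds")
    return problems


@dataclass
class SpaRequest:
    """A decrypted SPA request (hypothetical shape for this example)."""
    source_ip: str     # address the packet arrived from (what the client's -s asks the server to use)
    username: str      # username carried in the packet
    access: str        # requested access, e.g. "tcp/22" (the client's -A value)
    received_at: int   # unix time the server saw the packet


def source_allowed(source_spec, ip):
    """SOURCE is ANY, or a comma-separated list of addresses / CIDR networks."""
    if source_spec.strip().upper() == "ANY":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s.strip(), strict=False)
               for s in source_spec.split(","))


def evaluate(stanza, req):
    """Return (granted, reason, close_at); close_at is when the ACCEPT rule should be removed."""
    if not source_allowed(stanza["SOURCE"], req.source_ip):
        return False, "source not permitted", None
    if stanza.get("REQUIRE_USERNAME") and req.username != stanza["REQUIRE_USERNAME"]:
        return False, "username mismatch", None
    allowed = {p.strip() for p in stanza["OPEN_PORTS"].split(",")}
    if req.access not in allowed:
        return False, "port not in OPEN_PORTS", None
    return True, "ok", req.received_at + int(stanza["FW_ACCESS_TIMEOUT"])


def port_open_at(close_at, now):
    """New connections are only accepted while the timed rule is still in place;
    connections made inside the window keep working via the ESTABLISHED,RELATED rule."""
    return close_at is not None and now < close_at


if __name__ == "__main__":
    policy = parse_access_conf(ACCESS_CONF)
    print("problems:", validate_stanza(policy) or "none")
    granted, why, until = evaluate(policy, SpaRequest("203.0.113.7", "admin", "tcp/22", 1000))
    print(granted, why, "rule closes at", until)
```

The 20-second FW_ACCESS_TIMEOUT is only the window for starting a connection; once the SSH session is up, the firewall's ESTABLISHED,RELATED rule carries it, which is exactly the behaviour described at the top of the post.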
If you get the following error message when you try to run the server:
fwknop: error while loading shared libraries: libfko.so.0: cannot open shared object file: no such file or directory
then you may need to create a symlink in the /usr/lib directory for the library file (alternatively, make sure /usr/local/lib is known to the dynamic loader and run ldconfig):
# cd /usr/lib
# ln -s /usr/local/lib/libfko.so.0.0.2 libfko.so.0
To authenticate using the client (-D is the server to send the SPA packet to, -s tells the server to grant access to whatever source address the packet arrives from, -A is the access being requested):
# fwknop -D 192.168.0.5 -s -A tcp/22
There is also a Windows client you can get here.
Resources / Good Reading:
http://pauldotcom.com/wiki/index.php/Episode221
http://www.cipherdyne.org/fwknop/