Re: Request for review: fwknop package
Franck Joncourt wrote:
> Description: FireWall KNock OPerator server side
> It implements an authorization scheme called Single Packet Authorization
> (SPA) that is based around Netfilter and libpcap.
> .
> By using Netfilter to maintain a "default drop" stance, the main
> application of this program is to protect services such as OpenSSH with
> an additional layer of security in order to make the exploitation of
> vulnerabilities (both 0-day and unpatched code) much more difficult.
> .
> The authorization server passively monitors authorization packets via
> libpcap and hence there is no "server" to which to connect in the
> traditional sense. Access to a protected service is only granted after a
> valid encrypted and non-replayed packet is monitored.
Description: FireWall KNock OPerator server side
The FireWall KNock OPerator implements an authorization scheme called
Single Packet Authorization (SPA), based on Netfilter and libpcap.
.
Its main application is to protect services such as OpenSSH with
an additional layer of security in order to make the exploitation of
vulnerabilities (both 0-day and unpatched code) much more difficult.
.
The authorization server passively listens for authorization packets via
libpcap, so there is no service listening for network connections on the
traditional port. Access to a protected service is only granted after a
valid encrypted and non-replayed packet is detected.
You can't really deny there's a server; adding fwknopd increases the
number of installed servers by one! Even saying there's no service
is stretching things a bit.
> Description: FireWall KNock OPerator client side
> [...] idem as above
> .
> This is the client program responsible for accepting password input
> from the user; constructing SPA packets that conform to the fwknop
> packet format; encrypting packet data.
Instead of "doing X; doing Y; doing Z", make that "doing X, doing Y,
and doing Z":
This is the client program responsible for accepting password input
from the user, constructing SPA packets that conform to the fwknop
packet format, and encrypting packet data.
(Skipping the debconf part)
> README.Debian
> ----------------------------------------
>
> Quick setup
> --------------------------------------------------------------------------------
>
> As the FWKnop OPerator daemon can be configured in many ways, this
Wait, "FWKnop OPerator daemon"? Shouldn't that be "FireWall KNock
OPerator daemon"?
> package allows the user to turn the SSH protection on by the use of a
> Rijndael password. Although this provides decent security, moving to a
> GnuPG setup is recommended.
>
> During the installation process, if the daemon has not previously been
> configured, the user will be prompted for a quick setup. In case you
> decline the offer, you can still run it with the following command:
Not "In case". Make it "If" or "Even if".
("In case" means subtly different things in different parts of the
anglophone world. For some users, it's "conditionally, if"; for
others it's "unconditionally, lest". The instruction "unplug your
computer immediately in case it catches fire" is dangerously
ambiguous.)
> [code]
> # dpkg-reconfigure fwknop-server
> [/code]
>
> You will be asked few questions, then the FWKnop OPerator daemon will be
a few; see above
> started according to your settings. Edit access.conf and fwknop.conf in
> /etc/fwknop/ if you would like to make some other changes and restart
> the daemon.
If you want to make any further
changes, edit access.conf and fwknop.conf in /etc/fwknop/ and restart
the daemon.
> [code]
> # invoke-rc.d fwknop-server restart
> [/code]
>
> Check your installation
> --------------------------------------------------------------------------------
>
> To verify that your installation was successful, try connecting to your
> SSH server using the fwknop client.
>
> [code]
> [...]
?
> [/code]
>
> Minimal steps to configure the FWKnop OPerator server
see above
> --------------------------------------------------------------------------------
>
> In case you would prefer to update both access.conf and fwknop.conf
If
> files in /etc/fwknop by hand, here is the list of the variables that
> have to be defined:
>
> in access.conf:
> -> KEY: myverylongkey
Distracting "->" bulletpoints; is this the syntax of the file or
would it make more sense to quote them like this?
in access.conf:
KEY=myverylongkey
> or
> -> GPG_HOME_DIR: /root/.gnupg;
> -> GPG_DECRYPT_ID: ABCD1234;
> -> GPG_DECRYPT_PW: myGpgPassword;
> -> GPG_REMOTE_ID: 1234ABCD;
>
> in fwknop.conf:
> -> HOSTNAME: diamond.dthconnex.com
> -> PCAP_INTF: eth0
>
> By default, the FWKnop OPerator daemon is not allowed to start at boot
see above; say "is not started at boot"
> time through the init scripts in /etc/init.d/. You can change this
> behaviour by updating the START_DAEMON variable from "no" to "yes" in
en_US: behavior
> /etc/default/fwknop-server.
--
JBR
Ankh kak! (Ancient Egyptian blessing)
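As an added illustration of the "valid encrypted and non-replayed packet" decision the description above refers to (example code written for this note, not fwknop's own code or wire format), here is a minimal model of the server-side check. It uses an HMAC over a timestamped message in place of fwknop's Rijndael/GnuPG encryption so that it runs stand-alone; the shared key, the message fields and the freshness window are assumptions.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-ins: KEY mirrors the role of KEY in access.conf,
# MAX_AGE is an assumed freshness window in seconds.
KEY = b"myverylongkey"
MAX_AGE = 120


def build_spa(key, src_ip, port, now, rand=None):
    """Client side: authenticated, timestamped, randomised message."""
    rand = rand if rand is not None else os.urandom(16).hex()
    body = json.dumps({"rand": rand, "ts": now, "src": src_ip,
                       "port": port}).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + mac


class SpaServer:
    """Server side: accept a packet once, only if authentic and fresh."""

    def __init__(self, key, max_age=MAX_AGE):
        self.key = key
        self.max_age = max_age
        self.seen = set()      # digests of packets already accepted
        self.opened = []       # (src, port) pairs the firewall would allow

    def handle(self, packet, now):
        """Return 'ok' when access should be granted, else the drop reason."""
        body, sep, mac = packet.rpartition(b"|")
        if not sep:
            return "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, mac):
            return "bad-mac"   # wrong key or tampered payload: drop silently
        fields = json.loads(body)
        if abs(now - fields["ts"]) > self.max_age:
            return "stale"     # outside the window, so the cache can be bounded
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:
            return "replay"    # same packet captured and resent: drop
        self.seen.add(digest)
        self.opened.append((fields["src"], fields["port"]))
        return "ok"
```

A real deployment would also prune `seen` entries older than the freshness window, which is why the staleness check runs before the replay lookup.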