
Re: Request for review: fwknop package



>> > described in the fwknop documentation. In the meantime, using Rijndael
>> > for SPA encryption and decryption provides decent security.
>> >
>> > [...]
>> > _Description: Sniffing interface:
>> > By default, fwknop-server uses libpcap, and needs to know which Ethernet
>> > interface should be put in promiscuous mode.
>
> In my nitpicking mode, I'd say that programs "know"
> nothing..:-)...you *instruct* them to do something.
>
> "and should be configured to set the sniffing interface in promiscuous
> mode"

Added.

> I also wonder what value is added by saying that the program uses
> libpcap here. The important point is that we want to know the
> interface name....
>
> What about:
>
> _Description: Sniffing interface:
>  Please specify which Ethernet interface should be put in promiscuous mode.

You are not wrong, so I take it :p!

>> >
>> > [...]
>> > _Description: Encryption key to use:
>> > By default, SPA packets are encrypted with the Rijndael block cipher,
>> > which requires an encryption key. This password must be at least eight
>> > characters in length.
>
> The prompt asks for an encryption key but the text talks about a
> password. That's slightly inconsistent.

As a matter of fact, a key can be a password, a passphrase or a file
that contains information:

Something like that:
[code]
# cat rndc.key
key "rndc-key" {
        algorithm hmac-md5;
        secret "QJc01cnP1qkoF4a+eSZZbwx=";
};
[/code]

The Rijndael key is more a password to encrypt/decrypt SPA packets.
But I am not sure whether we can talk about an encryption password or not.
To me, it does not sound good. However, I think that should be specified.
That is why I use

  "This password must be at least eight characters in length."


Part of the debian/control file
-------------------------------
Justin B Rye wrote:
> Franck Joncourt wrote:
>
[...]
>> The authorization server passively monitors authorization packets via
>> libpcap and hence there is no "server" to which to connect in the
>> traditional sense. Access to a protected service is only granted after a
>> valid encrypted and non-replayed packet is monitored.
>
[...]
>   The authorization server passively listens for authorization packets via
>   libpcap, so there is no service listening for network connections on the
>   traditional port. Access to a protected service is only granted after a
>   valid encrypted and non-replayed packet is detected.
>
> You can't really deny there's a server; adding fwknopd increases the
> number of installed servers by one!  Even saying there's no service
> is stretching things a bit.

I am not sure about:
  libpcap, so there is no service listening for network connections

The service is listening, but the current iptables policy prevents
connections from being processed by the service.

Maybe:
  libpcap, thus preventing any connections from being processed
  on the traditional port.

What do you think?

[...]
>> This is the client program responsible for accepting password input
>> from the user; constructing SPA packets that conform to the fwknop
>> packet format; encrypting packet data.
>
> Instead of "doing X; doing Y; doing Z", make that "doing X, doing Y,
> and doing Z":
>   This is the client program responsible for accepting password input
>   from the user, constructing SPA packets that conform to the fwknop
>   packet format, and encrypting packet data.

Ok.

Is there a mistake with the last comma, or is it English syntax?
"doing X, doing Y, and doing Z"


Part of the README.Debian file
------------------------------
a) Quick setup

>> As the FWKnop OPerator daemon can be configured in many ways, this
>
> Wait, "FWKnop OPerator daemon"?  Shouldn't that be "FireWall KNock
> OPerator daemon"?

You are right. I was mistaken.

[...]
>> During the installation process, if the daemon has not previously been
>> configured, the user will be prompted for a quick setup. In case you
>> decline the offer, you can still run it with the following command:
>
> Not "In case".  Make it "If" or "Even if".
>
> ("In case" means subtly different things in different parts of the
> anglophone world.  For some users, it's "conditionally, if"; for
> others it's "unconditionally, lest".  The instruction "unplug your
> computer immediately in case it catches fire" is dangerously
> ambiguous.)

I take note.

[...]
>> You will be asked few questions, then the FWKnop OPerator daemon will be
>                    a few                    see above
>> started according to your settings. Edit access.conf and fwknop.conf in
>> /etc/fwknop/ if you would like to make some other changes and restart
>> the daemon.
>
>                                       If you want to make any further
>   changes, edit access.conf and fwknop.conf in /etc/fwknop/ and restart
>   the daemon.

Done

b) Check your installation

>> To verify that your installation was successful, try connecting to your
>> SSH server using the fwknop client.
>>
>> [code]
>> [...]
>
> ?
>
>> [/code]

I removed the code snippet since it was useless.

c) Minimal steps to configure the FWKnop OPerator server

>> In case you would prefer to update both access.conf and fwknop.conf
>   If
>> files in /etc/fwknop by hand, here is the list of the variables that
>> have to be defined:

Done.

>> in access.conf:
>>   -> KEY: myverylongkey
>
> Distracting "->" bulletpoints; is this the syntax of the file or
> would it make more sense to quote them like this?
>
>   in access.conf:
>   	KEY=myverylongkey
>
>>   or
>>   -> GPG_HOME_DIR: /root/.gnupg;
>>   -> GPG_DECRYPT_ID: ABCD1234;
>>   -> GPG_DECRYPT_PW: myGpgPassword;
>>   -> GPG_REMOTE_ID: 1234ABCD;
>>
>> in fwknop.conf:
>>   -> HOSTNAME: diamond.dthconnex.com
>>   -> PCAP_INTF: eth0

Updated.

>> By default, the FWKnop OPerator daemon is not allowed to start at boot
>                   see above         say "is not started at boot"
>> time through the init scripts in /etc/init.d/. You can change this
>> behaviour by updating the START_DAEMON variable from "no" to "yes" in
> en_US:behavior
>> /etc/default/fwknop-server.

So which one should I use, since to me there is no difference at all :)
In the same way, I used to use colour rather than color.

Here are the updated files:

Part of the fwknop-server.templates file
----------------------------------------

_Description: Configure fwknop to protect the SSH port?
The FireWall KNock OPerator daemon has not been set up yet. This install
 process can configure fwknopd to protect the SSH port with a simple
 Rijndael shared key, but moving to a GnuPG setup is recommended.
 Setting up GnuPG for SPA communications involves a few manual steps
 that are described in the fwknop documentation. In the meantime, using
 Rijndael for SPA encryption and decryption provides decent security.

_Description: Sniffing interface:
 Please specify which Ethernet interface should be put in promiscuous
 mode.

_Description: Encryption key to use:
 By default, SPA packets are encrypted with the Rijndael block cipher,
 which requires an encryption key. This password must be at least eight
 characters in length.

Part of the debian/control file
-------------------------------

Description: FireWall KNock OPerator server side
 The FireWall KNock OPerator implements an authorization scheme called
 Single Packet Authorization (SPA), based on Netfilter and libpcap.
 .
 Its main application is to protect services such as OpenSSH with
 an additional layer of security in order to make the exploitation of
 vulnerabilities (both 0-day and unpatched code) much more difficult.
 .
 The authorization server passively listens for authorization packets
 via libpcap, so there is no service listening for network connections on
 the traditional port. Access to a protected service is only granted
 after a valid encrypted and non-replayed packet is detected.

Description: FireWall KNock OPerator client side
 The FireWall KNock OPerator implements an authorization scheme called
 Single Packet Authorization (SPA), based on Netfilter and libpcap.
 .
 Its main application is to protect services such as OpenSSH with
 an additional layer of security in order to make the exploitation of
 vulnerabilities (both 0-day and unpatched code) much more difficult.
 .
 This is the client program responsible for accepting password input
 from the user, constructing SPA packets that conform to the fwknop
 packet format, and encrypting packet data.



README Debian file
------------------

                                 Quick setup
--------------------------------------------------------------------------------

As the FireWall KNock OPerator daemon can be configured in many ways,
this package allows the user to turn the SSH protection on by the use of
a Rijndael password. Although this provides decent security, moving to a
GnuPG setup is recommended.

During the installation process, if the daemon has not previously been
configured, the user will be prompted for a quick setup. If you decline
the offer, you can still run it with the following command:

[code]
# dpkg-reconfigure fwknop-server
[/code]

You will be asked a few questions, then the FireWall KNock OPerator
daemon will be started according to your settings. If you want to make
any further changes, edit access.conf and fwknop.conf in /etc/fwknop/
and restart the daemon.

[code]
# invoke-rc.d fwknop-server restart
[/code]

                          Check your installation
--------------------------------------------------------------------------------

To verify that your installation was successful, try connecting to your
SSH server using the fwknop client.

[code]
$ nc -z -vv spaserver 22
spaserver (71.157.X.X) 22 (ssh) : Connection refused

$ fwknop -A tcp/22 -R -k spaserver

[+] Starting fwknop client (SPA mode)...
[+] Resolving hostname: spaserver
    Resolving external IP via: http://www.whatismyip.org/
    Got external address: 204.23.X.X

[+] Enter an encryption key. This key must match a key in the file
    /etc/fwknop/access.conf on the remote system.

Encryption Key:

[+] Building encrypted Single Packet Authorization (SPA) message...
[+] Packet fields:

        Random data:    5300351470514251
        Username:       thialme
        Timestamp:      1221761661
        Version:        1.9.8-pre1
        Type:           1 (access mode)
        Access:         204.23.X.X,tcp/22
        SHA256 digest:  qlMNTa8d3JHexFeObFWowF/5FGQxCORVCy5u/YP/4KU

[+] Sending 182 byte message to 71.157.X.X over udp/62201...

# nc -z -vv spaserver 22
spaserver (71.157.X.X) 22 (ssh) open
[/code]

          Minimal steps to configure the FWKnop OPerator server
--------------------------------------------------------------------------------

If you would prefer to update both access.conf and fwknop.conf files in
/etc/fwknop by hand, here is the list of the variables that have to be
defined:

in access.conf:
     KEY:             myverylongkey;
  or
     GPG_HOME_DIR:    /root/.gnupg;
     GPG_DECRYPT_ID:  ABCD1234;
     GPG_DECRYPT_PW:  myGpgPassword;
     GPG_REMOTE_ID:   1234ABCD;

in fwknop.conf:
     HOSTNAME         diamond.dthconnex.com;
     PCAP_INTF        eth0;

By default, the FireWall KNock OPerator daemon is not started at boot
time through the init scripts in /etc/init.d/. You can change this
behaviour by updating the START_DAEMON variable from "no" to "yes" in
/etc/default/fwknop-server.

I hope I have not missed anything.

-- 
Franck Joncourt
http://debian.org - http://smhteam.info/wiki/
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
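As an added example (not code from the fwknop package or from this thread), here is the kind of sanity check a packager could run over the two hand-edited files listed in the "Minimal steps" section of the README above. It assumes the `VAR: value;` (access.conf) and `VAR value;` (fwknop.conf) layouts shown there, and the sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the fwknop package or from this thread: a
# sanity check over the variables the README says must be set by hand.
# It assumes the "VAR: value;" (access.conf) and "VAR value;" (fwknop.conf)
# layouts shown in the README; the sample files below are constructed.

# conf_get FILE VAR: print the first value of VAR in FILE, or nothing.
conf_get() {
    sed -n "s/^[[:space:]]*$2:\{0,1\}[[:space:]]\{1,\}\([^;[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# check_fwknop_conf ACCESS_CONF FWKNOP_CONF: return 0 when access.conf holds
# either a KEY of at least eight characters (the minimum the debconf template
# states) or the complete GPG_* set, and fwknop.conf names HOSTNAME and
# PCAP_INTF. The reason for a failure is printed on stderr.
check_fwknop_conf() {
    access="$1"; conf="$2"
    key=$(conf_get "$access" KEY)
    if [ -n "$key" ]; then
        [ "${#key}" -ge 8 ] || { echo "access.conf: KEY is shorter than eight characters" >&2; return 1; }
    else
        for v in GPG_HOME_DIR GPG_DECRYPT_ID GPG_DECRYPT_PW GPG_REMOTE_ID; do
            [ -n "$(conf_get "$access" "$v")" ] || { echo "access.conf: no KEY and no $v" >&2; return 1; }
        done
    fi
    for v in HOSTNAME PCAP_INTF; do
        [ -n "$(conf_get "$conf" "$v")" ] || { echo "fwknop.conf: missing $v" >&2; return 1; }
    done
}

# Constructed sample files mirroring the README's variable list.
SAMPLES=$(mktemp -d)
printf 'KEY:             myverylongkey;\n' > "$SAMPLES/access-key.conf"
printf 'KEY:             short;\n' > "$SAMPLES/access-short.conf"
printf 'GPG_HOME_DIR:    /root/.gnupg;\nGPG_DECRYPT_ID:  ABCD1234;\n' > "$SAMPLES/access-gpg.conf"
printf 'GPG_DECRYPT_PW:  myGpgPassword;\nGPG_REMOTE_ID:   1234ABCD;\n' >> "$SAMPLES/access-gpg.conf"
printf 'GPG_HOME_DIR:    /root/.gnupg;\n' > "$SAMPLES/access-gpg-partial.conf"
printf 'HOSTNAME         diamond.dthconnex.com;\nPCAP_INTF        eth0;\n' > "$SAMPLES/fwknop.conf"

check_fwknop_conf "$SAMPLES/access-key.conf" "$SAMPLES/fwknop.conf" && echo "Rijndael setup: ok"
check_fwknop_conf "$SAMPLES/access-gpg.conf" "$SAMPLES/fwknop.conf" && echo "GnuPG setup: ok"
check_fwknop_conf "$SAMPLES/access-short.conf" "$SAMPLES/fwknop.conf" || echo "short KEY rejected, as expected"
check_fwknop_conf "$SAMPLES/access-gpg-partial.conf" "$SAMPLES/fwknop.conf" || echo "incomplete GPG set rejected, as expected"
```

Point the two arguments at /etc/fwknop/access.conf and /etc/fwknop/fwknop.conf to check a real installation; the check only reads the files.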
