>> > described in the fwknop documentation. In the meantime, using Rijndael
>> > for SPA encryption and decryption provides decent security.
>> >
>> > [...]
>> > _Description: Sniffing interface:
>> > By default, fwknop-server uses libpcap, and needs to know which Ethernet
>> > interface should be put in promiscuous mode.
>
> In my nitpicking mode, I'd say that programs "know"
> nothing..:-)...you *instruct* them to do something.
>
> "and should be configured to set the sniffing interface in promiscuous
> mode"

Added.

> I also wonder what value is added by saying that the program uses
> libpcap here. The important point is that we want to know the
> interface name....
>
> What about:
>
> _Description: Sniffing interface:
> Please specify which Ethernet interface should be put in promiscuous mode.

You are not wrong, so I take it :p!

>> >
>> > [...]
>> > _Description: Encryption key to use:
>> > By default, SPA packets are encrypted with the Rijndael block cipher,
>> > which requires an encryption key. This password must be at least eight
>> > characters in length.
>
> The prompt asks for an encryption key but the text talks about a
> password. That's slightly inconsistent.

As a matter of fact, a key can be a password, a passphrase or a file that
contains information. Something like this:

[code]
# cat rndc.key
key "rndc-key" {
        algorithm hmac-md5;
        secret "QJc01cnP1qkoF4a+eSZZbwx=";
};
[/code]

The Rijndael key is more a password to encrypt/decrypt SPA packets. But I am
not sure whether we can talk about an encryption password or not. To me, it
does not sound good. However, I think that should be specified. That is why I
use "This password must be at least eight characters in length."

Part of the debian/control file
-------------------------------

Justin B Rye wrote:
> Franck Joncourt wrote:
>
[...]
>> The authorization server passively monitors authorization packets via
>> libpcap and hence there is no "server" to which to connect in the
>> traditional sense. Access to a protected service is only granted after a
>> valid encrypted and non-replayed packet is monitored.
>
[...]
> The authorization server passively listens for authorization packets via
> libpcap, so there is no service listening for network connections on the
> traditional port. Access to a protected service is only granted after a
> valid encrypted and non-replayed packet is detected.
>
> You can't really deny there's a server; adding fwknopd increases the
> number of installed servers by one! Even saying there's no service
> is stretching things a bit.

I am not sure about:

libpcap, so there is no service listening for network connections

The service is listening, but the current iptables policy prevents
connections from being processed by the service.

Maybe:

libpcap, thus preventing any connections from being processed on the
traditional port.

What do you think?

[...]

>> This is the client program responsible for accepting password input
>> from the user; constructing SPA packets that conform to the fwknop
>> packet format; encrypting packet data.
>
> Instead of "doing X; doing Y; doing Z", make that "doing X, doing Y,
> and doing Z":
> This is the client program responsible for accepting password input
> from the user, constructing SPA packets that conform to the fwknop
> packet format, and encrypting packet data.

Ok. Is there a mistake with the last comma, or is it English syntax?

"doing X, doing Y, and doing Z"

Part of the README.Debian file
------------------------------

a) Quick setup

>> As the FWKnop OPerator daemon can be configured in many ways, this
>
> Wait, "FWKnop OPerator daemon"? Shouldn't that be "FireWall KNock
> OPerator daemon"?

You are right. I was mistaken.

[...]
>> During the installation process, if the daemon has not previously been
>> configured, the user will be prompted for a quick setup. In case you
>> decline the offer, you can still run it with the following command:
>
> Not "In case". Make it "If" or "Even if".
>
> ("In case" means subtly different things in different parts of the
> anglophone world. For some users, it's "conditionally, if"; for
> others it's "unconditionally, lest". The instruction "unplug your
> computer immediately in case it catches fire" is dangerously
> ambiguous.)

I take note.

[...]

>> You will be asked few questions, then the FWKnop OPerator daemon will be
> a few

see above

>> started according to your settings. Edit access.conf and fwknop.conf in
>> /etc/fwknop/ if you would like to make some other changes and restart
>> the daemon.
>
> If you want to make any further
> changes, edit access.conf and fwknop.conf in /etc/fwknop/ and restart
> the daemon.

Done.

b) Check your installation

>> To verify that your installation was successful, try connecting to your
>> SSH server using the fwknop client.
>>
>> [code]
>> [...]
>
> ?
>
>> [/code]

I removed the code snippet since it was useless.

c) Minimal steps to configure the FWKnop OPerator server

>> In case you would prefer to update both access.conf and fwknop.conf
> If
>> files in /etc/fwknop by hand, here is the list of the variables that
>> have to be defined:

Done.

>> in access.conf:
>> -> KEY: myverylongkey
>
> Distracting "->" bulletpoints; is this the syntax of the file or
> would it make more sense to quote them like this?
>
> in access.conf:
> KEY=myverylongkey
>
>> or
>> -> GPG_HOME_DIR: /root/.gnupg;
>> -> GPG_DECRYPT_ID: ABCD1234;
>> -> GPG_DECRYPT_PW: myGpgPassword;
>> -> GPG_REMOTE_ID: 1234ABCD;
>>
>> in fwknop.conf:
>> -> HOSTNAME: diamond.dthconnex.com
>> -> PCAP_INTF: eth0

Updated.
>> By default, the FWKnop OPerator daemon is not allowed to start at boot
> see above
> say "is not started at boot"
>> time through the init scripts in /etc/init.d/. You can change this
>> behaviour by updating the START_DAEMON variable from "no" to "yes" in
> en_US:behavior
>> /etc/default/fwknop-server.

So which one should I use, since to me there is no difference at all :)
In the same way, I used to use colour rather than color.

Here are the updated files:

Part of the fwknop-server.templates file
----------------------------------------

_Description: Configure fwknop to protect the SSH port?
The FireWall KNock OPerator daemon has not been set up yet. This install
process can configure fwknopd to protect the SSH port with a simple Rijndael
shared key, but moving to a GnuPG setup is recommended.

Setting up GnuPG for SPA communications involves a few manual steps that are
described in the fwknop documentation. In the meantime, using Rijndael for SPA
encryption and decryption provides decent security.

_Description: Sniffing interface:
Please specify which Ethernet interface should be put in promiscuous mode.

_Description: Encryption key to use:
By default, SPA packets are encrypted with the Rijndael block cipher, which
requires an encryption key. This password must be at least eight characters
in length.

Part of the debian/control file
-------------------------------

Description: FireWall KNock OPerator server side
 The FireWall KNock OPerator implements an authorization scheme called Single
 Packet Authorization (SPA), based on Netfilter and libpcap.
 .
 Its main application is to protect services such as OpenSSH with an
 additional layer of security in order to make the exploitation of
 vulnerabilities (both 0-day and unpatched code) much more difficult.
 .
 The authorization server passively listens for authorization packets via
 libpcap, so there is no service listening for network connections on the
 traditional port.
 Access to a protected service is only granted after a valid encrypted and
 non-replayed packet is detected.

Description: FireWall KNock OPerator client side
 The FireWall KNock OPerator implements an authorization scheme called Single
 Packet Authorization (SPA), based on Netfilter and libpcap.
 .
 Its main application is to protect services such as OpenSSH with an
 additional layer of security in order to make the exploitation of
 vulnerabilities (both 0-day and unpatched code) much more difficult.
 .
 This is the client program responsible for accepting password input from the
 user, constructing SPA packets that conform to the fwknop packet format, and
 encrypting packet data.

README Debian file
------------------

Quick setup
--------------------------------------------------------------------------------

As the FireWall KNock OPerator daemon can be configured in many ways, this
package allows the user to turn the SSH protection on by the use of a Rijndael
password. Although this provides decent security, moving to a GnuPG setup is
recommended.

During the installation process, if the daemon has not previously been
configured, the user will be prompted for a quick setup. If you decline the
offer, you can still run it with the following command:

[code]
# dpkg-reconfigure fwknop-server
[/code]

You will be asked a few questions, then the FireWall KNock OPerator daemon
will be started according to your settings. If you want to make any further
changes, edit access.conf and fwknop.conf in /etc/fwknop/ and restart the
daemon.

[code]
# invoke-rc.d fwknop-server restart
[/code]

Check your installation
--------------------------------------------------------------------------------

To verify that your installation was successful, try connecting to your SSH
server using the fwknop client.

[code]
$ nc -z -vv spaserver 22
spaserver (71.157.X.X) 22 (ssh) : Connection refused
$ fwknop -A tcp/22 -R -k spaserver

[+] Starting fwknop client (SPA mode)...
[+] Resolving hostname: spaserver
    Resolving external IP via: http://www.whatismyip.org/
    Got external address: 204.23.X.X
[+] Enter an encryption key. This key must match a key in the file
    /etc/fwknop/access.conf on the remote system.

Encryption Key:

[+] Building encrypted Single Packet Authorization (SPA) message...
[+] Packet fields:

        Random data:    5300351470514251
        Username:       thialme
        Timestamp:      1221761661
        Version:        1.9.8-pre1
        Type:           1 (access mode)
        Access:         204.23.X.X,tcp/22
        SHA256 digest:  qlMNTa8d3JHexFeObFWowF/5FGQxCORVCy5u/YP/4KU

[+] Sending 182 byte message to 71.157.X.X over udp/62201...
# nc -z -vv spaserver 22
spaserver (71.157.X.X) 22 (ssh) open
[/code]

Minimal steps to configure the FWKnop OPerator server
--------------------------------------------------------------------------------

If you would prefer to update both access.conf and fwknop.conf files in
/etc/fwknop by hand, here is the list of the variables that have to be
defined:

in access.conf:

KEY: myverylongkey;

or

GPG_HOME_DIR: /root/.gnupg;
GPG_DECRYPT_ID: ABCD1234;
GPG_DECRYPT_PW: myGpgPassword;
GPG_REMOTE_ID: 1234ABCD;

in fwknop.conf:

HOSTNAME diamond.dthconnex.com;
PCAP_INTF eth0;

By default, the FireWall KNock OPerator daemon is not started at boot time
through the init scripts in /etc/init.d/. You can change this behaviour by
updating the START_DAEMON variable from "no" to "yes" in
/etc/default/fwknop-server.

I hope I have not missed anything.

-- 
Franck Joncourt
http://debian.org - http://smhteam.info/wiki/
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
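The "Minimal steps" section above lists the variables that a hand-edited access.conf and fwknop.conf have to define, and the debconf template states that a Rijndael key must be at least eight characters. As an added example that is not part of this mail or of fwknop itself, the following Python check parses both files in the `NAME: value;` / `NAME value;` layout shown above and reports a setup that is incomplete or whose shared key is too short.

```python
"""Check the minimal fwknop 1.x variables listed in the README above.
Added example, not fwknop's own code: it assumes the 'NAME: value;'
(access.conf) and 'NAME value;' (fwknop.conf) layout shown in the mail."""

MIN_KEY_LEN = 8   # minimum stated by the "Encryption key to use" template
GPG_VARS = ("GPG_HOME_DIR", "GPG_DECRYPT_ID", "GPG_DECRYPT_PW", "GPG_REMOTE_ID")


def parse_conf(text, sep=":"):
    """Parse 'NAME<sep>value;' lines into a dict.
    '#' comments and blank lines are skipped (so a KEY containing '#' is
    not supported by this check)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, value = line.partition(sep)
        conf[name.strip()] = value.strip().rstrip(";").strip()
    return conf


def check_config(access, fwknop):
    """Return a list of problems; an empty list means the minimal setup is complete."""
    problems = []
    if "KEY" in access:
        # Rijndael shared-key mode: the debconf template requires >= 8 characters.
        if len(access["KEY"]) < MIN_KEY_LEN:
            problems.append("KEY shorter than %d characters" % MIN_KEY_LEN)
    elif any(v in access for v in GPG_VARS):
        # GnuPG mode: all four variables are needed for decryption to work.
        problems.extend("GnuPG setup incomplete: %s missing" % v
                        for v in GPG_VARS if v not in access)
    else:
        problems.append("neither KEY nor GPG_* variables defined in access.conf")
    for v in ("HOSTNAME", "PCAP_INTF"):   # fwknopd needs both to sniff
        if not fwknop.get(v):
            problems.append("%s missing from fwknop.conf" % v)
    return problems


# Constructed sample files (not real keys) mirroring the README's variables.
SAMPLE_ACCESS = "# Rijndael shared key set by the quick setup\nKEY: short;\n"
SAMPLE_FWKNOP = "HOSTNAME diamond.dthconnex.com;\nPCAP_INTF eth0;\n"

if __name__ == "__main__":
    for p in check_config(parse_conf(SAMPLE_ACCESS), parse_conf(SAMPLE_FWKNOP, " ")):
        print("problem:", p)
```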