
Re: Request for review: fwknop package



This message should be better than the first one.

(Please CC me) :)

Hi -

First, I answer your questions (Christian and Justin), and then I add
the updated files.

Part of the fwknop-server.templates
-----------------------------------

>> > _Description: Configure fwknop to protect the SSH port?
>> > The FireWall KNock OPerator daemon has not been set up yet. This install
>> > process can configure fwknopd to protect the SSH port with a simple
> 
> I'm generally not fond of "this install process" or anything referring
> to what's happening.
> 
> I'd suggest a more neutral wording such as "The fwknopd daemon may be
> configured to protect..." or "You can choose to configure fwknopd to..."

  The FireWall KNock OPerator daemon has not been set up yet. You can
  choose to configure fwknopd to protect the SSH port with a simple
  Rijndael shared key, but moving to a GnuPG setup is recommended.

That is nice. However, when I read the sentence, and its associated
description, I am not sure that I am going to configure fwknop with a
Rijndael shared key, if I answer Yes to the question.

If I append "with a shared key" to the description, it becomes a bit long.

>> > Rijndael shared key, but moving to a GnuPG setup is recommended. Setting
>> > up GnuPG for SPA communications involves a few manual steps that are
>> > described in the fwknop documentation. In the meantime, using Rijndael
>> > for SPA encryption and decryption provides decent security.
>> > 
>> > [...]
>> > _Description: Sniffing interface:
>> > By default, fwknop-server uses libpcap, and needs to know which Ethernet
>> > interface should be put in promiscuous mode.
> 
> In my nitpicking mode, I'd say that programs "know"
> nothing..:-)...you *instruct* them to do something.
> 
> "and should be configured to set the sniffing interface in promiscuous
> mode"

Added.

> I also wonder what value is added by saying that the program uses
> libpcap here. The important point is that we want to know the
> interface name....
> 
> What about:
> 
> _Description: Sniffing interface:
>  Please specify which Ethernet interface should be put in promiscuous mode.

You are not wrong, so I take it :p!

>> > 
>> > [...]
>> > _Description: Encryption key to use:
>> > By default, SPA packets are encrypted with the Rijndael block cipher,
>> > which requires an encryption key. This password must be at least eight
>> > characters in length.
> 
> The prompt asks for an encryption key but the text talks about a
> password. That's slightly inconsistent.

As a matter of fact, a key can be a password, a passphrase or a file
that contains information:

Something like that
[code]
# cat rndc.key
key "rndc-key" {
        algorithm hmac-md5;
        secret "QJc01cnP1qkoF4a+eSZZbwx=";
};
[/code]

The Rijndael key is more a password to encrypt/decrypt SPA packets.
But I am not sure whether we can talk about encryption password or not.
To me, it does not sound good. However, I think that should be specified.
That is why I use

  "This password must be at least eight characters in length."


Part of the debian/control file
-------------------------------
Justin B Rye wrote:
> Franck Joncourt wrote:
> 
[...]
>> The authorization server passively monitors authorization packets via
>> libpcap and hence there is no "server" to which to connect in the
>> traditional sense. Access to a protected service is only granted after a
>> valid encrypted and non-replayed packet is monitored.
> 
[...]
>   The authorization server passively listens for authorization packets via
>   libpcap, so there is no service listening for network connections on the
>   traditional port. Access to a protected service is only granted after a
>   valid encrypted and non-replayed packet is detected.
> 
> You can't really deny there's a server; adding fwknopd increases the
> number of installed servers by one!  Even saying there's no service
> is stretching things a bit. 

I am not sure about:
  libpcap, so there is no service listening for network connections

The service is listening, but the current iptables policy prevents
connections from being processed by the service.

Maybe:
  libpcap, thus preventing any connections from being processed
  on the traditional port.

What do you think?

[...]
>> This is the client program responsible for accepting password input
>> from the user; constructing SPA packets that conform to the fwknop
>> packet format; encrypting packet data.
> 
> Instead of "doing X; doing Y; doing Z", make that "doing X, doing Y,
> and doing Z":
>   This is the client program responsible for accepting password input
>   from the user, constructing SPA packets that conform to the fwknop
>   packet format, and encrypting packet data.

Ok.

Is there a mistake with the last comma, or is it an English syntax?
"doing X, doing Y, and doing Z"


Part of the README.Debian file
------------------------------
a) Quick setup

>> As the FWKnop OPerator daemon can be configured in many ways, this
> 
> Wait, "FWKnop OPerator daemon"?  Shouldn't that be "FireWall KNock
> OPerator daemon"?

You are right. I was mistaken.

[...]
>> During the installation process, if the daemon has not previously been
>> configured, the user will be prompted for a quick setup. In case you
>> decline the offer, you can still run it with the following command:
> 
> Not "In case".  Make it "If" or "Even if".
> 
> ("In case" means subtly different things in different parts of the
> anglophone world.  For some users, it's "conditionally, if"; for
> others it's "unconditionally, lest".  The instruction "unplug your
> computer immediately in case it catches fire" is dangerously
> ambiguous.) 

I take note.

[...]
>> You will be asked few questions, then the FWKnop OPerator daemon will be
>                    a few                    see above
>> started according to your settings. Edit access.conf and fwknop.conf in
>> /etc/fwknop/ if you would like to make some other changes and restart
>> the daemon.
> 
>                                       If you want to make any further
>   changes, edit access.conf and fwknop.conf in /etc/fwknop/ and restart
>   the daemon.

Done

b) Check your installation

>> To verify that your installation was successful, try connecting to your
>> SSH server using the fwknop client.
>>
>> [code]
>> [...]
> 
> ?
> 
>> [/code]

I removed the code snippet since it was useless.

c) Minimal steps to configure the FWKnop OPerator server

>> In case you would prefer to update both access.conf and fwknop.conf
>   If
>> files in /etc/fwknop by hand, here is the list of the variables that
>> have to be defined:

Done.

>> in access.conf:
>>   -> KEY: myverylongkey
> 
> Distracting "->" bulletpoints; is this the syntax of the file or
> would it make more sense to quote them like this?
> 
>   in access.conf:
>   	KEY=myverylongkey
> 
>>   or
>>   -> GPG_HOME_DIR: /root/.gnupg;
>>   -> GPG_DECRYPT_ID: ABCD1234;
>>   -> GPG_DECRYPT_PW: myGpgPassword;
>>   -> GPG_REMOTE_ID: 1234ABCD;
>>
>> in fwknop.conf:
>>   -> HOSTNAME: diamond.dthconnex.com
>>   -> PCAP_INTF: eth0

Updated.

>> By default, the FWKnop OPerator daemon is not allowed to start at boot
>                   see above         say "is not started at boot"
>> time through the init scripts in /etc/init.d/. You can change this
>> behaviour by updating the START_DAEMON variable from "no" to "yes" in
> en_US:behavior
>> /etc/default/fwknop-server.

So which one should I use, since to me there is no difference at all :)
In the same way, I used to use colour rather than color.

Here are the updated files:

Part of the fwknop-server.templates file
----------------------------------------

_Description: Configure fwknop to protect the SSH port?
The FireWall KNock OPerator daemon has not been set up yet. This install
 process can configure fwknopd to protect the SSH port with a simple
 Rijndael shared key, but moving to a GnuPG setup is recommended.
 Setting up GnuPG for SPA communications involves a few manual steps
 that are described in the fwknop documentation. In the meantime, using
 Rijndael for SPA encryption and decryption provides decent security.

_Description: Sniffing interface:
 Please specify which Ethernet interface should be put in promiscuous
 mode.

_Description: Encryption key to use:
 By default, SPA packets are encrypted with the Rijndael block cipher,
 which requires an encryption key. This password must be at least eight
 characters in length.

Part of the debian/control file
-------------------------------

Description: FireWall KNock OPerator server side
 The FireWall KNock OPerator implements an authorization scheme called
 Single Packet Authorization (SPA), based on Netfilter and libpcap.
 .
 Its main application is to protect services such as OpenSSH with
 an additional layer of security in order to make the exploitation of
 vulnerabilities (both 0-day and unpatched code) much more difficult.
 .
 The authorization server passively listens for authorization packets
 via libpcap, so there is no service listening for network connections on
 the traditional port. Access to a protected service is only granted
 after a valid encrypted and non-replayed packet is detected.

Description: FireWall KNock OPerator client side
 The FireWall KNock OPerator implements an authorization scheme called
 Single Packet Authorization (SPA), based on Netfilter and libpcap.
 .
 Its main application is to protect services such as OpenSSH with
 an additional layer of security in order to make the exploitation of
 vulnerabilities (both 0-day and unpatched code) much more difficult.
 .
 This is the client program responsible for accepting password input
 from the user, constructing SPA packets that conform to the fwknop
 packet format, and encrypting packet data.



README Debian file
------------------

                                 Quick setup
--------------------------------------------------------------------------------

As the FireWall KNock OPerator daemon can be configured in many ways,
this package allows the user to turn the SSH protection on by the use of
a Rijndael password. Although this provides decent security, moving to a
GnuPG setup is recommended.

During the installation process, if the daemon has not previously been
configured, the user will be prompted for a quick setup. If you decline
the offer, you can still run it with the following command:

[code]
# dpkg-reconfigure fwknop-server
[/code]

You will be asked a few questions, then the FireWall KNock OPerator
daemon will be started according to your settings. If you want to make
any further changes, edit access.conf and fwknop.conf in /etc/fwknop/
and restart the daemon.

[code]
# invoke-rc.d fwknop-server restart
[/code]

                          Check your installation
--------------------------------------------------------------------------------

To verify that your installation was successful, try connecting to your
SSH server using the fwknop client.

[code]
$ nc -z -vv spaserver 22
spaserver (71.157.X.X) 22 (ssh) : Connection refused

$ fwknop -A tcp/22 -R -k spaserver

[+] Starting fwknop client (SPA mode)...
[+] Resolving hostname: spaserver
    Resolving external IP via: http://www.whatismyip.org/
    Got external address: 204.23.X.X

[+] Enter an encryption key. This key must match a key in the file
    /etc/fwknop/access.conf on the remote system.

Encryption Key:

[+] Building encrypted Single Packet Authorization (SPA) message...
[+] Packet fields:

        Random data:    5300351470514251
        Username:       thialme
        Timestamp:      1221761661
        Version:        1.9.8-pre1
        Type:           1 (access mode)
        Access:         204.23.X.X,tcp/22
        SHA256 digest:  qlMNTa8d3JHexFeObFWowF/5FGQxCORVCy5u/YP/4KU

[+] Sending 182 byte message to 71.157.X.X over udp/62201...

# nc -z -vv spaserver 22
spaserver (71.157.X.X) 22 (ssh) open
[/code]

          Minimal steps to configure the FWKnop OPerator server
--------------------------------------------------------------------------------

If you would prefer to update both access.conf and fwknop.conf files in
/etc/fwknop by hand, here is the list of the variables that have to be
defined:

in access.conf:
     KEY:             myverylongkey;
  or
     GPG_HOME_DIR:    /root/.gnupg;
     GPG_DECRYPT_ID:  ABCD1234;
     GPG_DECRYPT_PW:  myGpgPassword;
     GPG_REMOTE_ID:   1234ABCD;

in fwknop.conf:
     HOSTNAME         diamond.dthconnex.com;
     PCAP_INTF        eth0;

By default, the FireWall KNock OPerator daemon is not started at boot
time through the init scripts in /etc/init.d/. You can change this
behaviour by updating the START_DAEMON variable from "no" to "yes" in
/etc/default/fwknop-server.

I hope I have not missed anything.

-- 
Franck Joncourt
http://debian.org - http://smhteam.info/wiki/
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
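
The minimal-variable list in the README draft above can be checked mechanically. The following Python sketch is an added example, not part of the original message or of the fwknop package; it assumes the `NAME: value;` and `NAME value;` line syntax shown in the draft and a single set of access settings, and its function names are hypothetical.

```python
import re

# Variable names and the key-length rule are taken from the README draft above.
GPG_VARS = ("GPG_HOME_DIR", "GPG_DECRYPT_ID", "GPG_DECRYPT_PW", "GPG_REMOTE_ID")
FWKNOP_VARS = ("HOSTNAME", "PCAP_INTF")
MIN_KEY_LEN = 8  # "This password must be at least eight characters in length."

def parse_conf(text):
    """Parse 'NAME: value;' or 'NAME value;' lines (syntax assumed from the draft)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = re.match(r"([A-Z_0-9]+)(?::|\s)\s*(.*?);?\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def check_minimal_setup(access_text, fwknop_text):
    """Return a list of problems; an empty list means the minimal setup is present."""
    access, fwknop = parse_conf(access_text), parse_conf(fwknop_text)
    problems = []
    if "KEY" in access:
        # Shared-key setup: enforce the eight-character minimum.
        if len(access["KEY"]) < MIN_KEY_LEN:
            problems.append("access.conf: KEY is shorter than 8 characters")
    else:
        # GnuPG setup: all four GPG_* variables must be set.
        missing = [v for v in GPG_VARS if not access.get(v)]
        if len(missing) == len(GPG_VARS):
            problems.append("access.conf: neither KEY nor the GPG_* variables are set")
        else:
            problems += [f"access.conf: {v} is not set" for v in missing]
    problems += [f"fwknop.conf: {v} is not set" for v in FWKNOP_VARS if not fwknop.get(v)]
    return problems

# Constructed sample input, reusing the placeholder values from the README draft.
SAMPLE_ACCESS = "# constructed sample\nKEY: myverylongkey;\n"
SAMPLE_FWKNOP = "HOSTNAME         diamond.dthconnex.com;\nPCAP_INTF        eth0;\n"

if __name__ == "__main__":
    for p in check_minimal_setup(SAMPLE_ACCESS, SAMPLE_FWKNOP) or ["minimal setup looks complete"]:
        print(p)
```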

