fwknop 2.6.0

fwknop implements an authorization scheme that requires only a single encrypted packet to communicate various pieces of info.
fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme based around Netfilter and libpcap that requires only a single encrypted packet in order to communicate various pieces of information including desired access through a Netfilter policy and/or complete commands to execute on the target system.

By using Netfilter to maintain a "default drop" stance, the main application of this program is to protect services such as OpenSSH with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more difficult.

The authorization server passively monitors authorization packets via libcap and hence there is no "server" to which to connect in the traditional sense. Access to a protected service is only granted after a valid encrypted and non-replayed packet is monitored.

This method is similar to the Single Packet Authorization scheme proposed by Simple Nomad and the folks at NMRC

fwknop project was also the first tool to combine traditional encrypted port knocking with passive OS fingerprinting. This makes it possible to do things like only allow, say, Linux-2.4/2.6 systems to connect to your SSH daemon.

last updated on:
September 9th, 2012, 12:38 GMT
price:
FREE!
developed by:
Michael Rash
license type:
GPL (GNU General Public License) 
category:
ROOT \ System \ Networking

FREE!

In a hurry? Add it to your Download Basket!

user rating 23

UNRATED
3.2/5
 

0/5

What's New in This Release:
  • (Radostan Riedel) Added an AppArmor policy for fwknopd that is known to work on Debian and Ubuntu systems. The policy file is available at extras/apparmor/usr.sbin/fwknopd.
  • [libfko] Nikolay Kolev reported a build issue with Mac OS X Mavericks where local fwknop copies of strlcat() and strlcpy() were conflicting with those that already ship with OS X 10.9. Closes #108 on github.
  • [libfko] (Franck Joncourt) Consolidated FKO context dumping function into lib/fko_util.c. In addition to adding a shared utility function for printing an FKO context, this change also makes the FKO context output slightly easier to parse by printing each FKO attribute on a single line (this change affected the printing of the final SPA packet data). The test suite has been updated to account for this change as well.
  • [libfko] Bug fix to not attempt SPA packet decryption with GnuPG without an fko object with encryption_mode set to FKO_ENC_MODE_ASYMMETRIC. This bug was caught with valgrind validation against the perl FKO extension together with the set of SPA fuzzing packets in test/fuzzing/fuzzing_spa_packets. Note that this bug cannot be triggered via fwknopd because additional checks are made within fwknopd itself to force FKO_ENC_MODE_ASYMMETRIC whenever an access.conf stanza contains GPG key information. This fix strengthens libfko itself to independently require that the usage of fko objects without GPG key information does not result in attempted GPG decryption operations. Hence this fix applies mostly to third party usage of libfko
read full changelog

Add your review!

SUBMIT