Quick demo guide for SPA ( re: the port knocking thread )




For what it's worth to those who want to play with SPA, here is a demo I whipped up. It is very easy to set up, and I almost guarantee anyone can get this running.

What we will demonstrate:

Basically: an SPA demo.
Requirements: very little, just a minimal setup of CentOS.

This setup will demonstrate a client who initially cannot connect to an SSH port on the server (the server is DROPping packets and appears not to be running sshd). After a successful encrypted SPA (Single Packet Authorization) packet is sent to the server, for which a shared key and usercode are required, the SSH port is opened for the client IP only, and the client can then continue to connect with the normally required SSH credentials. After a timeout, the port is CLOSED to all traffic from the client IP; however, the firewall's ESTABLISHED and RELATED rules will allow the already connected client to continue to communicate.


Setup details:
Server:
Almost any kind of CentOS, but I use CentOS 4.4 installed on a VM (VMware Workstation build 36983)
SELinux disabled
Firewall enabled, no services allowed.
"Minimal" installation performed.
IP=10.1.1.155

Client:
Almost any *nix, but I have used CentOS 4.4 installed on a VM (VMware Workstation build 36983)
SELinux disabled
Firewall enabled, no services allowed.
"Minimal" installation performed.
IP=10.1.1.8


===================
Setup the server

Optional: update the server:
#yum -y update
#reboot

Install fwknop
#cd /tmp
#wget http://www.cipherdyne.org/fwknop/download/fwknop-1.0.1-1.i386.rpm
#rpm -i fwknop-1.0.1-1.i386.rpm

Back up fwknop's access.conf file and make our own.
#mv /etc/fwknop/access.conf /etc/fwknop/access.conf.orig
#access=/etc/fwknop/access.conf
#echo "SOURCE: ANY;">>$access
#echo "OPEN_PORTS:tcp/22;">>$access
#echo "DATA_COLLECT_MODE: ULOG_PCAP;">>$access
#echo "KEY: pkpassword;">>$access
#echo "FW_ACCESS_TIMEOUT: 30;">>$access
#echo "REQUIRE_USERNAME: mbr;">>$access

Note: the usercode and password we need to give the client are usercode: mbr, password: pkpassword.

Change the firewall. By default a CentOS build REJECTS everything; we want it to DROP instead, so that no one can tell whether sshd is running or not. (This step is optional.)

#service iptables stop
#joe /etc/sysconfig/iptables
change
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
to
-A RH-Firewall-1-INPUT -j DROP
Restart the firewall:
#service iptables start
Start fwknopd in debug mode:
#fwknopd --debug

Leave this debug window open, and you will see the rules that fwknop adds to the firewall.

Set up the client:

Install fwknop (the same package contains server and client tools)
#cd /tmp
#wget http://www.cipherdyne.org/fwknop/download/fwknop-1.0.1-1.i386.rpm
#rpm -i fwknop-1.0.1-1.i386.rpm

Proof: try to connect to the server on port 22
#nc -v 10.1.1.155 22
nc will appear to hang waiting for a response -> no response.
(unless you skipped the step above for changing the firewall rules, in which case I think you get a 'no route to host' message)

Now knock to open the port, using the usercode and password as above (you will be prompted for the password):
#fwknop -A tcp/22 -k 10.1.1.155 --Spoof-user mbr -a 10.1.1.8

-A is the port to send the SPA packet to
-k is the server to send to
--Spoof-user is because we are not mbr (I am root);
we wouldn't need this if we were logged on as 'mbr'
-a 10.1.1.8 is because I am on a NATed subnet, and without it fwknop will resolve my IP to a public one, and then tell the server to open port 22 to that public IP, which won't help me.

You have 30 seconds to try to connect now ...
#nc -v 10.1.1.155 22
pc-00155.xx_hidden_xx.org [10.1.1.155] 22 (ssh) open
SSH-1.99-OpenSSH_3.9p1

Ctrl-c to kill this.

So we have proved that port 22 has been opened by our knock.
Watching the server's debug output as mentioned above will show you the exact rule which was added to iptables to achieve this.

If you have exceeded your 30 sec, just run the knock again:
#fwknop -A tcp/22 -k 10.1.1.155 --Spoof-user mbr -a 10.1.1.8
and then try to connect:
#ssh root@xxxxxxxxxx

If you are quick enough you can run
#service iptables status|grep 10.1.1.8
ACCEPT tcp -- 10.1.1.8 0.0.0.0/0 tcp dpt:22

This shows you the rule which let you in.
Note that port 22 is open to *YOUR IP* only.

About 30 sec later you will see:
# service iptables status|grep 10.1.1.8
# [no output]

This shows you that the open port has been closed.
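To turn the two `service iptables status` checks above into something repeatable, here is an added example (my own shell script, not code from the original post or from fwknop) that parses listings in that `iptables -L -n` format and reports whether tcp/22 is open to the one client IP, open more broadly than it should be, or closed again. The three listings are constructed samples in the format shown in the post, and the function names `spa_rule_ok` and `spa_rule_state` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: check that the rule fwknopd
# inserted is scoped to a single client IP and port, by parsing output in the
# `service iptables status` (iptables -L -n) format. All listings below are
# constructed samples, not captured from the demo server.

# Constructed sample: the 30-second window is open for 10.1.1.8 only.
SAMPLE_OPEN='Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  10.1.1.8             0.0.0.0/0           tcp dpt:22
DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed sample: after FW_ACCESS_TIMEOUT the rule has been removed again.
SAMPLE_CLOSED='Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed sample of a misconfiguration: port 22 opened to every source.
SAMPLE_BROAD='Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# spa_rule_ok LISTING CLIENT_IP PORT
# Returns 0 only if LISTING holds exactly one ACCEPT rule for tcp dpt:PORT
# and that rule's source column is exactly CLIENT_IP (a single host).
spa_rule_ok() {
    listing=$1
    client=$2
    port=$3
    # Columns of `iptables -L -n`: target prot opt source destination [extra...]
    # so an fwknop rule reads: ACCEPT tcp -- <src> 0.0.0.0/0 tcp dpt:<port>
    matches=$(printf '%s\n' "$listing" | awk -v p="$port" \
        '$1 == "ACCEPT" && $2 == "tcp" && $6 == "tcp" && $7 == ("dpt:" p)')
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    # No rule: window closed. More than one: something else also opens the port.
    [ "$count" -eq 1 ] || return 1
    # The fourth column is the source; it must be the single client address.
    src=$(printf '%s\n' "$matches" | awk '{ print $4 }')
    [ "$src" = "$client" ]
}

# spa_rule_state LISTING CLIENT_IP PORT: one-line summary of the three cases.
spa_rule_state() {
    if spa_rule_ok "$1" "$2" "$3"; then
        echo "open: tcp/$3 accepted from $2 only"
    elif printf '%s\n' "$1" | grep -q "dpt:$3"; then
        echo "WARNING: tcp/$3 rule present but not scoped to $2 alone"
    else
        echo "closed: no ACCEPT rule for tcp/$3"
    fi
}

# Stand-alone run: on a real server you would feed in
#   spa_rule_state "$(service iptables status)" 10.1.1.8 22
spa_rule_state "$SAMPLE_OPEN"   10.1.1.8 22
spa_rule_state "$SAMPLE_CLOSED" 10.1.1.8 22
spa_rule_state "$SAMPLE_BROAD"  10.1.1.8 22
```

Running it against the real listing in a loop every few seconds gives you both halves of the demo at once: the rule appearing for your IP after the knock, and disappearing after the FW_ACCESS_TIMEOUT, with a warning if the rule ever turns out wider than a single host.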


Note: if you get a message like 'remote time stamp is older than 120 second max age.' then you have a clock sync problem (common when using VMware).

Note: if you have trouble with clock drift and you don't want to be bothered fixing it, you can make fwknop less sensitive:
#joe /etc/fwknop/fwknop.conf
change
MAX_SPA_PACKET_AGE          120;
to
MAX_SPA_PACKET_AGE          1200;
or similar (20 minute window)
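Before widening MAX_SPA_PACKET_AGE, it is worth knowing how far the two clocks are actually apart, because the window is also how long a captured SPA packet stays acceptable to the server. The following added example (my own script, not from the original post or from fwknop) reads the value out of a fwknop.conf excerpt in the format shown above and reports whether a packet stamped by the client clock would still fall inside the window on the server clock. The config excerpt and the timestamps are constructed samples; the functions `max_spa_age` and `spa_age_ok` are this example's own, and the age test simply mirrors the "older than ... max age" message the post quotes.

```shell
#!/bin/sh
# Added example, not part of the original post: measure client/server clock
# skew against MAX_SPA_PACKET_AGE before deciding to raise it. The config text
# and timestamps are constructed samples.

# Constructed excerpt of /etc/fwknop/fwknop.conf in the format the post shows.
SAMPLE_CONF='### SPA packets older than this many seconds are rejected
MAX_SPA_PACKET_AGE          120;
FW_ACCESS_TIMEOUT           30;'

# max_spa_age CONF_TEXT: print the MAX_SPA_PACKET_AGE value without the ';'.
max_spa_age() {
    printf '%s\n' "$1" | awk '$1 == "MAX_SPA_PACKET_AGE" { sub(/;$/, "", $2); print $2; exit }'
}

# spa_age_ok CLIENT_EPOCH SERVER_EPOCH MAX_AGE
# CLIENT_EPOCH is the time stamp the client put in the SPA packet, SERVER_EPOCH
# the server clock when the packet arrived. Returns 0 when the packet is within
# MAX_AGE seconds, 1 when the server would reject it as too old. Skew in either
# direction is treated the same here (this example's choice; the post only
# describes the "older than max age" case).
spa_age_ok() {
    age=$(( $2 - $1 ))
    if [ "$age" -lt 0 ]; then
        age=$(( 0 - age ))
    fi
    [ "$age" -le "$3" ]
}

# Stand-alone run with a constructed 400 s drift between the two VMs.
MAX_AGE=$(max_spa_age "$SAMPLE_CONF")
CLIENT_TS=1171000000
SERVER_TS=1171000400
if spa_age_ok "$CLIENT_TS" "$SERVER_TS" "$MAX_AGE"; then
    echo "skew $(( SERVER_TS - CLIENT_TS ))s is inside the ${MAX_AGE}s window"
else
    echo "skew $(( SERVER_TS - CLIENT_TS ))s exceeds MAX_SPA_PACKET_AGE ${MAX_AGE}s: sync the clocks or widen the window"
fi
```

On real hosts the two timestamps come from `date +%s` run on the client and on the server at the same moment; if the skew is a few seconds, fix the clocks rather than the window, since every second added to MAX_SPA_PACKET_AGE is a second longer that any single captured knock remains valid.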

Thanks to Michael Rash for his great PDF
(http://www.usenix.org/publications/login/2006-02/pdfs/rash.pdf)
which I blatantly ripped content from for the good of the world.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
