For what it's worth to those who want to play with SPA, here
is a demo I whipped up. It is very easy to set up, and I
almost guarantee anyone can get this running.
What we will demonstrate:
Basically: an SPA demo.
Requirements: very little - a minimal setup of CentOS.
This setup will demonstrate a client who initially cannot
connect to an ssh port on the server (the server is
DROPping packets and appears not to be running sshd).
After a successful encrypted SPA (Single Packet
Authorization) packet is sent to the server, for which a
shared key and usercode are required, the ssh port is opened
for the client IP only, and the client can then connect
with the normally required ssh credentials.
After a timeout, the port is CLOSED to all new traffic from the
client IP; however, the firewall's ESTABLISHED and RELATED rules
will allow the already-connected client to continue to communicate.
Setup Details:
Server:
Almost any kind of CentOS, but I use CentOS 4.4 installed on
a VM (VMware Workstation build 36983)
SELinux Disabled
Firewall enabled, no services allowed.
"Minimal" installation performed.
IP=10.1.1.155
Client:
Almost any *nix, but I have used CentOS 4.4 installed on a
VM (VMware Workstation build 36983)
SELinux Disabled
Firewall enabled, no services allowed.
"Minimal" installation performed.
IP=10.1.1.8
===================
Setup the server
Optional: update the server;
#yum -y update
#reboot
Install fwknop
#cd /tmp
#wget http://www.cipherdyne.org/fwknop/download/fwknop-1.0.1-1.i386.rpm
#rpm -i fwknop-1.0.1-1.i386.rpm
Backup fwknop's access.conf file and make our own.
#mv /etc/fwknop/access.conf /etc/fwknop/access.conf.orig
#access=/etc/fwknop/access.conf
#echo "SOURCE: ANY;">>$access
#echo "OPEN_PORTS:tcp/22;">>$access
#echo "DATA_COLLECT_MODE: ULOG_PCAP;">>$access
#echo "KEY: pkpassword;">>$access
#echo "FW_ACCESS_TIMEOUT: 30;">>$access
#echo "REQUIRE_USERNAME: mbr;">>$access
Note: the usercode and password we need to give the
client are usercode: mbr, password: pkpassword
Change the firewall (this step is optional). By default a CentOS
build REJECTS everything; we want it to DROP instead, so that no
one can tell whether sshd is running or not.
#service iptables stop
#joe /etc/sysconfig/iptables
change
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
to
-A RH-Firewall-1-INPUT -j DROP
Restart the firewall
#service iptables start
Start fwknopd in debug mode;
#fwknopd --debug
Leave this debug window open, and you will see the rules
that fwknop adds to the firewall.
Setup the client
Install fwknop (the same package contains server and client
tools)
#cd /tmp
#wget http://www.cipherdyne.org/fwknop/download/fwknop-1.0.1-1.i386.rpm
#rpm -i fwknop-1.0.1-1.i386.rpm
Proof: try to connect to the server on port 22
#nc -v 10.1.1.155 22
nc will appear to hang waiting for a response -> no response.
(unless you skipped the step above for changing the firewall
rules, in which case I think you get a 'no route to host'
message)
Now knock to open the port, using the usercode and password
as above (the password will be prompted for);
#fwknop -A tcp/22 -k 10.1.1.155 --Spoof-user mbr -a 10.1.1.8
-A is the port to send the SPA packet to
-k is the server to send to
--Spoof-user is needed because we are not mbr (I am root);
we wouldn't need this if we were logged on as 'mbr'
-a 10.1.1.8 is needed because I am on a NATed subnet; without
it fwknop will resolve my IP to a public one and then tell
the server to open port 22 to that public IP, which won't
help me.
You have 30 seconds to try to connect now ...
#nc -v 10.1.1.155 22
pc-00155.xx_hidden_xx.org [10.1.1.155] 22 (ssh) open
SSH-1.99-OpenSSH_3.9p1
Ctrl-c to kill this.
So we have proved that port 22 has been opened by our knock.
Watching the server's debug output as mentioned above will
show you the exact rule which was added to iptables to
achieve this.
If you have exceeded your 30 sec, just run the knock again;
#fwknop -A tcp/22 -k 10.1.1.155 --Spoof-user mbr -a 10.1.1.8
and then try to connect;
#ssh root@xxxxxxxxxx
If you are quick enough you can run
#service iptables status|grep 10.1.1.8
ACCEPT tcp -- 10.1.1.8 0.0.0.0/0 tcp dpt:22
This shows you the rule which let you in.
Note that port 22 is open to *YOUR IP* only.
About 30 sec later you will see;
# service iptables status|grep 10.1.1.8
# [no output]
This shows you that the open port has been closed.
Notes: if you get a message like 'remote time stamp is older
than 120 second max age.' then you have a clock sync
problem (common when using VMware).
Notes: if you have trouble with clock drift and you don't
want to be bothered fixing it, you can make fwknop less
sensitive;
#joe /etc/fwknop/fwknop.conf
change
MAX_SPA_PACKET_AGE 120;
to
MAX_SPA_PACKET_AGE 1200;
or similar (a 20 minute window). Note that a wider window also
widens the time in which a captured SPA packet could be replayed.
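To make the access.conf policy and the clock-drift note concrete, here is an added Python model (not fwknop's own code) of the checks a server applies to a decoded SPA request: shared key, timestamp age (MAX_SPA_PACKET_AGE), REQUIRE_USERNAME, OPEN_PORTS, SOURCE, and the FW_ACCESS_TIMEOUT expiry of the per-client ACCEPT rule. The request fields, check order and reason strings are assumptions for illustration; with real fwknop a wrong key makes decryption fail before any field is readable.

```python
import hmac

# Constructed access.conf text mirroring the server setup in the post.
ACCESS_CONF = """SOURCE: ANY;
OPEN_PORTS:tcp/22;
DATA_COLLECT_MODE: ULOG_PCAP;
KEY: pkpassword;
FW_ACCESS_TIMEOUT: 30;
REQUIRE_USERNAME: mbr;
"""
MAX_SPA_PACKET_AGE = 120  # seconds; the fwknop.conf value quoted in the notes


def parse_access_conf(text):
    """Parse 'KEY: value;' lines into a dict, ignoring blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip().rstrip(";").strip()
    return conf


def check_spa_request(conf, req, now, max_age=MAX_SPA_PACKET_AGE):
    """Decide whether a (hypothetical, already decoded) SPA request is honoured.
    req carries: key, username, port, src_ip, timestamp. Returns (ok, reason)."""
    if not hmac.compare_digest(req["key"], conf["KEY"]):
        return False, "shared key mismatch"
    if abs(now - req["timestamp"]) > max_age:       # replay / clock-drift guard
        return False, "remote time stamp is older than %d second max age" % max_age
    if conf.get("REQUIRE_USERNAME") and req["username"] != conf["REQUIRE_USERNAME"]:
        return False, "username %r not permitted" % req["username"]
    if req["port"] not in {p.strip() for p in conf["OPEN_PORTS"].split(",")}:
        return False, "port %s not in OPEN_PORTS" % req["port"]
    if conf["SOURCE"] != "ANY" and req["src_ip"] not in conf["SOURCE"].split(","):
        return False, "source %s not permitted" % req["src_ip"]
    return True, "ACCEPT %s from %s for %s s" % (req["port"], req["src_ip"],
                                                 conf["FW_ACCESS_TIMEOUT"])


def rule_active(opened_at, now, conf):
    """Model FW_ACCESS_TIMEOUT: the per-client ACCEPT rule is removed once the
    timeout has elapsed (existing sessions survive via ESTABLISHED/RELATED)."""
    return now - opened_at < int(conf["FW_ACCESS_TIMEOUT"])
```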
Thanks to Michael Rash for his great pdf
(http://www.usenix.org/publications/login/2006-02/pdfs/rash.pdf)
which I blatantly ripped content from for the good of the world.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos