HowTo: Install And Configure FWKNOP (Using EnGarde Linux)
Secret knocks have been used for purposes as simple and childish as identifying friend or foe during a schoolyard fort war. Fraternities teach these knocks as a rite of passage into their society, and in our security world we can implement this layer of security to lock down an SSH server.
The FireWall KNock Operator (fwknop) is an excellent port knocking implementation that combines encrypted port knocking with passive OS finger-printing. This makes it possible to define specifically which Linux systems are allowed access to your SSH server. fwknop combines its functionality with iptables rules and log messages to grant or deny access to the SSH daemon.
You will need:
- A machine to do your development on. These commands should NOT be run on a production server since the example firewall implementations shut down all access to your SSH daemon!
- A separate client machine to actually connect to the server. To keep everything in sync, this could also be another EnGarde Secure Linux machine.
- EnGarde Secure Community 3.0.18 or above
Once you have all the above you may log in as root, transition over to sysadm_r, and disable SELinux:
[spa_server]# newrole -r sysadm_r
[spa_server]# setenforce 0
Throughout the HowTo, the server will be referred to as spa_server and the client as spa_client.
EnGarde Secure Linux makes the installation of fwknop a breeze due to its Guardian Digital Secure Network (GDSN). You can install the package through the command line:
[spa_server]# apt-get install fwknop
...or login to WebTool and install the package from the WebTool GDSN interface.
This should be repeated on the spa_client machine as well.
We shall get around to the setup of fwknop after we configure our iptables policy...
iptables Rules Setup
Since iptables is installed out of the box on EnGarde Secure Linux, we will provide you a simple shell script to execute to turn on your firewall. Keep in mind that this script will shut down access to your SSH daemon.
[spa_server]# cat firewall.sh
$IPTABLES -F -t nat
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
$IPTABLES -A INPUT -i ! lo -j LOG --log-prefix "DROP "
$IPTABLES -A INPUT -i ! lo -j DROP
$IPTABLES -A FORWARD -i ! lo -j LOG --log-prefix "DROP "
$IPTABLES -A FORWARD -i ! lo -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "[+] EnGarde Secure Linux iptables policy activated"
Be sure to change the addresses to those of your public network interface.
Before running this script, be sure you make it executable:
[spa_server]# chmod +x firewall.sh
We can then run an Nmap scan on the server to see what we have open on the system:
[spa_client]# nmap <spa_server>
PORT STATE SERVICE
22/tcp open ssh
Nmap finished: 1 IP address (1 host up) scanned in 0.474 seconds
As you can see, there will be a set amount of open ports by default including the SSH port.
Run the firewall script on the spa_server...
[+] EnGarde Secure Linux iptables policy activated
From your client, you can run an Nmap scan and now see that all ports are closed:
[spa_client]# nmap <spa_server>
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 3.012 seconds
At this point you have configured your firewalls to block all access to your SSH daemon. We can now set up fwknop to allow you access through port knocking in the next section.
Sssh, I want to tell you a secret... (setup fwknop and access)
Back on the server side, use your favorite editor to modify the /etc/fwknop/fwknop.conf file. We're interested in the following tunables:
The EMAIL_ADDRESSES should be whichever email addresses you wish to have the fwknop server send feedback to. This feedback includes error messages and other logging variables that can be specified elsewhere in the configuration file. The HOSTNAME variable would be the hostname of the spa_server machine.
Next, we edit the /etc/fwknop/access.conf file and change the KEY variable:
KEY:<enter key here>
This is the key you will be prompted for when attempting to access the fwknop server from the client. For security purposes, this key should be at least 8 characters long and be a combination of alphanumeric characters, no spaces.
Examples of such keys include:
You can now start up the fwknop server:
[spa_server]# /etc/init.d/fwknop start
[ SUCCESSFUL ] fwknop Daemons
Knock knock...who's there??? (spa client)
Now, from the client server, we can attempt to access the fwknop server. In the example below, replace 220.127.116.11 with the address of your spa_client machine, and the 18.104.22.168 with the address of your spa_server machine:
[spa_client]# fwknop -A tcp/22 -a 22.214.171.124 -k 126.96.36.199
[+] Starting fwknop client.
[+] Enter an encryption key. This key must match a key in the file
/etc/fwknop/access.conf on the remote system.
...at this point enter the key you had specified in the /etc/fwknop/access.conf file on the spa_server machine.
[+] Building encrypted single-packet authorization (SPA) message...
[+] Packet fields:
Random data: 9469687736864299
Action: 1 (access mode)
MD5 sum: THfoIDCAPeWZBjoh0JMPaA
[+] Sending 171 byte message to 188.8.131.52 over udp/62201.
You now have only a 30 second window to connect via SSH to the server:
[spa_client]# ssh root@spa_server
Last login: Fri Nov 30 15:38:12 2007 from spa_client
Congratulations! You've successfully implemented fwknop on both the server and client side!
Keep in mind this is one of the more basic setups for fwknop. You can go even further and implement GPG keys, change port settings, etc. by modifying the /etc/fwknop/fwknop.conf. A great resource for fwknop research is 'Linux Firewalls' by Michael Rash. Rash includes several chapters on fwknop covering theory and implementation. He even includes advanced setups for anyone looking to truly fine-tune their port knocking implementation!
Have fun in implementing a new secure layer for your SSH daemon!
Next time we will go over the EnGarde Secure Linux implementation of PSAD - here we will give you an inside look at how you can use PSAD to detect port scans against your server!