B1ueD0g

BlueDog's Home


Setting up the open source single packet authorization tool fwknop environment

Introduction to fwknop

Under the Software Defined Perimeter (SDP) architecture, a protected business service only accepts packets it has already judged legitimate and silently discards everything else, so the service is effectively invisible on the network. SDP has three parts: the SDP Client, the Controller, and the Gateway. Before a client can reach a resource it must pass the Controller's SPA (single packet authorization) check and access control; the Gateway then fronts the actual business service. As shown in the figure below:

[Figure: SDP architecture (client, controller, gateway)]

fwknop, the subject of this article, implements single packet authorization (SPA) to hide services. An SPA packet is encrypted, authenticated with an HMAC, and made non-replayable (fwknopd keeps a cache of digests of packets it has already accepted). The server sits behind a default-drop firewall policy and sniffs for SPA packets with libpcap instead of listening on a socket, so a service such as SSH is exposed only to a client that has just sent a valid packet, and only for a short window. This raises the bar for exploiting vulnerabilities in the hidden service, including 0-days and unpatched bugs: with no open ports, Nmap finds nothing to scan. fwknop supports iptables and firewalld on Linux, ipfw on FreeBSD and Mac OS X, and PF on OpenBSD.

SPA adds security by shrinking the exposed port surface and gating access on a dynamic, one-shot authorization packet, which makes it harder for an attacker to even discover, let alone exploit, a vulnerable service. This fits the zero-trust model: trust neither internal nor external networks, and protect each resource with explicit authentication and authorization.

Environment Introduction & Configuration

The setup uses Ubuntu 20.04 (focal) and pulls packages from the Tsinghua (TUNA) mirror.

Network address planning:

| Host   | Address        |
|--------|----------------|
| Server | 192.168.31.211 |
| Client | 192.168.31.37  |

Change the Ubuntu apt source:

```bash
sudo vim /etc/apt/sources.list
```

Write the following and save. The source-code (deb-src) lines are commented out by default to speed up apt update; uncomment them if you need them:

```
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-updates main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-updates main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-backports main restricted universe multiverse
# deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-backports main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu/ focal-security main restricted universe multiverse
# deb-src http://security.ubuntu.com/ubuntu/ focal-security main restricted universe multiverse

# Pre-release software source, not recommended to enable
# deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-proposed main restricted universe multiverse
# # deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-proposed main restricted universe multiverse
```

Then refresh the package index:

```bash
sudo apt update
```

fwknop Source Code Download, Compilation, and Installation

Install the build prerequisites first (libpcap-dev provides the pcap headers fwknopd needs; autoconf, automake and libtool are only needed if the checkout has no generated configure script):

```bash
sudo apt install git make gcc gawk mawk libpcap-dev autoconf automake libtool
```

Clone the code from GitHub to the local machine and run configure, which checks that the dependencies are present and generates the Makefiles. `--disable-client` builds only the server side (fwknopd); the client is installed from the Ubuntu package on the other host later.

```bash
git clone https://github.com/mrash/fwknop.git
cd fwknop
[ -f configure ] || ./autogen.sh   # generate configure from configure.ac if the checkout lacks it
chmod +x configure
./configure --prefix=/usr --sysconfdir=/etc --disable-client
```

If configure finishes without errors, as in the figure, this step succeeded.

[Figure: configure output]

Continue to compile the program. Only the install step needs root, since it writes into /usr and /etc:

```bash
make
sudo make install
which fwknopd   # with this prefix it should print /usr/sbin/fwknopd; if the path is found, the install succeeded
```

Configure the fwknop Server

In /etc/fwknop/fwknopd.conf, set the interface fwknopd sniffs on (the PCAP_INTF line, around line 40; it is commented out in the stock file, so uncomment it and use the name `ip addr` shows for your interface). Note that fwknopd.conf entries end with a semicolon:

```
PCAP_INTF                   ens33;
```

The /etc/fwknop/access.conf file holds the knocking rules: which sources may send SPA packets, which ports a valid packet opens, the client's keys, and how long the opened rule lives.

Ignore the two key lines for now; they will be generated on the client side (with `fwknop --key-gen`) and pasted in here afterwards.

```
SOURCE              ANY
OPEN_PORTS          tcp/22
KEY_BASE64          TxpMVCiWRxc6IUR0rmABy2jKTDnI3SFa1MRD8fuOtgc=
HMAC_KEY_BASE64     mm+lPMq6WY8QHOcZdJ80XmDlNbWw+7zOJB87uw5wf9ShkgPiykxXDgPUeA+X6UlUF6Oa3MTEcSR0GMUZjm6sJQ==
FW_ACCESS_TIMEOUT   20
# If you want to use GnuPG keys then define the following variables
#
#GPG_HOME_DIR           /homedir/path/.gnupg
#GPG_DECRYPT_ID         ABCD1234
#GPG_DECRYPT_PW         __CHANGEME__
```

FW_ACCESS_TIMEOUT 20 means that after a successful knock the ACCEPT rule fwknopd inserts for the client stays in place for 20 seconds and is then removed; the door opens and closes again. Connections established during that window survive only because the firewall also accepts ESTABLISHED,RELATED traffic (see the iptables rules below). SOURCE ANY lets SPA packets arrive from any address, and the port is opened for the IP named inside the packet (the client's -a option); add `REQUIRE_SOURCE_ADDRESS Y` to the stanza if that IP must also match the packet's actual source address.
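The following Python script is an added example, not fwknop's own code: it models the SPA checks described above end to end (encrypt, HMAC, replay cache, age window, OPEN_PORTS and FW_ACCESS_TIMEOUT) against this page's access.conf stanza, so the order in which a server must apply them is explicit. The packet layout, the hash-based keystream standing in for fwknop's Rijndael/GnuPG encryption, the 120-second age window and the helper names are assumptions of the example, not fwknop's wire format.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed copy of this page's access.conf stanza (the keys are the page's
# placeholder values, not real secrets).
ACCESS_CONF = """\
SOURCE              ANY
OPEN_PORTS          tcp/22
KEY_BASE64          TxpMVCiWRxc6IUR0rmABy2jKTDnI3SFa1MRD8fuOtgc=
HMAC_KEY_BASE64     mm+lPMq6WY8QHOcZdJ80XmDlNbWw+7zOJB87uw5wf9ShkgPiykxXDgPUeA+X6UlUF6Oa3MTEcSR0GMUZjm6sJQ==
FW_ACCESS_TIMEOUT   20
"""

NONCE_LEN, RAND_LEN, TAG_LEN = 12, 16, 32  # layout chosen for this example


def parse_access_conf(text):
    """Parse one access.conf stanza into a dict; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        conf[key] = value.strip()
    return conf


def _keystream(key, nonce, length):
    """SHA-256 counter keystream: a stand-in for fwknop's real cipher (assumption)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def xor_crypt(key, nonce, data):
    """Encrypt or decrypt (XOR is its own inverse) with the keystream above."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def build_spa(conf, username, allow_ip, access, now=None):
    """Client side: random prefix + timestamp + user + request, encrypted, then HMAC'd.
    Returns the base64 text that would travel in one UDP datagram."""
    enc_key = base64.b64decode(conf["KEY_BASE64"])
    mac_key = base64.b64decode(conf["HMAC_KEY_BASE64"])
    now = int(time.time()) if now is None else now
    fields = f"{now}:{username}:{allow_ip},{access}".encode()
    nonce = os.urandom(NONCE_LEN)
    body = nonce + xor_crypt(enc_key, nonce, os.urandom(RAND_LEN) + fields)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


class SpaServer:
    """Server side: HMAC first, then replay cache, decrypt, age window, OPEN_PORTS."""

    def __init__(self, conf, max_age=120):  # 120 s mirrors fwknopd's MAX_SPA_PACKET_AGE default
        self.enc_key = base64.b64decode(conf["KEY_BASE64"])
        self.mac_key = base64.b64decode(conf["HMAC_KEY_BASE64"])
        self.open_ports = set(conf["OPEN_PORTS"].split(","))
        self.timeout = int(conf["FW_ACCESS_TIMEOUT"])
        self.max_age = max_age
        self.seen = set()  # digests of accepted packets: the replay cache

    def verify(self, packet_b64, now=None):
        """Return (grant, reason); grant is None unless reason == 'ok'."""
        now = int(time.time()) if now is None else now
        raw = base64.b64decode(packet_b64)
        if len(raw) < NONCE_LEN + RAND_LEN + TAG_LEN:
            return None, "truncated"
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        # HMAC before anything else: forged or corrupted packets never reach the decryptor.
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, body, hashlib.sha256).digest()):
            return None, "bad hmac"
        digest = hashlib.sha256(raw).hexdigest()
        if digest in self.seen:
            return None, "replay"
        plain = xor_crypt(self.enc_key, body[:NONCE_LEN], body[NONCE_LEN:])
        ts, user, request = plain[RAND_LEN:].decode().split(":", 2)
        if abs(now - int(ts)) > self.max_age:
            return None, "stale"
        allow_ip, access = request.split(",", 1)
        if access not in self.open_ports:
            return None, "access not permitted"
        self.seen.add(digest)
        return {"user": user, "allow_ip": allow_ip, "access": access,
                "expires": now + self.timeout}, "ok"


def flip_byte(packet_b64, index):
    """Corrupt one byte of a packet, to show the HMAC check rejecting tampering."""
    raw = bytearray(base64.b64decode(packet_b64))
    raw[index] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()
```

A grant carries the IP and port to open plus the expiry (`now + FW_ACCESS_TIMEOUT`), which is exactly what the firewall rule needs; the same packet presented twice is refused as a replay even though its HMAC is still valid, which is why fwknopd keeps its digest cache (and persists it when ENABLE_DIGEST_PERSISTENCE is on) rather than relying on the timestamp alone.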

Start and stop

```bash
sudo fwknopd          # start the daemon; it forks into the background and sniffs PCAP_INTF
sudo fwknopd -f -v    # alternatively run in the foreground with verbose logging while debugging
sudo fwknopd -S       # show the PID of the running daemon
sudo fwknopd -K       # stop it with a signal fwknopd handles, rather than kill -9 [pid]
sudo fwknopd -R       # restart, e.g. after editing access.conf
```

Install the Client to Verify the Service

On the client host (192.168.31.37):

```bash
sudo apt install fwknop-client
```

After installation, generate the keys and the client stanza with:

```bash
fwknop -A tcp/22 -a 192.168.31.37 -D 192.168.31.211 -p 62201 -P udp --key-gen --use-hmac --save-rc-stanza
```

-A is the access being requested (protocol/port to open), -a is the IP the server should open it for (the address your SSH connection will actually come from; behind NAT that is the public address), -D is the server IP, -p the port fwknopd listens on for SPA packets (62201 is the default), and -P the transport for the SPA packet, usually UDP. --key-gen creates a fresh encryption key and, with --use-hmac, an HMAC key; --save-rc-stanza writes them to ~/.fwknoprc under a stanza named after the destination.

The command prints the KEY_BASE64 and HMAC_KEY_BASE64 values, which are also stored in ~/.fwknoprc (keep that file readable only by your user). Paste them into the server's /etc/fwknop/access.conf and restart fwknopd (`sudo fwknopd -R`) so it picks them up.

Block port 22 with iptables. This stands in for the default-drop policy: port 22 is closed until a knock makes fwknopd insert an ACCEPT rule. Do this from the console or a session you can afford to lose, because it cuts off any SSH connection that is not already established:

```bash
sudo iptables -I INPUT 1 -i ens33 -p tcp --dport 22 -j DROP
sudo iptables -I INPUT 1 -i ens33 -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

Both rules are inserted at position 1, so the final order is the ESTABLISHED,RELATED ACCEPT followed by the DROP: sessions opened during the 20-second window keep working after fwknopd removes its rule. The ACCEPT that fwknopd adds lives in its own FWKNOP_INPUT chain, reached through a jump rule it places in INPUT (position 1 by default, per IPT_INPUT_ACCESS in fwknopd.conf). Check with `sudo iptables -L INPUT -n --line-numbers` that the jump to FWKNOP_INPUT sits above the DROP; otherwise the knock opens nothing.
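As an added example (not fwknop's code), this Python script parses iptables-save output and checks the two ordering invariants just described, then lists the grants present in FWKNOP_INPUT and whether each has expired. The sample ruleset is constructed; the FWKNOP_INPUT rule format with its `_exp_<epoch>` comment approximates what fwknopd inserts and is an assumption of the example, as are the function names.

```python
import re

# Constructed iptables-save output for the INPUT chain after a successful knock. The
# FWKNOP_INPUT chain, the jump rule and the _exp_<epoch> comment approximate fwknopd's
# rules (an assumption of this example, not output captured from the page's server).
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FWKNOP_INPUT - [0:0]
-A INPUT -j FWKNOP_INPUT
-A INPUT -i ens33 -p tcp -m tcp --dport 22 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens33 -p tcp -m tcp --dport 22 -j DROP
-A FWKNOP_INPUT -s 192.168.31.37/32 -p tcp -m tcp --dport 22 -m comment --comment _exp_1705500030 -j ACCEPT
COMMIT
"""

# Source IP, destination port and expiry epoch of one fwknopd-style grant.
GRANT_RE = re.compile(r"-s (\S+)/32 .*--dport (\d+) .*--comment _exp_(\d+) -j ACCEPT")


def parse_chains(save_text):
    """Map chain name -> list of rule bodies, in the order iptables evaluates them."""
    chains = {}
    for line in save_text.splitlines():
        if line.startswith("-A "):
            _, chain, rule = line.split(" ", 2)
            chains.setdefault(chain, []).append(rule)
    return chains


def first_index(rules, predicate):
    """Position of the first rule matching predicate, or None."""
    return next((i for i, rule in enumerate(rules) if predicate(rule)), None)


def audit_input_chain(save_text, now, port=22):
    """Check the ordering invariants the knock depends on and classify fwknopd's grants."""
    chains = parse_chains(save_text)
    inp = chains.get("INPUT", [])
    drop = first_index(inp, lambda r: f"--dport {port} " in r and "-j DROP" in r)
    jump = first_index(inp, lambda r: "-j FWKNOP_INPUT" in r)
    est = first_index(inp, lambda r: "ESTABLISHED" in r and "-j ACCEPT" in r)
    report = {
        "drop_present": drop is not None,
        # fwknopd's ACCEPT only matters if INPUT reaches FWKNOP_INPUT before the DROP
        "jump_before_drop": jump is not None and (drop is None or jump < drop),
        # sessions opened in the timeout window survive only if this ACCEPT precedes the DROP
        "established_before_drop": est is not None and (drop is None or est < drop),
        "active_grants": [],
        "expired_grants": [],
    }
    for rule in chains.get("FWKNOP_INPUT", []):
        m = GRANT_RE.search(rule)
        if m:
            grant = (m.group(1), int(m.group(2)), int(m.group(3)))
            bucket = "active_grants" if grant[2] > now else "expired_grants"
            report[bucket].append(grant)
    return report


if __name__ == "__main__":
    import time
    for key, value in audit_input_chain(IPTABLES_SAVE, int(time.time())).items():
        print(f"{key}: {value}")
```

On a real host, pass the text of `sudo iptables-save` to `audit_input_chain` instead of the embedded sample; a grant listed under `expired_grants` that is still present means fwknopd has not yet run its rule-expiry pass.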

Test from the client with a port scanner. With the DROP rule in place, nmap should report port 22 as filtered, as the figure shows:

[Figure: nmap scan of 192.168.31.211 before knocking]

Then knock from the client, using the stanza saved in ~/.fwknoprc:

```bash
fwknop -n 192.168.31.211
```

[Figure: fwknop client output]

Verification successful: an SSH connection to 192.168.31.211 now goes through within the 20-second window.

Observe the changes in iptables. Before knocking:

[Figure: iptables rules before knocking]

After knocking:

[Figure: iptables rules after knocking]

fwknopd logs the username carried in the SPA packet and inserts an iptables rule allowing the client's IP to reach the SSH port, which it removes again after FW_ACCESS_TIMEOUT seconds.

Summary and Outlook

This document walks through the whole process of setting up fwknop: the concept of Single Packet Authorization (SPA) and its role in the Software Defined Perimeter (SDP) architecture; preparing an Ubuntu 20.04 environment, including network planning and switching package sources; downloading, compiling and installing fwknop from GitHub; configuring the server (sniffing interface, knocking rules and client keys); and installing the client to verify that the service works.

fwknop does have weaknesses as a security tool. As of the latest version, 2.6.11-pre1 (December 2019), the code has not been updated for a long time. Its platform and firewall coverage is limited, and, being written in C, it carries memory-safety risk, as the 2012 IOActive findings CVE-2012-4434, CVE-2012-4435 and CVE-2012-4436 (fixed in fwknop 2.0.3) showed. The U.S. National Security Agency has since recommended moving away from C/C++ toward memory-safe languages.


Looking ahead, the field is expected to bring in newer approaches such as the Network Hiding Protocol (NHP), a domestically developed and controllable zero-trust protocol for network invisibility. With stricter security mechanisms and smarter management, NHP aims to improve network concealment and resistance to attack, and may become an important direction for network security as threats grow more complex. Such technologies promise a safer and more reliable network environment.

Appendix

[1] fwknop GitHub repository: https://github.com/mrash/fwknop

[2] fwknop official documentation: http://www.cipherdyne.org/fwknop/

[3] CVE-2012-4436: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4436

[4] CVE-2012-4435: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4435

[5] CVE-2012-4434: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4434

[6] IOActive analysis of the fwknop vulnerabilities: https://ioactive.com/wp-content/uploads/2018/05/Multiple_Security_Vulnerabilities_in_Fwknop.pdf
