Michael Rash, Security Researcher

2006 Blog Archive


DEF CON Talk; Routing SPA Packets Over the Tor Network

This August at the DEF CON conference in Las Vegas I will be giving a talk entitled Service Cloaking and Anonymous Access; Combining Tor with Single Packet Authorization (SPA). The talk focuses on sending SPA packets over the Tor network in order to add a layer of anonymity on top of the security provided by the SPA protocol itself. This represents a new usage for fwknop, and a new version will be released at the conference. Please stop by for a chat if you are going to be at DEF CON 14!

Software Release - psad-1.4.6

The 1.4.6 release of psad is ready for download. Here is an excerpt from the ChangeLog:
  • Added ENABLE_AUTO_IDS_REGEX and AUTO_BLOCK_REGEX to allow filtering on logging prefixes.
  • Added IPTABLES_PREREQ_CHECK to allow the administrator to control the frequency of Netfilter checks (for auto-block compatibility).
  • Added IGNORE_LOG_PREFIXES to allow certain log prefixes to be completely ignored by psad.
  • Added classification.config file from Snort-2.3.3 so that psad can assign danger levels based upon Snort rule class type. This is useful when also running fwsnort.
  • Added reference.config so that psad can include reference information in email alerts that are derived from attacks detected by fwsnort.

OSCON Talk; Maximum Netfilter

In July 2006, at the O'Reilly Open Source Convention (OSCON) in Portland, Oregon, I will be giving a talk entitled Maximum Netfilter. The talk concentrates on maximizing the effectiveness of Netfilter and its iptables interface, and all three of psad, fwsnort, and fwknop will be discussed. Please stop by for a chat if you are going to be at OSCON!

Snort-2.1 Book Chapter Posted

Syngress Publishing has allowed me to post the chapter I wrote for the Snort 2.1 Intrusion Detection, Second Edition book, entitled "Chapter 12; Active Response". This chapter explores the concept and implications of configuring IDS software to automatically respond to attacks in real time. A PDF version of this chapter can be downloaded here. The book has received positive reviews (including one by Richard Bejtlich). Both psad and fwsnort are discussed within this chapter.

Subversion Switch

The excellent Subversion system is now being used as the versioning software for all Cipherdyne software projects. The online web interface to the source code is powered by Trac. For example, the Trac interface to the psad sources can be found here.

USENIX ;login: Article on Single Packet Authorization

In the February 2006 issue of USENIX ;login: Magazine, I had an article published entitled Single Packet Authorization with Fwknop. This article is available locally here, and summarizes the reasons why SPA is a more effective and mature technology than port knocking.

Single Packet Authorization at

A short article on Single Packet Authorization (SPA) has been posted to the security site. Thanks for helping to spread the word about the benefits of SPA!

Site Update

The and websites have been updated. They are now powered with components borrowed from the Nanoblogger and Apache Forrest projects together with some custom perl code to maintain it. The front page of the site is now much more bloggified, stories are permanently archived, and there are both Atom and RSS feeds.

Netfilter String Match 64-bit Bugfix

The release of the Linux kernel fixes a bug in the "textsearch" (linux/lib/textsearch.c) portion of the kernel when running on 64-bit processors, courtesy of Pablo Neira Ayuso. The Netfilter string match extension depends on the textsearch infrastructure, so if you are running fwsnort on a 64-bit processor you will need to upgrade to at least the kernel.

Software Release - fwknop-0.9.6

The 0.9.6 release of fwknop is ready for download. Here is an excerpt from the ChangeLog:
  • Added GPG based authentication capability for SPA packets. This new mode can be configured to require that a GPG message be signed with a particular key or set of keys.
  • In GPG mode, the fwknop client now prints GPG errors to stdout if not running with --gpg-no-batch-mode.
  • Added the ability to require that the client know the UNIX crypt() password associated with a username on the server side. This functionality is enabled on the fwknop client with the "--Server-auth crypt" command line argument, and the REQUIRE_AUTH_METHOD variable in /etc/fwknop/access.conf on the fwknopd server.
  • Added patch against OpenSSH-4.2p1 to integrate SPA mode. This patch adds a "-K <fwknop cmd line>" argument to the SSH client so that fwknop can be executed directly before an SSH connection is made.
  • Separated the server and client portions of fwknop into "fwknopd" and "fwknop" respectively. This allows better portability, since the client and server pieces can now be developed more independently.