Michael Rash, Security Researcher

Software Releases


fwknop-1.9.2 Release at SOURCE Boston

Today at the SOURCE Boston computer security conference I will give a talk entitled "Advanced Linux Firewalls" in which I will present many of the themes I discuss in my book published late last year by No Starch Press. This talk will also launch the 1.9.2 release of fwknop, and present several new features such as client-derived access timeouts, the ability to select any of several digest algorithms (SHA-256, SHA-1, or MD5) for replay attack detection, the removal of the Salted__ prefix in SPA packets encrypted with Rijndael, and blacklist IP exclusions for incoming SPA packets. Many of these features were implemented by the SPAPICT team as well as several other contributors, and I wish to thank all who participated in the fwknop development process.

You can download fwknop-1.9.2 here, and for those interested in the changes in the fwknop-1.9.2 release, here is the complete ChangeLog:
  • Crypt::CBC adds the string "Salted__" to the beginning of the encrypted text (at least for how fwknop interfaces with Crypt::CBC), so the fwknop client was updated to delete the encoded version of this string "U2FsdGVkX1" before sending a Rijndael-encrypted SPA packet on the wire. The fwknopd server will add this string back in before decrypting. This makes it harder to write an IDS signature that looks for fwknop traffic; e.g. look for the default prefix string "U2FsdGVkX1" over UDP port 62201, which would work for fwknop clients < 1.9.2 (as long as the port number is not changed with --Server-port).
  • Added more granular source IP and allowed IP tests so that access to particular internal IP addresses can be excluded in --Forward-access mode. A new keyword "INTERNAL_NET_ACCESS" is now parsed from the access.conf file in order to implement these restrictions.
  • (SPAPICT Group) Added BLACKLIST functionality to allow source IP addresses to easily be excluded from the authentication process.
  • (Grant Ferley) Submitted patch to handle SIGCHLD in IPTables::ChainMgr.
  • (Grant Ferley) Submitted patch to handle Linux "cooked" interfaces for packet capture (e.g. PPPoE interfaces).
  • (SPAPICT Group) Applied modified version of the client-defined access timeout patches submitted by the PICT SPA Group. There are two new message types to facilitate client timeouts; one for normal access mode, and the other for the FORWARD access mode. In the access.conf file, there is also a new variable "PERMIT_CLIENT_TIMEOUT" to allow each SOURCE stanza to allow client-defined timeouts or not.
  • (SPAPICT Group) Submitted patches to include support for the SHA1 digest algorithm for SPA packet replay attack detection. I modified these patches for maximum configurability (see the --digest-alg argument on the fwknop command line), and the ability to use the SHA256 algorithm as well. The default path to the /var/log/fwknop/md5sums file has been changed to /var/log/fwknop/digest.cache, and the default digest algorithm is now SHA256 (but this is tunable via the DIGEST_TYPE variable in the fwknop.conf file).
  • Added the Digest::SHA perl module in support of the SHA1 and SHA256 digest algorithms for replay attack detection and SPA message integrity.
  • Added full packet hex dumps (including packet headers) to fwknopd in --debug --verbose mode. This is to help diagnose packet sniffing issues over the loopback interface on Mac OS X (first reported by Sebastien Jeanquier).
  • (Test suite) Bugfix to ensure that the FWKNOP_DIR variable is set to the local output/ directory in several of the test config files in the test/conf/ directory.
  • (Test suite) Added several tests for configurable digest algorithms in support for the SHA256, SHA1, and MD5 digest changes made by the SPAPICT Group.
  • Updated the fwknop client to always call encode_base64() with the string to encode along with a second null-string argument to force all encoded data to not include line breaks.
  • Bugfix in to not test for the iptables command on non-Linux systems, and to not test for the ipfw command on systems that are Linux.
  • (Test suite) Updated to include the /proc/config.gz file so that the kernel config can be reviewed (not all Netfilter hooks are necessarily compiled in).
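As an added illustration of the Salted__ change in the first item (example code written for this page, not part of fwknop, which is Perl): the first ten base64 characters of any Crypt::CBC output encode only the constant "Salted__" magic, so they are identical for every packet, which is exactly what makes them usable as a detection signature (the raw packet dump in the 1.9.1 post further down this page starts with the same prefix). The block shows why the prefix is constant and why the eleventh character is not, and runs the client-side strip and server-side restore round trip. The encode_like_crypt_cbc helper is a stand-in for Crypt::CBC output (magic, 8-byte salt, ciphertext), not its real implementation.

```python
import base64

# OpenSSL-compatible header that Crypt::CBC prepends to its ciphertext:
# the 8 magic bytes "Salted__" followed by an 8-byte salt.
SALT_MAGIC = b"Salted__"

# Ten base64 characters encode 60 bits, i.e. the 8 magic bytes minus the low
# 4 bits of the final "_", so this prefix is the same for every packet.
SALT_PREFIX_B64 = base64.b64encode(SALT_MAGIC)[:10].decode()  # "U2FsdGVkX1"


def encode_like_crypt_cbc(salt: bytes, ciphertext: bytes) -> str:
    """Constructed stand-in for a Crypt::CBC result as fwknop base64-encodes it:
    magic || salt || ciphertext, with no line breaks in the base64 output."""
    if len(salt) != 8:
        raise ValueError("Crypt::CBC salt is 8 bytes")
    return base64.b64encode(SALT_MAGIC + salt + ciphertext).decode()


def client_strip_prefix(b64_packet: str) -> str:
    """Client side (fwknop >= 1.9.2): drop the constant prefix before sending."""
    if not b64_packet.startswith(SALT_PREFIX_B64):
        raise ValueError("packet does not start with the Crypt::CBC salt header")
    return b64_packet[len(SALT_PREFIX_B64):]


def server_restore_prefix(wire_packet: str) -> str:
    """Server side: put the prefix back so the base64 decodes to the original bytes."""
    return SALT_PREFIX_B64 + wire_packet


def prefix_variants(nchars: int) -> set:
    """Distinct values the first nchars base64 characters take over every
    possible first salt byte (later salt bytes cannot influence them)."""
    seen = set()
    for b in range(256):
        salt = bytes([b]) + b"\x00" * 7
        seen.add(encode_like_crypt_cbc(salt, b"")[:nchars])
    return seen


def roundtrip(salt: bytes, ciphertext: bytes):
    """Run a packet through strip and restore; return (bytes_match, wire_form)."""
    original = encode_like_crypt_cbc(salt, ciphertext)
    wire = client_strip_prefix(original)
    restored = server_restore_prefix(wire)
    return base64.b64decode(restored) == SALT_MAGIC + salt + ciphertext, wire


if __name__ == "__main__":
    print("constant prefix:", SALT_PREFIX_B64)
    print("distinct 10-char prefixes:", len(prefix_variants(10)))
    print("distinct 11-char prefixes:", len(prefix_variants(11)))
    ok, wire = roundtrip(b"\x01" * 8, b"\x00" * 16)
    print("round trip ok:", ok, "wire form:", wire)
```

The eleventh character still leaks the low nibble of the magic (it can only be one of four values), so stripping the ten-character prefix removes the obvious fixed string but does not make the packet indistinguishable from random base64; the ChangeLog item above is careful to claim only that signatures become harder to write.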

Software Release - gpgdir-1.7

The 1.7 release of gpgdir is ready for download. This release fixes a bug that was introduced in gpgdir-1.6 that caused previously encrypted directories to not be decrypted in --decrypt mode. This bug was reported by Per Ronny Westin, and the result is the addition of a new test suite so that bugs of this type don't creep back into the gpgdir development process. Here is some sample output of the new test suite in action:

[+] ==> Running gpgdir test suite <==

(Setup) gpgdir program compilation..................................pass (0)
(Setup) Command line argument processing............................pass (1)
(Test mode) gpgdir basic test mode..................................pass (2)
(Encrypt dir) gpgdir directory encryption...........................pass (3)
(Encrypt dir) Files recursively encrypted...........................pass (4)
(Encrypt dir) Excluded hidden files/dirs............................pass (5)
(Decrypt dir) gpgdir directory decryption...........................pass (6)
(Decrypt dir) Files recursively decrypted...........................pass (7)
(MD5 digest) match across encrypt/decrypt cycle.....................pass (8)
(Ascii-armor dir) gpgdir directory encryption.......................pass (9)
(Ascii-armor dir) Files recursively encrypted.......................pass (10)
(Ascii-armor dir) Excluded hidden files/dirs........................pass (11)
(Decrypt dir) gpgdir directory decryption...........................pass (12)
(Decrypt dir) Files recursively decrypted...........................pass (13)
(MD5 digest) match across encrypt/decrypt cycle.....................pass (14)

[+] ==> Passed 15/15 tests against gpgdir. <==
[+] This console output has been stored in: test.log
Here is the complete ChangeLog for the 1.7 release:
  • Bugfix to ensure that encrypted directories can actually be decrypted. This bug was reported by Per Ronny Westin.
  • Updated to use the ".asc" extension for encrypted files in --Plain-ascii mode.
  • Added gpgdir test suite. All future gpgdir releases (and including this 1.7 release) require that all gpgdir tests pass on the systems where gpgdir is developed.

Software Release - fwknop-1.9.1

The 1.9.1 release of fwknop is ready for download. This release focuses on better installation support for platforms such as Ubuntu 7.10 and Fedora 8, and also includes many enhancements to the fwknop test suite. The test suite is up to over 80 tests on Linux systems now, and includes verbose output that can help to troubleshoot any fwknop installation. Here is an excerpt from one of the symmetric key tests against the loopback interface which uses the fwknop packet hex dump feature:

Sat Jan 26 14:33:03 2008 Raw packet data (hex dump, minus packet headers):
    0x0000: 5532 4673 6447 566b 5831 2f46 7867 764e U2FsdGVkX1/FxgvN
    0x0010: 2f7a 516e 626b 6e74 6943 7638 464b 3543 /zQnbkntiCv8FK5C
    0x0020: 6f6c 7a48 7268 3835 6f77 5a71 5075 4444 olzHrh85owZqPuDD
    0x0030: 4133 512f 6133 6b75 392b 6f58 7177 7748 A3Q/a3ku9+oXqwwH
    0x0040: 6450 7250 6933 4d2f 5278 556d 4e70 7833 dPrPi3M/RxUmNpx3
    0x0050: 6477 3942 6f36 5345 7542 4a50 306d 4630 dw9Bo6SEuBJP0mF0
    0x0060: 476a 5a49 5267 736f 6a37 4769 582b 7344 GjZIRgsoj7GiX+sD
    0x0070: 306a 6446 6d7a 7744 7154 3951 7976 4f65 0jdFmzwDqT9QyvOe
    0x0080: 3765 736d 7855 6a69 7049 5a42 5765 6f67 7esmxUjipIZBWeog
    0x0090: 6f45 6a4d 3744 6f50 5338 7469 7874 4f78 oEjM7DoPS8tixtOx
    0x00a0: 4c33 6457 7275 4f6f 6448 55 L3dWruOodHU
Sat Jan 26 14:33:03 2008 [+] Packet from matched SOURCE: ANY (line 15)
Sat Jan 26 14:33:03 2008 SOURCE block: 0
$VAR1 = {
'tcp' => {
'22' => ''
CMD_REGEX: (?-xism:echo)
KEY: (removed)
TYPE: any
Sat Jan 26 14:33:03 2008 [+] Attempting Rijndael decrypt...
Sat Jan 26 14:33:03 2008 Decrypting raw data (hex dump):
    0x0000: 5361 6c74 6564 5f5f c5c6 0bcd ff34 276e Salted__.....4'n
    0x0010: 49ed 882b fc14 ae42 a25c c7ae 1f39 a306 I..+...B.\...9..
    0x0020: 6a3e e0c3 0374 3f6b 792e f7ea 17ab 0c07 j>...t?ky.......
    0x0030: 74fa cf8b 733f 4715 2636 9c77 770f 41a3 t...s?G.&6.ww.A.
    0x0040: a484 b812 4fd2 6174 1a36 4846 0b28 8fb1
    0x0050: a25f eb03 d237 459b 3c03 a93f 50ca f39e ._...7E.<..?P...
    0x0060: edeb 26c5 48e2 a486 4159 ea20 a048 ccec ..&.H...AY. .H..
    0x0070: 3a0f 4bcb 62c6 d3b1 2f77 56ae e3a8 7475 :.K.b.../wV...tu
    0x0000: c5c6 0bcd ff34 276e .....4'n
    0x0000: 9087 692c 0d84 a24b a802 9b30 550e 6031 ..i,...K...0U.`1
    0x0010: 3121 f532 7404 b2af a863 653f 6d6b 7dab 1!.2t....ce?mk}.
    0x0000: 3ba9 7bda d3ac 0ae3 2a75 288e a791 6f0d ;.{.....*u(...o.
    0x0000: 6677 6b6e 6f70 7465 7374 3030 3030 3030 fwknoptest000000
    Block Size: 16
    Key Size: 32

Sat Jan 26 14:33:03 2008 [+] Decrypted message: 2729686373650157:cm9vdA== :1201375981:1.9.1:1:MTI3LjAuMC4yLHRjcC8yMg==:5v0x5MwZ8I9AUyvriRQ7Ug
For those interested in the changes in the fwknop-1.9.1 release, here is the complete ChangeLog:
  • Added ENABLE_OUTPUT_ACCESS keyword to access.conf file parsing. This provides a similar configuration gate for the iptables OUTPUT chain to the ENABLE_FORWARD_ACCESS keyword, and adds the ability to control which access.conf SOURCE blocks interface to the OUTPUT chain.
  • Better installation support for various Linux distributions including Fedora 8 and Ubuntu. The current runlevel is now acquired via the "runlevel" command instead of attempting to read /etc/inittab (which does not even exist on Ubuntu 7.10), and there are new command line arguments --init-dir, --init-name, and --runlevel to allow the init directory, init script name, and the runlevel to be manually specified on the command line.
  • Added command line argument display to fwknop client --verbose mode.
  • Updated the test suite to include OUTPUT chain tests, reference access.conf files in the test/conf/ directory, and perform SPA packet format validation tests by parsing fwknopd output.
  • Updated fwknopd to always use the -c argument on the knoptm command line (this makes sure that the test suite usage of fwknopd causes knoptm to reference the correct configuration).
  • Updated IPTables::ChainMgr to print iptables command output to stdout or stderr if running in debug or verbose mode.
  • Added --Exclude-mod-regex to so that the installation of particular perl modules that match the supplied regex can be skipped.
  • Added SIGALRM wrapper to the test suite since some libpcap and system combinations break the ability of fwknopd to sniff packets.
  • Added srand() call to the fwknop client (this is useful for older versions of perl which do not automatically call srand() at the first rand() call if srand() was not already called).
  • Added a test to the test suite for sniffing packets over the loopback interface.
  • Added SPA packet aging test to the test suite to ensure that packet expirations work properly (this feature protects against MITM attacks where a valid SPA packet is stopped by an inline attacker and retransmitted at a later time to acquire access).
  • Added a file (test.log) to collect test suite console output.
  • Added --Prepare-results argument to test suite to anonymize test results and create a tarball that can be emailed to a third party to assist in debugging.
  • Added full firewall policy dumps and the collection of system specifics to the test suite. This makes it easy to send the output directory and the test.log file to developers to assist in debugging (no information is sent anywhere except as part of a manual process of course, and addresses can be anonymized with --Prepare-results - loopback addresses are not modified).
  • Added --fw-del-ip <IP> argument to fwknopd so that a specific IP address can be removed from the local firewall policy (this is used by the test suite to ensure that if a test for removed firewall rules fails then subsequent tests will not also fail because they are no longer tracked by a running knoptm instance).
  • Added a test to the test suite to collect fwknopd syslog output. This is useful to see if a mechanism such as SELinux is deployed in a manner that prevents normal fwknop communications.
  • Bugfix to track MD5 digest for SPA command mode packets.
  • Bugfix in fwknopd to not open ports listed in OPEN_PORTS in the absence of the PERMIT_CLIENT_PORTS directive when an SPA packet contains a request for access to a port not listed in OPEN_PORTS. debugging fwknop if there are any issues.
  • Added --verbose flag to fwknopd commands issued by the test suite so that more data is collected for debugging analysis.
  • Added GnuPG tests to the test suite with dedicated keys (for use only with the test suite) in the test/conf/client-gpg and test/conf/server-gpg directories.
  • Added digest file validation to test suite to make sure that fwknopd correctly tracks SPA packet MD5 digests.
  • Updated to search state tracking rule in any iptables chain (many iptables policies have user-defined chains that can be a bit complicated to parse).
  • Updated to be more strict in stopping any running fwknopd processes.
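To make the SPA message layout and the two replay defences concrete, here is an added Python example (not fwknop's own Perl code) that parses a message in the format of the "Decrypted message" line above, checks that the numeric fields really contain only digits, applies a packet age limit (the aging test in the ChangeLog guards against a captured packet being replayed later), and keeps a digest cache with a selectable algorithm in the same "<digest> [<timestamp>]" layout as the cache file. SAMPLE_MESSAGE is constructed to match the field order shown; the 120-second max_age default, the check order in accept_packet, and the choice to hash the raw packet as received are decisions made for this example, and the message's own trailing digest field is carried through but not recomputed, because this page does not give its derivation.

```python
import base64
import hashlib
import time

# Constructed SPA message in the format shown in the fwknopd debug output
# above: random:user_b64:timestamp:version:type:access_b64:digest. The values
# are modelled on that output, not copied from a live packet.
SAMPLE_MESSAGE = ("2729686373650157:cm9vdA==:1201375981:1.9.1:1:"
                  "MTI3LjAuMC4yLHRjcC8yMg==:5v0x5MwZ8I9AUyvriRQ7Ug")


class SpaError(ValueError):
    """Raised for any message that fails format validation."""


def _b64(field: str) -> str:
    # some fields (the digest, for one) arrive without "=" padding; restore it
    return base64.b64decode(field + "=" * (-len(field) % 4)).decode()


def parse_spa_message(msg: str) -> dict:
    """Split a decrypted SPA message and validate it. Fields between the access
    request and the digest (server_auth, forward_info) are optional extensions;
    the digest is always the last field, as the 1.9.0 format requires."""
    fields = msg.split(":")
    if len(fields) < 7:
        raise SpaError("expected at least 7 fields, got %d" % len(fields))
    rand, user_b64, ts, version, mtype, access_b64 = fields[:6]
    # fields that are supposed to be digits must contain only integer data
    for name, val in (("random", rand), ("timestamp", ts), ("type", mtype)):
        if not val.isdigit():
            raise SpaError("%s field is not numeric: %r" % (name, val))
    return {
        "random": rand,
        "user": _b64(user_b64),
        "timestamp": int(ts),
        "version": version,
        "type": int(mtype),
        "access": _b64(access_b64),
        "extensions": fields[6:-1],
        "digest": fields[-1],
    }


def is_fresh(parsed: dict, now: int, max_age: int = 120) -> bool:
    """Packet aging: a message older than max_age seconds (or dated in the
    future) is rejected even if it has never been seen before."""
    return abs(now - parsed["timestamp"]) <= max_age


class ReplayCache:
    """Digest cache for replay detection with a selectable algorithm
    (sha256, sha1 or md5); each digest is stored with the time it was first seen."""

    def __init__(self, digest_alg: str = "sha256"):
        self.digest_alg = digest_alg
        self.entries = {}  # digest -> human readable timestamp

    def digest(self, raw_packet: bytes) -> str:
        h = hashlib.new(self.digest_alg, raw_packet).digest()
        return base64.b64encode(h).decode().rstrip("=")

    def check_and_record(self, raw_packet: bytes, now: int) -> bool:
        """Return True if raw_packet was already seen (a replay), else record it."""
        d = self.digest(raw_packet)
        if d in self.entries:
            return True
        self.entries[d] = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(now))
        return False

    def cache_lines(self) -> list:
        # same layout as the digest cache entries: <digest> [<timestamp>]
        return ["%s [%s]" % (d, t) for d, t in self.entries.items()]


def accept_packet(raw_packet: bytes, decrypted: str, cache: ReplayCache, now: int) -> tuple:
    """Full gate for this example: replay check, format validation, age check."""
    if cache.check_and_record(raw_packet, now):
        return False, "replay"
    try:
        parsed = parse_spa_message(decrypted)
    except SpaError as e:
        return False, "invalid: %s" % e
    if not is_fresh(parsed, now):
        return False, "expired"
    return True, parsed
```

The two checks cover different attackers: the digest cache stops an exact copy of a packet that fwknopd has already honoured, while the age limit stops a packet that was captured and held back (the MITM case named in the ChangeLog) before fwknopd ever saw it. A 16-byte MD5 gives a 22-character base64 digest, which is why the cache entries in the older format are 22 characters long; SHA-256 gives 43.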

Software Release - psad-2.1.1

The 2.1.1 release of psad is ready for download. This release focuses on support for some of the latest Linux distributions, such as Ubuntu 7.10 and Fedora 8. There is also a new mode that allows psad to collect iptables logging data directly from a file that is written to by syslog instead of via the previous named pipe data collection mechanism. Here is the complete ChangeLog:
  • Added a new feature whereby psad can acquire iptables log data just by parsing an existing file (/var/log/messages by default) that is written to by syslog. By default, psad acquires iptables log data from the /var/log/psad/fwdata file which is written to by kmsgsd, but on some systems, having syslog communicate log data to kmsgsd can be problematic since syslog configs and external factors such as Apparmor and SELinux can play a role here. This new feature is controlled by two new configuration variables "ENABLE_SYSLOG_FILE" (to enable/disable the feature) and "IPT_SYSLOG_FILE" to specify the path to the file to parse.
  • Better installation support for various Linux distributions including Fedora 8 and Ubuntu. The current runlevel is now acquired via the "runlevel" command instead of attempting to read /etc/inittab (which does not even exist on Ubuntu 7.10), and there are new command line arguments --init-dir, --init-name, and --runlevel to allow the init directory, init script name, and the runlevel to be manually specified on the command line.
  • Updated psad to automatically handle situations where either the /var/log/psad/fwdata file or the /var/log/messages file (whichever syslog is writing iptables log messages to) gets rotated. The filehandle is closed and reopened if the file shrinks or if the inode changes. This strategy is borrowed from how the fwknop project deals with the filesystem packet capture file.
  • Minor bugfix to generate syslog message when restarting a psad process.
  • Updated to set the LC_ALL environmental variable to "C". This should address some issues with installing psad on non-English locale systems.
  • Updated to be compatible with the rsyslog daemon, which is commonly installed on Fedora 8 systems.
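An added example (Python, written for this page rather than taken from psad, which is Perl) of the rotation handling described in the third item: the reader reopens the file when its inode changes or it shrinks below the last read offset, and holds back a partial trailing line so a half-written syslog record is not parsed. The log lines are constructed, and parse_iptables_fields is a deliberately minimal filter keyed on the IN= and OUT= fields that every iptables LOG message carries; psad's own parser does considerably more.

```python
import os
import re
import tempfile

# Constructed syslog lines in iptables LOG format (not real traffic); the last
# one is a non-iptables message that the parser must skip.
SAMPLE_LINES = [
    "Jan 26 14:33:03 host kernel: [psad] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.10 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN\n",
    "Jan 26 14:40:00 host kernel: [psad] IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 PROTO=TCP DPT=23\n",
    "Jan 26 14:50:00 host kernel: [psad] IN=eth0 OUT= SRC=192.0.2.12 DST=192.0.2.1 PROTO=UDP DPT=53\n",
    "Jan 26 14:50:01 host sshd[123]: Accepted publickey for mbr from 192.0.2.5\n",
]

_KV = re.compile(r"(\w+)=(\S*)")


def parse_iptables_fields(line: str):
    """Return the KEY=VALUE fields of an iptables log line, or None if the line
    lacks the IN= and OUT= fields every iptables LOG message has."""
    fields = dict(_KV.findall(line))
    if "IN" not in fields or "OUT" not in fields:
        return None
    return fields


class RotatingLogReader:
    """Follow a file that syslog writes to, reopening it when the file shrinks
    (copytruncate-style rotation) or its inode changes (rename-style rotation)."""

    def __init__(self, path: str):
        self.path = path
        self.fh = None
        self.inode = None
        self.pos = 0
        self._open()

    def _open(self):
        if self.fh is not None:
            self.fh.close()
        self.fh = open(self.path, "rb")
        self.inode = os.fstat(self.fh.fileno()).st_ino
        self.pos = 0

    def _rotated(self) -> bool:
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return False  # renamed away and not yet recreated: keep the old handle
        return st.st_ino != self.inode or st.st_size < self.pos

    def read_new_lines(self) -> list:
        if self._rotated():
            self._open()
        self.fh.seek(self.pos)
        data = self.fh.read()
        end = data.rfind(b"\n") + 1  # hold back a partial trailing line
        self.pos += end
        return [l.decode("utf-8", "replace") for l in data[:end].splitlines()]


def demo() -> list:
    """Push the sample lines through both rotation styles and return the SRC
    addresses the reader extracted, in order."""
    path = os.path.join(tempfile.mkdtemp(), "messages")
    seen = []

    def collect(reader):
        for line in reader.read_new_lines():
            fields = parse_iptables_fields(line)
            if fields:
                seen.append(fields["SRC"])

    with open(path, "w") as f:
        f.write(SAMPLE_LINES[0])
    reader = RotatingLogReader(path)
    collect(reader)
    # copytruncate-style rotation: same inode, file becomes shorter
    with open(path, "w") as f:
        f.write(SAMPLE_LINES[1])
    collect(reader)
    # rename-style rotation: new file, new inode
    os.rename(path, path + ".1")
    with open(path, "w") as f:
        f.write(SAMPLE_LINES[2] + SAMPLE_LINES[3])
    collect(reader)
    return seen
```

The size check has the same blind spot as any "did it shrink" test: a truncated file that has already grown back past the old offset looks unrotated, and the lines written in between are lost, which is one reason rename-style rotation (detected by the inode change) is the more reliable of the two for a log consumer.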

fwsnort-1.0.4 Software Release

The 1.0.4 release of fwsnort is ready for download. This release is mostly a bugfix release for bugs discovered and patched by Grant Ferley (thanks for the contributions both on the fwsnort mailing list and also via personal correspondence). Because these fixes mostly apply to the IPTables::Parse perl module, they will also make it into the psad and fwknop projects. Here is the full ChangeLog:
  • (Grant Ferley) Submitted patch to exclude loopback interfaces from iptables allow rules parsing. This behavior can be reversed with the existing --no-exclude-loopback command line argument.
  • (Grant Ferley) Submitted patch to IPTables::Parse to take into account iptables policy output that contains "0" instead of "all" to represent any protocol.
  • (Grant Ferley) Submitted patch to IPTables::Parse to set sport and dport to '0:0' if the protocol is 'all'.
  • Bugfix to allow negated networks to be specified within iptables allow rules or within the fwsnort.conf file.
  • Updated to set the LC_ALL environmental variable to "C". This should fix potential locale problems (this fix was borrowed from the fwknop project).

Software Release - fwknop-1.9.0

The 1.9.0 release of fwknop is ready for download. This release introduces major new functionality including inbound NAT support for authenticated connections (iptables firewalls only for now), iptables OUTPUT chain support, a test suite for SPA communications, the ability of the fwknopd daemons to restart themselves after a configurable length of time, and more.

Below is the output of the new test suite running on a Linux system:

# ./

[+] ==> Running fwknop test suite; firewall: iptables <==

[+] perl program compilation.........................................pass (0)
[+] C program compilation............................................pass (1)
[+] Stopping any running fwknopd processes...........................pass (2)
[+] Flushing all fwknop iptables rules...............................pass (3)
[+] Testing Rijndael key validity....................................pass (4)
[+] Generating SPA access packet with fwknop client..................pass (5)
[+] Sniffing SPA access packet to acquire access.....................pass (6)
[+] Firewall access rules exist......................................pass (7)
(Sleeping for 10 (+5) seconds for firewall rule timeout)
15 10 5 0
[+] Firewall access rules removed....................................pass (8)
[+] Stopping all running fwknopd processes...........................pass (9)
[+] Replay attack detection..........................................pass (10)
[+] SPA packet randomness............................................pass (11)
[+] Generating SPA packet with src addr......................pass (12)
[+] Sniffing packet source address with src addr.............pass (13)
[+] Generating SPA packet with invalid user..........................pass (14)
[+] Invalid user detection...........................................pass (15)
[+] Generating SPA command packet....................................pass (16)
[+] Sniffing SPA command packet and executing........................pass (17)
[+] Making sure firewall rules have been removed.....................pass (18)
[+] Generating SPA command packet with non-matching regex............pass (19)
[+] SPA command packet filtered......................................pass (20)
[+] Making sure firewall rules do not exist..........................pass (21)
[+] Stopping all running fwknopd processes...........................pass (22)
[+] Generating FORWARD chain access packet...........................pass (23)
[+] FORWARD request detection........................................pass (24)
[+] FORWARD and DNAT access..........................................pass (25)
(Sleeping for 10 (+5) seconds for firewall rule timeout)
15 10 5 0
[+] Making sure firewall rules have been removed.....................pass (26)
[+] Stopping all running fwknopd processes...........................pass (27)
[+] Generating SPA access packet with fwknop client..................pass (28)
[+] SPA communications via tcpdump capture file......................pass (29)
[+] Firewall access rules exist......................................pass (30)
(Sleeping for 10 (+5) seconds for firewall rule timeout)
15 10 5 0
[+] Firewall access rules removed....................................pass (31)
[+] Stopping all running fwknopd processes...........................pass (32)
[+] Deleting all fwknopd iptables chains.............................pass (33)

[+] ==> Passed 34 tests against fwknop. <==
For those interested in the changes in the fwknop-1.9.0 release, here is the complete ChangeLog:
  • Added a test suite so that fwknop and fwknopd functionality can be automatically tested over the loopback interface (see the script in the test/ directory).
  • Major update to allow SPA packets to create DNAT connections to internal systems through the FORWARD chain (iptables only). This is useful to connect through to internal systems (that may be running on non-routable IP addresses) via a border firewall or router that is running fwknopd to create inbound DNAT rules.
  • Added support for the iptables OUTPUT chain via two new variables in the fwknop.conf file: ENABLE_IPT_OUTPUT and IPT_OUTPUT_ACCESS. This is useful for iptables firewalls that are not running the conntrack modules and that have a restrictive OUTPUT chain (so SYN/ACK responses are not allowed out without an explicit ACCEPT rule).
  • Added the ability to force the fwknopd and knoptm daemons to restart themselves (via knopwatchd) after a configurable timeout (see the ENABLE_VOLUNTARY_EXITS and EXIT_INTERVAL variables in the /etc/fwknop/fwknop.conf file). This feature is for those that want fwknopd to go through its initialization routine periodically just in case there is a logic (or other) bug that might result in fwknopd not accepting a valid SPA packet. NOTE: This feature is disabled by default, and is not normally needed since fwknopd is quite stable in most deployments.
  • Major update to perform all firewall rule expirations with knoptm, which is now started in all data collection modes. Older versions of fwknopd maintained its own firewall rule expiration code for the FILE_PCAP, ULOG_PCAP, and KNOCK modes, so two mechanisms were being maintained for the same purpose. The 1.9.0 release fixes this oversight.
  • Minor bugfix to have knopwatchd generate syslog messages whenever an fwknop daemon needs to be restarted.
  • Added --interface command line argument to to allow the sniffing interface to be specified from the command line. Also updated to enforce a 10-try maximum for attempting to accept a valid interface name from the command line (LANG env issues can exist sometimes).
  • Updated SPA packet format for server_auth and forward_info elements; the internal MD5 sum is now always the last field in an SPA packet. This makes extensions of the SPA protocol much easier, and the generation of SPA packets more elegant. Also, SPA packet validation has been improved to ensure that fields that are supposed to be digits really only contain integer data.
  • Added ENABLE_FORWARD_ACCESS variable to the access.conf file, and added ENABLE_IPT_FORWARDING to the fwknop.conf file. These variables provide the per-SOURCE ability to create DNAT connections through the FORWARD chain.
  • Replaced the IPT_AUTO_CHAIN1 variable with IPT_INPUT_ACCESS and IPT_FORWARD_ACCESS in fwknop.conf.
  • Added --Forward-access argument to the fwknop client.
  • Added client version number to syslog messages generated by fwknopd when a valid SPA packet is received.
  • Added human readable timestamp to MD5 cache. Here is an example of the update format: X6WF2C29kEgAv4aDJ8TDeQ [Wed Nov 28 09:24:46 2007]
  • Added --Count argument to fwknopd so that it calls exit() when the specified number of packets is monitored.
  • Added --no-logs argument to knoptm in support of the test suite so that no emails are generated.
  • Bugfix in fwknopd to account for non-Ethernet link layer header over *BSD loopback interfaces.
  • Added --Save-dst argument to the fwknop client to add a priority file to store client command line arguments (~/ This file is only overwritten when --Save-dst is used.
  • Added fwknopd --fw-del-chains to allow the fwknopd iptables chains to easily be deleted.
  • Minor fwknopd bugfix to set process exit status to 0 when --Kill is used.

fwsnort-1.0.3 Software Release

The 1.0.3 release of fwsnort is ready for download. This release adds the ability to interpret basic PCRE expressions (more detail below) and includes a major signature update from Bleeding Threats. A new command line argument --include-re-caseless allows fwsnort to restrict its translation operation to Snort rules that contain a regular expression (matched case-insensitively). For example, here is the command to build an iptables policy derived from Snort rules in the bleeding-all.rules file that contain the string "sid:2007" (for signatures that were added in 2007):

# fwsnort --include-type bleeding-all --include-regex "sid:2007" --include-re-caseless

    Snort Rules File        Success   Fail   Ipt_apply   Total
[+] bleeding-all.rules          614     28         607     642

[+] Generated iptables rules for 614 out of 642 signatures: 95.64%
[+] Found 607 applicable snort rules to your current iptables

[+] Logfile: /var/log/fwsnort.log
[+] iptables script: /etc/fwsnort/

This results in 607 successfully translated Snort rules, and here is the iptables command equivalent built by fwsnort for the "BLEEDING-EDGE MALWARE Adware Checkin" signature:

$IPTABLES -A FWSNORT_OUTPUT_ESTAB -p tcp --dport 80 -m string --string "wmid=" --algo bm -m string --string "&mid=" --algo bm -m string --string "&lid=" --algo bm -m comment --comment "sid:2007696; msg:BLEEDING-EDGE MALWARE Adware Checkin; classtype:trojan-activity; rev:1; FWS:1.0.3;" -j LOG --log-ip-options --log-tcp-options --log-prefix "[15] SID2007696 ESTAB "

Here is the full ChangeLog:
  • Added --include-re-caseless and --exclude-re-caseless options to have --include-regex and --exclude-regex options match case insensitively.
  • Major signature update from Bleeding Threats. This update includes a large number of new signatures with PCRE statements, with an emphasis on detecting SQL injection attacks directed at internal webservers from external sources.
  • Added the ability to interpret PCRE statements that include simple string matches separated by ".*" and ".+" as multiple iptables string matches. The only negative consequence in terms of signature detection is that ordering is not preserved; that is, the PCRE "/UNION.+SELECT/" would only match a packet that contains "UNION" followed by "SELECT", whereas an iptables rule that uses a string match for UNION and a separate string match for SELECT would match a packet that contains both strings but in reverse. Typically this is not a huge concern, and the PCRE translation can be disabled with a new option --no-pcre.
  • Added asn1 keyword to unsupported list.
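The ordering caveat in the PCRE item above, as an added example (written for this page, not fwsnort's own Perl code): pcre_to_strings performs the same split on ".*" and ".+", iptables_string_matches renders the pieces in the --algo bm form seen in the Adware Checkin rule above, and translation_diverges finds payloads that the translated rule matches but the original regex would not. The metacharacter list used to reject patterns the simple translation cannot handle is an assumption of this example.

```python
import re

# Regex metacharacters the simple translation does not interpret; a piece
# containing any of these cannot become a plain string match (assumed list).
_META = set(r".\^$|?()[]{}+*")

_PCRE = re.compile(r"/(.*)/[a-zA-Z]*")  # /body/flags


def pcre_to_strings(pcre: str):
    """Split a Snort PCRE such as /UNION.+SELECT/ into the literal pieces that
    can each become an iptables string match. Returns None when the pattern
    contains anything beyond literals joined by ".*" or ".+"."""
    m = _PCRE.fullmatch(pcre)
    if not m:
        return None
    pieces = re.split(r"\.[*+]", m.group(1))
    if any(not p or (set(p) & _META) for p in pieces):
        return None
    return pieces


def iptables_string_matches(pieces) -> str:
    """Render the pieces in the string-match form fwsnort emits."""
    return " ".join('-m string --string "%s" --algo bm' % p for p in pieces)


def pcre_match(payload: str, pcre: str) -> bool:
    """Reference behaviour of the original regex: order and gaps enforced."""
    return re.search(_PCRE.fullmatch(pcre).group(1), payload) is not None


def string_matches_match(payload: str, pieces) -> bool:
    """Behaviour of the translated rule: every piece present, in any order;
    the ".+" requirement of at least one byte between pieces is lost as well."""
    return all(p in payload for p in pieces)


def translation_diverges(payload: str, pcre: str) -> bool:
    """True for payloads the iptables rule matches but the PCRE does not
    (the translation can only over-match, never under-match)."""
    pieces = pcre_to_strings(pcre)
    return (pieces is not None
            and string_matches_match(payload, pieces)
            and not pcre_match(payload, pcre))
```

Because the translated rule is a superset matcher, the failure mode is extra alerts rather than missed ones, which is the right direction for a signature that only logs; a rule that also dropped traffic would want the --no-pcre option from the ChangeLog until the ordering is preserved.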

fwknop Windows UI

Sean Greven, a contributor to the fwknop project, has developed a UI for generating fwknop Single Packet Authorization messages from Windows systems without the need for the regular fwknop client to be installed. The UI can be downloaded here, and the source code (which Sean has contributed to fwknop under the GPL) can be downloaded here.

Although the fwknop client functions under Cygwin, it is an important step to be able to generate SPA packets without fwknop installed at all since many users do not run systems with Cygwin installed. With Sean's UI, users can easily leverage the strength of Single Packet Authorization to protect services such as SSHD on Linux, *BSD, or Mac OS X systems and authenticate from Windows at the same time. The UI is currently in a testing phase and the initial version supports symmetrically encrypted SPA messages (with the Rijndael cipher), but also leveraging GnuPG is on the roadmap.

Here is a screenshot of the UI installed on a Windows 2000 system. The UI is on the left, and the fwknopd daemon on the target (Linux) system is running in debug mode so that you can see the iptables ACCEPT rule added for the Windows client and then deleted after 30 seconds. Netfilter's connection tracking subsystem is used to keep any established connection open, but no new connections can be established unless another non-replayed SPA packet is sniffed off the wire by fwknopd:
[Screenshot: fwknop Windows UI]

Software Release - fwknop-1.8.3

The 1.8.3 release of fwknop is ready for download. This release reinstates the legacy port knocking operation mode (for those that really want to use it instead of Single Packet Authorization). A few bugs have also been fixed, particularly for the auto-resolution of external NAT addresses via (and a backup resolution URL exists now as well that you can hit with the --URL option on the fwknop client command line).

Below is an illustration of the old port knocking mode in action. The fwknopd server running on reconfigures the iptables policy to allow an SSH connection from the client system after receiving the encrypted port knock sequence:

$ fwknop -A tcp/22 -a -D --Server-mode knock
[+] Starting fwknop client (encrypted port knocking mode)...
[+] Enter an encryption key. This key must match a key in the file
/etc/fwknop/access.conf on the remote system.

Encryption Key:
[+] Clear-text sequence (11 bytes): 192 168 10 2 0 22 6 28 109 98 114
[+] Cipher-text sequence (32 bytes): 83 97 108 116 101 100 95 95 110 133 220 202 45 184 129 230 175 166 62 162 104 46 183 22 193 82 17 126 174 38 76 222
[+] Sending port knocking sequence to knock server:
   -> tcp/61083 (packet: 0)
   -> tcp/61097 (packet: 1)
   -> tcp/61108 (packet: 2)
   -> tcp/61116 (packet: 3)
   -> tcp/61101 (packet: 4)
   -> tcp/61100 (packet: 5)
   -> tcp/61095 (packet: 6)
   -> tcp/61095 (packet: 7)
   -> tcp/61110 (packet: 8)
   -> tcp/61133 (packet: 9)
   -> tcp/61220 (packet: 10)
   -> tcp/61202 (packet: 11)
   -> tcp/61045 (packet: 12)
   -> tcp/61184 (packet: 13)
   -> tcp/61129 (packet: 14)
   -> tcp/61230 (packet: 15)
   -> tcp/61175 (packet: 16)
   -> tcp/61166 (packet: 17)
   -> tcp/61062 (packet: 18)
   -> tcp/61162 (packet: 19)
   -> tcp/61104 (packet: 20)
   -> tcp/61046 (packet: 21)
   -> tcp/61183 (packet: 22)
   -> tcp/61022 (packet: 23)
   -> tcp/61193 (packet: 24)
   -> tcp/61082 (packet: 25)
   -> tcp/61017 (packet: 26)
   -> tcp/61126 (packet: 27)
   -> tcp/61174 (packet: 28)
   -> tcp/61038 (packet: 29)
   -> tcp/61076 (packet: 30)
   -> tcp/61222 (packet: 31)
[+] Finished knock sequence.
$ ssh -l mbr
On the fwknopd server, the following messages are written to syslog that show an iptables ACCEPT rule being added for the client system for 30 seconds and then removed. The SSH connection from the client remains open by using the Netfilter connection tracking subsystem to allow packets in the ESTABLISHED state through, but once the ACCEPT rule is removed no new SSH connections can be established:

Nov 17 10:34:47 isengard fwknopd: successful knock decrypt for (SOURCE block: 1)
Nov 17 10:34:47 isengard fwknopd: adding iptables FWKNOP_INPUT ACCEPT rule for -> tcp/22 (30 seconds)
Nov 17 10:35:19 isengard fwknopd: removed iptables FWKNOP_INPUT ACCEPT rule for -> tcp/22, 30 second timeout exceeded
Port knocking sequences do not necessarily have to be encrypted, and fwknop supports shared sequences. This can be useful to allow systems where perl is not installed to take advantage of some port knocking capabilities without requiring the fwknop client. In the screenshot below, the fwknopd server (in the right hand terminal) has been configured to accept a sequence that consists of the two TCP ports 1234 followed by 5001. The client (in the left hand terminal) just needs to use any program such as netcat or telnet to hit these two ports, which generates iptables log messages at the fwknopd server where the shared sequence is parsed and validated. Once the correct sequence is seen, fwknopd opens port 22 for 30 seconds (this timeout is configured in the /etc/fwknop/access.conf file):
[Screenshot: fwknop-1.8.3 release, shared port knocking sequence]
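An added Python example (not fwknop's own Perl code) of the relationship between the two sequences printed by the client above: every ciphertext byte is sent as a connection to port 61000 plus its value, so the 32-port list is a direct encoding of the 32-byte ciphertext, and the first eight ciphertext bytes (83 97 108 116 101 100 95 95) are the Crypt::CBC "Salted__" magic discussed in the 1.9.2 post. The 61000 base and the 11-byte clear-text layout (IPv4 address, port, protocol, random bytes) are inferred from the output above, not documented on this page.

```python
# Values taken from the client output above.
CLEAR_SEQ = [192, 168, 10, 2, 0, 22, 6, 28, 109, 98, 114]
CIPHER_SEQ = [83, 97, 108, 116, 101, 100, 95, 95, 110, 133, 220, 202, 45, 184,
              129, 230, 175, 166, 62, 162, 104, 46, 183, 22, 193, 82, 17, 126,
              174, 38, 76, 222]

# Each ciphertext byte b is sent as a connection attempt to port 61000 + b;
# the offset is inferred from the sequence above (assumption).
KNOCK_PORT_BASE = 61000


def bytes_to_knock_ports(data) -> list:
    """Client side: one destination port per ciphertext byte."""
    return [KNOCK_PORT_BASE + b for b in data]


def knock_ports_to_bytes(ports) -> bytes:
    """Server side: rebuild the ciphertext from the destination ports that
    show up in the iptables log messages."""
    out = bytearray()
    for p in ports:
        b = p - KNOCK_PORT_BASE
        if not 0 <= b <= 255:
            raise ValueError("port %d is outside the knock range" % p)
        out.append(b)
    return bytes(out)


def parse_clear_sequence(seq) -> dict:
    """Layout inferred from the 11-byte clear-text sequence above: 4 bytes of
    IPv4 address, a 16-bit port, a protocol number, 4 random bytes (assumption)."""
    if len(seq) != 11:
        raise ValueError("clear-text knock sequence is 11 bytes")
    return {
        "ip": ".".join(str(b) for b in seq[:4]),
        "port": (seq[4] << 8) | seq[5],
        "proto": {6: "tcp", 17: "udp"}.get(seq[6], str(seq[6])),
        "nonce": bytes(seq[7:]),
    }


def ciphertext_header(ct) -> bytes:
    """First 8 bytes of the ciphertext, where Crypt::CBC puts its magic."""
    return bytes(ct[:8])
```

The fixed "Salted__" header is also why the page notes that every encrypted knock sequence is at least 32 bytes: 8 bytes of magic, 8 of salt and one 16-byte cipher block is the smallest output the updated Crypt::Rijndael path can produce, and the header shows up on the wire as the same eight ports (61083 61097 61108 61116 61101 61100 61095 61095) at the start of every sequence, a pattern a passive observer can key on just as easily as the base64 prefix of an SPA packet.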
For those interested in the changes in the fwknop-1.8.3 release, here is the complete ChangeLog:
  • Updated external IP resolution to point to, and added as a backup site for fwknop IP resolution.
  • Added storage of source IP along with SPA MD5 sum. This allows the user to infer which networks are more hostile if an SPA packet is replayed.
  • Added SPA packet hex dumps in 'fwknopd --debug' mode so that the integration of third-party encryption algorithms is easier to troubleshoot. Sean Greven contributed a patch for this.
  • Reinstated the legacy port knocking mode. It appears that all encrypted output from the updated Crypt::Rijndael module is at least 32 bytes long, so port knocking sequences are now 32 bytes long as well (they were previously 16 bytes long in old versions of fwknop).
  • Bugfix to ensure the key length is at least 8 chars in --get-key mode.
  • Minor update to remove init message on OS X install.
  • Updated to set the LANG environmental variable to "en_US.UTF-8". This should fix the problem where the output of ifconfig was not interpreted correctly if the locale LANG setting is not English.
  • Implemented verbose email alerting by setting the ALERTING_METHODS variable to "verbose". This instructs fwknopd to generate a new email message for each message that it normally logs via syslog (this feature is not the default, and must be manually enabled).

Software Release - psad-2.1

The 2.1 release of psad is ready for download. This release completes the 2.0.x development series with a few minor bugfixes and the addition of a patch against iptables to enforce trailing spaces in log prefixes. Here is the ChangeLog:
  • Changed EMAIL_LIMIT model to apply to scanning source addresses only instead of also factoring in the destination address. The original src/dst email limit behavior can be restored by setting a new variable "ENABLE_EMAIL_LIMIT_PER_DST" to "Y".
  • Added the patches/iptables-1.3.8_LOG_prefix_space.patch file which can be applied to the iptables-1.3.8 code to enforce a trailing space character before any log prefix when a LOG rule is added. This ensures that the user cannot break the iptables syslog format just by forgetting to include a space at the end of a logging prefix.
  • Bugfix to ensure that parsing TCP options does not descend into an infinite loop in some circumstances with obscure or maliciously constructed options. Also added syslog reporting for broken options lengths of zero or one byte (the minimum option length is two bytes to accommodate the TLV encoding).
  • Bugfix to enforce the usage of --CSV-fields in --gnuplot mode.
  • Implemented --get-next-rule-id so that it is easy to assign a new rule ID to a new signature in the /etc/psad/signatures file.
  • Updated to just call die() if GetOpt fails; this allows erroneous usage of the command line to display informative error messages more clearly.
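An added example (Python, not psad's Perl code) of the TCP options parsing fix in the third item: a TLV walker that refuses a length of 0 or 1, which would otherwise leave the cursor in place or step into the option's own bytes and loop forever, and also refuses an option that claims more bytes than the field holds. The sample option fields are constructed; a real consumer such as psad would receive them from the --log-tcp-options output of an iptables LOG rule.

```python
# Option kinds that consist of a single byte and carry no length field.
TCPOPT_EOL = 0
TCPOPT_NOP = 1

KIND_NAMES = {2: "MSS", 3: "WScale", 4: "SACKperm", 5: "SACK", 8: "Timestamp"}


class BrokenOptions(ValueError):
    """Raised for option lengths that cannot be valid TLV encodings."""


def parse_tcp_options(opts: bytes) -> list:
    """Walk the TLV-encoded options field and return (kind, data) pairs.
    A length of 0 or 1 would never advance past the current option (or would
    re-read its own length byte as the next kind), so it is an error, as is an
    option that runs past the end of the buffer."""
    out = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            out.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise BrokenOptions("kind %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2:
            raise BrokenOptions("kind %d has length %d; minimum is 2 (kind + len)" % (kind, length))
        if i + length > len(opts):
            raise BrokenOptions("kind %d length %d overruns %d-byte options" % (kind, length, len(opts)))
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def describe_options(opts: bytes) -> str:
    """Render the options the way a passive OS fingerprinter might log them."""
    parts = []
    for kind, data in parse_tcp_options(opts):
        if kind == 2:
            parts.append("MSS=%d" % int.from_bytes(data, "big"))
        elif kind == 3:
            parts.append("WS=%d" % data[0])
        elif kind == TCPOPT_NOP:
            parts.append("NOP")
        else:
            parts.append(KIND_NAMES.get(kind, "opt%d" % kind))
    return " ".join(parts)


# Constructed samples: a typical Linux SYN options field, then two malformed ones.
GOOD_OPTS = bytes.fromhex("020405b4" "0402" "080a0001020300000000" "01" "030307")
ZERO_LEN_OPTS = bytes.fromhex("020005b4")  # MSS with length 0: would never advance
OVERRUN_OPTS = bytes.fromhex("021005b4")   # MSS claiming 16 bytes in a 4-byte field
```

Without the `length < 2` check the zero-length sample keeps the cursor at offset 0 forever, and a length of 1 makes the parser read the length byte itself as the next option kind; both are exactly the "obscure or maliciously constructed" inputs the ChangeLog entry refers to, and raising (and logging) rather than silently skipping is what lets psad report the broken lengths via syslog.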