Greetings all,
This tutorial is a how-to guide for port knocking with fwknop on Fedora 13 and 14, courtesy of Ubersec.
fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter (fwknop supports both iptables on Linux systems and ipfw on FreeBSD and Mac OS X systems) and libpcap. SPA is essentially next generation port knocking.
Install the following packages:
#yum install -y wget
#yum install openssh-server (if the server is not installed already)
#yum -y install system-config-services
#yum install setools-gui.i686 (SELinux policy analysis tools; SELinux itself is part of the kernel and is already present)
#yum -y install policycoreutils-gui.i686 (the SELinux Management GUI, if you don't have it already)
#yum install -y nmap (network mapper, used below to verify the firewall)
#yum -y install perl-HTML-Entities-Numbered.noarch
#yum -y install perl-HTML-Parser.i686
#yum -y install perl-SOAP-Lite.noarch
#yum -y install perl-ExtUtils-AutoInstall.noarch
Download perlmod from http://sourceforge.net/projects/perlmod/ and use it to install the IPC::Shareable Perl module:
#perlmod -i IPC::Shareable
#yum install fwknop (the port-knocking service itself)
Disable SELinux and establish a working SSH session.
Check whether SELinux is enforcing: #sestatus -v | less OR #/usr/sbin/getenforce
If it is enforcing, this guide disables it through the GUI (System --> Administration --> SELinux Administration) followed by a reboot. Keep in mind that this removes a layer of protection from the whole host for the sake of one daemon. Before disabling it permanently, try #setenforce 0 (permissive mode until the next boot) and check whether fwknopd works; if it does, look for the denials in /var/log/audit/audit.log and fix the policy rather than switching SELinux off.
Start the SSH server: #service sshd restart
Avoid #service sshd stop && service sshd start: if sshd was not running, the stop fails and the && skips the start.
TIP:
Also make sure sshd is enabled at boot: #chkconfig sshd on (or through System --> Administration --> Services).
Check that you can log in: #ssh localhost
Now type #nmap -p 22 localhost
TIP:
It should report port 22 as open. If it does not, your sshd service is not running.
For Example:
[root@ittlabusr fwknop]# nmap -p 22 localhost
Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-08 12:23 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00019s latency).
rDNS record for 127.0.0.1: localhost.localdomain
PORT STATE SERVICE
22/tcp open ssh
Configure IPTABLES
First back up the rules that are currently loaded (with -c the packet counters are kept too):
#iptables-save -c > /etc/iptables-save
To reload that backup later: #iptables-restore -c < /etc/iptables-save
Type #ifconfig to find out which interface your Linux box is listening on. You will need it for the -o option of the NAT rule in the firewall.sh script below.
Now create the file firewall.sh with the following contents:
#!/bin/sh
# Default-drop policy for the fwknop/SPA host. iptables evaluates a chain
# top-down, so the catch-all LOG/DROP pair must be the last INPUT rules.
IPTABLES=/sbin/iptables
# Placeholder: set this to the interface reported by ifconfig.
EXT_IF=eth0
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
# Keeps an SSH session alive after fwknopd removes its temporary ACCEPT rule.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log SYNs to port 22 that arrive without a prior SPA packet; this must sit
# above the catch-all DROP or it never matches.
$IPTABLES -A INPUT -p tcp --syn --dport 22 -j LOG --log-prefix "SSH SYN "
# Catch-all: log, then drop everything else. Loopback is not exempted, which
# is why nmap against localhost reports port 22 as filtered later on.
$IPTABLES -A INPUT -j LOG --log-prefix "DROP "
$IPTABLES -A INPUT -j DROP
$IPTABLES -A FORWARD -j LOG --log-prefix "DROP "
$IPTABLES -A FORWARD -j DROP
# Only relevant if this box routes for 192.168.1.0/24 (a FORWARD accept for
# that network would also be needed). MASQUERADE is assumed as the target.
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -o $EXT_IF -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "[+] iptables policy activated"
exit 0
Save the file and make it executable: #chmod +x firewall.sh
Now run it: #./firewall.sh
Now type #iptables -L to check that the new rules are loaded.
For example, it should show the following (note that the SSH SYN log rule sits above the catch-all LOG/DROP pair, otherwise it would never match):
[root@ittlabusr ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
LOG        tcp  --  anywhere             anywhere            tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning prefix `SSH SYN '
LOG        all  --  anywhere             anywhere            LOG level warning prefix `DROP '
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            LOG level warning prefix `DROP '
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Now save the rules so the iptables service loads them at boot: #/sbin/iptables-save > /etc/sysconfig/iptables (and #chkconfig iptables on if the service is not already enabled)
Now reboot by typing #shutdown -r now, or reload the saved rules without rebooting: #service iptables restart
Now run nmap again to confirm the rules are active: port 22 should show as filtered instead of open. Because the script also drops loopback traffic, this test works from localhost; if local services need 127.0.0.1, add an "-A INPUT -i lo -j ACCEPT" rule near the top of the script and test from another host instead.
For example,
[root@ittlabusr fwknop]# nmap -p 22 localhost
Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-08 12:25 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up.
rDNS record for 127.0.0.1: localhost.localdomain
PORT STATE SERVICE
22/tcp filtered ssh
Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds
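The ordering check that the listing above relies on can be automated. The script below is an added example, not part of the original tutorial or of fwknop: it lints iptables-save output for INPUT rules that sit after the catch-all DROP (dead rules), for the RELATED,ESTABLISHED accept that keeps SSH sessions alive once fwknopd removes its temporary ACCEPT, and for the reachability of the "SSH SYN" log rule. The two policies embedded in it are constructed samples in iptables-save syntax; on a live box call check_policy "$(iptables-save)".

```shell
#!/bin/sh
# Added example (not from the original tutorial): lint an iptables policy for
# the SPA host. iptables walks a chain top-down, so any INPUT rule placed after
# the catch-all "-A INPUT -j DROP" can never match.

# Number of INPUT rules that appear after the first catch-all DROP.
dead_input_rules() {
    printf '%s\n' "$1" | awk '
        dead && /^-A INPUT / { n++ }
        $0 == "-A INPUT -j DROP" { dead = 1 }
        END { print n + 0 }'
}

# Exit 0 if INPUT accepts RELATED,ESTABLISHED traffic (iptables-save may print
# the two states in either order).
has_established_accept() {
    printf '%s\n' "$1" | grep -q -- '^-A INPUT .*--state [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT'
}

# Exit 0 if the "SSH SYN" log rule for port 22 sits above the catch-all DROP.
ssh_syn_rule_live() {
    printf '%s\n' "$1" | awk '
        $0 == "-A INPUT -j DROP" { exit }
        /^-A INPUT / && /--dport 22( |$)/ && /SSH SYN/ { found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# Prints findings; returns 1 on any FAIL.
check_policy() {
    rc=0
    dead=$(dead_input_rules "$1")
    if [ "$dead" -gt 0 ]; then
        echo "FAIL: $dead INPUT rule(s) sit after the catch-all DROP and can never match"
        rc=1
    fi
    if ! has_established_accept "$1"; then
        echo "FAIL: no RELATED,ESTABLISHED accept in INPUT; SSH sessions die when fwknopd removes its ACCEPT rule"
        rc=1
    fi
    if ! ssh_syn_rule_live "$1"; then
        echo "WARN: SSH SYN log rule missing or unreachable; knock-less SYNs to port 22 will not be logged under that prefix"
    fi
    [ "$rc" -eq 0 ] && echo "OK: policy ordering is sane"
    return "$rc"
}

# Constructed sample (abbreviated iptables-save output): catch-all DROP placed
# before the two port-22 rules, so both of those rules are dead.
BROKEN_POLICY='*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "DROP "
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SSH SYN "
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "DROP "
COMMIT'

# Constructed sample with the SSH SYN log rule ahead of the catch-all DROP.
FIXED_POLICY='*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SSH SYN "
-A INPUT -j LOG --log-prefix "DROP "
-A INPUT -j DROP
COMMIT'

echo "--- broken policy"; check_policy "$BROKEN_POLICY" || true
echo "--- fixed policy";  check_policy "$FIXED_POLICY"
```

The check is deliberately textual: it reads the same iptables-save format you just wrote to /etc/sysconfig/iptables, so it can be run against that file before a reboot as well as against the live ruleset.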
Setting up and configuring the fwknop port-knocking service.
Edit the server configuration: #gedit /etc/fwknop/fwknop.conf (or nano)
Change the line ALERTING_METHODS ALL; (TO) --> ALERTING_METHODS noemail; (otherwise fwknopd tries to e-mail every alert)
Change the line shCmd /bin/sh; (TO) --> shCmd /bin/bash;
Change the line PCAP_INTF eth1; so that it names the interface the SPA packets arrive on. fwknopd sniffs this interface with libpcap, so a wrong value means every knock is silently ignored!
TIP
Type ifconfig -a in another terminal to list your interfaces.
Change the line ENABLE_SPA_PACKET_AGING Y; (TO) --> ENABLE_SPA_PACKET_AGING N; only if you must. Packet aging rejects SPA packets whose timestamp is older than a configurable age (two minutes by default) and is part of fwknop's defence against someone replaying a captured knock later. The usual reason to turn it off is clock skew between client and server; the better fix is to sync both clocks with NTP and leave it set to Y. If you do set it to N, leave fwknopd's digest-based replay detection (on by default) enabled.
Edit the access file: #gedit /etc/fwknop/access.conf (or nano)
Change the line KEY: __CHANGEME__; to KEY: <your key>; The key must be at least 8 characters long. It is the symmetric key every client will use, so pick a long random string, and keep the file readable by root only: #chmod 600 /etc/fwknop/access.conf
Add the line DATA_COLLECT_MODE: PCAP;
Uncomment or add the line FW_ACCESS_TIMEOUT: 30; (time in seconds that port 22 stays open for the knocking address; an established session survives past it because of the ESTABLISHED,RELATED rule in firewall.sh)
Stop and start fwknop service
#service fwknop stop
#service fwknop start
#netstat -anlp | grep fwknop (to check if fwknop is listening)
unix 2 [ ACC ] STREAM LISTENING 42445 7317/perl /var/run/fwknop/knoptm_ip_timeout.sock
OR
#service fwknop status
knoptm (pid 7317) is running...
fwknopd (pid 7314) is running...
knopwatchd (pid 7319) is running...
On the server side, watch the logs as the knock arrives:
#tail -f /var/log/messages
On the Linux client, send the SPA packet with the fwknop client:
#fwknop -A tcp/22 -a <address to allow> -D <server>
For example, with the server at 10.75.3.232:
#fwknop -A tcp/22 -a <your client's IP> -D 10.75.3.232
-A tcp/22 asks for access to TCP port 22, -D is the server, and -a is the address fwknopd will open the port for, so it must be the client's address as the server sees it; -a 127.0.0.1 only makes sense when client and server are the same machine. If the client sits behind NAT, use -R instead of -a so the client resolves its external address. You will be prompted for the KEY from access.conf.
Then, within FW_ACCESS_TIMEOUT (30 seconds above), connect as usual: #ssh 10.75.3.232
On the server, /var/log/messages shows the SPA packet itself logged as a DROP to UDP port 62201 (fwknopd reads it with libpcap, so the firewall still drops it), followed by fwknopd's messages about the access rule it adds and later removes.
OR
Download fwknop for Windows from
http://www.cipherdyne.org/fwknop/download/ and run fwknop for Windows.
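Tailing /var/log/messages shows every line; what you usually want is a summary of who hit port 22 without knocking and who sent SPA packets. The script below is an added example, not part of the original tutorial or of fwknop. It parses only kernel iptables LOG lines (the "SSH SYN " and "DROP " prefixes come from firewall.sh; the IN=/SRC=/DPT= field layout is the LOG target's standard format) and leaves fwknopd's own syslog messages alone. The log excerpt embedded in it is constructed and abbreviated; the addresses in it are sample values, and 62201 is fwknop's default SPA port.

```shell
#!/bin/sh
# Added example (not from the original tutorial): summarise iptables LOG lines
# produced by firewall.sh while clients knock. Live usage:
#   ssh_syn_by_source "$(cat /var/log/messages)"

# SYN packets to port 22 that hit the "SSH SYN" log rule, per source address.
# A host listed here did not send a valid SPA packet first (or sent it too
# long ago): that is what a scanner or an SSH brute-forcer looks like.
ssh_syn_by_source() {
    printf '%s\n' "$1" | awk '
        /kernel: .*SSH SYN / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) n[substr($i, 5)]++
        }
        END { for (s in n) print n[s], s }' | sort -rn -k1,1
}

# Sources that sent UDP to 62201, the default SPA port. fwknopd picks these
# packets up with libpcap, so the catch-all rule still logs and drops them; a
# DROP to 62201 followed by no "SSH SYN" line from the same source is what a
# successful knock looks like from the firewall's point of view.
spa_senders() {
    printf '%s\n' "$1" | awk '
        /kernel: .*DROP / && /PROTO=UDP/ && /DPT=62201/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) seen[substr($i, 5)] = 1
        }
        END { for (s in seen) print s }' | sort
}

# Constructed, abbreviated /var/log/messages excerpt (MAC and most packet
# fields trimmed). 10.75.3.50 knocks and then connects without being logged;
# 203.0.113.7 and 198.51.100.9 hit port 22 without knocking.
SAMPLE_LOG='Apr  8 12:30:01 ittlabusr kernel: DROP IN=eth0 OUT= SRC=10.75.3.50 DST=10.75.3.232 LEN=200 TTL=64 PROTO=UDP SPT=45000 DPT=62201 LEN=180
Apr  8 12:31:10 ittlabusr kernel: SSH SYN IN=eth0 OUT= SRC=203.0.113.7 DST=10.75.3.232 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=22 SYN URGP=0
Apr  8 12:31:10 ittlabusr kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.75.3.232 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=22 SYN URGP=0
Apr  8 12:31:13 ittlabusr kernel: SSH SYN IN=eth0 OUT= SRC=203.0.113.7 DST=10.75.3.232 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=22 SYN URGP=0
Apr  8 12:31:19 ittlabusr kernel: SSH SYN IN=eth0 OUT= SRC=203.0.113.7 DST=10.75.3.232 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=22 SYN URGP=0
Apr  8 12:32:40 ittlabusr kernel: SSH SYN IN=eth0 OUT= SRC=198.51.100.9 DST=10.75.3.232 LEN=60 TTL=48 PROTO=TCP SPT=40022 DPT=22 SYN URGP=0'

echo "SYNs to port 22 without a knock (count source):"
ssh_syn_by_source "$SAMPLE_LOG"
echo "sources that sent SPA packets to udp/62201:"
spa_senders "$SAMPLE_LOG"
```

Note that a SYN from a host that knocked correctly never appears under "SSH SYN": fwknopd inserts its ACCEPT rule above the log rule, so the packet is accepted before it is logged. A source that appears in both lists sent an SPA packet that fwknopd rejected (wrong key, expired timestamp or replay), which is worth a look in fwknopd's own log lines.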
Wish I got classes like this in school