FWKNOP(8) Fwknop Client FWKNOP(8)
NAME
fwknop - Firewall Knock Operator
SYNOPSIS
fwknop -A <proto/ports> -R|-a|-s -D <host> [options]
DESCRIPTION
fwknop implements an authorization scheme known as Single Packet Authorization (SPA) for Linux systems running iptables. This mechanism
requires only a single encrypted and non-replayed packet to communicate various pieces of information including desired access through an
iptables or ipfw policy. The main application of this program is to use iptables in a default-drop stance to protect services such as SSH
with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more
difficult.
An authorization server fwknopd passively monitors authorization packets via libpcap and hence there is no "server" to which to connect in
the traditional sense. Any service protected by fwknop is inaccessible (by using iptables or ipfw to intercept packets within the kernel)
before authenticating; anyone scanning for the service will not be able to detect that it is even listening. Single Packet Authorization
offers many advantages over port knocking, including non-replayability of SPA packets, ability to use asymmetric ciphers (such as Elgamal),
and SPA cannot be broken by simply spoofing packets to duplicate ports within the knock sequence on the server to break port knocking
authentication.
SPA packets can easily be spoofed as well (this is a good thing in this context), and this makes it possible to make it appear as though,
say, www.yahoo.com is trying to authenticate to a target system but in reality the actual connection will come from a seemingly unrelated
IP.
Authorization packets are either encrypted with the Rijndael block cipher or via GnuPG and associated asymmetric ciphers. If the symmetric
encryption method is chosen, then the encryption key is shared between the client and server (see the fwknopd access.conf file for
details). If the GnuPG method is chosen, then the encryption keys are derived from GnuPG key rings. SPA packets generated by fwknop running
as a client adhere to the following format (before they are encrypted):
random number (16 bytes)
username
timestamp
software version
mode (command mode (0) or access mode (1))
if command mode => command to execute
else access mode => IP,proto,port
message digest (SHA512 / SHA384 / SHA256 / SHA1 / MD5)
Each of the above fields are separated by a ":" character due to the variable length of several of the fields, and those that might contain
":" characters are base64 encoded. The message digest (SHA256 by default in all versions of fwknop greater than 1.9.1) allows the server to
check message integrity after decryption, and the 16 bytes of random data ensures (with high probability) that no two messages are
identical. This ensures that replay attacks are not possible against fwknop.
For each packet coming from an fwknop client, the fwknopd server can cache the digest calculated over the entire packet and compares
against previous packet digests in order to detect attempted replay attacks. Syslog alerts are generated if a replay is detected.
By default, the fwknop client sends authorization packets over UDP port 62201, but this can be altered with the --server-port argument. The
server must first be configured to acquire the SPA data on the changed protocol-port. Also, fwknop can send the SPA packet over a random
port via the --rand-port argument. See fwknopd(8) for further details. See the EXAMPLES section for example invocations of the fwknop
client.
REQUIRED ARGUMENTS
These required arguments can be specified via command-line or from within the .fwknoprc file (see -n, --named-config option and the
FWKNOPRC FILE section below.
-D, --destination=<IP-address>
Direct the fwknop client to authenticate with the fwknopd daemon/service at the specified destination hostname or IP address. The
connection mode is discovered by the fwknopd daemon/service when it decrypts and parses the authentication packet.
-A, --access=<port list>
Provide a list of ports and protocols to access on a remote computer running fwknopd. The format of this list is
"<proto>/<port>...<proto>/<port>", e.g. "tcp/22,udp/53". NOTE: The vast majority of usages for fwknop require the -A argument, but
sending full commands with the --server-cmd argument via an SPA packet to be executed by fwknopd does not require this argument.
-R|-a|-s
One of these options (see below) is required to tell the remote fwknopd daemon what IP should be let through the local firewall. It is
recommend to use the -R or -a options instead of -s in order to harden SPA communications against possible Man-In-The-Middle (MITM)
attacks.
GENERAL OPTIONS
-h, --help
Print a usage summary message and exit.
-B, --save-packet=<file>
Instruct the fwknop client to write a newly created SPA packet out to the specified file so that it can be examined off-line.
-G, --get-key=<file>
Load an encryption key/password from the specified file. The key file contains a line for each destination hostname or IP address, a
colon (":"), optional space and the password, followed by a newline. Note that the last line has to have a terminating newline
character. Also note: though this is a convenience, have a file on your system with cleartext passwords is not a good idea and is not
recommended.
-l, --last-cmd
Execute fwknop with the command-line arguments from the previous invocation (if any). The previous arguments are parsed out of the
~/.fwknop.run file.
-n, --named-config=<stanza name>
Specify the name of the configuration stanza in the "$HOME/.fwknoprc" file to pull configuration and command directives. These named
stanzas alleviate the need for remembering the various command-line arguments for frequently used invocations of fwknop. See the
section labeled, FWKNOPRC FILE below for a list of the valid configuration directives in the .fwknoprc file.
--show-last
Display the last command-line arguments used by fwknop.
-T, --test
Test mode. Generate the SPA packet data, but do not send it. Instead, print a break-down of the SPA data fields, then run the data
through the decryption and decoding process and print the break-down again. This is primarily a debugging feature.
-v, --verbose
Run the fwknop client in verbose mode. This causes fwknop to print some extra information about the current command and the resulting
SPA data.
-V, --Version
Display version information and exit.
SPA OPTIONS
-a, --allow-ip=<IP-address>
Specify IP address that should be permitted through the destination fwknopd server firewall (this IP is encrypted within the SPA packet
itself). This is useful to prevent a MTIM attack where a SPA packet can be intercepted enroute and sent from a different IP than the
original. Hence, if the fwknopd server trusts the source address on the SPA packet IP header then the attacker gains access. The -a
option puts the source address within the encrypted SPA packet, and so thwarts this attack. The -a option is also useful to specify the
IP that will be granted access when the SPA packet itself is spoofed with the --spoof-src option. Another related option is -R (see
below) which instructs the fwknop client to automatically resolve the externally routable IP address the local system is connected to
by querying a website that returns the actual IP address it sees from the calling system.
-C, --server-cmd=<command to execute>
Instead of requesting access to a service with an SPA packet, the --server-cmd argument specifies a command that will be executed by
the fwknopd server. The command is encrypted within the SPA packet and sniffed off the wire (as usual) by the fwknopd server.
-g, --gpg-encryption
Use GPG encryption on the SPA packet (default if not specified is Rijndael). Note: Use of this option will require the specification
of a GPG recipient (see --gpg-recipient along with other GPG-related options below).
-H, --http-proxy=<proxy-host>[:port]
Specify an HTTP proxy that the fwknop client will use to send the SPA packet through. Using this option will automatically set the SPA
packet transmission mode (usually set via the --server-proto argument) to "http". You can also specify the proxy port by adding
":<port>" to the proxy host name or ip.
-m, --digest-type=<digest>
Specify the message digest algorithm to use in the SPA data. Choices are: MD5, SHA1, SHA256 (the default), SHA384, and SHA512.
-N, --nat-access=<internalIP:forwardPort>
The fwknopd server offers the ability to provide SPA access through an iptables firewall to an internal service by interfacing with the
iptables NAT capabilities. So, if the fwknopd server is protecting an internal network on an RFC-1918 address space, an external fwknop
client can request that the server port forward an external port to an internal IP, i.e. "--NAT-access 192.168.10.2,55000". In this
case, access will be granted to 192.168.10.2 via port 55000 to whatever service is requested via the --access argument (usually
tcp/22). Hence, after sending such an SPA packet, one would then do "ssh -p 55000 user@host" and the connection would be forwarded on
through to the internal 192.168.10.2 system automatically. Note that the port "55000" can be randomly generated via the --nat-rand-port
argument (described later).
--nat-local
On the fwknopd server, a NAT operation can apply to the local system instead of being forwarded through the system. That is, for
iptables firewalls, a connection to, say, port 55,000 can be translated to port 22 on the local system. By making use of the
--nat-local argument, the fwknop client can be made to request such access. This means that any external attacker would only see a
connection over port 55,000 instead of the expected port 22 after the SPA packet is sent.
--nat-rand-port
Usually fwknop is used to request access to a specific port such as tcp/22 on a system running fwknopd. However, by using the
--nat-rand-port argument, it is possible to request access to a particular service (again, such as tcp/22), but have this access
granted via a random translated port. That is, once the fwknop client has been executed in this mode and the random port selected by
fwknop is displayed, the destination port used by the follow-on client must be changed to match this random port. For SSH, this is
accomplished via the -p argument. See the --nat-local and --nat-access command line arguments to fwknop for additional details on
gaining access to services via a NAT operation.
-p, --server-port=<port>
Specify the port number where fwknopd accepts packets via libpcap or ulogd pcap writer. By default fwknopd looks for authorization
packets over UDP port 62201.
-P, --server-proto=<protocol>
Set the protocol (udp, tcp, http, tcpraw, or icmp) for the outgoing SPA packet. Note: The tcpraw and icmp modes use raw sockets and
thus require root access to run. Also note: The tcp mode expects to establish a TCP connection to the server before sending the SPA
packet. This is not normally done, but is useful for compatibility with the Tor for strong anonymity; see http://tor.eff.org/. In this
case, the fwknopd server will need to be configured to listen on the target TCP port (which is 62201 by default).
-Q, --spoof-src=<IP>
Spoof the source address from which the fwknop client sends SPA packets. This requires root on the client side access since a raw
socket is required to accomplish this. Note that the --spoof-user argument can be given in this mode in order to pass any
REQUIRE_USERNAME keyword that might be specified in /etc/fwknop/access.conf.
-r, --rand-port
Instruct the fwknop client to send an SPA packet over a random destination port between 10,000 and 65535. The fwknopd server must use a
PCAP_FILTER variable that is configured to accept such packets. For example, the PCAP_FILTER variable could be set to: "udp dst
portrange 10000-65535".
-R, --resolve-ip-http
This is an important option, and instructs the fwknop client and the fwknopd daemon/service to query a web server that returns the
caller's IP address (as seen by the web server). In some cases, this is needed to determine the IP address that should be allowed
through the iptables policy at the remote fwknopd server side. This is useful if the fwknop client is being used on a system that is
behind an obscure NAT address. Presently, fwknop uses the URL: http://www.cipherdyne.org/cgi-bin/myip to resolve the caller IP.
-s, --source-ip
Instruct the fwknop client to form an SPA packet that contains the special-case IP address "0.0.0.0" which will inform the destination
fwknopd SPA server to use the source IP address from which the SPA packet originates as the IP that will be allowed through upon
modification of the firewall ruleset. This option is useful if the fwknop client is deployed on a machine that is behind a NAT device.
The permit-address options -s, -R and -a are mutually exclusive.
--time-offset-plus=<time>
By default, the fwknopd daemon on the server side enforces time synchronization between the clocks running on client and server
systems. The fwknop client places the local time within each SPA packet as a time stamp to be validated by the fwknopd server after
decryption. However, in some circumstances, if the clocks are out of sync and the user on the client system does not have the required
access to change the local clock setting, it can be difficult to construct and SPA packet with a time stamp the server will accept. In
this situation, the --time-offset-plus option can allow the user to specify an offset (e.g. "60sec" "60min" "2days" etc.) that is added
to the local time.
--time-offset-minus=<time>
This is similar to the --time-offset-plus option (see above), but subtracts the specified time offset instead of adding it to the local
time stamp.
-u, --user-agent=<user-agent-string>
Set the HTTP User-Agent for resolving the external IP via -R, or for sending SPA packets over HTTP.
-U, --spoof-user=<user>
Specify the username that is included within SPA packet. This allows the fwknop client to satisfy any non-root REQUIRE_USERNAME keyword
on the fwknopd server (--spoof-src mode requires that the fwknop client is executed as root).
GPG-RELATED OPTIONS
--gpg-agent
Instruct fwknop to acquire GnuPG key password from a running gpg-agent instance (if available).
--gpg-home-dir=<dir>
Specify the path to the GnuPG directory; normally this path is derived from the home directory of the user that is running the fwknop
client. This is useful when a "root" user wishes to log into a remote machine whose sshd daemon/service does not permit root login.
--gpg-recipient=<key ID or Name>
Specify the GnuPG key ID, e.g. "1234ABCD" (see the output of "gpg--list-keys") or the key name (associated email address) of the
recipient of the Single Packet Authorization message. This key is imported by the fwknopd server and the associated private key is used
to decrypt the SPA packet. The recipient's key must first be imported into the client GnuPG key ring.
--gpg-signer-key=<key ID or Name>
Specify the GnuPG key ID, e.g. "ABCD1234" (see the output of "gpg --list-keys") or the key name to use when signing the SPA message.
The user is prompted for the associated GnuPG password to create the signature. This adds a cryptographically strong mechanism to allow
the fwknopd daemon on the remote server to authenticate who created the SPA message.
FWKNOPRC FILE
The .fwknoprc file is used to set various parameters to override default program parameters at runtime. It also allows for additional named
configuration stanzas for setting program parameters for a particular invocation.
The fwkop client will create this file if it does not exist in the user's home directory. This initial version has some sample directives
that are commented out. It is up to the user to edit this file to meet their needs.
The .fwkoprc file contains a default configuration area or stanza which holds global configuration directives that override the program
defaults. You can edit this file and create additonal named stanzas that can be specified with the -n or --named-config option. Parameters
defined in the named stanzas will override any matching default stanza directives. Note that command-line options will still override any
corresponding .fwknoprc directives.
There are directives to match most of the command-line parameters fwknop supports. Here is the current list of each directive along with a
brief description and its matching command-line option(s):
DIGEST_TYPE
Set the SPA message digest type (-m, --digest-type).
SPA_SERVER_PROTO
Set the protocol to use for sending the SPA packet (-P, --server-proto).
SPA_SERVER
Specify the IP or hostname of the destination (fwknopd) server ('-D, --destination).
SPA_SERVER_PORT
Set the server port to use for sending the SPA packet (-p, --server-port).
SPA_SOURCE_PORT
Set the source port to use for sending the SPA packet (-S, --source-port).
FW_TIMEOUT
Set the firewall rule timeout value (-f, --fw-timeout).
ALLOW_IP
Specify the address to allow within the SPA data. Note: This parameter covers the -a, -s, and -R command-line options. You can specify
a hostname or IP address (the -a option), specify the word "source" to tell the fwknopd server to accept the source IP of the packet as
the IP to allow (the -s option), or use the word "resolve" to have fwknop resolve the external network IP via HTTP request (the -R
option).
TIME_OFFSET
Set a value to apply to the timestamp in the SPA packet. This can be either a positive or negative value (--time-offset-plus/minus).
USE_GPG
Set to Y to specify the use of GPG for encryption (--gpg-encryption).
GPG_SIGNER
Specify the GPG key name or ID for signing the GPG-encrypted SPA data (--gpg-signer-key).
GPG_RECIPIENT
Specify the GPG key name or ID for the recipient of the GPG-encrypted SPA data (--gpg-recipient-key).
GPG_HOMEDIR
Specify the GPG home directory (--gpg-home-dir).
SPOOF_USER
Set the username in the SPA data to the specified value (-U, --spoof-user).
SPOOF_SOURCE_IP
Set the source IP of the outgoing SPA packet to the specified value (-Q, --spoof-source).
ACCESS
Set the one or more protocol/ports to open on the firewall (-A, --access).
RAND_PORT
Send the SPA packet over a randomly assigned port (-r, --rand-port).
KEY_FILE
Load an encryption key/password from a file (-G, --get-key).
HTTP_USER_AGENT
Set the HTTP User-Agent for resolving the external IP via -R, or for sending SPA packets over HTTP (-u, --user-agent).
NAT_ACCESS
Gain NAT access to an internal service protected by the fwknop server (-N, --nat-access).
NAT_LOCAL
Access a local service via a forwarded port on the fwknopd server system (--nat-local).
NAT_PORT
Specify the port to forward to access a service via NAT (--nat-port).
NAT_RAND_PORT
Have the fwknop client assign a random port for NAT access (--nat-rand-port).
ENVIRONMENT
SPOOF_USER, GPG_AGENT_INFO (only used in --gpg-agent mode).
EXAMPLES
The following examples illustrate the command line arguments that could be supplied to the fwknop client in a few situations:
Access mode examples
Packet contents printed to stdout at the fwknop client when creating an "access mode" SPA packet:
Random data: 6565240948266426
Username: mbr
Timestamp: 1203863233
Version: 1.9.2
Type: 1 (access mode)
Access: 127.0.0.2,tcp/22
SHA256 sum: gngquSL8AuM7r27XsR4qPmJhuBo9pG2PYwII06AaJHw
Use the Single Packet Authorization mode to gain access to tcp/22 (ssh) and udp/53 running on the system 10.0.0.123 from the IP
192.168.10.4:
$ fwknop -A "tcp/22,udp/53" -a 192.168.10.4 -D 10.0.0.123
Same as above example, but gain access from whatever source IP is seen by the fwknop server (useful if the fwknop client is behind a NAT
device):
$ fwknop -A "tcp/22,udp/53" -s -D 10.0.0.123
Same as above example, but use an IP identification website to derive the client IP address. This is a safer method of acquiring the client
IP address than using the -s option because the source IP is put within the encrypted packet instead of having the fwknopd daemon grant the
requested access from whatever IP address the SPA packet originates:
$ fwknop -A "tcp/22,udp/53" -R -D 10.0.0.123
Use the Single Packet Authorization mode to gain access to tcp/22 (ssh) and udp/53 running on the system 10.0.0.123, and use GnuPG keys to
encrypt and decrypt:
$ fwknop -A "tcp/22,udp/53" --gpg-sign ABCD1234 --gpg--recipient
1234ABCD -R -D 10.0.0.123
Instruct the fwknop server running at 10.0.0.123 to allow 172.16.5.4 to connect to TCP/22, but spoof the authorization packet from an IP
associated with www.yahoo.com:
# fwknop --Spoof-src 'www.yahoo.com' -A tcp/22 -a 172.16.5.4 -D
10.0.0.123
DEPENDENCIES
fwknop requires libfko (which is normally included with both source and binary distributions).
For GPG functionality, GnuPG must also be correctly installed and configured.
To take advantage of all of the authentication and access management features of the fwknopd daemon/service a functioning iptables firewall
is required on the underlying operating system.
DIAGNOSTICS
fwknop can be run with the -T (or --test) command line option. This will have fwknop simply create and print the SPA packet information,
then run it through a decrypt/decode cycle and print it again.
SEE ALSO
fwknopd(8), iptables(8), gpg(1), libfko documentation.
More information on Single Packet Authorization can be found in the paper "Single Packet Authorization with fwknop" available at
http://www.cipherdyne.org/fwknop/docs/SPA.html.
AUTHORS
Damien Stuart <dstuart@dstuart.org>, Michael Rash <mbr@cipherdyne.org>
CONTRIBUTORS
This "C" version of fwknop was derived from the original Perl-based version on which many people who are active in the open source
community have contributed. See the CREDITS file in the fwknop sources, or visit http://www.cipherdyne.org/fwknop/docs/contributors.html to
view the online list of contributors.
The phrase "Single Packet Authorization" was coined by MadHat and Simple Nomad at the BlackHat Briefings of 2005 (see:
http://www.nmrc.org).
BUGS
Send bug reports to dstuart@dstuart.org. Suggestions and/or comments are always welcome as well.
DISTRIBUTION
fwknop is distributed under the GNU General Public License (GPL), and the latest version may be downloaded from http://www.cipherdyne.org.
Fwknop Client 07/08/2010 FWKNOP(8)