fwknop implements an authorization scheme called Single Packet Authorization that requires only a single encrypted packet to communicate various pieces of information, including desired access through an iptables or ipfw firewall policy and/or specific commands to execute on the target system. The main application of this program is to protect services such as SSH with an additional layer of security in order to make the exploitation of vulnerabilities much more difficult. The authorization server works by passively monitoring authorization packets via libpcap. Also supported is a robust port knocking implementation based around iptables log messages.
| Tags | Networking, Firewalls, Monitoring, Security |
|---|---|
| Licenses | GPL |
| Operating Systems | POSIX, Linux |
| Implementation | Perl, C |
Recent releases


Changes: Support was added for ipfw "sets" on FreeBSD and Mac OS X systems. A segfault on Debian systems that was exposed in some circumstances with older versions of libpcap was fixed. The --icmp-type and --icmp-code command line arguments were added for the fwknop client in order to manually set the ICMP type/code values when using "--Spoof-proto icmp" or "--Server-proto icmp". Support was added for multiple include/exclude test identifying strings (separated by commas).


Changes: The ability to send SPA packets over HTTP requests was added. The fwknopd server was updated to support sniffing interfaces that have no IP address assigned, and also to support sniffing ppp interfaces on Linux systems. A bug was fixed to make sure to properly construct a hash reference for the "include" command list for the check_commands() function when checking for the mail command. A bug was fixed to add --Override configuration support to knopwatchd. A bug was fixed to properly support SPA packets over ICMP.


Changes: Support was added to fwknop for the Linux "any" interface, which allows SPA packets to be received on multiple interfaces on a Linux system. Support was added for interfacing fwknop with third party software through the addition of three new variables in the access.conf file (or set globally in the fwknop.conf file): EXTERNAL_CMD_OPEN, EXTERNAL_CMD_CLOSE, and EXTERNAL_CMD_ALARM. The IPTables::* modules were updated to the latest versions, which are now available via CPAN as well. IPT_EXEC_STYLE was added to control the execution method used for iptables commands in the IPTables::ChainMgr module.


Changes: This release adds support for gpg2 and fixes a bug where fwknop would allow GnuPG to reference an options file (new directives --gpg-use-options and GPG_USE_OPTIONS were added to override this). The Windows UI has been updated to fix a bug in the timezone calculation from the Windows system sending an SPA packet. GnuPG 'hQ' base64 encoded prefixes are configurable. A bug in the handling of blacklisted IP addresses has been fixed. The path to gpg or gpg2 is configurable via the command line or access.conf file (so SOURCE stanzas can reference different gpg paths).


Changes: The NetPacket module dependency was removed since fwknopd now decodes packet headers itself. All Perl modules were moved into the deps/ directory so that it is easy to build fwknop on distributions where Perl modules are already available as a separate package. Base64 data in SPA messages is validated better before running the data through decryption routines. The ability to ignore GnuPG options was added with --gpg-no-options on the fwknop client command line and GPG_NO_OPTIONS for the fwknopd server.
Recent comments

Re: Extra external IP source
> You can also use the following web page as an IP source:
>
> http://www.netorbit.it/ip.php
>
>
Thanks, yes that page works great as an additional auto-resolution URL with the --URL option to the fwknop client.
Extra external IP source
You can also use the following web page as an IP source:
http://www.netorbit.it/ip.php