USE CAUTION LEGAL DISCLAIMER: The information provided in this technical website tutorial is for general informational purposes only. It is not intended to be a substitute for professional advice and should not be relied upon as such. The tutorial is provided "as is" without any representations or warranties, express or implied. The owner and authors of this tutorial make no representations or warranties in relation to the accuracy, completeness, suitability, or availability of the information contained within. Any reliance you place on such information is strictly at your own risk. In no event will the owner or authors of this tutorial be liable for any loss or damage including, without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this tutorial. The owner and authors of this tutorial do not endorse or assume any liability for any third-party products or services discussed or referenced within this tutorial. The information provided in this tutorial may be outdated, inaccurate, or incomplete. It is your responsibility to verify any information before relying on it. The content of this tutorial may change without notice and is not guaranteed to be error-free. By using this tutorial, you agree to hold harmless and indemnify the owner and authors of this tutorial from any claims, damages, liabilities, or expenses arising out of or in connection with your use of this tutorial. Please use caution and your own judgment when implementing any advice or recommendations from this tutorial. If you do not agree with these terms, please do not use this tutorial.
Documentation at https://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#fwknop-rijndael
Firewall Knock Operator - fwknop implements an authorization scheme known as Single Packet Authorization (SPA) for strong service concealment. SPA requires only a single packet which is encrypted, non-replayable, and authenticated via an HMAC in order to communicate desired access to a service that is hidden behind a firewall in a default-drop filtering stance. The main application of SPA is to use a firewall to drop all attempts to connect to services such as SSH in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) more difficult. Any service that is concealed by SPA naturally cannot be scanned for with Nmap. It's like next generation Port Knocking...
Replace the default SSH port 22 with your SSH port, if different. Make sure you have another way of reaching the server in case you get locked out! Try this out on a NON-PRODUCTION system only.
[spaclient]# apt-get install fwknop-client
[spaserver]# apt-get install fwknop-server
Let's set up the ~/.fwknoprc file by generating the keys and saving a named stanza:
[spaclient]$ fwknop --key-gen --use-hmac --save-rc-stanza -A tcp/22 -D ServerIP
Back up the keys in ~/.fwknoprc on the spaclient to a safe place; without them you will be locked out of any SPA-protected system.
[spaclient]$ nano ~/.fwknoprc
[default]

[mypie]
ACCESS tcp/22
# ACCESS tcp/443,tcp/80
SPA_SERVER SERVERIP
ALLOW_IP MYIP
KEY_BASE64 CopyME
HMAC_KEY_BASE64 CopyME
USE_HMAC Y
[spaserver]# nano /etc/fwknop/access.conf
SOURCE ANY
OPEN_PORTS tcp/22
# OPEN_PORTS tcp/443,tcp/80
REQUIRE_USERNAME bob
REQUIRE_SOURCE_ADDRESS N
FW_ACCESS_TIMEOUT 30
MAX_FW_TIMEOUT 300
KEY_BASE64 PasteMe
HMAC_KEY_BASE64 PasteMe
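The CopyME/PasteMe step above is where a transcription mistake locks you out. As an added example that is not part of the tutorial or the fwknop project, this POSIX shell script reads the KEY_BASE64 and HMAC_KEY_BASE64 values from a named ~/.fwknoprc stanza and emits the matching access.conf stanza, refusing to emit anything if either key is missing or malformed. The sample rc file, its addresses and its key strings are constructed (the keys are base64 of placeholder text), and the whitespace-separated "KEY value" layout of both files is assumed from the tutorial.

```shell
#!/bin/sh
# Added example, not code from the fwknop project or the original tutorial.
# Reads the keys that `fwknop --key-gen --save-rc-stanza` wrote into a named
# ~/.fwknoprc stanza and emits the matching /etc/fwknop/access.conf stanza,
# so the keys reach the server without hand-transcription errors.
# Assumption: both files use whitespace-separated "KEY value" lines and
# stanza headers in [brackets], as in the tutorial.

# rc_get STANZA KEY RCFILE: print the value of KEY inside [STANZA] (empty if absent).
rc_get() {
    awk -v stanza="[$1]" -v key="$2" '
        $0 == stanza { in_stanza = 1; next }   # entered the wanted stanza
        /^\[/        { in_stanza = 0 }         # any other header ends it
        in_stanza && $1 == key { print $2; exit }
    ' "$3"
}

# is_base64 STRING: succeed if STRING uses only the base64 alphabet
# (charset check only; it does not prove the key has the expected length).
is_base64() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# gen_access_conf STANZA RCFILE USER: print an access.conf stanza that opens the
# port(s) from the rc ACCESS line for USER, using the rc file's keys.
# Returns non-zero (and prints nothing) if either key is missing or malformed,
# so a broken stanza is caught before it reaches the server.
gen_access_conf() {
    stanza=$1; rcfile=$2; user=$3
    key=$(rc_get "$stanza" KEY_BASE64 "$rcfile")
    hmac=$(rc_get "$stanza" HMAC_KEY_BASE64 "$rcfile")
    ports=$(rc_get "$stanza" ACCESS "$rcfile")
    is_base64 "$key"  || { echo "[$stanza]: missing or invalid KEY_BASE64" >&2; return 1; }
    is_base64 "$hmac" || { echo "[$stanza]: missing or invalid HMAC_KEY_BASE64" >&2; return 1; }
    [ -n "$ports" ] || ports=tcp/22          # tutorial default
    printf 'SOURCE ANY\nOPEN_PORTS %s\nREQUIRE_USERNAME %s\nREQUIRE_SOURCE_ADDRESS N\n' \
        "$ports" "$user"
    printf 'FW_ACCESS_TIMEOUT 30\nMAX_FW_TIMEOUT 300\nKEY_BASE64 %s\nHMAC_KEY_BASE64 %s\n' \
        "$key" "$hmac"
}

# Constructed sample rc file: documentation-range addresses, and keys that are
# base64 of placeholder text ("ConstructedKeyNotReal", "HmacNotRealKey0"),
# not real key material.
SAMPLE_RC=$(mktemp)
trap 'rm -f "$SAMPLE_RC"' EXIT
cat > "$SAMPLE_RC" <<'EOF'
[default]

[mypie]
ACCESS tcp/22
SPA_SERVER 192.0.2.10
ALLOW_IP 198.51.100.7
KEY_BASE64 Q29uc3RydWN0ZWRLZXlOb3RSZWFs
HMAC_KEY_BASE64 SG1hY05vdFJlYWxLZXkw
USE_HMAC Y

[nokeys]
ACCESS tcp/443
EOF

# Usage: generate the server-side stanza for [mypie] and user bob.
gen_access_conf mypie "$SAMPLE_RC" bob
```

On a real client, point it at ~/.fwknoprc instead of the sample file and paste the output into /etc/fwknop/access.conf on the server; the script deliberately keeps the tutorial's FW_ACCESS_TIMEOUT and MAX_FW_TIMEOUT values, and it prints nothing at all when a key is absent, so an empty stanza can never be pasted by accident.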
[spaserver]# nano /etc/fwknop/fwknopd.conf
#PCAP_INTF eth0;
FIREWALL_EXE /sbin/iptables;
[spaclient]$ nmap -P0 -n -p 22 spaserver
22/tcp open ssh
[spaserver]# nano /usr/local/bin/iptables.sh
#!/bin/sh
IPTABLES=/sbin/iptables
LAN=eth0

# Default-drop stance for the SPA-protected service(s): drop new SSH connections
# on the LAN interface; uncomment the 80/443 lines to conceal HTTP/HTTPS as well.
$IPTABLES -I INPUT 1 -i $LAN -p tcp --dport 22 -j DROP
# $IPTABLES -I INPUT 1 -i $LAN -p tcp --dport 80 -j DROP
# $IPTABLES -I INPUT 1 -i $LAN -p tcp --dport 443 -j DROP

# Inserted at position 1 after the DROP rules, so it ends up ahead of them:
# packets of already-accepted sessions keep flowing once an SPA-opened port closes.
$IPTABLES -I INPUT 1 -i $LAN -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# FWKNOP_INPUT is the chain fwknopd creates and manages itself: it inserts a jump
# to it at the top of INPUT and adds a timed ACCEPT rule there for each valid SPA
# packet. By default fwknopd flushes this chain when it starts (FLUSH_IPT_AT_INIT),
# so these static lines do not grant access on their own.
$IPTABLES -t filter -A FWKNOP_INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
# $IPTABLES -t filter -A FWKNOP_INPUT -i $LAN -p tcp -m multiport --dports 80,443 -j ACCEPT

# Start the SPA daemon (it daemonizes itself, hence Type=forking in the unit file).
/usr/sbin/fwknopd
[spaserver]# chmod +x /usr/local/bin/iptables.sh
[spaserver]# nano /lib/systemd/system/fwknop-server.service
[Unit]
Description=Firewall Knock Operator Daemon
Wants=network-online.target
After=network-online.target

[Service]
Type=forking
ExecStart=/usr/local/bin/iptables.sh
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target
[spaserver]# systemctl daemon-reload
[spaserver]# systemctl enable fwknop-server.service
[spaserver]# systemctl start fwknop-server.service
[spaserver]# systemctl status fwknop-server.service
[spaclient]$ nmap -P0 -n -p 22 spaserver
22/tcp filtered ssh
Note: Make sure the date, time and timezone (e.g. America/New_York) are the same on the client and the server, for example with:
$ timedatectl set-timezone America/New_York
Beware that changing a server from UTC to EDT or another local zone may break timestamps on that server, which is a big deal if it is a logging or database server! If the clocks do not agree, the SPA knock below will fail, because fwknopd rejects a packet whose timestamp is too far from its own clock. Check both systems with:
$ date
Let's send a SPA packet to allow access for the default of 30 seconds:
[spaclient]$ fwknop -n mypie -a MYIP -U bob -v
[spaclient]$ nmap -P0 -n -p 22 spaserver
22/tcp open ssh
Let's send a SPA packet to allow access for 300 seconds (the MAX_FW_TIMEOUT set in access.conf):
[spaclient]$ fwknop -n mypie -a MYIP -U bob -v --fw-timeout 300