Re: [Fwknop-discuss] fwknopd and FORWARD chain / OpenVZ

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi Michael (/me also waves at others :-), first of all, let me thank you
for your terrific software.

imho, never before has port knocking been so easy to set up (credit also
goes to package maintainer(s), Franck Joncourt) plus I think never
before has port knocking ever brought that much added-value to the table
in order to justify the added costs (mainly time to maintain and set up;
having .debs is a must-have to me) in running a port knocking
environment.

I have been waiting for something like fwknop for a long time now --
actually, I had this on my todo since 2003 now ;-]

 Michael> - In the /etc/fwknop/fwknop.conf file, set:
 Michael> Enable_IPT_FORWARDING Y;
Done

 Michael> - In the /etc/fwknop/access.conf file, create a SOURCE stanza
 Michael>   like this:
 Michael> Source: ANY;
 Michael> OPEN_PORTS: tcp/22;
 Michael> ENABLE_FORWARD_ACCESS: Y;
 Michael> FW_ACCESS_TIMEOUT: 30;
 Michael> KEY: __CHANGEME__;
Excellent, that is what I thought it had to be but then, I found no
hint/docu so I could not be sure.

 Michael> (Or you can set the GPG_* variables too if you use GnuPG to
 Michael> encrypt incoming SPA packets from the fwknop client.)
Right. Actually that is what I am going to do but only after I get it
working "the simple way" i.e. using Rijndael.

Into that, SHA1 is considered insecure
http://csrc.nist.gov/groups/ST/hash/statement.html and we are moving
away from it http://www.debian-administration.org/users/dkg/weblog/48
http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/ I figure fwknop is
using SHA256 as its default cipher already which is good. However, what
if I wanted to use SHA512? How to?

 Michael> The key is the ENABLE_FORWARD_ACCESS variable. Then restart
 Michael> fwknopd:
 Michael> # /Etc/init.d/fwknop restart
yes, on Debian, using the official .deb this is reads
/etc/init.d/fwknop-server restart

 Michael> Now, to request SSH access to one of the internal VE's use the
 Michael> fwknop client as follows - assuming that 123.1.2.3 is the
 Michael> external IP of the HN (where fwknopd is configured to sniff
 Michael> traffic), and 192.168.10.2 is an IP of a VE that you want to
 Michael> reach over SSH:

 Michael> $ fwknop -A tcp/22 --NAT-access 192.168.10.2:55000 -R -D
 Michael> 123.1.2.3

 Michael> What this will do is allow you to SSH to port 55000 on
 Michael> 123.1.2.3 (use -p on the SSH command line), and this
 Michael> connection will be NAT'd through to the internal VE on
 Michael> 192.168.10.2.
Right. About that. I am running a pretty fancy SSH setup using
Monkeysphere and many settings to improve security which of course also
includes the obvious things like for example moving sshd listening port
away from port 22 to some port >1023.

Anyways, I still have a missing link in my overall understanding of this
i.e. in particular what you just said above. You say fwknop -A tcp/22
--NAT-access 192.168.10.2:55000 -R -D 123.1.2.3 will allow me to SSH to
port 55000 on 123.1.2.3. Ok, well, here is where I got lost ...

With this scenario, what listening port would be in
/etc/ssh/sshd_config -- would it be 55000 or 22? To be precise, what
would

sa@wks:~$ grep ^Port /etc/ssh/sshd_config
Port <what_goes_here?>
sa@wks:~$

return in our above case?

 Michael> If you want to get more fancy, you can use the --NAT-rand-port
 Michael> option like so:

 Michael> $ fwknop -A tcp/22 --NAT-access 192.168.10.2 --NAT-rand-port
 Michael> -R -D 123.1.2.3

 Michael> This will have the fwknop client request access to SSH via a
 Michael> randomly assigned port - which fwknop will print on the
 Michael> command line so you can see it - and then you can make your
 Michael> SSH connection to this port.
Ok, I read
http://www.cipherdyne.org/blog/2008/06/single-packet-authorization-with-port-randomization.html
of course and yes, that my current understanding too.

What sprung me first was that ... I cannot use my well beloved
~/.ssh/config stanzas anymore i.e. the shortcut "ssh myfancyserver"
would not work anymore because of the randomized port yes?

The stanza in ~/.ssh/config would then for example read like this

Host            fancyserver
HostName        111.6.5.1
Port            8683

 >> Also, I would like to also protect the sshd running on the HN not
 >> just the sshds running within the VEs. Is that possible with just
 >> one fwknopd running on the HN?

 Michael> Sure, in this case the best thing to do is create another
 Michael> SOURCE stanza identical to the above in the access.conf file,
 Michael> but just leave out the ENABLE_FORWARD_ACCESS variable.
/me cheers ... it is actually that easy ;-]

 Michael> Thanks, and let me know if there are any issues.
will do. I have a few things on my todo, but starting with mid June or
so I am going to nose-dive into fwknop. I will be back ... ;-]