Project 12 for CNIT 122 - fwknop (20 pts.)

What You Need

Purpose

Port Knocking adds another layer of security to a server by setting a firewall to reject SYN packets to the protected port until the correct knocking packet is received. This makes the open port invisible to port scanners such as nmap.

fwknop is the newest and best version of port knocking, requiring only a single packet to knock. The packet contains a cryptographic key, and is resistant to brute-force and replay attacks.

Starting the Linux Machine

Start your machine as usual. Open a Terminal window.

In a Terminal window, enter this command, and then press Enter:

ping samsclass.info
Make sure you are getting replies, and then press Ctrl+C to stop the pings.

In a Terminal window, enter this command, and then press Enter:

ifconfig
Find the interface that goes to the Internet and make a note of it. In my case it is eth2, as shown below.

Also make a note of your Linux machine's IP address. You will need it later.

Starting sshd

To start ssh, in a Terminal window, enter these commands, pressing Enter after each one:
sshd-generate

/etc/init.d/ssh start

In the Linux machine, in a Terminal window, enter this command, and then press Enter:
lsof -i :22
Note that the first character is a lowercase L, not the numeral 1.

You should see two sshd processes listening, as shown below:

Scanning your Linux Machine

From the other computer, which is probably a Windows machine, run an Nmap port scan of your Linux machine.

You should see port 22 open, as shown below:

Logging in Via SSH

On the Windows machine, open a Web browser and go to this URL, as shown below:

ftp://ftp.ccsf.edu/pub/SSH

Download sshSecureShellClient-3.2.9.exe and install it with the default options.

Start the "SSH Secure Shell" program. Click the "Quick Connect" button.

In the "Host Name" field, enter your Linux machine's IP address.

In the "User name" field, enter root as shown below:

Click Connect.

In the "Host Identification" box, click Yes.

In the Password box, enter the password toor and press Enter.

You should see a screen saying "Welcome to the BackTrack 5 Distribution...", as shown below:

Saving the Screen Image

Make sure you can see the "Welcome to the BackTrack 5 Distribution..." message, as shown above.

Save a screen capture with a filename of "Proj 13a from YOUR NAME".

In your Windows machine, in the SSH Secure Shell window, at the # prompt, type exit and press Enter.

Installing the fwknop-server

On your Linux machine, in a Terminal window, enter this command, and then press Enter:
apt-get install fwknop-server -y

A "Configuring fwknop-server" box appears, as shown below.

The first question is "Configure fwknop to protect the SSH port?"

Press the Tab key to highlight <Yes> and press the SPACEBAR.

The next screen asks you which interface to put in promiscuous mode, as shown below. Type the interface name that goes to the Internet, which you determined previously with the ifconfig command. In my case, it is eth2.

After typing the interface name, press the Tab key to highlight <OK> and press the SPACEBAR.

The next screen asks you to enter an encryption key, as shown below.

Enter a password you can remember, such as password (of course, don't use such an obvious password on a real production server).

Press the Tab key to highlight <OK> and press the SPACEBAR.

Configuring iptables

On your Linux machine, in a Terminal window, enter these commands, pressing Enter after each one:
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
iptables -A INPUT -m pkttype --pkt-type multicast -j DROP
iptables -A INPUT -j LOG
This allows established connections, but blocks all connections initiated from the outside. The final LOG rule records every packet that reaches the end of the INPUT chain before the DROP policy discards it, so blocked scans and knock attempts show up in the system log.

To examine your firewall rules, on your Linux machine, in a Terminal window, enter this command, and then press Enter:

iptables -L
Your rules should look like the image below:

Disabling Packet Aging

This adjustment is necessary if you use the Windows client, to prevent fwknop from rejecting the knock packets because of an unacceptable timestamp value. Packet aging is one of fwknop's defenses against replayed knocks (the cache of already-seen packets is the other), so turn it back on once the Windows clock agrees with the server's.

On your Linux machine, in a Terminal window, enter this command, and then press Enter:

nano /etc/fwknop/fwknop.conf
In nano, scroll down to find the line that says

ENABLE_SPA_PACKET_AGING       Y

Change the Y to a N, as shown below:

Save the file with Ctrl+X, Y, Enter.
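To show why the timestamp check above and the replay resistance mentioned in the Purpose section matter, here is an added example (not fwknop's code or packet format) that models a single-packet-authorization server in plain Python. It assumes a simplified packet authenticated with an HMAC instead of fwknop's Rijndael encryption, a constructed 120-second aging window, and the 90-second FW_ACCESS_TIMEOUT from this project.

```python
"""Simplified model of Single Packet Authorization (SPA) validation.
Added illustration only: real fwknop encrypts the packet with Rijndael
and keeps SHA digests of accepted packets; this model authenticates the
packet with an HMAC (standard library only) to show the same three
checks: correct key, not a replay, and an acceptable timestamp."""
import base64, hashlib, hmac, json, os

KEY = b"password"          # shared key typed at the "encryption key" prompt
MAX_AGE = 120              # assumed aging window in seconds (clock skew tolerated)
FW_ACCESS_TIMEOUT = 90     # seconds the port stays open after a valid knock


def build_knock(key, src_ip, port, now):
    """Client side: random nonce + timestamp + access request, then an HMAC tag."""
    body = json.dumps({"nonce": os.urandom(16).hex(), "ts": int(now),
                       "src": src_ip, "port": port}).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag)


class SpaServer:
    def __init__(self, key, packet_aging=True):
        self.key = key
        self.packet_aging = packet_aging   # ENABLE_SPA_PACKET_AGING Y/N
        self.seen = set()                  # digests of accepted packets (replay cache)

    def validate(self, packet, now):
        """Return (ok, reason, expires_at); the port is opened only when ok is True."""
        raw = base64.b64decode(packet)
        body, tag = raw[:-32], raw[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad key", None            # wrong or brute-forced passphrase
        digest = hashlib.sha256(raw).hexdigest()
        if digest in self.seen:
            return False, "replay", None             # same packet captured and resent
        msg = json.loads(body)
        if self.packet_aging and abs(now - msg["ts"]) > MAX_AGE:
            return False, "stale timestamp", None    # what a skewed Windows clock triggers
        self.seen.add(digest)
        return True, "open tcp/%d for %s" % (msg["port"], msg["src"]), now + FW_ACCESS_TIMEOUT
```

With packet aging on, a knock whose clock is an hour off is rejected even though the key is right, which is exactly the failure the nano edit above avoids; with it off, only the replay cache stands between a captured knock and an open port.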

Lengthening the Timeout

By default, the knock opens port 22 for 30 seconds. That may be fine once you get it all working, but when you are just setting it up I recommend using a longer timeout of 90 seconds.

On your Linux machine, in a Terminal window, enter this command, and then press Enter:

nano /etc/fwknop/access.conf
In nano, scroll down to find the line that says

FW_ACCESS_TIMEOUT: 30;

Change the 30 to 90, as shown below:

Save the file with Ctrl+X, Y, Enter.

Restarting fwknop

On your Linux machine, in a Terminal window, enter this command, and then press Enter:
/etc/init.d/fwknop-server restart

Watching the Messages

To make it easier to see what fwknop is doing, on your Linux machine, in a Terminal window, enter this command, and then press Enter:
watch "tail /var/log/messages"
This will show a continuously updated display of system messages, which will be helpful when you knock from the Windows machine.

Scanning your Linux Machine

From your Windows machine, run an Nmap port scan of your Linux machine.

You should see the message "All 1000 scanned ports...are filtered", as shown below:

Saving the Screen Image

Make sure you can see the "All 1000 scanned ports...are filtered" message, as shown above.

Save a screen capture with a filename of "Proj 13b from YOUR NAME".

Installing the Morpheus fwknop Client

On your Windows machine, open a Web browser and go to this URL:
http://sourceforge.net/projects/morpheus-fwknop/files/

Click the "0.7.3501.21619" link, as shown below:

On the next page, find the "Morpheus 0.7 Installer.zip" link, as shown below:

Download the "Morpheus 0.7 Installer.zip" file and save it. Be careful not to download the source code--you need the Installer.

Unzip the "Morpheus 0.7 Installer.zip" file to reveal the "Morpheus 0.7 Installer.exe" file.

Double-click the "Morpheus 0.7 Installer.exe" file and install the software with the default options.

On my system, the installation requested permission to download a new .NET version from Windows Update, which I approved. That was somewhat confusing, because two boxes popped up requesting permission, one hidden behind other windows, and the installation could not proceed until I found the hidden box and approved it there. Once I got the process approved, it was fairly rapid, as shown below:

After the download was complete, the actual installation took 10-15 minutes when I did it. When the installation is complete, Morpheus opens.

Knocking with Morpheus

On your Windows machine, in the "Morpheus" window, make these four adjustments:

Your Morpheus window should look like the image shown below:

On your Windows machine, in the "Morpheus" window, click the "Send" button.

A box pops up asking you to enter your passphrase. Enter password, as shown below:

Click the Accept button.

A box pops up saying "You can now connect...", as shown below.

On the Linux machine, you should see the message "received valid Rijndael encrypted packet...", as shown below:

Saving the Screen Image

Make sure you can see the "received valid Rijndael encrypted packet..." message, as shown above.

Save a screen capture with a filename of "Proj 13c from YOUR NAME".

Logging in Via SSH

On your Windows machine, if necessary, start the "SSH Secure Shell" program. Click the "Quick Connect" button.

In the "Host Name" field, enter your Linux machine's IP address.

In the "User name" field, enter root as shown below:

Click Connect.

In the "Host Identification" box, click Yes.

In the Password box, enter the password toor and press Enter.

You should see a screen saying "Welcome to the BackTrack 5 Distribution...", as shown below:

In your Windows machine, in the SSH Secure Shell window, at the # prompt, type exit and press Enter.

Turning In Your Project

Email the images to cnit.122sam@gmail.com with a subject of "Project 13 from YOUR NAME".

Removing Firewall Rules

After this project is completed, you will need to remove the restrictive firewall rules to prepare your machine for future projects.

On your Linux machine, in a Terminal window, enter these commands, pressing Enter after each one:

iptables --flush
iptables --policy INPUT ACCEPT
This opens the firewall.

Sources

http://cipherdyne.org/blog/categories/fwknop.html

http://cipherdyne.org/blog/2009/08/morpheus-fwknop-windows-ui-update.html

http://cipherdyne.org/blog/2007/11/fwknop-windows-ui.html

https://help.ubuntu.com/community/SinglePacketAuthorization

http://ubuntuforums.org/showthread.php?t=812573

Last modified 10-27-11 6:30 am