cipherdyne.org

Michael Rash, Security Researcher

2006 Blog Archive

Netfilter Development Mailing List Thread on Port Knocking

The netfilter-devel mailing list is the main discussion forum for technical development issues surrounding Netfilter and iptables. Recently, a thread entitled "new match extension to implement port knocking" appeared on this list in which a new Netfilter match is proposed to accomplish in-kernel port knocking and an HMAC variation of Single Packet Authorization. A proof of concept implementation is available here. While building some port knocking/SPA functionality into the kernel can be useful for some applications, I think this strategy is not generally flexible or scalable enough for many SPA deployments. Still, it is an interesting concept, and goes to show that people are interested in authenticating to default-drop packet filters in order to provide network services with an added layer of security.

Software Release - fwknop-0.9.9

The 0.9.9 release of fwknop is ready for download. This is a minor bugfix release, but there is one important feature addition: the (configurable) ability to force fwknop clients to either resolve or know their externally routable IP address. Here is the ChangeLog:
  • Added REQUIRE_SOURCE_ADDRESS (disabled by default) to force fwknop clients to know their source IP address (i.e. -s cannot be used). So, either fwknop clients have to use -R to resolve their externally routable address, or they must just know what it is.
  • Updated to Net-RawIP-0.21_03 for compatibility with gcc-4.x compilers.
  • Added List-MoreUtils-0.22 which is a dependency of the new Net::RawIP module.
  • Bugfix to restore "start" functionality in Gentoo init script.
  • Bugfix to use the IPT_OUTPUT_FILE and IPT_ERROR_FILE configuration variables in fwknopd.
  • Added KNOPTM_IPT_OUTPUT_FILE and KNOPTM_IPT_ERROR_FILE variables specifically for the knoptm daemon so that it can use IPTables::ChainMgr completely independently of fwknopd (this removes a potential race condition between fwknopd and knoptm).

Software Release - psad-1.4.8

The 1.4.8 release of psad is ready for download. This is a minor bugfix release, but there are a couple of feature additions as well. Here is the ChangeLog:
  • Added the ability to get the auto-blocking status for a specific IP address in --status-ip mode.
  • Bugfix to use the IPT_OUTPUT_FILE and IPT_ERROR_FILE configuration variables.
  • Bugfix to restore "start" functionality in Gentoo init script.
  • Added the ability to selectively disable psad auto-blocking emails.
  • Added more rigorous IP matching regex from Sebastien J. (contributed originally for fwknop).
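The last ChangeLog item above hints at a common input-validation pitfall: a loose pattern such as four runs of digits separated by dots accepts values that are not IPv4 addresses at all (octets above 255, extra trailing octets, or an address embedded in a longer string). The following is an added illustration written for this page, not psad's own regex or code: it contrasts a deliberately loose pattern with an anchored, octet-bounded one. The patterns and function names are constructed for the example; psad itself is written in Perl, and its actual regex is not reproduced here.

```python
import re

# Loose pattern of the kind a stricter regex replaces: any four dot-separated
# digit runs, unanchored, so it also fires on substrings. (Constructed for contrast.)
LOOSE_IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")

# Stricter pattern (constructed here, not psad's): one octet is 0-255 with no
# leading zeros, and the whole string must be exactly four of them.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT_IP_RE = re.compile(r"^" + OCTET + r"(?:\." + OCTET + r"){3}$")


def loose_match(candidate: str) -> bool:
    """Return True if the loose pattern finds something IP-like anywhere in the string."""
    return LOOSE_IP_RE.search(candidate) is not None


def strict_match(candidate: str) -> bool:
    """Return True only if the whole string is a well-formed dotted-quad IPv4 address."""
    return STRICT_IP_RE.match(candidate) is not None


if __name__ == "__main__":
    # Constructed sample inputs: the first is valid, the rest should be rejected.
    for sample in ["192.168.1.10", "256.1.1.1", "1.2.3.4.5", "10.0.0.1 trailing-text", "010.0.0.1"]:
        print(f"{sample!r:28} loose={loose_match(sample)!s:5} strict={strict_match(sample)}")
```

Anchoring the pattern (`^`...`$`) matters as much as bounding the octets: without anchors, a value that merely contains an address passes and whatever surrounds it is carried into the command that consumes the string.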

M.S. Thesis on SPA at the University of London

Sebastien Jeanquier has completed a Master's Degree in Information Security with the Information Security Group (ISG) at Royal Holloway College, University of London. His thesis is entitled "An Analysis of Port Knocking and Single Packet Authorization" and can be downloaded here. He has started a website dedicated to the concepts of port knocking and Single Packet Authorization. Fwknop is given significant coverage in his thesis (some excellent points Sebastien makes about things to enhance in fwknop have been addressed in the fwknop-0.9.8 release after discussion with him).

HowtoForge on Setting Up Bastille-Linux On CentOS

HowtoForge has published a Howto on configuring Bastille-Linux on CentOS. The Howto is entitled "Securing the CentOS Perfect Setup with Bastille" and includes information on how to configure the Port Scan Attack Detector (psad).

Software Release - fwknop-0.9.8

The 0.9.8 release of fwknop is ready for download. Here is an excerpt from the ChangeLog:
  • Added the ability to ignore old SPA packets through use of the client-side time stamp. This means that an attacker cannot intercept an SPA packet, prevent it from being forwarded to its intended destination, and then put the packet on the wire at some time outside of the allowed time window. There are two new configuration options in fwknop.conf "ENABLE_SPA_PACKET_AGING" and "MAX_SPA_PACKET_AGE" that control the length of the acceptable time window (2 minutes by default). This requires some level of synchronization between the fwknop client and the fwknopd server, but this is not onerous through the use of NTP. This feature is enabled by default, and the idea for it was contributed by Sebastien J.
  • Completely re-worked IPTables::ChainMgr to support the return of iptables error messages that are collected via stderr. This is critical to fixing any bugs where fwknopd could die as a result of a poorly crafted iptables command but no information would be returned to the user.
  • Added the ability to specify the position for both the jump rule into the fwknopd chains as well as the position for new rules within the fwknopd chains via the -I argument to iptables. This fixes a bug where the user was given the impression that the IPTABLES_AUTO_RULENUM would accomplish this (IPTABLES_AUTO_RULENUM has been removed).
  • Updated fwknopd to require < 1500 byte payload length before attempting to decrypt. Also, GnuPG decrypts are not attempted unless the encrypted payload is at least 400 bytes long (this is conservative since even encrypting a single byte with a 1024-bit key will result in about 340 bytes of encrypted data).
  • Added the --gpg-default-key option to have fwknop use the default GnuPG key that is defined in the ~/.gnupg/options file.
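Two of the items above describe checks fwknopd applies to an incoming SPA packet: the client-side timestamp is compared against the server clock so that a captured packet cannot be replayed outside the allowed window (ENABLE_SPA_PACKET_AGING / MAX_SPA_PACKET_AGE, 2 minutes by default), and the payload length is bounded before any decryption is attempted (under 1500 bytes, and at least 400 bytes before a GnuPG decrypt). The following is an added example written for this page to show the logic of those two checks; it is not fwknop's Perl code. It assumes a symmetric window (a packet is stale if its timestamp is more than MAX_SPA_PACKET_AGE seconds in the past or the future, which also tolerates modest clock skew), and it takes the timestamp directly rather than reading it out of a decrypted payload, so the decryption step itself is skipped.

```python
from dataclasses import dataclass
from typing import Tuple

# Values mirroring the options named in the ChangeLog. The real fwknopd config
# parsing is not reproduced here; these constants are the example's assumptions.
ENABLE_SPA_PACKET_AGING = True
MAX_SPA_PACKET_AGE = 120     # seconds ("2 minutes by default")
MAX_PAYLOAD_LEN = 1500       # fwknopd requires a payload shorter than this
MIN_GPG_PAYLOAD_LEN = 400    # no GnuPG decrypt attempted below this length


@dataclass
class SpaPacket:
    """Minimal stand-in for a received SPA packet (constructed for this example)."""
    client_ts: int   # Unix time the client stamped into the packet
    payload: bytes   # encrypted portion as seen on the wire
    gpg: bool        # True when the payload is GnuPG-encrypted


def check_payload_length(payload: bytes, gpg: bool) -> Tuple[bool, str]:
    """Cheap pre-decryption sanity check: drop oversized or implausibly short payloads."""
    n = len(payload)
    if n >= MAX_PAYLOAD_LEN:
        return False, "payload too large"
    if gpg and n < MIN_GPG_PAYLOAD_LEN:
        return False, "too short to be GnuPG ciphertext"
    return True, "ok"


def check_packet_age(client_ts: int, now: int, max_age: int = MAX_SPA_PACKET_AGE) -> Tuple[bool, str]:
    """Reject packets whose client timestamp is outside +/- max_age of server time.

    Symmetric window is an assumption of this example; it bounds how long a captured
    packet stays usable and tolerates small NTP drift between client and server.
    """
    if abs(now - client_ts) > max_age:
        return False, "stale"
    return True, "ok"


def accept_packet(pkt: SpaPacket, now: int, aging: bool = ENABLE_SPA_PACKET_AGING) -> Tuple[bool, str]:
    """Apply the length check first (no crypto work yet), then the age check."""
    ok, why = check_payload_length(pkt.payload, pkt.gpg)
    if not ok:
        return False, why
    if aging:
        ok, why = check_packet_age(pkt.client_ts, now)
        if not ok:
            return False, why
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: a legitimate packet built at t=1000, then the same bytes
    # held back and re-sent five minutes later.
    pkt = SpaPacket(client_ts=1000, payload=b"\x00" * 512, gpg=True)
    print("fresh  :", accept_packet(pkt, now=1030))
    print("replay :", accept_packet(pkt, now=1300))
    print("no aging:", accept_packet(pkt, now=1300, aging=False))
    print("short gpg:", accept_packet(SpaPacket(1000, b"\x00" * 100, gpg=True), now=1000))
```

Ordering the length check before the age check (and before decryption) keeps the cheapest test first, so malformed or oversized traffic is discarded without spending CPU on a decrypt attempt.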

psad-1.4.7 x86_64 RPM Available

An RPM is now available for x86_64 platforms of the psad-1.4.7 release (thanks to Mate Wierdl for contributing a patch to get the RPM building on this platform). It can be downloaded here.

Software Release - gpgdir-1.0.1

The 1.0.1 release of gpgdir is ready for download. Here is the ChangeLog:
  • Added --quiet option to have gpgdir print as little as possible to the screen when encrypting or decrypting a directory.
  • Added x86_64 RPM (original patch from Mate Wierdl adapted for gpgdir).

Software Release - gpgdir-1.0

The 1.0 release of gpgdir is ready for download. Here is an excerpt from the ChangeLog:
  • Added --Key-id command line argument so that use_key can be overridden from the command line.
  • Made the argument to use_key not have to strictly be a keyID since GnuPG allows a unique string match on keys in the key ring.
  • Added --Default-key to allow the user to have gpgdir use the default key that is defined by GnuPG within the ~/.gnupg/options file.
  • Updated the .gpgdirrc file to include the line "default_key" to allow the user to have gpgdir prefer to use the GnuPG default key.
  • Added the ChangeLog.svn file to show exactly which files have been changed from release to release, and what the corresponding Subversion log messages are.

Software Release - psad-1.4.7

The 1.4.7 release of psad is ready for download. Here is an excerpt from the ChangeLog:
  • Completely re-worked IPTables::ChainMgr to support the return of iptables error messages that are collected via stderr. This is critical to fixing a bug where psad would sometimes die on an iptables command but no information would be returned to the user.
  • Added the ability to specify the position for both the jump rule into the psad chains as well as the position for new rules within the psad chains via the -I argument to iptables. This fixes a bug where the user was given the impression that the IPTABLES_AUTO_RULENUM would accomplish this.
  • Populated the _debug option in the IPTables::ChainMgr module, and also added a _verbose option so that the specific iptables commands can actually be seen as IPTables::ChainMgr functions are called.
  • Added code to install.pl to ask the user if a manual restart of syslog is ok upon an unsuccessful test of the syslog reconfiguration. This fixes a bug where some syslog daemons might not re-import their configurations after receiving a HUP signal.
  • Bugfix for incorrect config variable name that gated Netfilter prerequisite checks.
  • Added code to install.pl to update command paths in psad.conf and psadwatchd.conf if any of the paths are broken (i.e. the local system does not conform to the default paths). By default this only happens if the user does not want old configs to be merged, but to override this use the new --path-update command line argument to install.pl.