Introducing Fwknop

"a '

The FireWall KNock OPerator (fwknop, see was released as an open source project under the GNU Public License (GPL) in June 2004. It was the first port-knocking implementation to combine encrypted port knocking with passive OS fingerprinting, making it possible to allow only Linux systems to connect to your SSH daemon. (The TCP stack of the port-knocking client system acts as an additional authentication parameter.) fwknop's port-knocking component is based on iptables log messages, and it uses iptables as the default-drop packet filter.

In May 2005, I released the Single Packet Authorization mode for fwknop, so fwknop became the first publicly available SPA software. As of this writing, fwknop-1.0 is the latest available release, and the SPA method of authentication is the default, even though fwknop continues to support the old port-knocking method. MadHat coined the term Single Packet Authorization at Black Hat Briefings in July 2005. I submitted a similar proposal for presentation at the same conference, but Single Packet Authorization rolls off the tongue a lot easier than my title, which was Netfilter and Encrypted, Non-replayable, Spoofable,

Single Packet Remote Administration. It is also worth noting that a protocol implemented by the tumbler project ( is similar to SPA in the sense that it only uses a single packet to transmit authentication and authorization information; its payload is hashed instead of encrypted, however, and this results in a significantly different architecture.

NOTE fwknop really supports both authentication—the process of verifying the digital identity of an entity that is communicating something—and authorization—the process of trying to determine whether an entity has permission to perform an operation—of remote clients that wish to access a service behind the default-drop packet filter. These two processes are not the same, and both are important in their own right.

Was this article helpful?

0 0

Post a comment