Protecting SSH Servers with Single Packet Authorization
On the spa_client system, we use fwknop to build an SPA packet encrypted via Rijndael and send it on its way to the spa_server system. We want access to SSHD, and the -A argument below encodes the desired access within the SPA packet. The -w argument resolves the IP address of the client system by querying http://www.whatismyip.com (this is useful if the fwknop client is behind a NAT device), the -k argument is the IP address of the destination SPA server, and -v runs in verbose mode so we can view the raw packet data:
[spa_client]$ fwknop -A tcp/22 -w -k 220.127.116.11 -v [+] Starting fwknop in client mode. Resolving external IP via: http://www.whatismyip.com/ Got external address: 18.104.22.168 [+] Enter an encryption key. This key must match a key in the file /etc/fwknop/access.conf on the remote system. Encryption Key: [+] Building encrypted single-packet authorization (SPA) message... [+] Packet fields: Random data: 7764880827899123 Username: mbr Timestamp: 1171133745 Version: 1.0.1 Action: 1 (access mode) Access: 22.214.171.124,tcp/22 MD5 sum: yzxKgnAxwUA5M2YhI8NTFQ [+] Packet data: U2FsdGVkX1+BvzxXj5Zv6gvfCFXwJ+iJGKPqe2whdYzyigkerSp \ 2WtvON/xTd8t6V6saxbg1v4zsK+YNt53BE8EInxVCgpD7y/gEBI \ g8sd+AvU1ekQh9vwJJduseVxDxjmAHx3oNnClo2wckBqd8zA [+] Sending 150 byte message to 126.96.36.199 over udp/62201...
As you can see from the Packet data section above, the SPA packet is a completely unintelligible blob of encrypted data. On the spa_server system, the following syslog message is generated indicating that an ACCEPT rule has been added for the source IP (188.8.131.52) that generated the SPA packet. Note that the source IP is put within the SPA packet by the fwknop client. In this case, the SPA packet was not spoofed, so the real source address and the source address embedded in the SPA packet match. SPA packets can be spoofed by fwknop with the --Spoof-src command-line argument (requires root):
Feb 10 13:55:44 spa_server fwknopd: received valid Rijndael \ encrypted packet from: 184.108.40.206, remote user: mbr Feb 10 13:55:44 spa_server fwknopd: adding FWKNOP_INPUT ACCEPT \ rule for 220.127.116.11 -> tcp/22 (30 seconds)
So, for 30 seconds after sending the SPA packet, the iptables policy on the spa_server allows the spa_client system to establish an SSH session:
[spa_client]$ ssh -l mbr 18.104.22.168 mbr@spa_server's password:
After 30 seconds has expired, knoptm (a dæmon responsible for deleting iptables rules added by fwknopd to the iptables policy) deletes the ACCEPT rule and writes the following messages to syslog:
Feb 10 13:52:17 spa_server knoptm: removed iptables \ FWKNOP_INPUT ACCEPT rule for 22.214.171.124 -> tcp/22, \ 30 second timeout exceeded
Our SSH session remains established after the ACCEPT rule is deleted because of the state tracking rules in the iptables policy (see the firewall.sh script above). These rules allow packets that are part of an established TCP connection to pass unimpeded.
To use GnuPG to encrypt and sign an SPA packet, you can execute the fwknop command below. In this case, the key ID of the fwknopd server is specified on the command line with the --gpg-recipient argument, and the key ID used to sign the SPA packet is given with the --gpg-signing-key argument (the output below has been abbreviated):
[spa_client]$ fwknop -A tcp/22 --gpg-recipient ABCD1234 \ --gpg-signing-key 5678DEFG -w -k 126.96.36.199 [+] Sending 1010 byte message to 188.8.131.52 over udp/62201
As you can see, the length of the application portion of the SPA packet has increased to more than 1,000 bytes, whereas it was only 150 bytes for the Rijndael example. This is because the key length of GnuPG keys (in this case 2,048 bits) and the characteristics of asymmetric ciphers tend to inflate the size of small chunks of data after being encrypted. There is no strict correspondence between the size of clear-text and cipher-text data as in block ciphers such as Rijndael.
Again, on the spa_server system, fwknop adds the ACCEPT rule for us. This time fwknopd reports that the SPA packet is encrypted with GnuPG, and that a valid signature for the required key ID 5678DEFG is found:
Feb 10 14:38:26 spa_server fwknopd: received valid GnuPG encrypted packet (signed with required key ID: "5678DEFG") from: 184.108.40.206, remote user: mbr Feb 10 14:38:26 spa_server fwknopd: adding FWKNOP_INPUT ACCEPT rule for 220.127.116.11 -> tcp/22 (30 seconds)
Practical Task Scheduling Deployment
July 20, 2016 12:00 pm CDT
One of the best things about the UNIX environment (aside from being stable and efficient) is the vast array of software tools available to help you do your job. Traditionally, a UNIX tool does only one thing, but does that one thing very well. For example, grep is very easy to use and can search vast amounts of data quickly. The find tool can find a particular file or files based on all kinds of criteria. It's pretty easy to string these tools together to build even more powerful tools, such as a tool that finds all of the .log files in the /home directory and searches each one for a particular entry. This erector-set mentality allows UNIX system administrators to seem to always have the right tool for the job.
Cron traditionally has been considered another such a tool for job scheduling, but is it enough? This webinar considers that very question. The first part builds on a previous Geek Guide, Beyond Cron, and briefly describes how to know when it might be time to consider upgrading your job scheduling infrastructure. The second part presents an actual planning and implementation framework.
Join Linux Journal's Mike Diehl and Pat Cameron of Help Systems.
Free to Linux Journal readers.Register Now!
- SUSE LLC's SUSE Manager
- Managing Linux Using Puppet
- Tech Tip: Really Simple HTTP Server with Python
- Returning Values from Bash Functions
- Murat Yener and Onur Dundar's Expert Android Studio (Wrox)
- My +1 Sword of Productivity
- Non-Linux FOSS: Caffeine!
- Rogue Wave Software's Zend Server
- Doing for User Space What We Did for Kernel Space
- Parsing an RSS News Feed with a Bash Script