[needs-packaging] fwknop
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Debian |
Fix Released
|
Unknown
|
|||
| Ubuntu |
Fix Released
|
Wishlist
|
Unassigned | ||
Bug Description
http://
fwknop stands for the "FireWall KNock OPerator", and implements an authorization scheme called Single Packet Authorization (SPA) that is based around iptables and libpcap. SPA requires only a single encrypted packet in order to communicate various pieces of information including desired access through an iptables policy and/or complete commands to execute on the target system. By using iptables to maintain a "default drop" stance, the main application of this program is to protect services such as OpenSSH with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more difficult. With fwknop deployed, anyone using nmap to look for sshd can't even tell that it is listening; it makes no difference if they have a 0-day exploit or not. The authorization server passively monitors authorization packets via libcap and hence there is no "server" to which to connect in the traditional sense. Access to a protected service is only granted after a valid encrypted and non-replayed packet is monitored from an fwknop client.
| Allisson Azevedo (allisson) wrote | #1 |
| xtsbdu3reyrbrmroezob (xtsbdu3reyrbrmroezob) wrote Re: [Bug 105763] [needs-packaging] fwknop | #2 |
This package is already in Jaunty.