A place for academic and resource exchange ^_^

tmux

tmux is a terminal multiplexer.

fwknop

Last updated: 2017-02-27

Introduction

Single Packet Authorization (SPA) - modern replacement for port knocking

fwknopd

written in C

HMAC with a shared key

An SPA packet is "valid" only when it is authenticated via the HMAC.

Encrypted with a strong cipher under the expected key (Rijndael encryption mode).

The fwknop client strips off any trailing "=" characters before sending an SPA packet.

Supports iptables, ipfw and pf.

Behaviour on iptables

The daemon relies on the iptables "comment" match to store the expiration time of each new ACCEPT rule it adds after receiving a valid SPA packet.

All new rules are added by fwknopd to the FWKNOP_INPUT chain, keeping them separate from the rest of the iptables policy.

We assume that iptables is configured in a default-drop stance for port

iptables -I INPUT 1 -i eth0 -p tcp --dport 22 -j DROP

A state tracking mechanism supported by the firewall can be used to keep a session established even after the rule that allows access is removed.

iptables -I INPUT 1 -i eth0 -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

The SPA server only allows access to the IP address that was originally encrypted within the SPA payload.

By default, the fwknop client sends SPA packets over UDP port 62201.

Features

Stopping Replay Attack

The SPA server (fwknopd) compares the SHA-256 digest of each incoming packet against the SHA-256 digests of all previously seen and properly decrypted SPA packets.

If there is a match, fwknopd knows that a replay attack was attempted.

/tmp/fwknop/digest.cache

# <digest> <proto> <src_ip> <src_port> <dst_ip> <dst_port> <time>
DIGEST     17      s.s.s.s  58536      d.d.d.d  62201      1519636310
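As an added example (not fwknop's own code), the following models the replay check described above: the packet digest is looked up in a cache kept in the same line format as digest.cache, and recorded only when it is new. All packets, addresses and timestamps used with it are constructed samples, and the decryption/HMAC step is assumed to have already succeeded.

```python
import base64
import hashlib

# Added example (not fwknop's own code): a minimal model of fwknopd's replay
# check built around the digest.cache line format shown above. Every packet
# and address used with it is a constructed sample.
CACHE_HEADER = "# <digest> <proto> <src_ip> <src_port> <dst_ip> <dst_port> <time>"


def decode_spa_b64(spa_text: str) -> bytes:
    """The client strips trailing '=' from the base64 SPA data, so the server
    pads it back to a multiple of 4 characters before decoding."""
    return base64.b64decode(spa_text + "=" * (-len(spa_text) % 4))


def spa_digest(raw_packet: bytes) -> str:
    """SHA-256 hex digest of the SPA packet exactly as received."""
    return hashlib.sha256(raw_packet).hexdigest()


def parse_digest_cache(text: str) -> dict:
    """Map digest -> (proto, src_ip, src_port, dst_ip, dst_port, time)."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, proto, src_ip, src_port, dst_ip, dst_port, ts = line.split()
        seen[digest] = (int(proto), src_ip, int(src_port), dst_ip, int(dst_port), int(ts))
    return seen


def check_replay(seen: dict, raw_packet: bytes, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int, now: int, proto: int = 17) -> bool:
    """Return True when the digest was already seen (replay attempt); otherwise
    record the packet and return False. fwknopd only caches digests of packets
    that also decrypted and authenticated correctly; that is assumed here."""
    digest = spa_digest(raw_packet)
    if digest in seen:
        return True
    seen[digest] = (proto, src_ip, src_port, dst_ip, dst_port, now)
    return False


def dump_digest_cache(seen: dict) -> str:
    """Serialise the cache in the same line format as digest.cache."""
    lines = [CACHE_HEADER]
    for digest, fields in seen.items():
        lines.append(" ".join(str(f) for f in (digest, *fields)))
    return "\n".join(lines) + "\n"
```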

ipcs

Different types of IPC (ipcs flags in parentheses)

  • Pipes
  • Shared Memory (-m)
  • Message Queue (-q)
  • Semaphores (-s)

Pipes

Provides a way for processes to communicate with one another by exchanging messages. Named pipes provide a way for processes running on different computer systems to communicate over the network.

Shared Memory

Processes can exchange values through shared memory. One process creates a portion of memory which other processes can access.

Message Queue

It is a structured and ordered list of memory segments where processes store or retrieve data.

Semaphores

POSIX semaphores allow processes and threads to synchronize their actions.

A semaphore is an integer whose value is never allowed to fall below zero. 

Two operations can be performed on semaphores:

 - increment the semaphore value by one (sem_post(3));

 - decrement the semaphore value by one (sem_wait(3)). 

If the value of a semaphore is currently zero, then a sem_wait(3) operation will block until the value becomes greater than zero.

No data is passed with a semaphore; it simply coordinates access to shared resources.

POSIX semaphores come in two forms:

named semaphores

Identified by a name of the form /somename (up to 251 characters).

unnamed semaphores

An unnamed semaphore does not have a name.

Instead, the semaphore is placed in a region of memory that is shared between multiple threads or processes.
