Summary: A Single Packet Authorization (SPA) implementation
Name: fwknop
Version: 1.9.9
Release: 3
License: GPLv2
Group: System Environment/Daemons
Url: http://www.cipherdyne.org/fwknop/
Source0: http://www.cipherdyne.org/fwknop/download/fwknop-nodeps-%{version}.tar.gz
# Source1 is upstream's detached signature for Source0.  Nothing in this spec
# checks it -- rpmbuild only carries it into the SRPM -- so the tarball has to
# be verified against it (and against upstream's key) by hand whenever
# Source0 is refreshed.
Source1: http://www.cipherdyne.org/fwknop/download/fwknop-nodeps-%{version}.tar_gz.asc
Source2: fwknop.logrotate
# Presumably stops the install step from rewriting the hostname in the
# shipped config (changelog 1.9.6-2: "do not set hostname during install");
# applied in %%prep with a .hostname backup of each touched file.
Patch0: fwknop-1.9.9-hostname.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: logrotate
# The automatic dependency generator doesn't find the Perl dependencies
Requires: perl(Crypt::CBC), perl(Crypt::Rijndael), perl(Digest::SHA)
Requires: perl(GnuPG::Interface), perl(IPTables::ChainMgr)
Requires: perl(IPTables::Parse), perl(Net::IPv4Addr), perl(Net::Pcap)
Requires: perl(Net::Ping::External), perl(Net::RawIP), perl(Term::ReadKey)
Requires: perl(Unix::Syslog)
# Scriptlet-only dependencies: chkconfig for %%post/%%preun, the service
# helper from initscripts for %%preun/%%postun.
Requires(post): chkconfig
Requires(preun): chkconfig, initscripts
Requires(postun): initscripts

%description
fwknop implements an authorization scheme known as Single Packet
Authorization (SPA) that requires only a single encrypted packet to
communicate various pieces of information including desired access through an
iptables policy and/or specific commands to execute on the target system.
The main application of this program is to protect services such as SSH with
an additional layer of security in order to make the exploitation of
vulnerabilities (both 0-day and unpatched code) much more difficult. The
authorization server passively monitors authorization packets via libpcap and
hence there is no "server" to which to connect in the traditional sense. Any
service protected by fwknop is inaccessible (by using iptables to
intercept packets within the kernel) before authenticating; anyone scanning for
the service will not be able to detect that it is even listening. This
authorization scheme offers many advantages over port knocking, including being
non-replayable, much more data can be communicated, and the scheme cannot be
broken by simply connecting to extraneous ports on the server in an effort to
break knock sequences. The authorization packets can easily be spoofed as
well, and this makes it possible to make it appear as though, say,
www.yahoo.com is trying to authenticate to a target system but in reality the
actual connection will come from a seemingly unrelated IP. Although the
default data collection method is to use libpcap to sniff packets off the
wire, fwknop can also read packets out of a file that is written by the
iptables ulogd pcap writer or by a separate sniffer process.

%prep
%setup -q
# Apply the hostname patch, keeping a .hostname backup of each file it touches.
%patch0 -p1 -b .hostname

%build
# Hand the distribution's compiler flags to upstream's OPTS knob so the
# binaries are built with the same flags as the rest of the distro;
# _smp_mflags turns on parallel make where the build host permits it.
make %{?_smp_mflags} OPTS="$RPM_OPT_FLAGS"

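%install
rm -rf $RPM_BUILD_ROOT

mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/fwknop \
	$RPM_BUILD_ROOT%{_initrddir} \
	$RPM_BUILD_ROOT%{_bindir} \
	$RPM_BUILD_ROOT%{_mandir}/man8 \
	$RPM_BUILD_ROOT%{_sbindir} \
	$RPM_BUILD_ROOT%{_localstatedir}/lib/fwknop \
	$RPM_BUILD_ROOT%{_localstatedir}/log/fwknop \
	$RPM_BUILD_ROOT%{_localstatedir}/log/fwknop/errs \
	$RPM_BUILD_ROOT%{_localstatedir}/run/fwknop

# access.conf is where the SPA access stanzas -- including their KEY
# material -- are configured, so it must not be world-readable.  fwknop.conf
# and pf.os carry no secrets and stay 644.
install -p -m 600 access.conf $RPM_BUILD_ROOT%{_sysconfdir}/fwknop
install -p -m 644 fwknop.conf pf.os $RPM_BUILD_ROOT%{_sysconfdir}/fwknop
install -p -m 755 init-scripts/fwknop-init.redhat \
	$RPM_BUILD_ROOT%{_initrddir}/fwknop
install -p -m 755 fwknop $RPM_BUILD_ROOT%{_bindir}
install -p -m 644 *.8 $RPM_BUILD_ROOT%{_mandir}/man8/
install -p -m 755 fwknopd fwknop_serv knopmd knoptm knopwatchd \
	$RPM_BUILD_ROOT%{_sbindir}
# logrotate snippet.  The directory is created via the sysconfdir macro, as
# on the install line below, rather than a literal /etc, so the two cannot
# drift apart.
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d
install -p -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/fwknop
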
%clean
# Remove the staging tree populated by %%install.
rm -rf $RPM_BUILD_ROOT

%post
# Register the init script with chkconfig (runs on install and on upgrade).
/sbin/chkconfig --add fwknop

%preun
# $1 is the number of package instances that remain after this transaction:
# 0 is a real removal, so stop the daemon and unregister the init script.
# On an upgrade ($1 >= 1) the running service is left alone here.
if [ $1 = 0 ]; then
/sbin/service fwknop stop >/dev/null 2>&1
/sbin/chkconfig --del fwknop
fi

%postun
# On upgrade ($1 >= 1) restart the daemon only if it was running.  A failed
# condrestart must not fail the transaction, hence the trailing "|| :".
if [ $1 -ge 1 ]; then
/sbin/service fwknop condrestart >/dev/null 2>&1 || :
fi

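%files
%defattr(-,root,root)
%doc CREDITS ChangeLog ChangeLog.svn LICENSE README README.ACCESS README.GPG
%doc README.PK TODO
%dir %{_sysconfdir}/fwknop
# access.conf holds the SPA keys: pin it to root-only regardless of the mode
# it was staged with, so a later change to the install step cannot expose it.
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/fwknop/access.conf
%config(noreplace) %{_sysconfdir}/fwknop/fwknop.conf
%config(noreplace) %{_sysconfdir}/fwknop/pf.os
%config(noreplace) %{_sysconfdir}/logrotate.d/fwknop
%{_initrddir}/fwknop
%{_bindir}/fwknop
# The daemons are listed by name rather than via a *kno* glob, so an
# unexpected file landing in sbindir fails the build as "unpackaged"
# instead of being shipped silently.
%{_sbindir}/fwknopd
%{_sbindir}/fwknop_serv
%{_sbindir}/knopmd
%{_sbindir}/knoptm
%{_sbindir}/knopwatchd
%{_mandir}/man8/*
%dir %{_localstatedir}/lib/fwknop
%dir %{_localstatedir}/log/fwknop
%dir %{_localstatedir}/log/fwknop/errs
%dir %{_localstatedir}/run/fwknop
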
%changelog
* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.9.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
|
* Mon Jan 05 2009 Peter Vrabec <pvrabec@redhat.com> 1.9.9-2
- add /var/log/fwknop/errs directory (#469395)
|
* Mon Nov 17 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.9-1
- Update to fwknop-1.9.9
|
* Sat Oct 4 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.8-1
- Update to fwknop-1.9.8
- Add missing Requires:
- Use the "nodeps" tarball
|
* Sun Aug 24 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.7-1
- Update to fwknop-1.9.7
- License specified to be GPLv2
|
* Sun Aug 24 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.6-4
- Don't change SNAT_TRANSLATE_IP to "localhost" in the default config.
- Add Requires: logrotate.
|
* Wed Aug 13 2008 Peter Vrabec <pvrabec@redhat.com> - 1.9.6-3
- fix sed cmd in spec file
|
* Mon Aug 11 2008 Peter Vrabec <pvrabec@redhat.com> - 1.9.6-2
- add logrotate file
- do not set hostname during install
|
* Wed Jul 30 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.6-1
- Initial Fedora package, based on Michael Rash's spec file (heavily modified
since).
|
* Fri Jul 18 2008 Michael Rash <mbr@cipherdyne.org>
- Release of fwknop-1.9.6