Summary: A Single Packet Authorization (SPA) implementation
Name: fwknop
Version: 2.0
Release: 1
License: GPLv2
Group: System Environment/Daemons
Url: http://www.cipherdyne.org/fwknop/
Source0: http://cipherdyne.org/fwknop/download/fwknop-%{version}.tar.gz
# Upstream's detached GPG signature for Source0.  NOTE(review): nothing in this
# spec actually checks it -- rpmbuild does not verify .asc files on its own and
# no trusted keyring is shipped here -- so a tarball fetched over plain http is
# trusted as downloaded.  Verify the signature out of band (or add a keyring
# source plus a gpg --verify step in %%prep) before building from a fresh copy.
Source1: http://cipherdyne.org/fwknop/download/fwknop-%{version}.tar.gz.asc
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# libpcap-devel: fwknopd sniffs SPA packets with libpcap (see %%description).
# iptables: presumably so configure can locate the iptables binary the daemon
# drives at run time -- confirm against upstream's configure.ac.
BuildRequires: libpcap-devel iptables
# NOTE(review): no logrotate snippet is listed in %%files below, so this
# dependency looks like a leftover from the 1.9.x packaging (see %%changelog).
Requires: logrotate
# libfko is shipped as a shared library, so the linker cache is refreshed in
# the post/postun scriptlets; chkconfig and initscripts serve the SysV
# service registration done there.
Requires(post): chkconfig /sbin/ldconfig
Requires(preun): chkconfig, initscripts, /sbin/ldconfig
Requires(postun): initscripts

%description
fwknop implements an authorization scheme known as Single Packet
Authorization (SPA) that requires only a single encrypted packet to
communicate various pieces of information including desired access through an
iptables policy and/or specific commands to execute on the target system.
The main application of this program is to protect services such as SSH with
an additional layer of security in order to make the exploitation of
vulnerabilities (both 0-day and unpatched code) much more difficult. The
authorization server passively monitors authorization packets via libpcap and
hence there is no "server" to which to connect in the traditional sense. Any
service protected by fwknop is inaccessible (by using iptables to
intercept packets within the kernel) before authenticating; anyone scanning for
the service will not be able to detect that it is even listening. This
authorization scheme offers many advantages over port knocking, including
non-replayability, the ability to communicate much more data, and immunity to
the trick of connecting to extraneous ports on the server in an effort to
break knock sequences. The authorization packets can easily be spoofed as
well, and this makes it possible to make it appear as though, say,
www.yahoo.com is trying to authenticate to a target system but in reality the
actual connection will come from a seemingly unrelated IP. Although the
default data collection method is to use libpcap to sniff packets off the
wire, fwknop can also read packets out of a file that is written by the
iptables ulogd pcap writer or by a separate sniffer process.

%prep
%setup -q

%build
%configure
# Neutralise the rpath libtool would otherwise bake into libfko/fwknopd:
# blank the hardcode flag and point the runpath variable at a name nothing
# reads, so the installed binaries carry no rpath into %%{_libdir}.
sed -i \
    -e 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' \
    -e 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' \
    libtool
# OPTS is passed through for the upstream Makefile; with an autotools build
# the distro hardening flags already reach the compiler via the CFLAGS that
# %%configure sets, so OPTS appears to be a holdover -- confirm before dropping.
make %{?_smp_mflags} OPTS="$RPM_OPT_FLAGS"

%install
rm -rf $RPM_BUILD_ROOT

make install DESTDIR=$RPM_BUILD_ROOT

# init script
# Upstream's Red Hat style SysV script from extras/ is installed under the
# daemon's name so the chkconfig/service calls in the scriptlets resolve.
install -d -m 755 $RPM_BUILD_ROOT%{_initrddir}
install -p -m 755 extras/fwknop.init.redhat $RPM_BUILD_ROOT%{_initrddir}/fwknopd

# devel stuff
# No -devel subpackage is built, so the static archive, libtool .la file,
# unversioned .so symlink, header and texinfo pages are removed rather than
# left unpackaged (rpmbuild by default fails on unpackaged files).  rm is
# used without -f, so a changed upstream install layout fails the build
# loudly instead of silently shipping extra files.
rm $RPM_BUILD_ROOT/%{_libdir}/libfko.a
rm $RPM_BUILD_ROOT/%{_libdir}/libfko.la
rm $RPM_BUILD_ROOT/%{_libdir}/libfko.so
rm $RPM_BUILD_ROOT/%{_includedir}/fko.h
rm $RPM_BUILD_ROOT/%{_datadir}/info/dir
rm $RPM_BUILD_ROOT/%{_datadir}/info/libfko.info

%clean
# Kept for older rpm releases that do not purge the buildroot themselves.
rm -rf $RPM_BUILD_ROOT

%post
# libfko is a shared library: refresh the linker cache, then register the
# fwknopd init script.  "chkconfig --add" only registers the script; whether
# the service is enabled comes from the script's own default runlevels.
/sbin/ldconfig
/sbin/chkconfig --add fwknopd

%preun
# $1 is 0 only on a final erase (an upgrade passes 1): stop the daemon and
# unregister the init script.  Output is discarded, and a failing "stop"
# does not abort the transaction because the scriptlet's status is that of
# the last command.
if [ "$1" -eq 0 ]; then
    /sbin/service fwknopd stop >/dev/null 2>&1
    /sbin/chkconfig --del fwknopd
fi

%postun
/sbin/ldconfig
# $1 >= 1 means this is an upgrade rather than a removal: restart fwknopd
# only if it was already running; "|| :" keeps a no-op from failing the
# transaction.
if [ "$1" -ge 1 ]; then
    /sbin/service fwknopd condrestart >/dev/null 2>&1 || :
fi

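%files
%defattr(-,root,root)
%doc CREDITS ChangeLog COPYING README TODO
%dir %{_sysconfdir}/fwknop
# Both config files are read only by the root-owned daemon.  NOTE(review):
# per upstream's documentation access.conf is where fwknopd keeps the
# per-client SPA keys and access rules, i.e. credential material, so it must
# not be world-readable; fwknopd.conf is locked down the same way as a
# conservative default.  An explicit %%attr is used instead of trusting
# whatever mode "make install" happened to produce.
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/fwknop/fwknopd.conf
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/fwknop/access.conf
%{_initrddir}/fwknopd
%{_bindir}/fwknop
%{_sbindir}/fwknopd
%{_mandir}/man8/*
# Only the versioned runtime library is shipped; the devel pieces are
# removed in %%install because there is no -devel subpackage.
%{_libdir}/*.so.*
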
%changelog
* Thu Jan 12 2012 Peter Vrabec <pvrabec@redhat.com> - 2.0-1
- upgrade

* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.9.12-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Wed Sep 16 2009 Miloslav Trmač <mitr@redhat.com> - 1.9.12-1
- Update to fwknop-1.9.12.

* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.9.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Thu May 14 2009 Miloslav Trmač <mitr@redhat.com> - 1.9.11-1
- Update to fwknop-1.9.11.

* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.9.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Mon Jan 05 2009 Peter Vrabec <pvrabec@redhat.com> - 1.9.9-2
- add /var/log/fwknop/errs directory (#469395)

* Mon Nov 17 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.9-1
- Update to fwknop-1.9.9

* Sat Oct 4 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.8-1
- Update to fwknop-1.9.8
- Add missing Requires:
- Use the "nodeps" tarball

* Sun Aug 24 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.7-1
- Update to fwknop-1.9.7
- License specified to be GPLv2

* Sun Aug 24 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.6-4
- Don't change SNAT_TRANSLATE_IP to "localhost" in the default config.
- Add Requires: logrotate.

* Wed Aug 13 2008 Peter Vrabec <pvrabec@redhat.com> - 1.9.6-3
- fix sed cmd in spec file

* Mon Aug 11 2008 Peter Vrabec <pvrabec@redhat.com> - 1.9.6-2
- add logrotate file
- do not set hostname during install

* Wed Jul 30 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.6-1
- Initial Fedora package, based on Michael Rash's spec file (heavily modified
  since).

* Fri Jul 18 2008 Michael Rash <mbr@cipherdyne.org>
- Release of fwknop-1.9.6