Summary: A Single Packet Authorization (SPA) implementation
Name: fwknop
Version: 1.9.12
Release: 1
License: GPLv2
Group: System Environment/Daemons
Url: http://www.cipherdyne.org/fwknop/
Source0: http://www.cipherdyne.org/fwknop/download/fwknop-nodeps-%{version}.tar.gz
Source1: http://www.cipherdyne.org/fwknop/download/fwknop-nodeps-%{version}.tar_gz.asc
Source2: fwknop.logrotate
Patch0: fwknop-1.9.9-hostname.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: logrotate
# The automatic dependency generator doesn't find the Perl dependencies
Requires: perl(Crypt::CBC), perl(Crypt::Rijndael), perl(Digest::SHA)
Requires: perl(GnuPG::Interface), perl(IPTables::ChainMgr)
Requires: perl(IPTables::Parse), perl(Net::IPv4Addr), perl(Net::Pcap)
Requires: perl(Net::Ping::External), perl(Net::RawIP), perl(Term::ReadKey)
Requires: perl(Unix::Syslog)
Requires(post): chkconfig
Requires(preun): chkconfig, initscripts
Requires(postun): initscripts

%description
fwknop implements an authorization scheme known as Single Packet
Authorization (SPA) that requires only a single encrypted packet to
communicate various pieces of information, including desired access through an
iptables policy and/or specific commands to execute on the target system.
The main application of this program is to protect services such as SSH with
an additional layer of security in order to make the exploitation of
vulnerabilities (both 0-day and unpatched code) much more difficult. The
authorization server passively monitors authorization packets via libpcap and
hence there is no "server" to which to connect in the traditional sense. Any
service protected by fwknop is inaccessible (by using iptables to
intercept packets within the kernel) before authenticating; anyone scanning for
the service will not be able to detect that it is even listening. This
authorization scheme offers many advantages over port knocking, including being
non-replayable, allowing much more data to be communicated, and not being
breakable by simply connecting to extraneous ports on the server in an effort to
break knock sequences. The authorization packets can easily be spoofed as
well, and this makes it possible to make it appear as though, say,
www.yahoo.com is trying to authenticate to a target system when in reality the
actual connection will come from a seemingly unrelated IP. Although the
default data collection method is to use libpcap to sniff packets off the
wire, fwknop can also read packets out of a file that is written by the
iptables ulogd pcap writer or by a separate sniffer process.

%prep
%setup -q
%patch0 -p1 -b .hostname

%build
make %{?_smp_mflags} OPTS="$RPM_OPT_FLAGS"

%install
rm -rf $RPM_BUILD_ROOT

mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/fwknop \
        $RPM_BUILD_ROOT%{_initrddir} \
        $RPM_BUILD_ROOT%{_bindir} \
        $RPM_BUILD_ROOT%{_mandir}/man8 \
        $RPM_BUILD_ROOT%{_sbindir} \
        $RPM_BUILD_ROOT%{_localstatedir}/lib/fwknop \
        $RPM_BUILD_ROOT%{_localstatedir}/log/fwknop \
        $RPM_BUILD_ROOT%{_localstatedir}/log/fwknop/errs \
        $RPM_BUILD_ROOT%{_localstatedir}/run/fwknop

install -p -m 644 access.conf fwknop.conf pf.os $RPM_BUILD_ROOT%{_sysconfdir}/fwknop
install -p -m 755 init-scripts/fwknop-init.redhat \
        $RPM_BUILD_ROOT%{_initrddir}/fwknop
install -p -m 755 fwknop $RPM_BUILD_ROOT%{_bindir}
install -p -m 644 *.8 $RPM_BUILD_ROOT%{_mandir}/man8/
install -p -m 755 fwknopd fwknop_serv knopmd knoptm knopwatchd \
        $RPM_BUILD_ROOT%{_sbindir}
# install logrotate configuration
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d
install -p -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/fwknop

%clean
rm -rf $RPM_BUILD_ROOT

%post
/sbin/chkconfig --add fwknop

%preun
if [ $1 = 0 ]; then
    /sbin/service fwknop stop >/dev/null 2>&1
    /sbin/chkconfig --del fwknop
fi

%postun
if [ $1 -ge 1 ]; then
    /sbin/service fwknop condrestart >/dev/null 2>&1 || :
fi

%files
%defattr(-,root,root)
%doc CREDITS ChangeLog ChangeLog.svn LICENSE README README.ACCESS README.GPG
%doc README.PK TODO
%dir %{_sysconfdir}/fwknop
%config(noreplace) %{_sysconfdir}/fwknop/*.conf
%config(noreplace) %{_sysconfdir}/fwknop/pf.os
%config(noreplace) %{_sysconfdir}/logrotate.d/fwknop
%{_initrddir}/fwknop
%{_bindir}/fwknop
%{_sbindir}/*kno*
%{_mandir}/man8/*
%dir %{_localstatedir}/lib/fwknop
%dir %{_localstatedir}/log/fwknop
%dir %{_localstatedir}/log/fwknop/errs
%dir %{_localstatedir}/run/fwknop

%changelog
* Wed Sep 16 2009 Miloslav Trmač <mitr@redhat.com> - 1.9.12-1
- Update to fwknop-1.9.12.

* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.9.11-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Thu May 14 2009 Miloslav Trmač <mitr@redhat.com> - 1.9.11-1
- Update to fwknop-1.9.11.

* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.9.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Mon Jan 05 2009 Peter Vrabec <pvrabec@redhat.com> 1.9.9-2
- add /var/log/fwknop/errs directory (#469395)

* Mon Nov 17 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.9-1
- Update to fwknop-1.9.9

* Sat Oct 4 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.8-1
- Update to fwknop-1.9.8
- Add missing Requires:
- Use the "nodeps" tarball

* Sun Aug 24 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.7-1
- Update to fwknop-1.9.7
- License specified to be GPLv2

* Sun Aug 24 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.6-4
- Don't change SNAT_TRANSLATE_IP to "localhost" in the default config.
- Add Requires: logrotate.

* Wed Aug 13 2008 Peter Vrabec <pvrabec@redhat.com> - 1.9.6-3
- fix sed cmd in spec file

* Mon Aug 11 2008 Peter Vrabec <pvrabec@redhat.com> - 1.9.6-2
- add logrotate file
- do not set hostname during install

* Wed Jul 30 2008 Miloslav Trmač <mitr@redhat.com> - 1.9.6-1
- Initial Fedora package, based on Michael Rash's spec file (heavily modified
  since).

* Fri Jul 18 2008 Michael Rash <mbr@cipherdyne.org>
- Release of fwknop-1.9.6