minor man page documentation updates (added twitter reference)
@@ -2,12 +2,12 @@
.\" Title: fwknop
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
.\" Date: 06/27/2013
.\" Date: 06/30/2013
.\" Manual: Fwknop Client
.\" Source: Fwknop Client
.\" Language: English
.\"
.TH "FWKNOP" "8" "06/27/2013" "Fwknop Client" "Fwknop Client"
.TH "FWKNOP" "8" "06/30/2013" "Fwknop Client" "Fwknop Client"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
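Review bot: the `.\" Date:` and `.TH` timestamp changes (06/27/2013 to 06/30/2013) are regeneration churn rather than part of the documentation fix; the `.\" Generator: DocBook XSL Stylesheets` line marks fwknop.8 as build output from the .txt source, so consider regenerating the man pages only at release time, or keeping them out of the tree, so that wording commits do not carry date-only diffs in two places per file.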
@@ -34,7 +34,7 @@ fwknop \- Firewall Knock Operator
\fBfwknop\fR \fB\-A\fR <\*(Aqproto/ports\*(Aq> \fB\-R\fR|\fB\-a\fR|\fB\-s \-D\fR <\*(Aqhost\*(Aq> [\fIoptions\fR]
.SH "DESCRIPTION"
.sp
\fBfwknop\fR implements an authorization scheme known as Single Packet Authorization (SPA) for strong service protection\&. SPA requires only a single packet which is encrypted, non\-replayable, and authenticated via an HMAC in order to communicate desired access to a service that is hidden behind a firewall in a default\-drop filtering stance\&. The main application of SPA is to use a firewall to drop all attempts to connect to services such as \fISSH\fR in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) more difficult\&. Any service that is protected by SPA naturally cannot be scanned for with \fINmap\fR\&. The fwknop project supports three different firewalls: \fIiptables\fR on Linux systems, \fIpf\fR on OpenBSD, and \fIipfw\fR on FreeBSD and Mac OS X\&.
\fBfwknop\fR implements an authorization scheme known as Single Packet Authorization (SPA) for strong service concealment\&. SPA requires only a single packet which is encrypted, non\-replayable, and authenticated via an HMAC in order to communicate desired access to a service that is hidden behind a firewall in a default\-drop filtering stance\&. The main application of SPA is to use a firewall to drop all attempts to connect to services such as \fISSH\fR in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) more difficult\&. Any service that is concealed by SPA naturally cannot be scanned for with \fINmap\fR\&. The fwknop project supports three different firewalls: \fIiptables\fR on Linux systems, \fIpf\fR on OpenBSD, and \fIipfw\fR on FreeBSD and Mac OS X\&.
.sp
SPA is essentially next generation Port Knocking (PK), but solves many of the limitations exhibited by PK while retaining its core benefits\&. PK limitations include a general difficulty in protecting against replay attacks, asymmetric ciphers and HMAC schemes are not usually possible to reliably support, and it is trivially easy to mount a DoS attack against a PK server just by spoofing an additional packet into a PK sequence as it traverses the network (thereby convincing the PK server that the client doesn\(cqt know the proper sequence)\&. All of these limitation are solved by SPA\&. At the same time, SPA hides services behind a default\-drop firewall policy, acquires SPA data passively (usually via libpcap or other means), and implements standard cryptographic operations for SPA packet authentication and encryption/decryption\&.
.sp
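Review bot: "concealment" in place of "protection" is the more accurate word for what a default-drop stance gives, but the sentence "Any service that is concealed by SPA naturally cannot be scanned for with \fINmap\fR" still overstates it: a port behind a default-drop policy is reported by a scanner as filtered, not as absent, so "cannot be identified as open by \fINmap\fR" would be the precise claim. Unchanged context in the same hunk also still reads "All of these limitation are solved by SPA"; worth fixing the plural while this paragraph is being touched.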
@@ -1129,6 +1129,8 @@ More information on Single Packet Authorization can be found in the paper \(lqSi
.if n \{\
.RE
.\}
.sp
Additional commentary on Single Packet Authorization can be found via Michael Rash\(cqs Twitter feed: http://twitter\&.com/michaelrash, @michaelrash
.SH "AUTHORS"
.sp
Damien Stuart <dstuart@dstuart\&.org>, Michael Rash <mbr@cipherdyne\&.org>
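Review bot: the added reference uses a plain-http URL, `http://twitter\&.com/michaelrash`; prefer the https form so that readers following a documentation link are not sent through an unencrypted, redirectable hop. Since this file is generator output, the change belongs in the fwknop.txt source and should be regenerated from there rather than hand-edited here. The `.sp` preceding the paragraph and the `\(cq` / `\&.` escapes match the surrounding generated style, so the rendered output will be consistent.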
@@ -16,13 +16,13 @@ SYNOPSIS
DESCRIPTION
-----------
*fwknop* implements an authorization scheme known as Single Packet
Authorization (SPA) for strong service protection. SPA requires only a single
Authorization (SPA) for strong service concealment. SPA requires only a single
packet which is encrypted, non-replayable, and authenticated via an HMAC in order
to communicate desired access to a service that is hidden behind a firewall in a
default-drop filtering stance. The main application of SPA is to use a
firewall to drop all attempts to connect to services such as 'SSH' in order
to make the exploitation of vulnerabilities (both 0-day and unpatched code)
more difficult. Any service that is protected by SPA naturally cannot be
more difficult. Any service that is concealed by SPA naturally cannot be
scanned for with 'Nmap'. The fwknop project supports three different
firewalls: 'iptables' on Linux systems, 'pf' on OpenBSD, and 'ipfw' on FreeBSD
and Mac OS X.
@@ -1002,6 +1002,9 @@ along with 'Github' for tracking of issues and milestones:
$ git clone https://github.com/mrash/fwknop.git fwknop.git
..........................

Additional commentary on Single Packet Authorization can be found via Michael
Rash's Twitter feed: http://twitter.com/michaelrash, @michaelrash


AUTHORS
-------
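Review bot: on the second added line, `http://twitter.com/michaelrash,` should be `https://twitter.com/michaelrash`, and writing it in the explicit AsciiDoc macro form `https://twitter.com/michaelrash[]` keeps the link target unambiguous with the comma that follows it. The placement is right: the paragraph sits after the literal block's closing `..........................` line with a separating blank line, which AsciiDoc needs to terminate the block, and the same text is added to fwknopd.txt in this commit, so both copies should get the same URL fix.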
@@ -23,10 +23,10 @@ or ACL policy to allow the desired access after authenticating and
decrypting a valid SPA packet (in that order), and removing access after a
configurable timeout.

The main application of this program is to protect services such as 'SSH'
The main application of this program is to conceal services such as 'SSH'
with an additional layer of security in order to make the exploitation of
vulnerabilities (both 0-day and unpatched code) much more difficult. In
addition, services that are protected in this fashion naturally cannot be
addition, services that are concealed in this fashion naturally cannot be
scanned for with 'Nmap'.

The main configuration for *fwknopd* is maintained within two files:
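Review bot: "conceal services such as 'SSH' with an additional layer of security" reads awkwardly and understates what the daemon does: the preceding context describes authenticating and decrypting SPA packets and then modifying the firewall or ACL policy, which is access control, while concealment is the side effect of the default-drop policy. Suggest "protect and conceal services such as 'SSH'" or "hide services such as 'SSH' behind an additional layer of authentication", and carry the same wording into the generated fwknopd.8 so the two stay in step.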
@@ -558,6 +558,9 @@ along with 'Github' for tracking of issues and milestones:
$ git clone https://github.com/mrash/fwknop.git fwknop.git
..........................

Additional commentary on Single Packet Authorization can be found via Michael
Rash's Twitter feed: http://twitter.com/michaelrash, @michaelrash


AUTHORS
-------
@@ -2,12 +2,12 @@
.\" Title: fwknopd
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
.\" Date: 06/27/2013
.\" Date: 06/30/2013
.\" Manual: Fwknop Server
.\" Source: Fwknop Server
.\" Language: English
.\"
.TH "FWKNOPD" "8" "06/27/2013" "Fwknop Server" "Fwknop Server"
.TH "FWKNOPD" "8" "06/30/2013" "Fwknop Server" "Fwknop Server"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -36,7 +36,7 @@ fwknopd \- Firewall Knock Operator Daemon
.sp
\fBfwknopd\fR is the server component for the FireWall Knock Operator, and is responsible for monitoring and processing Single Packet Authorization (SPA) packets that are generated by \fBfwknop\fR clients, modifying a firewall or ACL policy to allow the desired access after authenticating and decrypting a valid SPA packet (in that order), and removing access after a configurable timeout\&.
.sp
The main application of this program is to protect services such as \fISSH\fR with an additional layer of security in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) much more difficult\&. In addition, services that are protected in this fashion naturally cannot be scanned for with \fINmap\fR\&.
The main application of this program is to conceal services such as \fISSH\fR with an additional layer of security in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) much more difficult\&. In addition, services that are concealed in this fashion naturally cannot be scanned for with \fINmap\fR\&.
.sp
The main configuration for \fBfwknopd\fR is maintained within two files: \fIfwknopd\&.conf\fR and \fIaccess\&.conf\fR\&. The default location for these files is determined at package configuration (typically \fI@sysconfdir@/fwknop\fR)\&. The configuration variables within these files are described below\&.
.SH "COMMAND-LINE OPTIONS"
@@ -642,6 +642,8 @@ More information on Single Packet Authorization can be found in the paper \(lqSi
.if n \{\
.RE
.\}
.sp
Additional commentary on Single Packet Authorization can be found via Michael Rash\(cqs Twitter feed: http://twitter\&.com/michaelrash, @michaelrash
.SH "AUTHORS"
.sp
Damien Stuart <dstuart@dstuart\&.org>, Michael Rash <mbr@cipherdyne\&.org>