Linux Firewalls - Michael Rash [145]

example, to limit the commands the fwknop server will execute on behalf of an fwknop client to variations on the mail command, you could use the following:

CMD_REGEX: ^mail\s+\-s\s+\"\w+\"\s+\w+\@\w+\.com;
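As an added example (not from the book or the fwknop project), the following Python check shows what that CMD_REGEX pattern actually admits. The pattern is copied from the directive above without the semicolon that terminates the directive; the sample commands are constructed, and treating the test as an unanchored search is an assumption about the server's matching semantics. The point it illustrates is that the pattern starts with ^ but has no $, so anything appended after the address still matches; the anchored variant is added here only for comparison.

```python
import re

# CMD_REGEX value copied from the access.conf directive above, minus the ';'
# that terminates the directive. It anchors the start (^) but not the end.
CMD_REGEX_UNANCHORED = r'^mail\s+\-s\s+\"\w+\"\s+\w+\@\w+\.com'

# Same pattern with an end anchor appended (added here; not the book's text).
CMD_REGEX_ANCHORED = CMD_REGEX_UNANCHORED + r'$'

# Constructed sample commands, as a client might place them in an SPA packet.
SAMPLE_COMMANDS = [
    'mail -s "report" mbr@example.com',                    # intended use
    'mail -s "report" mbr@example.com; cat /etc/shadow',   # trailing text
    'mail -s "report" mbr@example.com | sh',               # trailing text
    'mail -s "two words" mbr@example.com',                 # \w+ rejects the space
    'rm -rf /tmp/x',                                       # not mail at all
]


def command_allowed(pattern: str, command: str) -> bool:
    """Emulate a CMD_REGEX test.

    Assumption: the server matches the pattern against the command string as
    an unanchored search (Perl's $cmd =~ /$regex/), so only anchors written
    inside the pattern constrain where the match may begin and end.
    re.ASCII keeps \\w and \\s close to their classic byte-oriented meaning.
    """
    return re.search(pattern, command, re.ASCII) is not None


def evaluate(pattern: str, commands=SAMPLE_COMMANDS) -> dict:
    """Map each sample command to whether the pattern would allow it."""
    return {cmd: command_allowed(pattern, cmd) for cmd in commands}


def accepted(pattern: str, commands=SAMPLE_COMMANDS) -> list:
    """Commands the pattern lets through, in input order."""
    return [cmd for cmd, ok in evaluate(pattern, commands).items() if ok]


if __name__ == '__main__':
    for name, pat in (('unanchored', CMD_REGEX_UNANCHORED),
                      ('anchored', CMD_REGEX_ANCHORED)):
        print(f'{name}:')
        for cmd, ok in evaluate(pat).items():
            print(f'  {"ALLOW" if ok else "deny "}  {cmd}')
```

Whether text trailing the address would be interpreted when the command runs depends on how fwknopd executes it, which this page does not describe; anchoring the pattern at both ends removes the question.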

DATA_COLLECT_MODE

The DATA_COLLECT_MODE variable accepts the same packet collection modes as the AUTH_MODE variable in the fwknop.conf file. It lets each SOURCE access definition in the access.conf file be enabled or disabled independently: only those SOURCE definitions whose DATA_COLLECT_MODE value matches the AUTH_MODE variable are active, and SPA packets matching the others are ignored. The variable is optional; if it is left out of the access.conf file, the fwknop daemon assumes that it is set to PCAP, the most common setting.

DATA_COLLECT_MODE: PCAP;

REQUIRE_USERNAME

The REQUIRE_USERNAME variable refers to the username of the user on the remote system who runs the fwknop client to generate an SPA packet. The client includes this username in every SPA packet (see "fwknop SPA Packet Format" on page 241 for more information), and the fwknop server uses it to apply authorization rules to incoming packets. REQUIRE_USERNAME accepts multiple usernames, which is useful when several users on the client side share a site- or system-wide encryption key. Bear in mind that the username is supplied by the client, so it distinguishes users only to the extent that the encryption key (or, for GnuPG packets, the signing key) is held by the intended users.

REQUIRE_USERNAME: mbr,mrash;

FW_ACCESS_TIMEOUT

The FW_ACCESS_TIMEOUT variable tells the fwknop server the number of seconds for which any iptables ACCEPT rules should be instantiated within the FWKNOP_INPUT chain, allowing access to the services requested by a valid SPA packet.

FW_ACCESS_TIMEOUT: 30;

KEY

The KEY variable defines the encryption key used to decrypt SPA packets that were encrypted with the Rijndael block cipher. It requires an argument of at least eight characters; that is the enforced minimum, not a recommendation. Because the same key is shared with every client and is stored in a plaintext file, choose a long random value rather than a dictionary word.

KEY: yourencryptkey;

GPG_DECRYPT_ID

The GPG_DECRYPT_ID variable specifies the unique identifier of the fwknop server's GnuPG key, whose public half an fwknop client uses to encrypt the SPA packet. This identifier can be obtained from the output of the gpg --list-keys command and is normally the eight-character short key ID. GnuPG key IDs consist only of hexadecimal digits; the IDs in this chapter's examples are placeholders.

GPG_DECRYPT_ID: ABDC1234;

GPG_DECRYPT_PW

The GPG_DECRYPT_PW variable holds the passphrase that unlocks the fwknop server's GnuPG private key, the counterpart of the public key that fwknop clients encrypt SPA packets to. Because this passphrase is stored in a plaintext file (which should therefore be readable only by root), generate a new GnuPG key pair to be used only as the fwknop server key, rather than reusing a valuable GnuPG key that you might also use for other things, like confidential email communications.[81]

GPG_DECRYPT_PW: gpgdecryptionpw;

GPG_REMOTE_ID

The GPG_REMOTE_ID variable contains the unique identifier of the GnuPG key that an fwknop client uses to digitally sign an SPA packet. This key must be imported into the fwknop server's key ring so that fwknopd can verify the signature (see "SPA via Asymmetric Encryption" on page 246).

GPG_REMOTE_ID: DEFG5678;

Example /etc/fwknop/access.conf File

Next, you'll put all of this information together and create a complete access.conf file that you can use to protect your SSH server. (You'll find operational examples in "Deploying fwknop" on page 243.)

With your favorite editor, open the /etc/fwknop/access.conf file and add the configuration directives listed below.

# cat /etc/fwknop/access.conf
SOURCE: ANY;
OPEN_PORTS: tcp/22;
FW_ACCESS_TIMEOUT: 30;
REQUIRE_USERNAME: mbr;
KEY: mypassword;
GPG_DECRYPT_PW: gpgdecryptpassword;
GPG_HOME_DIR: /root/.gnupg;
GPG_REMOTE_ID: 5678DEFG;
GPG_DECRYPT_ID: ABCD1234;

SOURCE: ANY means that the fwknop daemon will accept a valid SPA packet from any source IP address. This is handy if you are on the road and cannot predict which network your laptop or other system will be connected to.

OPEN_PORTS: tcp/22 means that the fwknop daemon will grant temporary access through the local iptables firewall with an ACCEPT rule to the SSH port. The ACCEPT rule is removed after 30 seconds, as specified by the FW_ACCESS_TIMEOUT variable.
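As an added example, not part of the book or the fwknop project, the following Python script parses a constructed access.conf written in the same VARIABLE: value; format and checks the constraints this section documents: each SOURCE directive begins a new access definition, DATA_COLLECT_MODE defaults to PCAP and a definition is active only when it matches the daemon's AUTH_MODE, KEY must be at least eight characters, FW_ACCESS_TIMEOUT is a number of seconds, REQUIRE_USERNAME is a comma-separated list, and the GPG_*_ID values must look like GnuPG key IDs (hexadecimal). The stanza splitting, the assumed AUTH_MODE of PCAP, and the hex test are my reading of the text rather than fwknopd's own parser; the sample file is constructed, and its second stanza is deliberately wrong in several ways so the checks have something to report.

```python
import re
from typing import Dict, List

# Constructed sample access.conf in the "VARIABLE: value;" format used above,
# with two SOURCE stanzas. Not the book's file; stanza 2 is deliberately broken.
SAMPLE_ACCESS_CONF = """\
# stanza 1: SPA accepted from any address, symmetric (Rijndael) key
SOURCE: ANY;
OPEN_PORTS: tcp/22;
FW_ACCESS_TIMEOUT: 30;
REQUIRE_USERNAME: mbr,mrash;
KEY: mypassword;

# stanza 2: only active when fwknopd runs with AUTH_MODE ULOG
SOURCE: 192.168.10.0/24;
DATA_COLLECT_MODE: ULOG;
OPEN_PORTS: tcp/22;
FW_ACCESS_TIMEOUT: abc;
KEY: short;
GPG_DECRYPT_ID: ABCD1234;
GPG_REMOTE_ID: 5678DEFG;
"""

DIRECTIVE = re.compile(r'^\s*([A-Z_]+)\s*:\s*(.*?)\s*;\s*$')
# GnuPG key IDs are hex: 8 digits (short), 16 (long) or 40 (fingerprint).
HEX_KEY_ID = re.compile(r'[0-9A-Fa-f]{8,}')


def parse_access_conf(text: str) -> List[Dict[str, str]]:
    """Split access.conf into stanzas; every SOURCE directive starts a new one.

    Assumption: one directive per line, '#' starts a comment, and one access
    definition per SOURCE, as the text describes.
    """
    stanzas: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: not a "VAR: value;" directive: {line!r}')
        var, val = m.group(1), m.group(2)
        if var == 'SOURCE' or not stanzas:
            stanzas.append({})
        stanzas[-1][var] = val
    return stanzas


def require_usernames(stanza: Dict[str, str]) -> List[str]:
    """REQUIRE_USERNAME is a comma-separated list; empty list if unset."""
    raw = stanza.get('REQUIRE_USERNAME', '')
    return [u.strip() for u in raw.split(',') if u.strip()]


def lint_stanza(stanza: Dict[str, str], auth_mode: str = 'PCAP') -> List[str]:
    """Apply the constraints documented in this section to one stanza.

    auth_mode is the AUTH_MODE value from fwknop.conf (assumed PCAP here).
    Returns human-readable problems; an empty list means the stanza is fine.
    """
    problems: List[str] = []
    if 'SOURCE' not in stanza:
        problems.append('stanza does not begin with a SOURCE directive')

    # DATA_COLLECT_MODE defaults to PCAP; the stanza is active only if it
    # matches the daemon's AUTH_MODE.
    mode = stanza.get('DATA_COLLECT_MODE', 'PCAP')
    if mode != auth_mode:
        problems.append(f'inactive: DATA_COLLECT_MODE {mode} != AUTH_MODE {auth_mode}')

    # Rijndael key: eight characters is the documented minimum.
    key = stanza.get('KEY')
    if key is not None and len(key) < 8:
        problems.append('KEY is shorter than the eight-character minimum')

    for var in ('GPG_DECRYPT_ID', 'GPG_REMOTE_ID'):
        val = stanza.get(var)
        if val is not None and not HEX_KEY_ID.fullmatch(val):
            problems.append(f'{var} {val!r} is not a hexadecimal GnuPG key ID')

    # Without KEY or GPG_DECRYPT_ID the server has nothing to decrypt with
    # (inferred from the KEY and GPG_DECRYPT_ID descriptions above).
    if key is None and 'GPG_DECRYPT_ID' not in stanza:
        problems.append('neither KEY nor GPG_DECRYPT_ID is set')

    timeout = stanza.get('FW_ACCESS_TIMEOUT')
    if timeout is not None and not (timeout.isdigit() and int(timeout) > 0):
        problems.append(f'FW_ACCESS_TIMEOUT {timeout!r} is not a positive number of seconds')
    return problems


def lint_access_conf(text: str, auth_mode: str = 'PCAP') -> Dict[int, List[str]]:
    """Lint every stanza; keys are 1-based stanza numbers."""
    return {i: lint_stanza(s, auth_mode)
            for i, s in enumerate(parse_access_conf(text), 1)}


if __name__ == '__main__':
    for num, problems in lint_access_conf(SAMPLE_ACCESS_CONF).items():
        print(f'stanza {num}: {"ok" if not problems else ""}')
        for p in problems:
            print(f'  - {p}')
```

To run it against a real file, read AUTH_MODE from fwknop.conf and call lint_access_conf(open('/etc/fwknop/access.conf').read(), auth_mode=...). An inactive stanza is not an error, only a reminder that the SPA packets it describes will be ignored by the running daemon; a placeholder key ID such as 5678DEFG, on the other hand, will be reported because gpg --list-keys can never produce it.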

REQUIRE_USERNAME:
