
Linux Firewalls - Michael Rash [152]


❹ [root@attacker ~]# tcpreplay -i eth0 spa.pcap
sending on: eth0
1 packets (1052 bytes) sent in 0.15 seconds
6831169.0 bytes/sec 52.12 megabits/sec 6493 packets/sec
[root@attacker ~]# ssh -l root 71.157.X.X

[root@spaserver ~]# tail /var/log/messages
❺ Oct 18 23:32:50 spaserver fwknopd: attempted message replay from: 204.23.X.X

Spoofing the SPA Packet Source Address

SPA packets can be sent from a spoofed source IP address. Two properties of the protocol make this possible: the fwknop server takes the real source address from inside the encrypted SPA packet payload rather than from the IP header, and SPA packets are sent over UDP with no expectation of return traffic, so the sender never needs to receive anything at the spoofed address.

fwknop uses the Perl Net::RawIP module to send SPA packets via a raw socket, which allows you to set the source IP address to an arbitrary value from the fwknop client command line. (Raw sockets are privileged, so this requires root access.) In Figure 13-3, the spaclient system sends the SPA packet, but the source IP address in the IP header is crafted to make the packet appear to originate from the 207.132.X.X IP address. When fwknopd is running on the spaserver system, it sniffs the SPA packet off the wire, but it grants access to SSHD from the real fwknop client IP address 204.23.X.X, carried in the encrypted payload, instead of from the spoofed source IP address, 207.132.X.X.

Figure 13-3. An SPA packet from a spoofed source address

Notice that the fwknop client command shown below has become more complicated. This is to support spoofing the source IP address of the SPA packet (as root), but to also build the encrypted payload using the fwknop_client key, which is owned by the mbr user and located within the /home/mbr/.gnupg directory.

[root@spaclient ~]# fwknop --Spoof-src 207.132.X.X -A tcp/22 --gpg-home-dir \
/home/mbr/.gnupg --Spoof-user mbr --gpg-recip "fwknop_server" --gpg-sign \
"fwknop_client" --quiet -R -k spaserver
GnuPG signing password:

The syslog messages below indicate that the fwknop server sniffed the SPA packet, that it originates from ❶ the spoofed source address 207.132.X.X, and that access is granted to the IP address contained within ❷ the encrypted packet, 204.23.X.X.

[root@spaserver ~]# tail /var/log/messages
Oct 18 23:31:37 spaserver fwknopd: received valid GnuPG encrypted packet (signed with
required key ID: "fwknop_client") from: ❶207.132.X.X, remote user: mbr
Oct 18 23:31:37 spaserver fwknopd: adding FWKNOP_INPUT ACCEPT rule for ❷204.23.X.X -> tcp/22 (30 seconds)
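The two server-side decisions this page demonstrates, granting access to the address inside the payload rather than the IP header source (the spoofed packet above) and refusing a resent copy of an earlier packet (the ❺ replay message at the top of the page), as an added example that is not fwknop's code or wire format. A shared-key HMAC over a constructed payload stands in for fwknop's GnuPG/Rijndael protection; the key, field layout, host addresses (RFC 5737 documentation space) and the SpaServer class are all assumptions made for the demonstration, and the raw datagram is only built in memory, not sent.

```python
"""Spoofed-source SPA packet and the server-side checks it must survive (added example)."""
import hashlib
import hmac
import os
import socket
import struct

SPA_KEY = b"constructed-demo-key"   # assumption: pre-shared key for the toy MAC
SPA_PORT = 62201                    # fwknop's default SPA UDP port
MAX_AGE = 120                       # seconds a payload timestamp may be off before rejection


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_spa_payload(real_src: str, user: str, port_spec: str, ts: int) -> bytes:
    """Authenticated payload: the real client address travels inside it, not in the IP header."""
    nonce = os.urandom(8).hex()     # makes every packet unique, so a resend is detectable
    body = "|".join([real_src, user, port_spec, str(ts), nonce]).encode()
    mac = hmac.new(SPA_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + mac


def build_udp_packet(spoof_src: str, dst: str, payload: bytes) -> bytes:
    """Raw IPv4+UDP datagram whose source address is whatever the sender chooses.
    As root these bytes could be handed to socket(AF_INET, SOCK_RAW, IPPROTO_RAW)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, SPA_PORT, udp_len, 0) + payload  # UDP checksum 0 = absent
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                      socket.IPPROTO_UDP, 0, socket.inet_aton(spoof_src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp


class SpaServer:
    """What a sniffing SPA daemon does with a datagram, reduced to the decisions that matter."""

    def __init__(self):
        self.seen = set()   # SHA-256 of every accepted payload: the replay cache

    def handle(self, frame: bytes, now: int) -> dict:
        header_src = socket.inet_ntoa(frame[12:16])
        ihl = (frame[0] & 0x0F) * 4
        payload = frame[ihl + 8:]
        result = {"header_src": header_src, "grant": None, "reason": ""}
        digest = hashlib.sha256(payload).hexdigest()
        if digest in self.seen:                      # identical bytes seen before
            result["reason"] = "attempted message replay from: " + header_src
            return result
        body, _, mac = payload.rpartition(b"|")
        expected = hmac.new(SPA_KEY, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(mac, expected):   # tampered or unauthenticated
            result["reason"] = "bad authentication from: " + header_src
            return result
        real_src, user, port_spec, ts, _nonce = body.decode().split("|")
        if abs(now - int(ts)) > MAX_AGE:             # old capture replayed much later
            result["reason"] = "stale timestamp from: " + header_src
            return result
        self.seen.add(digest)
        # The ACCEPT rule is built from the address inside the payload, never the header.
        result["grant"] = real_src
        result["reason"] = "adding ACCEPT rule for %s -> %s (remote user: %s)" % (real_src, port_spec, user)
        return result


def demo(now: int = 1_000_000) -> tuple:
    """Constructed hosts stand in for the page's X.X addresses."""
    real_client, spoofed_src, spa_server = "203.0.113.7", "198.51.100.9", "192.0.2.1"
    srv = SpaServer()
    pkt = build_udp_packet(spoofed_src, spa_server,
                           build_spa_payload(real_client, "mbr", "tcp/22", now))
    first = srv.handle(pkt, now)        # fresh packet: granted to real_client, not spoofed_src
    replay = srv.handle(pkt, now + 5)   # same bytes resent (tcpreplay): rejected as a replay
    return first, replay


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The replay cache keys on a digest of the whole payload, so the attacker's tcpreplay of spa.pcap is refused even though the bytes are a perfectly valid, correctly authenticated packet; the nonce is what guarantees that two legitimate requests never collide in that cache. The timestamp check is the backstop for a replay made after the daemon has restarted and forgotten its cache.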

fwknop OpenSSH Integration Patch

The fwknop project hopes to make the use of SPA as easy and user friendly as possible. One thing that can help reduce the burden on the user is to integrate seamlessly with a variety of client applications. Because the most common application of SPA is to protect SSH communications, fwknop provides a patch against the OpenSSH source code, which integrates the ability to execute the fwknop client directly from the OpenSSH client command line. For this to work, you must first apply the patch to the OpenSSH source code and recompile it. The following illustrates how to accomplish this for the OpenSSH-4.3p2 release, assuming the source code is located in /usr/local/src.

$ cd /usr/local/src/openssh-4.3p2
$ wget http://www.cipherdyne.org/LinuxFirewalls/ch13/openssh-4.3p2_SPA.patch
$ patch -p1 < openssh-4.3p2_SPA.patch
patching file config.h.in
patching file configure
patching file configure.ac
patching file ssh.c
$ ./configure --with-spa-mode && make
$ su -
Password:
# cd /usr/local/src/openssh-4.3p2
# make install

The most important thing to note about the commands above is that the --with-spa-mode argument to the configure script ensures that the SPA patch code is included within OpenSSH when it is compiled. If you want a non-default installation directory, pass it as --prefix=DIR; a bare --prefix with no value makes the autoconf-generated configure script consume the following argument as the prefix, which would silently swallow --with-spa-mode and build a client without SPA support.

Now, with the modified SSH client installed, the fwknop client can be invoked directly from the SSH command line, eliminating the need to run fwknop manually before using SSH to make a connection. The patch adds a new command-line argument, -K "fwknop args", to the ssh client; this argument can be used as follows to gain access to the spaserver system without separately running the
