====FWKNOP====

Single Packet Authorization (SPA) Port Knocking.

Port knocking is used to alter packet filter rules on a host
dependant upon a packet encrypted with a secret key delivered to that host.

It can be used to open a normally closed port to an SSH server
from a single host for a limited time duration.

===Server===

==IPtables==

<code>
iptables -t filter -A INPUT -i eth0 -p tcp --syn --destination-port 22 -j REJECT --reject-with icmp-port-unreachable
</code>

==FWKNOP==

==Install==

<code>
apt install fwknop-server
</code>

==Run==
<code>
/usr/sbin/fwknopd
</code>

==access.conf==

<code>
SOURCE: ANY
OPEN_PORTS: tcp/22
KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
FW_ACCESS_TIMEOUT: 60
</code>

==fwknop.conf==

<code>
PCAP_INTF eth0;
</code>

===Client===

==Install==

<code>
apt install fwknop-client 
</code>

==.fwknoprc==

<code>
[default]

[hostname]
SPA_SERVER      x.x.x.x
ACCESS          tcp/22
ALLOW_IP        resolve
KEY             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
</code>

==.ssh/config==

<code>
Match host hostname exec "fwknop -n hostname && sleep 0.5"
</code>

===Resources===

[[https://www.cipherdyne.org/fwknop/|Home page]]