[CentOS] Quick demo guide for SPA ( re: the port knocking thread )

MrKiwi mrkiwi at gmail.com
Mon Feb 19 00:16:49 UTC 2007

For what it's worth to those who want to play with SPA, here 
is a demo I whipped up. It is very easy to set up, and I 
almost guarantee anyone can get this running.

What we will demonstrate:

Basically: an SPA demo.
Requirements: very little - a minimal setup of CentOS.

This setup will demonstrate a client who initially cannot 
connect to an ssh port on the server (the server is 
DROPping packets and appears to not be running sshd).
After a successful encrypted SPA (Single Packet 
Authorization) packet is sent to the server, in which a 
shared key and usercode is required, the ssh port is opened 
for the client IP only, and the client can then continue to 
connect with the normally required ssh credentials.
After a timeout, the port is CLOSED to all traffic from the 
client IP, however firewall ESTABLISHED and RELATED rules 
will allow the connected client to continue to communicate.

Setup Details;

Server: Almost any kind of CentOS, but I use CentOS 4.4 installed on 
a VM (vmware workstation build 36983)
SELinux Disabled
Firewall enabled, no services allowed.
"Minimal" installation performed.

Client: Almost any *nix, but I have used CentOS 4.4 installed on a 
VM (vmware workstation build 36983)
SELinux Disabled
Firewall enabled, no services allowed.
"Minimal" installation performed.

Setup the server

Optional : Update the server;
#yum -y update

Install fwknop
#cd /tmp
#rpm -i fwknop-1.0.1-1.i386.rpm

Back up fwknop's access.conf file and make our own (the 
$access variable below points at the file we just moved aside).
#mv /etc/fwknop/access.conf /etc/fwknop/access.conf.orig
#access=/etc/fwknop/access.conf
#echo "SOURCE: ANY;">>$access
#echo "OPEN_PORTS:tcp/22;">>$access
#echo "DATA_COLLECT_MODE: ULOG_PCAP;">>$access
#echo "KEY: pkpassword;">>$access
#echo "FW_ACCESS_TIMEOUT: 30;">>$access
#echo "REQUIRE_USERNAME: mbr;">>$access

Note ... the usercode and password we need to tell the 
client is; usercode:mbr , password:pkpassword

Change the firewall (this step is optional). By default a CentOS 
build REJECTS everything; we want it to DROP instead, so that 
no-one can tell whether sshd is running or not.

#service iptables stop
#joe /etc/sysconfig/iptables
change this line:
-A RH-Firewall-1-INPUT -j REJECT --reject-with 
to:
-A RH-Firewall-1-INPUT -j DROP
Restart the firewall
#service iptables start
Start fwknopd in debug mode
#fwknopd --debug

Leave this debug window open, and you will see the rules 
that fwknop adds to the firewall.

Setup the Client;

Install fwknop (the same package contains server and client)
#cd /tmp
#rpm -i fwknop-1.0.1-1.i386.rpm

Proof : Try to connect to server on port 22
#nc -v
nc will appear to hang waiting for a response -> no response.
(unless you skipped the step above for changing the firewall 
rules, in which case I think you get a 'no route to host')

Now knock to open the port, using the usercode and password 
as above; (password will be prompted for )
#fwknop -A tcp/22 -k --Spoof-user mbr -a

-A is the port to send the SPA packet to
-k is the server to send to
--Spoof-user is because we are not mbr (I am root);
we wouldn't need this if we were logged on as 'mbr'
-a is because I am on a NATed subnet, and without 
it fwknop will resolve my IP to a public one, and then tell 
the server to open port 22 to that public IP, which won't 
help me.

You have 30 seconds to try to connect now ...
#nc -v 22
pc-00155.xx_hidden_xx.org [] 22 (ssh) open

Ctrl-c to kill this.

So we have proved that port 22 has been opened by our knock.
Watching the server's debug output as mentioned above will 
show you the exact rule which was added to iptables to 
achieve this.

If you have exceeded your 30 sec, just run the knock again;
#fwknop -A tcp/22 -k --Spoof-user mbr -a
and then try to connect;
#ssh root at

If you are quick enough you can run
#service iptables status|grep 
ACCEPT     tcp  --                                    tcp dpt:22

This shows you the rule which let you in.
Note that port 22 is open to *YOUR IP* only.

About 30 sec later you will see;
# service iptables status|grep
# [no output]

This shows you that the open port has been closed.
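A small check, added here and not part of the original post, that automates the grep above: it reads `iptables -L -n` style output (a constructed sample is embedded so it runs offline) and lists the source addresses that currently have a tcp/22 ACCEPT hole, so you can confirm the hole is pinned to the knocking IP only and that it has gone once FW_ACCESS_TIMEOUT has run.

```shell
#!/bin/sh
# Added example (not from the original post): list which source IPs currently
# have an ACCEPT rule for tcp/22, i.e. which clients a knock has let in.
# Normally you would pipe in `iptables -L RH-Firewall-1-INPUT -n` or
# `service iptables status`; a constructed sample of that output is used here.

# Constructed sample output: one fwknop-added rule plus the default chain.
SAMPLE_RULES='Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  192.168.1.50         0.0.0.0/0           tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# knock_sources PORT: read iptables -L -n output on stdin and print the
# source address of every ACCEPT rule for tcp/PORT, one per line.
knock_sources() {
    awk -v port="$1" '
        $1 == "ACCEPT" && $2 == "tcp" {
            for (i = 6; i <= NF; i++)
                if ($i == ("dpt:" port)) print $4
        }'
}

# Run the parser over the constructed sample so the result can be checked.
demo_sources() {
    printf '%s\n' "$SAMPLE_RULES" | knock_sources 22
}

# Number of tcp/22 holes currently open (should be 0 after the timeout).
demo_count() {
    demo_sources | wc -l | tr -d ' '
}

# Count tcp/22 ACCEPT rules not pinned to a single host (a /0 source):
# the post's point is that the port is open to the knocking IP only.
demo_wide_open() {
    demo_sources | grep -c '/0$' || true
}

demo_sources
```

On the real server, replace the sample with `iptables -L RH-Firewall-1-INPUT -n | knock_sources 22`; an empty result after about 30 seconds matches the "no output" you see from the grep above.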

Notes: If you get a message like 'remote time stamp is older 
than 120 second max age.' then you have a clock sync 
problem. (common when using vmware)

Notes: If you have trouble with clock drift and you don't 
want to be bothered fixing it, you can make fwknop less 
#joe /etc/fwknop/fwknop.conf
change:
MAX_SPA_PACKET_AGE          120;
to:
MAX_SPA_PACKET_AGE          1200;
or similar (20 minute window)

Thanks to Michael Rash for his great pdf
which I blatantly ripped content from for the good of the world.
