On Wed, Jul 1, 2015 at 5:50 PM, Jeremiah Rothschild <[email protected]>
wrote:

> Recently I pondered the idea of integrating fwknopd with fail2ban. The idea
> being, upon several knocking failures, the remote IP is banned.
>
> As far as I can tell, however, fwknopd logging doesn't currently
> differentiate much between different types of knocking failures. That is,
> in my experience, everything ends up looking like this on the server:
>
> Jul  1 12:34:56 host fwknopd[12345]: [1.2.3.4] (stanza #1) Error creating fko context: Decryption failed or decrypted data is invalid
>
> That said, it would be useful if fwknopd was able to detect and report
> different failure types accordingly. Most specifically, for my purposes, a
> log entry stating that the failure was related to an invalid key would
> allow me to monitor for it via fail2ban.
>

In this case, the 'Decryption failed or decrypted data is invalid' message
is basically the same thing as fwknopd receiving an SPA packet that was
encrypted with an invalid key. There are several checks that a candidate
packet has to pass before that error can be triggered. These checks include
proper base64 decoding, expected packet length, and (most importantly) an
HMAC verification which is currently optional but recommended. If a
candidate SPA packet makes it through all of these checks, then fwknopd
attempts to decrypt it with the encryption key defined in each access.conf
stanza. After decryption, fwknopd then tries to decode the decrypted data
to ensure it looks like a proper SPA packet. The very first check that is
done is to verify that 16 ascii digits of random data are at the beginning
of the payload, and if this check fails - which is highly likely if the
packet were encrypted with a different key - then that "Decryption failed"
message appears. And, this message is only generated in that one spot in
the code. It is unlikely that other error conditions would be triggered
unless an attacker actually has a valid key and also has a malicious SPA
client. So, in essence, that "Decryption failed" message is equivalent to
someone using an invalid key.

Please note that the above is in the context of a single access.conf
stanza. The Decryption failed message is frequently generated through
normal operations when multiple stanzas are involved and each has its own
encryption key. fwknopd has no way to know which one to try, so it just
cycles through them to see if one decrypts properly.

Thanks,

--Mike



>
> If there's anything that currently exists to help me meet my goal, let me
> know.
> Elsewise, please consider my suggestion for future work. Thanks!
>
>
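As an added example (not part of this thread or of the fwknop project), a Python sketch of the fail2ban-style detection Jeremiah asks for, with the multi-stanza caveat Mike raises folded in: failure lines that share a source IP and syslog timestamp are treated as one SPA packet, so a legitimate client that merely fails the stanzas listed before its own is not counted as repeated failures. The failregex, the thresholds, the per-packet grouping rule and the log lines are assumptions or constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed fail2ban-style failregex for the message quoted in the thread. fail2ban
# expands <HOST> itself; here a plain IPv4 group is substituted so the same
# pattern can be exercised with the standard re module.
FAILREGEX = (r"fwknopd\[\d+\]: \[<HOST>\] \(stanza #\d+\) Error creating fko context: "
             r"Decryption failed or decrypted data is invalid")
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    + FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))

# Constructed sample log: 10.0.0.5 is a legitimate client whose key lives in
# stanza #2 (one packet, one failed stanza before the match); 1.2.3.4 sends
# three packets that fail every stanza.
SAMPLE_LOG = """\
Jul  1 12:34:56 host fwknopd[12345]: [10.0.0.5] (stanza #1) Error creating fko context: Decryption failed or decrypted data is invalid
Jul  1 12:35:01 host fwknopd[12345]: [1.2.3.4] (stanza #1) Error creating fko context: Decryption failed or decrypted data is invalid
Jul  1 12:35:01 host fwknopd[12345]: [1.2.3.4] (stanza #2) Error creating fko context: Decryption failed or decrypted data is invalid
Jul  1 12:35:10 host fwknopd[12345]: [1.2.3.4] (stanza #1) Error creating fko context: Decryption failed or decrypted data is invalid
Jul  1 12:35:10 host fwknopd[12345]: [1.2.3.4] (stanza #2) Error creating fko context: Decryption failed or decrypted data is invalid
Jul  1 12:35:20 host fwknopd[12345]: [1.2.3.4] (stanza #1) Error creating fko context: Decryption failed or decrypted data is invalid
Jul  1 12:35:20 host fwknopd[12345]: [1.2.3.4] (stanza #2) Error creating fko context: Decryption failed or decrypted data is invalid
""".splitlines()

def parse_failures(lines):
    """Yield (timestamp, host) for every 'Decryption failed' line; other lines are ignored."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime defaults to 1900, which is
            # fine for the relative comparisons done below
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("host")

def count_attempts(lines):
    """Collapse per-stanza failure lines into one attempt per (host, timestamp).
    Assumption: fwknopd logs one line per stanza it tries for the same packet,
    all with the same syslog timestamp, as the thread describes."""
    attempts = defaultdict(set)
    for ts, host in parse_failures(lines):
        attempts[host].add(ts)
    return {host: sorted(times) for host, times in attempts.items()}

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Hosts with at least maxretry distinct failed packets inside any findtime
    window, mirroring fail2ban's maxretry/findtime decision."""
    bad = set()
    for host, times in count_attempts(lines).items():
        for start in times:
            if sum(1 for t in times if start <= t < start + findtime) >= maxretry:
                bad.add(host)
    return bad
```

Counting raw lines instead would give 10.0.0.5 one failure and 1.2.3.4 six, so a low maxretry would ban legitimate clients once a second stanza is added.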
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss