Port knocking using two-factor authentication
List of commits:
| Subject | Hash | Author | Date (UTC) |
|---|---|---|---|
| Small README update | 3535924e1cda76040cd1309de11fe9a8a0b2e39e | Catalin(ux) M. BOIE | 2018-04-26 19:53:22 |
| Use RAND_bytes instead of getrandom because it is not supported on CentOS7 | 86b71d957f8ca371f04837746c0ac9689306d48e | Catalin(ux) M. BOIE | 2018-04-03 03:49:17 |
| Small stuff dealing with ENOBUFS; doc updated | 17bb2fc3712e1704519d4c4257462e71350dfa93 | Catalin(ux) M. BOIE | 2018-03-23 03:28:39 |
| Add first support for ct marking | 19268d626b40bdd18480cc79fa597aa4bff9c824 | Catalin(ux) M. BOIE | 2018-03-21 17:23:01 |
| More tweakings all around | 0c5961860deadb8bcb1dfd1be429b2966f03312a | Catalin(ux) M. BOIE | 2018-03-11 21:10:32 |
| Added password support | df6d270a3e243084069a31fe980d76c97d89a861 | Catalin(ux) M. BOIE | 2018-02-13 22:46:53 |
| Checkpoint | 049e12584744b8a51bfc5867fd0e7b2db0592deb | Catalin(ux) M. BOIE | 2018-02-11 22:25:13 |
| Fixed a bug in totp, added keys in memory | abec61861e2f37398026dbe7342d7751390e95d8 | Catalin(ux) M. BOIE | 2018-02-04 18:36:12 |
| Initial version | c641fafbd46342cd24fde45129cc3637b7ca65bc | Catalin(ux) M. BOIE | 2018-02-03 23:42:32 |
Commit 3535924e1cda76040cd1309de11fe9a8a0b2e39e
- Small README update
Author: Catalin(ux) M. BOIE
Author date (UTC): 2018-04-26 19:53
Committer name: Catalin(ux) M. BOIE
Committer date (UTC): 2018-04-26 19:53
Parent(s): 86b71d957f8ca371f04837746c0ac9689306d48e
Signing key:
Tree: 5d0661f6af6977e538c3e040bb6685c3b1c62d02
Author: Catalin(ux) M. BOIE
Author date (UTC): 2018-04-26 19:53
Committer name: Catalin(ux) M. BOIE
Committer date (UTC): 2018-04-26 19:53
Parent(s): 86b71d957f8ca371f04837746c0ac9689306d48e
Signing key:
Tree: 5d0661f6af6977e538c3e040bb6685c3b1c62d02
| File | Lines added | Lines deleted |
|---|---|---|
| README | 10 | 9 |
| File README changed (mode: 100644) (index 8669344..c992367) | |||
| ... | ... | Description: Port knocking meets two-factor authentication (2fa) | |
| 3 | 3 | Start date: 1st Feb 2018 | Start date: 1st Feb 2018 |
| 4 | 4 | Author: Catalin(ux) M. BOIE | Author: Catalin(ux) M. BOIE |
| 5 | 5 | Code: https://rocketgit.com/user/catalinux/nf2fa | Code: https://rocketgit.com/user/catalinux/nf2fa |
| 6 | See also: fwknop, "Single Packet Authorization (SPA)" | ||
| 6 | 7 | ||
| 7 | 8 | ||
| 8 | 9 | . How it works? | . How it works? |
| ... | ... | the firewall only from your connecting IP. Also you will be able to close | |
| 12 | 13 | the firewall as soon as you do not need it open anymore. | the firewall as soon as you do not need it open anymore. |
| 13 | 14 | ||
| 14 | 15 | ||
| 16 | . Why you need this program? | ||
| 17 | - Because classic port knocking can be replicated from anywhere, if the | ||
| 18 | attacker can sniff the traffic. | ||
| 19 | - With a digital signature program, you need some code on the client side, | ||
| 20 | which may not be available for all platforms. | ||
| 21 | - This program allows hosts to be completely silent, to not answer any | ||
| 22 | request from outside: no code exposed to attacks and no log pollution. | ||
| 23 | |||
| 24 | |||
| 15 | 25 | . Installation & configuration | . Installation & configuration |
| 16 | 26 | After installation, edit the configuration file (/etc/nf2fa.conf) and set | After installation, edit the configuration file (/etc/nf2fa.conf) and set |
| 17 | 27 | the desired parameters. Then, start the daemon. | the desired parameters. Then, start the daemon. |
| ... | ... | Please note that the time must be in sync on both server and mobile device | |
| 31 | 41 | because the tokens are time dependent. | because the tokens are time dependent. |
| 32 | 42 | ||
| 33 | 43 | ||
| 34 | . Why you need this program? | ||
| 35 | - Because classic port knocking can be replicated from anywhere, if the | ||
| 36 | attacker can "watch" the packets. | ||
| 37 | - With a digital signature program, you need some code on the client side, | ||
| 38 | which may not be available for all platforms. | ||
| 39 | - This program allows hosts to be completely silent, to not answer any | ||
| 40 | request from outside: no code exposed to attacks and no log pollution. | ||
| 41 | |||
| 42 | |||
| 43 | 44 | . Firewall preparation | . Firewall preparation |
| 44 | 45 | For iptables: | For iptables: |
| 45 | 46 | # Connections already marked by nf2fad are accepted | # Connections already marked by nf2fad are accepted |
Hints:
Before first commit, do not forget to setup your git environment:
Clone this repository using HTTP(S):
Clone this repository using ssh (do not forget to upload a key first):
Clone this repository using git:
You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a merge request:
Before first commit, do not forget to setup your git environment:
git config --global user.name "your_name_here"
git config --global user.email "your@email_here"
git config --global user.email "your@email_here"
Clone this repository using HTTP(S):
git clone https://rocketgit.com/user/catalinux/nf2fa
Clone this repository using ssh (do not forget to upload a key first):
git clone ssh://rocketgit@ssh.rocketgit.com/user/catalinux/nf2fa
Clone this repository using git:
git clone git://git.rocketgit.com/user/catalinux/nf2fa
You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a merge request:
... clone the repository ...
... make some changes and some commits ...
git push origin main
... make some changes and some commits ...
git push origin main
RocketGit
Rocket your launch!
Rocket your launch!