File README changed (mode: 100644) (index 8669344..c992367)
...
Description: Port knocking meets two-factor authentication (2fa)
Start date: 1st Feb 2018
Author: Catalin(ux) M. BOIE
Code: https://rocketgit.com/user/catalinux/nf2fa
+See also: fwknop, "Single Packet Authorization (SPA)"


. How it works?
...
the firewall only from your connecting IP. Also you will be able to close
the firewall as soon as you do not need it open anymore.

+. Why you need this program?
+- Because classic port knocking can be replicated from anywhere, if the
+attacker can sniff the traffic.
+- With a digital signature program, you need some code on the client side,
+which may not be available for all platforms.
+- This program allows hosts to be completely silent, to not answer any
+request from outside: no code exposed to attacks and no log pollution.
+
+
. Installation & configuration
After installation, edit the configuration file (/etc/nf2fa.conf) and set
the desired parameters. Then, start the daemon.
...
Please note that the time must be in sync on both server and mobile device
because the tokens are time dependent.


-. Why you need this program?
-- Because classic port knocking can be replicated from anywhere, if the
-attacker can "watch" the packets.
-- With a digital signature program, you need some code on the client side,
-which may not be available for all platforms.
-- This program allows hosts to be completely silent, to not answer any
-request from outside: no code exposed to attacks and no log pollution.
-
-
. Firewall preparation
For iptables:
# Connections already marked by nf2fad are accepted |
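Review bot: the added "See also: fwknop, "Single Packet Authorization (SPA)"" line in the first hunk needs one sentence on how nf2fa differs from it, because the "Why you need this program?" bullets argue against exactly the model fwknop uses (a signed packet produced by client software). Say that nf2fa replaces the signature with a TOTP code that any authenticator app on a phone can produce, so a reader coming from fwknop sees the trade-off: no client software to install, but a short time-bound code instead of a signature.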
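Review bot: the first bullet of the moved "Why you need this program?" block ("classic port knocking can be replicated from anywhere, if the attacker can sniff the traffic") reads as if nf2fa were immune to replay, but it is not within the time step: a sniffed TOTP knock stays valid until the step it was generated in (plus whatever clock tolerance nf2fad accepts) expires, and an attacker who sends it from his own address gets the firewall opened for that address. The README should say that the protection is time-bound, and should state whether nf2fad refuses a token that has already been accepted once, which is the standard mitigation (RFC 6238, section 5.2); if it does not, that is worth implementing before advertising the sniffing argument. The "Please note that the time must be in sync" paragraph is the natural place to add the window caveat.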