Quick setup
--------------------------------------------------------------------------------

As the FWKnop OPerator daemon can be configured in many ways, this package allows the user to turn SSH protection on with a Rijndael (shared) password. Although this provides decent security, moving to a GnuPG setup is recommended.

During the installation process, if the daemon has not previously been configured, the user will be prompted for a quick setup. If you decline the offer, you can still run it later with the following command:

[code]
# dpkg-reconfigure fwknop-server
[/code]

You will be asked a few questions, then the FWKnop OPerator daemon will be started according to your settings.

Edit access.conf and fwknop.conf in /etc/fwknop/ if you would like to make other changes, and restart the daemon:

[code]
# invoke-rc.d fwknop-server restart
[/code]

Check your installation
--------------------------------------------------------------------------------

To verify that your installation was successful, try connecting to your SSH server using the fwknop client. The SSH port is closed before the SPA packet is sent and open afterwards:

[code]
$ nc -z -vv spaserver 22
spaserver (71.157.X.X) 22 (ssh) : Connection refused

$ fwknop -A tcp/22 -R -k spaserver
[+] Starting fwknop client (SPA mode)...
[+] Resolving hostname: spaserver
    Resolving external IP via: http://www.whatismyip.org/
    Got external address: 204.23.X.X
[+] Enter an encryption key. This key must match a key in the file
    /etc/fwknop/access.conf on the remote system.

Encryption Key:

[+] Building encrypted Single Packet Authorization (SPA) message...
[+] Packet fields:

        Random data:    5300351470514251
        Username:       thialme
        Timestamp:      1221761661
        Version:        1.9.8-pre1
        Type:           1 (access mode)
        Access:         204.23.X.X,tcp/22
        SHA256 digest:  qlMNTa8d3JHexFeObFWowF/5FGQxCORVCy5u/YP/4KU

[+] Sending 182 byte message to 71.157.X.X over udp/62201...

# nc -z -vv spaserver 22
spaserver (71.157.X.X) 22 (ssh) open
[/code]

Minimal steps to configure the FWKnop OPerator server
--------------------------------------------------------------------------------

If you would prefer to update both access.conf and fwknop.conf in /etc/fwknop by hand, here is the list of the variables that have to be defined:

in access.conf:

  -> KEY: myverylongkey

  or

  -> GPG_HOME_DIR: /root/.gnupg;
  -> GPG_DECRYPT_ID: ABCD1234;
  -> GPG_DECRYPT_PW: myGpgPassword;
  -> GPG_REMOTE_ID: 1234ABCD;

in fwknop.conf:

  -> HOSTNAME: diamond.dthconnex.com
  -> PCAP_INTF: eth0

By default, the FWKnop OPerator daemon is not allowed to start at boot time through the init scripts in /etc/init.d/. You can change this behaviour by updating the START_DAEMON variable from "no" to "yes" in /etc/default/fwknop-server.
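A small pre-flight check for the hand-edited setup described above. This is an added example, not part of the fwknop package or the Debian scripts; it assumes the "NAME: value;" line format shown in the variable list (a trailing semicolon is optional, "#" starts a comment) and the shell-style START_DAEMON="yes" line in /etc/default/fwknop-server.

```python
import re

# Variables the README above says must be defined (assumption: the
# "NAME: value;" line format used in the examples above).
GPG_VARS = {"GPG_HOME_DIR", "GPG_DECRYPT_ID", "GPG_DECRYPT_PW", "GPG_REMOTE_ID"}
FWKNOP_VARS = {"HOSTNAME", "PCAP_INTF"}

_ENTRY = re.compile(r"^([A-Z_]+)\s*:\s*(.*?)\s*;?$")


def parse_conf(text):
    """Return {NAME: value} for every 'NAME: value;' line, skipping comments/blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = _ENTRY.match(line) if line else None
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def check_access_conf(text):
    """Return (mode, problems); mode is 'gpg' (recommended), 'rijndael' or None."""
    s = parse_conf(text)
    present = {name for name in GPG_VARS if s.get(name)}
    if present == GPG_VARS:
        return "gpg", []
    if s.get("KEY"):
        problems = []
        if present:  # half-finished GPG stanza next to a shared key: likely a mistake
            problems.append("incomplete GPG setup, missing " + ", ".join(sorted(GPG_VARS - present)))
        return "rijndael", problems
    return None, ["need KEY or all of " + ", ".join(sorted(GPG_VARS))]


def check_fwknop_conf(text):
    """Return the names from fwknop.conf that are still unset."""
    s = parse_conf(text)
    return sorted(name for name in FWKNOP_VARS if not s.get(name))


def starts_at_boot(defaults_text):
    """True when /etc/default/fwknop-server sets START_DAEMON to yes."""
    m = re.search(r'^\s*START_DAEMON\s*=\s*"?(\w+)"?', defaults_text, re.M)
    return bool(m and m.group(1).lower() == "yes")


if __name__ == "__main__":
    # Constructed sample: the Rijndael setup from the list above, fwknop.conf missing PCAP_INTF.
    print(check_access_conf("KEY: myverylongkey;\n"))
    print(check_fwknop_conf("HOSTNAME: diamond.dthconnex.com\n"))
    print(starts_at_boot('START_DAEMON="no"\n'))
```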