[ .security ]
Applications and aspects of network monitoring, intrusion detection, authentication and daily management
Some useful tips for increasing your system security: use passwords that contain alpha, numeric and symbol combinations to decrease or eliminate the possibility of guessing, brute-force and dictionary-based crackers. Move critical files such as password, group and certain configuration files to non-standard locations to decrease the chances that an attacker, if they do happen to break in, can harvest information or do any harm to your system. You can also use / configure any of the programs below to implement different aspects of network security. There are also many great links for learning security techniques and effective strategies for thwarting would-be attacks or system breaches.

Security is far more than installing a few programs and sitting idly by hoping they'll do what you expect. You need to be active and involved to be an effective system admin. Use these tools as a starting point to understanding how your system works and keeping it functioning properly and efficiently. Be a responsible admin; your users depend on it.

Use caution: some commands listed here (when used incorrectly) have the potential to make your system(s) nonbootable. Make sure to read all appropriate man pages as well as specific information / documentation related to the command you are interested in using. Simply typing the command without proper research is foolish; understand what you are doing and take the necessary measures to compensate for unforeseen mistakes.
[ .firewall ] - A firewall is a piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy, analogous to the function of firewalls in building construction. Don't rely on residential switches or routers such as Linksys or Netgear to protect you; these seriously lack in features, protection and auditing options. A good admin will always be examining and wondering what more can be done to increase security.
Firestarter - Firestarter is an easy-to-use, yet powerful, Linux firewall tool for Gnome. Use it to quickly set up a secure environment using the firewall creation wizard, or use its monitoring and administrating features with your old firewall scripts.
Fwbuilder - Firewall Builder consists of a GUI and a set of policy compilers for various firewall platforms. It helps users maintain a database of objects and allows policy editing using simple drag-and-drop operations. The GUI generates a firewall description in the form of an XML file, which the compilers then interpret to generate platform-specific code. Several algorithms are provided for automated network object discovery and bulk import of data. The GUI and policy compilers are completely independent; this provides for a consistent abstract model and the same GUI for different firewall platforms.
Ipcop - Ipcop Linux is a complete Linux distribution whose sole purpose is to protect the networks it is installed on. By implementing existing technology, outstanding new technology and secure programming practices, Ipcop is the Linux distribution for those wanting to keep their computers/networks safe.
Netfilter / Iptables - Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches; this is called a 'target', which may be a jump to a user-defined chain in the same table. (see: 'man iptables' for a full description and list of options)
m0n0wall - m0n0wall is a project aimed at creating a complete, embedded firewall software package that, when used together with an embedded PC, provides all the important features of commercial firewall boxes (including ease of use) at a fraction of the price (free software). m0n0wall is based on a bare-bones version of FreeBSD, along with a web server, PHP and a few other utilities. The entire system configuration is stored in one single XML text file to keep things transparent. m0n0wall is probably the first UNIX system that has its boot-time configuration done with PHP, rather than the usual shell scripts, and that has the entire system configuration stored in XML format.
Quicktables - Quicktables is an iptables firewall and firewall / nat (gateway) script generator. It was created to provide a secure set of iptables rules quickly, while still maintaining few requirements (sh and ifconfig pretty much). Quicktables will ask you to answer a small handful of questions, and generates your very own personalized firewall or script.
Shorewall - The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and, with the help of the iptables utility, configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities. Shorewall is not a daemon. Once Shorewall has configured Netfilter, its job is complete. After that, there is no Shorewall code running, although the /sbin/shorewall program can be used at any time to monitor the Netfilter firewall.

[ .network monitoring ] - Tools designed to help monitor and configure network connections and devices.
Arpwatch - The arpwatch package contains arpwatch and arpsnmp. Arpwatch and arpsnmp are both network monitoring tools. Both utilities monitor Ethernet or FDDI network traffic and build databases of Ethernet/IP address pairs, and can report certain changes via email. Install arpwatch if you need a network monitoring tool which will automatically keep track of the IP addresses on your network. (see: 'man arpwatch' for a full description and list of options)
Arptables_jf - The arptables_jf utility controls the arpfilter network packet filtering code in the Linux kernel. You do not need this program for normal network firewalling. If you need to manually control which arp requests and/or replies this machine accepts and sends, you should install this package.
Denyhosts - Denyhosts is a Python script that analyzes the sshd server log messages to determine which hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host and, upon discovering a repeated attack host, updates the /etc/hosts.deny file to prevent future break-in attempts from that host. Email reports can be sent to a system admin.
Ethereal - Ethereal is a network traffic analyzer for unix-like operating systems. This package lays the base for libpcap, a packet capture and filtering library, and contains the command-line utilities, plugins and documentation for Ethereal. The graphical user interface is packaged separately as the GTK+ package. (see: 'man ethereal' for a full description and list of options.)
Ifconfig - Ifconfig is used to configure the kernel-resident network interfaces. It is used at boot time to set up interfaces as necessary. After that, it is usually only needed when debugging or when system tuning is needed. If no arguments are given, ifconfig displays the status of the currently active interfaces. If a single interface argument is given, it displays the status of the given interface only; if a single -a argument is given, it displays the status of all interfaces, even those that are down. Otherwise, it configures an interface. (see: 'man ifconfig' for a full description and list of options)
Iftop - Iftop does for network usage what top(1) does for CPU usage. It listens to network traffic on a named interface and displays a table of current bandwidth usage by pairs of hosts. Handy for answering the question "why is our ADSL link so slow?". (see: 'man iftop' for a full description and list of options.)
Ip-sentinel - Ip-sentinel is a tool that tries to prevent unauthorized usage of IP addresses within an Ethernet broadcast domain by answering ARP requests. After receiving faked replies, requesting parties store the MAC in their ARP tables and will send future packets to this invalid MAC, rendering the IP unreachable.
Iptraf - Iptraf is a console-based network monitoring utility. Iptraf gathers data like TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts. Iptraf features include: an IP traffic monitor which shows TCP flag information, packet and byte counts, ICMP details, OSPF packet types, and oversized IP packet warnings; interface statistics showing IP, TCP, UDP, ICMP, non-IP and other IP packet counts, IP checksum errors, interface activity and packet size counts; a TCP and UDP service monitor showing counts of incoming and outgoing packets for common TCP and UDP application ports; a LAN statistics module that discovers active hosts and displays statistics about their activity; TCP, UDP and other protocol display filters so you can view just the traffic you want; logging; support for Ethernet, FDDI, ISDN, SLIP, PPP, and loopback interfaces; and utilization of the built-in raw socket interface of the Linux kernel, so it can be used on a wide variety of supported network cards. (see: 'man iptraf' for a full description and list of options)
Iwconfig - Iwconfig is similar to ifconfig(8), but is dedicated to the wireless interfaces. It is used to set the parameters of the network interface which are specific to the wireless operation (for example: the frequency). Iwconfig may also be used to display those parameters, and the wireless statistics (extracted from /proc/net/wireless). All these parameters and statistics are device dependent. Each driver will provide only some of them depending on hardware support, and the range of values may change. Please refer to the man page of each device for details. (see: 'man iwconfig' for a full description and list of options.)
Netstat - Prints information about the Linux networking subsystem: network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. (see: 'man netstat' for a full description and list of options)
Tcpdump - Tcpdump is a command-line tool for monitoring network traffic. Tcpdump can capture and display the packet headers on a particular network interface or on all interfaces. Tcpdump can display all of the packet headers, or just the ones that match particular criteria. Install tcpdump if you need a program to monitor network traffic. (see: 'man tcpdump' for a full description and list of options.)
Traceroute - The traceroute utility displays the route used by IP packets on their way to a specified network (or Internet) host. Traceroute displays the IP number and host name (if possible) of the machines along the route taken by the packets. Traceroute is used as a network debugging tool. If you're having network connectivity problems, traceroute will show you where the trouble is coming from along the route. Install traceroute if you need a tool for diagnosing network connectivity problems. (see: 'man traceroute' for a full description and list of options.)

[ .intrusion detection / protection ] - Programs designed to monitor certain security and configuration files for unauthorized changes and access.
AIDE - AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire®. It generates a database that can be used to check the integrity of files on a server. It uses regular expressions for determining which files get added to the database. You can use several message digest algorithms to ensure that the files have not been tampered with.
LIDS - The Linux Intrusion Detection System (LIDS) is a kernel patch and admin tools which enhance the kernel's security by implementing Mandatory Access Control (MAC). When it is in effect, chosen file access, all system network administration operations, any capability use, raw device, memory, and I/O access can be made impossible even for root. You can define which programs can access specific files. It uses and extends the system capabilities bounding set to control the whole system and adds some network and filesystem security features to the kernel to enhance the security. You can finely tune the security protections online, hide sensitive processes, receive security alerts through the network, and more. LIDS currently supports kernels 2.6 and 2.4. LIDS is released under the GPL.
Pam_abl - Another of several pluggable PAM modules that provides auto-blacklisting of hosts and users responsible for repeated failed authentication attempts. Generally configured so that blacklisted users still see normal login prompts but are guaranteed to fail to authenticate. A command line tool allows the user to query or purge the databases used by the pam_abl module.
Rootkit hunter - Rootkit hunter is a scanning tool to ensure that you're about 99.9% clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like:
o MD5 hash compare
o Look for default files used by rootkits
o Wrong file permissions for binaries
o Look for suspected strings in LKM and KLD modules
o Look for hidden files
o Optional scan within plaintext and binary files
o Software version checks
o Application tests
Rootkit hunter is released as a GPL licensed project and is free for everyone to use. (see: 'man rkhunter' for a full description and list of options.)
Samhain - Samhain is a multiplatform, open source solution for centralized file integrity checking / host-based intrusion detection on POSIX systems (Unix, Linux, Cygwin/Windows). It has been designed to monitor multiple hosts with potentially different operating systems from a central location, although it can also be used as a standalone application on a single host.
Snort - Snort® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.
Tripwire - Tripwire® is a very valuable security tool for Linux systems, if it is installed on a clean system. Tripwire should be installed right after the OS installation, and before you have connected your system to a network (i.e., before any possibility exists that someone could alter files on your system). When Tripwire is initially set up, it creates a database that records certain file information. Then when it is run, it compares a designated set of files and directories to the information stored in the database. Added or deleted files are flagged and reported, as are any files that have changed from their previously recorded state in the database. When Tripwire is run against system files on a regular basis, any file changes will be spotted at the next run. Tripwire will report the changes, which will give system administrators a clue that they need to enact damage control measures immediately if certain files have been altered.

[ .proxy ] - A proxy is a computer that offers a computer network service to allow clients to make indirect network connections to other network services and other networks.
Squid - Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests. Squid consists of a main server program squid, a Domain Name System lookup program (dnsserver), a program for retrieving FTP data (ftpget), and some management and client tools. (see: 'man squid' for a full description and list of options.)

[ .scanners ] - Depending on the laws in your area, you can get into serious trouble and even be arrested and charged with a crime for scanning networks/nodes without written permission from the respective owners of those networks. We do not advise scanning networks/nodes unless they are owned by you.
Airsnort - Airsnort is a wireless LAN (WLAN) tool which recovers encryption keys. Airsnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. 802.11b, using the Wired Equivalent Protocol (WEP), is crippled with numerous security flaws. Most damning of these is the weakness described in "Weaknesses in the Key Scheduling Algorithm of RC4" by Scott Fluhrer, Itsik Mantin and Adi Shamir. Adam Stubblefield was the first to implement this attack, but he has not made his software public. Airsnort, along with WEPCrack, which was released about the same time as Airsnort, are the first publicly available implementations of this attack. Airsnort requires approximately 5-10 million encrypted packets to be gathered. Once enough packets have been gathered, Airsnort can guess the encryption password in under a second.
Nessus - Nessus is the world's most popular vulnerability scanner, used in over 75,000 organizations world-wide. Many of the world's largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications. The "nessus" Project was started by Renaud Deraison in 1998 to provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner. Nessus is currently rated among the top products of its type throughout the security industry and is endorsed by professional information security organizations such as the SANS Institute. It is estimated that the Nessus scanner is used by 75,000 organizations world-wide.
Nmap - Nmap is a utility for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning techniques (determine what services the hosts are offering), and TCP/IP fingerprinting (remote host operating system identification). Nmap also offers flexible target and port specification, decoy scanning, determination of TCP sequence predictability characteristics, reverse-identd scanning, and more.

[ .filesystem ] - Something you will want to consider: who has access to what files and directories, and for what reasons? This is where filesystem security comes in. Below are several programs / utilities to help you manage users and privileges on your system(s).
Chmod - The chmod command changes the permissions of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new permissions. (see: 'man chmod' for a full description and list of options)
Chown - The chown command changes the user and/or group ownership of each given file or directory, according to its first non-option argument. (see: 'man chown' for a full description and list of options.)
Clamav - Clam antivirus is an anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the clam antivirus package, which you can use with your own software. The virus database is based on the virus database from OpenAntiVirus, but contains additional signatures (including signatures for popular polymorphic viruses, too) and is kept up to date. (see: 'man clamscan' for a full description and list of options.)
SElinux - Security-enhanced Linux is a patch of the Linux® kernel developed by the NSA (National Security Administration) which includes a number of utilities with enhanced security functionality designed to add mandatory access controls (MAC) to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-based Access Control, and Multi-level Security. (see: 'man selinux' for a full description and list of options.)
Sudo - Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines. (see: 'man sudo' for a full description and list of options.)
[ .links ] - Links to resources that will help you with understanding network security.
1.) - http://www.securityfocus.com/ - The most comprehensive and trusted source of security information on the Internet.
2.) - http://www.linuxsecurity.com/ - The central voice for Linux and FOSS (Free & Open Source Software) security news.
3.) - http://www.tldp.org/HOWTO/Security-HOWTO/ - The Linux Documentation Project, aimed at providing the most comprehensive online free Linux related documentation.
4.) - http://www.oreilly.com/ - The #1 publisher of Linux / Unix FOSS books and documentation.
