Basic Security Steps / Overview:
Perform the following steps to secure your web site:
See Distribution erratas and security fixes. [Red Hat Linux Errata] Update your system where appropriate.
It is best for security reasons that you reduce the number of network services exposed. The more sevices exposed, the greater your vulnerability. Reduce the number of network services accessible through the xinet or inet daemon by:
inetd (Red Hat 7.0 and earlier): Comment out un-needed services in the /etc/initd.conf file.
Sample: (FTP is the only service I run)
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a Restart the daemon to apply changes: /etc/rc.d/init.d/inetd restart
xinetd (Red Hat 7.1): All network services are turned off by default during an upgrade. Sample file: /etc/xinetd.d/wu-ftpd: service ftp { disable = yes - FTP default is off. Note that this line controlls whether the xinetd service is enabled or not
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.ftpd
server_args = -l -a
log_on_success += DURATION USERID
log_on_failure += USERID
nice = 10
}
Turning on/off an xinetd service:
Edit the file: /etc/xinetd.d/service-name
Changing to the line "disable = yes" turns off an xinetd serivce.
Changing to the line "disable = no" turns on an xinetd serivce.
Xinetd configuration must be performed for each and every file in the directory /etc/xinetd.d/ in order to configure each and every network service.
Restart the daemon to apply changes: /etc/rc.d/init.d/xinetd restart
You may also use the command:
chkconfig wu-ftpd on
OR
chkconfig wu-ftpd off
This will edit the appropriate file (/etc/xinetd.d/wu-ftpd) and restart the xinetd process.
Tip:
List init settings including all xinetd controlled services: chkconfig --list
List status of services (Red Hat/Fedora Core based systems): service --status-all
Reduce the number of non-inetd network services. These will be started by scripts in /etc/rc.d/rc*.d/ directories. There may be no need to run sendmail (mail server), portmap (RPC listener required by NFS), lpd (Line printer server daemon. Hackers probe my system for this service all the time.), innd (News server), linuxconf etc. For example, sendmail can be removed from the boot process using the command: chkconfig --del sendmail or by using the configuration tool ntsysv. The service can be terminated using the command /etc/rc.d/init.d/sendmail stop. At the very least one should run the command chkconfig --list to see what processes are configured to be operable after boot-up. See the YoLinux init process tutorial
Apache: Turn off modules you are not going to use. With past ssl exploits, those using this philosophy did not get burned.
Apache 1.3.x config file /etc/httpd/conf/httpd.conf
#<IfDefine HAVE_SSL>#LoadModule ssl_module modules/libssl.so#</IfDefine>......#<IfDefine HAVE_SSL>#AddModule mod_ssl.c#</IfDefine>......<IfDefine HAVE_SSL>Listen 80#Listen 443</IfDefine>......#<IfModule mod_ssl.c>#...#......#<VirtualHost _default_:443>#...#......
Comment out the use of the ssl module by placing a "#" in the first column.
One can also block the https port 443 using firewall rules:
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 443 -j DROP iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 443 -j DROP
Verify your configuration. List the open ports and processes which hold them: netstat -punta (Also try netstat -nlp)
List RPC services: [root]# rpcinfo -p localhost
Ideally you would NOT be running portmapper so not RPC services would be available. Turn off portmapper: service portmap stop (or: /etc/init.d/portmap stop) and remove it from the system boot sequence: chkconfig --del portmap (Portmap is required by NFS.)
Anonymous FTP (Using wu_ftpd - Last shipped with RH 8.0. RH 9 and FC use vsftpd): By default Red Hat comes configured for anonymous FTP. This allows users to ftp to your server and log in with the login anonymous and use an email address as the password. If you wish to turn off this feature edit the file /etc/ftpaccess and change:
class all real,guest,anonymous *
to
class all real,guest *
For more on FTP configuration see: YoLinux Web server FTP configuration tutorial
Use the find command to locate vulnerabilities - find suid and guid files as well as world writable files and directories.
Use the command chattr and lsattr to make a file unmodifiable over and above the usual permissions.
Make a file unmodifiable: chattr +i /bin/ls
Make directories unmodifiable: chattr -R +i /bin /sbin /boot /lib
Make a file append only: chattr +a /var/log/messages
Use "tripwire" [sourceforge: tripwire] for security monitoring of your system for signs of unauthorized file changes. Tripwire is offered as part of the base Red Hat 7.1 installation. For earlier releases it is available as an RPM on the Red Hat Power tools CD. Tripwire configuration is covered below.
Watch your log files especially /var/log/messages and /var/log/secure.
Avoid generic account names such as guest.
Use PAM network wrapper configurations to disallow passwords which can be found easily by crack or other hacking programs. PAM authentication can also disallow root network login access. (Default Red Hat configuration. You must login as a regular user and su - to obtain root access. This is NOT the default for ssh and must be changed as noted below.)
See YoLinux Network Admin Tutorial on using PAM
Remote access should NOT be done with clear text telnet but with an encrypted connection using ssh. (Later in this tutorial)
Proc file settings for defense against attackes. This includes protective measures against IP spoofing, SYN flood or syncookie attacks.
Use Linux firewall rules to protect against attacks. (ipchains or iptables) Access denial rules can also be imlemented on the fly by portsentry.
(Place at the end of /etc/rc.d/rc.local to be executed upon system boot, or some other appropriate script)
iptables script: iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP - Block X-Windows
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP - Block X-Windows font server
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer port
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer port
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFS
iptables -A INPUT -p all -s localhost -i eth0 -j DROP - Deny outside packets from internet which
claim to be from your loopback interface.
ipchains script: # Allow loopback access. This rule must come before the rules denying port access!! iptables -A INPUT -i lo -p all -j ACCEPT - This rule is essential if you want your own computer
iptables -A OUTPUT -o lo -p all -j ACCEPT to be able to access itself throught the loopback interface
ipchains -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT - Block NFS
ipchains -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT - Block NFS
ipchains -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT - Block X-Windows
ipchains -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT - Block X-Windows font server
ipchains -A input -p tcp -s 0/0 -d 0/0 515 -y -j REJECT - Block printer port
ipchains -A input -p udp -s 0/0 -d 0/0 515 -j REJECT - Block printer port
ipchains -A input -p tcp -s 0/0 -d 0/0 111 -y -j REJECT - Block Sun rpc/NFS
ipchains -A input -p udp -s 0/0 -d 0/0 111 -j REJECT - Block Sun rpc/NFS
ipchains -A input -j REJECT -p all -s localhost -i eth0 -l - Deny and log (option -l) outside packets from internet
which claim to be from your loopback interface.
Note:
iptables uses the chain rule "INPUT" and ipchains uses the lower case descriptor "input".
View rules with iptables -L or ipchains -L command.
iptables man page
ipchains man page
When running an internet web server it is best from a security point of view, that one NOT run printing, X-Window, NFS or any services which may be exploited if a vulnerability is discovered or if misconfigured regardless of firewall rules.
Also see:
YoLinux Internet Gateway Tutorial
Red Hat 7.1 firewall GUI configuration tool /usr/sbin/gnome-lokkit
Use portsentry to monitor network hacker attacks. (Later in this tutorial)
A minimal and monolithic kernel might also provide a small bit of protection (avoid trojan modules) as well as running on less common hardware (MIPS, Alpha, etc... so buffer overflow instructions will not run.)
National Security Agency (NSA): Security-Enhanced Linux - Altered for increased security.
DDoS (Distributed Denial of Service) attacks: The only thing you can do is have gobs of bandwidth and processing power/firewall. Lots of processing power or a firewall are useless without gobs of bandwidth as the network can get sooo overloaded from a distributed attack.
Also see:
Turn off ICMP.
Monitor the attack with tcpdump
Unfortunately the packets are usually spoofed and in my case the FBI didn't care. If the server is a remote server, have a dial-up modem or a second IP address and route for access because the attacked route is blocked by the flood of network attacks. You can also request that your ISP drop ICMP traffic to the IP addresses of your servers. (and UDP if all you are running is a web server. Name servers use UDP.) For very interesting reading see "The Strange Tale" of the GRC.com DDoS attack. (Very interesing read about the anatomy of the hacker bot networks.)
User access can be restricted with the configuration files:
/etc/security/limits.conf
/etc/security/group.conf
/etc/security/time.conf
See YoLinux SysAdmin tutorial - restrict users
Remove un-needed users from the system. See /etc/passwd. By default Red Hat installations have many user accounts created to support various processes. It you do not intend to run these processes, remove the users. i.e. remove user ids games, uucp, rpc, rpcd, ...
--------------------------------------------------------------------------------
SSH: (Secure Shell)
SSH protocol suite of network connectivity tools are used to encrypt connections accross the internet. SSH encrypts all traffic including logins and passwords to effectively eliminate network sniffing, connection hijacking, and other network-level attacks. In a regular telnet session the password is transmitted across the Internet unencrypted.
SSH is a commercial product but available freely for non-commercial use from SSH Communications Security at http://www.ssh.com/. Two versions are available, SSH1 and SSH2. The newer SSH2 supports FTP and has more options than SSH1. SSH2 can be purchased and/or downloaded from their web site. Note that SSH1 does have a major vulnerability issues. The "woot-project" web site cracking and defacing gang uses this vulnerability. DO NOT USE SSH1 PROTOCOL!!!!! Summary of SSH1 issues and what to avoid. ("woot-project" exploit/attack description/recovery)
OpenSSH was developed by the the OpenBSD Project and is freely available. OpenSSH is compatable with SSH1 and SSH2. OpenSSH relies on the OpenSSL project for the encrypted communications layer. Current releases of Linux come with OpenSSH/OpenSSL. (Comes with Red Hat Linux 7.x+)
Links:
OpenSSH.org - Shell. Supports SSH1 and SSH2 protocols.
OpenSSL.org - Encrypted network layer
FreeSSH.org - SSH for other platforms
SSH:
SSh.com - Secure shell
DataFellows.com - F-Secure
FreeSSH.org - SSh for other platforms
Secure Shell IETF working group - (Internet Engineering Task Force)
SSH tunneling / port forwarding - (for POP and SMTP etc)
--------------------------------------------------------------------------------
OpenSSH:
Download:
Download OpenSSH RPM's (sourceforge) - statically linked with OpenSSL 0.9.5 - Pick this one for an easy complete RPM install
Download OpenSSH source (tgz)
Red Hat Linux 6.x Open SSL RPM downloads (redhat.com) (SSL only)
Note: SSH and SSL are included with Red Hat Linux 7.0+
Installation:
Common to Client and Server:
rpm -ivh openssh-2.9p2-8.7.i386.rpm Client:
rpm -ivh openssh-askpass-2.9p2-8.7.i386.rpm rpm -ivh openssh-clients-2.9p2-8.7.i386.rpm rpm -ivh openssh-askpass-gnome-2.9p2-8.7.i386.rpm - Gnome desktop users
Server:
rpm -ivh openssh-server-2.9p2-8.7.i386.rpm If upgrading from SSH1 you may have to use the RPM option --force.
The rpm will install the appropriate binaries, configuration files and openssh-server will install the init script /etc/rc.d/init.d/sshd so that sshd will start upon system boot.
Configuration:
Client configuration file /etc/ssh/ssh_config: (Default)
# $OpenBSD: ssh_config,v 1.9 2001/03/10 12:53:51 deraadt Exp $
# This is ssh client systemwide configuration file. See ssh(1) for more
# information. This file provides defaults for users, and the values can
# be changed in per-user configuration files or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsAuthentication no
# RhostsRSAAuthentication yes
# RSAAuthentication yes
# PasswordAuthentication yes
# FallBackToRsh no
# UseRsh no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking yes
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1 - Change this line to: Protocol 2
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
Host *
ForwardX11 yes
Change the line: # Protocol 2,1
to: Protocol 2
This will eliminate use of SSH1 protocol.
Uncomment the options required or accept the hard-coded defaults. The hard coded defaults for OpenSSH client are compatable with SSH1 client files and sshd server. An upgrade to OpenSSH client will not require any changes to the files in $HOME/.ssh/.
Server configuration file /etc/ssh/sshd_config:
Default:
# $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin# This is the sshd server system-wide configuration file. See sshd(8)# for more information.Port 22#Protocol 2,1 - Change to: Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600 - Change to: LoginGraceTime 120
KeyRegenerationInterval 3600
PermitRootLogin yes - Change to: PermitRootLogin no
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes
# Logging
SyslogFacility AUTHPRIV
LogLevel INFO
#obsoletes QuietMode and FascistLogging
RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
# Uncomment to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
#CheckMail yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Note:
Ssh protocol version 1 is not as secure, it should not take 10 minutes to type your password and if someone logs in as root without logging in as a particular user first then tracability is lost if there are multiple admins, thus the changes were made as suggested above.
Setting "PermitRootLogin no" mandates that remote logins use an undetermined user login. This removes root, a known login on all Linux systems, from the list of dictionary atttacks available.
It is a good idea to change the "Banner" so that a login greeting and legal disclaimer is presented to the user. i.e. change file /etc/issue.net contents to:
Access is granted to this server only to authorized personel of Mega Corp.By default, the /etc/issue.net message presents to the hacker the OS name, kernel release and information which can be used to determine potential vulnerabilities.
Generate keys:
Client:
Use the command: /usr/bin/ssh-keygen -t rsa
Generating public/private rsa key pair.Enter file in which to save the key (/home/user-id/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user-id/.ssh/id_rsa.Your public key has been saved in /home/user-id/.ssh/id_rsa.pub.The key fingerprint is:XXXblablablaXXXaf:90:8f
c:65:0d:XXXXXXXXXXXXXX user-id@node-name
Files generated:
$HOME/.ssh/id_rsa - binary
$HOME/.ssh/id_rsa.pub - ssh-rsa ...223564257432 email address - Multiple keys/lines allowd.
Server:
FTP the file $HOME/.ssh/id_rsa.pub to the server
cd $HOME/.ssh/
cat id_rsa.pub >> authorized_keys
Using ssh: On client use the following command and login as you normally would with a telnet session:
ssh name-of server
The first time you use ssh it will issue the following message:
The authenticity of host 'node.your-domain.com (XXX.XXX.XXX.XXX)' can't be established.RSA key fingerprint is XXXXblablablaXXX1:81:29:00:3a:c5:fb:XXXXXXXXXXX.Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node.your-domain.com,XXX.XXX.XXX.XXX' (RSA) to the list of known hosts.user@node.your-domain.com's password: Answer yes. It won't ask again.
To use a different user name for the login, state it on the command line: ssh -l username name-of server
Note: You can now also use the command sftp for secure ftp file transfers using ssh.
OpenSSH Man Pages:
ssh - OpenSSH SSH client (remote login program)
sshd - OpenSSH ssh daemon
ssh-keygen - Used to create RSA keys (host keys and user authentication keys)
ssh-add - adds RSA or DSA identities for the authentication agent. Used to register new keys with the agent.
scp - secure copy (remote file copy program)
ssh-agent - authentication agent This can be used to hold RSA keys for authentication.
sftp - Secure file transfer program
sftp-server - SFTP server subsystem
Other OpenSSH Links:
Red Hat Open SSH Guide - Also scp, sftp, Gnome ssh-agent
Linux Journal: OpenSSH Part I
SSH for MS/Windows Links:
PuTTY
Tera Term
TTSSH - An SSH Extension to Tera Term
SSH Notes:
The sshd should not be started using xinetd/inetd due to time necessary to perform calculations when it is initailized.
ssh client will suid to root. sshd on the server is run as root. Root privileges are required to communicate on ports lower than 1024. The -p option may be used to run SSH on a different port.
RSA is used for key exchange, and a conventional cipher (default Blowfish) is used for encrypting the session.
Encryption is started before authentication, and no passwords or other information is transmitted in the clear.
Authentication:
Login is invoked by the user. The client tells the server the public key that the user wishes to use for authentication.
Server then checks if this public key is admissible.
If yes then random number is generated and encrypts it with the public key and sends the value to the client.
The client then decrypts the number with its private key and computes a checksum. The checksum is sent back to the server
The server computes a checksum from the data and compares the checksums.
Authentication is accepted if the checksums match.
SSH will use $HOME/.rhosts (or $HOME/.shosts)
To establish a secure network connection on another TCP port, use "tunneling" options with the ssh command:
Forward TCP local port to hostport on the remote-host:
ssh remote-host -L port:localhost:hostport command
Specifying ports lower than 1024 will require root access.
FTP opens various ports and thus is not a good candidate. Port 21 is only used to establish the connection.
Man pages:
ssh - secure shell client (remote login program)
sshd - secure shell daemon (server)
ssh-keygen - Used to create RSA keys (host keys and user authentication keys)
ssh-keyscan - gather ssh public keys
ssh-add - adds identities for the authentication agent Used to register new keys with the agent.
scp - secure copy (remote file copy program)
slogin
sftp - secure file transfer program client.
sftp-server - secure file transfer program server.
ssh-agent - Authentication agent. This can be used to hold RSA keys for authentication.
telnet - user interface to the TELNET protocol
Documentation:
/usr/share/doc/openssh-2.9p2/
/usr/share/doc/openssh-askpass-2.9p2/
/usr/share/doc/openssl-0.9.6/
--------------------------------------------------------------------------------
Test:
The network sniffer Ethereal was used to sniff network transmissions between the client and server for both telnet and ssh with the following results:
Test telnet clear text login: (port 23)
The text sent by the client is green text on a black background.
The rest of the text was transmitted by the server.
Note that both the login ("JoeUser") and password ("super-secret-password") were captured.
Test ssh encrypted login: (port 22)
Note that the entire login and password exchange was encrypted.
--------------------------------------------------------------------------------
PortSentry:
This tool will monitor the network probes and attacks against your server. It can be configured to log and counter these probes and attacks. PortSentry can modify your /etc/hosts.deny (PAM module) file and issue IP firewall commands automatically to block hackers.
PortSentry can be loaded as an RPM but this tutorial covers compiling PortSentry from source to configure a more preferable system logging.
Note: Version 1.1 of portsentry can issue iptables, ipchains or route commands to thwart attacks. Linux Kernel 2.2 (Red Hat 6.x and 7.0) uses ipchains. Linux kernel 2.4 (Red Hat 7.1) uses iptables but can also use ipchains but NOT both. Route commands can be used by any Unix system.
Steps to install and configure portsentry:
Download and unzip source code
Edit include file and compile
Start PortSentry
Read logs
--------------------------------------------------------------------------------
Download and unzip source code:
Download: PortSentry source code
(Note: Portsentry version 1.1 includes a bug fix required for Red Hat 7.1 kernel 2.4)
Move to your source directory and unzip: tar -xzf portsentry-1.1.tar.gz
Edit include file and compile:
cd portsentry-1.1/
Read file README.install. It details the following:
--------------------------------------------------------------------------------
Edit file: portsentry_config.h
--------------------------------------------------------------------------------
Set options:
CONFIG_FILE - PortSentry run-time configuration file.
WRAPPER_HOSTS_DENY - The path and name of TCP wrapper hosts.deny file.
#define CONFIG_FILE "/opt/portsentry/portsentry.conf" #define WRAPPER_HOSTS_DENY "/etc/hosts.deny" #define SYSLOG_FACILITY LOG_DAEMON #define SYSLOG_LEVEL LOG_NOTICE
(Note: I use /opt/portsentry/ because I like to locate custom files/software there. It allows for an easy backup by separating it from the OS. If you prefer, you can use /etc/portsentry/ for configurations files and follow the Linux/Unix file system logic)
The above default, "LOG_DAEMON", will log messages to the /var/log/messages file.
To log to a separate file dedicated to PortSentry logging: (This will eliminate logging clutter in the main system logging file)
Add logging directives to syslogd configuration file: /etc/syslog.conf
Change the following line to reflect that portsentry messages are not going to be logged to the regular syslog output file /var/log/messages
*.info;mail.none;news.none;authpriv.none;local6.none /var/log/messages
Add the following line to assign a portsentry log facility:
local6.* /var/log/portsentry.log
Note: Use tab not spaces in the syslog configuration file.
Restart syslogd: /etc/rc.d/init.d/syslog restart
Set portsentry_config.h entry to new log facility:
#define SYSLOG_FACILITY LOG_LOCAL6 Options for the SYSLOG_FACILITY are defined in /usr/include/sys/syslog.h
They include:
SYSLOG_FACILITY Facility Name Description
LOG_LOCAL0 local0 reserved for local use
LOG_LOCAL1 local1 reserved for local use
LOG_LOCAL2 local2 reserved for local use
LOG_LOCAL3 local3 reserved for local use
LOG_LOCAL4 local4 reserved for local use
LOG_LOCAL5 local5 reserved for local use
LOG_LOCAL6 local6 reserved for local use
LOG_LOCAL7 local7 reserved for local use
LOG_USER user random user-level messages
LOG_MAIL mail mail system
LOG_DAEMON daemon system daemons
LOG_SYSLOG syslog messages generated internally by syslogd
LOG_LPR lpr line printer subsystem
LOG_NEWS news network news subsystem
LOG_UUCP uucp UUCP subsystem
LOG_CRON cron clock daemon
LOG_AUTHPRIV authpriv security/authorization messages (private)
LOG_FTP ftp ftp daemon
Options for the SYSLOG_LEVEL include:
SYSLOG_LEVEL Priority Description
LOG_EMERG 0 system is unusable
LOG_ALERT 1 action must be taken immediately
LOG_CRIT 2 critical conditions
LOG_ERR 3 error conditions
LOG_WARNING 4 warning conditions
LOG_NOTICE 5 normal but significant condition
LOG_INFO 6 informational
LOG_DEBUG 7 debug-level messages
--------------------------------------------------------------------------------
Edit file: portsentry.conf to set paths for configuration files and ports to monitor.
--------------------------------------------------------------------------------
IGNORE_FILE="/opt/portsentry/portsentry.ignore" HISTORY_FILE="/opt/portsentry/portsentry.history" BLOCKED_FILE="/opt/portsentry/portsentry.blocked" KILL_ROUTE="/sbin/route add -host $TARGET$ reject" - Generic Unix KILL_ROUTE
I prefer iptables/ipchains options below
Uncomment and modify if necessary the appropriate statements. The TCP_PORTS=, UDP_PORTS= lists are ignored for stealth scan detection modes. I added UDP port 68 (BOOTP) and TCP 21 (ftp), 22 (ssh), 25 (smtp mail), 53 (dns bind), 80 (http web server), 119 (news) to the ADVANCED_EXCLUDE_UDP and ADVANCED_EXCLUDE_TCP statements respectively. ADVANCED_EXCLUDE_TCP="21,22,25,53,80,110,113,119" - server
ADVANCED_EXCLUDE_UDP="21,22,53,110,520,138,137,68,67"
OR
ADVANCED_EXCLUDE_TCP="113,139" - workstation
ADVANCED_EXCLUDE_UDP="520,138,137,68,67"
List of ports used by Remote Access trojans
PAM options:
KILL_HOSTS_DENY="ALL: $TARGET$"
For more on PAM see YoLinux network Admin Tutorial
Route deny options: (Options: network "route" or firewall command "iptables/ipchains")
Simple method to drop network return routes if ipchains are not compiled into your kernel:
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
You can check the addresses dropped with the command: netstat -rn They will be routed to interface "-".
For Linux 2.2.x kernels (version 2.102+) using ipchains: (Best option)
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
OR
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
Note: The second option is without the "-l" or logging option so ipchains won't keep logging the portscan in /var/log/messages
For those using iptables (RH 7.1+ Linux Kernel 2.4+):
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
(Note: The default used in portsentry.conf uses the incorrect path for Red Hat. Change /usr/local/bin/iptables to /sbin/iptables)
Note on Red Hat 7.1: During installation/upgrade the firewall configuration tool /usr/bin/gnome-lokkit may be invoked. It will configure a firewall using ipchains and will add this to your boot process. To see if ipchains and the Lokkit configuration is invoked during system boot, use the command: chkconfig --list | grep ipchains. You can NOT use portsentry to issue iptables rules if ipchain rules have been issued previously.
More info on iptables and ipchains support/configuration in Red Hat 7.1 and kernel 2.4.
--------------------------------------------------------------------------------
Edit file: portsentry.ignore (contains IP addresses to ignore. )
--------------------------------------------------------------------------------
127.0.0.1 0.0.0.0 Your IP address
The at Home network routinely scans for news servers on port 119 from a server named authorized-scan1.security.home.net. Adding the IP address of this server (24.0.0.203) greatly reduces the logging. I also added their BOOTP server. (24.9.139.130)
I manually issued the iptables (RH 7.1 kernel 2.4) commands on my workstation to drop the hosts and deny their scans. At Home users may add the commands to the file /etc/rc.d/rc.local
/sbin/iptables -I INPUT -s 24.0.0.203 -j DROP /sbin/iptables -I INPUT -s 24.9.139.130 -j DROP
--------------------------------------------------------------------------------
Edit file: Makefile
--------------------------------------------------------------------------------
INSTALLDIR = /opt And remove the line under "uninstall": (dangerous line!!)
# /bin/rmdir $(INSTALLDIR) And remove the line under "install": (troublesome line!!)
# chmod 700 $(INSTALLDIR)
--------------------------------------------------------------------------------
Compile: make linux
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Install (as root): make install
--------------------------------------------------------------------------------
Run PortSentry for advanced UDP/TCP stealth scan detection:
portsentry -atcp
portsentry -audp
OR use init scripts below in next section.
Check logfile for hacker attacks. See: /var/log/messages or /var/log/portsentry.log if you are logging to a dedicated file.
Also check /etc/hosts.deny to see a list of IP addresses that PortSentry has deamed attackers.
Check the "HISTORY_FILE" /opt/portsentry/portsentry.history
Note: Is is possible to have all logging sent to a logging daemon on a single server. This will allow the administrator to check the logs on only one server rather than individually on many.
Note on Red Hat 7.1: Red Hat Powertools 7.1 now includes portsentry 1.0. I reccomend using version 1.1 configured as above.
Powertools RPM layout:
/usr/sbin/portsentry - (chmod 700) executable
/etc/portsentry/ - (chmod 700) Directory used for configuration files.
/etc/portsentry/portsentry.conf (chmod 600)
/etc/portsentry/portsentry.ignore (chmod 600)
/var/portsentry/portsentry.history
/var/portsentry/portsentry.blocked
Instead of using a firewall command (ipchains/iptables), a false route is used: /sbin/route add -host $TARGET$ gw 127.0.0.1.
My init script calls the portsentry executable twice with the apropriate command line arguments to monitor tcp and udp ports. The Red Hat 7.1 init script uses the file /etc/portsentry/portsentry.modes and a for loop in the init script to call portsentry the appropriate number of times. Their init script also recreates the portsentry.ignore file each time portsentry is started by including the IP addresses found with ifconfig and the addresses 0.0.0.0 and localhost. Persistent addresses must be placed above a line stating: Do NOT edit below this otherwise it is not included in the creation of the new file.
The Red Hat 7.1 Powertools portsentry version logs everything to /var/log/messages. My configuration avoids log clutter by logging to a separate file.
Notes on DOS (Denial of Service) possibility: If portsentry is configured to shut down an attack with firewall rules, an attacker may use this feature to slow down your machine over time by creating a huge set of firewall rules. It would require the hacker to use (or spoof) a new IP address each time. It is probably a good idea to monitor or even clear the firewall rules from time to time.
iptables:
List firewall rules: iptables -L
Clear firewall rules: iptables -F
ipchains:
List firewall rules: ipchains -L
Clear firewall rules: ipchains -F
Clean-up script: /etc/cron.monthly/reset-chainrules
(-rwx------ 1 root root)
This script is run automatically once a week by cron. (The presence of this script in this directory for the Red Hat configuration makes it so)
#!/bin/bash# Purge and re-assign chain rules ipchains -Fipchains -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECTipchains -A input -p udp -s 0/0 -d 0/0 2049 -j REJECTipchains -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECTipchains -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECTipchains -A input -p tcp -s 0/0 -d 0/0 515 -y -j REJECTipchains -A input -p udp -s 0/0 -d 0/0 515 -j REJECTipchains -A input -p tcp -s 0/0 -d 0/0 111 -y -j REJECTipchains -A input -p udp -s 0/0 -d 0/0 111 -j REJECTipchains -A input -j REJECT -p all -s localhost -i eth0 -l
Also see:
Psionic Software Home Page - PortSentry, Logcheck and HostSentry home page.
FAQ: Firewall Forensics - Robert Graham
Other tools to detect portscans and network based hacker attacks:
scanlogd - Attack detection.
InterSect Alliance - Intrusiuon analysis. Identifies malicious or unauthorized access attempts.
snort - Instead of monitoring a single server with portsentry, snort monitors the network, performing real-time traffic analysis and packet logging on IP networks for the detection of an attack or probe.
Also see: YoLinux IDS and Snort links
--------------------------------------------------------------------------------
Using an init script to start and stop the portsentry program.
Init configuration: /etc/rc.d/init.d/portsentry
The init script needs to be executable: chmod a+x /etc/rc.d/init.d/portsentry
After adding the following script, enter it into the init process with the command: chkconfig --add portsentry or chkconfig --level 345 portsentry on
See YoLinux Init Tutorial for more information.
#!/bin/bash## Startup script for PortSentry## chkconfig: 345 85 15# description: PortSentry monitors TCP and UDP ports for network attacks## processname: portsentry# pidfile: /var/run/portsentry.pid# config: /opt/portsentry/portsentry.conf# config: /opt/portsentry/portsentry.ignore # config: /opt/portsentry/portsentry.history# config: /opt/portsentry/portsentry.blocked# Source function library.. /etc/rc.d/init.d/functions# Source networking configuration.. /etc/sysconfig/network# Check that networking is up.[ ${NETWORKING} = "no" ] && exit 0# See how we were called.case "$1" in start) echo -n "Starting portsentry: " daemon /opt/portsentry/portsentry -atcp /opt/portsentry/portsentry -audp echo touch /var/lock/subsys/portsentry ;; stop) echo -n "Shutting down portsentry: " killproc portsentry echo rm -f /var/lock/subsys/portsentry rm -f /var/run/portsentry.pid ;; status) status portsentry ;; restart) $0 stop $0 start ;; reload) echo -n "Reloading portsentry: " killproc portsentry -HUP echo ;; *) echo "Usage: $0 {start|stop|restart|reload|status}" exit 1esacexit 0
--------------------------------------------------------------------------------
Logrotate Configuration:
Create the following file to have your logs rotate.
File: /etc/logrotate.d/portsentry
/var/log/portsentry.log { rotate 12 monthly errors root@localhost missingok postrotate /usr/bin/killall -HUP portsentry 2> /dev/null || true endscript}
Also see the YoLinux Sys Admin tutorial covering logrotate.
--------------------------------------------------------------------------------
Tests:
Portscan your workstation - Use your web browser to go to this site. Select "Probe my ports" and it will scan you. You can then look at the file /opt/portsentry/portsentry.blocked.atcp to see that portsentry dropped the scanning site:
Host: shieldsup.grc.com/207.71.92.221 Port: 23 TCP BlockedThe file /var/log/portsentry.log will show the action taken: portsentry[589]: attackalert: SYN/Normal scan from host: shieldsup.grc.com/207.71.92.221 to TCP port: 23
portsentry[589]: attackalert: Host 207.71.92.221 has been blocked via wrappers with string: "ALL: 207.71.92.221"
portsentry[589]: attackalert: Host 207.71.92.221 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 207.71.92.221 -j DENY -l"
nmap: portscanner - This is the hacker tool responsible for many of the portscans you may be recieving.
Command arguments:
Argument Description
-sO IP scan. Find open ports.
-sT TCP scan. Full connection made.
-sS SYN scan (half open scan). This scan is typically not logged on receiving system.
-sP Ping ICMP scan.
-sU UDP scan.
-P0 Don't ping before scan.
-PT Use ping to determine which hosts are available.
-F Fast scan. Scan for ports listed in configuration.
-T Set timing of scan to use values to avoid detection.
-O Determins operating system.
-p 1000-1999,5000-5999 Scan port ranges specified.
Also see: nmap man page for a full listing of nmap command line arguments.
Examples:
nmap -sT -F IP-address Scan
nmap -sS -F IP-address SYN Scan
nmap -sU -F IP-address Scan UPD ports
nmap -sF -F IP-address FIN Scan
nmap -O -F IP-address Determine OS
nmap -p22 -F -O IP-address nmap -p 1-30,40-65535 IP-Address Scan given port ranges
Add the option -v (verbose) or -vv (super verbose) for more info.
The ports will be determined to be open, filtered or firewalled.
Sample output from command: nmap -sS -F -O IP-Address
Starting nmap V. 2.54BETA7 ( http://www.insecure.org/nmap/ ).....(The 1067 ports scanned but not shown below are in state: closed)Port State Service21/tcp open ftp 22/tcp open ssh 25/tcp open smtp 53/tcp open domain 111/tcp open sunrpc - Shut down the portmap (RPC) daemon: /etc/rc.d/init.d/portmap stop
137/tcp filtered netbios-ns - Turn off netbios services: /etc/rc.d/init.d/smb stop
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
TCP Sequence Prediction: Class=random positive increments
Difficulty=2727445 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.16
Nmap run completed -- 1 IP address (1 host up) scanned in 36 seconds
nmap/nmapfe: nmapfe = nmap front end - GUI front end to nmap. It's an amazingly easy and usefull tool which will help you make discoveries about your servers before the hackers do.
Nmap and nmapfe are available with distribution or on the Red Hat Powertools CD for older (7.1) releases:
nmap-XXX.i386.rpm
nmap-frontend-XXX.i386.rpm
Links:
nmap man page
The Art of Port Scanning - by Fyodor
ndiff - Compares two nmap scans and outputs the differences. Monitor network for changes.
--------------------------------------------------------------------------------
Tripwire: (security monitoring)
Tripwire monitors your file system for changes. Tripwire is used to create an initial database of information on all the system files then runs periodically (cron) to compare the system to the database.
I will cover Tripwire version 1.2-3 (Red Hat Powertools 6.2) and version 2.3.0-58 (Red Hat 7.1). Use the command tripwire --version or rpm -q tripwire to determine the version.
Red Hat 7.1 includes Tripwire as an optional package during install. Tripwire for earlier releases is available from the RedHat Powertools CD in RPM format. Upon installation it will proceed to scan your entire filesystem to create a default database of what your system looks like. (files and sizes etc) It took about ten minutes to run!
Tripwire configuration files:
Tripwire 2.3.0-58:
/etc/tripwire/twcfg.txt
/etc/tripwire/twpol.txt
These files are first edited and then processed by the script /etc/tripwire/twinstall.sh which configures Tripwire after the installation of the Tripwire RPM package.
Edit and change file: /etc/tripwire/twcfg.txt
Change:
LOOSEDIRECTORYCHECKING =false
to
LOOSEDIRECTORYCHECKING=TRUE
This was recommended in the comments of the file twpol.txt
Edit and change file: /etc/tripwire/twpol.txt
Change:
severity = $(SIG_XXX)
to
severity = $(SIG_XXX),
emailto = root@localhost
or
severity = $(SIG_XXX),
emailto = root@localhost;admin@isp.com
where XXX is the severity level. This will cause Tripwire to email a report of discrepancies for the rule edited. Set the email address to one appropriate for you.
I also added:
"User binaries" rule: directory /opt/bin
"Libraries" rule: directory /opt/lib
I removed/commented out:
the rule "System boot changes" as it reports changes due to system boot.
Rule: "Root config files": Many of the non-existant files listed under /root were commented out to reduce the number of errors reported.
Rule "File System and Disk Administraton Programs": Many of the non-existant binaries listed under /sbin were commented out to reduce the number of errors reported.
After configuration files have been edited run the script: /etc/tripwire/twinstall.sh
The script will ask for a "passphrase" for the site and local system. This is a similar concept to a password - remember it!
If at any point you want to make configuration/policy changes, edit these files and re-run the configuration script. The script will generate the true configuration files used by Tripwire:
/etc/tripwire/tw.cfg
(View with command: twadmin --print-cfgfile)
/etc/tripwire/tw.pol
(View with command: twadmin --print-polfile)
/etc/tripwire/site.key
/etc/tripwire/ServerName-a-local.key
These files are binary and not human readable.
Tripwire 1.2-3: /etc/tw.config
Tripwire initialization:
If at any time you change the configuration file to monitor your system differently or install an upgrade (changes a whole lot of files which will "trip" tripwire into reporting all changes) you may want to generate a new database.
Tripwire 2.3.0-58: /usr/sbin/tripwire --init
You will be prompted for your "local passphrase".
This will generate a tripwire database file: /var/lib/tripwire/ServerName-a.twd
Tripwire 1.2-3: /usr/sbin/tripwire -initialize
This will generate a tripwire database file: ./databases/tw.db_ServerName
If you are in root's home directory, this will create the file /root/databases/tw.db_ServerName
At this point copy it to a useable location:
cp -p /root/databases/tw.db_ServerName /var/spool/tripwire/tw.db_ServerName
Don't change /etc/tw.config without first running tripwire -initialize otherwise it will show differences due to settings in tw.config file rather than true differences.
Cron and tripwire:
Cron runs tripwire:
Tripwire 2.3.0-58:
File: /etc/cron.daily/tripwire-check
#!/bin/shHOST_NAME=`uname -n`if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then echo "**** Error: Tripwire database for ${HOST_NAME} not found. ****" echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****"else test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --checkfi
You may move this cron script to the directory /etc/cron.weekly/ to reduce reporting from a daily to a weekly event.
Tripwire reports will be written to: /var/lib/tripwire/report/HostName-Date.twr
Tripwire 1.2-3:
File: /etc/cron.daily/tripwire.verify script which runs the command: /usr/sbin/tripwire -loosedir -q
Note: You may want to move the script to /etc/cron.weekly/tripwire.verify to reduce email reporting to root.
Read tripwire report:
Tripwire 2.3.0-58: twprint --print-report -r /var/lib/tripwire/report/report-file.twr
Interactive mode:
Tripwire 1.2-3:
Update tripwire database - run: tripwire -interactive
This will allow you to respond Y/N to files if they should be permanently updated in the tripwire database. This will still run tripwire against the whole file system. I ran it from /root and it updated /root/databases/tw.db_ServerName You must then cp -p to /var/spool/tripwire/ to update the tripwire database.
Default configuration file:
Tripwire 2.3.0-58: /etc/twcfg.txt
ROOT =/usr/sbinPOLFILE =/etc/tripwire/tw.polDBFILE =/var/lib/tripwire/$(HOSTNAME).twdREPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twrSITEKEYFILE =/etc/tripwire/site.keyLOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.keyEDITOR =/bin/viLATEPROMPTING =falseLOOSEDIRECTORYCHECKING =falseMAILNOVIOLATIONS =trueEMAILREPORTLEVEL =3REPORTLEVEL =3MAILMETHOD =SENDMAILSYSLOGREPORTING =falseMAILPROGRAM =/usr/sbin/sendmail -oi -t
Tripwire 1.2-3: /etc/tw.config
# Log file@@define LOGFILEM E+pugn# Config file@@define CONFM E+pinugc# Binary@@define BINM E+pnugsci12# Directory@@define DIRM E+pnug# Data file (same as BIN_M currently)@@define DATAM E+pnugsci12# Device files@@define DEVM E+pnugsc# exclude all of /proc=/proc E#=/dev @@DIRM/dev @@DEVM#=/etc @@DIRM/etc @@CONFM# Binary directories#=/usr/sbin @@DIRM/usr/sbin @@BINM#=/usr/bin @@DIRM/usr/bin @@BINM#=/sbin @@DIRM/sbin @@BINM#=/bin @@DIRM/bin @@BINM#=/lib @@DIRM/lib @@BINM#=/usr/lib @@DIRM/usr/lib @@BINM=/usr/src E=/tmp @@DIRM
Add:
/var/named @@CONFM - If you are running Bind DNS slave
/home/httpd/cgi-bin @@BINM
Delete/comment out:
#/dev @@DEVMThis eliminated the reporting of too much junk due to a reboot of the system.
Man pages:
Tripwire 2.3.0-58:
tripwire - a file integrity checker for UNIX systems
twintro - introduction to Tripwire software
twadmin - Tripwire administrative and utility tool
twprint - Tripwire database and report printer
siggen - signature gathering routine for Tripwire
twconfig - Tripwire configuration file reference
twpolicy - Tripwire policy file description reference (For file /etc/tripwire/twpol.txt)
twfiles - Overview of files used by Tripwire and file backup process
Tripwire 1.2-3:
tripwire
tw.config
Also see:
TripwireSecurity.com
Tripwire.org
Tripwire documentations
/usr/doc/tripwire-1.2/docs/designdoc.ps
ViperDB - Alternative to Tripwire.
Red Hat 7.1 tripwire manual
--------------------------------------------------------------------------------
CHKROOTKIT: Performing a trojan/worm/virus file scan.
Tripwire will monitor your filesystems for intrusion or addition of a file so you may determine what changes have occured on your system in sensitive areas. Chkrootkit will scan your system for known exploits, trojan commands, and worms used to compromise a system.
Download chkrootkit from http://www.chkrootkit.org. It is a shell script which should be run as root as well as a small collection of C programs.
Installation:
make sense (Compile C programs)
./chkrootkit (Run shell script and call programs.)
Useage:
./chkrootkit
OR
./chkrootkit -h (help)
See the README file for more info.
Note:
This software is constantly being upgraded and updated to include scans for new exploits.
If running portsentry, chkrootkit may return a false error while performing the bindshell test.
--------------------------------------------------------------------------------
NESSUS: Performing a network vulnerability scan/security assessment of your system.
Let me start by saying that this should only be performed on your own systems. It is considered and attack to run this against the systems of others and legal action may be taken against you for performing such an audit. This is not a scan like NMAP. NESSUS will search and locate vulnerabilities on your system by actively trying to perform known exploits against the system.
Nessus is amazingly complete and effective. In fact it is awesome!! It will identify services on your system and try to exploit them. If a vulnerability is found it will make recomendations about upgrades, configuration changes and where to find patches. It will also explain any causes for concern in detail and explain why your system is vulnerable. And that's not all! It can output reports in various formats including HTML with pie charts and bar charts!! The HTML reports will have hyperlinks to the security reports, upgrades and patches. (I'm impressed) It can scan Unix, Linux and Windows systems for vulnerabilities.
Note:
Running "Dangerous Plugins" may cause a crash of the system being audited!!
The NESSUS software is available from http://Nessus.org.
If compiling source:
Edit file: nessus-core/include/config.h (Set USE_AF_UNIX to define socket type)
It is also available in RPM form: (See http://freshrpms.net)
nessus-client-....rpm
nessus-common-....rpm
nessus-plugins-....rpm
nessus-server-....rpm : Nessus plugins which are used to perform the various checks. (Scripts in nasl scripting language) Note that the RPM installs an init script which starts nessusd during boot. Disable with chkconfig --del nessusd
nessus-devel-....rpm : Nessus developement librairies and headers.
Running NESSUS:
Add a NESSUS user:
/usr/sbin/nessus-adduser
Login : admindude
Authentication method (cipher/plaintext) [cipher] :
Is "admindude" a local user on this machine [ |n]? y
New pass phrase:
... Start server daemon: /usr/sbin/nessusd
or
/etc/rc.d/init.d/nessusd start
Start client program: /usr/bin/nessus
First enter your "Login" id and select the "Log in" button.
In this example I am running the nessusd server on node "localhost". Enter the appropriate nessus server node name or IP address if different.
You will then be placed in the "Plugins" panel. Note that "dangerous" plug-ins may crash a server.
Select the "Target selection" tab and enter the name or IP address of the server to audit.
Select "Start the scan" and wait. (It takes about 15 minutes to audit one computer.)
The results may be reviewed by selecting the node from the collumn in the left window.
A full report may then be output in HTML format.
Configuration file: /etc/nessus/nessusd.conf
--------------------------------------------------------------------------------
Security Software Tools:
Argus - IP network transaction auditing tool. This daemon promiscuously reads network datagrams from a specified interface, and generates network traffic status records
Argus 2
COPS - UNIX security checks.
deslogin - remote login
Freedom Internet Privacy Suite for Linux - Commercial products for internet surfers. (Also free downloads)
freestone - firewall from sosCorp.com
ipfilter - packet filter
Kerberos - authentication
Port Sentry, Log Check, Host Sentry
rsaeuro - cryptographic toolkit
Pretty Good Privacy (PGP)
Rkdet - root kit detector daemon. Intended to catch someone installing a rootkit or running a packet sniffer.
satan - Security Administrator Tool for Analyzing Networks
SARA - Security Auditor's Research Assistant - network security vulnerability scanner.
SAINT - Finds computers on the network, port scans and does a vulnerability check and outputs a report. - Commercial product.
Secure connections SSH (shell) and SSL (socket layer):
ssh.com - Secure shell
OpenSSH - Open Source version - Requires :
OpenSSL - Secure Socket Layer
zlib - data compression library
SSH - Comercial versions SSH1 and SSH2
SSH - [Download] - Ver. 1 (RPMs: ssh, ssh-server, ssh-clients, ssh-extras)
SSL - Encrypted telnet
SSH FAQ - Frequently Asked Questions
Secure Shell Working Group
MS/Windows clients:
PuTTY - Telnet, SSH, SCP, SFTP client
WinSCP - scp (secure copy) client.
Shaolin Secure FTP
Tera Term
TTSSH: An SSH Extension to Teraterm
TAMU - Texas A&M University developed tools
Drawbridge - Firewall package (Free BSD)
Tiger - Scan a Unix system looking for security problems (Similar to COPS) - Tiger Analytical Research Assistant (TARA Pro) - Commercial support
Netlog - TCP and UDP suspicious traffic logging system
TCP wrapers - Wietse Venema
tripwire - File system data integrity checking tool
InterSect Alliance - Intrusiuon analysis. Identifies malicious or unauthorized access attempts.
CryptoHeaven - Secure online storage, file sharing and distribution, email, instant messaging. Free Linux client but it is a commercial for fee service. (less than 2MB storage is free)
Wireless:
AirSnort - wireless LAN (WLAN) tool that recovers encryption keys.
WEPCrack
Also see: YoLinux Wireless security links
Commercial Vendors:
RSA Security - Encryption and secure commerce.
CRYPTOCard authentication servers
Tiger Analytical Research Assistant (TARA Pro) - Texas A+M Tiger Commercial support
TIS: Trusted Informations Systems Inc. - [download] - TIS Internet firewall toolkit
Tripwire Security Systems - Intrusion detection
CA (Computer Associates): eTrust Compliance - Vulnerability assesment, security policies, audit and correction.
Labatam: Secure X-Server Encryption
Cylant: CylantSecure - host-based intrusion prevention system.
--------------------------------------------------------------------------------
Security Audit Tools:
Perform a "Security Risk Assessment" on your system with the following tools.
Nessus - Remote security scanner - This is my favorite security audit tool!! Checks service exploits and vulnerablilities.
Chkrootkit - Scan system for trojans, worms and exploits.
Linuxforce: AdminForce CGI Auto Audit - CGI script analyzer to find security deficiencies.
--------------------------------------------------------------------------------
Forensic and Data Recovery Tools:
Forensic links
Coroner's Toolkit (TCT) - collection of tools that are either oriented towards gathering or analyzing forensic data on a Unix system.
Basic Steps in Forensic Analysis of Unix Systems - a case study
--------------------------------------------------------------------------------
Hacker Tools:
lCRACK - password hacker
Nutcracker - Password cracker
rootkit
PacketFactory.net: Firewalk - Network discovery beyond the packet filtering router. (Compile tip: configure --with-gtk=no)
List of network hacks and security projects
Port scanners:
nmap - Port scanner and security scanning and investigation tool
NmapFe - GUI front-end to NMAP
pbnj - Diff nmap scans to find changes to systems on the network.
ndiff - Compares nmap scans to detect network changes to port states.
strobe - fast network scanner (open e-mail relays)
portscan - C++ Port Scanner will try to connect on every port you define for a particular host.
portscan - Perl script to scan for open ports
--------------------------------------------------------------------------------
Network Sniffers:
Linux Network Security Examination.
DSniff
Ethereal - full network protocol sniffer/analyzer
IPTraf - curses based IP LAN monitor
TcpDump - network monitor and data acquisition
VOMIT - Voice Over Misconfigured Internet Telephones - Use TCP dump of VOIP stream and convert to WAV file.
Cisco Call Manager depends on MS/SQL server and are thus vulnerable to SQL Slammer attacks.
KISMET - 802.11 wireless network detector, sniffer and intrusion detection system.
--------------------------------------------------------------------------------
Online Tools:
AutomatedScanning.com - commercial service
Anonymizer.com - Anonymous surfing
--------------------------------------------------------------------------------
Software updates and Security fixes:
Redhat Security fixes and Errata
--------------------------------------------------------------------------------
Anti-Virus Software:
This has typically been the domain of the Microsoft Windows and Outlook products and NOT Linux but Linux administrators running SAMBA file servers often must be aware of these viruses. There are according to Symantec 68 Linux specific viruses and worms including the Ramen worm which attempts to attack unpatched rpc.statd, wuftpd, and LPRng.
Anti-Virus products:
F-Secure.com
Anti-Virus for Linux firewalls
Anti-Virus for File Servers
Anti-Virus for Desktops and Laptops
Kaspersky Lab - Workstation/Server/eMail gateway protection
Sophos.com
Anti-Virus for Unix/Linux
SOPHOS - Sophos Anti-Virus Interface for Linux
MailMonitor for SMTP
Grisoft.com
AVG Anti-Virus Linux E-mail Server Edition
Symantec.com
I-Gear: Web and FTP filtering (also a version for ISP's)
Mail-Gear: (up to and including version 1.2.x)
TrendMicro.com
Interscan VirusWall - Internet Gateway - detect/scan SMTP, HTTP and FTP
InterScan eManager - plug-in for Interscan to manage spam and message content, blocking file attachments, greeting cards, melissa or variants, ...
ScanMail for HP/OpenMail
ServerProtect
ClamAv.net - Clam anti-virus. Open source virus protection for mail servers.
Virus info:
CERT.org
ICSA.net anti-virus labs - Anti-virus Product Developers Consortium
McAfee
McAfee hoax list
Symantec Anti Virus Research Center (SARC)
SARC virus hoaxes
Virus email alert:
CERT Advisory Mailing List
ICSA Security Wire
McAfee Dispatch
SARC AntiVirus Newsletter
Trend Micro Virus Alerts
--------------------------------------------------------------------------------
Standards and Security Certification:
GIAC.org - SANS (SysAdmin, Audit, Network, Security) Institute
ISACA.org - The Information Systems Audit and Control Association & Foundation
CISA - Community Information Strategies Australia Inc.
COBIT - Control Objectives for Information and related Technology
--------------------------------------------------------------------------------
Attacks:
SYN packet manipulation:
SYN flood Description
Syn Flood experiment
SYN Cookie
Smurf DOS:
ISS.com: Description
GRC.com: DDOS Anatomy
IRC (Internet Relay Chat) Client attacks:
IIS.com: Description
Service attacks:
Buffer Overflow attacks
Buffer overflow vulnerabilities explained
Session Hijacking:
IIS.com: Descriptions
ARP Cache poisoning:
Wireless Access Points and ARP Poisoning
Wireless Attacks Threaten Wired Networks
NetSys.com: Source code - Various attacks
Hacker attacks, countermeasures, topics and links
--------------------------------------------------------------------------------
Honeypots:
How to build a honeypot
honeyd
ManTrap/ManHunt - Commercial product
Honeynet.org - The honeynet project
--------------------------------------------------------------------------------
DoD/DoE NISPOM Chapter 8 computer security configuration for Linux:
NISPOM (National Industry Security Program Operating Manual) chapter 8 is a computer security requirement developed by the US DoD (Department of Defense - US) and DoE (Department of Energy) and published by the DSS (Defense Security Service) which US defense contractors are required to meet when processing classified data on computers in a classified environment. Linux as issued by major distros defaults do not meet this requirement. Use the following software packages/configurations:
Use central authentication server (LDAP or NIS) with the proper security policies. See YoLinux LDAP authentication tutorial.
Meet reporting requirements: This auditing and reporting requirement can be met using Snare. This requires a kernel patch (or use of one of the kernels [RHEL3 or RHEL4] downloaded from the Snare home page.) and the running of a Snare audit daemon. It meets C-2 reporting requirements and records logins/logoffs, file and directory access, access denial, ...
Newer linux distributions running auditd (RHEL4, FC3+) can get compliant results.
Snare home page. For more agressive reporting requirements, see Computer Associates eTrust Security Information Management.
Grant admin privileges without giving root password. Granular delegation of root privileges. File and directory access control. Symark.com: PowerBroker
Virus scanner. (See above list)
for more tutorials pleaz visit -- http://www.yolinux.com
Search
Member List
Calendar
Help
