A Guide to Linux Security
Tools for defense
Keeping your system secure can be quite a task. Luckily, there are plenty of
other people out there who are attempting to keep their systems secure, as
well. Several of them have written tools to make it easier to defend your
system. Arbitrarily, I chose to group them into four categories:
log monitoring, connection monitoring, host based intrusion detection, and
network based intrusion detection.
Log monitoring
These tools will watch over your log files and help you detect security
related events (actually, based on the rules, you can have them detect
any type of event). Either by default, or through configuration, they
can e-mail you the alerts.
Connection monitoring
When connected to the internet, unless a firewall is in place, other
systems can connect to yours. These tools will help you know who
is connecting to your box, even to the point of detecting stealth
scans that normal logging will not catch.
Host based intrusion detection
These days, it's often difficult to know if an intrusion has taken
place. Upon successfully gaining root privilege, an intruder will
often erase the logs of the break-in. Quite often, they will take
the additional step of installing a set of trojaned binaries known as
a rootkit. These tools help to
detect the intrusion, sometimes even after the intruder has gained
Network based intrusion detection
These tools will help detect intrusions (or intrusion attempts) across
your entire network, not just on individual hosts. They will look at
the traffic and attempt to match known attack patterns and notify you
if an attack is seen.
Tools for attack
I suppose I should start this section with a disclaimer. I'm only providing
links to these tools, as well as including local mirrors for those that allow.
What you do with these is your business, but only use them on authorized hosts
lest you receive a visit from law enforcement or men named Vinni carrying
Now, all that said, you can learn a lot about your hosts by attacking them.
Also, you can learn a lot about security in general by looking at the existing
tools and learning how they work. There are a few different types of tools:
some are just for information gathering (port scanners), others attempt
to find security holes and notify you, and downright exploits will
try to use a hole in the security of a host to gain access or more privileges.
These tools will scan your system for local security problems
such as world-writable directories and weak file permissions.
There are also usually checks related to SUID files.
Remote Analysis and Port Scanners
These tools will scan a remote host (or localhost) for
network vulnerabilities (i.e., services vulnerable to
attack from outside) and report back to you. Nmap,
hping and Firewalk are a little different in that they
aren't as much for vulnerability scanning as for gaining
Passwords are key to the security of a system. Good
passwords are key to good security. These tools will
test the security of your passwords, attempting to
guess the passwords of your users.
Buffer overflows are the most common security problems. A bug
in the code of a program causes code that is not part of the
original program (such as a call to /bin/sh) to be executed.
Papers about Writing Buffer Overflows
Common Buffer Overflow Exploits
Buffer Overflow Protection
"Broken trust" type attacks are really two techniques used
together. An untrusted host impersonates a trusted host, then
exploits the gained trust, usually to make the untrusted host
into a trusted one.
Trojans and Rootkits
Oftentimes, after an intruder has root access on a host, they
install a set of trojaned binaries to make it easier to
regain access as root to your host and stay hidden.
- How Mitnick hacked Tsutomu Shimomura with an IP sequence attack - (local copy)
- Nmap scans: connect() and stealth
- Abacus portsentry reaction to scans
- Tripwire demo: siggen on a file, change, diff siggen
- Nessus demo, maybe SARA
- Buffer overflow attacks, defend with kernel patch
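The Tripwire demo in the list above (siggen a file, change it, diff the signatures) and the host based intrusion detection section describe the same idea: record a signature of every binary while the host is known-good, then compare later to spot trojaned files. Here is an added Python example of that baseline/compare workflow; it is not Tripwire or any other tool from this guide, and the directory, file names and the "trojaned" change are constructed for the demo.

```python
"""Baseline-and-compare file integrity check (added example, not Tripwire)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_signature(path: Path) -> dict:
    """Record the attributes a trojaned binary is most likely to disturb."""
    st = path.lstat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: Path) -> dict:
    """Sign every regular file under root (symlinks skipped), keyed by relative path."""
    return {str(p.relative_to(root)): file_signature(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines: files that appeared, vanished, or changed signature."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a fake bin directory, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ls").write_bytes(b"#!/bin/sh\necho honest ls\n")
        (root / "ps").write_bytes(b"#!/bin/sh\necho honest ps\n")
        os.chmod(root / "ls", 0o755)
        # The signed baseline would normally be stored on read-only media.
        stored = json.dumps(build_baseline(root))
        # Constructed change: ps is replaced and given SUID, and a new file appears.
        (root / "ps").write_bytes(b"#!/bin/sh\necho tampered ps\n")
        os.chmod(root / "ps", 0o4755)
        (root / "extra").write_bytes(b"#!/bin/sh\n")
        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```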