A Guide to Linux Security

Tools for defense

Keeping your system secure can be quite a task. Luckily, there's plenty of other people out there who are attempting to keep their systems secure, as well. Several of them have written tools to make it easier to defend your system. Arbitrarily, I chose to group them into four categories: log monitoring, connection monitoring, host based intrusion detection, and network based intrusion detection.

Log monitoring

These tools will watch over your log files and help you detect security related events (actually, based on the rules, you can have them detect any type of event). Either by default, or through configuration, they can e-mail you the alerts.
• autobuse - (local copy) (distribution site)
• logcheck - (local copy) (distribution site)
• logwatch - (local copy) (distribution site)
• swatch - (local copy) (distribution site)

Connection monitoring

When connected to the internet, unless a firewall is in place, other systems can connect to yours. These tools will help you know who is connecting to your box, even to the point of detecting stealth scans that normal logging will not catch.
• ippl - (local copy) (distribution site)
• jail - (local copy) (distribution site)
• klaxon - (local copy) (distribution site)
• portsentry - (local copy) (distribution site)
• tcplogd - (local copy) (distribution site)

Host based intrusion detection

These days, it's often difficult to know if an intrusion has taken place. Upon successfully gaining root privilege, an intruder will often erase the logs of the break-in. Quite often, they will take an additional step of installing a set of trojan binaries known as a rootkit. These tools help to detect the intrusion, sometimes even after the intruder has gained root access.
• hostsentry - (local copy) (distribution site)
• Tripwire - (distribution site)
• ViperDB - (dsitribution site)

Network based intrusion detection

These tools will help detect intrusions (or intrusion attempts) across your entire network, not just on individual hosts. They will look at the traffic and attempt to match known attack patterns and notify you if an attack is seen.
• Network Flight Recorder - (distribution site)
• SHADOW - (local copy) (distribution site)
• snort - (local copy) (distribution site)

Tools for attack

I suppose I should start this section with a disclaimer. I'm only providing links to these tools, as well as including local mirrors for those that allow. What you do with these is your business, but only use them on authorized hosts lest you receive a visit from law enforcement or men named Vinni carrying baseball bats.

Now, all that said, you can learn a lot about your hosts by attacking them. Also, you can learn a lot about security in general by looking at the existing tools and learning how they work. There's a few different types of tools, some are just for information gathering (port scanners), those that attempt to find security holes and notify you, and downright exploits that will try to use a hole in the security of a host to gain access or more privilges.

Vulnerability analysis

Host Analysis

These tools will scan your system for security problems such as world writable directories and file permissions. There are also usually checks related to SUID files.
• COPS - (local copy) (distribution site)
• sherpa - (local copy) (distribution site)
• TARA - (local copy) (distribution site)

Remote Analysis and Port Scanners

These tools will scan a remote host (or localhost) for network vulnerabilities (IE, services vulnerable to attack from outside) and report back to you. Nmap, hping and Firewalk are a little different in that they aren't as much for vulnerability scanning as for gaining information.
• Firewalk - (local copy) (distribution site)
• hping - (local copy) (distribution site)
• MNS - (local copy) (distribution site)
• NMAP - (local copy) (distribution site)
• Nessus - (local copy) (distribution site)
• SAINT - (distribution site)
• SARA - (local copy) (distribution site)
• SATAN - (local copy) (distribution site)

Password Checkers

Passwords are key to the security of a system. Good passwords are key to good security. These tools will test the security of your passwords, attempting to guess the passwords of your users.
• Crack - (local copy) (distribution site)
  You need this makefile for Red Hat 5.0 and higher.
• John the Ripper - (local copy) (distribution site)

Buffer Overflows

Buffer overflows are the most common security problems. A bug in the code of a program causes code to be executed that is not part of the original code (like /bin/sh).
Papers about Writing Buffer Overflows
• How to write Buffer Overflows - (local copy)
• Smashing The Stack For Fun And Profit - (local copy)
Common Buffer Overflow Exploits
• IMAPD Exploit - (local copy)
• BIND Exploit - (local copy)
• mountd Exploit - (local copy)
• qpopper Exploit - (local copy)
Buffer Overflow Protection
• Keep up to date with security related patches.
• Secure Linux -- kernel patch - (local copy) (distribution site)
• Stackguard - (local binary RPM) (local source) (distribution site)

Broken Trust

"Broken trust" type attacks are really two techniques used together. An untrusted host impersonates a trusted host, then exploits the gained trust, ususally to make the untrusted host into a trusted one.
• IP-spoofing Demystified (paper) - (local copy)

Trojans and Rootkits

Oftentimes, after an intruder has root access on a host, they install a set of trojaned binaries to make it easier to regain access as root to your host and stay hidden.
• Linux Rootkit IV - (local copy)

Attack Log

• How Mitnick hacked Tsutomu Shimomura with an IP sequence attack - (local copy)

Attack Demonstrations

• Nmap scans: connect() and stealth
• Abacus portsentry reaction to scans
• Tripwire demo: siggen on a file, change, diff siggen
• Nessus demo, maybe SARA
• Buffer overflow attacks, defend with kernel patch and stackguard