Security tools

ArticleCategory: [Choose a category for your article]

System Administration

AuthorImage:[Here we need a little image form you]

[Photo of the Author]

TranslationInfo:[Author and translation history]

original in en Georges Tarbouriech 

AboutTheAuthor:[A small biography about the author]

Georges is a long time Unix user (commercial and free). He is very interested in free security tools and really appreciates their high quality.

Abstract:[Here you write a little summary]

Security has always been one of the main concern for sysadmins. However, because of the Internet "explosion" the risk of intrusion became even much higher. Statistically, if the number of connected users increases, the number of crackers follows the same growth. Accordingly, the development of security software grew up exponentially. Once again, thanks to the free software community, since it provided us with the best tools ever seen and with a lot of documentation.
You'll find many interesting links in the reference section at the end of this article. Obviously, what we will mention here can't be exhaustive. I present just a selection of good tools.
This article is intended for private users as well as for sysadmins, since some tools are designed for hosts protection and others for improving network security.
Most of these tools work on many Unix flavors (if not all), whether these Unixes are commercial or free. Last, this article is not a "How to secure your network or your machine" but a presentation of various tools you can (must) use to improve the security of a network or a machine.

ArticleIllustration:[This is the title picture for your article]

[article illustration]

ArticleBody:[The article body]

Generic tools

Let's call this section "tools for whitehats to protect redhat from blackhats" :-) Most of the Linux distributions (not only RedHat!) come with a lot of good security tools. They can be used to make your machine more secure.
Among them we can mention TCPWrapper, PAM (Pluggable Authentication Modules), shadow utilities... Since they are part of distributions you'll find a lot to read about them : HOWTO, man pages, so we won't spend too much time on them.
Let's start with the shadow utils. To make it short, they allow password encryption. The /etc/passwd file is replaced with /etc/shadow.
Something much more elaborated is PAM. As the name says, it's another authentication method. Is used to configure access to services. A lot of restrictions can be defined from some configuration files thus making administration easier. Usually those files are found in the /etc/pam.d directory.
TCPWrapper, it's enough to say that it allows to restrict service access by IP address or hostname. They can be allowed or denied via two files : /etc/hosts.allow and /etc/hosts.deny.
TCPWrapper can be configured in two different ways : either moving the daemons or modifying the /etc/inetd.conf file. If TCPWrapper is not part of your Unix flavor, you can get it from ftp://ftp.porcupine.org/pub/security
And now, you will understand why we didn't say much about the above mentioned tools : a single tool can manage all that for you while teaching you. The one and lonely Bastille-Linux. If you only install one tool, this is the one! It is not (yet?) part of the normal Linux distributions but you can get it from http://bastille-linux.sourceforge.net
By the way, we will say nothing about Bastille-Linux!!! It's useless, since there's an excellent article about it in the September LinuxFocus issue from my fellow Frédéric : he tells you everything. If you don't have read it yet, just have a look there.
Let's add Bastille-Linux is a tool you can't live without!
Another generic tool to improve security is called xinetd. It's available from http://www.xinetd.org. Sorry, but we won't talk about it, neither!!! Once again, Frédéric has done the whole job in the November issue of LinuxFocus. You can read it here.
That was FredFocus section...
Don't worry about the money Fred, I can wait...
Now, let's have a look at some specific tools.

Firewall tools

Free Unixes come with software to make your machine act as a firewall. The 2.2 kernel provides you with ipchains. Previous 2.0 kernel used ipfwadm. To get ipchains or ipfwadm to work, the kernel must be compiled with the right options. A lot of documentation is available on the matter through HOWTOs, then, again, we won't say more about it.
In short, let's say a firewall is a packet filtering tool. The most important part of the work concerns the configuration of the firewall. That is, a bad configured firewall can become very dangerous.
Nevertheless, firewalls are important.
For instance, Bastille-Linux provides you with a firewall based on ipchains.
If you go to http://www.linuxapps.com and type "firewall" in the search field, you'll get at least 40 answers. Many of them are GUIs for ipchains or ipfwadm administration. Some others are really big tools with tons of features, like T.REX for instance, available from http://www.opensourcefirewall.com. Again, don't be fooled : a firewall is compulsory on a network, but the network security cannot ONLY rely on it. A cracker may break it in about 15 minutes! You've been warned.

Port scanners

Here we reach the heart of the problem. The idea is : use the same tools as the crackers do, to check the vulnerabilities of your network (or machine).
In this area we can benefit from two very great tools but there are many others.
The first one is called nmap. You can download nmap from http://www.insecure.org. Even more, you'll find there a lot of information, links...
With nmap you can check which ports are open on a machine on your network. Sure, you can do that with commands such as lsof or netstat but only for your own machine. Obviously, you can check your own machine with nmap.
nmap can provide you with a lot of information : for instance, it may tell you which OS is running, inform you about dangerous open ports... Last, but not least, nmap is quite easy to use.
nmap can be used either from a shell or from a graphical interface called nmapfe. The GUI is based on the gtk lib. The present version of nmap is 2.53. It works on many Unix flavors and is available as source code, rpm, with or without GUI.
nmap is the tool sysadmins cannot live without!
Many thanks Mr. Fyodor and congratulations for this great job.

The second one is called nessus. It can be downloaded from http://www.nessus.org . Nessus works according to the client/server architecture and the Posix source code is usable on many Unix flavors. There's even a client for Win32 (just to let you know).
Nessus relies on nmap (you see you can't do without!) and the gtk lib for its GUI.
Present version is 1.06 and with it you can scan a whole network in one command, that is the network address. For example, typing the address 192.168.1.0/24 in the target field will scan the 255 machines from that network.
Even if nessus is a bit more complex than nmap, it's still easy to use and has a lot of features. For example it can generate reports, it can make diffs between reports... Another feature is quite interesting : nessus suggests solutions to the problems found during a portscan. As soon as the machines are Unix machines, the suggestions are often good ones. They will be less appropriate for others OSes. Anyway, that's not the point.
Here is an example from a very vulnerable machine:

nessus.jpg

Nessus has another great feature : it works with plugins, it can easily be updated each time a new security hole has been found somewhere.
Another tool sysadmins do need! Great job Mr. Deraison and "Merci beaucoup".

Both tools have been tested from a Linux box on a network with different OSes : Linux RH 6.2, Irix 6.5.7, Solaris 2.6, NeXTStep 3.3, QNX RT, BeOS 5.0, Amiga OS 3.5, Not Terminated 4.0. The results are impressive for most of the platforms. Of course the Amiga OS is not really well identified (since it appears as a printer or a router!) but who has still this OS in a network (apart from me)?
Anyway, these tools are a "must have" in today's networking.
To end with this chapter, let's mention some other tools such as SARA http://www-arc.com/sara/, or its "father" SATAN http://www.porcupine.org/satan/, or SAINT http://www.wwdsi.com. They are not only port scanners and they can be quite useful to improve network security.

Detection systems

Some tools are able to detect portscans or intrusion. A "standard" (that is paranoid!) sysadmin CANNOT work without this sort of tools.
The first suite of tools comes from the Abacus Project. You can get these tools from http://www.psionic.com. Three different tools are available : logcheck, portsentry and hostsentry.
Logcheck is in version 1.1.1, portsentry is in version 1.0 and hostsentry is in version 0.0.2 alpha.
Portsentry is a portscan detection tool. As its name says, if a port is scanned from somewhere, portsentry will immediately block the host, either dropping the route using the firewall (or an unused IP address) or writing the IP address of the attacker in the /etc/hosts.deny file as soon as TCPWrapper is installed on your machine. The result is quite efficient!
Porsentry relies on a main configuration file and on a few specific files. The later are used to ignore hosts (that is not to block them) or to block some port on some host.
From the config file, you define the way portsentry will work. You'll first select the ports you want to bind to portsentry, either TCP or UDP ports (or both). Be careful with port 6000 binding if you run X11!
According to the Unix system you use, you can have two different mode of operation to monitor the ports. The advanced mode is only available for Linux at the moment.
Next you select the blocking option : either you don't block the scans, or you do, or you may run an external command.
You then choose the way to drop the route, either redirecting the attacker to an unused IP address from your network or to a packet filtering (firewall).
The following step concerns TCPWrappers. That is you decide (or not) to write a DENY text in the /etc/hosts.deny file.
Next you can define an external command to run and last, you may select a trigger value for the scan (default to 0).
That's all you have to do! We suppose you know everything about logging, since, obviously, all the alarms are logged. That means, you can modify your syslog.conf file if you want the eventual alarms to go somewhere else than /var/log/messages or var/log/syslog or /var/adm/messages...
You now can run portsentry in the background with the option of your choice. The available options depend on your system : you'll be able to use -tcp, -udp on most Unixes and -atcp, -audp on Linux boxes ("a" for advanced).
Let's have a look at the result when scanning a machine where portsentry is running.

portsentry is running

If you are a sysadmin looking at the logs once a week (you should try another job!!!) the Abacus project provides you with another tool called logcheck. This one is run via a cron task and sends a mail to the administrator if it finds something unusual in the logs.
The latest tool from the suite is called hostsentry and seems quite interesting, but I haven't tested it.
If you want a great, simple and efficient tool, get portsentry!
Thank you Mr. Rowland : very great job! By the way, I love your humor.
Another tool sysadmins can't do without is called snort.
snort is an IDS (Intrusion Detection System) and more precisely, a lightweight one (not a gas factory!).
You can get snort version 1.6.3 from http://www.snort.org. It's known to run on every platform able to work with libpcap. This last is a requirement to run snort. By the way, you even have a Win32 version of snort.
Snort is able to analyse IP traffic and provides very strong logging.
It relies on rules scripts, that is you can monitor what you want to. Even more, the snort site provides you with a rules database.
Here comes the important decision to make : where to put the sensors, or if you prefer, what type of traffic to monitor? Incoming, outgoing, inside the firewall, outside the firewall...
We could suggest everywhere!!! Seriously, it's up to you, but once again, if you're the "standard" sysadmin, the more the better...
Now you decided where to listen to, you must select the rules to apply. Snort comes with a lot of basic rules : backdoor, ddos, finger, ftp... These rules are set in the snort-lib files. Again, you can get new rules and updated rules from snort site.
From there, you only have to run snort as a background task (for example), with the option(s) of your choice. In that case, to run snort as a daemon, the option would be -D. You can also define where the logging goes since you can redirect it, even to another machine.
It's impossible to mention every feature of snort in this article. The documentation will tell you a lot.
Anyway, snort is another tool you CANNOT work without. It's a great, great tool. Thanks a lot Mr Roesch.
A few other free tools are available : let's mention AIDE from http://www.cs.tut.fi/~rammer/aide.html for example.

Encryption

There are many tools in this area. We won't be able to talk about all of them. Nevertheless, we must at least say a few words about SSH, especially the free version OpenSSH. You can get it from http://www.openssh.com. Present version is 2.3.0. This great product was first developed to work with OpenBSD. Now it works on many Unix flavors.
OpenSSH is a replacement for telnet and the remote commands such as rsh, rlogin. It includes scp which is a replacement for ftp and rcp. OpenSSH allows the encryption of the data going through the network. Telnet, rsh... transfer the data in clear text and of course, this is as well true for the passwords!
That is, you shouldn't use the above mentioned tools anymore but OpenSSH instead. This should be compulsory! Let's be a bit fascist :-)
The problems with this sort of tools comes from the laws around encryption. Some countries are very strict and do not allow such software. Things are changing, but in many countries you cannot use these tools freely. For instance, some time ago, you were considered as a spy if you used SSH in a country like France (country of Human Rights, they said!!!). Fortunately, this is not true anymore. Nevertheless, I recommend to read about the restrictions before using such tools. You can find a report on the situation in the different countries at http://www2.epic.org/reports/crypto2000/countries.html
However, encryption is a big security concern and many tools have to be considered. Let's mention OpenSSL (Secure Sockets Layer) http://www.openssl.org, or Strong Crypto, an Open source VPN (Virtual Private Network) for Linux at http://www.strongcrypto.com.
VPN is another solution that would deserve an article on its own (like many of the above mentioned tools!), accordingly, we won't go any further on the matter.
Obviously, we can't forget to mention OpenPGP (Pretty Good Privacy) available from http://www.ietf.org/html.charters/openpgp-charter.html or GNUpg from http://www.gnupg.org.

Scripting

Here, we can't talk about tools. Scripting is one of the main skill of any sysadmin. Shell scripts, Perl scripts... are part of your everyday's job if you are managing networks.
Obviously, scripts can be used for automating tasks, but as well for security monitoring. Every sysadmin has his own needs and he always tries to manage them in the way that suits him. It is not always so easy. Something can help : subscribe to SysAdmin magazine! This magazine is made by sysadmins for sysadmins and provides you with a lot of programs, scripts... You can even get a CDRom containing all previous issues, and of course all previous programs or scripts.
This is not advertising... it's a way to find more solutions to improve security. Go and have a look at http://www.samag.com.
If you are a sysadmin, let's say you should give it a try.
Well, it's only a suggestion.

So what?

There is much more to add about security, but as we said before, this article is not a "How to secure you network". A book on the subject wouldn't be enough. Security doesn't only rely on tools, it is also a behavior (sort of). For instance, some common behaviors make me mad. When will people understand that M$ Office files are just like bombs? They are not only "enormous" in size, but potentially full of macroviruses. Please, Wintel users, DO NOT SEND Word or Excel documents as mail attachments. Furthermore, if you receive some of them DO NOT OPEN them : this is only a suggestion, but you have been warned! They are as dangerous (I should say more!) as any executable you receive (or download). And, by the way, plain text or HTML files are much smaller in size than Office documents, and they are NOT dangerous!
Of course, I know the Wintel word works this way : when you download a single driver, it's always an executable! Let's admit, we can trust the big firms... but do you know what could have happened to the archive you download? Sure, it's a paranoid way of thinking, but is it so crazy? Why do you think many archives have a checksum to verify authenticity?
The following may "hurt" many people, but it's a fact : JAVA is dangerous! Applets are insecure, Java scripts are insecure. Nevertheless, it would be interesting to know how many websites use Java! Furthermore, Java is a source of problems when visiting websites : how many of them will freeze your browser? Is that the goal of a website?
Don't we talk about ActiveX from the Redmond army!
Suggestion : use Rebol instead (http://www.rebol.com)
Since we are on the matter : please, new Internet "professionals", stop creating websites dedicated to the Wintel word and IE5! I'm aware these things are widespread, however many people connect to the Internet with many different OSes and many different browsers. Working the way you do, prevents people from visiting your website. The aim of the Internet is to share. Using proprietary things is a nonsense. In my humble opinion, when making a website, the first thing to do is to check it from different OSes and different browsers... but this is only my opinion. Just for information : if you connect to such a website with an Unix machine and let's say Netscrape, you can't even view the index page!
Sorry for the digression.
Another important point is to remember that security won't reach 100%. We are far from it. You can improve it, that's all : it's a fact. For example, you can use all the tools we mentioned here and leave a back door wide open! Don't be fooled : crackers won't try to break a 128 bit key at first, but they will try to find a small hole somewhere. So be careful with SUID or SGID programs, with access rights, with useless running services, with canceled accounts and so on.
If the different Unix flavors have many similarities, they are much different concerning security. Some of them are just like sieves! You must be aware of that too. For instance, having an Internet cable connection with a standard Winsomething machine is great : that is, you can have the icon of the cracker's machine in the network neighbourhood... and soon M$ will provide you with the picture of the cracker! I'm only kidding...
The road to networks and computers security is a very long one. If you are interested in this matter you will learn everyday. Fortunately, there are a lot of sources to get information. Here are some of them.

References

http://www.linuxsecurity.com is the first gold mine. There you'll find almost everything!

http://www.sans.org is the place to get help and information about security. A site you should consult on a regular basis.

http://www.infosyssec.org is another place to get tons of information about security.

http://www.securityfocus.com is the home of Bugtraq thus providing lot of security information.

http://www.cs.purdue.edu/coast/hotlist/ THE site you must visit!

Going to the top of this page you'll find a "Links" button : click on it to get the addresses of most of the distributors. Consulting their site is compulsory to get information about security patches. This applies to every Unix editor! Many of them release security or recommended patches on a regular basis.

Many articles in previous LinuxFocus issues are worth reading (apart from the already mentioned):
Adding Security to Common Linux Distributions
TCPD and Firewalls using IPFWADM
VXE, a Linux security tool

Many more documentation is available and we can't provide all the existing links. Neither can't we mention all the free security tools as already said. From every site mentioned here, you'll find more links sending you to even more links, and so on... just like Russian dolls.
The fact some tools or sites are not present in this article doesn't mean they are of no interest. It only means the tools have not been tested by me. Obviously, you have to make an arbitrary selection among the hundreds of available tools.
The goal of this article is to provide the readers with places to start from. We hope it'll help.

Aren't we living in a great time?

mirror server hosted at Truenetwork, Russian Federation.