Security references
Welcome to the LQ Security references!
Securing a Linux box is not hard, but requires a bit of reading and planning ahead to make sure you covered the important points. That's why I compiled a few lists of texts about Linux security, grouped by subject:

1: Basics, important sites, HOWTO's, handbooks, tips, advisories, mailinglists, hardening, log analysis, sites, books
2: Netfilter, firewall, Iptables, Ipchains, DoS, DDoS
3: Intrusion detection, integrity checks, antivirus
4: Chroot, chrooting, jailing, compartmentalization
5: Forensics, recovery, undelete
6: Securing networked services

Some texts contain step by step directions for newbies, and some are directed at intermediate or expert users. Please do not try to read everything in one go and post your questions in the Linux - Security forum. Comments/additions/corrections are welcome, just mail me.

Have fun!
Cheers, unSpawn

A note for copying. While this information is free, there are restrictions for copying. I collected and posted these resources here for the use of the larger Linux Community. This means you are free to copy this information, but you will give credit where credit is due and reference back adding this page as the original Linuxquestions.org URI. Don't pass it off as your own. All articles are available under the terms of a Creative Commons license.

WARNING: HTML lintcheck
Link validity isn't guaranteed and checking should have been done aeons ago. If you find errors I would appreciate an email with a corrected link. TIA
Basics etc
Post 1
Basics, important sites, HOWTO's, handbooks, hardening, tips
Advisories, alerts, bulletins, disclosure, mailinglists, mailing archives, knowledge bases, other sites
Hardening, distro-specific
Log analysis tools, resources
Daemons, device or application specific
More Brainfood, sites, books

Basics, important sites, HOWTO's, handbooks, hardening, tips

Checklists
AusCERT UNIX and Linux Security Checklist v3.0: http://www.auscert.org.au/5816
UNIX Security Checklist v2.0: http://www.cert.org/tech_tips/unix_s...cklist2.0.html
SANS, The Twenty Most Critical Internet Security Vulnerabilities: http://www.sans.org/top20/
SANS SCORE Checklists for W32/Solaris/Cisco IOS/Mac OS/etc etc: http://www.sans.org/score/
SANS: http://www.sans.org/infosecFAQ/linux/linux_list.htm
SANS, Reading room, Linux Issues: http://www.sans.org/rr/catindex.php?cat_id=32

Securing
CERT, Security improvements: http://www.cert.org/security-improvement/
CERT, Tech Tips: http://www.cert.org/tech_tips/
Linux Administrator's Security Guide (LASG): http://www.seifried.org/lasg/
Linux Security Administrator's Guide (SAG, old): http://www.tldp.org/LDP/sag/index.html
The Linux Network Administrator's Guide (NAG): http://www.tldp.org/LDP/nag2/index.html
Securing & Optimizing Linux: The Ultimate Solution (PDF): http://www.tldp.org/LDP/solrhe/Secur...ution-v2.0.pdf
Securing Optimizing Linux RH Edition (older): http://tldp.org/LDP/solrhe/Securing-...-Edition-v1.3/
Linux Security HOWTO: http://tldp.org/HOWTO/Security-HOWTO/index.html
Linux Security Quick Reference Guide (PDF): http://www.tldp.org/REF/ls_quickref/QuickRefCard.pdf
Security Quick-Start HOWTO for Linux: http://tldp.org/HOWTO/Security-Quickstart-Redhat-HOWTO/
Security links at Linuxguru's: http://www.linuxguruz.org/z.php?id=914
TLDP Networking security HOWTO's: http://www.tldp.org/HOWTO/HOWTO-INDE...ml#NETSECURITY

Compromise, breach of security, detection
Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html now archived at http://web.archive.org/web/200801092...checklist.html
Detecting and Removing Malicious Code (SF): http://www.securityfocus.com/infocus/1610
Steps for Recovering from a UNIX or NT System Compromise: http://www.cert.org/tech_tips/root_compromise.html
Formatting and Reinstalling after a Security Incident (SF): http://www.securityfocus.com/infocus/1692
How to Report Internet-Related Crime (usdoj.gov CCIPS): http://www.usdoj.gov/criminal/cybercrime/reporting.htm

Related, old(er) articles/docs:
Intruder Discovery/Tracking and Compromise Analysis: http://staff.washington.edu/dittrich...khat/blackhat/
Intrusion Detection Primer: http://www.linuxsecurity.com/feature...e_story-8.html
Through the Looking Glass: Finding Evidence of Your Cracker (LG): http://www.linuxgazette.com/issue36/kuethe.html
Recognizing and Recovering from Rootkit Attacks: http://www.cs.wright.edu/people/facu...on/obrien.html
See also post #5 under Forensics docs

Advisories, alerts, bulletins, disclosure, mailinglists, mailing archives, knowledge bases, other sites
Bugtraq (running): http://www.mail-archive.com/bugtraq@securityfocus.com/ or http://msgs.securepoint.com/cgi-bin/...q-current.html or http://www.der-keiler.de/Mailing-Lis...focus/bugtraq/ or RSS: http://www.djeaux.com/rss/insecure-full-bugtraq.rss
Linuxsecurity: http://www.linuxsecurity.com or RSS (Advisories): http://www.linuxsecurity.com/static-...advisories.rss or RSS (News articles): http://www.linuxsecurity.com/static-...y_articles.rss
Securityfocus: http://www.securityfocus.com or RSS (Vulns): http://www.securityfocus.com/rss/vulnerabilities.xml
Securiteam: http://www.securiteam.com/
CERT KB: http://www.cert.org/kb/
Securitytracker (Advisories): http://www.securitytracker.com/topics/topics.html
SANS RSS (ISC): http://iscxml.sans.org/rssfeed.xml
Neohapsis (mailinglists/archives): http://www.neohapsis.com
theaimsgroup (mailinglists/archives): http://marc.theaimsgroup.com/
Der Keiler (mailinglists/archives): http://www.der-keiler.de/
Linux Gazette: http://www.linuxgazette.com
Experts exchange: http://www.experts-exchange.com
The Linux Documentation Project: http://www.tldp.org
Blacksheep (HOWTO's, whitepapers, etc): http://www.blacksheepnetworks.com/security/
IRIA: http://www.ists.dartmouth.edu/IRIA/k...base/index.htm
E-secure-db Security Information database: http://www.e-secure-db.us/dscgi/ds.p...ollection-1586
Linuxmag, Hardening Linux Systems: http://www.linux-mag.com/2002-09/guru_01.html
SEI: http://www.sei.cmu.edu/publications/lists.html
Matt's Unix Security Page: http://www.deter.com/unix/
Jay Beale's docs (Bastille-linux/CIS): http://www.bastille-linux.org/jay/se...icles-jjb.html
The Unix Auditor's Practical Handbook: http://www.nii.co.in/tuaph.html
Aging stuff from Phrack like "Unix System Security Issues": www.fc.net/phrack/files/p18/p18-7.html

Mailinglists, distro specific:
RedHat
http://www.redhat.com/support/errata/
http://www.redhat.com/mailing-lists/...ist/index.html
Debian
Our own markus1982 on a roll! LQ HOWTO: securing debian: http://www.linuxquestions.org/questi...threadid=61670
http://bugs.debian.org/
http://lists.debian.org/ (search for debian-security@lists.debian.org)
http://security.debian.org/
S.u.S.E.
mailto:suse-security@suse.com
mailto:suse-security-announce@suse.com (subscribe: mailto:suse-security-subscribe@suse.com)
Mandriva
http://www.mandriva.com/en/security/advisories
Conectiva Linux
http://distro.conectiva.com/seguranca/
mailto:seguranca@distro.conectiva.com.br (subscribe for URL above; the security-mailinglist's lingua franca is Portuguese, but on the updates-mailinglist it's English. The last one always has the package updates announced on the security-mailinglist.)
Slackware
http://www.slackware.com/lists/
mailto:slackware-security@slackware.com (subscribe for URL above)
# We need to incorporate more distro's here.

Hardening, distro specific
Debian/Mandrake/Red Hat: Bastille Linux: http://www.bastille-linux.org/
Debian Security HOWTO: http://www.debian.org/doc/manuals/se...-debian-howto/
Debian Security FAQ: http://www.debian.org/security/faq
Mandrake: msec-*.rpm: http://www.linux-mandrake.com/
SuSE: http://www.suse.de/~marc/
Slackware: Slackware Administrators Security tool kit: http://sourceforge.net/projects/sastk/
Slackware: http://members.cox.net/laitcg/new/system-hardening.txt

Log analysis tools, resources
Auditd: Linux Audit: http://people.redhat.com/sgrubb/audit/
Auditd: CAPP rules example: http://www.math.ias.edu/doc/audit-1.0.3/capp.rules
Tools & Tips for auditing code: http://www.vanheusden.com/Linux/audit.html
Track unlink syscall (rm): TrackFS, libauditunlink, LAUS, LTT (Syscalltrack on 2.4)
# FWanalog (Summarizes IPF & IPtables firewall logs)
# FWlogsum (Summarizes Checkpoint FW1 logs)
# FWlogwatch (Summarizes firewall & IDS logs)
# KLogger (WinNT/Win2K keystroke logger)
# Linux Event Logger (For Enterprise-Class Systems): http://evlog.sourceforge.net/
# Lmon (PERL-based real time log monitoring solution)
# LogSentry (Monitors logs for security violations)
# Logsurfer (Monitors logs in realtime)
# PIdentd (Provides UserID with TCP connects)
# Swatch (Monitors syslog messages)
# Secure Remote Syslogger (Encrypted streaming syslog)
# SnortSnarf (HTMLized Snort Log Reviewer)
# Syslog-NG (Replacement for standard syslog facility)
# Syslog.Org (Vast info on syslogging)
# Throughput Monitor (An event counter per timeframe log analyzer): http://home.uninet.ee/~ragnar/throughput_monitor/
Loganalysis.org (check the library): http://www.loganalysis.org/
Counterpane, Log Analysis Resources: http://www.counterpane.com/log-analysis.html
EVlog, Linux Event Logging for Enterprise-class systems
Throughput Monitor
Need to add: Snare, LTK etc etc

Daemons, device or application specific
The Linux-PAM System Administrators Guide
Securing Xwindows: http://www.uwsg.indiana.edu/usail/ex...d/xsecure.html
How to Build, Install, Secure & Optimize Xinetd: #(link gone, see: http://web.archive.org/web/200410121...netd/index.php)
Installation of a secure webserver (SuSE): #(link gone, do a websearch for "suse_secure_webserver.txt")
Linksys security (LQ notes on): http://www.linuxquestions.org/questi...007#post157007
Auditing tools at:
Packetstorm: http://www.packetstormsecurity.org/UNIX/audit/
SecurityFocus: http://www.securityfocus.com/tools/category/1

More Brainfood, sites, books
Daryl's TCP/IP primer: www.tcpipprimer.com
Teach Yourself TCP IP in 14 Days (PDF): http://www.bitman.ca/manuals.html (click on the link to download a 1.3 Meg PDF)
Uri's TCP resource list: www.private.org.il/tcpip_rl.html
Macmillan's "Maximum Security"
O'Reilly's TCP/IP Network Administration
* O'Reilly has a myriad of books some of which can also be found online, just search for "O'reilly and bookshelf", "o'reilly reference bookshelf" or "o'reilly cd bookshelf".
Netfilter, firewall, Iptables etc
Post 2
Netfilter, firewall, Iptables, Ipchains, DoS, DDoS

* Please note the easiest way to troubleshoot Netfilter related problems is to add log (target) rules before any "decision" in a chain.
** Please note there's a LOT of firewall scripts on LQ: just search the Linux - Security and Linux - Networking fora please.

Netfilter/Iptables
LQ search, iptables+howto: http://www.linuxquestions.org/questi...der=descending
IPTables Tutorial: http://iptables-tutorial.frozentux.n...-tutorial.html
IPSysctl Tutorial: http://ipsysctl-tutorial.frozentux.n...-tutorial.html
Linuxguruz.org: http://www.linuxguruz.org/iptables/
Netfilter.org Packetfiltering HOWTO: http://www.netfilter.org/unreliable-...ltering-HOWTO/
Linuxsecurity.com Iptables tutorial: http://www.linuxsecurity.com/resourc...-tutorial.html
Iptables Connection tracking: http://www.cs.princeton.edu/~jns/sec...conntrack.html
Taking care of the New-not-SYN vulnerability: http://archives.neohapsis.com/archiv...3-01/0036.html

Ipchains
TLDP Ipchains HOWTO: http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
Flounder.net Ipchains HOWTO: http://www.flounder.net/ipchains/ipchains-howto.html
Web-browsers, mail clients, FTP clients, IM, P2P ports database for building your own rules: http://www.pcflank.com/fw_rules_db.htm

Other resources/misc stuff
Basic introduction to building ipchains rules: www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
Explanation of the Ipchains logformat: logi.cc/linux/ipchains-log-format.php3
Ipchains log decoder: dsl081-056-052.dsl-isp.net/dmn/decoder/decode.php
Basics on firewalling: www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
linux-firewall-tools: http://www.linux-firewall-tools.com/linux/
CERT: Home Network Security: http://www.cert.org/tech_tips/home_networks.html
Firewall FAQ: http://www.faqs.org/faqs/firewalls-faq/
Assigned ports > 1024: http://www.ec11.dial.pipex.com/port-num4.shtml
Port designations: http://www.chebucto.ns.ca/~rakerman/port-table.html
Firewall Forensics FAQ (What am I seeing?): http://www.robertgraham.com/pubs/firewall-seen.html
Linux Firewall and Security Site: http://www.linux-firewall-tools.com/linux/
Auditing Your Firewall Setup (old, still useful): http://www.enteract.com/~lspitz/audit.html
TLDP: Firewall Piercing mini-HOWTO: http://www.tldp.org/HOWTO/mini/Firew...cing/x189.html
Something called the "Home PC Firewall Guide": http://www.firewallguide.com/
Vendor/Ethernet MAC Address Lookup: http://www.coffer.com/mac_find/
Netfilter Iptables/Ipchains Log Format: http://logi.cc/linux/netfilter-log-format.php3
Dshield (find out if IP was marked as used in attacks): http://www1.dshield.org/ipinfo.php
Port search (Snort): http://www.snort.org/ports.html
Neohapsis Port search: http://www.neohapsis.com/neolabs/neo-ports/
P2P ports (IPMasq): http://www.tsmservices.com/masq/cfm/main.cfm
Is "Stealth" important?: http://www.practicallynetworked.com/...et.htm#Stealth
Infosyssec's Firewall Security and the Internet (badly updated site): http://www.infosyssec.net/infosyssec/firew1.htm

Webbased portscan services
http://www.linux-sec.net/Audit/nmap.test.gwif.html
http://www.derkeiler.com/Service/PortScan/
http://scan.sygatetech.com/
http://www.sdesign.com/securitytest/
http://www.auditmypc.com/
http://www.dslreports.com/scan
http://crypto.yashy.com/nmap.php
http://www.grc.com/

DoS info
Hardening the TCP/IP stack to SYN attacks: http://www.securityfocus.com/infocus/1729
SANS, Help Defeat Denial of Service Attacks: Step-by-Step: http://www.sans.org/dosstep/
SANS, ICMP Attacks Illustrated: http://rr.sans.org/threats/ICMP_attacks.php
CERT, Denial of Service Attacks: http://www.cert.org/tech_tips/denial_of_service.html
NWC, Fireproofing Against DoS Attacks (forms of): http://www.nwc.com/1225/1225f38.html

DDoS info
SANS, Consensus Roadmap for Defeating Distributed Denial of Service Attacks: http://www.sans.org/ddos_roadmap.htm
SANS, Spoofed IP Address Distributed Denial of Service Attacks: Defense-in-Depth: http://rr.sans.org/threats/spoofed.php
SANS, Understanding DDOS Attack, Tools and Free Anti-tools with Recommendation: http://rr.sans.org/threats/understan...nding_ddos.php
Juniper.net, Minimizing the Effects of DoS Attacks: http://arachne3.juniper.net/techcent...te/350001.html
CISCO, Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks: http://www.cisco.com/warp/public/707/newsflash.html
Dave Dittrich's references: http://staff.washington.edu/dittrich/misc/ddos/
Xinetd Sensors: http://www.gate.net/~ddata/xinetd-sensors.html
Xinetd FAQ: http://synack.net/xinetd/faq.html
Intrusion detection etc
Post 3
Intrusion detection, integrity checks: IDS, NIDS, HIDS, Antivirus, software.
Note: vulnerability checking: CIS, SATAN, COPS, Tiger

FAQ: Network Intrusion Detection Systems: http://www.robertgraham.com/pubs/net...detection.html
Sniffin' the Ether v2.0: http://www.unixgeeks.org/security/ne...r/sniffer.html
Lotek sniffing docs: http://www.l0t3k.org/security/documents/sniffing/
Defeating Sniffers and Intrusion Detection Systems, Phrack: http://www.phrack.org/show.php?p=54&a=10

The IDS acronym game:
IDS: Intrusion Detection System refers to an application able to examine traffic for attributes and properties that mark "benign", suspicious, restricted, forbidden or outright hostile activities.
NIDS: Network IDS refers to Intrusion Detection, like running "sensors" on various sentry or sniffer hosts while logging and/or logprocessing and alerting is done on a central host (many-to-one topology). NIDS examples are:
Snort: http://www.snort.org/
Shoki: http://shoki.sourceforge.net/
Prelude: http://www.prelude-ids.org/
OSSIM (Snort+Acid+mrtg+NTOP+OpenNMS+nmap+nessus+rrdtool): http://sourceforge.net/projects/os-sim/
MIDAS: http://midas-nms.sourceforge.net/
Firestorm: http://www.scaramanga.co.uk/firestorm/
Panoptis (DoS, DDoS only):
Defenseworx:
SHADOW:
Pakemon:
Some commercial/non OSS examples: Demarc PureSecure, Cisco Secure IDS (NetRanger), ISS Real Secure, Axent Net Prowler, Recourse ManHunt, NFR Network Flight Recorder, NAI CyberCop Network, Enterasys Dragon and Okena Stormfront/Stormwatch. Snort also is available commercially these days.
HIDS: Host-based IDS. The HIDS acronym itself is subject to flamewars. IDS examples are Snort, Shoki, Prelude, Defenseworx, Pakemon, Firestorm and Panoptis (DoS, DDoS only).
IPS: Intrusion Protection System. Passive or active (learning, like the heuristics stuff?) enforcement of rules at the application, system or access level. I suppose we're looking at stuff like Grsecurity, Solar Designer's Open Wall, LIDS, LOMAC, RSBAC, Linux trustees, Linux Extended Attributes, LIDS or Systrace here. Commercial/non OSS examples: Entercept, ISS RealSecure, Axent Intruder Alert Manager, Enterasys' Dragon, Tripwire, Okena and CA's eTrust.

Docs:
Intrusion Detection Systems: An Introduction: http://www.linuxsecurity.com/feature...story-143.html
Intrusion Detection FAQ (SANS, handling ID in general): http://www.sans.org/resources/idfaq/index.php
Basic File Integrity Checking (with Aide): http://online.securityfocus.com/infocus/1408
www.networkintrusion.co.uk (IDS, NIDS, File Integrity Checkers)

Snort basics:
Using Snort as an IDS and Network Monitor in Linux (SANS, PDF file): http://www.giac.org/practical/gsec/James_Kipp_GSEC.pdf
Snort: IDS Installation with Mandrake 8.2, Snort, Webmin, Roxen Webserver, ACID, MySQL: http://www.linux-tip.net/workshop/id.../ids-snort.htm
ArachNIDS (Snort/Dragon/Defenseworx/Pakemon/Shoki rule, research and info library): http://whitehats.com/ids/
Intrusion Detection and Network Auditing on the Internet: http://www.infosyssec.net/infosyssec/intdet1.htm

Snort Stealth Sniffer:
Paranoid Penguin: Stealthful Sniffing, Intrusion Detection and Logging: http://www.linuxjournal.com/article.php?sid=6222

Dropping Packets with Snort:
Why not to use Snort's "flexresp": http://www.mcabee.org/lists/snort-us.../msg00379.html
Snortsam: http://www.snortsam.net
Hogwash: http://hogwash.sourceforge.net
Snort-inline: http://www.snort.org/dl/contrib/patc...ort-inline.tgz
Guardian: see the Snort tarball, in the contrib dir.
Blockit:

Snort GUI's, management, log reporting and analysis:
Midas: http://midas-nms.sourceforge.net
SnortCenter: http://users.pandora.be/larc
Snort Unified Logging: Barnyard: (Sourceforge)
Snort Unified Logging: Logtopcap
Snort Unified Logging: Mudpit
Analysis Console for Intrusion Databases (ACID): http://acidlab.sourceforge.net/
HOWTO Build Snort with ACID: http://www.sfhn.net/whites/snortacid.htm
ACID HOWTO: http://www.andrew.cmu.edu/~rdanyliw/...snortacid.html
ACID FAQ: http://www.andrew.cmu.edu/~rdanyliw/snort/acid_faq.html
SPADE, Snortsnarf: http://www.silicondefense.com
Sguil: http://sguil.sourceforge.net/
Enabling Automated Detection of Security Events that affect Multiple Administrative Domains: http://www.incident.org/thesis/book1.html
Demarc (commercial): http://www.demarc.com
RazorBack: http://www.intersectalliance.com/pro...ack/index.html
Oinkmaster (rulemanagement): http://www.snort.org/dl/contrib/sign...nt/oinkmaster/
Snort alert mailer (C or .pe?r?l?): http://rouxdoo.freeshell.org/dmn/snort/
Pig Sentry: http://web.proetus.com/tools/pigsentry/
IDS Policy Manager Version (W32): http://www.activeworx.com/
Snort_stat: snort_stat.pl /var/log/snort/alert | /usr/lib/sendmail <human@someh.ost>
Swatch: ./swatch -c /root/.swatchrc --input-record-separator="\n\n" --read-pipe="tail -f /var/log/snort/alert" --daemon
Swatch + Hogtail.

Snort vs Abacus Portsentry:
Snort and PortSentry compared: http://www.linux.ie/articles/portsen...rtcompared.php
Comparison of IDSs (NFR NID, Snort, INBOUNDS, SHADOW, Dragon, Tripwire): http://zen.ece.ohiou.edu/~nagendra/compids.html

Snort help, mailinglist (archives), honeypots:
Snort: Database support FAQ: http://www.incident.org/snortdb/
Snort mailinglists, Aims: http://marc.theaimsgroup.com/
Snort IDS forum at Whitehats.com: http://whitehats.com/cgi/forum/messa...?bbs=forum&f=4
Baby steps with a honeypot: http://www.lucidic.net/whitepapers/mcooper-4-2002.html
Honeypot & Intrusion Detection Resources: http://www.honeypots.net/
The TCP Flags Playground (Mailinglist, Neohapsis): http://archives.neohapsis.com/archiv...0-03/0386.html
Snort + 802.11 aka Wireless: http://www.loud-fat-bloke.co.uk/w80211.html
Sniffing (network wiretap, sniffer) FAQ: http://www.robertgraham.com/pubs/sniffing-faq.html
Apps, network monitoring (index): http://www.mirrors.wiretapped.net/se...ng-README.txt
An Analysis of a Compromised Honeypot (Snort+Ethereal): http://www.securityfocus.com/infocus/1676
To add: Firestorm NIDS, Barnyard, Mudpit, Snort GUI's, add-ons etc etc.

Snort on two interfaces, solution one: "-i bond0".
Valid-for: running one Snort instance, multiple promiscuous mode interfaces except the mgmnt one.
Caveat: none
See-also: Documentation/networking/bonding.txt
Do once: "echo alias bond0 bonding >>/etc/modules.conf"
At boot: "ifconfig bond0 up; ifenslave bond0 eth0; ifenslave bond0 eth1"
At boot: start Snort with interface arg "-i bond0"

Snort on two interfaces, solution two: "-i any"
Valid-for: running one Snort instance, all interfaces.
Caveat: you lose promiscuous mode.
See-also:
At boot: start Snort with interface arg "-i any" and a BPF filter to stop it from logging the loopback device.

File Integrity Detection Systems
Checking a filesystem's contents against one or more checksums to determine if a file (remember anything essentially is a file on a Linux FS) has been changed. Examples are:
Aide: http://www.cs.tut.fi/~rammer/aide.html (for remote mgmnt see also ICU http://www.algonet.se/~nitzer/ICU/ or RFC http://sourceforge.net/projects/rfc/ which handles Aide, Integrit and Afick)
Samhain: http://la-samhna.de/samhain/ (for remote mgmnt see docs)
Osiris: http://osiris.shmoo.com/
Nabou: http://www.daemon.de/en/software/nabou/
Sentinel: http://zurk.sourceforge.net/zfile.html
Viper(DB): http://panorama.sth.ac.at/viperdb/
Integrit: http://integrit.sourceforge.net/
Tripwire (for remote mgmnt see FICC: http://freshmeat.net/projects/ficc/).
Chkrootkit (not only Linux): http://www.chkrootkit.org
Rootkit Hunter (not only Linux): http://rkhunter.sourceforge.net
Findkit: http://mirror.trouble-free.net/killall/findkit
Commercial/non OSS examples: Versioner, GFI LANguard System Integrity Monitor, Ionx's Data Sentinel, Tripwire for Servers and Pedestal Software Intact.
File Integrity (SecurityFocus, tools list): http://www.securityfocus.com/tools/category/7

Viruses on Linux/GNU, Antivirus software
Sendmail, Tcpdump, OpenSSH, TCP Wrappers, Aide and some other projects have suffered from people succeeding in injecting malicious code, and of those only Sendmail and OpenSSH were at main servers, the rest were mirrors AFAIK. Even though all the apps mentioned are safe to use, and the differences were noted soon, the real problem is you I. have to have the knowledge to read code, and II. the discipline to read the code each time and question any diffs or III. have minimal "protection" in place to cope with things like rogue compiled apps "phoning home". Which in essence means to end users any SW provided w/o means to verify integrity of the code and the package should be treated with care, instead of accepting it w/o questioning.

As for the "virus" thingie I wish we, as a Linux community, try to "convert" people away from the typical troubles of Pitiful Operating Systems (abbrev.: POS, aka the MICROS~1 Game Platform) and direct them towards what's important to know wrt Linux: user/filesystem permissions, b0rken/suid/sgid software, worms, trojans and rootkits. Basic measures should be:
- Using (demanding) source verification through GPG or minimally md5sums,
- Watch system integrity (Aide, Samhain, Tripwire or any package mgr that can do verification: save those databases off-site, also see Tiger, Chkrootkit),
- Harden your systems by not installing SW you don't need *now*, denying access where not needed and using tools like Bastille-linux, tips from Astaro,
- Patch kernel to protect looking at/writing to crucial /proc and /dev entries and/or use ACL's (see Silvio Cesare's site, Grsecurity, LIDS),
- Watch general/distro security bulletins and don't delay taking action (Slapper, Li0n etc),
- Keep an eye on outgoing traffic (egress logging and filtering),
- Don't compile apps as root but as a non-privileged user,
- Inspect the code if you can,
- Don't use Linux warez,
But most of all: use common sense.
* If you're still not satisfied you've covered it all you could arm yourself with knowledge on forensics stuff like UML, chrooting, disassembly and honeypots.

If you want to find Antivirus software, Google the net for Central Command, Sophos, Mcafee, Kaspersky, H+BEDV, Trend Micro, Frisk, RAV, Clam, Amavis, Spam Assassin, Renattach, Ripmime, Milter or Inflex.
- AV SW is as good as its signatures/heuristics. Some vendors don't update their Linux sig db's very well, or field SW with lacking capabilities. I've tested some (admittedly a long time ago) on my virus/trojan/LRK/malware libs. Bad (IMHO): Frisk's F-Prot (sigs), Clam (sigs), H+BEDV (libc version). Good (IMNSHO): Mcafee's uvscan (best) and RAV (2nd). Please do test yourself.
- AFAIK only KAV (Kaspersky) has a realtime scanner daemon. I'm in limbo about its compatibility with recent kernels tho.
Links to check out: LAVP/Mini-FAQ Linux/Unix AV SW, NIST (list of AV vendors), Clam.
Forensics, recovery, undelete
Post 5
Forensics, recovery, undelete

Forensics HOWTO's, docs
Steps for Recovering from a UNIX or NT System Compromise: http://www.cert.org/tech_tips/root_compromise.html
Open Web Application Security Project (OWASP): http://www.owasp.org/
Open Source Computer Forensics Manual: http://sourceforge.net/project/showf...ease_id=171701
OSSTM: Institute for Security and Open Methodologies (formerly ideahamster.org): http://www.isecom.org/projects/osstmm.htm
Forensics Basic Steps: http://staff.washington.edu/dittrich/misc/forensics/ or http://staff.washington.edu/dittrich...forensics.html
Dd and netcat cloning disks: http://www.rajeevnet.com/hacks_hints...s_cloning.html
Security Applications of Bootable Linux CD-ROMs: http://rr.sans.org/linux/sec_apps.php
Honeypot project (Hone your skills with the SOM): http://project.honeynet.org/scans/
RH8.0: Chapter 11. Incident Response (Red Hat Linux Security Guide): http://www.redhat.com/docs/manuals/l...se-invest.html
Forensics and Incident Response Resources: http://is-it-true.org/pt/ptips8.shtml
Forensics presentation by Weld Pond and Tan: http://www.cs.neu.edu/groups/acm/lectures/Forensics_NU/
Law Enforcement and Forensics Links: http://www.computerforensics.net/links.htm
Forensics commercial svc's: http://forensic.to/links/pages/Foren...Investigation/

Forensics CDR's
FIRE (formerly Biatchux +TCT): http://biatchux.dmzs.com/?section=main
The Penguin Sleuth Kit (Knoppix-based +TCT + Sleuthkit): http://luge.cc.emory.edu/psl.html
Knoppix Forensics tools
OSSTM Tools listing: http://www.isecom.org/projects/operationaltools.htm
The Coroners Toolkit (TCT): http://www.porcupine.org/forensics/ or http://www.fish.com/forensics/
tomsrtbt (1 floppy distro): http://www.toms.net/rb/
Trinux (Pentest/sniff/scan/recovery/IDS/forensics CD): http://www.trinux.org/
Snarl (Forensics CD based on FreeBSD): http://snarl.eecue.com
Freeware Forensics Tools for Unix: http://online.securityfocus.com/infocus/1503
The @stake Sleuth Kit (TASK): http://sleuthkit.sourceforge.net/
Tools used by CSIRTs to Collect Incident Data/Evidence, Investigate and Track Incidents (list): http://www.uazone.org/demch/analysis/sec-inchtools.html
Freeware Forensics Tools (reflist, Linux w32): http://www.theiia.org/itaudit/index....=forum&fid=325
TUCOFS - The Ultimate Collection of Forensic Software: http://www.tucofs.com/tucofs/tucofs.asp?mode=mainmenu
Response kits (precompiled static binaries for Linux, Slowaris and wintendo): http://www.incident-response.org/irtoolkits.htm
Precompiled static binaries for Linux (iso): http://www.stearns.org/staticiso/
Forensic Acquisition Utilities for w32: http://users.erols.com/gmgarner/forensics/
CREED (Cisco Router Evidence Extraction Disk): http://cybercrime.kennesaw.edu/creed/
...else check Zone-h.org, Packetstorm, Wiretapped.net, whatever.

Undelete HOWTO's
Recovering a Lost Partition Table: http://tsaling.home.attbi.com/linux/lost_partition.html
Linux Partition HOWTO: http://surfer.nmr.mgh.harvard.edu/pa...Partition.html
How to recover lost partitions: http://cvs.sslug.dk/hdmaint/hdm_rescue.html
Linux Ext2fs Undeletion mini-HOWTO: http://www.linuxdoc.org/HOWTO/mini/E...ndeletion.html
Linux Partition Rescue mini-HOWTO: http://www.linux-france.org/article/...ini-HOWTO.html
File Recovery.v.0.81 (using Midnight Commander): http://www.ists.dartmouth.edu/text/I...very.v0.81.php

Rescue tools for partition table/ext2fs
Gpart: http://www.stud.uni-hannover.de/user/76201/gpart/
Testdisk: http://www.cgsecurity.org/index.html
Parted: http://www.gnu.org/software/parted/parted.html
Recover (app + info): http://recover.sourceforge.net/linux/recover/
R-Linux: http://www.r-tt.com/RLinux.shtml
Unrm: http://www.securiteam.com/tools/Unrm...for_Linux.html
Dd-rescue: http://www.garloff.de/kurt/linux/ddrescue/
Also see mc (the Midnight Commander) and TCT (above).

Rescue tools from dd image
Foremost: http://sourceforge.net/projects/foremost/

Rescue tools for FAT/VFAT/FAT32 from Linux
Fatback: http://sourceforge.net/projects/biatchux/

Partition imaging
Partimage: http://www.partimage.org
* For more rescue tools check Freshmeat.net, metalab.unc.edu or other depots for a /Linux/system/recovery/ dir.

II. Runefs: The first inode that can allocate block resources on a ext2 file system is in fact the bad blocks inode (inode 1) -- *not* the root inode (inode 2). Because of this mis-implementation of the ext2fs it is possible to store data on blocks allocated to the bad blocks inode and have it hidden from an analyst using TCT or TASK. To illustrate the severity of this attack the following examples demonstrate using the accompanying runefs toolkit to: create hidden storage space; copy data to and from this area, and show how this area remains secure from a forensic analyst: http://www.phrack.org/show.php?p=59&a=6

// If you've read this far and you aren't a professional system administrator: congrats. LQ doesn't ask you anything in return but to spread around whatever good security practices you know. If you want to add a section or a link: please email me. License information: see top of thread.
Securing networked services
Post 6
Securing networked services

Apache
Web Security Appliance With Apache and mod_security (SF): http://www.securityfocus.com/infocus/1739
Securing Apache Step-by-Step: http://www.securityfocus.com/infocus/1694
Securing apache2: http://www.securityfocus.com/infocus/1786

Suexec
Apache suEXEC Support: http://httpd.apache.org/docs/1.3/suexec.html
HOWTO Install PHP with SuExec: http://gentoo-wiki.com/HOWTO_Install_PHP_with_SuExec
HOWTO Install PHP as CGI with Apache's suEXEC Feature: http://archiv.debianhowto.de/en/php_cgi/c_php_cgi.html
How to set up suexec to work with virtual hosts and PHP (+PHP +public_html patch): http://alain.knaff.lu/howto/PhpSuexec/

Apache modules
Apache mod_security guide: http://www.securityfocus.com/infocus/1739
Secure Your Apache With mod_security: http://www.howtoforge.com/book/print/1375
Apache mod_ssl: http://www.securityfocus.com/infocus/1356
mod_dosevasive: http://www.nuclearelephant.com/projects/dosevasive/
mod_security: http://www.modsecurity.org
mod_security rulesets: http://www.gotroot.com/mod_security+rules
mod_security rule generator: http://leavesrustle.com/tools/modsecurity/

MySQL
Securing MySQL Step-by-Step: http://www.securityfocus.com/infocus/1726
Secure MySQL Database Design: http://www.securityfocus.com/infocus/1667
Database Security Explained: http://www.linuxexposed.com/content/view/181/54/
SQL injection attack mitigation: SafeSQL: http://www.phpinsider.com/php/code/SafeSQL/, http://www.webmasterbase.com/article/794
Detect SQL injection attacks: class_sql_inject: http://www.phpclasses.org/browse/package/1341.html

PHP
The Problem With PHP Application Security: http://www.linuxquestions.org/questi...curity-521792/
PHP and the OWASP Top Ten Security Vulnerabilities: http://www.sklar.com/page/article/owasp-top-ten
Top 7 PHP Security Blunders: http://www.sitepoint.com/print/php-security-blunders
PHP Security Guide: http://phpsec.org/projects/guide/ (PHP Security Library: http://phpsec.org/library/)
PHPsec.org Security Guide considered harmful: http://www.hardened-php.net/php_secu...armful.51.html
PHP: Preventing register_global problems: http://www.modsecurity.org/documenta...r-globals.html
Securing PHP Step-by-Step: http://www.securityfocus.com/infocus/1706
PHP Security: http://www.onlamp.com/pub/a/php/2003...undations.html
Security of PHP: http://www.developer.com/lang/article.php/918141 (PHP Foundations: http://www.onlamp.com/pub/ct/29)
Auditing PHP, Part 1: Understanding register_globals: http://www-128.ibm.com/developerworks/library/os-php1/
Hardened PHP: http://www.hardened-php.net
SuPHP: http://www.suphp.org/Home.html
(http://www.phpsecure.info seems outdated)
Checking PHP
phpcksec: http://tools.desire.ch/phpcksec/
CastleCops Analyzer (Nuke only?): http://nukecops.com/
Exploiting Common Vulnerabilities in PHP Applications: http://www.securereality.com.au/studyinscarlet.txt

Security network testing
Nessus: http://www.nessus.org/
Metasploit Framework: http://metasploit.com/projects/Framework/index.html

Application security testing
Open Web Application Security Project (OWASP): http://www.owasp.org/index.php/OWASP...le_of_Contents

Oracle
OScanner: http://www.cqure.net/wp/?page_id=3
OAT (Oracle Auditing Tools): http://www.cqure.net/wp/?page_id=2

Samba
SMBAudit (auditing): http://smbdaudit.sourceforge.net/

BIND
Secure BIND Template Version 5.1 05 JAN 2006: http://www.cymru.com/Documents/secur...-template.html
Securing an Internet Name Server: http://www.securiteam.com/securitynews/5VP0N0U5FU.html
DNS Security and Vulnerabilities: http://www.l0t3k.org/security/docs/dns/

SSH
General remarks:
Do not allow root account logins with ssh
Do use public key authentication
Restrict access if possible: sshd_config: AllowGroups, AllowUsers and/or TCP wrappers, firewall, Xinetd entry, PAM ACL.
Stop bruteforcing (in no particular order):
Samhain: Defending against brute force ssh attacks: http://la-samhna.de/library/brutessh.html
Sshblack: http://www.pettingers.org/code/SSHBlack.html
Ssh_access: http://www.undersea.net/seanm/softwa...-access.tar.gz
Sshd_check: http://cerberus.cc/open/scripts/sshd_check.sh
Authfail: http://www.bmk.bz/?p=33
Denyhosts: http://denyhosts.sourceforge.net/
Sshdfilter: http://www.csc.liv.ac.uk/~greg/sshdfilter/
PAM_abl: http://www.hexten.net/sw/pam_abl/index.mhtml
Fail2ban: http://fail2ban.sourceforge.net/
Blockhosts: http://www.aczoom.com/cms/blockhosts/