
15. Security Sources and Tools

There are a LOT of good sites out there for UNIX security in general and Linux security specifically. It's very important to subscribe to one (or more) of the security mailing lists and keep current on security fixes. Most of these lists are very low volume, and very informative.

There is an Appendix section in ``Building Internet Firewalls'' that discusses some of the more popular and useful security tools. Have you gotten the hint yet that this is a book you really should purchase? :)

COAST, the Computer Operations, Audit, and Security Technology project at Purdue University, is the place to go for security tools. You can find these archives at http://www.cs.purdue.edu/coast/hotlist/. They are typically very well organized, with a clear description of what each tool does, as well as a keyword search.

Security tools typically fall into several categories. These include network and host scanners that tell you which services are available on your system and possibly which exploits are associated with those services, authentication tools, analysis tools for examining your machines and log files both before and after an attack, service filtering tools such as firewalls and service monitors, and general utilities.

Linux systems, and Linux vendors, realize the benefits of many of these programs, and as a result many of the preventive security tools have already been incorporated into your distribution. Don't use this as an excuse for not going through what is available and making sure it is configured properly.

15.1 Network Scanners and Auditing Tools

There are a number of different software packages available that do port and service based scanning of machines or networks. SATAN and ISS are two of the more well known ones. This software connects to the target machine (or all the target machines on a network) on all the ports it can, and tries to determine what service is running there. Based on this information, you could find out the machine is vulnerable to a specific exploit on that server.

If you run these network scanning and auditing tools and they turn up egregious security holes, you should rethink your approach. These tools are not a one-stop security solution, and you should not assume that a problem doesn't exist just because they don't find it.

Security Administrators Tool for Analyzing Networks (SATAN)

SATAN is a port scanner with a web interface. SATAN was written by Dan Farmer and Wietse Venema, and released in 1995. It was based on known vulnerabilities (mainly those from CERT Advisories), but hasn't really been updated since then by the original authors.

It can be configured to do light, medium, or strong checks on a machine or a network of machines. It has been known in the past to crash machines when doing a heavy scan. This isn't a bug in SATAN; rather, it's a poorly configured machine. It's a good idea to get SATAN, scan your machine or network, and fix the problems it finds. Its home page is http://www.trouble.org/~zen/satan/satan.html

Security Administrator's Integrated Network Tool (SAINT)

Perhaps not as well known, but nevertheless useful, is a package called SAINT, which is also a security analyzer. Quoting from the README:

SAINT is the Security Administrator's Integrated Network Tool. In its simplest mode, it gathers as much information about remote hosts and networks as possible by examining such network services as finger, NFS, NIS, ftp and tftp, rexd, statd, and other services. The information gathered includes the presence of various network information services as well as potential security flaws -- usually in the form of incorrectly set up or configured network services, well-known bugs in system or network utilities, or poor or ignorant policy decisions. It can then either report on this data or use a simple rule-based system to investigate any potential security problems. Users can then examine, query, and analyze the output with an HTML browser, such as Mosaic, Netscape, or Lynx. While the program is primarily geared towards analyzing the security implications of the results, a great deal of general network information can be gained when using the tool - network topology, network services running, types of hardware and software being used on the network, etc.

However, the real power of SAINT comes into play when used in exploratory mode. Based on the initial data collection and a user configurable ruleset, it will examine the avenues of trust and dependency and iterate further data collection runs over secondary hosts. This not only allows the user to analyze her or his own network or hosts, but also to examine the real implications inherent in network trust and services and help them make reasonably educated decisions about the security level of the systems involved.

You can find the latest version at http://www.wwdsi.com/saint/. It seems to be a relatively new product, but one that is developing rapidly. It claims to be a work derived from SATAN, and includes many enhancements.

Rhino9 Auditing Tool

The security research group Rhino9 has released its auditing tool. There are also several tools available for Linux that allow you to:

The tool still seems a little immature, but a variety of tools is always a good idea.

Internet Security Scanner (ISS) and System Security Scanner (S3)

Internet Security Systems has written two proactive security tools, both of which run on Linux. ISS has been a long-time supporter of Linux, and makes some very useful tools.

The System Security Scanner is described by ISS as "proactively seeking internal system vulnerabilities. S3 is a comprehensive host-based security assessment and intrusion detection tool which identifies and reports exploitable system weaknesses. S3 assesses file permissions and ownerships, network services, account setups, program authenticities, operating system configurations and common user-related security weaknesses such as guessable passwords to determine current security levels and to identify previous system compromises. With the majority of information security breaches perpetrated by insiders, this avenue of assessment is of vital importance in assuring the protection of an organization's information."

It is commercially supported, currently checks for 413 vulnerabilities, and is available for Linux.
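The file permission and ownership checks that a host-based assessment tool like S3 performs are easy to reproduce for your own machine. The following is an added example, not code from S3 or from this HOWTO: it walks a directory tree and reports the two classic findings, world-writable files (anyone can alter them) and setuid/setgid executables (they run with someone else's privileges). The sample tree it builds in a temporary directory is constructed for the demonstration; on a real system you would point audit_tree at / and review the setid list against what your distribution installed.

```python
import os
import shutil
import stat
import tempfile


def audit_tree(root):
    """Walk `root` and return the findings a host-based scanner would report:
    world-writable regular files and setuid/setgid files.
    Symlinks are skipped so that the link target's own mode is what gets judged."""
    world_writable = []
    setid = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the audit
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = st.st_mode
            if mode & stat.S_IWOTH:
                world_writable.append(path)
            if mode & (stat.S_ISUID | stat.S_ISGID):
                setid.append(path)
    return {"world_writable": sorted(world_writable), "setid": sorted(setid)}


def build_sample_tree():
    """Construct a throwaway tree with one file of each kind (constructed sample data).
    Returns (root, expected findings)."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    normal = os.path.join(root, "normal.conf")
    writable = os.path.join(root, "world-writable.sh")
    suid = os.path.join(root, "setuid-helper")
    for path in (normal, writable, suid):
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
    os.chmod(normal, 0o644)
    os.chmod(writable, 0o666)
    os.chmod(suid, 0o4755)
    # A few filesystems silently drop the setuid bit; read the mode back so the
    # expected result reflects what the filesystem actually stored.
    setid_expected = [suid] if os.stat(suid).st_mode & stat.S_ISUID else []
    return root, {"world_writable": [writable], "setid": setid_expected}


def run_demo():
    """Build the sample tree, audit it, clean up, and return (findings, expected)."""
    root, expected = build_sample_tree()
    try:
        findings = audit_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return findings, expected


if __name__ == "__main__":
    findings, _ = run_demo()
    for kind, paths in findings.items():
        print(kind)
        for p in paths:
            print("   ", p)
```

The audit deliberately uses lstat and skips symlinks: a scanner that followed links could be led outside the tree it was asked to check, and the permissions that matter are those on the real file.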

Abacus-Sentry

Abacus-Sentry is a commercial port scanner from http://www.psionic.com. Look at its home page on the web for more information.

15.2 The Art of Port Scanning

Fyodor <[email protected]> wrote ``The Art of Port Scanning'' in Volume 7, Issue 51 of Phrack Magazine, in September 1997. It discusses the various types of port scanning that can be done, and ends with the source code of a program that finds out what services a host is offering using a variety of port scanning techniques. It is available at http://www.2600.com/phrack/p51/ or at Fyodor's site http://www.dhp.com/~fyodor/nmap/

Detecting Port Scans

There are some tools designed to alert you to probes by SATAN, ISS and other scanning software; however, with liberal use of TCP wrappers and a habit of looking over your log files regularly, you should be able to notice such probes yourself. Even on the lowest setting, SATAN still leaves traces in the logs on a stock Red Hat system.

There are also ``stealth'' port scanners. A packet with the TCP ACK bit set (as is done with established connections) will likely get through a packet-filtering firewall. The returned RST packet from a port that had no established session can be taken as proof of life on that port. I don't think TCP wrappers will detect this.

You should read the Phrack magazine document listed in the previous section to understand the types of port scans that can be performed on your systems.

A properly configured implementation of TCP Wrappers can do a great deal towards catching an intrusion attempt, and even warn the administrator of the break-in. See the Host Security section for specific examples of TCP Wrappers usage.

Gabriel, a tool designed specifically to detect SATAN scans and attacks, but which can also detect other types of scans, probes and system attacks, can be found at COAST.
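The traces a scanner leaves in a TCP-wrapped system's logs are easy to pick out once you look for the pattern: one source address touching many different services in a short time. The following added example (not code from this HOWTO, from tcpd or from Gabriel) parses the "connect from" / "refused connect from" lines that tcpd writes to syslog and flags any source that hits at least four distinct services within a five-minute window. The log lines are constructed for the demonstration; the window and threshold are assumptions to tune for your site. Note the limit the text describes: this only sees connections that reach a wrapped daemon, so an ACK probe that never completes a handshake leaves nothing here and must be caught at the packet filter instead.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of tcpd syslog output: one source sweeps five services
# in two seconds, a legitimate client makes one ftp connection, and the
# sweeper comes back much later for a single retry.
SAMPLE_LOG = """\
Jan 12 10:01:02 gw in.telnetd[412]: refused connect from 10.1.2.3
Jan 12 10:01:02 gw in.ftpd[413]: refused connect from 10.1.2.3
Jan 12 10:01:03 gw in.fingerd[414]: refused connect from 10.1.2.3
Jan 12 10:01:03 gw in.rshd[415]: refused connect from 10.1.2.3
Jan 12 10:01:04 gw in.rlogind[416]: refused connect from 10.1.2.3
Jan 12 10:05:30 gw in.ftpd[500]: connect from 192.168.1.20
Jan 12 10:40:10 gw in.telnetd[601]: refused connect from 10.1.2.3
""".splitlines()

# syslog timestamp, host, daemon[pid], tcpd verdict, source address
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<service>\S+)\[\d+\]: (?P<verdict>refused connect|connect) from (?P<src>\S+)$"
)


def parse_tcpd_line(line):
    """Return (timestamp, source, service, refused) for a tcpd log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year; strptime defaults it, which is fine for deltas
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), m.group("service"), m.group("verdict") == "refused connect"


def find_scanners(lines, window=timedelta(minutes=5), threshold=4):
    """Return {source: max distinct services contacted within any `window`}
    for every source that reaches `threshold`. Both accepted and refused
    connections count: a scan looks the same either way."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_tcpd_line(line)
        if parsed is None:
            continue  # not a tcpd line; other syslog traffic is ignored
        ts, src, service, _refused = parsed
        events[src].append((ts, service))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({service for _, service in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {count} distinct services in one window")
```

Counting distinct services rather than raw connection attempts is what separates a scan from a busy but legitimate client, and the sliding window keeps one stray connection an hour later from inflating the count.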

15.3 Incident Response Contacts

15.4 Vendor Information

There is a vendor FAQ available at http://www.iss.net/vd/vendor.html where you can find general vendor information. The Linux-specific contacts are as follows:

15.5 Mailing Lists

These are the classic security-based mailing lists available to the general public. You've probably seen the addresses for these lists a thousand times by now, but here they are again, all in one place.

Subscription requests for most lists are made by sending ``subscribe listname'' in the body of the message. Be sure to keep your subscription information, so you know the proper way to unsubscribe.

15.6 General References

15.7 Books - Printed Reading Material (Works Referenced)

There are a number of good security books out there. This section lists a few of them. In addition to the security-specific books, security is covered in a number of other books on system administration. There really is an incredible amount of information on security available on the Internet; it's just a matter of finding it.
