Paranoid Penguin - Seven Top Security Tools
Linux supports a wealth of outstanding free and open-source security tools—enough, obviously, to write a monthly column on the topic. But whereas I usually focus on one or two particular tools or techniques in-depth, this month I'd like to discuss, at a high level, a variety of my favorite security tools for Linux.
If you're new to Linux or to network security, this may be your first exposure to these particular software packages, and I hope this column nudges you toward learning more. If you're familiar with a couple of them but not the others, I hope this article helps you augment your toolkit. But even if all of this is old hat for you, I hope you find it amusing to see which of the t00lz on my laptop have been getting the most CPU time lately. So without further ado, I bring you the Paranoid Penguin's Choice.
We begin with the most ubiquitous of our featured tools, Netfilter, the Linux kernel's built-in firewall code. To be precise, the collection of modules in question officially is called Netfilter—iptables is merely the user-space command we use to configure the Netfilter kernel modules. The two names can be used interchangeably most of the time except, of course, when you're issuing iptables commands or talking to kernel developers.
Netfilter was the winner in the Best Security Tool category of our 2003 Editors' Choice Awards. As I explained then, Netfilter is responsible for moving Linux firewalls out of the primordial soup of dumb, stateless packet filtering and into the modern era of stateful packet filters. What this means for non-security geeks is Netfilter allows Linux firewalls to inspect network packets statefully in relation to one another, that is, by associating them with established connections, identifying them as beginning new transactions and so on. In contrast, in pre-2.4 kernels Linux treated each packet as a standalone entity, filtering it based strictly on where it came from and where it was headed. For example, all the packets in an HTTP transaction were filtered separately rather than being treated as a group, but no more.
This new packet power and intelligence has ramifications that extend beyond Linux's usefulness as a network firewall. Netfilter is as useful for local security on servers and even on workstations as it is on proper network firewalls—I explain precisely how and include code examples in my article “Using iptables for Local Security”, LJ, August 2002, and also in Chapter 3 of my book Building Secure Servers With Linux.
The command iptables is, for many people, simple to use after spending some time with the iptables(8) man page. Besides my own material on that topic, I also recommend Robert Ziegler's book Linux Firewalls, 2nd Ed. (New Riders, 2002). iptables is eminently scriptable, and the aforementioned sources and the Internet abound with example scripts you can adapt for your own use.
But what if you prefer to insulate yourself from the inner workings of packet filtering and instead want a GUI front end that speaks plain English to you? You're in luck: many quality third-party front ends for Netfilter exist. One of the best is Firewall Builder (www.fwbuilder.org), which allows you to create firewall rules with reusable objects and with wizards. I covered Firewall Builder in-depth in my two-part series “Using Firewall Builder” (LJ, May and June 2003).
Another popular iptables helper is Mason, which automatically builds iptables scripts by passively observing normal system use. This is especially useful for personal firewall setups on workstations. Mason is available at users.dhp.com/~whisper/mason. Yet another increasingly popular tool is Shorewall, which generates iptables scripts based on how you configure a few simple text files in the directory /etc/shorewall. Shorewall's home page is shorewall.net.
Finally, I'd be remiss if I didn't mention that many Linux distributions have their own (distribution-specific) packages for using iptables. SuSE 8.2, for example, has SuSEfirewall2, which automatically generates and runs iptables commands based on simple parameters you set in the file /etc/sysconfig/SuSEfirewall2. If your preferred distribution has such a tool, it's worth checking out—it already may be installed on your system.
By the way, in case you're wondering what I myself prefer, I usually write my own iptables scripts by hand. For me that's the simplest and most direct way; then again I'm a professional firewall engineer—your needs and skills may vary.
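As an added example (not code from the article or from the books and articles it cites), here is a minimal hand-written stateful rule set of the "local security" kind described above: a host that accepts only new SSH connections and whatever Netfilter's connection tracker recognises as belonging to traffic the host already started. The variable names IPT, SSH_PORT and DRY_RUN are assumptions; with DRY_RUN=1 (the default) the script only prints the iptables commands, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example: stateful host ("local security") rule set for a box running sshd.
# IPT, SSH_PORT and DRY_RUN are assumed names, not from the article.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
DRY_RUN="${DRY_RUN:-1}"

# run: execute an iptables command, or just print it when dry-running
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# host_rules: emit the whole INPUT rule set, in order
host_rules() {
    # Start clean; deny inbound by default, let the host talk out freely.
    run -F INPUT
    run -P INPUT DROP
    run -P OUTPUT ACCEPT
    # Loopback traffic never leaves the host.
    run -A INPUT -i lo -j ACCEPT
    # The stateful core: accept any packet the connection tracker ties to a
    # connection this host already has (ESTABLISHED) or one spawned by such a
    # connection (RELATED, e.g. an FTP data channel). A stateless filter would
    # have to open every high port to let the same return traffic back in.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The only new inbound connections we welcome are SSH.
    run -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # Packets that fit no known connection state are dropped outright;
    # everything else is logged once, then dropped.
    run -A INPUT -m state --state INVALID -j DROP
    run -A INPUT -j LOG --log-prefix "INPUT-DROP:" --log-level 6
    run -A INPUT -j DROP
}

# rule_count: how many iptables commands the rule set issues
rule_count() { host_rules | wc -l | tr -d ' '; }

host_rules
```

Run with DRY_RUN=0 as root to apply the rules; the LOG entries land in the kernel log (dmesg or syslog) prefixed with INPUT-DROP:, which is where you look when something legitimate stops working.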