Paranoid Penguin - Seven Top Security Tools
Bastille, the brainchild of Jay Beale and Jon Lasser, is in a class by itself. It's a script that performs a comprehensive lockdown of your Linux system, based entirely on questions it asks you. What really sets it apart from other hardening scripts is that every question it asks is annotated copiously. Of all the security tools I've seen, none does more to educate its users than Bastille. For this reason, I especially recommend Bastille to newbies.
When I wrote a Linux Journal article on Bastille a couple of years ago (“Battening Down the Hatches with Bastille”, LJ, April 2001), I asked Jay Beale a few questions over e-mail; we met face-to-face soon after, and that exchange led to an enduring friendship. Bastille benefits greatly from Jay's outgoing personality, and he uses direct and even entertaining language to enable you to help Bastille tweak your system into a more secure state.
Bastille is supported officially on Red Hat, Mandrake and Debian GNU/Linux. It's even been ported to HP-UX and Mac OS X. You can get Bastille at www.bastille-linux.org.
Netfilter and Bastille are strictly defensive tools, but what if you want to test your Linux box's current state of security? One way is to run a port scanner and enumerate the listening ports on it, for the purpose of deducing which network applications are running.
In a site-wide security audit, automated port scanners are invaluable in determining how carefully and consistently hosts have been secured. If you run a port scanner against hosts protected by a firewall, it can validate the firewall's configuration. And at the most tactical level, a good port scanner tells you the precise points of entry attackers can see on each host it runs against.
Nmap (Listing 1) is the undisputed king of port scanners: it's fast, low-profile, free and feature-rich. Nmap offers a variety of scanning methodologies, from the fast but noisy TCP Connect method to arcane but stealthier approaches, such as Xmas Tree scanning. The difference matters in practice: a Connect scan completes the TCP three-way handshake on every probed port, so the target application sees and usually logs each connection, whereas a SYN scan (-sS) never completes the handshake but needs raw-socket access, which means root privileges. Nmap even comes with a GUI, NmapFE, though it's quite easy to use from the command prompt as well. You can get the latest version of Nmap from www.insecure.org, but your Linux distribution of choice probably has its own reasonably current package. You most likely needn't look any further than your Linux CDs to get Nmap.
Listing 1. Nmap reveals which network services are available on a host. The first run, with OS fingerprinting (-O), was interrupted and rerun without it; -sS selects a SYN scan, -F restricts the scan to the ports listed in nmap-services, and -P0 skips the ping that Nmap normally uses to check the host is up, which is what you want against a host that drops ICMP.
tamarin:/usr/src # nmap -sS -F -P0 -O 10.1.2.123

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
caught SIGINT signal, cleaning up
tamarin:/usr/src # nmap -sS -F -P0 10.1.2.123

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on wuxia.wiremonkeys.org (10.1.2.123):
(The 1134 ports scanned but not shown below are in state: filtered)
Port       State       Service
21/tcp     closed      ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
119/tcp    closed      nntp
389/tcp    open        ldap
418/tcp    closed      hyper-g
443/tcp    open        https
636/tcp    open        ldapssl
873/tcp    closed      rsync
993/tcp    open        imaps
3389/tcp   closed      ms-term-serv
6666/tcp   closed      irc-serv
8080/tcp   closed      http-proxy
11371/tcp  closed      pksd
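In a site-wide audit, the scan output itself is only half the job; the other half is comparing each host's listening ports against what that host is supposed to expose, and noticing when a port is "closed" rather than "filtered", because a closed port means the firewall passed the probe through to the host. The following is an added example, not code from the article or from the Nmap project: it parses output in the Listing 1 format (Nmap 3.x "normal" output) and checks it against a per-host baseline. The sample output is constructed to mirror Listing 1 with most lines trimmed, and the baseline (which ports wuxia is allowed to expose) is an assumption made for the example, not a statement about the real host.

```python
import re
from typing import Dict, Set

# Constructed sample in the format of Listing 1 (Nmap 3.00 "normal" output),
# trimmed to a handful of lines. Hostname/address are the article's.
SAMPLE_OUTPUT = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on wuxia.wiremonkeys.org (10.1.2.123):
(The 1134 ports scanned but not shown below are in state: filtered)
Port       State       Service
21/tcp     closed      ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
389/tcp    open        ldap
443/tcp    open        https
636/tcp    open        ldapssl
993/tcp    open        imaps
3389/tcp   closed      ms-term-serv
"""

# Assumed baseline for the example: the ports this host is allowed to expose.
BASELINE: Dict[str, Set[str]] = {
    "10.1.2.123": {"22/tcp", "25/tcp", "53/tcp", "80/tcp",
                   "443/tcp", "636/tcp", "993/tcp"},
}

HOST_RE = re.compile(r"^Interesting ports on (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\):")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(open|closed|filtered)\s+\S+")


def parse_nmap_normal(text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Parse Nmap 3.x normal output into {address: {state: {"port/proto", ...}}}.

    In this output style only open and closed ports are listed; everything
    else is summarised by the "not shown below" line (filtered in Listing 1),
    so the 'filtered' set stays empty unless Nmap lists such ports explicitly.
    """
    hosts: Dict[str, Dict[str, Set[str]]] = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2)
            hosts[current] = {"open": set(), "closed": set(), "filtered": set()}
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current][m.group(2)].add(m.group(1))
    return hosts


def audit(scan: Dict[str, Dict[str, Set[str]]],
          baseline: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Compare each scanned host against the ports it is allowed to expose.

    Per host the report contains:
      unexpected_open  - listening but not in the baseline: an unapproved
                         service, or a host that was never hardened
      missing          - in the baseline but not open: the service is down,
                         or the firewall blocks something it should pass
      reachable_closed - the probe reached the host and got a RST: nothing
                         listens today, but the packet filter lets that port
                         through, so any daemon started there is exposed
    """
    report: Dict[str, Dict[str, Set[str]]] = {}
    for addr, states in scan.items():
        allowed = baseline.get(addr, set())
        report[addr] = {
            "unexpected_open": states["open"] - allowed,
            "missing": allowed - states["open"],
            "reachable_closed": set(states["closed"]),
        }
    return report


if __name__ == "__main__":
    for addr, findings in audit(parse_nmap_normal(SAMPLE_OUTPUT), BASELINE).items():
        for kind, ports in findings.items():
            print(f"{addr} {kind}: {sorted(ports) or '-'}")
```

Against the constructed sample, the report flags 389/tcp (plain LDAP) as open but not in the baseline, and lists 21/tcp and 3389/tcp as closed-but-reachable, which tells you the firewall in front of the host is not filtering those ports even though nothing currently answers on them.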
Whereas port scanners simply enumerate listening ports, security scanners attempt to connect to open ports and find out as much as possible about the applications doing the listening. At its simplest, this can amount to banner grabbing, which is logging the text message the application prints upon successful connection. Many applications identify themselves by name and some even by version.
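To make the distinction between the two kinds of scanner concrete, here is an added example (not code from the article, Nmap or Nessus) of the simplest possible version of each: an unprivileged TCP Connect scan, which is the "fast but noisy" method mentioned above, with a banner grab on every port that turns out to be open. So that it runs offline, the example starts its own listeners on 127.0.0.1: one that greets clients with a constructed SMTP-style banner, one that accepts and stays silent the way HTTP does until the client speaks, and it reserves and releases an ephemeral port to obtain one that is known to be closed. The banner text and ports are constructed for the example.

```python
import socket
import threading
from typing import Dict, Iterable, Optional

# Constructed test data: a fake SMTP greeting, the kind of banner that
# identifies a daemon by name and version before the client sends anything.
FAKE_SMTP_BANNER = b"220 mail.example.test ESMTP Postfix\r\n"


def start_listener(banner: Optional[bytes], accepts: int = 1) -> int:
    """Bind a test listener on 127.0.0.1 and return its (ephemeral) port.

    With a banner, each accepted client is greeted immediately (SMTP, SSH
    style). With None, the listener accepts and says nothing (HTTP style).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def run() -> None:
        for _ in range(accepts):
            conn, _ = srv.accept()
            with conn:
                if banner is not None:
                    conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def pick_closed_port() -> int:
    """Reserve an ephemeral port and release it, so it is known to be closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host: str, port: int, timeout: float = 0.5) -> Dict[str, Optional[str]]:
    """Connect-scan one TCP port and, if it is open, try to grab a banner.

    open     -> connect() completed a full three-way handshake (the target
                application sees this, which is why Connect scans are noisy)
    closed   -> the host answered with a RST (ECONNREFUSED)
    filtered -> nothing came back before the timeout, which is what a
                DROP rule in a packet filter looks like from outside
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return {"state": "closed", "banner": None}
    except socket.timeout:
        s.close()
        return {"state": "filtered", "banner": None}
    except OSError as exc:           # unreachable network, etc.
        s.close()
        return {"state": "error", "banner": str(exc)}
    # Banner grab: read whatever the daemon volunteers. Silent services
    # (or ones waiting for the client to speak) simply yield no banner.
    banner = None
    try:
        data = s.recv(256)
        if data:
            banner = data.decode("ascii", errors="replace").strip()
    except socket.timeout:
        pass
    finally:
        s.close()
    return {"state": "open", "banner": banner}


def scan(host: str, ports: Iterable[int]) -> Dict[int, Dict[str, Optional[str]]]:
    """Connect-scan each port and return {port: probe result}."""
    return {p: probe(host, p) for p in ports}


if __name__ == "__main__":
    chatty, silent, closed = start_listener(FAKE_SMTP_BANNER), start_listener(None), pick_closed_port()
    for port, result in scan("127.0.0.1", [chatty, silent, closed]).items():
        print(f"{port}/tcp {result['state']:<8} {result['banner'] or ''}")
```

The port enumeration is what Nmap does (far faster, and without completing the handshake when run as root with -sS); the banner grab is the first thing a security scanner such as Nessus adds on top, and everything beyond that, from version matching to safe exploitation attempts, builds on knowing which daemon answered.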
But professional-grade security scanners go much further than banner grabbing. Once they identify which application is running on a given port, they try to determine whether various known vulnerabilities can be exploited against that application, sometimes by actually beginning but not following through with penetration methods. Nessus (Figure 1) is a professional-grade security scanner, but it's a free and 100% customizable one.
As with Nmap, the value of Nessus to professional security engineers is immeasurable; I use both in my work all the time. But even civilians can benefit from, for example, testing their hobby Web servers with Nessus. As with Bastille, Nessus includes user education in its design goals. If you read a report carefully, you can learn a thing or two not only about the vulnerabilities it identifies but what to do to fix them.