Paranoid Penguin - Seven Top Security Tools
Bastille, the brainchild of Jay Beale and Jon Lasser, is in a class by itself. It's a script that performs a comprehensive lockdown of your Linux system, based entirely on questions it asks you. What really sets it apart from other hardening scripts is that all the questions it asks are annotated copiously. Of all the security tools I've seen, none does more to educate its users than Bastille. For this reason, I especially recommend Bastille to newbies.
When I wrote a Linux Journal article on Bastille a couple of years ago (“Battening Down the Hatches with Bastille” LJ, April 2001), I asked Jay Beale a few questions over e-mail that, after meeting face-to-face soon after, led to an enduring friendship. Bastille benefits greatly from Jay's outgoing personality, and he uses direct and even entertaining language to enable you to help Bastille tweak your system into a more secure state.
Bastille is supported officially on Red Hat, Mandrake and Debian GNU/Linux. It's even been ported to HP-UX and Mac OS X. You can get Bastille at www.bastille-linux.org.
Netfilter and Bastille are strictly defensive tools, but what if you want to test your Linux box's current state of security? One way is to run a port scanner and enumerate the listening ports on it, for the purpose of deducing which network applications are running.
In a site-wide security audit, automated port scanners are invaluable in determining how carefully and consistently hosts have been secured. If you run a port scanner against hosts protected by a firewall, it can validate the firewall's configuration. And at the most tactical level, a good port scanner tells you the precise points of entry attackers can see on each host it runs against.
Nmap (Listing 1) is the undisputed king of port scanners: it's fast, low-profile, free and feature-rich. Nmap offers a variety of scanning methodologies, from the fast but noisy TCP Connect method to arcane but stealthy approaches, such as Xmas Tree scanning. Nmap even comes with a GUI, NmapFE, though it's quite easy to use from the command prompt as well. You can get the latest version of Nmap from www.insecure.org, but your Linux distribution of choice probably has its own reasonably current package. You most likely needn't look any further than your Linux CDs to get Nmap.
Listing 1. Nmap reveals which network services are available on a host.
tamarin:/usr/src # nmap -sS -F -P0 -O 10.1.2.123
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
caught SIGINT signal, cleaning up
tamarin:/usr/src # nmap -sS -F -P0 10.1.2.123
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on wuxia.wiremonkeys.org (10.1.2.123):
(The 1134 ports scanned but not shown below are in state: filtered)
Port       State       Service
21/tcp     closed      ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
119/tcp    closed      nntp
389/tcp    open        ldap
418/tcp    closed      hyper-g
443/tcp    open        https
636/tcp    open        ldapssl
873/tcp    closed      rsync
993/tcp    open        imaps
3389/tcp   closed      ms-term-serv
6666/tcp   closed      irc-serv
8080/tcp   closed      http-proxy
11371/tcp  closed      pksd
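The site-wide audit use described above only pays off if the scan output is turned into something you can compare against policy and against last month's scan. The following is an added example, not code from the article or from the Nmap project: it parses the plain-text port table that Nmap 3.00 prints (the format shown in Listing 1), checks the open ports against a list of services the host is supposed to offer, and diffs two scans of the same host. The sample output is constructed here from the Listing 1 values; the allowed-port set is an assumption for illustration.

```python
import re
from typing import Iterable, List, NamedTuple, Set, Tuple


class PortResult(NamedTuple):
    """One row of Nmap's port table."""
    port: int
    proto: str
    state: str
    service: str


# Matches rows such as "22/tcp     open        ssh" from Nmap 3.x text output.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)\s*$")

# Constructed sample, laid out like Listing 1 (same ports and states).
SAMPLE_NMAP_OUTPUT = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on wuxia.wiremonkeys.org (10.1.2.123):
(The 1134 ports scanned but not shown below are in state: filtered)
Port       State       Service
21/tcp     closed      ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
119/tcp    closed      nntp
389/tcp    open        ldap
418/tcp    closed      hyper-g
443/tcp    open        https
636/tcp    open        ldapssl
873/tcp    closed      rsync
993/tcp    open        imaps
3389/tcp   closed      ms-term-serv
6666/tcp   closed      irc-serv
8080/tcp   closed      http-proxy
11371/tcp  closed      pksd
"""


def parse_nmap_output(text: str) -> List[PortResult]:
    """Extract port rows from Nmap's human-readable output; header and
    banner lines do not match the regex and are skipped."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            results.append(PortResult(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return results


def open_ports(results: Iterable[PortResult]) -> List[int]:
    """Ports the scanner saw as open, in scan order."""
    return [r.port for r in results if r.state == "open"]


def unexpected_open(results: Iterable[PortResult], allowed: Set[int]) -> List[PortResult]:
    """Open ports that are not on the host's approved service list.
    'allowed' is the policy for this host (assumed values in the usage below)."""
    return [r for r in results if r.state == "open" and r.port not in allowed]


def diff_scans(baseline: Iterable[PortResult],
               current: Iterable[PortResult]) -> Tuple[List[int], List[int]]:
    """Compare two scans of the same host: (newly open, newly closed)."""
    before = {r.port for r in baseline if r.state == "open"}
    after = {r.port for r in current if r.state == "open"}
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    rows = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    # Assumed policy: this host should only expose SSH, SMTP, DNS, HTTP and HTTPS.
    policy = {22, 25, 53, 80, 443}
    for r in unexpected_open(rows, policy):
        print(f"policy violation: {r.port}/{r.proto} ({r.service}) is open")
```

Running the block against the Listing 1 data flags 389 (ldap), 636 (ldapssl) and 993 (imaps) as open but not in the assumed policy; whether those are violations is a decision for whoever owns the host, which is exactly the conversation a scan is meant to start. The parser is tied to the Nmap 3.x text layout; newer releases use a different column header, and for anything scripted the machine-readable output modes are the better source.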
Whereas port scanners simply enumerate listening ports, security scanners attempt to connect to open ports and find out as much as possible about the applications doing the listening. At its simplest, this can amount to banner grabbing, which is logging the text message the application prints upon successful connection. Many applications identify themselves by name and some even by version.
But professional-grade security scanners go much further than banner grabbing. Once they identify which application is running on a given port, they try to determine whether various known vulnerabilities can be exploited against that application, sometimes by actually beginning but not following through with penetration methods. Nessus (Figure 1) is a professional-grade security scanner, but it's a free and 100% customizable one.
As with Nmap, the value of Nessus to professional security engineers is immeasurable; I use both in my work all the time. But even civilians can benefit from, for example, testing their hobby Web servers with Nessus. As with Bastille, Nessus includes user education in its design goals. If you read a report carefully, you can learn a thing or two not only about the vulnerabilities it identifies but also about what to do to fix them.