Security Tools to Install


This is by no means an all-inclusive list, just a listing of general categories of tools we think you should be running and some examples of software that can fill this need.

Log Monitoring Tools

These are tools that parse through the system logs on the firewall to detect events worthy of attention. Some of the better tools can categorize and prioritize the events to help you identify attacks or even just suspicious behavior.

Two of our favorites are logwatch and logcheck. You can find both of these at our website, http://www.gotroot.com. logwatch comes with many Linux distributions now, and it basically gives you a daily summary of activity on your system. logwatch depends on extensions that understand the log format of the various applications running on your system, such as sudo or ssh. If there is no extension on your system for the application you wish to monitor, logwatch might miss some important information about that application.

The other side of the coin is logcheck, written by a friend of ours, Craig Rowland. Craig's logcheck takes the approach that you should be notified of anything you haven't told logcheck to ignore. This can generate a considerable number of alerts, but it guarantees you will not miss anything, and the default logcheck install ships with a number of regular expressions that reduce the volume to a useful amount of traffic.
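The logcheck approach described above, as an added example that is not from the book and is not logcheck's own code: a small shell filter that reports every syslog line not matched by an ignore pattern. The log lines, host name and ignore patterns are constructed for illustration; it assumes a POSIX shell with GNU grep and mktemp.

```shell
#!/bin/sh
# Added example, not from the book and not logcheck's own code: the
# logcheck approach in miniature. Every log line that no "ignore" regular
# expression matches is reported, so unexpected activity is never dropped.

# Constructed sample syslog lines from a firewall host named "fw".
SAMPLE_LOG='Mar  3 04:02:01 fw CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 04:02:17 fw sshd[1250]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2
Mar  3 04:03:40 fw sshd[1266]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 04:05:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP DPT=23
Mar  3 04:10:01 fw CRON[1302]: (root) CMD (run-parts /etc/cron.hourly)'

# Constructed ignore patterns (extended regexps, one per line), in the spirit
# of logcheck's ignore files: routine cron runs and successful key logins.
IGNORE_PATTERNS='CRON\[[0-9]+\]: \(root\) CMD \(run-parts
sshd\[[0-9]+\]: Accepted publickey for'

# report_unignored LOG_TEXT PATTERN_TEXT: print the lines no pattern matches.
report_unignored() {
    pats=$(mktemp)
    # Drop blank pattern lines first: an empty regexp matches every line,
    # which would silently ignore the entire log.
    printf '%s\n' "$2" | grep -v '^$' > "$pats" || true
    # grep -v exits 1 when nothing is printed; that means "all quiet".
    printf '%s\n' "$1" | grep -v -E -f "$pats" || true
    rm -f "$pats"
}

# count_unignored LOG_TEXT PATTERN_TEXT: number of lines that would be reported.
count_unignored() {
    report_unignored "$1" "$2" | grep -c . || true
}

report_unignored "$SAMPLE_LOG" "$IGNORE_PATTERNS"
```

With the two ignore patterns in place only the failed root login and the telnet probe logged by the kernel are reported; with no patterns at all, every line is.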

Network Intrusion Detection

This might seem out of scope for a firewall, but we think a firewall is a perfect place to run an NIDS, or Network Intrusion Detection System, provided that your firewall has enough disk space for the logs and enough memory and CPU power to handle the extra overhead of the NIDS. Generally a firewall is a good choke point to see traffic from many networks as it flows through the firewall. For instance, many firewalls are built with at least three network interfaces to allow for an internal, external, and DMZ network. If you ran your NIDS on another system, you might need three NIDS boxes to see all this traffic. Also with the introduction of snort and other open source NIDS on the scene, it's now free to run a high quality NIDS on as many systems as you want.

As with other services, make sure your NIDS is running all of its components as a non-privileged user and that it's also properly chrooted. snort has these capabilities built in, as do some of the other open source NIDS. Just because it's an NIDS does not mean that it's free from possible security vulnerabilities. Many commercial and open source NIDS have had security flaws in them that could have led to the compromise of the system running the NIDS, so again, assume the worst, run them with the least privilege necessary, and stick them into a chroot.

You can find snort at its website, http://www.snort.org. You can find information about other intrusion detection packages at www.gotroot.com.

Host Intrusion Detection

These are tools that focus not on looking at what's going on with your network, but solely on what's going on with the local system. These tools might look at what modules are loaded on a system, the users logged in, when they logged in, and from where. Others crawl the file system looking for known signs of intrusion, files with bad permissions, misconfigured programs, and other behaviors or indicators of problems. You might have to run several of these to get the full range of features you want. Again, this is only a partial list to get you started. There are many excellent HIDS tools and products out there.

Tiger

TIGER is a set of Bourne shell scripts, C programs, and data files which are used to perform a security audit of Unix systems. The security audit results are useful both for system analysis (security auditing) and for real-time, host-based intrusion detection (http://www.tigersecurity.org).

rkhunter

This tool scans for rootkits, backdoors, and local exploits (http://www.rootkit.nl/).

chkrootkit

chkrootkit is a tool to locally check for signs of a rootkit. This tool can also integrate with later versions of TIGER (http://www.chkrootkit.org/).

Titan

TITAN is a collection of programs, each of which either fixes or tightens one or more potential security problems with a particular aspect in the setup or configuration of a Unix system. Conceived and created by Brad Powell, it was written in Bourne shell, and its simple modular design makes it trivial for anyone who can write a shell script or program to add to it, as well as completely understand the internal workings of the system.

TITAN does not replace other security tools, but when used in combination with them, it can make the transformation of a new, out-of-the-box system into a firewall or security-conscious system a significantly easier task. In a nutshell, it attempts to help improve the security of the system it runs on (http://www.fish.com/titan/).

samhain

samhain is an open source file integrity and host-based intrusion detection system for Unix and Linux (http://www.la-samhna.de/samhain/index.html).

tripwire

tripwire is a file integrity checking tool. It's probably one of the most well known HIDS tools. tripwire basically generates a hash, or checksum, of all the files on your system you tell it to monitor. If the file changes, tripwire will alert you to it. There are commercial as well as open source versions of tripwire. The commercial version can be found on tripwire's website, http://www.tripwire.com/.

The open source version is available, as with many other tools in this book, at our website, http://www.gotroot.com.

Aide

AIDE (Advanced Intrusion Detection Environment) is a free open source replacement for tripwire. It's very similar to tripwire and is even included in some Linux distributions. As with tripwire, it's a tool for generating hashes and checksums on files, and then periodically checking those files for changes. You can download AIDE from either our website (www.gotroot.com) or from its official website, http://sourceforge.net/projects/aide.
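The hash-then-compare idea behind tripwire and AIDE, as an added example that is not from the book and is not either tool's code: a baseline of sha256 hashes is written once, and a later check reports files that changed, disappeared, or appeared. It assumes GNU coreutils and findutils (sha256sum, sort -z, xargs -0 -r) and paths without whitespace; in real use the baseline itself must be stored somewhere the monitored host cannot alter.

```shell
#!/bin/sh
# Added example, not tripwire or AIDE code: the hash-baseline-then-compare
# idea those tools implement, using sha256sum over a directory tree.
# Assumes GNU coreutils/findutils; paths containing whitespace are not handled.

# make_baseline DIR BASELINE_FILE: record a hash for every regular file under DIR.
make_baseline() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum ) > "$2"
}

# check_baseline DIR BASELINE_FILE: print one line per deviation from the
# baseline ("CHANGED", "MISSING" or "ADDED" plus the path); print nothing
# when the tree still matches.
check_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    # First file is the baseline (hash path), second is the fresh scan.
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         {
             if (!($2 in base))        print "ADDED   " $2
             else if (base[$2] != $1)  { print "CHANGED " $2; delete base[$2] }
             else                      delete base[$2]
         }
         END { for (p in base) print "MISSING " p }' "$2" "$current"
    rm -f "$current"
}
```

Like the real tools, a clean run prints nothing; any output at all is the alert.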

Remote Logging

You also might want to keep a real-time copy of your firewall's logs on another system you can trust. This system shouldn't be used for anything else if you intend to use the logs for forensics or evidentiary purposes. Judges and lawyers are starting to catch up with technology and beginning to realize how fragile digital evidence can be. If you are relying on a copy of logs kept on a system that has been compromised, you have a serious problem. The logs can easily be tampered with to remove information, plant false information, or anything else you can or cannot imagine. For some peace of mind, keep a separate copy of your logs on a separate system. One way to accomplish this is to set up a loghost in your syslog.conf and to configure the remote system to listen for these entries. For most Linux systems using classic syslog, the remote host will need to be running syslogd with the -r switch, which sets syslogd to listen on UDP port 514 for syslog traffic.

Correctly Configure the Software You Are Using

Most software comes with too many features turned on and is rarely configured to operate in the most paranoid mode. Again, assume the worst: that all the services and software running on your firewall are configured to allow the world full access to the system without so much as an account and password on the system. For instance, the venerable sshd, the stalwart tool of Unix administrators everywhere, is rarely configured out of the box to its most secure settings. Too often sshd is set to allow protocol 1 connections, which is known to have serious security flaws, to allow root logins, to not run as an unprivileged user, and to honor user environment settings. All of these can spell bad news for your firewall. Make sure you understand what the software does, and that you are configuring it correctly. If you aren't sure, ask.
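An added example, not from the book, that checks an sshd_config for the four weak settings named above. The directive names (Protocol, PermitRootLogin, UsePrivilegeSeparation, PermitUserEnvironment) are real OpenSSH options of the book's era; the two sample configurations are constructed, and a POSIX shell with awk is assumed.

```shell
#!/bin/sh
# Added example, not from the book: audit an sshd_config for the weak
# out-of-the-box settings the text warns about. Directive names are real
# OpenSSH options; the sample configurations below are constructed.

# Constructed: a permissive configuration of the kind the text describes.
WEAK_CONFIG='Protocol 2,1
PermitRootLogin yes
UsePrivilegeSeparation no
PermitUserEnvironment yes
Port 22'

# Constructed: the same file with the four settings corrected.
HARDENED_CONFIG='Protocol 2
PermitRootLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
Port 22'

# audit_sshd_config CONFIG_TEXT: print one finding per weak setting.
# Keywords are matched case-insensitively and comment lines are skipped,
# as sshd itself does. A directive that is absent is reported as UNSET,
# because its effective default then depends on the OpenSSH version.
audit_sshd_config() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        { key = tolower($1); seen[key] = 1 }
        key == "protocol" && $2 ~ /1/                        { print "WEAK   Protocol allows SSH-1: " $2 }
        key == "permitrootlogin" && tolower($2) == "yes"      { print "WEAK   PermitRootLogin yes" }
        key == "useprivilegeseparation" && tolower($2) == "no" { print "WEAK   UsePrivilegeSeparation no" }
        key == "permituserenvironment" && tolower($2) == "yes" { print "WEAK   PermitUserEnvironment yes" }
        END {
            n = split("protocol permitrootlogin useprivilegeseparation permituserenvironment", want, " ")
            for (i = 1; i <= n; i++) if (!(want[i] in seen)) print "UNSET  " want[i]
        }'
}

# count_weak CONFIG_TEXT: number of WEAK findings (grep -c exits 1 on zero).
count_weak() {
    audit_sshd_config "$1" | grep -c '^WEAK' || true
}

audit_sshd_config "$WEAK_CONFIG"
```

Run against a real file with `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`; an empty report from the hardened configuration is the goal.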

Use a Hardened Kernel

"The reality is that secure applications require secure operating systems, and any effort to provide system security that ignores this premise is doomed to fail" (P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor, S. J. Turner, and J. F. Farrell. "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments," in proceedings of The 21st National Information Systems Security Conference, pages 303-314, Oct. 1998).

The vanilla Linux kernel is a marvel of open source development but has traditionally been lacking in truly above-and-beyond security models. The security model, particularly in the 2.4 kernel, is only adequate for systems where security is not a primary concern, but with a firewall, security is the system's entire purpose. To rest easy, the security model of the vanilla kernel will not do.

With 2.6, trusted-system enhancements, referred to as SELinux, or Security Enhanced Linux, are now available in the vanilla kernel. SELinux, according to the NSA, provides for a "...flexible mandatory access control architecture incorporated into the major subsystems of the kernel. The system provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements. This allows threats of tampering and bypassing of application security mechanisms to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications." You will have to check your system to see if these features are compiled in by default before you can use them. There are also SELinux patches for the 2.4 kernel, should you choose to use a 2.4 kernel.

In addition to SELinux, we are particularly fond of combining the grsecurity patches with a 2.6 kernel running SELinux, or when running 2.4, we always add in the grsecurity patches. grsecurity, another kernel security enhancement project run by Brad Spengler, includes chroot hardening, IP stack hardening, stack overflow protection, address randomization, trusted path execution, and a real RBAC and MAC security model. The combination of the two works wonderfully for us and provides for so many extra features, it's more than worth the effort to patch your 2.6 kernel with the grsecurity 2.6 features.

You can find the grsecurity patches at http://www.grsecurity.net.

We have also collected many essays and manuals on SELinux at our website (www.gotroot.com). You also can go straight to the source, the NSA, which funded the SELinux enhancements to Linux, for the latest patches, documents, and instructions on how to join the SELinux mailing lists at http://www.nsa.gov/seLinux/.

Other Hardening Steps

Remove any software you cannot prove that you need. One easy piece of software to remove is your compiler. Regardless of what you remove, getting rid of software you don't need will reduce the number of patches you have to install, and it will also lessen your exposure to unknown flaws. The less software you have, the fewer vulnerabilities to which you are exposed.

And finally, don't assume you got any of this right. Now is the time to test the system and see if you can break in. Never assume that you haven't missed something or incorrectly installed some useful security tool. If you really want to test your system, don't do the testing yourself. Have a trusted associate test the system or hire a security auditor to test the security posture of your system.



    Troubleshooting Linux Firewalls
    ISBN: 321227239
    Year: 2004
    Pages: 169