Section A.5 URLs for Security Tools

These URLs cover sites that provide the various tools that are discussed in this book. Most of these tools may be downloaded and used for free.

A.5.1 The Author's Site

Fly-By-Day Consulting, Inc. (FBD) maintains a Web site for purchasers of this book to download updates of the various tools developed by me (as FBD's employee) and open-source tools for their use. These tools also are available on the CD-ROM that accompanies this book. Additionally, there will be errata and other useful information on the Web site.

Note that this license, which covers most of the tools developed by me (or otherwise provided by FBD), only permits their use by those who have a legal copy of the book. If applicable law does not provide for its distribution or use under these conditions, or if you do not agree to these conditions, it is not available for use by you or your company. (I apologize for the capitalization but it is required by law.)

SOFTWARE AND OTHER INFORMATION IN THIS BOOK, CD-ROM, AND ON THE WEB SITE IS PROVIDED BY THE LICENSOR, FLY-BY-DAY CONSULTING, INC. "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

THE ENTIRE RISK AS TO THE QUALITY AND OPERATION OF THE SOFTWARE AND INFORMATION LIES WITH THE LICENSEE. SHOULD THE SOFTWARE OR INFORMATION PROVE DEFECTIVE, THE LICENSEE ALONE SHALL ASSUME THE COST OF ALL NECESSARY SERVICING, CORRECTION, REPAIR OR CONSEQUENCES OF ITS USE OR ATTEMPTED USE.

IN NO EVENT SHALL THE LICENSOR OR CONTRIBUTORS OR PUBLISHER BE LIABLE TO THE LICENSEE OR ANY THIRD PARTY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION, BAD PUBLICITY, OR INFRINGEMENT OF THIRD-PARTY RIGHT OR SIMILAR) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

LICENSOR SHALL HAVE NO OBLIGATION TO PROVIDE MAINTENANCE OR SUPPORT FOR THE SOFTWARE.

THOSE NOT AGREEING TO THESE TERMS ARE FORBIDDEN FROM COPYING OR USING SAID INFORMATION OR SOFTWARE. MUCH OF THE SOFTWARE ON THE CD-ROM AND WEBSITE IS OPEN SOURCE SOFTWARE LICENSED UNDER THE FREE SOFTWARE FOUNDATION'S GPL OR LGPL OR BY THE REGENTS OF THE UNIVERSITY OF CALIFORNIA. BY USING ANY SOFTWARE OR INFORMATION YOU ARE AGREEING TO THESE TERMS AND THAT THE STATE AND LOCAL COURTS OF GEORGIA, IN THE UNITED STATES HAVE SOLE JURISDICTION.

Just as with any other software downloaded from the Internet, you will want to satisfy yourself that the software does not contain any Trojan horses. Certainly, this site will be the target of intense cracker activity, some of which might succeed. It is critical that you check the signature of each file downloaded, as explained in "Signature Files" on page 441 and "The Author's GPG Public Key" on page 790.

The Web site is at

www.realworldlinuxsecurity.com/

There also is a mirror of this site with a higher bandwidth connection at

www.mindspring.com/~cavu/rwls/

To prevent anyone other than readers of this book from downloading files, FTP access may require that an account and password be provided. If this is required, the account and password will be

penguin WorldDom

The truly paranoid will download the files they want from both sites and compare them, on the theory that it is less likely that both sites could have been cracked, and will most certainly verify the GPG signatures. The author can be reached by e-mail at book@verysecurelinux.com; GPG encryption and signing may be used if the content warrants it.

A.5.2 Downloading the Secure SHell (SSH)

You may download the latest version of Secure SHell (SSH) from any of the following sites:

ftp://www.ibiblio.org/pub/packages/security/ssh/  (OpenSSH downloads)
www.ssh.fi
www.openssh.com  (This is the unrestricted version.)
www.chiark.greenend.org.uk/~sgtatham/putty/  (GUI Windows)
pro.wanadoo.fr/chombier/  (Mac)
www.lexa.ru/sos  (Windows version of ssh1 and ssh2)
www.cl.cam.ac.uk/~fapp2/software/java-ssh  (Java-based ssh)
www.lysator.liu.se/~jonasw/about  (MacOS ssh; outside U.S. only)
www.er6.eng.ohio-state.edu/~jonesd/ssh  (VMS client)
www.free.lp.se/fish  (VMS client)
www.isaac.cs.berkeley.edu/pilot  (Palm Pilot)
ftp://hobbes.nmsu.edu/pub/os2/apps/internet/telnet/client/ssh-1.2.27-b1.zip  (OS2)
www.ssh.org/patches/patch-ssh-1.2.27-rsaref.buffer.overflow

Additionally, the following site offers lots of documentation on SSH, including how to use it, "Public Key Encryption 101," and some links.

http://ns.uoregon.edu/pgpssh/sshstart.html

A.5.3 Downloading Bastille Linux

Bastille Linux is a project that has created a script which a SysAdmin may download and invoke; it leads her through the steps to harden her system. At the time of this writing, it only supports Red Hat Linux 6.0 through 7.1 and Mandrake 6.0 through 8.0.

http://bastille-linux.org/

A.5.4 Downloading the SuSE Hardening Script

There is a script to harden SuSE installations (6.1 through 8.0 and beyond), available on the CD-ROM and at

www.suse.de/~marc/harden_suse-2.4.tar.gz

A.5.5 Downloading Linux Intrusion Detection System

The Linux Intrusion Detection System may be used to prevent and detect attempted (and successful) break-ins. It uses the new CAP (capability) system calls to limit root's power. It is worth trying.

www.lids.org/

ftp://ftp.lids.org/

A.5.6 Pretty Good Privacy (PGP)

Pretty Good Privacy software (PGP) may be used for protecting e-mail messages, disk files, and almost any other data, except a TCP session or UDP packets. (TCP sessions may be protected rather nicely with SSH.) It is covered in "Pretty Good Privacy (PGP)" on page 430. Also see "Using GPG to Encrypt Files the Easy Way" on page 431. The following site offers downloads of PGP to U.S. citizens and permanent residents in the U.S., and Canadian citizens in Canada. In the past, others have located sites outside of the U.S. or have obtained a copy of Zimmermann's book with source code (which now is out of print).

Note that it is legal to ship the printed source code overseas but not a tape containing the same information. In early 2000 the U.S. government started relaxing export controls on encryption software so these limitations may no longer apply when you read this.

I remember when these export controls first went into effect around 1981 and my company, Onyx, had to split our UNIX distribution into two versions, a full domestic one and an international one that was devoid of the decryption library and program.

Note that one-way encryption is allowed (because it cannot be used to "hide" information) so the UNIX/Linux password encryption remained legal.

PGP may be downloaded from the following site:

http://web.mit.edu/network/pgp.html

A.5.7 GNU Privacy Guard (GPG)

The GNU Privacy Guard, GPG, is the Free Software Foundation's Open Source implementation of Philip Zimmermann's Pretty Good Privacy. It was first available in late 1999. It does not suffer from the licensing and export restrictions of PGP. It is discussed in detail in "Using GPG to Encrypt Files the Easy Way" on page 431. It may be legally downloaded (by anyone) from

www.gnupg.org/

A.5.8 The tcpdump Utility

One of the U.S. government's energy and nuclear research laboratories, Lawrence Berkeley Lab (LBL), offers the tcpdump Linux/UNIX utility. This utility is a sniffer intended for System Administrators to analyze their computers and networks for both general network problems and security problems. As such, it does not show enough of the packet to, say, see the contents of a mail message (though it would be trivial to alter this). I also have found it quite useful in debugging during development of client/server software. The tcpdump program and related software may be downloaded from the laboratory at the URLs listed below. It is easy to set up and use.

ftp://ftp.ee.lbl.gov/libpcap.tar.Z

ftp://ftp.ee.lbl.gov/pcapture-0.2.1.tar.Z

ftp://ftp.ee.lbl.gov/tcpdump-3.4.tar.Z

A.5.9 The Ethereal GUI-Based Sniffer

This is an open-source GUI-based sniffer that, besides the "show every packet" philosophy of tcpdump, allows easy watching of a particular session. Because it shows the actual data, honesty in its use is important here. It even allows decompressing gzipped streams. It is the author's favorite sniffer.

It requires GTK+ and libpcap, as well as Perl. If decompression is desired, zlib is required. These may be downloaded from

http://ethereal.zing.org/

ftp://ftp.ee.lbl.gov/

www.gtk.org/

A.5.10 The sniffit Utility

This utility is more sophisticated than tcpdump and also will show the contents of the packet rather than just the headers. Although this can be used for unethical purposes, crackers will do that anyway.

http://sniffit.rug.ac.be/~coder/sniffit/sniffit.html

A.5.11 Downloading the Tripwire Utility

Tripwire is a powerful, yet hard-to-use tool that computes a hard-to-fake checksum of each file on your system that you are interested in, such as your system configuration files in /etc, system programs in /bin and /usr/bin, and user accounts. It allows you at any time to see whether any of the files have been altered.

A free copy of Tripwire is currently available at the following site. Enhanced versions of the program are also offered for a substantial fee.

www.tripwire.com/downloads/

You also might check the related site for open-source development.

http://tripwire.org/

A.5.12 Downloading Tripwire Alternatives

These alternatives to Tripwire might be easier and more pleasant to use, while providing at least the same level of security.

The samhain file system integrity checker may be downloaded from

www.la-samna.de/samhain/index.html

AIDE may be downloaded from

ftp://ftp.linux.hr/pub/aide/

The current version of AIDE is

aide-0.7.tar.gz

The AIDE manual may be downloaded from

www.cs.tut.fi/~rammer/aide/manual.html

Gog&Magog may be downloaded from

www.multimania.com/cparisel/gog/

and Sentinel, which has a nice optional GUI front end, from

http://zurk.netpedia.net/zfile.html

SuSEauditdisk operates from a bootable disk to provide very secure integrity checking. It is standard with SuSE and can be ported easily to other distributions. Download it from

www.suse.de/~marc/

A.5.13 Downloading the Nessus Security Auditor

Nessus is a powerful tool for scanning (probing) your network for open ports and, more importantly, vulnerabilities in those services. It is discussed briefly in "The Nessus Security Scanner" on page 591.

www.nessus.org/

A.5.14 Downloading the SARA Security Auditor

The SARA Security Auditor is a new tool based on the SATAN source, but will continue to be enhanced in a timely fashion and continuously updated as new exploits are discovered, sometimes before these exploits become common knowledge. It is an excellent tool and it is suggested that you try it out.

www-arc.com/sara/

Also, they offer a mailing list that you may subscribe to thusly:

echo subscribe sara-l | Mail -s subscribe list@mail-arc.com

A.5.15 Downloading nmap

The nmap tool allows mapping the open ports of the systems on your network. It is discussed in "The nmap Network Mapper" on page 592. It may be downloaded from

www.insecure.org/nmap/

A.5.16 Downloading the Snort Attack Detector

Snort is designed to heavily sniff your network looking for patterns of known attacks and warn you. It has a very large database of more than 500 attack signatures and this database is kept up to date. This is an excellent tool for sounding the first alarm when you are under attack. It is discussed in "The Snort Attack Detector" on page 598 and may be downloaded from

www.snort.org/

A.5.17 Downloading SHADOW

SHADOW is a sophisticated tool for analyzing intrusion attempts and successes and recognizing patterns of many intrusion attempts in large volumes of otherwise normal traffic, available from the U.S. Navy's Naval Surface Warfare Center.

It operates in near real-time, generating alerts and capturing packets for further analysis and for evidence in subsequent legal action. It can detect stealth scans done via TCP "half-opens," sending UDP replies, etc. This is an excellent free product that can handle even very large sites. It is discussed in "Scanning and Analyzing with SHADOW" on page 599.

www.nswc.navy.mil/ISSEC/CID/

A.5.18 Downloading the SAINT Security Auditor

SAINT is a program that scans a system for security vulnerabilities. It now will recognize zombies for various DDoS programs, such as Trin00, TFN, Stacheldraht, Shaft, and mstream, and for various Sendmail and WU-FTPD weaknesses. It is derived from SATAN.

www.wwdsi.com/saint/

A.5.19 Downloading IP Chains Configuration Tool

PMFirewall is an IP Chains firewall and Masquerading configuration program for Linux. It is designed to allow a novice to build a custom firewall with little or no IP Chains experience. It rated four penguins on tucows. It understands common IP Chains configurations for workstations, servers, firewalls, and routers. It can handle multiple Ethernet cards, cable modems, dial-up connections, and Masquerading. It will determine the address and netmask for each interface automatically. It works on almost every Linux distribution.

www.pointman.org/PMFirewall/

A.5.20 Downloading SSL

SSL is short for Secure Sockets Layer. It is the encryption and authentication code and protocol that puts the "s" in https, pop3s, and imaps. It prevents sniffing and spoofing very effectively. Even high-security applications such as Internet banking and commerce rely on it. I am not aware of it having been broken.

It is important to note that SSL solves only the problems of network sniffing and authentication, and only if used correctly. Some sites fail to use it for all the confidential information sent over the Internet. Even though Netscape Communications invented SSL, some versions of their browser have used it incorrectly, making users vulnerable to dishonest Web sites. This is discussed in "Upgrade Netscape" on page 113.

Do not get a false sense of security that either your browser's site or your Web site is secure because SSL is used; it is but one component of security. Consider, too, that because SSL provides encrypted communication through your firewall, the firewall cannot detect content-based attacks done over SSL. These include long names causing buffer overflow attacks, non-ASCII data, and many other attacks that Web servers and clients are vulnerable to.

An open-source version of SSL, including the sslproxy program (used for wrapping around the imap and pop3 servers), stunnel, edssl, and the SSL library may be downloaded from

www.openssl.org/

It includes the SSL library needed by fetchmail-ssl and similar programs.

A.5.21 Downloading sslwrap

The sslwrap program allows wrapping any TCP service in SSL easily. It is especially recommended for imap and pop3. (Note that it is not recommended for https. Apache's http-ssl is a better solution.) See also "POP and IMAP Servers" on page 204.

www.rickk.com/sslwrap/

A.5.22 SSH-Wrapped CVS Web Site

CVS is a very useful tool for shared software development over the Internet and has been a part of Linux development since the beginning. Unfortunately, by itself it is not secure. With a small amount of effort, it can be wrapped in SSH, as CVS is just another TCP service to SSH. The Web site

http://cuba.xs4all.nl/~tim/scvs

documents how to do this.

A.5.23 Downloading Encrypted Disk Driver

PPDD (Practical Privacy Disk Driver), an encrypting device driver that may be stacked above a disk driver, may be downloaded from

http://linux01.gwdg.de/~alatham/ppdd.html

It is discussed in more detail in "Encrypted Disk Driver" on page 274.

A.5.24 Sendmail Without Root

This page explains how to set up sendmail to run without ever being root and to be invoked from inetd to allow the use of TCP Wrappers and to be immune to reverse DNS spoofing.

www.coker.com.au/~russell/sendmail.html

A.5.25 Downloading postfix

The postfix program is an alternative to sendmail that some security experts consider to be substantially more secure due to its use of "Rings of Security." Its advantages are discussed in "Sendmail" on page 174.

www.postfix.org/

A.5.26 Libsafe

This innovative library works around some common C programming bugs that cause buffer overflows. These bugs are one of the most common entry points for Linux compromises and cannot be overcome completely by good system administration practices alone. The library works by intercepting calls to the most common string-processing library routines that such buggy code uses, and mitigates the problem there.

The innovation is that Libsafe does not require you to recompile or even relink all your code. Instead, it operates as a dynamic library and so just needs to be "dropped in." Because virtually all programs are dynamically linked, they benefit from this protection. It was created by Bell Labs. It is on the CD-ROM and also may be downloaded from

www.research.avayalabs.com/project/libsafe/

A.5.27 Attacks That Have Been Seen

This Web site posts the various attacks that have been launched against various ports; in other words, what Trojans have been seen on these ports. By understanding these, you can get valuable clues to what compromises might have happened to some of your systems.

www.robertgraham.com/pubs/firewall-seen.html

A.5.28 Analyzing Your Attacker with Sam Spade

This interesting site offers many tools for analyzing another site. It can tell what domain an IP address belongs to, safely analyzes Web pages (though tcpread will do this too), allows looking at sites without giving away your IP address, and can check whether your mail server allows relaying. Unfortunately, this site can be used for evil too but the crackers will discover it anyway. I consider its value to white hats sufficient to list it.

www.samspade.org/

    Real World Linux Security Prentice Hall Ptr Open Source Technology Series
    Year: 2002
    Pages: 260