language so you can write your own. Nessus is available from http://www.nessus.org/.
Saint
Saint is the sequel to Satan, a network security scanner made (in)famous by the media a few
years ago (there were great worries that bad people would take over the Internet using it).
Saint also uses a client/server architecture, but uses a www interface instead of a client
program. Saint produces very easy to read and understand output, with security problems
graded by priority (although not always correctly), and also supports add-in scanning modules,
making it very flexible. Saint is available from: http://www.wwdsi.com/saint/.
Cheops
While not a scanner per se, it is useful for detecting a host's OS and dealing with a large
number of hosts quickly. Cheops is a "network neighborhood" on steroids: it builds a picture
of a domain or IP block, which hosts are running, and so on. It is extremely useful for
preparing an initial scan, as you can locate interesting items (HP printers, Ascend routers, etc.)
quickly. Cheops is available at: http://www.marko.net/cheops/.
Ftpcheck / Relaycheck
Two simple utilities that scan for ftp servers and mail servers that allow relaying, good for
keeping tabs on naughty users installing services they shouldn't (or simply misconfiguring
them), available from: http://david.weekly.org/code/.
SARA
Security Auditor's Research Assistant (SARA) is a tool similar in function to SATAN and
Saint. SARA supports multiple threads for faster scans, stores its data in a database for ease
of access, and generates nice HTML reports. SARA is free for use and is available from:
http://home.arc.com/sara/.
Firewall scanners
Firewalk
Firewalk is a program that uses traceroute-style packets to scan a firewall and attempt to
deduce the rules in place on that firewall. By sending out packets with various time-to-live
values and seeing where they die or are refused, a firewall can be tricked into revealing its rules.
There is no real defense against this apart from silently denying packets instead of sending a
rejection message, which hopefully will reveal less. I would advise utilizing this tool against
your own systems, as the results can help you tighten up security. Firewalk is available from:
http://www.packetfactory.net/firewalk/.
Exploits
I won't cover exploits specifically, since there are hundreds if not thousands of them floating
around for Linux. I will simply cover the main archival sites.
http://www.rootshell.com/
One of the primary archive sites for exploits; it has almost anything and everything, a
convenient search engine, and generally complete exploits.
Scanning and intrusion detection tools
If the last section has you worried, you should be. There are, however, many defenses, active
and passive, against those types of attacks. The best ways to combat network scans are to keep
software up to date, only run what is needed, and heavily restrict the rest through the use of
firewalls and other mechanisms. Luckily, in Linux these tools are free and easily available;
again I will only cover open-source tools, since the idea of a proprietary firewall/etc. is rather
worrying. The first line of defense should be a robust firewall, followed by packet filters on
all Internet-accessible machines, liberal use of TCP-WRAPPERS, logging and, more
importantly, automated software to examine the logs for you (it is infeasible for an
administrator to read log files by hand nowadays).
Logging Tools
Port Sentry (beta)
The third component of the Abacus suite, it detects and logs port scans, including stealthy
scans (basically anything nmap can do, it should be able to detect). Port Sentry can be
configured to block the offending machine (in my opinion a bad idea, as it could be used for a
denial of service attack on legitimate hosts by spoofing their addresses), making completion of a port scan difficult. As
this tool is in beta I would recommend against using it, however with some age it should
mature into a solid and useful tool. Port Sentry is available at:
http://www.psionic.com/abacus/portsentry/.
Host based attack detection
Firewalling
Most firewalls support logging of data, and ipfwadm/ipchains are no exception: using the -l
switch you get a syslog entry for each matching packet, and with automated filters (Perl is good
for this) you can detect trends, hostile attempts and so on. Since most firewalls (UNIX-based
and Cisco, in any case) log via the syslog facility, you can easily centralize all your firewall
packet logging on a single host (with a lot of hard drive space, hopefully).
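The automated filtering described above, and the low-TTL probing described under Firewalk, as an added example that is not part of the original guide: a small Python filter over syslog lines in the format ipchains -l writes (the "Packet log:" layout with PROTO=, source:port, destination:port, L=, S=, I=, F= and T= fields is assumed from that format). The sample lines, the function names and the thresholds are all constructed for this example. It flags one source touching many distinct ports (a scan) and packets that arrive with a very small TTL (what traceroute-style rule mapping, and plain traceroute, look like in a firewall log).

```python
import re
from collections import defaultdict

# Constructed sample lines (not from any real system) in the syslog form that
# "ipchains -l" produces; the field layout is assumed from the kernel 2.2 format.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:4021 192.0.2.10:21 L=60 S=0x00 I=1001 F=0x4000 T=64 SYN (#3)
Mar  3 10:15:01 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:4022 192.0.2.10:22 L=60 S=0x00 I=1002 F=0x4000 T=64 SYN (#3)
Mar  3 10:15:01 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:4023 192.0.2.10:23 L=60 S=0x00 I=1003 F=0x4000 T=64 SYN (#3)
Mar  3 10:15:02 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:4024 192.0.2.10:25 L=60 S=0x00 I=1004 F=0x4000 T=64 SYN (#3)
Mar  3 10:15:02 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:4025 192.0.2.10:110 L=60 S=0x00 I=1005 F=0x4000 T=64 SYN (#3)
Mar  3 10:15:02 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:4026 192.0.2.10:143 L=60 S=0x00 I=1006 F=0x4000 T=64 SYN (#3)
Mar  3 10:16:10 gw kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:53001 192.0.2.20:80 L=48 S=0x00 I=2001 F=0x0000 T=1 (#3)
Mar  3 10:16:10 gw kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:53002 192.0.2.20:80 L=48 S=0x00 I=2002 F=0x0000 T=2 (#3)
Mar  3 10:16:11 gw kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:53003 192.0.2.20:80 L=48 S=0x00 I=2003 F=0x0000 T=3 (#3)
Mar  3 10:17:00 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.7:1200 192.0.2.10:80 L=60 S=0x00 I=3001 F=0x4000 T=64 SYN (#3)
Mar  3 10:17:05 gw kernel: eth0: link is up
"""

# Only the fields needed below are captured; everything after T= (flags, rule number) is ignored.
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)"
)


def parse_line(line):
    """Return the packet fields of one ipchains log line, or None for any other syslog line."""
    m = PACKET_LOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ttl"):
        rec[key] = int(rec[key])
    return rec


def analyze(lines, scan_ports=5, low_ttl=5):
    """Group logged packets by source address and flag two patterns:
    - port_scans: a source that touched at least scan_ports distinct destination ports
    - low_ttl_probes: packets whose TTL was below low_ttl on arrival, i.e. the sender
      deliberately set a tiny TTL, as traceroute and traceroute-style rule mapping do
    Thresholds are constructed for this example; tune them to your own traffic.
    """
    ports_by_src = defaultdict(set)
    low_ttl_by_src = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ports_by_src[rec["src"]].add(rec["dport"])
        if rec["ttl"] < low_ttl:
            low_ttl_by_src[rec["src"]] += 1
    return {
        "port_scans": {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= scan_ports},
        "low_ttl_probes": dict(low_ttl_by_src),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG.splitlines()).items():
        print(kind, hits)
```

Run against a centralized syslog file (feed the file object to analyze) this reports the scanning host with the port list it walked and the host that sent the TTL 1, 2, 3 probes; the single benign connection from 10.0.0.7 and the non-firewall kernel line produce nothing.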
TCP-WRAPPERS
Wietse's TCP-WRAPPERS allow you to restrict connections to various services based on IP
address and so forth, but even more importantly they allow you to configure a response: you can
have it email you, finger the offending machine, and so on (use with caution, however).
TCP-WRAPPERS comes standard with most distributions and is available at:
ftp://ftp.porcupine.org/pub/security/.
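As an added example (not Wietse Venema's code, and not from the original guide), the following Python models how tcpd evaluates hosts.allow and hosts.deny, because the decision order is the part people get wrong: the allow file is checked first, then the deny file, and a connection matching neither is allowed. The rule texts are constructed; the evaluator supports a subset of the client pattern syntax (ALL, exact address, a trailing-dot octet prefix, net/mask and EXCEPT) and ignores the optional third field, so it illustrates the precedence rather than replacing the real library. The weak and strict deny files are shown side by side.

```python
import ipaddress

# Constructed hosts.allow in the "daemon_list : client_list [: option]" format.
HOSTS_ALLOW = """
# local net may reach everything
ALL: 192.168.1.0/255.255.255.0
# management hosts may reach sshd, one noisy host excepted
sshd: 10.0.0. EXCEPT 10.0.0.13
"""

# Weak configuration: no hosts.deny at all. tcpd's default is to allow, so every
# daemon is reachable from everywhere not covered by an explicit rule.
HOSTS_DENY_WEAK = ""

# Corrected configuration: a catch-all so that only hosts.allow matches get through.
HOSTS_DENY_STRICT = """
ALL: ALL
"""


def _parse(text):
    """Turn a hosts.allow/hosts.deny body into (daemon_names, client_list) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((fields[0].split(), fields[1]))  # third field (options) ignored here
    return rules


def _host_matches(pattern, host):
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form, e.g. 192.168.1.0/255.255.255.0
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(host) in network
    if pattern.endswith("."):  # leading-octets prefix, e.g. 10.0.0.
        return host.startswith(pattern)
    return host == pattern


def _client_matches(client_list, host):
    """'A EXCEPT B' matches when A matches and B does not; EXCEPT may be nested to the right."""
    if " EXCEPT " in client_list:
        left, right = client_list.split(" EXCEPT ", 1)
        return _client_matches(left, host) and not _client_matches(right, host)
    return any(_host_matches(p, host) for p in client_list.split())


def _rule_matches(rule, daemon, host):
    daemons, clients = rule
    return ("ALL" in daemons or daemon in daemons) and _client_matches(clients, host)


def access_allowed(daemon, host, allow_text, deny_text):
    """tcpd decision order: allow file first, then deny file, then default allow."""
    if any(_rule_matches(r, daemon, host) for r in _parse(allow_text)):
        return True
    if any(_rule_matches(r, daemon, host) for r in _parse(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for daemon, host in (("in.telnetd", "192.168.1.7"), ("sshd", "10.0.0.13"), ("in.telnetd", "203.0.113.4")):
        print(daemon, host,
              "weak:", access_allowed(daemon, host, HOSTS_ALLOW, HOSTS_DENY_WEAK),
              "strict:", access_allowed(daemon, host, HOSTS_ALLOW, HOSTS_DENY_STRICT))
```

The third case is the one to check on a real machine: with no catch-all in hosts.deny, an outside address reaches in.telnetd even though hosts.allow never mentions it.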
Klaxon
While mostly obsoleted by TCP-WRAPPERS and firewall logging, klaxon can still be useful
for detecting port scans/etc if you don't want to totally lock down the machine. Klaxon is
available at: ftp://ftp.eng.auburn.edu/pub/doug/.
Host Sentry (pre release software)
While this software is not yet ready for mass consumption, I thought I would mention it
anyway as it is part of a larger project (the Abacus project, http://www.psionic.com/abacus/).
Basically Host Sentry builds a profile of user accesses and then compares that to current