Tools for Linux security

By Fei Zhao


Linux is becoming more and more popular: it provides a UNIX-like server and workstation environment at low cost, is as capable as commercial UNIX systems, runs on a wide variety of hardware platforms, and several distributions are free and widely available. The flip side is that Linux systems are no longer risk free. The threats to them are growing as well; they include attackers, viruses, Trojan horses, worms and so on.

By quantifying the risks it becomes possible to take measures that reduce them, so the security of Linux is an increasingly important topic. In practice, securing Linux requires the help of different kinds of tools, and the open-source nature of Linux has encouraged the development of many excellent ones. There are many security tools for Linux, each good at one task or class of tasks. There is no universal solution, so choosing these tools and using them well is crucial.

An appropriate and powerful tool can relieve the workload of a Linux system administrator and improve the overall security and performance of a Linux-based network.


Protocol analyzer -- Ethereal

Introduction

Ethereal is the most popular network protocol analyzer. It is network monitoring software that runs on many platforms, including Linux, Solaris and SGI IRIX. It captures packets from a network interface and decodes them protocol by protocol, which makes the weaknesses of TCP/IP visible: anything sent in clear text (telnet and FTP passwords, HTTP cookies, SNMP community strings) can be read straight off the wire. It works much like the commercial Sniffer product on Windows, capturing and analyzing the datagrams on a shared network segment; on a switched network a host normally sees only its own traffic and broadcasts, so a mirror (SPAN) port or a hub is needed to watch other machines. Plug-ins can be added to implement extra features such as new protocol dissectors.

Installation

The latest Ethereal version is ethereal-0.99.0, which can be downloaded from http://www.ethereal.com/ (the project was renamed Wireshark after this release; newer versions are published at http://www.wireshark.org/).
Ethereal has a convenient, user-friendly GUI through which the user can select the capture interface (one of several NICs), choose which protocols to display and configure the decoders. Unpack the source as follows:

  # cp ethereal-0.99.0.tar.bz2 /usr/local/src/

  # cd /usr/local/src/

  # bzip2 -d ethereal-0.99.0.tar.bz2

  # tar xvf ethereal-0.99.0.tar
 

In addition, just like tcpdump, Ethereal needs the packet capture library libpcap (and its header files) installed before it can be compiled; the GUI also needs the GTK+ development files. If libpcap is installed, use the following commands to compile and install Ethereal:

  # cd ethereal-0.99.0

  # ./configure

  # make

  # make install

How to use

Ethereal is a GUI network protocol analyzer and all of its features are reachable from the graphical interface. Capturing needs raw access to the network interface, so it must be started as root. It is better to specify a capture filter before capturing; otherwise the amount of captured data becomes huge even in a short capture, and most of the captured protocols are not the ones of interest. Capture filters use libpcap (BPF) syntax, for example "tcp port 80 and not host 192.168.1.10", and are applied in the kernel before packets are stored; they are different from display filters such as "http.request", which only hide packets that have already been captured. One more precaution: the protocol dissectors parse attacker-controlled input while the program runs as root, so on a hostile network it is safer to capture to a file with the command-line tool tethereal (installed together with Ethereal) and then open the file in the GUI as an unprivileged user.

Network port scanner -- Nmap

Introduction

Nmap ("Network Mapper") is a free, open source utility for network exploration and security auditing. It is designed to scan large networks rapidly and reports which TCP and UDP ports are currently listening. A user can verify which ports are open and reachable from outside, and then close the unnecessary ones, for instance the ports of insecure system services or of bandwidth-hungry P2P applications.

The purpose of Nmap, for a system administrator, is to monitor the state of the network conveniently: how many hosts are up and what services each of them provides. It is fast, which makes it especially suitable for large networks. It is also the first tool an attacker runs, so a scan of your own network shows what the attacker will see.

When scanning, Nmap first performs host discovery: by default it sends an ICMP echo request (and, when run as root, a TCP probe to port 80) to decide whether a host is up, and only hosts that respond have their ports scanned. A host whose firewall drops these probes is reported as down; use -P0 to skip discovery and scan it anyway.

Installation

The latest Nmap version is nmap-4.20.tar.bz2, which can be downloaded from http://www.insecure.org/nmap/index.html

  # bzip2 -cd nmap-4.20.tar.bz2 | tar xvf -

  # cd nmap-4.20

  # ./configure

  # make

  # make install

How to use

The following example scans the local machine. Run as root, Nmap uses a TCP SYN scan by default (as an unprivileged user it falls back to a full connect() scan) and probes only its list of about 1,700 well-known TCP ports; add -p- to scan all 65,535 ports, -sU to scan UDP as well, and -sV to identify the service and version behind each open port. Scanning 127.0.0.1 also shows services bound only to the loopback interface, so scan the host from another machine to see what is really exposed.

# nmap 127.0.0.1

Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-26 11:32 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1688 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
443/tcp open https
631/tcp open ipp
50000/tcp open iiimsf
50002/tcp open iiimsf

Nmap finished: 1 IP address (1 host up) scanned in 0.282 seconds
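A scan is only useful if someone acts on it. The following script is an added example, not code from the article or from the Nmap project: it reads Nmap's normal output, compares the open ports with an allow-list of services the host is supposed to expose, and prints the rest as findings. The allow-list (22, 80 and 443) is an assumed policy, and the scan output embedded in the script is the localhost scan shown above, included so the script runs without Nmap; pass a file with real output as the first argument instead.

```sh
#!/bin/sh
# Added example (not part of the original article): turn an Nmap report into an
# audit finding by comparing the open ports with an allow-list of what the host
# is supposed to expose. The allow-list is an assumed policy for this example.

# Constructed sample: the localhost scan from the article, embedded so the
# script runs offline. On a real host: nmap 127.0.0.1 > scan.txt; sh audit.sh scan.txt
SAMPLE_SCAN='Starting Nmap 4.20 ( http://insecure.org ) at 2007-03-26 11:32 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1688 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
443/tcp open https
631/tcp open ipp
50000/tcp open iiimsf
50002/tcp open iiimsf

Nmap finished: 1 IP address (1 host up) scanned in 0.282 seconds'

# Services this host is meant to expose (assumed policy).
ALLOWED="22/tcp 80/tcp 443/tcp"

# open_ports: read Nmap normal output on stdin, print "port/proto service" for
# every port in state "open" (closed and filtered ports are ignored).
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# unexpected_ports ALLOWED: open ports (from stdin) that are not in ALLOWED.
unexpected_ports() {
    allowed=" $1 "
    open_ports | while read -r port service; do
        case "$allowed" in
            *" $port "*) ;;                        # expected, nothing to report
            *) printf '%s %s\n' "$port" "$service" ;;
        esac
    done
}

# audit SCANFILE: print the findings and return 1 if anything unexpected is
# open, so the script can fail a cron job or a build step.
audit() {
    findings=$(unexpected_ports "$ALLOWED" < "$1")
    if [ -z "$findings" ]; then
        echo "OK: only allowed ports are open"
        return 0
    fi
    echo "WARNING: unexpected open ports:"
    printf '%s\n' "$findings"
    return 1
}

# count_unexpected: number of unexpected open ports in the embedded sample.
count_unexpected() {
    printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports "$ALLOWED" | wc -l | tr -d ' '
}

if [ -n "${1:-}" ]; then
    audit "$1"                                     # exit status 1 signals findings
else
    echo "Unexpected open ports in the embedded sample:"
    printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports "$ALLOWED"
fi
```

On the sample scan the script reports six ports (ftp, smtp, rpcbind, ipp and the two iiimsf ports); each one is either a service to shut down or an entry to add to the allow-list after someone has justified it. Because the port list is matched exactly, a service that moves to a non-standard port shows up as a finding rather than disappearing from view.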

Password analyzer -- John the Ripper

Introduction

In Linux, passwords are not stored in clear text but as hashes (in /etc/shadow, which only root can read). A hash function is one-way, so the password cannot be recovered from the hash directly. But if a password is a simple word, or a simple combination of letters and digits in a predictable pattern, it is easy for an attacker to guess it: build a dictionary from common words and from the user's personal information, hash every candidate with the same hash function and salt as the stored password, and compare each result with the stored hash; a match means the password is cracked. A slower, salted hashing scheme (MD5-crypt rather than the old DES crypt) makes every guess cost more, but no hash protects a password that is in the attacker's dictionary.

Generally speaking, a password analyzer is used by attackers to obtain users' passwords, but a system administrator can use it to check whether the passwords of system users are weak, warn those users and make them choose stronger ones, which increases the security of the whole system. Do this only on systems you are responsible for, and treat the list of cracked passwords as sensitive data.

There are many password analyzers available on the Internet; among them, John the Ripper is a classic and efficient one. It is free, open source software, distributed primarily in source code form.

Installation

The latest John the Ripper version is 1.7.2, which can be downloaded from http://www.openwall.com/john/. Running make with no target lists the supported build targets; linux-x86-any is the generic 32-bit build for current (ELF) Linux systems, the -a.out variants are for old a.out-based ones, and linux-x86-sse2 or linux-x86-mmx is faster on CPUs that support those instructions. The binary is placed in the run directory, and ./john --test benchmarks the build:

  # tar xzvf john-1.7.2.tar.gz

  # cd john-1.7.2/src

  # make linux-x86-any

  # cd ../run

  # ./john --test

How to use

(1) First, build the file to crack. The hashes live in /etc/shadow, so merge it with /etc/passwd using the unshadow tool that comes with John (as root). Then try the cheap "single crack" mode, which derives guesses from each account's own login name and GECOS information:

  # ./unshadow /etc/passwd /etc/shadow > passwd.txt

  # ./john --single passwd.txt

  # ./john --show passwd.txt


(2) Then the dictionary attack. John ships a word list, password.lst, in the run directory; --rules applies word-mangling rules (appended digits, changed case and so on) to every word:

  # ./john --wordlist=password.lst --rules passwd.txt

  # ./john --show passwd.txt
 

(3) If still unsuccessful, brute force ("incremental" mode), which tries all character combinations and runs until interrupted with Ctrl-C. Running John with no mode option executes the three stages in exactly this order:

  # ./john --incremental passwd.txt

  # ./john --show passwd.txt

Cracked passwords are recorded in john.pot in the run directory, so --show can be run at any time and John never repeats work on hashes it has already cracked. Delete passwd.txt and john.pot when the audit is finished; both contain material an attacker would love to find.
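The following script is an added example, not code from the article or from the John project. It illustrates the dictionary-attack workflow from the Introduction and the three-stage procedure above in one runnable piece: it prepares the file to crack the way unshadow does (reimplemented in awk so the preparation can be exercised without John installed), drops locked accounts, and wraps the three John stages in the order the procedure uses. The passwd and shadow lines are constructed samples with placeholder hashes, and the word list path /usr/share/dict/words is an assumption.

```sh
#!/bin/sh
# Added example, not from the original article or the John project: the
# three-stage audit described above with the flag syntax John 1.7 accepts, plus
# the step the procedure needs first, building the file to crack. The hashes
# live in /etc/shadow, not /etc/passwd; John's unshadow utility merges the two,
# and merge_passwd_shadow below does the same job in awk so the preparation
# can be exercised without John installed.

umask 077                          # the merged file holds password hashes: owner-only
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample input with placeholder hashes (not real crypt output).
# On a real system read /etc/passwd and /etc/shadow as root instead.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$WORK/shadow" <<'EOF'
root:$1$PLACEHOLDER$notarealhash0000000000:13600:0:99999:7:::
daemon:*:13600:0:99999:7:::
alice:$1$PLACEHOLDER$notarealhash0000000001:13600:0:99999:7:::
EOF

# merge_passwd_shadow PASSWD SHADOW: what unshadow does. The first pass
# (NR == FNR) reads the shadow file into an array; the second prints the passwd
# file with the "x" in field 2 replaced by the account's hash.
merge_passwd_shadow() {
    awk -F: -v OFS=: 'NR == FNR { hash[$1] = $2; next }
                      { if ($1 in hash) $2 = hash[$1]; print }' "$2" "$1"
}

# crackable: keep only accounts that can be attacked; locked ("!", "*") and
# empty hashes are dropped so the report lists real accounts only.
crackable() {
    awk -F: '$2 != "" && $2 != "*" && $2 !~ /^!/'
}

# run_john PWFILE WORDLIST: the article's three stages, cheapest first. Hashes
# cracked in one stage are recorded in john.pot and skipped by the next, and
# --show lists everything cracked so far. --rules applies John's word-mangling
# rules to the wordlist so that "password1" and "Password" are tried as well.
run_john() {
    command -v john >/dev/null 2>&1 || { echo "john is not installed" >&2; return 1; }
    john --single "$1"
    john --wordlist="$2" --rules "$1"
    john --incremental "$1"        # brute force: runs until interrupted
    john --show "$1"
}

merge_passwd_shadow "$WORK/passwd" "$WORK/shadow" | crackable > "$WORK/pwfile"
echo "accounts to audit: $(wc -l < "$WORK/pwfile" | tr -d ' ')"
# run_john "$WORK/pwfile" /usr/share/dict/words   # on a host with John installed
```

The umask and the temporary directory matter as much as the John flags: the merged file is equivalent to /etc/shadow and must never be left world-readable, and the trap removes it when the script exits, whether or not the cracking run finished. On the sample data, the daemon account is dropped because its "*" hash cannot match any password.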

Other security tools

There are many security tools for Linux available on the Internet. They can be used by malicious users to attack others, but we can also use them to secure our own Linux systems; what matters is the purpose for which they are used.

Malicious users use them to attack; we use them to defend against attacks. Who wins depends on who uses the tools more skillfully, and the defender has the advantage of being able to run them against his own systems first.


Last Revised: April 4th, 2007 by Fei Zhao