Tools for Linux security
By Fei Zhao
Linux is becoming more and more popular because it provides a UNIX-like server/workstation environment at low cost, is as powerful as a UNIX system, runs on a wide variety of platforms, and several distributions are free and widely available. In turn, a Linux system is no longer risk free. Threats to Linux systems are growing as well; they include hackers, viruses, Trojans, worms, etc.
By qualifying the risks, it is possible to take appropriate measures to minimize them, so the security of Linux is becoming a more important topic as well. In practice, securing Linux requires the help of different kinds of tools, and the open-source nature of Linux also promotes the development of such tools. There are many security tools for Linux, each good at a specific task or class of tasks. However, there is no universal solution, so the selection and usage of these tools are crucial.
An appropriate and powerful tool can relieve the workload of a Linux system administrator and improve the overall performance of a Linux-based network.
Ethereal is the most popular network protocol analyzer. It is network monitoring software that runs on different platforms such as Linux, Solaris, SGI and so on. It focuses mainly on the insecurity of TCP/IP and monitors the machines communicating over TCP/IP. It works just like Sniffer on the Windows platform: it captures and analyzes the datagrams in a shared network environment, and plug-ins can be added to implement extra features.
The latest Ethereal version is
can be downloaded from http://www.ethereal.com/
In addition, just like Tcpdump, Ethereal requires the pcap library (libpcap); make sure it is installed before compiling. If the pcap library is already installed, then one can use the following commands to compile and install it:
Ethereal is a GUI network protocol analyzer, and all of its features are accessible from its graphical interface. It is better to specify a capture filter before capturing; otherwise the captured data is huge even after a short capture, and most of the captured protocols are unwanted.
Nmap ("Network Mapper") is a free open-source utility for network exploration or security auditing. It is designed to rapidly scan large networks and can detect which TCP/IP ports are currently listening. A user can use it to verify which ports are currently open and communicating with the outside, and therefore close the unnecessary ports, for instance the ports of insecure system applications or of bandwidth-hungry P2P applications.
The purpose of Nmap is to let the system administrator conveniently monitor the status of the network, for instance how many hosts are running and what kind of services they provide. Its scanning speed is very fast, which makes it especially suitable for large networks.
When scanning, it mainly uses ICMP echo to detect whether a host is running.
The latest Nmap version is nmap-4.20.tar.bz2; it can be downloaded from http://www.insecure.org/nmap/index.html
# bzip2 -cd nmap-4.20.tar.bz2 | tar xvf -
The following example scans the local machine.
# nmap 127.0.0.1
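As an added example (not from the original article), the "close the unnecessary ports" check described above written as a Python script: it parses Nmap's grepable (-oG) output and reports every open port that is absent from the administrator's baseline of expected listeners. The scan output and the baseline are constructed samples.

```python
"""Compare Nmap grepable (-oG) output with a baseline of expected listening
ports, so unexpected open ports can be closed or justified.
The scan output and the baseline below are constructed samples."""
import re
from typing import Dict, List, Set, Tuple

# Constructed -oG output for a local scan (nmap -oG - 127.0.0.1). A port
# field reads port/state/protocol/owner/service/rpcinfo/version.
SAMPLE_GREPABLE = """\
# Nmap 4.20 scan initiated as: nmap -oG - 127.0.0.1
Host: 127.0.0.1 (localhost)\tStatus: Up
Host: 127.0.0.1 (localhost)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 6881/open/tcp//bittorrent///\tIgnored State: closed (996)
# Nmap run completed -- 1 IP address (1 host up) scanned
"""

# (port, protocol) pairs the administrator expects to be listening per host.
BASELINE: Dict[str, Set[Tuple[int, str]]] = {"127.0.0.1": {(22, "tcp"), (80, "tcp")}}

PORT_FIELD = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text: str) -> Dict[str, List[Tuple[int, str, str, str]]]:
    """Return {host: [(port, state, protocol, service), ...]} from -oG text."""
    result: Dict[str, List[Tuple[int, str, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_part = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_FIELD.findall(ports_part):
            result.setdefault(host, []).append((int(port), state, proto, service))
    return result


def unexpected_open_ports(scan, baseline) -> Dict[str, List[Tuple[int, str, str]]]:
    """Open ports absent from the host's baseline: candidates to close or justify."""
    findings: Dict[str, List[Tuple[int, str, str]]] = {}
    for host, entries in scan.items():
        allowed = baseline.get(host, set())
        extra = sorted((p, proto, svc) for p, state, proto, svc in entries
                       if state == "open" and (p, proto) not in allowed)
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for host, ports in unexpected_open_ports(parse_grepable(SAMPLE_GREPABLE), BASELINE).items():
        print(host, "unexpected open ports:", ports)
```

Run against a real scan with `nmap -oG scan.txt <host>` and feed the file contents to parse_grepable; ports that show up in the findings are the ones to shut down or add to the baseline with a justification.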
In Linux, passwords are stored in hashed form, and it is almost impossible to recover a password from its hash because the hash function is one way. But if the passwords are simple, or are simple combinations of regular patterns of letters and digits, then it is very easy for hackers or malicious users to guess them. They can build a dictionary from common words or from the user's personal information, hash this dictionary with the same hash function and compare the hashed dictionary with the Linux password file; if an entry matches, the Linux password is cracked.
Generally speaking, a password analyzer is often used by hackers to obtain users' passwords, but as system administrators we can also use it to verify whether the passwords of system users are vulnerable, remind those users of their weak passwords and make them select stronger ones; the security of the whole system is thereby increased.
There are many password analyzers available on the Internet; among them, John the Ripper is a classic, efficient one. It is free and open-source software, distributed primarily in source code form.
The latest John the Ripper version is 1.7.2; it can be downloaded from http://www.openwall.com/john/
(1) First, run the following command:
unsuccessful, then forced attacking
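As an added example (not from the original article, and not John the Ripper's own code), a Python check that applies the guessing rules described above to a candidate password before it is accepted: dictionary words, words with trailing digits, reversed words, and tokens from the user's own login name and GECOS field. The word list and the account data are constructed samples.

```python
"""Check a candidate password against the guesses the article describes:
dictionary words, words with trailing digits, reversed words and tokens taken
from the user's own account information. Word list and account data are
constructed samples."""
import re
from typing import Iterable, List, Set

# Constructed stand-in for a real cracking dictionary.
WORDLIST = {"password", "linux", "secret", "welcome", "letmein", "summer"}


def personal_tokens(username: str, gecos: str) -> List[str]:
    """Lower-cased tokens (>= 3 chars) from the login name and GECOS field."""
    tokens = [username] + re.split(r"[\s,]+", gecos)
    return [t.lower() for t in tokens if len(t) >= 3]


def candidate_guesses(words: Iterable[str]) -> Set[str]:
    """Expand base words the way a simple dictionary attack does: as-is,
    reversed, and with one or two trailing digits (e.g. 'linux07')."""
    guesses: Set[str] = set()
    for word in words:
        for base in (word.lower(), word.lower()[::-1]):
            guesses.add(base)
            guesses.update(f"{base}{n}" for n in range(10))
            guesses.update(f"{base}{n:02d}" for n in range(100))
    return guesses


def weakness_reasons(password: str, username: str, gecos: str) -> List[str]:
    """Reasons the password would fall to these simple guesses; an empty
    list means none of the checks fired (it says nothing about entropy)."""
    reasons: List[str] = []
    lowered = password.lower()
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if password.isalpha() or password.isdigit():
        reasons.append("only letters or only digits")
    if lowered in candidate_guesses(WORDLIST):
        reasons.append("dictionary word, possibly reversed or with trailing digits")
    personal = personal_tokens(username, gecos)
    if lowered in candidate_guesses(personal) or any(t in lowered for t in personal):
        reasons.append("derived from account information")
    return reasons


if __name__ == "__main__":
    for pw in ("linux07", "Zhao2007", "Tq7#vR!m9pL"):
        print(pw, "->", weakness_reasons(pw, "fzhao", "Fei Zhao,Room 101") or ["no simple weakness found"])
```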
There are a number of security tools available for Linux on the Internet. They can be used by malicious users to attack others, but we can also use these tools to secure our Linux systems; the key point is the purpose for which we use them.
Malicious users use them to attack others; we use them to fight attacks. Who wins the battle depends on who can use these tools more skillfully.
Last Revised: April 4th, 2007 by Fei Zhao