Tools for Linux security

By Fei Zhao

Linux is becoming more and more popular because it provides a great UNIX server/workstation environment at a low cost: it is as powerful as a UNIX system, runs on a wide variety of platforms, and some distributions of Linux are free and widely available. In turn, a Linux system is no longer risk free. The threats to Linux systems are growing as well; they include hackers, viruses, Trojans, worms and so on.

By assessing the risks, it is possible to take appropriate measures to minimize them; therefore the security of Linux is becoming a more important topic as well. In practice, securing Linux requires the help of different kinds of tools, and the open-source nature of Linux has promoted the development of many excellent ones. There are many security tools for Linux, each good at a specific task or class of tasks. However, there is no universal solution, so the selection and usage of these tools is crucial.

An appropriate and powerful tool can relieve the workload of a Linux system administrator and improve the overall performance of a Linux-based network.


Protocol analyzer -- Ethereal


Ethereal is the most popular network protocol analyzer. It is network monitoring software that runs on many platforms, such as Linux, Solaris and SGI. It focuses mainly on the insecurity of TCP/IP and monitors machines communicating over TCP/IP. It works much like Sniffer on the Windows platform: it captures and analyzes the datagrams in a shared network environment, and plug-ins can be added to implement extra features.


The latest Ethereal version is ethereal-0.99.0; it can be downloaded from

Ethereal has a very convenient and user-friendly GUI, through which the user can easily configure and select the display of multiple NICs and multiple protocols. Unpack the source archive:

  # cp ethereal-0.99.0.tar.bz2 /usr/local/src/
  # cd /usr/local/src/
  # bzip2 -d ethereal-0.99.0.tar.bz2
  # tar xvf ethereal-0.99.0.tar

In addition, just as for Tcpdump, make sure the pcap library (libpcap) is installed before compiling Ethereal; it is required to build Ethereal. Once libpcap is installed, use the following commands to compile and install Ethereal.

  # cd ethereal-0.99.0
  # ./configure
  # make
  # make install

Network port scanner -- Nmap


Nmap ("Network Mapper") is a free open source utility for network exploration and security auditing. It is designed to rapidly scan large networks and can detect which TCP/IP ports are currently listening. The user can use it to verify which ports are currently open and communicating with the outside, and then close the unnecessary ones, for instance the ports of insecure system applications or bandwidth-hungry P2P ports.

The purpose of Nmap is to let the system administrator conveniently monitor the status of the network, for instance how many hosts are up and what kind of services they provide. Its scanning speed is very fast, which makes it especially suitable for large networks.

When scanning, it mainly uses ICMP echo to detect whether a host is up.


The latest Nmap version is nmap-4.20.tar.bz2; it can be downloaded from

  # bzip2 -cd nmap-4.20.tar.bz2 | tar xvf -
  # cd nmap-4.20
  # ./configure
  # make
  # make install

Sample usage

The following example scans the local machine.

# nmap

Starting Nmap 4.20 ( ) at 2007-03-26 11:32 EDT
Interesting ports on localhost.localdomain (
Not shown: 1688 closed ports
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
443/tcp open https
631/tcp open ipp
50000/tcp open iiimsf
50002/tcp open iiimsf

Nmap finished: 1 IP address (1 host up) scanned in 0.282 seconds
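The scan above tells the administrator what is listening; the next step is to decide what should not be. The following script is an added example, not part of the original article: it reads nmap output, keeps only the lines in the open state, and prints the ports that are missing from an allow-list. The SAMPLE_SCAN text is a constructed copy of the scan shown above so the script runs offline, and EXPECTED_PORTS is an assumed policy for a host that should only expose ssh, http and https.

```shell
# Added example, not from the article: report the open ports nmap found that
# are NOT on this host's allow-list, so the administrator knows which to close.
# SAMPLE_SCAN is a constructed copy of the scan output quoted above so the
# script runs offline; on a real host pipe `nmap localhost` into
# unexpected_ports instead (assumed invocation). EXPECTED_PORTS is an assumed
# policy for a web server that only needs ssh, http and https.

EXPECTED_PORTS='22/tcp
80/tcp
443/tcp'

SAMPLE_SCAN='Starting Nmap 4.20 at 2007-03-26 11:32 EDT
Interesting ports on localhost.localdomain:
Not shown: 1688 closed ports
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
443/tcp open https
631/tcp open ipp
50000/tcp open iiimsf
50002/tcp open iiimsf

Nmap finished: 1 IP address (1 host up) scanned in 0.282 seconds'

# open_ports: read nmap output on stdin and print "port/proto service" for
# every port line whose state is "open"; banner and summary lines are skipped.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# unexpected_ports: read nmap output on stdin and print the open ports that
# do not appear (as a whole line) in EXPECTED_PORTS.
unexpected_ports() {
    open_ports | while read -r port svc; do
        if ! printf '%s\n' "$EXPECTED_PORTS" | grep -qxF -- "$port"; then
            printf '%s %s\n' "$port" "$svc"
        fi
    done
}

# count_unexpected: number of unexpected open ports in the sample scan.
count_unexpected() {
    printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports | wc -l | tr -d ' '
}

# Stand-alone run: list what should be closed on the sample host.
printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports
```

Run against the sample scan it lists six ports (ftp, smtp, rpcbind, ipp and the two iiimsf ports) as candidates for closing.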

Password analyzer -- John the Ripper


In Linux, passwords are stored in hashed form, and it is almost impossible to recover a password from its hash because a hash function is one-way. But if passwords are simple, or simple combinations of predictable letters and digits, it is very easy for hackers or malicious users to guess them. They build a dictionary from common words or from the user's personal information, hash every entry of the dictionary with the same hash function, and compare the hashed dictionary with the Linux password file; if a hash matches, the Linux password is cracked.

Generally speaking, a password analyzer is often used by hackers to obtain users' passwords, but as system administrators we can also use it to verify whether the passwords of system users are weak, remind those users of their weak passwords and make them select stronger ones; in this way the security of the whole system is increased.

There are many password analyzers available on the Internet; among them, John the Ripper is a classic, efficient one. It is free and open source software, distributed primarily in source code form.


The latest John the Ripper version is 1.7.2; it can be downloaded from

  # tar xzvf john-1.7.2.tar.gz
  # cd john-1.7.2/src
  # make linux-x86-any-a.out
  # cd ../run
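To make the dictionary check described above concrete, here is an added example that is not part of the article and not code from John the Ripper itself. A constructed password file maps users to salted hashes; every dictionary word is hashed with the same function and the user's salt and compared with the stored hash, which is exactly the loop John automates. The hash function is assumed to be sha256sum over "salt:word" purely for illustration; real /etc/shadow entries use crypt(3) formats, which John understands and this script does not.

```shell
# Added example, not from the article or from John the Ripper itself: the
# dictionary check described above, written out so the loop John automates is
# visible. A constructed password file maps users to salted hashes; each
# dictionary word is hashed with the same function and the user's salt and
# compared with the stored hash. Assumption: the hash is
# sha256sum("salt:word") purely for illustration; real /etc/shadow entries
# use crypt(3) formats, which John handles and this script does not.

# hash_word SALT WORD: the illustrative salted hash, as a hex string.
hash_word() {
    printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# Constructed password file in "user:salt:hash" form. alice and carol use
# dictionary words; bob does not.
make_passwd_file() {
    printf 'alice:x7Q2:%s\n' "$(hash_word x7Q2 password)"
    printf 'bob:Kp91:%s\n' "$(hash_word Kp91 'Tr0ub4dor&3')"
    printf 'carol:mm40:%s\n' "$(hash_word mm40 linux123)"
}

# Constructed dictionary of common words, one per line.
DICTIONARY='123456
password
linux123
qwerty
admin'

# audit_passwords: read "user:salt:hash" lines on stdin, hash every
# dictionary word under that user's salt, and print "user word" on a match.
# Because of the salt, each word must be re-hashed for every user.
audit_passwords() {
    while IFS=: read -r user salt stored; do
        printf '%s\n' "$DICTIONARY" | while read -r word; do
            if [ "$(hash_word "$salt" "$word")" = "$stored" ]; then
                printf '%s %s\n' "$user" "$word"
            fi
        done
    done
}

# Stand-alone run: list the users whose password was found in the dictionary.
make_passwd_file | audit_passwords
```

The output names alice and carol, the two accounts an administrator would ask to choose a stronger password; bob's password is not in the dictionary and is not found.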

Last Revised: March 30, 2007 by Fei Zhao