(continued...)

Intrusion detection, integrity checks: IDS, NIDS, HIDS, Antivirus, software.
Note: vulnerability checking: CIS, SATAN, COPS, Tiger, Nessus

FAQ: Network Intrusion Detection Systems
Lotek sniffing docs: http://www.l0t3k.org/security/documents/sniffing/
Defeating Sniffers and Intrusion Detection Systems (Phrack): http://www.phrack.org/show.php?p=54&a=10
Intrusion Detection FAQ (SANS, handling ID in general): http://www.sans.org/resources/idfaq/index.php
Intrusion Detection and Network Auditing on the Internet: http://www.infosyssec.net/infosyssec/intdet1.htm
Basic File Integrity Checking (with Aide): http://online.securityfocus.com/infocus/1408
IDS, NIDS, File Integrity Checkers: http://www.networkintrusion.co.uk

The IDS acronym game:

IDS:
Intrusion Detection System refers to an application able to examine traffic for attributes and properties that mark "benign", suspicious, restricted, forbidden or outright hostile activities.

NIDS:
Network IDS refers to Intrusion Detection, like running "sensors" on various sentry or sniffer hosts while logging and/or log processing and alerting is done on a central host (many-to-one topology).
NIDS examples are:
or jump to Snort Basics
Panoptis (DoS, DDoS only):
Some commercial/non OSS examples: Demarc PureSecure, Cisco Secure IDS (NetRanger), ISS Real Secure, Axent Net Prowler, Recourse ManHunt, NFR Network Flight Recorder, NAI CyberCop Network, Enterasys Dragon and Okena Stormfront/Stormwatch.
Snort also is available commercially these days.

HIDS:
Host-based IDS. The HIDS acronym itself is subject to flamewars.
IDS examples are Snort, Shoki, Prelude, Defenseworx, Pakemon, Firestorm and Panoptis (DoS, DDoS only).

IPS:
Intrusion Protection System. Passive or active (learning, like the heuristics stuff?) enforcement of rules at the application, system or access level. I suppose we're looking at stuff like Grsecurity, Solar Designer's Open Wall, LIDS, LOMAC, RSBAC, Linux trustees, Linux Extended Attributes or Systrace here.
Commercial/non OSS examples: Entercept, ISS RealSecure, Axent Intruder Alert Manager, Enterasys' Dragon, Tripwire, Okena and CA's eTrust.

Snort Basics:
Using Snort as an IDS and Network Monitor in Linux (SANS): http://www.sans.org/rr/intrusion/monitor.php
ArachNIDS (Snort/Dragon/Defenseworx/Pakemon/Shoki rule, research and info library): http://whitehats.com/ids/ <-- great site, damn near my fav
Snort Stealth Sniffer: Paranoid Penguin: Stealthful Sniffing, Intrusion Detection and Logging: http://www.linuxjournal.com/article.php?sid=6222
Dropping Packets with Snort:
Hogwash: http://hogwash.sourceforge.net/

Snort GUI's, management, log reporting and analysis:
Snort Unified Logging: Barnyard (Sourceforge)
Snort Unified Logging: Logtopcap
Snort Unified Logging: Mudpit
Analysis Console for Intrusion Databases (ACID): http://acidlab.sourceforge.net/
HOWTO Build Snort with ACID: http://www.sfhn.net/whites/snortacid.htm
ACID FAQ: http://www.andrew.cmu.edu/~rdanyliw/snort/acid_faq.html
SPADE, Snortsnarf: http://www.silicondefense.com/
Sguil: http://sguil.sourceforge.net/
Enabling Automated Detection of Security Events that affect Multiple Administrative Domains: http://www.incident.org/thesis/book1.html
Demarc (commercial): http://www.demarc.com/
RazorBack: http://www.intersectalliance.com/pr...Back/index.html
Oinkmaster (rule management): http://www.snort.org/dl/contrib/sig...ent/oinkmaster/
Snort alert mailer (C or .perl?): http://rouxdoo.freeshell.org/dmn/snort/
Pig Sentry: http://web.proetus.com/tools/pigsentry/
Comparison of IDSs (NFR NID, Snort, INBOUNDS, SHADOW, Dragon, Tripwire): http://zen.ece.ohiou.edu/~nagendra/compids.html

Snort help, mailinglist (archives), honeypots:
Snort: Database support FAQ: http://www.incident.org/snortdb/
Snort mailinglists, Aims: http://marc.theaimsgroup.com/
Baby steps with a honeypot: http://www.lucidic.net/whitepapers/mcooper-4-2002.html
Honeypot & Intrusion Detection Resources: http://www.honeypots.net/
Snort + 802.11 aka Wireless: http://www.loud-fat-bloke.co.uk/w80211.html
Sniffing (network wiretap, sniffer) FAQ: http://www.robertgraham.com/pubs/sniffing-faq.html
An Analysis of a Compromised Honeypot (Snort+Ethereal): http://www.securityfocus.com/infocus/1676

To add:
Firestorm NIDS, Barnyard, Mudpit, Snort GUI's, add-ons etc etc.

File Integrity Detection Systems
Checking a filesystem's contents against one or more checksums to determine if a file (remember anything essentially is a file on a Linux Filesystem) has been changed.
Examples are:
Aide: http://www.cs.tut.fi/~rammer/aide.html (for remote mgmt see also ICU) http://www.algonet.se/~nitzer/ICU/
(for remote mgmt see docs)
Osiris: http://osiris.shmoo.com/
Nabou: http://www.daemon.de/en/software/nabou/
Sentinel: http://zurk.sourceforge.net/zfile.html
Viper(DB): http://panorama.sth.ac.at/viperdb/
Integrit: http://integrit.sourceforge.net/
File Integrity (SecurityFocus, tools list): http://www.securityfocus.com/tools/category/7
Tripwire (for remote mgmt search Freshmeat.net for "FICC").
Commercial/non OSS examples: Versioner, GFI LANguard System Integrity Monitor, Ionx's Data Sentinel, Tripwire for Servers and Pedestal Software Intact.
Viruses on Linux/GNU, Antivirus software
Sendmail, Tcpdump, OpenSSH, TCP Wrappers, Aide and some other projects have suffered from people succeeding in injecting malicious code, and of those only Sendmail and OpenSSH were at main servers, the rest were mirrors AFAIK. Even though all the apps mentioned are safe to use, and the differences were noted soon, the real problem is you 1, have to have the knowledge to read code, and 2, the discipline to read the code each time and question any diffs or 3, have minimal "protection" in place to cope with things like rogue compiled apps "phoning home". Which in essence means to end users any software provided w/o means to verify integrity of the code and the package should be treated with care, instead of accepting it w/o questioning.

As for the "virus" thingie, I wish we, as a Linux community, would try to "convert" people away from the typical troubles of lesser (game) platforms and direct them towards what's important to know about Linux: user/filesystem permissions, broken suid/sgid software, worms, trojans and rootkits.

Basic measures should be:
- Using (demanding) source verification through GPG or minimally md5sums,
- Watch system integrity (Aide, Samhain, Tripwire or any package mgr that can do verification: save those databases off-site),
- Harden your systems by not installing SW you don't need *now*, denying access where not needed and using tools like Bastille-linux, tips from Astaro,
- Patch kernel to protect looking at/writing to crucial /proc and /dev entries and/or use ACL's (see Silvio Cesare's site, Grsecurity, LIDS),
- Watch general/distro security bulletins and don't delay taking action (Slapper, Li0n etc),
- Keep an eye on outgoing traffic (egress logging and filtering),
- Don't compile apps as root but as a non-privileged user,
- Inspect the code if you can,
- Don't use Linux warez.

But most of all: use common sense.

*If you're still not satisfied you've covered it all, you could arm yourself with knowledge on forensics stuff like UML, chrooting, disassembly and honeypots.
If you want to find Antivirus software, Google the net for Central Command, Sophos, McAfee, Kaspersky, H+BEDV, Trend Micro, Frisk, RAV, Clam, Amavis, SpamAssassin, Renattach, Ripmime, Milter or Inflex.
- AV software is as good as its signatures/heuristics. Some vendors don't update their Linux sig db's very well, or field software with lacking capabilities. I've tested some (admittedly a long time ago) on my virus/trojan/LRK/malware libs.
Bad (IMHO): Frisk's F-Prot (sigs), Clam (sigs), H+BEDV (libc version). Good (IMNSHO): McAfee's uvscan (best) and RAV (2nd). Please do test yourself.
- AFAIK only KAV (Kaspersky) has a realtime heuristic virus scanner daemon. I'm in limbo about its compatibility with recent kernels tho.

Links to check out:
LAVP/Mini-FAQ Linux/Unix AV SW,
NIST (list of AV vendors),
--------------------------------------------------------------------------

Chroot, chrooting, jailing, compartmentalization

Snort: http://www.norz.org/software/snortstart.html
OpenSSH for chrooted sessions on Linux: http://mail.incredimail.com/howto/openssh/
http://chrootssh.sourceforge.net/
OpenSSH, Scponly: http://www.sublimation.org/scponly/
OpenSSH, Rssh: http://pizzashack.org/rssh/
OpenSSH Sftp logging patch, contact Mike Martinez: firstname.lastname@example.org
How to chroot an Apache tree with Linux and Solaris: http://penguin.epfl.ch/chroot.html
An Overview of 'chroot jailing' Services in Linux: http://www.incidents.org/protect/borland.php
How to break out of a chroot() jail: http://www.bpfh.net/simes/computing/chroot-break.html
Breaking out of a restricted shell: http://online.securityfocus.com/infocus/1575, down at "Breaking Out of Various Restrictions"
Chrooting daemons and system processes HOW-TO: http://www.networkdweebs.com/chroot.html

Other SW/HOWTO's unsorted:
http://www.gsyc.inf.uc3m.es/~assman/jail
http://www.opensourcedirectory.org/projects/jailchootp/
http://people.debian.org/~pzn/howto/chroot-bind.sh.txt
http://www.linuxdocs.org/HOWTOs/Chroot-BIND-HOWTO.html
http://www.linuxdoc.org/HOWTO/Chroot-BIND8-HOWTO.html
http://penguin.epfl.ch/chroot.html
http://tjw.org/chroot-login-HOWTO/
http://rr.sans.org/linux/daemons.php
http://www.mlug.ca/sklav/stories/November_issue2001
http://www.floc.net/makejail/
http://www.balabit.hu/downloads/jailer
Here's some randomness while I'm at it.

802.11 (Wireless)
http://www.ackers.org.uk/
http://airsnort.shmoo.com/
http://www.hyperlinktech.com/
http://www.cisco.com/en/US/products/...ess/index.html
http://www.fab-corp.com/
http://www.free2air.org/
http://www.jiwire.com/
http://www.kismetwireless.net/
http://www.netstumbler.com/
http://www.stumbler.net/
http://www.proxim.com/
http://www.teletronics.com/tii/index.html
http://www.warchalking.org/
http://www.wardriving.com/
http://wifinetnews.com/
http://www.wildpackets.com/
http://www.richmondfreewireless.org/...network&V=5001
http://www.practicallynetworked.com/...s_articles.htm
http://www.wireless-warrior.org/
http://www.expansys.com/d_wireless.asp
http://www.wirelessanarchy.com/
http://store.ydi.com/customer/home.php <-- check out the site as well.

Random Linx
http://home.online.no/~osmoma/ <-- I think it's safe to say that if all the Linux Links pages out there were ants, this would be the QUEEN.
http://www.bsdnexus.com/
http://www.linuxcommand.org/ <-- for the newbies
http://linux.org.mt/article/terminal <-- for the newbies
http://s56.net/Books/
http://www.newsforge.com/
http://www.tldp.org/
http://www.unixreview.com/

E-books and e-book linx...
http://rahmat.zikri.com/books.html <-- 1 word. WOW.
http://freebooks.by.ru/
http://www.mindview.net/Books/DownloadSites
http://www.maththinking.com/boat/computerbooks.html
http://docs.rinet.ru:8080/
http://www.ebone.at/files.php?show=Books
http://www.empowermentzone.com/#unix <-- amongst other BS

Here's what a lil friend of mine called "Google" can do... just use this link, and replace the last word in the search to whatever your interest may be.
http://www.google.com/search?q=ebook...&start=10&sa=N
http://skaiste.elekta.lt/Books/
http://content.443.ch/pub/
http://www.ods.com.ua/index.phtml
I have quite a bit more, but my mouse finger hurts. I'll post more in time.
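The file-integrity mechanism described under "File Integrity Detection Systems" above (a baseline of checksums compared against the live filesystem, with the baseline kept outside the watched tree as the basic-measures list advises), as an added Python example that is not code from Aide, Tripwire or any other tool linked in this post; the sample tree, file names and contents are constructed, and the baseline path is an assumption:

```python
# Minimal Aide/Tripwire-style integrity checker: baseline, then diff the live tree.
import hashlib, json, os, stat, tempfile

def fingerprint(path):
    # SHA-256 of the contents plus size and permission bits: catches a same-size
    # patch and a chmod +s as well as a plain content change.
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    st = os.lstat(path)
    return {"sha256": digest, "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}

def build_baseline(root):
    # Fingerprint every regular file under root, keyed by path relative to root.
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline

def save_baseline(baseline, dest):
    with open(dest, "w") as fh:
        json.dump(baseline, fh, sort_keys=True)

def compare(db_path, root):
    # Re-walk the tree and report what was added, removed or changed since the baseline.
    with open(db_path) as fh:
        baseline = json.load(fh)
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    # Constructed scenario: baseline a small tree, then tamper with it three ways.
    root = tempfile.mkdtemp()
    db = root + ".db"  # assumed baseline path, outside the watched tree (off-site in real life)
    for rel, data in {"bin/ls": b"#!/bin/sh\necho ls\n", "etc/passwd": b"root:x:0:0::/root:/bin/sh\n"}.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    save_baseline(build_baseline(root), db)
    with open(os.path.join(root, "bin/ls"), "wb") as fh:   # same size, different bytes
        fh.write(b"#!/bin/sh\necho LS\n")
    with open(os.path.join(root, "bin/rk"), "wb") as fh:   # dropped-in new file
        fh.write(b"\x7fELF")
    os.remove(os.path.join(root, "etc/passwd"))            # deleted file
    return compare(db, root)
```

Running demo() reports bin/rk as added, etc/passwd as removed and bin/ls as changed even though its size did not move.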