% latex generated by the script '/home/project-web/bumble/cgi-bin/text2latex.cgi' 
% with help from the sed script 'text2latex.sed' 
% query string: 'books/linux-security/linux-security-book' 
% sFileName= 'linux-security-book' 
% sDirName = 'books/linux-security' 
% sName = '' -->
% latex by http://bumble.sourceforge.net/scripts/text2latex.sed 
% this script is a work in progress 
\documentclass[11pt]{article} 
\usepackage[hmargin=2cm, vmargin=2cm]{geometry} 
\usepackage{url} 
\usepackage{hyperref} 
\begin{document}


 \\&\\& Defending linux 
 ------------------

 This booklet may provide information about defending linux
 from intruders and other unwanted guests


\title{} 
\author{bumble.sourceforge.net} 
\maketitle 
\tableofcontents security tools
 .. airsnort - wireless 'wep' encryption cracker 802.11b
 .. adore - backdoor
 .. amap - identify remote applications
 .. cheops - host info
 .. dsniff - suite of network sniffers
 .. ettercap - ncurses network sniffer
 .. fata-jack - denial of service attack
 .. firewalk - like traceroute
 .. fragroute - intercept and rewrite net traffic
 .. hping2 - tcp packet assembler
 .. hunt - tpc hijack
 .. hydra - password brute forcer
 .. john
 .. kismet - wireless network sniffer
 .. lrk - linux root kit
 .. loki2 - backdoor
 .. netcat - cat for tcp
 .. ngrep - network grep
 .. nikto - web server scanner
 .. nmap - port scanner
 .. openssl - telnet for ssl
 .. snmpwalk - snmp analyser querier
 .. snort - sniffer
 .. tcpdump - cli sniffer
 .. tomkit - rootkit
 .. wlan-jack - denial of service
 .. xkey - keystroke logging of x sessions
 .. xprobe - os identification
 .. xremote - remote keystrokes to x
 .. whisker - web server scanner
 .. zap3 - log eraser
 .. zebedee - tcp tunnels
 ..
 .. 

WEBSITES

 @@ securityfocus.com
 news, exploits
 @@ insecure.org
 tools
 @@ phrack.org
 hacking magazine
 @@ attrition.org
 articles, advisories, tools
 @@ \url{http://www.vulnwatch.org}
 vulnerability watch


USERNAMES

 * obtain a list of usernames on a unix system
 >> cat \texttt{/etc/passwd}

GOOGLE SEARCHES

 Google searches may uncover insecure configurations for 
 your company

 * search in google for email log files in the web document root
 >> "Index of" dead.letter 

 * search in google for misconfigured apache password file
 >> "Index of" .htpasswd

 * search for misconfigured apache password files on a sourceforge site 
 >> "Index of" .htpasswd site:bumble.sourceforge.net
 >> .htpasswd site:bumble.sourceforge.net

PASSWORDS


\title{} 
\author{bumble.sourceforge.net} 
\maketitle 
\tableofcontents tools 
 .. unshadow - part of the 'john' password cracker suite.
 ..

 * unshadow the linux/unix password list 
 >> sudo unshadow \texttt{/etc/passwd} \texttt{/etc/shadow} > mypasswd
 >> su -c "unshadow \texttt{/etc/passwd} \texttt{/etc/shadow} > mypasswd"

 * view the examples for the 'john' password cracker
 >> zless \texttt{/usr/share/doc/john/EXAMPLES.gz}

 * select some 'john' documentation to view
 >> select f in \texttt{/usr/share/doc/john/[A-Z]*;do} zless \\$f; break; done

 * run the 'john' password cracker on an apache password file
 >> john .htpasswd

 * view the default wordlist for 'john' cracker
 >> less \texttt{/usr/share/john/password.lst}
 >> ls \texttt{/usr/share/john/}

 * edit the 'john' configuration file
 >> sudo vim \texttt{/etc/john/john.conf}

 * change the word list used by john to something bigger
 -------------------------------------------------------
 wget \url{http://download.openwall.net/pub/wordlists/all.gz}
 gunzip all.gz
 sudo cp all \texttt{/usr/share/john}
 In the config file set
 Wordlist = \texttt{/usr/share/john/all}
 ,,,

 @@ \url{http://www.openwall.com/passwords/nt.shtml}
 Utilities for dumping windows passwords (LM or NTLM) in
 PWDUMP format to be used with the 'john' tool

 @@ \url{http://download.openwall.net/pub/wordlists/}
 reduced Password wordlists

FINGERPRINTING

 Fingerprinting is the term used for the process of gathering information
 about a target which will then be used to attack that target


\title{} 
\author{bumble.sourceforge.net} 
\maketitle 
\tableofcontents tools
 .. xprobe - determines remote operating system
 .. amap - determines what type of service open on a port
 ..

 * try to determine the operating system for the server 'www.no.net'
 >> xprobe -v \url{http://www.no.net}

DNS 


\title{} 
\author{bumble.sourceforge.net} 
\maketitle 
\tableofcontents tools
 .. dig - a command line dns look up tool
 .. host - lookup the hostname for a given ip address
 ..

 * query the mail servers for the 'eg.net' server
 >> dig mx eg.net

 * query the domain name belonging to the ip address 
 >> host 10.0.0.3

 * find the domain registrar for a domain name using the global register
 >> whois -h whois.crsnic.net \url{http://www.hlist.org} | less

 This returns 'no match' for me.

EMAIL

 
BRUTE FORCING


\title{} 
\author{bumble.sourceforge.net} 
\maketitle 
\tableofcontents tools
 .. hydra - can discover passwords by brute force
 .. john - the john the ripper tool 
 ..


ANTIVIRUS PROGRAMS

 While Linux is not prone to viruses, it is useful to have anti virus
 programs in order to disinfect usb memory sticks which you may use
 in other peoples computers (running Microsoft Operating Systems)

CLAM

 These notes were synthesised from a 'linux format' magazine 
 article. Clam is one of the more prominent open-source antivirus
 programs for Linux.

INSTALLING CLAM ....

 The Ubuntu 'launchpad' is a little bit like the sourceforge site. 
 That is, designed to foster coding collaboration.

 * put a launchpad ubuntu ppa in \texttt{/etc/apt/sources.list} 
 >> ppa:ubuntu-clamav/ppa

 * put a ppa in sources.list for the 'karmic' ubuntus version
 >> deb \url{http://ppa.launchpad.net/ubuntu-clamav/ppa/ubuntu} karmic main

 * a bash command to append the correct line to the sources.list file 
 --------------------------------------------------------------------
 sudo echo " 
 deb \url{http://ppa.launchpad.net/ubuntu-clamav/ppa/ubuntu} karmic main 
 " >> \texttt{/etc/apt/sources.list}
 ,,,

 * view the config file
 >> less \texttt{/etc/apt/sources.list}

 Doing this allows us to get the latest version of clamav for ubuntu
 (rather than just the version supplied with the standard ubuntu
 installation). 'Ppa' means an application from one of ubuntus
 'partners'. (Partner prefered application?). It means that the application
 has not been thouroughly tested with a distribution of Ubuntu Linux
 but that it will probably work.

 * get the keys for the server
 >> sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5ADC2037

CONFIGURING CLAM ....

 An anti virus program is only as good as the virus signature database
 apon which it relies. This database needs to be updated regularly since
 people are constantly inventing new virus.

 * view the list of manual pages for the clamav antivirus scanner
 >> apropos clam

 * get the latest virus definitions
 >> sudo freshclam

 * get all the virus signatures in the virus db
 >> sigtool --list-sigs

 But what is this for exactly, I wonder

 * get the clamtk gui frontend for clam and gnome
 >> sudo apt-get install clamtk

 The clamtk application is extremely basic and doesnt provide many of the
 options available from the command line. For kde the clam graphical user
 interface is called 'clamav-kde', or Klamav

 * get the clamav daemon
 >> clamav-daemon

 * check if the clam daemon is running, should give 3 results
 >> ps ax | grep clamd

 * start the daemon
 >> sudo clamd

 * check the version of the daemon
 >> clamdscan -V

SCANNING WITH CLAM ....

 After installing and configuring you can now, finally, scan some 
 files and folders, to see if they contain any viruses.

 * scan a whole folder tree
 >> clamscan -r \texttt{/path/tree}

 * scan just the contents of 1 folder (not subfolders)
 >> clamscan \texttt{/media/Lexar}

 * scan a folder tree and ring the bell when finished with output
 >> clamscan -r --bell -i \texttt{/media/Lexar}

 * scan the 'lexar' usb memory stick and print verbose messages
 >> clamscan -rv \texttt{/media/Lexar}

 * mail the result of a scan to yourself
 >> clamscan -r -i \texttt{/path/} | mail me@me.com

DEALING WITH THE INFECTED FILES ....

 * scan a memory stick an move all the infected files to the 'bad' folder
 >> clamscan -r --move=bad \texttt{/media/usbstick}

 * scan and automatically remove infected files, a bit dangerous
 >> clamscan -r --bell --remove -i \texttt{/path/}

 This line above may be dangerous because 'false positives' are 
 a definite possibility.


SCHEDULING CLAMAV ....

 It is too easy to forget to run an antivirus, so it is better to 
 schedule it to run automatically at a certain time or on an event.

 * schedule a virus scan for 3am one off 
 >> at 3:00 tomorrow
 >> at> clamscan -i \\$\\verb|~| | \\$\\verb|~|/test.txt

 * schedule it with cron on the hour every hour everyday
 >> export EDITOR=vim
 >> crontab -e
 >> append "0 * * * * sh \texttt{/path/script.sh}

 * schedule it without sending any mail
 >> append "0 * * * * sh \texttt{/path/script.sh} > \texttt{/dev/null} 2>\\&1

 * schedule a virus signature update once a day 
 >> append "0 3 * * * sh \texttt{/path/script.sh} > \texttt{/dev/null} 2>\\&1


\title{} 
\author{bumble.sourceforge.net} 
\maketitle 
\tableofcontents other security tools
 .. SELinux - harden the box
 .. AppArmor
 .. chrootkit = check for rootkits
 .. AVG - a free antivirus
 ..

FIREWALLS

 A firewall is an application which examines tcp/ip packets arriving at
 and leaving a computer and allows or disallows those packets to 
 continue depending upon a set of rules. A firewall does not have to
 run on a separate computer. Since the Internet is the main source of 
 security problems for any computer, the firewall software has a great
 importance in any security set-up.

IPTABLES ....

 Iptables is the traditional unix/linux internet firewall system. It has
 the reputation of being difficult to understand and master but 
 flexible and powerful. 

HANDHELD DEVICES FOR SECURITY AUDITING

 @@ sharp zaurus
 The Sharp Zaurus is a hand-held pda installed with linux along
 with a number of network security auditing tools
 @@ iPAQ

NOTES


DOCUMENT-NOTES:
 
 \\# this section contains information about the document and
 \\# will not normally be printed.

 \\# A small (16x16) icon image to identify the book
 document-icon:

 \\# A larger image to identify or illustrate the title page
 document-image:

 \\# what sort of document is this
 document-type: book

 \\# in what kind of state (good or bad) is this document 
 document-quality: basic

 document-history:
 @@ Oct 2010
 book was begun when I started to get worried about all the 
 messages in my apache logs
 @@ 14 Oct 2010 
 Added some notes about the clam antivirus

 \\# who wrote this
 authors: mjbishop
 \\# a short description of the contents, possible used for doc lists
 short-description: defending linux from attacks
 \\# A computer language which is contained in the document, if any
 code-language: bash
 \\# the script which will be used to produce html (a webpage)
 make-html: ./book-html.sh
 \\# the script which will produce 'LaTeX' output (for printing, pdf etc)
 make-latex: ./booktolatex.cgi


\end{document}
%end generated latex