Defending linux

Table of Contents

last revision
27 October 2011, 6:33pm
book quality
basic


 This booklet provides notes on defending Linux from intruders
 and other unwanted guests, mostly by knowing the tools they use

 == security tools
 .. airsnort - wireless 'wep' encryption cracker 802.11b
 .. adore - kernel module rootkit / backdoor
 .. amap - identify remote applications
 .. cheops - host info
 .. dsniff - suite of network sniffers
 .. ettercap - ncurses network sniffer
 .. fata-jack - 802.11 denial of service attack
 .. firewalk - like traceroute, maps the rules of a firewall
 .. fragroute - intercept and rewrite net traffic
 .. hping2 - tcp packet assembler
 .. hunt - tcp hijack
 .. hydra - password brute forcer
 .. john - 'john the ripper' password cracker
 .. kismet - wireless network sniffer
 .. lrk - linux root kit
 .. loki2 - backdoor (icmp tunnel)
 .. netcat - cat for tcp
 .. ngrep - network grep
 .. nikto - web server scanner
 .. nmap - port scanner
 .. openssl - its 's_client' subcommand is a telnet for ssl
 .. snmpwalk - snmp analyser querier
 .. snort - network intrusion detection system (also a sniffer)
 .. tcpdump - cli sniffer
 .. tomkit - rootkit
 .. wlan-jack - 802.11 denial of service
 .. xkey - keystroke logging of x sessions
 .. xprobe - os identification
 .. xremote - remote keystrokes to x
 .. whisker - web server scanner
 .. zap3 - log eraser
 .. zebedee - tcp tunnels

WEBSITES

  @@ securityfocus.com
     news, exploits
  @@ insecure.org
     tools
  @@ phrack.org
     hacking magazine
  @@ attrition.org
     articles, advisories, tools
  @@ www.vulnwatch.org
     vulnerability watch


USERNAMES

  * obtain a list of usernames on a unix system ('/etc/passwd' is 
    world readable; the password hashes live in '/etc/shadow', 
    readable only by root)
  >> cat /etc/passwd

GOOGLE SEARCHES

  Google searches may uncover files your company has accidentally
  left in a web document root (indexed directories, password files)

  * search in google for email log files in the web document root
  >> "Index of" dead.letter    

  * search in google for misconfigured apache password file
  >> "Index of" .htpasswd

  * search for misconfigured apache password files on a sourceforge site 
  >> "Index of" .htpasswd site:bumble.sourceforge.net
  >> .htpasswd site:bumble.sourceforge.net

PASSWORDS

  == tools 
  .. unshadow - part of the 'john' password cracker suite, merges the
     hashes from /etc/shadow back into the /etc/passwd format john reads
  ..

  * unshadow the linux/unix password list (the output file holds every 
    hash on the box: keep it readable only by you and delete it afterwards)
  >> sudo unshadow /etc/passwd /etc/shadow > mypasswd
  >> su -c "unshadow /etc/passwd /etc/shadow > mypasswd"

  * view the examples for the 'john' password cracker
  >> zless /usr/share/doc/john/EXAMPLES.gz

  * select some 'john' documentation to view
  >> select f in /usr/share/doc/john/[A-Z]*;do zless $f; break; done

  * run the 'john' password cracker on an apache password file
  >> john .htpasswd

  * view the default wordlist for 'john' cracker
  >> less /usr/share/john/password.lst
  >> ls /usr/share/john/

  * edit the 'john' configuration file
  >> sudo vim /etc/john/john.conf

  * change the word list used by john to something bigger
  wget http://download.openwall.net/pub/wordlists/all.gz
  gunzip all.gz
  sudo cp all /usr/share/john
  In the [Options] section of the config file set
  Wordlist = /usr/share/john/all

www: http://www.openwall.com/passwords/nt.shtml
Utilities for dumping windows passwords (LM or NTLM) in PWDUMP format to be used with the 'john' tool
www: http://download.openwall.net/pub/wordlists/
reduced Password wordlists
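What 'unshadow' produces, and what a defender should look for in it, as an added example (shell; not part of john and not from the original notes): an awk re-implementation of the passwd/shadow merge, followed by an audit that flags accounts with an empty password field, with legacy DES or md5crypt hashes that john cracks quickly, and with hashes left in the world-readable passwd file itself. The sample passwd and shadow lines are constructed and the hash strings are placeholders, not real hashes.

```sh
#!/bin/sh
# Added example, not part of john: reproduce what 'unshadow' does with awk,
# then audit the merged lines. Sample passwd/shadow data below are constructed
# and the hash strings are placeholders, not real hashes.

# unshadow_lines PASSWD SHADOW
# Prints each passwd line with the hash from shadow put back into field 2,
# which is the format john reads. Accounts without a shadow entry are left as
# they are in passwd.
unshadow_lines() {
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }          # first file (shadow): remember hashes
        { if ($1 in hash) $2 = hash[$1]; print }   # second file (passwd): splice them in
    ' "$2" "$1"
}

# audit_hashes PASSWD SHADOW
# One "name: verdict" line per account. Empty fields and pre-shadow crypt
# formats are what to fix before an attacker feeds the file to john.
audit_hashes() {
    unshadow_lines "$1" "$2" | awk -F: '
        {
            h = $2; p = substr(h, 1, 3); c = substr(h, 1, 1)
            if (h == "")                    v = "EMPTY: logs in with no password"
            else if (c == "!" || c == "*")  v = "locked, no password login"
            else if (p == "$6$")            v = "sha512crypt"
            else if (p == "$y$")            v = "yescrypt"
            else if (p == "$5$")            v = "sha256crypt"
            else if (p == "$1$")            v = "WEAK md5crypt: fast to crack, re-hash it"
            else if (length(h) == 13 && index(h, "$") == 0)
                                            v = "WEAK DES crypt: 8 char max, trivial for john"
            else                            v = "unknown format " p
            print $1 ": " v
        }'
}

# unshadowed_in_passwd PASSWD
# Accounts whose hash sits in world-readable passwd itself: any user can run
# john on these without needing root to read shadow.
unshadowed_in_passwd() {
    awk -F: '$2 != "x" && $2 != "" && $2 != "*" && $2 != "!" { print $1 }' "$1"
}

# demo on constructed data
demo() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
games:x:5:60:games:/usr/games:/usr/sbin/nologin
legacy:AbCdEfGhIjKlM:1002:1002:from an old box:/home/legacy:/bin/sh
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$saltsalt$notarealhash:18000:0:99999:7:::
alice:$1$abcdefgh$notarealhash:18000:0:99999:7:::
bob::18000:0:99999:7:::
games:*:18000:0:99999:7:::
EOF
    echo "== merged (what john is given) =="
    unshadow_lines "$d/passwd" "$d/shadow"
    echo "== audit =="
    audit_hashes "$d/passwd" "$d/shadow"
    echo "== hashes exposed in passwd itself =="
    unshadowed_in_passwd "$d/passwd"
    rm -rf "$d"
}

demo
```

Run it against the real files with `sudo sh audit.sh` after replacing the demo call with `audit_hashes /etc/passwd /etc/shadow`; anything reported as EMPTY or WEAK is a login john will get to long before it finishes the wordlist.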

Fingerprinting ‹↑›

Fingerprinting is the process of gathering information about a target (operating system, listening services, software versions) which is then used to choose an attack against it. A defender runs the same tools against their own hosts to see what an attacker would learn.

tools
xprobe - determines the remote operating system from the behaviour of its tcp/ip stack
amap - determines what type of service is listening on a port

try to determine the operating system for the server 'www.no.net'

 xprobe -v www.no.net

Dns ‹↑›

tools
dig - a command line dns look up tool
host - lookup the hostname for a given ip address

query the mail servers for the 'eg.net' domain

 dig mx eg.net

query the domain name belonging to the ip address

 host 10.0.0.3

find the domain registrar for a domain name using the global registry

 whois -h whois.crsnic.net www.hlist.org | less

This returns 'no match' for me.

Email ‹↑›

Brute Forcing ‹↑›

tools
hydra - can discover passwords by brute force against network logins
john - the john the ripper tool, cracks password hashes offline

Antivirus Programs ‹↑›

While Linux hosts are rarely hit by viruses (rootkits and backdoors like those listed above are the bigger worry), an antivirus program is useful for disinfecting usb memory sticks that you also use in other people's computers running Microsoft operating systems.

Clam ‹↑›

These notes were synthesised from a 'linux format' magazine article. Clam is one of the more prominent open-source antivirus programs for Linux.

Installing Clam ‹↑›

The Ubuntu 'launchpad' is a little bit like the sourceforge site. That is, designed to foster coding collaboration.

add the launchpad ppa with the ubuntu helper (the 'ppa:' short form is not a valid sources.list line)

 sudo add-apt-repository ppa:ubuntu-clamav/ppa

put a ppa in sources.list for the 'karmic' ubuntus version

 deb http://ppa.launchpad.net/ubuntu-clamav/ppa/ubuntu karmic main

a bash command to append the correct line to the sources.list file ('sudo echo ... >>' does not work: the redirection is performed by your unprivileged shell, not by sudo)

 echo "deb http://ppa.launchpad.net/ubuntu-clamav/ppa/ubuntu karmic main" | sudo tee -a /etc/apt/sources.list

view the config file

 less /etc/apt/sources.list

Doing this allows us to get a newer version of clamav for ubuntu than the one supplied in the standard repositories. 'PPA' stands for Personal Package Archive: a repository on Launchpad built and maintained by an individual or team, not by Ubuntu. Its packages have not been through Ubuntu's own review and testing, and since apt installs packages as root you are trusting the PPA owner with your machine; only add PPAs from people or teams you have reason to trust.

import the signing key for the ppa (check that the key id matches the one shown on the ppa's launchpad page before trusting it)

 sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5ADC2037

Configuring Clam ‹↑›

An antivirus program is only as good as the virus signature database upon which it relies. This database needs to be updated regularly since people are constantly writing new viruses.

view the list of manual pages for the clamav antivirus scanner

 apropos clam

get the latest virus definitions

 sudo freshclam

list every signature name in the installed virus database (sigtool also decodes and inspects individual signatures)

 sigtool --list-sigs

But what is this for exactly, I wonder.

get the clamtk gui frontend for clam and gnome

 sudo apt-get install clamtk

The clamtk application is extremely basic and doesn't provide many of the options available from the command line. For kde the clam graphical user interface is called 'clamav-kde', or Klamav.

install the clamav daemon (clamd keeps the signature database loaded and scans on behalf of other programs, such as a mail server, instead of reloading the database for every scan)

 sudo apt-get install clamav-daemon

check if the clam daemon is running (one of the matching lines is the grep command itself)

 ps ax | grep clamd

start the daemon by hand

 sudo clamd

check the version of the daemon

 clamdscan -V

Scanning With Clam ‹↑›

After installing and configuring you can now, finally, scan some files and folders, to see if they contain any viruses.

scan a whole folder tree

 clamscan -r /path/tree

scan just the contents of 1 folder (not subfolders)

 clamscan /media/Lexar

scan a folder tree, print only the infected files and ring the terminal bell for each detection

 clamscan -r --bell -i /media/Lexar

scan the 'lexar' usb memory stick and print verbose messages

 clamscan -rv /media/Lexar

mail the result of a scan to yourself (only the infected files and the summary)

 clamscan -r -i /path/ | mail -s "clamscan report" me@me.com

Dealing With The Infected Files ‹↑›

scan a memory stick and move all the infected files to the 'bad' folder (the folder must already exist; this quarantines rather than destroys)

 clamscan -r --move=bad /media/usbstick

scan and automatically delete infected files, a bit dangerous

 clamscan -r --bell --remove -i /path/

The line above may be dangerous because 'false positives' are a definite possibility, and '--remove' gives you no way back. Prefer '--move' and inspect the quarantine folder.

Scheduling Clamav ‹↑›

It is too easy to forget to run an antivirus, so it is better to schedule it to run automatically at a certain time or on an event.

schedule a one-off virus scan for 3am tomorrow (type the command at the 'at>' prompt, then ctrl-d; the output goes to a file, so '>' not '|')

 at 3:00 tomorrow
 at> clamscan -i ~ > ~/test.txt

schedule it with cron on the hour, every hour, every day

 export EDITOR=vim
 crontab -e
 append "0 * * * * sh /path/script.sh"

schedule it without cron mailing you the output (this also hides errors, so the script should keep its own log)

 append "0 * * * * sh /path/script.sh > /dev/null 2>&1"

schedule a virus signature update once a day at 3am, in root's crontab since freshclam writes to /var/lib/clamav (on ubuntu the 'clamav-freshclam' package already runs freshclam as a daemon; only add this if that daemon is not running)

 sudo crontab -e
 append "0 3 * * * freshclam > /dev/null 2>&1"
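The '/path/script.sh' that the cron lines above point at is not shown in the notes; here is an added example of one (not clamav's own code). It uses clamscan's exit status, 0 for nothing found, 1 for infected files found and 2 for an error, to decide whether to send mail, so a clean nightly scan stays silent while an infection or a broken scanner does not. SCAN_DIR, LOG_DIR and MAILTO are our own names, and the 'mail' command is assumed to be installed.

```sh
#!/bin/sh
# Added example: a '/path/script.sh' for the cron lines above. Not from the
# clamav project. Scans one directory, keeps a dated log, and only mails the
# log when clamscan found something or failed. clamscan exit status:
# 0 = nothing found, 1 = infected file(s) found, 2 = error.
# Assumed: SCAN_DIR, LOG_DIR and MAILTO are our own names; 'mail' exists.

SCAN_DIR="${SCAN_DIR:-/media/Lexar}"
LOG_DIR="${LOG_DIR:-$HOME/clamlogs}"
MAILTO="${MAILTO:-me@me.com}"

# verdict STATUS -> clean | infected | error
verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;      # 2 from clamscan, 127 if it is not installed, etc.
    esac
}

# run_scan DIR LOGFILE -> prints the verdict; mails the log unless clean
run_scan() {
    dir=$1
    log=$2
    code=0
    # -r recurse, -i list only infected files, --log keeps a copy on disk
    clamscan -r -i --log="$log" "$dir" >/dev/null 2>&1 || code=$?
    status=$(verdict "$code")
    if [ "$status" != clean ]; then
        # the log is the mail body: file names, signature names, the summary
        mail -s "clamscan: $status scanning $dir on $(hostname)" "$MAILTO" < "$log"
    fi
    echo "$status"
}

# entry point for cron; skipped when clamscan or the target directory is
# missing, so this file can also be sourced just for its functions
if command -v clamscan >/dev/null 2>&1 && [ -d "$SCAN_DIR" ]; then
    mkdir -p "$LOG_DIR"
    run_scan "$SCAN_DIR" "$LOG_DIR/clamscan-$(date +%Y%m%d-%H%M).log"
fi
```

Used from the crontab lines above, the `> /dev/null 2>&1` redirection then only silences the single verdict word the script prints; the dated log under LOG_DIR and the mail on infection are produced by the script itself and are unaffected.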


Firewalls ‹↑›

A firewall examines the tcp/ip packets arriving at and leaving a computer and accepts or drops each one according to a set of rules. It does not have to run on a separate computer; a host can filter its own traffic. Since the network is the main route by which attackers reach a machine, the firewall is a central part of any security set-up, though it does nothing against attacks on the services you have deliberately left reachable.

Iptables ‹↑›

Iptables is the traditional Linux firewall tool: it loads rules into the kernel's netfilter packet filter. It has a reputation for being difficult to understand and master, but is flexible and powerful.
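A concrete default-deny ruleset for a single host, as an added example (not from the original notes): everything inbound is dropped unless it is loopback, a reply to a connection this host opened, ssh (optionally only from an admin network, and throttled so a brute forcer such as hydra gets at most four new connections a minute per source), or a rate-limited ping; what falls through is logged and then dropped. SSH_PORT and ADMIN_NET are our own names. With no argument the script prints the iptables commands instead of loading them; `sh firewall.sh apply` as root loads them.

```sh
#!/bin/sh
# Added example, not from the page's source: a minimal default-deny iptables
# policy for one host. 'apply' (as root) loads it; anything else prints the
# commands it would run. Assumed names: SSH_PORT and ADMIN_NET are ours.

IPT="${IPT:-iptables}"       # IPT=echo turns every rule into a printed line
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-}"   # e.g. 192.168.1.0/24; empty = ssh allowed from anywhere

apply_rules() {
    # start from an empty INPUT chain so rerunning does not stack rules
    $IPT -F INPUT
    # default deny inbound and forwarded; allow what this host sends out
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # local processes talk to each other over loopback
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to connections this host opened; drop what conntrack cannot place
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # ssh, optionally only from the admin network. The 'recent' pair records
    # each new connection per source and drops the 5th within 60 seconds, so a
    # brute forcer gets 4 attempts a minute instead of thousands.
    if [ -n "$ADMIN_NET" ]; then src="-s $ADMIN_NET"; else src=""; fi
    $IPT -A INPUT $src -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --name ssh --set
    $IPT -A INPUT $src -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP
    $IPT -A INPUT $src -p tcp --dport "$SSH_PORT" -j ACCEPT
    # answer ping, but not a flood
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    # log what falls through, rate limited so an attacker cannot fill the disk;
    # the INPUT policy then drops it
    $IPT -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "iptables-drop: "
}

case "${1:-show}" in
    apply) apply_rules ;;            # needs root
    *)     IPT=echo; apply_rules ;;  # dry run: print the commands
esac
```

Load it from the console, or over ssh only from an address ADMIN_NET allows, since the DROP policy is set before the ssh rule exists. The rules live in the kernel only; save them with `iptables-save` and restore them at boot or they are gone after a reboot.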

Handheld Devices For Security Auditing ‹↑›

www: Sharp Zaurus
  a hand-held pda running linux, installed with a number of network security auditing tools
www: iPAQ

Notes ‹↑›

DOCUMENT-NOTES:

other security tools
SELinux - mandatory access control, harden the box
AppArmor - mandatory access control with per-program profiles
chkrootkit - check for rootkits
AVG - a free antivirus