&& Defending linux
------------------

This booklet may provide information about defending linux from
intruders and other unwanted guests

== security tools
 .. airsnort - wireless 'wep' encryption cracker 802.11b
 .. adore - backdoor
 .. amap - identify remote applications
 .. cheops - host info
 .. dsniff - suite of network sniffers
 .. ettercap - ncurses network sniffer
 .. fata-jack - denial of service attack
 .. firewalk - like traceroute
 .. fragroute - intercept and rewrite net traffic
 .. hping2 - tcp packet assembler
 .. hunt - tcp hijack
 .. hydra - password brute forcer
 .. john
 .. kismet - wireless network sniffer
 .. lrk - linux root kit
 .. loki2 - backdoor
 .. netcat - cat for tcp
 .. ngrep - network grep
 .. nikto - web server scanner
 .. nmap - port scanner
 .. openssl - telnet for ssl
 .. snmpwalk - snmp analyser / querier
 .. snort - sniffer
 .. tcpdump - cli sniffer
 .. tomkit - rootkit
 .. wlan-jack - denial of service
 .. xkey - keystroke logging of x sessions
 .. xprobe - os identification
 .. xremote - remote keystrokes to x
 .. whisker - web server scanner
 .. zap3 - log eraser
 .. zebedee - tcp tunnels
 ..

WEBSITES

 @@ securityfocus.com
   news, exploits
 @@ insecure.org
   tools
 @@ phrack.org
   hacking magazine
 @@ attrition.org
   articles, advisories, tools
 @@ www.vulnwatch.org
   vulnerability watch

USERNAMES

 * obtain a list of usernames on a unix system
 >> cat /etc/passwd

GOOGLE SEARCHES

Google searches may uncover insecure configurations for your company

 * search in google for email log files in the web document root
 >> "Index of" dead.letter

 * search in google for a misconfigured apache password file
 >> "Index of" .htpasswd

 * search for misconfigured apache password files on a sourceforge site
 >> "Index of" .htpasswd site:bumble.sourceforge.net
 >> .htpasswd site:bumble.sourceforge.net

PASSWORDS

== tools
 .. unshadow - part of the 'john' password cracker suite.
 ..
 * unshadow the linux/unix password list
 >> sudo unshadow /etc/passwd /etc/shadow > mypasswd
 >> su -c "unshadow /etc/passwd /etc/shadow > mypasswd"

 * view the examples for the 'john' password cracker
 >> zless /usr/share/doc/john/EXAMPLES.gz

 * select some 'john' documentation to view
 >> select f in /usr/share/doc/john/[A-Z]*; do zless "$f"; break; done

 * run the 'john' password cracker on an apache password file
 >> john .htpasswd

 * view the default wordlist for the 'john' cracker
 >> less /usr/share/john/password.lst
 >> ls /usr/share/john/

 * edit the 'john' configuration file
 >> sudo vim /etc/john/john.conf

 * change the word list used by john to something bigger
 -------------------------------------------------------
   wget http://download.openwall.net/pub/wordlists/all.gz
   gunzip all.gz
   sudo cp all /usr/share/john
   In the config file set Wordlist = /usr/share/john/all
 ,,,

 @@ http://www.openwall.com/passwords/nt.shtml
   Utilities for dumping windows passwords (LM or NTLM) in PWDUMP
   format to be used with the 'john' tool
 @@ http://download.openwall.net/pub/wordlists/
   reduced password wordlists

FINGERPRINTING

Fingerprinting is the term used for the process of gathering
information about a target which will then be used to attack that
target

== tools
 .. xprobe - determines the remote operating system
 .. amap - determines what type of service is open on a port
 ..

 * try to determine the operating system for the server 'www.no.net'
 >> xprobe -v www.no.net

DNS

== tools
 .. dig - a command line dns look up tool
 .. host - lookup the hostname for a given ip address
 ..

 * query the mail servers for the 'eg.net' domain
 >> dig mx eg.net

 * query the domain name belonging to the ip address
 >> host 10.0.0.3

 * find the domain registrar for a domain name using the global register
 >> whois -h whois.crsnic.net www.hlist.org | less

This returns 'no match' for me.

EMAIL BRUTE FORCING

== tools
 .. hydra - can discover passwords by brute force
 .. john - the john the ripper tool
 ..
ANTIVIRUS PROGRAMS

While Linux is not prone to viruses, it is useful to have antivirus
programs in order to disinfect usb memory sticks which you may use in
other people's computers (running Microsoft operating systems)

CLAM

These notes were synthesised from a 'linux format' magazine article.
Clam is one of the more prominent open-source antivirus programs for
Linux.

INSTALLING CLAM
....

The Ubuntu 'launchpad' is a little bit like the sourceforge site. That
is, designed to foster coding collaboration.

 * put a launchpad ubuntu ppa in /etc/apt/sources.list
 >> ppa:ubuntu-clamav/ppa

 * put a ppa in sources.list for the 'karmic' ubuntu version
 >> deb http://ppa.launchpad.net/ubuntu-clamav/ppa/ubuntu karmic main

 * a bash command to append the correct line to the sources.list file
 --------------------------------------------------------------------
   echo "deb http://ppa.launchpad.net/ubuntu-clamav/ppa/ubuntu karmic main" | sudo tee -a /etc/apt/sources.list
 ,,,

Note that 'sudo echo ... >> /etc/apt/sources.list' fails with
'permission denied': the shell opens the file for appending as the
ordinary user before sudo runs, so 'sudo tee -a' is used to do the
append with root privileges.

 * view the config file
 >> less /etc/apt/sources.list

Doing this allows us to get the latest version of clamav for ubuntu
(rather than just the version supplied with the standard ubuntu
installation). 'Ppa' means an application from one of ubuntu's
'partners' (partner preferred application?). It means that the
application has not been thoroughly tested with a distribution of
Ubuntu Linux but that it will probably work.

 * get the keys for the server
 >> sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5ADC2037

CONFIGURING CLAM
....

An antivirus program is only as good as the virus signature database
upon which it relies. This database needs to be updated regularly
since people are constantly inventing new viruses.
 * view the list of manual pages for the clamav antivirus scanner
 >> apropos clam

 * get the latest virus definitions
 >> sudo freshclam

 * list all the virus signatures in the virus db
 >> sigtool --list-sigs

But what is this for exactly, I wonder

 * get the clamtk gui frontend for clam and gnome
 >> sudo apt-get install clamtk

The clamtk application is extremely basic and doesn't provide many of
the options available from the command line. For kde the clam
graphical user interface is called 'clamav-kde', or Klamav

 * get the clamav daemon
 >> sudo apt-get install clamav-daemon

 * check if the clam daemon is running, should give 3 results
 >> ps ax | grep clamd

 * start the daemon
 >> sudo clamd

 * check the version of the daemon
 >> clamdscan -V

SCANNING WITH CLAM
....

After installing and configuring you can now, finally, scan some files
and folders, to see if they contain any viruses.

 * scan a whole folder tree
 >> clamscan -r /path/tree

 * scan just the contents of 1 folder (not subfolders)
 >> clamscan /media/Lexar

 * scan a folder tree, list only infected files (-i) and ring the bell when a virus is detected
 >> clamscan -r --bell -i /media/Lexar

 * scan the 'lexar' usb memory stick and print verbose messages
 >> clamscan -rv /media/Lexar

 * mail the result of a scan to yourself
 >> clamscan -r -i /path/ | mail -s "clamscan report" me@me.com

DEALING WITH THE INFECTED FILES
....

 * scan a memory stick and move all the infected files to the 'bad' folder
 >> clamscan -r --move=bad /media/usbstick

 * scan and automatically remove infected files, a bit dangerous
 >> clamscan -r --bell --remove -i /path/

The line above may be dangerous because 'false positives' are a
definite possibility.

SCHEDULING CLAMAV
....

It is too easy to forget to run an antivirus, so it is better to
schedule it to run automatically at a certain time or on an event.
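An added example, not from this booklet or from the ClamAV project: one script that ties the scan, quarantine and signature update steps together so that it can be called from cron or at. SCAN_DIR, QUARANTINE, LOG and the script name clamcron.sh are assumed placeholders, and the sample clamscan report is constructed.

```shell
#!/bin/sh
# Added example, not from the original booklet: a cron-friendly ClamAV run
# that fetches signatures first, scans with --move (never --remove, because
# of false positives), appends the report to a log and exits non-zero when
# anything was found, so cron's mail or the '| mail' idiom carries the news.
# SCAN_DIR, QUARANTINE and LOG are assumed placeholder paths; adjust them.
# CLAMSCAN and FRESHCLAM can be overridden, e.g. to point at a test stub.

SCAN_DIR="${SCAN_DIR:-/media/usbstick}"
QUARANTINE="${QUARANTINE:-$HOME/clam-quarantine}"
LOG="${LOG:-$HOME/clamscan.log}"
CLAMSCAN="${CLAMSCAN:-clamscan}"
FRESHCLAM="${FRESHCLAM:-freshclam}"

# Read a clamscan report on stdin and print the N of its "Infected files: N"
# summary line (prints nothing if the summary is missing).
infected_count() {
    sed -n 's/^Infected files: *\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Update signatures, scan recursively, quarantine hits, log the report.
# Returns 0 when clean, 1 when at least one file was moved to quarantine.
run_scan() {
    dir=$1; quar=$2
    mkdir -p "$quar"
    $FRESHCLAM >>"$LOG" 2>&1
    report=$($CLAMSCAN -r -i --move="$quar" "$dir" 2>&1)
    printf '== %s ==\n%s\n' "$(date)" "$report" >>"$LOG"
    n=$(printf '%s\n' "$report" | infected_count)
    [ "${n:-0}" -eq 0 ]
}

# Constructed sample of clamscan's output for offline use; the signature
# name and the paths are made up.
SAMPLE_REPORT='/media/usbstick/autorun.inf: Sample.Test.Signature FOUND
/media/usbstick/autorun.inf: moved to '\''/home/me/clam-quarantine/autorun.inf'\''

----------- SCAN SUMMARY -----------
Known viruses: 1
Scanned files: 12
Infected files: 1'

# 'sh clamcron.sh scan' (assumed name) does the real run, e.g. from root's
# crontab: 0 3 * * * sh /path/clamcron.sh scan
# With no argument it only demonstrates the parser on the sample report.
case "${1:-}" in
    scan) run_scan "$SCAN_DIR" "$QUARANTINE" ;;
    *) printf 'sample report: %s infected\n' \
           "$(printf '%s\n' "$SAMPLE_REPORT" | infected_count)" ;;
esac
```

Install it in root's crontab (sudo crontab -e) so that freshclam and the move into the quarantine folder have the permissions they need.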
 * schedule a one-off virus scan for 3am (finish the at> input with Ctrl-D)
 >> at 3:00 tomorrow
 >> at> clamscan -i ~ > ~/test.txt

 * schedule it with cron on the hour, every hour, every day
 >> export EDITOR=vim
 >> crontab -e
 >> append "0 * * * * sh /path/script.sh"

 * schedule it without sending any mail
 >> append "0 * * * * sh /path/script.sh > /dev/null 2>&1"

 * schedule a virus signature update once a day
 >> append "0 3 * * * sh /path/script.sh > /dev/null 2>&1"

== other security tools
 .. SELinux - harden the box
 .. AppArmor
 .. chkrootkit - check for rootkits
 .. AVG - a free antivirus
 ..

FIREWALLS

A firewall is an application which examines tcp/ip packets arriving at
and leaving a computer and allows or disallows those packets to
continue depending upon a set of rules. A firewall does not have to
run on a separate computer. Since the Internet is the main source of
security problems for any computer, the firewall software has a great
importance in any security set-up.

IPTABLES
....

Iptables is the traditional unix/linux internet firewall system. It
has the reputation of being difficult to understand and master but
flexible and powerful.

HANDHELD DEVICES FOR SECURITY AUDITING

 @@ sharp zaurus
   The Sharp Zaurus is a hand-held pda installed with linux along with
   a number of network security auditing tools
 @@ iPAQ

NOTES

DOCUMENT-NOTES:

# this section contains information about the document and
# will not normally be printed.
# A small (16x16) icon image to identify the book
document-icon:
# A larger image to identify or illustrate the title page
document-image:
# what sort of document is this
document-type: book
# in what kind of state (good or bad) is this document
document-quality: basic

document-history:
 @@ Oct 2010
   book was begun when I started to get worried about all the messages
   in my apache logs
 @@ 14 Oct 2010
   Added some notes about the clam antivirus

# who wrote this
authors: mjbishop
# a short description of the contents, possibly used for doc lists
short-description: defending linux from attacks
# A computer language which is contained in the document, if any
code-language: bash
# the script which will be used to produce html (a webpage)
make-html: ./book-html.sh
# the script which will produce 'LaTeX' output (for printing, pdf etc)
make-latex: ./booktolatex.cgi