
Watching your network for attacks

Quick looks at chkrootkit, OpenNMS, NetSaint, nmap & Bastille Linux

(LinuxWorld) -- Last week, we talked about some simple steps that a user or administrator can take to see if his or her machine had been hacked. (See How to tell if your Linux box has been cracked.) This week, I update that article and introduce you to some products I am evaluating.

First, the update. Several readers responded with feedback to the article, and I thought one of them had a great suggestion. Unfortunately, I misplaced the e-mail, but the respondent directed me to the chkrootkit Web site. (See resources below.)

The chkrootkit program is designed to check for many well-known root kits (the chkrootkit Web site lists the kits). Running chkrootkit is simple: Download the source, unpack it, and type make in the extracted directory. Voila! You have the chkrootkit program ready to go. Here is an example output from my machine:

[root@jd chkrootkit-0.34]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
[...]

The chkrootkit program is a nice utility, and it confirmed what I already knew: We haven't been cracked.
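Since chkrootkit's per-binary lines follow a fixed pattern, a nightly run is easy to turn into an alert. The following is an added example, not part of the original article or of chkrootkit itself: it parses output in the format shown above and reports any binary flagged INFECTED. The sample output is constructed (including one deliberately infected line) to exercise the parser.

```python
"""Summarise chkrootkit output and flag INFECTED binaries (added example)."""
import re

# chkrootkit prints one line per check: Checking `name'... <status>
# Real status words include "not infected", "not found", "not tested" and "INFECTED".
LINE_RE = re.compile(r"^Checking `(?P<name>[^']+)'\.\.\. (?P<status>.+)$")

# Constructed sample output mirroring the article's format; `login' is made
# to look infected so the alert path is exercised.
SAMPLE_OUTPUT = """\
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `chfn'... not infected
Checking `login'... INFECTED
Checking `ls'... not tested
"""


def parse_chkrootkit(output):
    """Return {binary: status} for every 'Checking ...' line; other lines are ignored."""
    results = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results[m.group("name")] = m.group("status").strip()
    return results


def infected_binaries(results):
    """Binaries whose status carries INFECTED (chkrootkit prints it in upper case)."""
    return sorted(name for name, status in results.items() if "INFECTED" in status)


def summarize(output):
    """Build a small report suitable for a cron job or monitoring check."""
    results = parse_chkrootkit(output)
    return {
        "checked": len(results),
        "infected": infected_binaries(results),
        "not_found": sorted(n for n, s in results.items() if s == "not found"),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_OUTPUT)
    print(report)
    # Non-zero exit lets cron or a wrapper script raise an alert.
    raise SystemExit(1 if report["infected"] else 0)
```

In practice you would feed it the live output (for example `./chkrootkit | python3 check.py`) rather than the constructed sample.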

Continuing in this vein, I have been looking for a good set of tools to set up network monitoring, and general network security, for some time. In the process of my investigation I came across several programs, including NetSaint, OpenNMS, nmap, Bastille Linux, and Snort.

NetSaint

NetSaint is a simple, Web-based utility for monitoring your networks. It even has a WAP (Wireless Access Protocol) interface. It supports a strong plug-in facility for adding additional options and features. As I played with NetSaint, the one thing I immediately didn't like was that it appears to be one of the side projects of the Open Source community.

A side project of the Open Source community can be spotted by matching several of the following characteristics:

  1. A lot of features
  2. Not a lot of documentation
  3. Sporadic release schedules
  4. No support
  5. Difficult installation
  6. No RPM packages

Okay, I might get some flames for No. 6, but I have been into this Open Source thing for a very long time, and outside of compiling PostgreSQL or Apache for customized parameters and optimization, I am getting tired of dealing with all this source. I want to type rpm -i so I can actually get some work done. However, I digress.

OpenNMS

Moving on, OpenNMS appears to be a great program. I downloaded and installed it in the past, but I was not able to get it working correctly. This was some time ago, and I am sure it is much improved since then.

If you are familiar with the OpenView/Network Node Manager product from HP, then you will like OpenNMS. OpenNMS requires Java, SNMP, and PostgreSQL (anything else would be uncivilized). Installing OpenNMS is a no-brainer, as the developers have matured the product to a point where its installer rivals (and sometimes beats) commercial installation software.

nmap

If you are looking to perform portscans on your network to see how well things are locked down, I suggest nmap. Below is some sample output from nmap:

Interesting ports on  (192.168.1.1):
(The 1545 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
53/tcp     open        domain
2030/tcp   open        device2
32778/tcp  filtered    sometimes-rpc19

Remote operating system guess: Linux 2.1.19 - 2.2.17
Uptime 10.959 days (since Sun Oct 7 16:26:15 2001)

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds

nmap supports several different types of scans, including stealth, FIN and connect()-based scans. You can use it for operating system detection and different types of protocol scans, such as TCP ping versus ICMP ping.

You can also have nmap report the ident information of the machine you are scanning. A quick warning about running nmap: if you do use nmap for scanning -- you may want to make sure the machine you are scanning from is in your portsentry.ignore file. If you do not, you could find your machine blocked by the machine you are scanning.
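Scanning your own hosts is most useful when the result is compared against what each host is supposed to expose. As an added example (not from the article or the nmap project), the code below parses nmap's classic port table in the format shown above and lists open ports that are not in an approved baseline. The sample output and the baseline for 192.168.1.1 are constructed for illustration.

```python
"""Compare nmap's port table against an approved baseline (added example)."""
import re

# Classic nmap text format: "<port>/<proto>  <state>  <service>"
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
HOST_RE = re.compile(r"^Interesting ports on\s+(?P<name>\S*)\s*\((?P<ip>[\d.]+)\)")

# Constructed sample in the format the article shows (hostname field empty)
SAMPLE_NMAP = """\
Interesting ports on  (192.168.1.1):
(The 1545 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
53/tcp     open        domain
2030/tcp   open        device2
32778/tcp  filtered    sometimes-rpc19

Remote operating system guess: Linux 2.1.19 - 2.2.17
"""

# Constructed baseline: the only services this host is expected to offer
BASELINE = {"192.168.1.1": {("tcp", 22), ("tcp", 53)}}


def parse_nmap(output):
    """Return (host_ip, [(proto, port, state, service), ...]) from nmap text output."""
    host, ports = None, []
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group("ip")
            continue
        m = PORT_RE.match(line)
        if m:
            ports.append((m.group("proto"), int(m.group("port")),
                          m.group("state"), m.group("service")))
    return host, ports


def unexpected_open_ports(output, baseline):
    """Open ports not listed in the baseline for the scanned host.

    Filtered or closed ports are not reported: only "open" indicates a listener.
    """
    host, ports = parse_nmap(output)
    allowed = baseline.get(host, set())
    return [(proto, port, service) for proto, port, state, service in ports
            if state == "open" and (proto, port) not in allowed]


if __name__ == "__main__":
    for proto, port, service in unexpected_open_ports(SAMPLE_NMAP, BASELINE):
        print(f"unexpected open port {port}/{proto} ({service})")
```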

Bastille Linux

Bastille Linux is a software package designed to secure or harden Linux. Bastille Linux supports Red Hat- and Mandrake-based systems. I have used Bastille in the past, and it works well. The one thing I enjoyed about Bastille is that it teaches you as you use it. Each step that you take with the program is explained. You are told why it is good, and what the potential side effects are. This makes Bastille not only a powerful hardening tool, but a teaching tool as well.

Snort

The last item I would like to bring up, and the one that I will actually be writing about next week, is Snort. Snort is an Open Source network intrusion detection system that sports a large array of features and is well respected within the network security community. It has customizable rulesets, the ability to log to databases, and can work with other programs such as tcpdump.

Look for my column next week, where we begin a series on installing and using the Snort Network Intrusion Detection System.

More Stories By Joshua Drake

Joshua Drake is the co-founder of Command Prompt, Inc., a PostgreSQL and Linux custom development company. He is also the current author of the Linux Networking HOWTO, Linux PPP HOWTO, and Linux Consultants HOWTO. His most demanding project at this time is a new PostgreSQL book for O'Reilly, 'Practical PostgreSQL'
