Open discussion: Security applications for Linux

Linux has many applications available to protect your system. During this Guild Meeting, Nate Russell helped TechProGuild members explore and make the best choice.


Linux has many applications available to help you protect your system. On February 3rd Nate Russell was here to help explore and choose the best option. If you couldn’t join us then, enjoy the transcript and we hope to see you on our next live Guild Meeting. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.

Note: TechProGuild edits Guild Meeting transcripts for clarity.

Welcome to the meeting
MODERATOR: Welcome to tonight's Guild Meeting. And welcome especially to Nate Russell, our guest speaker for tonight. So, without further ramblings from me, here's Nate.

NATE RUSSELL: Hi.

THEWRITERGUY: What's cooking for tonight? Security Apps?

NATE RUSSELL: For Linux :) It's 8:59, ready to start?

MIKKILUSA: OK, lay it on us what works best and where do we get them.

NATE RUSSELL: Okay, first I'd like to talk about Bastille-Linux for hardening your Red Hat 6.x. Bastille is a Perl hardening script. It currently can only be run once. It's best to run after a fresh install. That's what the README says anyway. It asks you dozens of questions, like what services do you need, should it change some well-known problems. Each question is preceded by a screen or two worth of text describing what it is about to do. You can get it at www.bastille-linux.org.

MIKKILUSA: Ask any apache webserver questions?

NATE RUSSELL: Any questions so far? Yes, it asked what modes you want to run and some more basic questions. One problem I find is during the execution it asks if it should download any new RPMs. I install the new RPMs first before running Bastille. It also tries to install ssh from the net; again I install that first. For the most part it does a fine job. The text with each question is quite informative.

MIKKILUSA: And you feel it is the best for web server security?

NATE RUSSELL: One question is do you want to run sendmail as a daemon.

MIKKILUSA: Not decided yet.

NATE RUSSELL: I think it helps in starting your web security, but you should dive in deeper once it's setup. Did that answer your question mikkilusa?

How about that for an answer?
MIKKILUSA: Yes, good answer.

NATE RUSSELL: Most home users do not need sendmail running as a daemon. Bastille will ask if running sendmail via cron. This is probably best for home users. Another question is to create another root account. You use the new account as root instead of root.

MIKKILUSA: Keeps them from getting to true root?

NATE RUSSELL: This helps confuse would-be hackers. A good hacker will still get by this one though. I believe it disables the account root, and any attempts show up in your log. I'll have to test that one again. But I seem to remember trying to login as root and was denied, and it was logged. It also will disable anon.

MIKKILUSA: Then how do good hackers get around it?

NATE RUSSELL: Through exploits in daemons, usually. So the fewer services you run the safer you are. Wu-ftp seems to have its share of root exploits. Once in, a good hacker will notice the renamed root. But it doesn't really matter because they are already in. :)

DAHUNTER: This is good info.

NATE RUSSELL: Good I hope so. You see I've been hacked before. :(

MIKKILUSA: "Once in a good hacker will" is all we got.

NATE RUSSELL: Once in, a good hacker will notice the renamed root. But it doesn't really matter because they are already in. Any more questions on Bastille before I move to the next proggie?

MIKKILUSA: Not here.

These are a few of my favorite things
NATE RUSSELL: Next is PortSentry. This one is my favorite. It looks for port scans. I downloaded it as a tar file. It installs easily. It has three modes of operation for TCP and three for UDP. I use the advanced stealth mode for each. It installs in /usr/local/psionic/portsentry. There you will find a portsentry.conf. If you use pico to edit, make sure you use pico -w. The conf file has long lines and pico by default will wrap them, thus breaking your conf file. You will find a line that is commented out. It has an ipchains command. Uncomment that line. By doing this, anyone who portscans you will be denied access to your Linux box. This remains in effect until you reboot. I run a cron job that saves my ipchains. When I reboot the same sites are still denied.

NATE RUSSELL: Any questions?

MIKKILUSA: What site did you get PortSentry from?

DAHUNTER: How open is Rhat Linux out of the box?

ANDY_DAVIS: Are there articles about port scanning?

NATE RUSSELL: Freshmeat.net. If not, let me know and I'll look up the URL. Red Hat has some open areas. Bastille helps close those down. Freshmeat will have a URL for PortSentry; there you will find some good info about portscanning. If you're looking for a portscanner for Linux then nmap is the best.

ANDY_DAVIS: Found 29 articles. Great.

NATE RUSSELL: Where?

ANDY_DAVIS: http://www.freshmeat.net/search.php3?query=scanning.

MIKKILUSA: Freshmeat?

NATE RUSSELL: Good. Freshmeat is usually where I start. One more portsentry.conf item is SCAN_TRIGGER="0". If you're using advanced stealth this should probably be 1 or 2. The conf file is well documented and explains that 0 may cause false positives. For my home box a false positive is okay. But for a business web server you may keep out good guys as well. To start PortSentry use the following two commands: ./portsentry -atcp, ./portsentry -audp. This puts it into advanced stealth mode. I have a script in my init.d file that starts it. PortSentry will log all attempts in /var/log/messages. Since I started using PortSentry it is amazing how many scans I get.

MIKKILUSA: So not been hacked yet? So far?

Getting hacked to bits
NATE RUSSELL: I have four Linux boxes on the Internet. I'll see them start on the first and go through all of them. I have been hacked.

ANDY_DAVIS: Newbie question: Other than hackers, is there a legitimate use of port scanning by apps?

NATE RUSSELL: Yes, some ftp clients will portscan before establishing an ftp connection.

ANDY_DAVIS: Can that be taken advantage of by hackers?

NATE RUSSELL: Another, I recently read, uses it to verify you are who you are. Usually the ftp client scans only one port. Can what be taken advantage of?

ANDY_DAVIS: Can a hacker take advantage of a legitimate scan?

NATE RUSSELL: I would think so. If they scan and see a value in the result they may glean what version of a daemon you're running.

MIKKILUSA: The "who you are" one, a callback-type feature?

ANDY_DAVIS: How do we control that the ports are being used as "designed?" I guess we then have other methods to monitor this?

NATE RUSSELL: And exploit its weakness. Good question. TCP wrappers helps with that one. It watches the ports and then sends the connection on to the daemon. If the daemon ain't broke you should be okay.

SECTOR: http://psionic.com/ is the homepage for PortSentry (and Logcheck and HostSentry).

NATE RUSSELL: Right. Logcheck is the next item I was going to mention. If we're done with Port Sentry. Are we?

SECTOR: Finally. I don't think you could see what I was typing before.

NATE RUSSELL: Logcheck looks at your log files and greps the good stuff and leaves the chaff. Although I still look at the logs from time to time. Logcheck will place messages into three categories.

SECTOR: Logcheck will email the results to you.

Active attack!
NATE RUSSELL: ACTIVE ATTACK. Right, I have it run every six hours and then I read my email. Security Violations, Unusual System Events. I have my .procmail copy active attacks to my main account. I want to see these as soon as possible. After logcheck lists the active attack the next line is: ipchains blah blah blah deny.

MIKKILUSA: Very cool.

NATE RUSSELL: Retype: after logcheck lists the active attack the next line reads, ipchains. Logcheck is not a daemon; it must be run from the command line or the crontab file.

MODERATOR: 10 min warning all. :-(

NATE RUSSELL: I port scanned one of my test boxes only to be denied. I had to come in the side door to drop the ipchains rule. Already? Any questions on logcheck?

MIKKILUSA: Really seems like we just got going :(

SECTOR: Just started.

MIKKILUSA: Where is it, Freshmeat too?

NATE RUSSELL: www.freshmeat.net. Oh misread. www.psionic.org. Or net? I forget.

MODERATOR: Hey all, if you send e-mail to us, and state that you want UNMODERATED chats, we may be able to arrange longer subject chats.

MIKKILUSA: OK Nate give us the condensed version of your other way cool security secrets please.

NATE RUSSELL: Here's a good NDS: http://www.tripwiresecurity.com/.

MIKKILUSA: But then we'd put you out of a job, moderator; we would feel bad.

NATE RUSSELL: This will create a database with md5 and other hashes of your binaries and important conf files. That's not an NDS but an IDS, I think.

SECTOR: That's www.psionic.COM.

NATE RUSSELL: This will alert you if a file has been messed with. In my case I didn't have an IDS. But using rpm -V on my Red Hat RPMs I found in.ftpd had been changed.

MIKKILUSA: Do you run virus scanners on your servers Nate?

ANDY_DAVIS: http://www.psionic.com/ paints a welcome screen. That's the one!

NATE RUSSELL: Not on Linux.

SECTOR: Yes that's the one I gave.

MIKKILUSA: I keep getting log off sector poor guy:(

NATE RUSSELL: I only see half lines.

MIKKILUSA: It is the frown faces that kill the text.

NATE RUSSELL: I quit with the colon-paren combos. That seemed to do it for me.

MODERATOR: I'll see that this is fixed, didn't know. Sorry.

MIKKILUSA: Me too bummer.

NATE RUSSELL: Things have been okay once I quit smiling.

MIKKILUSA: Mine was frowning on Sector being booted.

ANDY_DAVIS: Well, folks. This has been very informative. I have a lot of bookmarks and reading to do. Thanks so much.

MODERATOR: That's about a wrap, I'm afraid.

NATE RUSSELL: If you email me I can send you my init files to start up PortSentry and ipchains.

MIKKILUSA: Yes, Nate was great, thanks.

Thanks so much
MODERATOR: Thanks all for participating tonight. And thanks Nate this will make an awesome transcript when it's up <smirk>. Which will be next week.

STORM: Sounds great though. I've missed a few, and really wanted to see what happened in them, especially about Linux security, but my system keeps blowing up!! (MB meltdown....)

MIKKILUSA: We need more ppl here. Tell your friends, guys. I do, but they're lazy.

STORM: LOL! I'm ALWAYS too late for those.

NATE RUSSELL: Thank you.

MODERATOR: That about wraps it up for tonight.
Our Guild Meetings feature top-flight professionals leading discussions on interesting and valuable IT issues. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.