Friday, October 29, 2010

Security Onion Live CD

Doug Burks has created an IDS Live DVD running Ubuntu. Pre-installed are the following packages:
Snort
Sguil
Suricata
Xplico
nmap
scapy
hping
netcat
tcpreplay and others.
The .iso can also be installed on a USB flash drive, giving you an IDS-on-a-stick. Very handy.
I'm looking forward to trying it out on the security test box I have at home.

Doug's page is at http://securityonion.blogspot.com. There you'll find a download link, a presentation on Security Onion and a FAQ, as well as his posts on network security.

Wednesday, October 27, 2010

Firesheep

Security experts' recommendation that users subscribe to a VPN service isn't practical...even setting aside the possibility that someone might grab that cookie as it leaves the VPN server for the destination. I just can't see many ordinary users shelling out money for a VPN service, setting it up on their laptops and using it. Whatever the final solution is, it's going to have to be a fix at the service end, and transparent or nearly so, to get most folks to adopt it.
Firesheep's site here.

Friday, October 8, 2010

A Few Handy Built-Ins

Anyone who's worked with Linux knows it's a great operating system (whichever of the many flavors you run). Not only is it stable and secure, but it makes great use of hardware with lower overhead, making it fast as well. Another really nice thing about an open source OS is the constant addition of utilities that make life easier for both the admin of the box and the user.
Here are a few of my favorites for those new to Linux...

watch: watch allows you to run a command over and over and display its output on the screen. It's very handy for watching for changes to a directory, waiting for a service to start, or monitoring connections. For example, let's say you run a service on port 8000 and you want to watch for any connections to that port. You could do that by running "netstat -an | grep 8000", or better yet, "netstat -an | grep 8000 | grep EST". That takes the output of netstat, which shows network connectivity, statistics and such, pipes it through grep to filter out all lines except those that contain 8000, the port you wish to monitor, then filters out from those lines any that don't have upper case EST in them. This shows connections in the ESTABLISHED state.
That's great, but what if you were watching for connections over an hour's time span? watch works great for this. watch takes a -n parameter, which is the number of seconds between executions. The default is 2 seconds. If we wanted updates as quickly as possible, we would run:
watch -n 1 'netstat -an | grep 8000 | grep EST'. Every second, watch would rerun the netstat command and show you the results, clearing the screen between each iteration.
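An added example, not from the original post: a small POSIX shell script that does what the watch/netstat one-liner does, but anchors on the local-address column (so a remote peer that happens to use port 8000, or an address containing "8000", doesn't sneak in) and logs changes over time instead of just repainting the screen. It assumes the Linux net-tools netstat column layout (Proto Recv-Q Send-Q Local Foreign State); the function names and the embedded sample output are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of "netstat -an" output, so the filter can be tried offline.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:8000           192.168.1.20:51234      ESTABLISHED
tcp        0      0 10.0.0.5:8000           192.168.1.21:40001      TIME_WAIT
tcp        0      0 10.0.0.5:43210          203.0.113.9:8000        ESTABLISHED
tcp6       0      0 ::1:8000                ::1:55555               ESTABLISHED
udp        0      0 0.0.0.0:8000            0.0.0.0:*'

# Print the foreign address of every ESTABLISHED TCP connection whose LOCAL
# port is $1. Reads netstat output on stdin. Unlike "grep 8000 | grep EST",
# a connection we made out to someone else's port 8000 is not reported.
established_on_port() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
      n = split($4, local, ":")        # local address is column 4; port follows the last ":"
      if (local[n] == port) print $5   # column 5 is the foreign (remote) address
    }'
}

# Poll netstat every INTERVAL seconds and append a timestamped entry to LOGFILE
# whenever the set of established peers on PORT changes. Runs until killed.
# Usage: log_connection_changes 8000 1 /tmp/port8000.log
log_connection_changes() {
  port="$1"; interval="$2"; log="$3"
  prev=""
  while :; do
    cur=$(netstat -an 2>/dev/null | established_on_port "$port" | sort -u)
    if [ "$cur" != "$prev" ]; then
      printf '%s port %s established peers:\n%s\n' \
        "$(date '+%F %T')" "$port" "${cur:-(none)}" >> "$log"
      prev="$cur"
    fi
    sleep "$interval"
  done
}

# Demonstration on the embedded sample (no live netstat call needed).
printf '%s\n' "$SAMPLE_NETSTAT" | established_on_port 8000
```

On the sample above this prints only 192.168.1.20:51234 and ::1:55555; the LISTEN, TIME_WAIT and outbound-to-8000 lines are dropped.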

lokkit: lokkit is a command line (used to be ncurses GUI based) utility to modify the iptables firewall. It's very simple to quickly open up a port with lokkit (I'd recommend making a copy of the iptables rules file, found in /etc/sysconfig, first). If you want to open port 21 to all inbound traffic, you'd run "lokkit -p 21:tcp". Viewing your firewall tables by running "iptables -L" should show:
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
You can also disable and enable the firewall, open ports by service name, add trusted interfaces, add custom rules and add and remove modules.
Just make sure you back up before making changes, and be careful modifying iptables remotely, whether using lokkit or manually, as you could lock yourself out when you restart (if you screw up).

ntsysv: ntsysv is an ncurses GUI that allows you to enable or disable services at start up, the equivalent of using the chkconfig command. chkconfig is more granular, as you can specify the runlevel you wish, but if you're unfamiliar with Linux, ntsysv is helpful till you get up to speed. Just invoke the command, no parameters, and you'll be presented with a list of all the available services. Each has a box beside it that can be checked to enable it. Use the arrow keys to scroll down and back up and hit the space bar to toggle on or off.
Yes, there are X apps that do the same thing with a nice GUI, but if you're working on NetSec boxes, a lot of the time you won't have X installed (or shouldn't). Do you really want a GUI, with the myriad of apps it pulls in, any of which could have security flaws, installed on your IDS or packet auditor?
