[Techtalk] Security course

Raven, corporate courtesan raven at oneeyedcrow.net
Fri Jan 11 17:09:50 EST 2002


Heya --

Quoth Linda Laubenheimer (Fri, Jan 11, 2002 at 10:00:20AM -0800):
> *perk* *perk* Security? *perk* *perk* This is an area that I am not
> very experienced in, damnit.  I have the mindset, but not the
> "toolset", or the nuts & bolts understanding of how and why.

	Well, at least you've got a place to start, then.  And in
today's unfriendly, automated-worm-exploiting Internet, it can be really
important to know.

> I would love to learn more, and take some of the "standard practices"
> and automate them for checking an installation (from the inside), both
> initial config, and periodic audit.  If there are already tools to do
> this, I don't know of them.

	There are tools to do this, but none that will do it in a
completely automated way.  You can automate the checking, but someone
will have to look at the results.  (I'm sure you could do a quick script
to have the results e-mailed to you, though, somewhat like what logcheck
does.)

	First of all, take a look at Bastille Linux.  It's a script that
runs on Red Hat, Mandrake, and SUSE (currently being ported to Debian,
HP-UX, Solaris, and Turbo-Linux).  It checks many of the things you want
to do to make sure a box is secure, and asks you how you'd like them
set.  I don't think it would be too hard to adapt the code to make it
check that they are matching your original settings, and mail you the
diff.  http://www.bastille-linux.org

> As I understand it, even tripwire you have to go look at periodically,
> rather than have something mail you when something's "fishy", and it's
> passive.

	You run Tripwire and compare its results against the database of
previous results at will.  Suggestions for Tripwire: keep the database
somewhere not writable on the computer (burn it to a CD-ROM and mount
that, or something), do NOT check the database itself with Tripwire (it
freaks), and after you've installed Tripwire, reboot your system and
then run Tripwire again immediately so that you know what "normal"
changes from a reboot are.  That way you won't freak out the first time
you run it after a power outage and see a bunch of modified files.  (I
nearly had a heart attack when that happened to me; I thought my box had
been owned for sure.)

	Other things you may be interested in, and that I'll probably
bring up as topics in the security course:

	Logcheck.  Handy little program available at
http://www.psionic.com/abacus/logcheck which will parse through your
system logs and e-mail you the results.  You can configure files for it
to check, what's important, what to ignore, lots of things like that.

	Snort.  An intrusion detection system/packet sniffer.  Very
popular, very good, incredibly flexible, and can be used with its sister
program ACID to give you friendly reporting of its findings.  Available
at http://www.snort.org/

	Nessus.  Not for internal vulnerability assessment per se, but
you can use it to scan your own network for known holes and weaknesses.
Don't scan anyone else's network without written permission, or you may
find yourself having a very unpleasant conversation with your ISP's
abuse department, or even the cops.  But rest assured that zillions of
blackhats are out there using it to find vulnerable servers.  It's good
to know where your own problems are.  http://www.nessus.org

	Nmap.  Great for finding out which ports on a given machine are
listening, and for OS fingerprinting.  Again, only use it on your own
boxes, or dire things may occur.  http://www.insecure.org/nmap/

	Of course, various of these tools can be incorporated into a
cron'd script, and you could easily set the script to redirect output to
a file and mail that file to you.

Cheers,
Raven

"You're some sort of nifty self-created non-categorizable thing.  I
 don't know what to call you, so I can't curse you."
  -- Louis, regarding vituperation
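The Tripwire advice above (baseline stored outside the checked tree, ideally on read-only media, and never audited by itself) and the closing suggestion of a cron'd script that collects results for mailing can be sketched in a few lines of portable sh. This is an added example, not Raven's code and not part of Tripwire, Bastille or logcheck: it hashes every regular file under a directory into a baseline and later reports files that were added, removed or modified. The paths, the crontab line and the function names are assumptions for illustration; the report is printed (and left for a mail wrapper) rather than mailed, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal file-integrity audit in
# the spirit of the Tripwire/Bastille advice. Paths and cron line are assumed.
set -u

# Pick whichever SHA-256 tool this host has (GNU coreutils or BSD/macOS).
hash_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256sum"
    else
        echo "shasum -a 256"
    fi
}

# Print "hash  ./relative/path" for every regular file under $1, sorted by path
# so that two snapshots of the same tree compare line for line.
# (Paths containing whitespace are not handled by this toy version.)
snapshot() {
    tool=$(hash_tool)
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          $tool "$f"
      done )
}

# Record the baseline. $2 MUST live outside $1 (the "don't check the database
# itself" point) and should be copied to read-only media before it is trusted.
make_baseline() {
    snapshot "$1" > "$2"
}

# Compare the live tree with the baseline and print one line per change.
# Returns 0 when nothing changed and 1 otherwise, so a cron wrapper can decide
# whether there is anything worth mailing.
check_baseline() {
    dir=$1
    baseline=$2
    current=$(mktemp)
    snapshot "$dir" > "$current"
    status=0
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }     # baseline entries
        {
            cur[$2] = $1
            if (!($2 in base))       { print "ADDED    " $2; n++ }
            else if (base[$2] != $1) { print "MODIFIED " $2; n++ }
        }
        END {
            for (f in base) if (!(f in cur)) { print "REMOVED  " f; n++ }
            exit (n > 0 ? 1 : 0)
        }' "$baseline" "$current") || status=$?
    rm -f "$current"
    [ -n "$report" ] && printf '%s\n' "$report" | LC_ALL=C sort
    return "$status"
}

# Cron usage as the post describes (assumed paths): run nightly, keep the
# report in a file, and mail it only when the check found something, e.g.
#   0 3 * * * /usr/local/sbin/integrity-check.sh /etc /mnt/cdrom/etc.baseline
# with the script's last lines being
#   out=$(mktemp); check_baseline "$1" "$2" > "$out" || mail -s "integrity: $(hostname)" root < "$out"
if [ "$#" -eq 2 ]; then
    check_baseline "$1" "$2"
fi
```

Take the baseline straight after installation and then, as the post says for Tripwire, once more right after a clean reboot, so that the files a reboot legitimately rewrites are already in the baseline before the first real audit.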
