As this tool is in beta I would recommend against using it, however with some age it should mature into a solid and useful tool. Port Sentry is available at: http://www.psionic.com/abacus/portsentry/.

Network based attack detection

NFR

NFR (Network Flight Recorder) is much more than a packet sniffer: it logs data and detects attacks, scans and so on in real time. This is a very powerful tool and requires a significant investment of time, energy and machine power to run, but it is at the top of the food chain for detection. NFR is available at: http://www.nfr.com/.

Packet sniffers

Packet sniffing is the practice of capturing network data not destined for your machine, typically for the purpose of viewing confidential/sensitive traffic such as telnet sessions or people reading their email. Unfortunately there is no real way to detect a packet sniffer since it is a passive activity; however, by utilizing network switches and fiber optic backbones (which are very difficult to tap) you can minimize the threat.

tcpdump

The granddaddy of packet sniffers for Linux, this tool has existed as long as I can remember, and is of primary use for debugging network problems. It is not very configurable and lacks the advanced features of newer packet sniffers, but it can be useful. Most distributions ship with tcpdump.

sniffit

My favorite packet sniffer, sniffit is very robust, has nice filtering capabilities, will convert data payloads into ASCII text for easy reading (like telnet sessions), and even has a graphical mode (nice for monitoring overall activity/connections). Sniffit is available at: http://sniffit.rug.ac.be/sniffit/sniffit.html.

Other sniffers

There are a variety of packet sniffers for Linux, based on the libpcap library among others; here is a short list:

http://www.mtco.com/~whoop/ksniff/ksniff.html - KSniff
http://ksniffer.veracity.nu/ - Ksniffer
http://mojo.calyx.net/~btx/karpski.html - karpski
http://www.ozemail.com.au/~peterhawkins/gnusniff.html - Gnusniff
http://elektra.porto.ucp.pt/snmpsniff/ - SNMP Sniffer

Virii, Trojan Horses, Worms, and Social Engineering

Linux is not susceptible to virii in the same ways that a Dos/Windows or Mac platform is. In UNIX security controls are a fundamental part of the operating system, things like not allowing users to write promiscuously to any location in memory that they choose to, something that Dos/Windows and the Mac allow. To be fair there are viruses for UNIX; however, the only Linux one I have seen was called "bliss", had an uninstall option ("--uninstall-please") and had to be run as root to be effective. Or to quote an old Unix favorite: "if you don't know what an executable does, don't run it as root". Worms are much more prevalent in the UNIX world, the first major occurrence being the Morris Internet worm, which exploited a vulnerability in sendmail. Current worms for Linux exploit broken versions of imapd, sendmail, WU-FTPD and other daemons; the simplest fix is to keep up to date, and not make daemons accessible unless necessary. These attacks can be very successful, especially if they find a network(s) that are not up to date, but typically their effectiveness fades out as people upgrade their daemons. In general I would not specifically worry about these two items, and there is definitely no need to buy anti-virus software for Linux.

Social engineering on the other hand can be very effective, as no matter how many safeguards, security probes and patches you apply, humans can provide a wonderfully weak link to exploit. Case in point:

A customer bet me I couldn't crash his NT server (the bet was pizza and beer). The main problem in attacking his NT server was I had no idea what its name or IP address was. Now I could have scanned the ISP's network using tools like ntinfosec, nbtstat and the like to look for likely netbios names; this would have taken several hours and annoyed the ISP's security officer (who I know quite well). The simplest solution was to ask the helpdesk. "Well you know I shouldn't be telling you this" and I was given his IP address after claiming I needed to fix the server. One mangled ping packet after business hours and I got my free pizza and beer.

"Hi this is Bob from the IT department, we need to reinitialize all the accounts so please change your password to "temporary"". You get the idea. This is by far one of the more difficult threats to protect against; the only real answer is user education, which doesn't work very well (case in point the Melissa macro virus: many users have been told not to open documents with macros yet they did).

Worms have a long and proud tradition in the UNIX world; by exploiting known security holes (generally, very few exploit new/unknown holes) and replicating they can quickly mangle a network(s). There are several worms currently making their way around Linux machines, mostly exploiting old Bind 4.x and old IMAP software; defeating them is as easy as keeping software up to date.

Trojan horses are also popular; recently ftp.win.tue.nl was broken into and the tcp_wrappers package (among others) was modified to email passwords to an anonymous account. This was detected when someone checked the PGP signature of the package and found that it wasn't quite kosher. Moral of the story? Use software from trusted sites, and check the PGP signature(s).

Disinfection of virii / worms / trojans

Back up your data, format and reinstall the system from known good media. Once an attacker has root on a Linux system they can literally do anything, from compromising gcc/egcs to loading interesting kernel modules at boot time.

Conducting baselines

One major oversight made by a lot of people when securing their machines is that they forget to create a baseline of the system, that is a profile of the system, its usage of resources, and so on in normal operation. For example something as simple as a "netstat -a -n > netstat-output" can give you a reference to later check against and see if any ports are open that should not be. Memory usage and disk usage are also good things to keep an eye on; a sudden surge in memory usage could result in the system being starved of resources, likewise for disk usage; it might be a user accident, a malicious user, or a worm program that has compromised your system and is now scanning other systems. Various tools exist to measure memory and disk usage: vmstat, free, df, du, all of which are covered by their respective man pages.

At the very minimum make a full system backup, and regularly back up config files and log files; this can also help you pinpoint when an intrusion occurred (user account "rewt" was added after the April 4th backup, but isn't in the March 20th backup). Once a system is compromised typically a "rootkit" is installed; these consist of trojaned binaries and are near impossible to remove safely, you are better off formatting the disk and starting from scratch. There is of course a notable exception to this rule: if you were diligent and used file/directory integrity tools such as tripwire you will be able to pinpoint the affected files easily and deal with them (unfortunately tripwire is no longer free). There is an alternative to tripwire however, L5, available at: ftp://avian.org/src/hacks/L5.tgz; unfortunately tripwire was turned over to a commercial company and is ridiculously expensive now. Another simple tool to use is diff; you can directly compare binary files (this is rather slow however), so given a known good backup you can find what is bad relatively quickly.

Conducting audits

So you've secured your machines, and done all the things that needed to be done
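The baseline idea from the "Conducting baselines" section above, carried through as an added example (this is not code from the guide or from any of the tools it names): it compares a saved "netstat -a -n" snapshot against a current one to report newly opened ports, and keeps a checksum manifest of a directory as a stand-in for tripwire/L5. The netstat output and the files are constructed sample data; the script assumes POSIX sh with awk, comm, diff, find and coreutils sha256sum available.

```sh
#!/bin/sh
# Added example (not code from the guide): baseline-and-compare for the two checks the
# text describes. Assumes POSIX sh with awk, comm, diff, find and coreutils sha256sum.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Open sockets from "netstat -a -n" output (layout: Proto Recv-Q Send-Q Local Foreign State).
# UDP rows have no State column, so every udp row counts as an open port.
listening_ports() {
    awk '$1 ~ /^udp/ || ($1 ~ /^tcp/ && $NF == "LISTEN") { print $1, $4 }' "$1" | sort -u
}

# Ports open in the current snapshot ($2) that were not open in the baseline ($1).
new_ports() {
    listening_ports "$1" > "$WORK/base.ports"
    listening_ports "$2" > "$WORK/cur.ports"
    comm -13 "$WORK/base.ports" "$WORK/cur.ports"   # lines only in the current snapshot
}

# Checksum manifest of every regular file under a directory, a poor man's tripwire/L5.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 )
}

# Files whose checksum differs from the saved manifest ($1), or were added/removed from $2.
changed_files() {
    make_manifest "$2" > "$WORK/now.manifest"
    { diff "$1" "$WORK/now.manifest" || :; } | awk '/^[<>]/ { print $3 }' | sort -u
}

# --- constructed sample input, not real captures ---
cat > "$WORK/netstat-baseline" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:41022          ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
EOF
# The "current" snapshot is the baseline plus one unexpected listener on port 2222.
{ cat "$WORK/netstat-baseline"
  echo 'tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN'; } > "$WORK/netstat-current"
mkdir "$WORK/bin"
printf 'original login\n' > "$WORK/bin/login"
printf 'original ls\n'    > "$WORK/bin/ls"
make_manifest "$WORK/bin" > "$WORK/manifest"      # taken while the system was known good
printf 'trojaned login\n' > "$WORK/bin/login"     # later tampering to be caught

echo "new listeners:"; new_ports "$WORK/netstat-baseline" "$WORK/netstat-current"
echo "changed files:"; changed_files "$WORK/manifest" "$WORK/bin"
```

On a real host you would save the netstat output and the manifest to read-only or offline media right after installation, since a rootkit on the same disk can rewrite both.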
