Saturday, June 18, 2011

10 simple ways in which you can secure your wireless network.

1. Change default administrator usernames and passwords
Most routers or access points come enabled with a default set of username/password combinations. These combinations are well documented and available online for hackers to use.
If a hacker can access your device's administrative pages they can modify the configuration and control all aspects of your device. These username/password combinations can be changed from the administrative panel and should be set to something difficult to guess.
Keep a password which is difficult to guess and not easy to crack. A good password is 8 characters long, not easily guessable, contains mixture of uppercase and lowercase letters as well as numbers and preferably contains special characters like $,*,%,!.
2. Turn on encryption
All wireless devices support some form of encryption. Encryption technology scrambles messages sent over the air and ensures that they cannot be intercepted by hackers. Several encryption technologies exist for wireless communication today.
WPA is the strongest commonly available encryption technology for home devices. While WEP can also be used cracking WEP is just a matter of few minutes.
We would advice corporates to go for WPA with EAP AuthenticationTKIP/RC4 Encryption or WPA 2 with EAP Authentication,AES-CCMP encryption for better security.
3. Change the default SSID
Access points and routers all use a network name called the SSID. Manufacturers normally ship their products with the same SSID set for all routers.
For example, the SSID for Netgear devices is normally 'NETGEAR'. The default SSID can be changed from the administrative panel and should be set to something unique.
4. Enable MAC Address filtering
Each wireless device possesses a unique identifier called the physical address or MAC address.
Access points and routers keep track of the MAC addresses for all devices that connect to them.
Wireless routers offer the option to key in the MAC addresses of your home equipment so as to restrict the network to only allow connections from those devices.
It ensures that rogue users cannot connect to the wireless router without using advanced MAC spoofing techniques.
5. Disable SSID Broadcast
The wireless access point or router typically broadcasts the network name (SSID) over the air at regular intervals. This feature was designed for businesses and mobile hotspots where wireless clients may roam in and out of range.
For the home user, this roaming feature is unnecessary, and it increases the likelihood someone will try to log in to your home network.
Fortunately, most wireless access points allow the SSID Broadcast feature to be disabled by the network administrator.
Your SSID name can be manually entered into your devices to prevent the need for SSID Broadcasts to be enabled.
6. Do not auto-connect to open wireless networks
Connecting to an open wireless network like a free wireless hotspot or your neighbour's router exposes your computer to security risks and attacks.
Although not normally enabled, most computers have a setting available allowing these connections to happen automatically without notifying the user. This setting should not be enabled except in temporary situations.
7. Assign static IP addresses to devices
Most home wireless devices use dynamic IP addressesDHCP technology is indeed easy to set up.
Unfortunately, this convenience also works to the advantage of network attackers, who can easily obtain valid IP addresses from your network's DHCP pool.
Turn off DHCP on the router or access point, set a fixed IP address range instead and then configure each connected device to match.
Using a private IP address range (like 10.0.0.x) prevents computers from being reached directly from the Internet.
8. Enable firewalls on each computer and router
Modern network routers contain built-in firewall capability, but the option also exists to disable them.
Ensure that your router's firewall is turned on. For extra protection, consider installing and running personal firewall software on each computer connected to the router.
9. Position the router or access point safely
Wireless signals normally reach to the exterior of a home. A small amount of signal leakage outdoors is not a problem, but the further this signal reaches, the easier it is for others to detect and exploit.
Wireless signals often reach through neighbouring houses and into streets.
When installing a wireless home network, the position of the access point or router determines its reach.
Try to position these devices near the centre of the home rather than near windows to minimise leakage.
Many routers allow you to reduce the range of your router from the administrative panel to prevent the signal leakage.
10. Turn off network during extended periods of non-use
The ultimate in wireless security measures, shutting down your network will most certainly prevent outside hackers from breaking in!
While impractical to turn off and on the devices frequently, at least consider doing so during travel or extended periods of downtime.

Best of Android in India – Phones, Tablets

There aren’t many tablets in the Indian market right now and Honeycomb has just landed. So, don’t expect much in that department. On the other hand, being one of the most important markets for smartphone manufacturers, India has been getting phones within a month or more of their International launch. Motorola has been the only manufacturer leaving out India – No Atrix or Xoom still in India, or other recent devices.
Best High-end Android Phones:
Samsung Galaxy S II: There is no second-thought about the fact that there is no other smartphone of this caliber currently in Indian market or will be launched in couple of weeks. So, if you have money and you want a seriously powerful Android smartphone – Galaxy S II is your baby. It will be on sale from June 9/10 in all major stores.
MRP:  INR 32,890 | Street Price: INR 30,500 (expected)
LG Optimus 2x: You want power of dual core processor, but don’t want to spend more than 30K for SGS2, or you simple find Galaxy S II too big – then don’t go too far LG Optimus 2x is your option. Sporting a powerful Tegra 2 processor, Optimus 2x is one of best Android devices available in market around the world.
MRP: INR 30,000 | Street Price: Around INR 26K
Nexus S: Don’t like software customizations, Nexus S is the best option for anyone looking for pure Android. You will always be the first ones to get Android updates and what else do you want.
MRP: INR 30,000 | Street Price: INR 25K
Other options for you: HTC Incredible S [INR 26K], Desire S[INR 23K], SE Xperia Arc[INR 27.5K], Samsung Galaxy S  [INR22K], HTC Desire HD, Dell Streak [INR 23K]
Best Mid-Level Android Phones:
Samsung Galaxy SLCD: A toned down Galaxy S variant, but still has the 1GHz processor in it and other specs are equally good. If you have a budget below 20K, look no further – this is your best bet.
Street Price: INR 19K
  • Acer Liquid Metal: Yes, Acer is also very much in Android arena, Liquid Metal packs style and power – both in one device. Android 2.2 is on-board, and we are expecting that company will update it to Gingerbread also.
MRP: INR 20,999 | Street Price: INR 20K
  • Samsung Galaxy Ace: For those of you looking for Android phone under 15K, Samsung Galaxy Ace is a good candidate.
Street Price: INR 14.5K
  • HTC Wildfire S: Recently launched in India, Wildfire S is the cheapest Android smartphone with Gingerbread on-board. Others specs are no less.
MRP: INR 14,700| Street Price: INR 13.5K
Other options in the segment: Motorola Defy
Best Entry Level Android Phones:
  • Dell XCD35
  • Samsung Galaxy Fit
  • LG Optimus One
Other options for you: Samsung Galaxy Pop, LG Optimus Me, Acer Liquid Mini, Huawei Ideos
Best Android Tablets in India:
Acer Iconia Tab A500: India’s first Honeycomb tablet, and the only option with it. Until other manufacturers launch their tablets in India, Iconia Tab A500 is your best bet. It has got everything that you will get in other tablets – dual core processor, 10 inch display, Honeycomb and more.
MRP: INR 27,990 | Street Price: INR 27K
Other options: Samsung Galaxy Tab [INR 24.5K], Adam, OlivePad, HCL ME Tablet AM7-A1,ViewPad 7

Installing and configuring FTP server

A. Installing FTP server
#yum install vsftpd
#rpm -qa|grep -i vsftpd
#rpm -ql vsftpd
B. Allow anonymous upload files
Task: allow anonymous upload file to incoming/, but could NOT download or list files from the directory.
#mkdir -p /var/ftp/incoming
#chown root.ftp /var/ftp/incoming
#chmod 730 /var/ftp/incoming
#ls -ld /var/ftp/incoming/
drwx-wx--- 2 root ftp 4096 Nov 1 03:34 /var/ftp/incoming/
Note: this results that ftp group users can ONLY upload(write) to the incoming/ folder, but could NOT list the contents of this directory or even download from it.
#vi /etc/vsftpd/vsftpd.conf
anonymous_enable=YES    # By default, YES
anon_upload_enable=YES    # Allowanonymous to upload files (by default NO)
chown_uploads=YES    # Allowed to change owner of the uploaded files from "ftp" or "anonymous" to other users
chown_username=daemon    # Change owner of the uploaded file to "daemon"
anon_umask=077    # i.e. the uploaded files with permission of 600 ( rw-------); in other means, anonymous user can NOT upload the same file twice
#service vsftpd restart
C. Testing
On FTP server:
#touch /var/ftp/incoming/
#touch /var/ftp/pub/
On FTP client:
#touch client.upload
Name:ftp (or anonymous)
Password: (empty)
257 "/"
* Change-rooted directory: /var/ftp
drwx-wx---    2 0        50           4096 Dec 10 05:06 incoming
drwxr-xr-x    2 0        0            4096 Dec 10 05:09 pub
ftp>cd incoming
257 "/incoming"
150 Here comes the directory listing.
226 Transfer done (but failed to open directory).
* Could NOT list contents of this folder.
ftp>put client.upload
150 Ok to send data.
226 File receive OK.
* Upload successfully to incoming/.
ftp>put client.upload
553 Could not create file.
* Could NOT upload the same file twice in incoming/.
ftp>get client.upload
550 Failed to open file.
* Could NOT download files from incoming/, even the files uploaded by the anonymous user itself.
ftp>cd ..
ftp>cd pub
257 "/pub"
150 Here comes the directory listing.
-rw-r--r--    1 0        0               0 Dec 10 05:19
226 Directory send OK.
* Can list contents of pub/
ftp>put client.upload
553 Could not create file.
* Could NOT upload file to pub/
226 File send OK.
* Can download file from pub/

SSH Hardening

One of the most common uses of remote management in the Linux world is SSH. In another post I talked about setting up an SSH server including a few tweaks to make it more secure. Today though I want to talk about SSH Hardening. Being that it is the most common way into a system it is important that you take the time to harden the service and review any log messages that may be produced. The first thing to look at when hardening SSH is the server's config file which can be found at /etc/ssh/sshd_config.

Lets look at a few options that should be changed in config file:

# Disallow users to forward ports from the server
AllowTcpForwarding no
# Explicitly allow only the follow users
# The root user should never be able to log in remotely
DenyUsers root
DenyGroup root
PermitRootLogin no
# Don't read the rhosts file of clients
IgnoreRhosts yes
# Display a banner for users
Banner /etc/ssh_banner # You must create /etc/ssh_banner if it doesn't exist
# Send info to the syslog service
LogLevel INFO
# Don't allow anyone to log in without a password
PermitEmptyPasswords no
# Enforce using the more secure protocol (v2)
Protocol 2
# Don't allow X11 to forward anything
X11Forwarding no
# Change the default port to listen on
Port 222

This is a good set of options to configure your sshd_config file with to make the SSH service more secure. On top of locking down the service itself however there are other steps we can take to ensure more security for SSH. We can setup TCP Wrappers to only allow particular hosts or subnets to be able to access the SSH server remotely. The following assumes that I'm only allowing connections from the 172.168.1.x /24 network:

echo "sshd: 172.168.1." >> /etc/hosts.allow
echo "ALL: ALL" >> /etc/hosts.deny

This will allow all clients within the 172.168.1.x subnet to connect into the SSH server (provided they have a valid user account), and it will disallow anything else. One mistake that some people make is assuming this is a firewall, it is not! Conveniently the next topic to touch on is iptables however. For those that prefer the GUI interface there are dozens of utilities that interface with iptables to configure ports and services. Essentially you are going to need to create a rule which allows access to whatever port you have defined the SSH service to run on (port 222 for the example given above). For those following this guide and the command line oriented:

# -A RH-Firewall-1-INPUT -s -m state --state NEW -p tcp --dport 222 -j ACCEPT

At this point you should be all set with the hardening for SSH. You will want to restart the iptables service and the SSH service so that all the new settings take effect, and then test out your connections.

# service iptables restart
# service sshd restart

Below is just a sample sshd_config file to show what it looks like with all the changes made. Most sshd_config files will be longer and have more options to set or choose from. Check the official documentation for a full list of options.

### Sample sshd_config File ###

# General Options
Port 222
Protocol 2
AllowTcpForwarding no
Banner /etc/ssh_banner
IgnoreRhosts yes
X11Forwarding no

# Logging
SyslogFacility AUTHPRIV
LogLevel INFO

# Authentication
PermitEmptyPasswords no
DenyUsers root
DenyGroups root
PermitRootLogin no
AllowUsers jsmith
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# Accept locale-related environment variables

In a separate post we will talk about the use of public/private keys with SSH making the service even more secure and for home users, easier.

Previously we looked at ways to harden the SSH service and reviewed a number of options that can be used in the config file. Here we are going to look at public and private keys to make the SSH service more secure and possibly easier to use. With key authentication users will have a private key (on their local client machines) and a private key (on the server which they want to connect to). When the user goes to log into the server the two keys are used (with an optional passphrase) to allow the user to log in. There are a few steps involved with settings this up, and most importantly is knowing where the keys will be located:

~/.ssh/ -> is the location on the client machine where the private key is located
~/.ssh/authorized_keys -> is the location on the server where the public key is located

Lets look at the steps for setting up key authentication. Login to your client machine and execute the following:

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/tc_user/.ssh/id_rsa): [Press Enter]
Created directory '/home/tc_user/.ssh'.
Enter passphrase (empty for no passphrase): [Enter a STRONG password]
Enter same passphrase again:
Your identification has been saved in /home/tc_user/.ssh/id_rsa.
Your public key has been saved in /home/tc_user/.ssh/
The key fingerprint is:
8f:a2:03:e9:5b:df:52:a4:8d:80:ad:3b:50:01:7e:23 tc_user@localhost.localdomain

Here you can see both the private and public key being generated. You should cd over into ~/.ssh and use ls -l to check and make sure that you are the only user that has read/write access to your private key.

$ cd ~/.ssh
$ ls -l
total 8
-rw------- 1 tc_user tc_user 1743 Apr  8 10:32 id_rsa
-rw-r--r-- 1 tc_user tc_user  411 Apr  8 10:32 
Now that your private key is in place and secured from other users viewing it you will need to take your public key and give it to your system admin. We are going to assume that you are the admin, so you will take the public key of the user and copy the contents of it into the users account on the server under the authorized_keys file. You should also secure this file:

$ cat ./ >> /home/tc_user/.ssh/authorized_keys
$ chmod 600 /home/tc_user/.ssh/authorized_keys

There is one final change that you should make on the server. In the /etc/ssh/sshd_config file change the following two options:

PasswordAuthentication no
PubKeyAuthentication yes

This will prevent users from logging on with anything but their public/private key combination. Reload the SSH server for the settings to take effect. Now you should be all set! Assuming that you are not currently logged into the server remotely, go ahead and log in. You should now be asked for a passphrase (which pertains to your password created above and not your system password).

Command line:
$ ssh -i /home/tc_user/.ssh/id_rsa tc_user@ssh_server_ip

Under Connection -> SSH -> Auth specify the private key file and then login normally

In one more post we will look at a final program that can be used to take hardening the SSH service one step further.

The /proc Filesystem

Most of the /proc filesystem is read only, however there are some directories and files like /proc/sys which can be edited to modify the kernel.  Lets look into each area of the /proc filesystem.

/proc/apm -> used for checking the battery status and gaining information about a system's battery

/proc/buddyinfo -> used to diagnose fragmentation issues in memory

/proc/cmdline -> parameters that were passed to the kernel during boot

/proc/cpuinfo -> identifies the CPU and information about it on the system

/proc/crypto -> lists all installed cryptographic ciphers used by the kernel

/proc/devices -> displays information on various character and block devices

/proc/dma -> contains a list of registered ISA DMA channels

/proc/fb -> contains a list of frame buffer devices

/proc/filesystems -> shows a list of file system types that are currently supported by the kernel

/proc/interrupts -> lists the number of interrupts per IRQ

/proc/iomem -> shows a current map of the system's memory for each physical device

/proc/ioports -> contains a list of currently registered port regions

/proc/loadvg -> contains load average of the CPU and IO over time, as well as the number of running processes

/proc/mdstat -> contains information about multi-disk RAID configurations

/proc/meminfo -> contains information about memory usage on the system

/proc/modules -> contains the modules currently loaded into the kernel

/proc/mounts -> contains a list of all mounts in use by the system (similar to /etc/mtab)

/proc/partitions -> contains partition block allocation information

/proc/pci -> lists all pci devices on the system, use /sbin/lspci -vb for a more readable version

/proc/slabinfo -> detailed information about system memory

/proc/stat -> information about the system since last reboot

/proc/swaps -> shows swap space and utilization

/proc/uptime -> shows amount of time system has been up (uptime command is better)

/proc/version -> shows kernel version information as well as gcc

These are just some of the files contained in the /proc directory which provide information useful for troubleshooting and maintanence.  There are also a number of directories listed in the /proc directory which are numbered.  These numbers represent the process ID (PID) of different programs and stores the information of them within these directories.

$ ls -l | grep apache

dr-xr-xr-x 5 apache apache 0 Feb 23 09:54 4427
dr-xr-xr-x 5 apache apache 0 Feb 23 09:54 4324
dr-xr-xr-x 5 apache apache 0 Feb 23 09:54 4387
dr-xr-xr-x 5 apache apache 0 Feb 23 09:54 4426
dr-xr-xr-x 5 apache apache 0 Feb 23 09:54 4427

You can see from the example that these directories are owned by the apache process and the folders are numbered after the processes running them.  This makes it easier for troubleshooting to hunt down information about particular processes.  There are a few other directories worth noting in the /proc filesystem as well.

/proc/bus -> this directory contains information relating to the various buses available on the system
/proc/driver -> contains information relating to drivers in use by the kernel
/proc/fs -> this directory shows which file systems are exported if an NFS server is running
/proc/ide -> this directory contains information about each IDE device, each channel has a directory
/proc/irq -> each IRQ has its own directory which contains configuration for each IRQ
/proc/net -> provides details about system networking including parameters and statistics
/proc/scsi -> same as /proc/ide but for SCSI drives
/proc/sys -> this directory is unique in that it allows you to tune the kernel and its features
/proc/sys/dev -> contains parameters for particular devices
/proc/sys/fs -> contains information relating to filesystem parameters and features

The one particular directory to note here is the /proc/sys directory.  This directory contains files that can be used to tune the kernel in its running state.  You can use the echo command to insert changes into the different files and change the paremeter of the kernel, however note that a reboot to the system will restore any changes made with the echo command.  An easy way to see which files can be modifed is to use the ls -l command and look for the 'w' write access to the particular file.  There is another command sysctl which can be used in place of directing echo output to files.  The sysctl command will also change parameters in the kernel.  In order for the changes to be permanent you must edit them in the /etc/sysctl.conf file which is executed during system boot.  This would be used more after testing is done with the echo command to tune the kernel the way you want.  You shouldn't try to memorize all the locations and files in the /proc directory.  An administrator should have an understanding of where the files are and an idea of what they do in order to troubleshoot or tune their system.  There are also other utilities including lspci, top, free, apm, lsusb, and other which can produce the same output of many of the /proc files.

System Notes Security Tools

Major Security Sites for Information and Tools

COAST Archive
Axent – Raptor
Risks Forum Digest
Forum of Incident Response and Security Teams

Description: Remote network security auditor, the client The Nessus Security Scanner is a security auditing tool. It makes possible to test security modules in an attempt to find vulnerable spots that should be fixed. . It is made up of two parts: a server, and a client. The server/daemon, nessusd, is in charge of the attacks, whereas the client, nessus, interferes with the user through nice X11/GTK+ interface. . This package contains the GTK+ 1.2 client, which exists in other forms and on other platforms, too.

NetcatTCP or UDP protocol. It is designed to be a reliable “back-end” tool that can be used directly or easily driven by other programs and scripts. At the same time it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

Description: A powerful tool for network monitoring and data acquisition This program allows you to dump the traffic on a network. It can be used to print out the headers of packets on a network interface that matches a given expression. You can use this tool to track down network problems, to detect “ping attacks” or to monitor the network activities.

Description: flexible packet sniffer/logger that detects attacks Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGIattacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate “alert” file, or even to a Windows computer via Samba.

Description: SAINT (Security Administrator’s Integrated Network Tool) is a security assesment tool based on SATAN. Features include scanning through a firewall, updated security checks fromCERT & CIAC bulletins, 4 levels of severity (red, yellow, brown, & green) and a feature rich HTMLinterface.

Description: Network traffic analyzer Ethereal is a network traffic analyzer, or “sniffer”, for Unix and Unix-like operating systems. It uses GTK+, a graphical user interface library, and libpcap, a packet capture and filtering library.

Description: Rain.Forest.Puppy’s excellent CGI vulnerability scanner

Internet Security
Note: This tool costs significant $$$ to use, and does not come with source code.
Description: A popular commercial network security scanner.

Abacus Portsentry
Description: Portscan detection daemon PortSentry has the ability to detect portscans(including stealth scans) on the network interfaces of your machine. Upon alarm it can block the attacker via hosts.deny, dropped route or firewall rule. It is part of the Abacus program suite. . Note: If you have no idea what a port/stealth scan is, I’d recommend to have a look at before installing this package. Otherwise you might easily block hosts you’d better not(e.g. your NFS-server, name-server, ...).

Note: Depending on usage, this tool may have expensive licensing feesassociated with it.
Description: A file and directory integrity checker. Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner.

Cybercop Scanner
Note: This tool costs significant $$$ to use, and does not come with source code. A powerful demo version is available for testing.
Description: Another popular commercial scanner

Description: hping2 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies. It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping2, you can: test firewall rules, perform [spoofed] port scanning, test net performance using different protocols, packet size, TOS (type of service), and fragmentation, do path MTU discovery, tranfer files (even between really Fascist firewall rules), perform traceroute-like actions under different protocols, fingerprint remote OSs, audit a TCP/IP stack, etc. hping2 is a good tool for learning TCP/IP.

Description: The Security Auditor’s Research Assistant (SARA) is a third generation security analysis tool that is based on the SATAN model which is covered by the GNU GPL-like open license. It is fostering a collaborative environment and is updated periodically to address latest threats.

SniffitTCP/UDP/ICMP packets. sniffit is able to give you very detailed technical info on these packets (SEC, ACK, TTL, Window, ...) but also packet contents in different formats (hex or plain text, etc. ).

Description: Security Auditing Tool for Analysing Networks This is a powerful tool for analyzing networks for vulnerabilities created for sysadmins that cannot keep a constant look at bugtraq, rootshell and the like.

Description: IP Filter is a TCP/IP packet filter, suitable for use in a firewall environment. To use, it can either be used as a loadable kernel module orincorporated into your UNIX kernel; use as a loadable kernel module where possible is highly recommended. Scripts are provided to install and patch system files, as required.

Description: IP packet filter administration for 2.4.X kernels Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. The iptables tool also supports configuration of dynamic and static network address translation.

Description: Firewalking is a technique developed by MDS and DHG that employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. Firewalk the tool employs the technique to determine the filter rules in place on a packet forwarding device. The newest version of the tool, firewalk/GTK introduces the option of using a graphical interface and a few bug fixes.

Description: A “Classic” high-speed TCP port scanner

L0pht Crack
Note: No source code is included (except in research version) and their is a $100 registration fee.
Description: L0phtCrack is an NT password auditting tool. It willcompute NT user passwords from the cryptographic hashes that are stored by the NT operation system. L0phtcrack can obtain the hashes through many sources (file, network sniffing, registry, etc) and it has numerous methods of generating password guesses (dictionary, brute force, etc).

John The Ripper
Description: An active password cracking tool john, normally called john the ripper, is a tool to find weak passwords of your users.

Description: Advanced packet sniffer and connection intrusion. Hunt is a program for intruding into a connection, watching it and resetting it. . Note that hunt is operating on Ethernet and is best used for connections which can be watched through it. However, it is possible to do something even for hosts on another segments or hosts that are on switched ports.

Note: The version cost money for some uses, but source code is available.
Description: Secure rlogin/rsh/rcp replacement (OpenSSH) OpenSSH is derived from OpenBSD’s version of ssh, which was in turn derived from ssh code from before the time when ssh’s license was changed to be non-free. Ssh (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. It is intended as a replacement for rlogin, rsh and rcp, and can be used to provide rdist, and rsync with a secure communication channel.

tcp wrappers
Description: Wietse Venema’s TCP wrappers library Wietse Venema’s network logger, also known as TCPD or LOG_TCP. . These programs log the client host name of incoming telnet, ftp, rsh, rlogin, finger etc. requests. Security options are: access control per host, domain and/or service; detection of host name spoofing or host address spoofing; booby traps to implement an early-warning system.

Description: display network usage in top-like format ntop is a Network Top program. It displays a summary of network usage by machines on your network in a format reminicent of the unix top utility. . It can also be run in web mode, which allows the display to be browsed with a web browser.

Description: These are utilities that virtually all UNIX boxes already have. In fact, even Windows NT has them ( but the traceroute command is called tracert ).

NAT (NetBIOS Auditing Tool)
Note: This is an unofficial download site.
Description: The NetBIOS Auditing Tool (NAT) is designed to explorethe NETBIOS file-sharing services offered by the target system. It implements a stepwise approach to gather information and attempt to obtain file system-level access as though it were a legitimate local client.

Description: A portscan detecting tool Scanlogd is a daemon written by Solar Designer to detect portscan attacks on your maschine.

Sam Spade
Description: Online tools for investigating IP addresses and tracking down spammers.

Note: Source code was once freely available but I do not know if this is still the case. Some usage may cost money.
Description: A commercial sniffing application for creating intrusiondetection systems. Source code was at one time available, but I do not know if that is still the case.

Description: Mails anomalies in the system logfiles to the administrator Logcheck is part of the Abacus Project of security tools. It is a program created to help in the processing of UNIX system logfiles generated by the various Abacus Project tools, system daemons, Wietse Venema’s TCPWrapper and Log Daemon packages, and the Firewall Toolkit� by Trusted Information Systems Inc.(TIS). . Logcheck helps spot problems and security violations in your logfiles automatically and will send the results to you in e-mail. This program is free to use at any site. Please read the disclaimer before you use any of this software.

Description: A very powerful scripting language which is often used to create “exploits” for the purpose of verifying security vulnerabilities. Of course, it is also used for all sorts of other things.

Description: grep for network traffic ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

Description: A GTK based network “swiss-army-knife” Cheops gives a simple interface to most network utilities, maps local or remote networks and can show OS types of the machines on the network.

Description: Vetescan is a bulk vulnerability scanner which contains programs to check for and/or exploit many remote network security exploits that are known for Windows or UNIX. It includes various programs for doing different kinds of scanning. Fixes for vulnerablities are included along with the exploits.

Note: Commercial product with no source code available. A demo binary is available for testing.
Description: A commercial security scanner by the great guys at eeye.

Description: Routines for the construction and handling of network packets. libnet provides a portable framework for low-level network packet writing and handling. . Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary functionality. Still in it’s infancy however, the library is evolving quite a bit. Additional functionality and stability are added with each release. . Using libnet, quick and simple packet assembly applications can be whipped up with little effort. With a bit more time, more complex programs can be written (Traceroute and ping were easily rewritten using libnet and libpcap).

Crack / LibcrackCerberus Internet Scanner
Description: CIS is a free security scanner written and maintained by Cerberus Information Security, Ltd and is designed to help administrators locate and fix security holes in their computer systems. Runs on Windows NT or 2000. No source code is provided.

SwatchUNIX syslog utility. It has multiple methods of alarming, both visually and by triggering events. The perfect tools for a master loghost. This is a beta release of version 3.0, so please use it with caution. The code is still slightly ahead of the documentation, but examples exist. NOTE: Works flawlessly on Linux (RH5),BSDI and Solaris 2.6 (patched).

Description: The OpenBSD project produces a FREE, multi-platform 4.4BSD-based UNIX-like operating system. Our efforts place emphasis on portability, standardization, correctness, security, and cryptography. OpenBSD supports binary emulation of most programs from SVR4(Solaris), FreeBSD, Linux, BSDI, SunOS, and HPUX.

Description: The Nemesis Project is designed to be acommandline-based, portable human IP stack for UNIX/Linux. The suite is broken down by protocol, and should allow for useful scripting of injected packet streams from simple shell scripts.

Description: List open files. Lsof is a Unix-specific diagnostic tool. Its name stands for LiSt Open Files, and it does just that. It lists information about any files that are open by processes current running on the system. The binary is specific to kernel version 2.2

Description: The LIDS is an intrusion detection/defense system inLinux kernel. The goal is to protect linux systems against root intrusions, by disabling some system calls in the kernel itself. As you sometimes need to administrate the system, you can disable LIDS protection.

Description: Interactive Colorful IP LAN Monitor IPTraf is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others. . Note that since 2.0.0 IPTraf requires a kernel >= 2.2

Description: iplog is a TCP/IP traffic logger. Currently, it is capable of logging TCP, UDP andICMP traffic. iplog 2.0 is a complete re-write of iplog 1.x, resulting in greater portability and better performance. iplog 2.0 contains all the features of iplog 1.x as well as several new ones. Major new features include a packet filter and detection of more scans and attacks. It currently runs on Linux, FreeBSD, OpenBSD, BSDI and Solaris. Ports to other systems, as well as any contributions at all, are welcome at this time.

Description: Fragrouter is aimed at testing the correctness of a NIDS,according to the specificTCP/IP attacks listed in the Secure Networks NIDS evasion paper. [2] Other NIDS evasion toolkits which implement these attacks are in circulation among hackers or publically available, and it is assumed that they are currently being used to bypass NIDSs

Note: A couple of the OS detection tests in Queso were later incorporated into Nmap. A paper we wrote on OS detection is available here.
Description: Guess the operating system of a remote machine by looking in the TCP replies.

Description: The GNU Privacy Guard (GnuPG) is a complete and free replacement for PGP, developed in Europe. Because it does not use IDEA or RSA it can be used without any restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application. PGP is the famous encryption program which helps secure your data from eavesdroppers and other risks.