freeware security tools you need l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Freeware Security Tools You Need PowerPoint Presentation
Download Presentation
Freeware Security Tools You Need

Loading in 2 Seconds...

play fullscreen
1 / 119

Freeware Security Tools You Need - PowerPoint PPT Presentation


  • 92 Views
  • Uploaded on

Freeware Security Tools You Need. Randy Marchany VA Tech Computing Center Blacksburg, VA 24060 Marchany@vt.edu 540-231-9523. Suggested Strategy. Use freeware tools to gain experience with your system/network environment.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Freeware Security Tools You Need' - zoie


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
freeware security tools you need

Freeware Security Tools You Need

Randy Marchany

VA Tech Computing Center

Blacksburg, VA 24060

Marchany@vt.edu

540-231-9523

suggested strategy
Suggested Strategy
  • Use freeware tools to gain experience with your system/network environment.
  • Gain experience with the features provided by these tools in order to better analyze a vendor tool.
  • Freeware tools provide a good short-term solution.
  • Vendor tools may provide better long-term solution.
the tools
The Tools
  • Audit/Port Scanning Tools
    • Nessus
    • Saint
    • Sara
    • Nmap, strobe
    • Tripwire, AIDE
  • “Personal” Firewall
    • TCP Wrappers
    • Portsentry,ipfilters
    • ZoneAlarm, BlackIce, NeoWorks
the tools4
The Tools
  • Syslog Scanners
    • Logcheck
  • Sniffers
    • Snoop, iptrace, tcpdump
    • Netwatch (NT)
    • Snort
the tools5
The Tools
  • Sysadmin Tools
    • Big Brother
    • Password Checkers
      • Crack, nt-crack, l0phtcrack,npasswd, passwd+
    • Lsof, inzider (NT)
    • Sudo (unix)
  • Remote Control Tools
    • VNCviewer
  • Homegrown Tools
    • Network Mgt Tools that can be used for Incident Response
audit port scan tools
Audit/Port Scan Tools
  • These tools can be used to scan your systems and network for vulnerabilities.
  • Some tools can perform integrity checks on designated files.
  • They have very good reporting tools usually based on HTML.
nessus
Nessus
  • Available from www.nessus.org
  • Best of the scanning tools
  • Easy to build for Linux, harder for Solaris, need to work on other OS.
  • Requires GNU tools
  • Provides HTML based reports
  • Has distributed architecture: clients (Windows, Unix) & engines (Unix only)
nessus building it
Nessus – Building It
  • Linux
    • Download the RPMs
    • Add nessus user
    • Start up nessusd daemon
    • Start up nessus client
    • Start testing
nessus pros con
Nessus – Pros/Con
  • Pro
    • Easy to install if you have linux
    • Most comprehensive tests for your money
  • Con
    • Not that easy to understand at first
    • Non-linux builds require GNU software
    • Some inconsistency in quality of checks
    • Must use Unix server for specific user accounts
saint
SAINT
  • Based on SATAN, developed by World Wide Security, Inc. (www.wwdsi.com)
  • Security Administrator’s Integrated Network Tool
    • Gathers info on remote hosts/nets
    • Looks at finger, NFS, NIS, ftp, tftp, rexd, statd
    • Can run heavy, moderate or light probes on targets.
  • Will check for the SANS Top 10 Threats
slide25
SARA
  • Security Auditor’s Research Assistant
    • www.www-arc.com/sara
  • Checks for SANS Top 10 Threats
  • Does Unix/Windows vulnerability tests
  • Has CVE dictionary support
  • Search engine for post audit analysis
  • Has a Report Writer
port scanning tools
Port Scanning Tools
  • Strobe was one of the earliest port scanning tools.
    • Available from ciac.llnl.gov
  • Nmap is the more sophisticated grandson of strobe
    • Available from www.insecure.org
tripwire
Tripwire
  • Available from www.tripwire.com
  • First of the file integrity checkers
  • Unix and NT versions available
    • Network capable versions available
  • Academic version is free. Commercial and NT versions are not.
  • Useful in finding trojan programs
tripwire34
Tripwire
  • Generates a “signature” for each file based on checksums and other characteristics.
  • These signatures are stored in a database file that should be kept offline.
  • This is the baseline.
  • Latest threat involves dynamic exec redirection. This is part of the newer Kernel Module Rootkits.
tripwire35
Tripwire
  • List of files to check: tw.config
    • All files in a directory will be checked.
    • Can prune directories from the check step.
    • Can examine just the directory and nothing else.
    • Can check by access time but not recommended since you’ll get a report of everything that changed. Everything!
tripwire36
Tripwire
  • To initialize the DB: tripwire –initialize
  • Update DB interactively: tripwire -interactive
  • Non-interactive DB update: tripwire – update <FN>
tripwire37
Tripwire
  • Security Issues
    • Need to protect the DB
    • Need to protect the vulnerable executables
  • Advantages
    • Simple interface, good choice of crypto hash functions, good all-around tool
  • Disadvantages
    • Kernel mod attacks, initial tw.config takes some time to customize, NT version is good but costs $$$, no network security
personal firewall tools
Personal Firewall Tools
  • These tools monitor connection attempts to your system and give you the option of allowing or denying the access
  • They log the connection attempt to standard log files
  • More valuable than real Firewall, IMHO.
portsentry tcp wrappers
Portsentry/TCP Wrappers
  • Available from www.psionic.com
  • TCP Wrappers available from ciac.llnl.gov and a ton of other sites
  • Any host that scans a list of “banned” ports is placed in an /etc/hosts.deny file
  • Need TCP Wrappers installed on the machine
    • Tcpwrappers logs attempts to connect to services
tcp wrappers
TCP Wrappers
  • Everyone should buy Wietse Venema dinner for writing this tool. 
  • Purpose
    • Log network connections to a system
    • Allow you to filter who connects to the system
  • Needs an inetd-like program to act as the dispatcher of network services
tcp wrappers features
TCP Wrappers Features
  • Allows you to monitor/filter incoming requests for SYSTAT, FINGER, FTP, TELNET, R-Commands, TFTP, TALK and other network services.
  • Provides access control to restrict what systems connect to what network daemons.
  • Provides some protection from host spoofing
tcp wrapper installation
TCP Wrapper Installation
  • Easy to do
  • “Advanced Installation” easier than “Easy Installation” IMHO
  • Install done by Makefile
    • make <os-type>
  • Creates 5 modules that are ready to use.
tcp wrappers44
TCP Wrappers
  • 4 components
    • Tcpd – the actual wrapper program
    • Tcpdmatch, tcpdchk – ACL testing programs
    • Try-from – tests host lookup function
    • Safe-finger – a better version of finger
  • Logs hostname, IP address and username (identd if possible) via syslog facility. Typically, it logs to the mail facility logs
  • Change this by editing Makefile:
    • FACILITY=LOG_AUTH
    • FACILITY=LOG_WARN
tcp wrappers45
TCP Wrappers
  • Access Control is enabled by default.
  • 2 files
    • /etc/hosts.deny – restrict access if IP addr here
    • /etc/hosts.allow – allow access if IP addr here
      • Can restrict to username@host if services are enabled
  • Reverse lookup is done. Paranoid selection terminates the connection immediately if there’s a mismatch.
  • Set KILL_IP_OPTIONS in Makefile to refuse connections that use source routing. This prevents IP spoofing although your routers should do this.
tcp wrappers46
TCP Wrappers
  • IDENT service
    • Remote username lookup required remote host to run ident (RFC 1413) protocol.
    • Works only for TCP not UDP
  • Limitations
    • TCP – checks the 1st connection for each instance of the daemon
    • UDP – 1st datagram only for the service
    • RPC/TCP – no checking since portmapper does this.
tcp wrappers47
TCP Wrappers
  • Advantages
    • Logs and applies access controls to remote connections
    • Lets you define which daemons are wrapped
    • Does good reverse lookup on hosts
  • Disadvantages
    • Ident service not reliable
    • Only looks at network daemons spawned by inetd
    • Doesn’t wrap ALL services (RPC)
    • Could give a false sense of security
portsentry
Portsentry
  • Available from www.psionic.com
  • Monitors ports and performs an action when an attempt to access the port is made.
  • Usually access is denied to the probing systems.
  • Monitors TCP and UDP traffic. A little more flexible than TCP Wrappers
portsentry configuration files
Portsentry Configuration Files
  • Portsentry.conf contains the list of ports to be monitored.
  • 3 levels of paranoia 
ip filter
IP Filter
  • Software package that can do NAT or basic firewall services.
  • Designed to be used as a loadable kernel module but can be incorporated into a Unix kernel
  • Can be configured to do IP Accounting (count # bytes), IP Filtering or IP authentication or NAT.
  • http://coombs.anu.edu.au/~avalon/ip-filter.html
ip filter52
IP Filter
  • Can explicitly allow/deny any packet.
  • Distinguishes between multiple interfaces.
  • Filters by IP network, hosts or protocol.
  • Filters by port number or port range.
  • Logs the following:
    • TCP/UDP/ICMP/IP packet headers
    • First 128 bytes
    • Pass or blocked status
ip filter53
IP Filter
  • Statistics collected include:
    • Packets blocked
    • Packets used for accounting (packet count)
    • Packets passed
    • Packets logged
    • Inbound/outbound packet information
ip filter log format
IP Filter Log Format

Jul 30 01:46:52 myhost.vt.edu ipmon[147]: [ID 702911local0.warning] 01:46:52.196772 hme0 @0:5 b 194.143.66.126,21 ->198.82.255.255,21 PR tcp len 20 40 -S IN

Jul 30 01:47:03 myhost.vt.edu ipmon[147]: [ID 702911local0.warning] 01:47:03.269595 hme0 @0:5 b 194.143.66.126,21 ->198.82.255.255,21 PR tcp len 20 40 -S IN

Jul 30 05:53:51 myhost.vt.edu ipmon[147]: [ID 702911local0.warning] 05:53:50.699235 hme0 @0:5 b 203.90.84.163,1781 ->198.82.255.255,21 PR tcp len 20 60 -S IN

logcheck
Logcheck
  • Available from www.psionic.com
  • Syslog keyword scanner
  • When it matches something, it does something
    • Send email
    • Page someone
    • Run a command
slide57

logcheck.violations

These keywords denote a

problem and are flagged by

logcheck.

slide58

logcheck.ignore

Phrases listed in this file

are ignored by the

logcheck program.

slide59

logcheck.hacking

Keywords in this file indicate

an attack is taking place

zone alarm
Zone Alarm
  • Available from www.zonelabs.com
  • Not quite free
  • Client based, application level firewall
  • Designed to prevent unauthorized sending and receiving of packets to your workstation
  • Good defense against trojans
basic installation steps
Basic Installation Steps
  • The following steps were developed by Marc Debonis for our site.
    • Download latest version from http://www.zonelabs.com
    • Run the installer, zonealarm.exe
    • Click Next, click Next
    • Enter name, company and email (can be invalid)
    • Uncheck both boxes
    • Click Next , click next, click finish, click start
    • Check “don’t show this message again” box
    • Click OK and reboot if necessary
    • Zone Alarm is installed
configuring zone alarm
Configuring Zone Alarm
  • ZA requires you authorize each & every application that attempts to send receive information to/from your network connection.
  • Default is BLOCK. This pops up a window asking what to do
basic setup
Basic Setup
  • Click the arrow in ZA box that points down and to the right
  • Click the security button
  • Verify local security is set to MEDIUM
  • Verify internet security is set to HIGH
  • Click the advanced button
  • Do NOT put a checkmark next to your adapter, OW, all machines in your subnet will be considered to be in your local zone
  • Click OK
black ice defender
Black Ice Defender
  • Available from www.networkice.com
  • Workstation Version
    • End-user PC with a single connection
    • Tuned for common attacks to workstations
  • Server Version
    • Additional NT and W2K attacks signatures
  • IcePac Suite allows multiple agents to be managed from a single host. Can install agents remotely.
  • Not quite free 
neowatch
NeoWatch
  • Available from www.neoworx.com
  • Another Personal FW type tool for Windows systems.
  • Does traceback to the originating site.
  • Similar features as Zone Alarm and Black Ice Defender
  • Can send data to a central site.
  • Not quite Free  $39.95. Trial version is free for 30 days
sniffers snoop iptrace tcpdump snort
Sniffers: snoop, iptrace, tcpdump, snort
  • Some systems have builtin sniffers
    • Solaris - snoop
    • AIX - iptrace
    • Linux - tcpdump
    • NT/2000 - netwatch
  • Tcpdump is the generic sniffer for those systems with no builtin sniffer
big brother
Big Brother
  • Web based system and network monitor
  • Client server model
    • Clients run on the systems you want to monitor
    • Simple shell scripts that monitor different aspects of your system and network
  • What can it check?
    • Disk space, CPU Utilization, critical processes, weather parameters, building monitors
big brother78
Big Brother
  • Color coded WWW page showing a matrix of machines and monitored functions
  • Notifies sysadmins by email, pager, SMS.
  • System requirements
    • Unix – www server, /bin/sh, C compiler to port BB
    • NT – v4.0 with SP3 minimum, Intel or Alpha platforms.
big brother82
Big Brother
  • Installation Steps
    • cd install
    • ./bbconfig
    • cd ../src
    • Make
    • Make install
    • cd ../etc
      • Edit bb-hosts, bbdef.sh, bbwarnrules.cfg
    • cd ..
    • ./runbb.sh start
big brother83
Big Brother
  • Can monitor more service by modifying bb-network.sh
  • BB shows historical data. Drilling down a host page and clicking on the history buttons shows the last 24 hr stats.
  • Doesn’t need to run as root. Run as ‘bb’.
  • Restricts incoming connections by ACL.
vncviewer
VNCViewer
  • Available from www.uk.research.att.com/vnc
  • Great remote control tool for Windows 95/98, NT, 2000, Macintosh, Unix clients
  • Nice help desk tool
  • It displays the remote desktop on your system.
  • A better version of BackOrifice, BO2K tool
lsof inzider
Lsof, inzider
  • These programs list the processes running on a system.
  • They also list the files opened by those processes.
  • Useful in finding where a sniffer log file is located
sysadmin tools
Sysadmin Tools
  • Sudo
    • Unix access control is all (root) or nothing (user).
    • Some commands (backup, restore) are restricted to root but are really an OPER class command. You don’t want an operator to have root access but you want them to do backups.
    • Sudo lets you set up this “pseudo” privilege scheme.
slide91
Sudo
  • Sudo uses user identity and host to restrict the commands the user can run in “root” mode.
  • It is a restricted root shell.
  • User is prompted for a special password that allows them to run the command.
slide92
Sudo
  • The sudoers files lists the commands, shells, hosts that a user can execute commands
  • Should always list the full path name for the commands
  • Notifies sysadmins if illegal uses of sudo is attempted.
  • Notifies sysadmins if user in sudoers tries to run a restricted command
slide93
Sudo
  • Advantages
    • Good warning if someone tries to use it incorrectly.
    • Easy to configure for multiple machines
    • Adequate internal security checks
      • Check for “.” in PATH
      • Removes LD* variables before execution
  • Disadvantages
    • Works with root userid only. Can’t use with other userids.
    • Doesn’t handle commands that use a subshell to spawn other commands
proactive password tools
Proactive Password Tools
  • Most newer OS allow you to set password rules in config files.
  • Crack is still the best of the bunch.
  • Npasswd and passwd+ are two older but still effective tools.
  • Npasswd is a good tool for those who don’t want to spend a lot of time configuring a password checker
  • Passwd+ requires more configuration time.
crack
Crack
  • The first of the really good password crackers. Available on the net for the past 10 years.
  • Easy to customize. Works on non-shadow password files.
  • Use a preprocessor to rebuild in old format or use NIS, NIS+ 
  • Can be distributed among systems
  • http;//www.users.dircon.co.uk/~crypto/
npasswd
npasswd
  • Uses ASCII dictionaries or DBM format dictionaries.
  • Programs to build directories included.
  • If the password is in the dictionary, it’s rejected. Case and reversed word checks are done as well
  • Does singlecase (Yes/No) checks
    • Allow passwords in one case. Default = No.
  • Does Control Character (Yes/No) checks.
    • Allows passwords with ASCII control characters in them. Default = Yes.
  • Does min/max length checks.
npasswd97
npasswd
  • Checks for 3 sequential occurrences of the same character. This value can be modified.
  • Does illegal character check. (^C, ^D, ^G, ^J, ^M, ^O, ^Q, etc.
  • Good, quick easy tool to use.
home grown tools
Home Grown Tools
  • Network Mgt Group developed a couple of tools for their use.
  • Our CIRT can use the same tools to track an attack in our network.
  • Our Netadmins controls the ENTIRE University net and developed these tools to help them manage, fix and bill usage of net resources. SQL front ends to Oracle DB.
using the tools a strategy
Using the Tools – A Strategy
  • Preparation
  • Detection
  • Containment
  • Eradication
  • Recovery
  • Followup
preparation
Preparation
  • Unix Host Systems
    • Install TCP Wrappers, Portsentry, logcheck, tripwire, lsof, ipfilter
  • NT/2000
    • Inzider,syslog converters
  • Network
    • Ingress, egress filters in place
    • Router logs in place
detection
Detection
  • Portsentry, TCP wrappers, Personal Firewall tools usually send the first alarm.
  • Network router filters may trigger an alarm as well.
  • Once an event is detected, reaction mechanisms are enabled
containment
Containment
  • Detection tools give the source IP address.
  • Router blocks may be enabled to prevent additional attacks.
  • HC++ tool used to isolate offending system
  • Portsentry or PFW tools prevent further access to the systems
eradication
Eradication
  • HC++ tool used to shut off internal port.
  • Router blocks on external IP address.
  • Tripwire used to remove offending files.
  • Network backup software can be used to verify this. Why? Most network backup software does incremental backups so they can capture a newly installed file.
recovery
Recovery
  • “Jumpstart” style OS installation
  • Network and regular backup software
  • File servers may limit the damage
followup
Followup
  • See what components worked.
    • Could additional scanning detect the holes?
    • How fast did the reaction mechanisms work?
    • Internal network tools work?
    • Backup procedures work?
    • What didn’t work? Why? How?
summary
Summary
  • There are some excellent freeware tools that will help you with sysadmin and security issues at your site.
  • Use these tools to gain experience in evaluating vendor tools.
  • A combination of vendor and freeware tools is desired
  • There are MORE tools out there.
where to get the tools
Where to Get the Tools
  • Http://ciac.llnl.gov
    • TCP Wrappers, crack, tcpdump, lsof
  • Http://www.wwdsi.com
    • SAINT
  • Http://www.www-arc.com/sara
    • SARA
  • Http://www.tripwire.com
    • tripwire
where to get the tools118
Where to Get the Tools
  • Http://www.psionic.com
    • Logcheck, portsentry
  • Http://www.uk.research.att.com/vnc
    • VNCViewer
  • Http://www.insecure.org
    • Nmap
  • Http://www.ssh.org
    • SSH
where to get the tools119
Where to Get the Tools
  • www.nessus.org
    • Nessus
  • http://packetstorm.securify.com (now defunct)