Exclusive Interview with CrowdSec CEO Philippe Humeau

With the widespread adoption of cloud and container infrastructure, protecting servers, services, containers and virtual machines exposed on the Internet with a reliable, intelligent intrusion prevention system is more important than ever. Cloud-native environments foster rapid growth and innovation, but they also introduce added complexity, along with new security challenges.

Recently, LinuxSecurity researchers had the opportunity to speak with CrowdSec CEO Philippe Humeau about modern cyber risk, CrowdSec’s community-powered approach to intrusion prevention and its extremely accurate IP reputation system, what users can expect from the latest CrowdSec release, what the future holds for CrowdSec, and more. We’re excited to share key insights and highlights from this exclusive interview with our readers to help them better understand the modern cyber threat landscape and how they can bolster their intrusion prevention strategy.

Introducing CrowdSec: A Collaborative Open-Source Intrusion Prevention Solution

CrowdSec is a cybersecurity solution designed to protect servers, services, containers and VMs with a server-side agent. It was inspired by Fail2Ban and aims to provide a modernized, collaborative version of that popular intrusion-prevention tool. CrowdSec leverages the power of the community to create an extremely accurate real-time IP reputation system that benefits all of its users. It uses a behavior analysis system to determine, based on your logs, whether someone is trying to hack your system. If your agent detects such aggression, the offending IP is dealt with locally and sent for curation. If the signal passes the curation process, the IP is redistributed to all users sharing a similar technological profile to “immunize” them against it.
As for the IP that aggressed your machine, you can choose to remedy the threat in any manner that you feel appropriate.

Interview with CrowdSec CEO Philippe Humeau

LinuxSecurity: What are the main cyber threats Linux users face today that CrowdSec protects against?

Philippe Humeau: CrowdSec is essentially a Metasploit of defense. Everything creates logs nowadays - planes, cars, phones, TVs, and obviously servers and services. If an attack leaves traces in the logs - which over 95% of attacks do - then it’s simply a matter of writing the proper scenario to catch it. To date, we have tens of scenarios, ranging from L7 DDoS to credential bruteforce, credit card stuffing, port or web scans, PHP attacks, and more. Lately we are active on the front of ransomware, using CrowdSec as a canary to avoid lateral moves. Possibilities are limitless! The only limit of CrowdSec’s protection capabilities is when an attack leaves no trace, either due to poor log configuration or because it's “silent”, like a stack overflow. That being said, those exploits are very rare and only demonstrate true stealth if the daemon crashes aren’t logged or if the said attack doesn’t crash the process at all.

The Power of Crowdsourcing

LS: Can you explain the power of crowdsourcing? How are you leveraging it to benefit your users, or the people who participate in your “crowd”? How does open-source development facilitate this approach?

PH: Crowdsourcing can be seen as a digital version of the famous neighborhood watch. If everyone is watching over everyone else’s servers and services, everyone is safer from attacks. By detecting and sharing IPs of bad actors, we are removing their most precious asset: anonymity. Since cybercriminals want to remain under the radar, they are either forced to stop when their IPs are shared, or at the very least slow down their operations tremendously.
Members of our “crowd” benefit directly by constantly receiving IPs that target similar technological signatures as theirs. For instance, if you run a LAMP stack with WordPress, you receive all IPs that are aggressing SSH, Apache, MySQL, WordPress, and the like. Crowdsourcing is the cornerstone of the CrowdSec project. Our point of view is that, through this collaboration, we are more numerous than the aggressors. Hence, instead of the out-powering approach, where a super soldier tries (and fails, except in Hollywood movies) to resist 1000 bad guys, we adopt the outnumbering approach. No one fights a beehive! Open Source facilitates this approach by enabling us to create a product that is adapted to the largest base, where anyone can contribute and adapt it to meet their specific needs. It’s also free, meaning we do not have any friction in adoption - money typically being the first brake. Since we are after a network effect, we need to have as many users as possible, and Open Source is a great engine with the flexibility and trust it fosters.

The Open Source Advantage

LS: Expanding on our discussion of Open Source, what are the main advantages of the open-source development model? Do you feel that Open Source provides a superior vehicle for engineering exceptionally secure, resilient software and technology?

PH: Well, there are pros and cons, honestly. It’s surprisingly complex to offer something for free! First, people look for the catch and think you might be a trickster, until they realize the business model is not based on their data or a belated monetization strategy. Second, each line of code written requires three times more checking prior to publication, especially given the responsibility you have toward your users and other contributors. On the bright side, many people get to test open-source code, report bugs or inconsistencies and collaborate to improve upon the software.
It is no secret that the concept of security through obscurity has failed big time, and it’s true that being audited constantly by the community is also a great strength. Thus, nowadays proprietary products are typically considered less trustworthy.

LS: How did you make the decision to open source part of your technology while leaving some of it proprietary?

PH: To be transparent, this is a question of pace. On the IPS part, we are 100% open sourced, with an MIT license, while the “Consensus” engine is not (yet) open. The reason behind this choice is that we are extremely agile and constantly fine-tuning the Consensus engine, which is used to avoid false positives and poisoning. It takes a lot of extra time to make a piece of code “Open Source compliant”, and making it open as of day one would have only slowed us down. Also, at first, we thought it could be a weakness to reveal how we defeat aggressions toward this set of algorithms. Now time has passed and we have grown more confident that this piece will also be opened to scrutiny and contribution soon. We just need to sprint for half a year before adopting a steadier pace and letting the community review and contribute to the Consensus engine.

LS: CrowdSec is a community-powered, open-source version of the popular Fail2Ban intrusion prevention tool, designed to run on complex modern architectures including clouds, containers and lambdas. Can you explain the similarities between CrowdSec and Fail2Ban, and the key differences between the two? What are the main advantages that CrowdSec offers over Fail2Ban? Can these advantages be attributed (or partially attributed) to CrowdSec’s collaborative, open-source approach?

PH: Fail2Ban created the first “anti-bruteforce system”. Simple in essence, it nevertheless dealt with a lot of credential bruteforce attempts, over a large spectrum of services, on millions of machines, for sixteen years. Quite a legacy for code initially written as Python training for its author!
CrowdSec borrows the philosophy of Fail2Ban in the sense that it works out of the box to protect the services running on your machine, based on what it finds in your logs. And that’s where the parallel between the two ends, because the software design, scope, architecture, orientation, goals and performance are entirely different. CrowdSec is written in Golang, to deliver 60x faster treatment, but also to be able to run in all environments - from VMs to Docker, from Linux to Windows. It is designed to support a large surface of attacks with L7 DDoS, credential or credit card stuffing, port scans, web scans, and any attack that leaves trails in your logs. It’s modern in the sense that it’s not monolithic: detection is separated from remediation. Furthermore, remediation can be anything you would like it to be - not just banning in your firewall (Captcha, MFA, messaging, etc.). CrowdSec is also made to meet the needs of individuals and enterprises alike, running successfully on personal firewalls as well as on hundreds of thousands of machines for large hosting companies. Last but not least, CrowdSec shares the IPs it bans with other instances (after curation on our end), to help further protect all members of the network against known offenders.

Monumental Changes in CrowdSec v1.1 & v1.2

LS: As part of the CrowdSec v1.1.x release, CrowdSec services were moved to PackageCloud, a fast, reliable and secure cloud-hosted package distribution. Can you explain how this transition is benefiting your customers?

PH: Yes, we love PackageCloud! This is a huge step forward for us. We often joke internally that some Debian packages are old enough to buy alcohol! But it’s not only Debian - the majority of platforms are somewhat slow to move. When you release features every other week for more SoCs, more OSes, more packaging systems than ever before, you need the proper tooling.
This packaging is an effort to make CrowdSec available to the largest number of Linux, BSD and even Windows systems running on ARM or Intel. Now customers constantly receive the freshest packages, regardless of their environment, which is key for any security product.

LS: CrowdSec v1.1 and v1.2 feature a brand-new Console. What are the main changes and improvements that have been made to the CrowdSec Console?

PH: We are extremely excited about this new Console! First, because it helps people see what is happening on their machines in a consolidated, centralized view. When you run many CrowdSec agents in your network, the standalone Metabase running in Docker isn’t enough to provide this level of observability. Beyond the observability aspect, we have two important goals with this Console: gamification and monetization. Gamification is part of what we want the community to experience. A bit like the SETI@home project, except that instead of hunting aliens, we hunt cybercriminals. You’ll get badges, ranks, and maybe swag or other forms of recognition for helping other users. The second part is monetization - and the Console will be its headquarters! We are absolutely fine with making money while being an open-source editor. Some would love to see talented authors only feed on edible moss and little animals, wear monk robes and walk barefoot because “it’s the way Open Source should be”. Well, I strongly disagree. If you want talented people committed overtime and dedicating 100% of their time and effort to a project, you need to pay them well, hence to monetize. With CrowdSec, the “crowd” that makes us stronger benefits for free, while large corporations with more complex and extensive requirements have the option of paying for additional services.

BlackHat USA 2021 Reflections

LS: You recently received a Black Unicorn Award at BlackHat USA 2021 for the Top 10 cybersecurity startups of the year. Congratulations on this accomplishment!
Can you briefly reflect on what this award means to you and your team? What are some of the biggest challenges you have faced and what are some of the most notable accomplishments you’ve experienced as a startup? What was the “mission” behind starting CrowdSec? Do you feel this mission is being fulfilled?

PH: I was a rookie red team pentester when I first attended a BlackHat. This conference is both legendary and very insightful! Now, having a Black Unicorn Award sitting on my desk has a special taste indeed. What it precisely represents is that we DO have a different approach. What the BlackHat jury saw in CrowdSec is a new approach to cyber - the collaboration age, the very concept that sharing is not giving away and getting poorer, but instead it’s making everyone stronger. We have a good IPS, that I’m sure of, but the fact that it’s coupled with a CTI approach and that tens of thousands of machines enrolled in our “crowd” in under a year proves without a doubt that this path needs to be explored. Four years from now, we should have millions of machines sharing the rogue IP addresses they identify, making CrowdSec the biggest collaborative effort to date to influence the war against cybercrime. This will become the real-time world map of criminals over the Internet, like Waze became the de facto standard for road hazards worldwide. Have we delivered yet? Yes, sort of. We took off, some trust we are up to something and adoption is accelerating. Have we achieved something? Not yet, it’s still day one, so please don’t hesitate to help us by contributing, adopting the product, commenting on the roadmap and connecting with us on Gitter!

A Bright Future for CrowdSec

LS: What does the future hold for CrowdSec? Upcoming releases? New features and capabilities in the works?

PH: This is a make or make (I don’t like the break part!) year for CrowdSec. The Console, the new premium features, the growing network - all is uncharted territory to us.
We’ll probably have another fundraiser around early 2023, and plan to work on a blockchain approach, which could also be a game changer. We need to expand our team and reach probably 35 people while building a rock-solid relationship with our community. The future is bright, our team is under constant shots of serotonin and the market offers us great feedback. As CEO, I also have to prepare the team and company for the hangover, when we’ll discover the world isn’t just about bull adoption, unicorn pictures on the walls and encouragement messages on our Gitter. At some point, there will be harder times - missed deadlines, concerns on our KPIs, meaningful bugs, trials to try to slow us down or people leaving the company. I know it for a fact, and this will be the moment where we’ll see if we are experienced enough to persevere, giving us the opportunity to build the team and company to be resilient to those challenges. But for now, I wouldn’t wish to be anywhere but here in our journey!

Closing Remarks

LS: Thank you so much for your time and shared insights! Is there anything else you think the LinuxSecurity community should know about CrowdSec? Any closing remarks?

PH: It’s up to you to defend yourselves, while helping everyone else around you. It doesn’t require you to be a bodybuilder or an expert in a martial art - all it takes is an apt-get install … Will you be involved in this cyberwar alongside CrowdSec’s community?

Next Steps

Download CrowdSec v1.2.0 from the project’s GitHub page to join the fight on cybercrime! Have a thought to share or another open-source security tool you’d like us to cover? Connect with us on Twitter and let us know!

Brittany Day
CrowdSec is a massively multiplayer firewall designed to protect Linux servers, services, containers, or virtual machines exposed on the Internet with a server-side agent. It was inspired by Fail2Ban and aims to be a modernized, collaborative version of that intrusion-prevention tool.

CrowdSec is free and open-source (under an MIT License), with the source code available on GitHub. It uses a behavior analysis system to qualify, based on your logs, whether someone is trying to hack you. If your agent detects such aggression, the offending IP is dealt with locally and sent for curation. If this signal passes the curation process, the IP is redistributed to all users sharing a similar technological profile to “immunize” them against it. The goal is to leverage the power of the crowd to create a real-time IP reputation database. As for the IP that aggressed your machine, you can choose to remedy the threat in any manner you feel appropriate. Ultimately, CrowdSec leverages the power of the community to create an extremely accurate IP reputation system that benefits all its users.

It was clear to the founders that Open Source was going to be one of the main pillars of CrowdSec. The project's founders have been working on open-source projects for decades - they didn’t just jump on the train. Rather, they are strong Open Source believers. They believe that the crowd is key to fighting the mass hacking plague we are experiencing, and that Open Source is the best lever to create a community and have people contribute their knowledge to the project, ultimately making it better and more secure. The solution recently turned 1.x, introducing a major architectural change: a local REST API.

How CrowdSec Works

CrowdSec is written in Golang and was designed to run on modern, complex architectures such as clouds, lambdas, and containers.
To achieve this, it's "decoupled," meaning you can "detect here" (e.g., in your database logs) and "remedy there" (e.g., in your firewall or reverse proxy). The tool uses leaky buckets internally to allow for tight event control. Scenarios are written in YAML to make them as simple and readable as possible without sacrificing granularity. The inference engine lets you get insights from chained buckets or meta-buckets: if several buckets (e.g., web scan, port scan, and failed login attempts) overflow into a "meta-bucket," you can trigger a "targeted attack" remediation. Aggressive IPs are dealt with using bouncers. The CrowdSec Hub offers ready-to-use data connectors, bouncers (e.g., Nginx, PHP, Cloudflare, Netfilter), and scenarios to deter different attack classes. These bouncers can remedy threats in various ways: presenting a Captcha, limiting application rights, requiring multi-factor authentication, throttling queries, or activating Cloudflare's attack mode just when needed. You can get a sense of what's happening locally (and where it's occurring) with a lightweight visualization interface and strong Prometheus observability.

Crowdsourcing Security

While the CrowdSec software currently looks like a spruced-up Fail2Ban, the project's goal is to leverage the power of the crowd to create a highly accurate IP reputation database. When CrowdSec bounces a specific IP, the triggered scenario and the timestamp are sent to our API to be checked and integrated into the global consensus of bad IPs. While we are already redistributing a blocklist to our community, we plan to really improve upon this aspect as soon as we have dealt with other prerequisite code. The network already has sightings of 130,000+ IPs (refreshed daily) and is able to redistribute ~10% (13,000) of those to our community members. Our vision is that once the CrowdSec community is large enough, we will all generate, in real time, the most accurate IP reputation database available.
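The leaky-bucket and meta-bucket design described under How CrowdSec Works, as an added example that is not CrowdSec's own code: two constructed scenarios (SSH brute force, web scan) each keep one leaky bucket per source IP, and a meta-bucket emits a "targeted-attack" decision only when distinct scenarios overflow for the same IP within a window. The thresholds, the sample log lines and the scenario labels are assumptions made for the demonstration.

```python
"""Leaky-bucket scenarios chained into a meta-bucket, run over constructed log lines.

Added example, not CrowdSec's own code: it mirrors the design described in
"How CrowdSec Works" (log lines matched by scenarios, one leaky bucket per
source IP, a meta-bucket that fires only when distinct scenarios overflow for
the same IP). Thresholds, log lines and labels are constructed for the demo.
"""
import re
from dataclasses import dataclass, field


@dataclass
class LeakyBucket:
    """Counter that leaks `leak_per_sec` units per second; overflows above `capacity`."""
    capacity: int
    leak_per_sec: float
    level: float = 0.0
    last_ts: float = 0.0

    def pour(self, ts: float) -> bool:
        """Add one event at time `ts`; return True if this event overflows the bucket."""
        if self.level > 0:
            self.level = max(0.0, self.level - (ts - self.last_ts) * self.leak_per_sec)
        self.last_ts = ts
        self.level += 1
        if self.level > self.capacity:
            self.level = 0.0  # one decision per overflow; the bucket starts again
            return True
        return False


@dataclass
class Scenario:
    """A log filter plus bucket parameters; buckets are grouped by source IP."""
    name: str
    pattern: "re.Pattern"  # must capture the source IP as group "ip"
    capacity: int
    leak_per_sec: float
    buckets: dict = field(default_factory=dict)

    def feed(self, ts: float, line: str):
        """Pour a matching line into that IP's bucket; return the IP on overflow, else None."""
        m = self.pattern.search(line)
        if not m:
            return None
        ip = m.group("ip")
        bucket = self.buckets.setdefault(ip, LeakyBucket(self.capacity, self.leak_per_sec))
        return ip if bucket.pour(ts) else None


IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
META_WINDOW = 600.0  # seconds within which distinct scenario overflows chain together


def build_scenarios():
    """Fresh scenarios (with empty buckets) for one run over a log."""
    return [
        # 6 failed SSH logins within a few seconds overflow (capacity 5, slow leak)
        Scenario("ssh-bruteforce", re.compile(r"Failed password .* from " + IPV4), 5, 0.1),
        # 11 HTTP 404s within a few seconds overflow (capacity 10): a scan for hidden files
        Scenario("http-scan", re.compile("^" + IPV4 + r' .* "GET [^"]+" 404 '), 10, 0.05),
    ]


def run(log_lines):
    """Return decisions in order as (ip, label). Each scenario overflow is one decision;
    the meta-bucket tracks which scenarios overflowed per IP inside META_WINDOW and
    emits "targeted-attack" once two distinct ones have (the chained remediation)."""
    scenarios = build_scenarios()
    meta = {}  # ip -> {scenario name: timestamp of its latest overflow}
    decisions = []
    for ts, line in log_lines:
        for sc in scenarios:
            ip = sc.feed(ts, line)
            if ip is None:
                continue
            decisions.append((ip, sc.name))
            seen = meta.setdefault(ip, {})
            seen[sc.name] = ts
            for name, t in list(seen.items()):  # expire overflows outside the window
                if ts - t > META_WINDOW:
                    del seen[name]
            if len(seen) >= 2:
                decisions.append((ip, "targeted-attack"))
                seen.clear()
    return decisions


def sample_log():
    """Constructed (timestamp, line) pairs: one attacker and one user who mistyped twice."""
    ssh = "sshd[1234]: Failed password for invalid user admin from {ip} port 51234 ssh2"
    web = '{ip} - - [10/Oct/2021:10:00:00 +0000] "GET /{path} HTTP/1.1" 404 153 "-" "curl/7.68.0"'
    lines = [(float(i), ssh.format(ip="203.0.113.7")) for i in range(6)]
    lines += [(0.5, ssh.format(ip="198.51.100.5")), (200.0, ssh.format(ip="198.51.100.5"))]
    lines += [(100.0 + i, web.format(ip="203.0.113.7", path=f"backup{i}.zip")) for i in range(11)]
    return sorted(lines, key=lambda e: e[0])
```

Running `run(sample_log())` yields one decision per scenario overflow for 203.0.113.7 followed by the chained "targeted-attack" decision, while the user who failed twice, minutes apart, never overflows anything.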
This global reputation engine, coupled with local behavior assessment and remediation, should allow many businesses to achieve tighter security at a very low cost.

Case Studies

Here are two examples of what CrowdSec does:

Case #1: A company protecting its customers from DDoS attacks had set up a DDoS mitigation strategy relying on Fail2Ban. When one of its customers was attacked by a 7,000-machine botnet, CrowdSec was able to ingest all the logs and successfully banned more than 95% of the botnet, efficiently mitigating the attack in less than five minutes. For the sake of comparison, to deal with this attack Fail2Ban would have needed to process several thousand log lines per minute, which is quite challenging and would have taken nearly 50 minutes.

Case #2: An e-commerce business was going through a massive credit card stuffing attack. The attacker was spamming the payment gateway, testing thousands of different credit card details from a single IP address. Instead of having to amend all of its apps to try to detect the attack, by installing CrowdSec the company could scan all the logs and block the intrusion within minutes.

Business Model

A common source of stress for open-source projects is setting up a viable monetization model. So, in full transparency, we'll offer premium subscriptions to businesses that want to leverage our IP reputation database without contributing to it or sharing their banned IP data. This will allow anyone to query the IP reputation database upon receiving the first packet from an unknown IP, before accepting it.

Getting Started and Getting Involved

CrowdSec's setup is quick and easy (taking just five minutes, tops). It's heavily assisted by a wizard to allow as many people and organizations as possible to use it. The project is production-grade and already runs in many places, including hosting companies (although it's still in beta).
Currently, community members come from 70+ countries across six different continents and have blocked 130,000+ malicious IPs. The CrowdSec team is looking for more users, contributors, and ambassadors to take the project to the next level. The team would love to hear your feedback about this latest release. If you are interested in testing the software or would like to get in touch with the team, check the following links:

Download CrowdSec v1.x
The CrowdSec website
Their GitHub repository

Thank you to the CrowdSec project for contributing this article.

Brittany Day
Five years after our original interview with Brian Gemberling, founder of PullthePlug.org, we catch up with Daniel Alvarez and the rest of the site's administrative management. Its structured management and focus on the community will ensure many years of continued success. You're asking, what is Pull the Plug? Read more to find out...

LinuxSecurity.com: Please explain again for our readers what Pull the Plug is about. What is the concept? How does it work? Who can participate?

PullthePlug.org: The concept of PullThePlug has always been to provide an arena for like-minded individuals to discuss, train, and learn about computer security and associated technologies. The primary focus of PullThePlug as a community is to deliver information and resources on computer security to a wide range of audiences. Some services we currently offer are war-game machines (vortex, semtex, catalyst, blackhole), mailing lists, IRC channels, live lectures ( ) and repository/web hosting for research efforts ( ). As a result of PullThePlug being community driven (by the community, for the community), anybody can participate in some way or another. More often than not, new talents are seen when participating in our wargames or contributing to mailing lists, and people are also free to join the IRC and discuss any topic of interest, or provide ideas or services which help in furthering the community-driven learning experience.

LinuxSecurity.com: Daniel, how did you get involved with Pull the Plug? What is your current role with the site?

PullthePlug.org: I first became interested in PullThePlug in 2001 when a co-worker showed it to me. Eager to learn about network security, I visited the site frequently, reading documentation and playing war-games. Near the end of that year the organization was running short on resources and the servers being used to run the war-games were shut down.
By 2003 I became really involved in the project when I helped create the first new war-game since the last ones were shut down (vortex.labs.pulltheplug.org). A friend, Kurtis Meyers, and I donated a server to run the new war-game and Andrew G. administered it. The initial founder of PullThePlug, Brian Gemberling, was happy to rack our server and provide the necessary bandwidth. The new war-game led to a large increase in traffic and more interest than Brian could manage by himself, so Brian gave me the responsibility of handling the day-to-day management of PullThePlug's resources. Since then we have continued to increase our traffic and interest quite a bit. A management team has been created to organize PullThePlug. This group includes Andrew Griffiths, Samy Al Bahra, Daniel Hudson, and myself. Together we make all of the decisions and work allocations related to PullThePlug.

LinuxSecurity.com: What happened to Brian Gemberling (founder)? Is he still involved with the project?

PullthePlug.org: Brian keeps himself busy with his newly made business PullThePlug Technologies LLC ( ), located in Ashburn, Virginia. His business offers secure colocation, rack space, and a variety of Internet services with an emphasis on security. Initially PTPTECH only offered services to private parties, but on June 13 his services became available to the public. He provides bandwidth and rack space for our servers. Brian is no longer involved in the everyday operation of PullThePlug; however, he still donates bandwidth, rack space, and time.

LinuxSecurity.com: How has the project changed since our original interview (June 26th, 2000)? How much has it grown? How many people are now involved, and how many hosts do you currently maintain?

PullthePlug.org: The management of PullThePlug has changed hands from Brian to a four-person management team created from outstanding community members.
Other people who are not members of the management team still take part in many of the administrative services, such as managing the IRC chat rooms and the war-games. We moved from PullThePlug.com to PullThePlug.org since PullThePlug is on its way to becoming a non-profit. PullThePlug.com is now part of PullThePlug Technologies, owned and operated by the founder of PullThePlug, Brian. The staff has changed a lot. Many of the old crew wanted PullThePlug to remain private, while others wanted to grow and acquire/provide new resources to the public. Many people left as PullThePlug got too big for their tastes. The old war-games are gone and a whole new breed of them are up, including vortex, semtex, catalyst and blackhole. Vortex resembles mainsource, which is a level-based wargame focusing on learning security concepts such as buffer overflows, format strings and some encryption stuff. Blackhole is also level-based and focuses on remote exploitation of overflows, format strings etc. Semtex is much more "down to earth": it doesn't focus on vulnerabilities - instead, its purpose is to allow players to hone their network programming skills. Catalyst is for those looking to play around with binaries and hone their "binary analysis" skills. Technology has changed a lot in 4 years and we try to keep up with all the "latest and greatest". We've also pioneered new things like Live Tutorials ( ). Basically, people can choose a topic to 'lecture' on and choose a medium such as IRC, SILC, VoIP or even teleconferences and physical meetings. Listeners can log in to suntzu and see what's being explained in real time, allowing the observer to actually see with his/her own eyes what's being discussed. We also have a development machine which provides SVN/CVS services to various projects. Some of the projects we host include kerneled ( , home to many popular FreeBSD ports and various software patches), which includes quite a subset of software, and other various private projects.
Our size: currently we have 4 "master" (physical) machines and over 8 virtual servers. How many people are involved now? 4 people on the management team and about 8 people in total just helping out, including wargame administrators like "aton", who runs semtex.labs.pulltheplug.org, and Ken Davies, who helps us out whenever our servers go down by going to the datacenter and fixing stuff. Both of them have been with us for quite some time. We receive 250-300 visitors to our site per day on average, as well as an average of 80-90 people on our IRCd and over 60 people on our mailing list.

LinuxSecurity.com: How often are your systems compromised? What have you learned from the process? How has it benefited your skill set personally?

PullthePlug.org: Oddly enough, PullThePlug does not receive an excessive amount of hacking attempts, but we have experienced several Denial of Service (DoS) attacks against the wargame machines and other services we provide (such as the live lectures). The management team has always been swift in its response to these incidents. There has been no known successful compromise of the PullThePlug network. We believe our war-games provide a unique challenge to the security community, and thus are much more challenging than a simple dotslash. As a learning curve, we have realised the benefits in network monitoring, securing systems, patch management, and other such day-to-day administrative activities. This has taught most of the staff how to look for and identify interesting event patterns (most of the data on the PullThePlug network is logged and managed remotely); in addition, we use complex filters on the upstream router to block out traffic to hosts which we deem sensitive. We utilize virtual servers extensively as well. This creates an environment that minimizes possible exposure to the rest of the systems and also segregates "trouble" machines, effectively cutting off any chance of total compromise. We also use grsecurity kernel patches (grsecurity).
Not only from a security perspective, but administering the network has always provided a unique challenge to staff and as such is constantly teaching us new things.

LinuxSecurity.com: Although everyone who attempts to compromise a machine uses different techniques, have you noticed any common patterns (methods) that are used across the board? Please describe the anatomy of a typical attack.

PullthePlug.org: We simply don't leave machines open to attack - instead we close off the machines and leave 'conduits' for attacking, which are levels. An attacker must then work their way up through the levels with increasing difficulty. This provides a unique challenge that turns out to be very rewarding in the end. Another benefit of this method is that if people are unfamiliar with some aspect, they'll need to learn it before progressing, which encourages people and exposes them to new stuff. One interesting effect of the level-based wargames we provide is that people are constantly surprising us with new and innovative ways to approach certain levels. With semtex, one user submitted a solution developed with Microsoft Excel, while another user has reverse engineered Linux binaries (on catalyst) under the Windows platform. Typically the most common approach to the wargames is the most obvious, and people will compromise the levels via standard stack smashing techniques, format strings, heap exploitation and so on. Though I state the "standard" techniques are used, there is no definitive approach people are taking. This is primarily due to the challenges being different from all other wargames we have seen - they all provide the opportunity for exploitation, but there is always that slight twist to make it all the more interesting, challenging and rewarding. As for the PullThePlug network being attacked, we often see portscan attempts followed by brute forcing - occasionally an exploit against a service we don't provide (which we usually consider to be worm traffic).
If we were to class the most common attack scenarios, it would probably be worm traffic, which involves probes against particular ports (to determine whether or not a service is provided), followed by multiple malicious payloads sent to that service.

LinuxSecurity.com: After being involved in this project, what have you learned to be the single most important step in keeping a Linux/Unix system secure?

PullthePlug.org: The single most important step is trusting in the abilities of the people who are protecting your assets. If you cannot trust them, then you cannot trust the security of your systems and networks. For small environments where they don't have the funds available to do any serious security stuff, their most important step would be ensuring machines are kept up to date, along with anti-virus signatures, and perhaps some basic end-user training. In larger environments, you'll need to have skilled administrators who know their field inside out, who will keep abreast of security issues, will look at and examine methods of improving the security of the systems, and hopefully design away various security issues. In huge environments, you'll generally have duty separation, and teams of people handling various facets, such as the people who write policies, the people who implement them, the people responsible for monitoring the security of systems, and so forth. In this case, it's necessary that people work together on achieving the required level of security. Problems will generally be approached by doing a risk analysis and attempting to remove or mitigate high risk / high impact issues and working down. To solve the problems though, you'll need to have the appropriately skilled people with the backing of the company. To bring this back to PullThePlug, a lot of the stuff we do involves minimizing exposure while trying to make the appropriate systems accessible to people.
A example of minimising exposure would be seperating various services we provide from people's shell accounts, and only providing the files needed to make that service work as expected. LinuxSecurity.com: Pull the plug is a slightly different concept from a honeynet. While the goals are similar, are the results different? Explain the advantages of operating openly asopposed to covertly like the administrator of a honeynet would. PullthePlug.org: Pulltheplug is pretty much completely different from a honeynet. We aim to help people understand applied security concepts, rather than setting up boxes for random people to compromise. We do get the joy of observing some of the more interesting exploit's against challenges when people wish to tell us about them, but there is a significant difference between that and a honeypot. We differ not only in terms of goals, but also strategy. The games are not setup to observe peoples actions, and are not setup as bait to understand new exploit strategies. All levels are generally left un-moderated, which allows participants to choose whether or not to share information with the rest of the community (this could be an exploit technique, or idea's for new challenges etc). Because participants have this freedom, it also builds a strong level of trust within the community, and provides people with a safe zone to experiment and broaden their ideas without penalty. Community members and new comers alike - see our community as a place to share ideas without the ego's that plague many other communities. Some say we are the next best thing before being a totally private community. LinuxSecurity.com: For those readers interested in system monitoring, what open source tools would you recommend? Would you mind providing the names, a short description, and the URLs to several of your favorite host and network monitoring tools? PullthePlug.org: These are tools we recomend overall. 
grsecurity grsecurity - grsecurity is a kernel patch which provides a comphrensive approach to increasing the security of a system. grsecurity provides detection, prevention, and containment, which is useful on a couple of the systems Pulltheplug runs. openwall kernel patch Openwall - bringing security into open computing environments - The openwall kernel patch allows us to provide an increased level of security that isn't asextreme as grsecurity. This is used to allow people to learn such things as bypassing non-executable stacks for example. syslog-ng syslog-ng - Log Management Solutions - Secure replacement to syslog. We utilize syslog-ng to monitor our network and facilitate remote storage of logs. stunnel stunnel: Home - We utilize stunnel to provide secure encrypted means of transporting logs and other streamed data across the network and internet. Linux VServer Project Linux-VServer/ - Linux Virtual Servers provides the means for complete segregation of server processes allowing us to minimize exposure in the event of a successful attack. They also allow us to extend the value of our limited resources by running several modularized Linux Distributions under the same linux kernel. TrustedBSD Security Extensions TrustedBSD - Home - "The TrustedBSD project provides a set of trusted operating system extensions to the FreeBSD operating system, targeting the Common Criteria for Information Technology Security Evaluation (CC)." We utilize many of the extensions on our development hosting server. LinuxSecurity.com
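The syslog-ng plus stunnel pairing described in the answer above, as an added configuration example that is not from the interview or from PullThePlug: syslog-ng hands local logs to a stunnel client on loopback, stunnel carries them over TLS to a log host, and the log host accepts only what arrives through its own stunnel. The hostname loghost.example.org, ports 5140 and 6514, and the certificate paths are constructed placeholders.

```conf
# /etc/syslog-ng/syslog-ng.conf on the sending host (constructed example)
# Collect local messages and hand them to stunnel on loopback, so the
# plaintext stream never leaves this machine.
source s_local {
    system();
    internal();
};
destination d_stunnel {
    network("127.0.0.1" port(5140) transport("tcp"));
};
log { source(s_local); destination(d_stunnel); };

# /etc/stunnel/syslog.conf on the sending host (constructed example)
# Wrap the loopback stream in TLS. verify = 2 requires the log host to
# present a certificate signed by the CA in CAfile, so a spoofed log
# host cannot capture or drop the logs.
[syslog-client]
client  = yes
accept  = 127.0.0.1:5140
connect = loghost.example.org:6514
CAfile  = /etc/stunnel/ca.pem
verify  = 2

# /etc/stunnel/syslog.conf on the log host (constructed example)
# Terminate TLS and deliver the plaintext stream to the local syslog-ng.
[syslog-server]
accept  = 6514
connect = 127.0.0.1:5140
cert    = /etc/stunnel/loghost.pem
key     = /etc/stunnel/loghost.key

# /etc/syslog-ng/syslog-ng.conf on the log host (constructed example)
# Listen on loopback only, so the only path in is through stunnel, and
# keep each sender's logs in a separate file for later review.
source s_tls {
    network(ip("127.0.0.1") port(5140) transport("tcp"));
};
destination d_remote {
    file("/var/log/remote/${HOST}.log" create_dirs(yes));
};
log { source(s_tls); destination(d_remote); };
```

A host firewall on the log host should admit only port 6514 from the sending hosts; the loopback listener on 5140 must not be reachable from the network, or the TLS wrapper is bypassed.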