Security-savvy Linux sysadmins assume they will face online and cloud security breaches, because threats targeting Linux grow increasingly pervasive as its popularity as an operating system (OS) grows. Linux malware reached an all-time high in 2022. When detecting and protecting against network security threats, traditional intrusion detection and prevention systems typically produce too many false positives. Threat hunters are hard to find and can only catch some risks. As a result, administrators and organizations have turned to active defense, or deception, technologies to help identify malicious actors within their systems. Honeypots are an invaluable offensive network security toolkit for learning the Blackhat community's tactics and motives. They share the information and insights they gather and can be quite effective at finding lateral movement and attacks in network security, protecting remotely accessible services, and improving Active Directory security. This article will explore deception technologies, how they work, and which open-source honeypots you can use for free.

What Are Deception Technologies & How Do They Work?

Deception technology deceives attackers by setting up decoys and traps that imitate real environments. This cybersecurity defense strategy is triggered when an attacker gains access to one of these environments; every action and event is then recorded and monitored. These logs help determine how attackers plan to gain access to a company's network and what actions they carry out once they are inside. This information assists organizations in defending against attacks in network security: companies can patch the cybersecurity vulnerabilities that were exploited and harden endpoints so that the methods observed during the breach no longer work.

What Should I Prioritize in an Open-Source Deception Tool?
Think about these requirements when choosing your open-source deception tool:

Concealment: Limit the severity of attacks by concealing sensitive data rather than treating the tool as a decoy asset.
Redirection: A robust tool drops the attacker into decoy environments that look believable to the hacker.
Coverage: Make sure the tool covers the platforms your company uses, such as cloud-based environments, hybrid, IoT, networks, and so on.
Effectiveness: The tool should monitor reconnaissance activity, stolen credentials, AD attacks, lateral movement in general, and more.
Comprehensiveness: Understand the tool's scope by considering the deception lures available, its coverage, and whether it checks endpoints.
Authenticity: Ensure the tool can fool anyone, or hackers will not fall for the deception technology.
Capabilities: Know how the tool operates: whether tasks are performed manually or automatically, and easily or with difficulty.
Attack reports: See whether the tool can identify attacks in network security without previously recorded patterns or signatures, and find out whether the collected information is in a usable format.

What Is a Honeypot & How Does It Work?

A honeypot is a type of deception technology attached to a network to attract and study environment-access attempts that could be considered attacks in network security. Honeypots are typically set up inside virtual machines (VMs) so that a compromised decoy service can be contained and reset quickly. More than one honeypot on a server is called a honey farm. Honeypots present themselves as vulnerable targets and then send alerts to the security professionals monitoring them, who can study the hacks to patch cybersecurity vulnerabilities. The main production network is kept separate from the honeypot, which companies isolate in a demilitarized zone on the network where applications and data mimic actual environment behavior.
Any attempt to communicate with the honeypot is treated as hostile and triggers an alert; this monitoring gives an organization logged activity from which to understand network security threats and web application security vulnerabilities. Honeynets focus on data control and data capture. Since they are highly customizable and flexible, honeynets can mitigate risk through data control and prevent compromise of non-honeynet systems through data capture. Data collection for honey farms gives organizations all the data in a central location.

Open-Source Honeypots that Detect Threats for Free

You must research all the free open-source honeypots available to pick the option that best suits your data and network security needs. Deploy honeypots with caution, because incorrect configurations can give hackers easier access and lead to compromise:

Modern Honey Network (MHN) is a user-friendly, easy-to-install honeypot that runs on a centralized server. It combines Snort, Kippo, Dionaea, and Conpot.
Honeydrive is a GNU/Linux distribution that comes with honeypot tools pre-installed. It offers active defense capabilities, and you can view it as the "anti-Kali."
Cowrie is an SSH honeypot that mimics an interactive SSH server and lets you customize command responses. It logs brute-force exploits in cybersecurity as well as attacker shell interactions.
Dionaea is a multi-protocol honeypot that covers everything from FTP to SIP. It excels at SMB decoys and can simulate malware payload execution to analyze multi-part stagers.
Cuckoo Sandbox is a sandbox rather than a honeypot, but it is an excellent tool for malware analysis because it provides a detailed report on executed code.
Thug is a "honey client" that emulates a web browser to analyze client-side exploits.
MongoDB-HoneyProxy is a honeypot proxy mimicking an insecure MongoDB database, logging all traffic to a dummy MongoDB server.
ElasticHoney emulates an Elasticsearch instance and watches for attempted remote code execution.
Canarytokens helps you track activity on your network by positioning decoy data across your systems.
Honeything is a honeypot for IoT devices supporting the TR-069 (CWMP) protocol. It acts as a modem/router with a RomPager-embedded web server.
Conpot can emulate complex infrastructures to lure attackers into a vast industrial complex. The design is easy to deploy, modify, and extend. Moreover, it comes with a web server that can emulate a SCADA HMI.
GasPot is suitable for organizations in the oil and gas industry since it mimics a Veeder-Root Guardian AST, a familiar concept to those in the industry.

Final Thoughts on Open-Source Honeypots that Detect Threats for Free

Deception technology is critical for detecting and eliminating modern network security threats on Linux systems and for maintaining and improving security posture. Honeypots have a low false-positive rate, so you can trust their effectiveness in identifying cybersecurity vulnerabilities. Open-source honeypots can be a free and reliable way to stop malware and attacks in network security before they do any damage. Are you using one of these honeypots? Comment below; we'd love to hear how your experience has been!

By Zaid AlBukhari
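The mechanism the honeypot section describes (a decoy that looks like a vulnerable service, records every access attempt, and alerts because no legitimate client should ever touch it), as an added example in Python that is not the code of any tool listed above; the banner, the listening port and the allowlisted scanner address 192.0.2.10 are constructed placeholders.

```python
"""Minimal low-interaction TCP honeypot: advertises a fake SSH banner, records
every connection attempt as a JSON line, and raises an alert for any source
that is not one of your own scanners, because a decoy has no legitimate users."""
import json
import socket
import threading
import time
from typing import Dict, Iterable, Optional

# Constructed banner; it only needs to look like a real service to a scanner.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"


def classify_payload(payload: bytes) -> str:
    """Label the first bytes a client sent so analysts can triage quickly."""
    if not payload:
        return "connect-only"      # connect and leave: typical of a port scan
    if payload.startswith(b"SSH-"):
        return "ssh-client"        # a real SSH client started its handshake
    if payload.split(b" ", 1)[0] in (b"GET", b"HEAD", b"POST", b"OPTIONS"):
        return "http-probe"        # a web scanner poking at a non-HTTP port
    return "unknown"


def make_event(src_ip: str, src_port: int, listen_port: int,
               payload: bytes, ts: Optional[float] = None) -> Dict:
    """Build the log record for one connection attempt."""
    return {
        "ts": time.time() if ts is None else ts,
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": listen_port,
        "probe": classify_payload(payload),
        "payload_hex": payload[:64].hex(),   # keep only a bounded sample
    }


def severity(event: Dict, allowlist: Iterable[str]) -> str:
    """Only your own scanners (the allowlist) may touch the decoy; every other
    source is an alert. This is why honeypot alerts are rarely false positives."""
    return "info" if event["src_ip"] in set(allowlist) else "alert"


def handle(conn: socket.socket, addr, listen_port: int,
           log_path: str, allowlist: Iterable[str]) -> Dict:
    """Serve one client: send the banner, capture what it sends, log it."""
    try:
        conn.settimeout(3.0)
        conn.sendall(FAKE_BANNER)
        try:
            payload = conn.recv(1024)
        except socket.timeout:
            payload = b""
    finally:
        conn.close()
    event = make_event(addr[0], addr[1], listen_port, payload)
    event["severity"] = severity(event, allowlist)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(event) + "\n")
    if event["severity"] == "alert":
        print(f"ALERT {event['src_ip']}:{event['src_port']} -> :{listen_port} "
              f"({event['probe']})")
    return event


def serve(listen_port: int = 2222, log_path: str = "honeypot.jsonl",
          allowlist: Iterable[str] = ()) -> None:
    """Accept connections forever, one thread per client."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))
        srv.listen(16)
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle,
                             args=(conn, addr, listen_port, log_path, allowlist),
                             daemon=True).start()


if __name__ == "__main__":
    # 192.0.2.10 is a constructed placeholder for your own vulnerability scanner.
    serve(allowlist=("192.0.2.10",))
```

Run it inside an isolated VM or DMZ host, as the section advises, and ship honeypot.jsonl to your log pipeline so the alerts reach whoever monitors the decoy.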
As open-source software becomes increasingly common in business infrastructure, it is essential to ensure the security of the software being relied upon. An increasingly popular cyber security solution is open-source SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) security scanning, which gives IT technicians and developers the ability to access the code of a piece of software to remove threats or improve the strength of its security.

Software scanning tools allow developers and users to scan the code of the programs they are using to check for security flaws. The two types of security tools, SAST and DAST, each have their strengths and weaknesses. Running these tools (and your wider organizational systems) on an open-source operating system like Linux gives you additional security and peace of mind and increases control over your hardware infrastructure. This is what you need to know about SAST and DAST on Linux and why it is important for your organization.

What Is Open Source Security?

Open-source software is software whose source code is accessible to outside users, who can change or share it at will. The source code, which "open source" refers to, is what developers or technicians use to modify the behavior of the software, whether to improve performance, eliminate technical gremlins, or bolster security. Naturally, open-source security allows you to be incredibly flexible with your security processes because you can immediately dive into the software and fix any issues. There is no need to wait for a software upgrade, call out a specialist, or be left with lasting software problems, at the whim of a proprietary software vendor, that could damage your organization's health and reputation.
Given the relentless demand for the latest software and technology solutions within businesses today, it is little surprise that open-source security processes are an increasingly prevalent means of tackling security problems. Using the increasingly popular open-source Linux operating system offers additional security benefits due to its modular construction, which limits user access to applications and separates them from each other, so that if there were a cyber-attack, less damage would be done in a single breach. Despite the benefits of open-source development discussed above, not every open-source security tool is equal, and there are a few different approaches to consider. These include SAST and DAST tools, which we cover in more depth below.

What Are SAST and DAST Tools?

Ultimately, SAST and DAST tools have the same goal: to improve the security of the code within software. However, they take different approaches to the problem, which is important to note if you are considering using them.

What Types of Vulnerabilities can SAST Tools be Used to Find?

SAST tools examine software source code that is still under development and not yet on the open market. They can be of great assistance if you are trying to identify and fix bugs during the development phase of a piece of software or technology. SAST tools work by analyzing code to look for vulnerabilities. They use the white-box testing methodology, meaning the program is never actually run and is "tested" only at a logical level. By scanning the code, SAST tools can identify vulnerabilities such as:

weak random number generation
SQL injection
cross-site scripting
buffer overflows

Since SAST tools are usually used earlier in development, they can prevent the need to pull a piece of software later in the development cycle, which could cost a lot of time and money and even cause reputational damage.
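The white-box analysis just described, as an added example in Python that is not SonarQube or any tool named on this page: it parses source into an AST and, without running the program, reports two of the flaw classes listed above (weak random number generation used for secrets, and SQL queries assembled by string formatting). The sample source under test, the rule names and the "secret-sounding function name" heuristic are constructed for the illustration.

```python
"""Toy SAST-style checker: walks a Python AST, never executes the code, and
reports weak-random and SQL-injection patterns, while leaving a parameterized
query and a non-sensitive use of random() unreported to limit false positives."""
import ast
from typing import List, Tuple

# Constructed sample under test: one weak token generator, one injectable
# query, and one parameterized query that must NOT be reported.
SAMPLE_SOURCE = '''
import random, sqlite3

def make_reset_token():
    return "".join(random.choice("abcdef0123456789") for _ in range(32))

def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '%s'" % name)
    return cur.fetchone()

def find_user_safe(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
    return cur.fetchone()
'''

WEAK_RANDOM_FUNCS = {"random", "randint", "choice", "choices", "randrange",
                     "getrandbits", "sample", "shuffle"}
# Function-name fragments that suggest the generated value is security sensitive.
SECRET_HINTS = ("token", "secret", "key", "password", "nonce", "salt", "session")

Finding = Tuple[int, str, str]   # (line number, rule id, message)


def _is_str_const(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def is_dynamic_string(node: ast.AST) -> bool:
    """True when a string is assembled at runtime from other values:
    an f-string, "..." % x, "..." + x, or "...".format(x)."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return _is_str_const(node.left) or _is_str_const(node.right)
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"
            and _is_str_const(node.func.value))


class Checker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []
        self._scope: List[str] = []   # names of the enclosing functions

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self._scope.append(node.name)
        self.generic_visit(node)
        self._scope.pop()

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute):
            # Rule 1: random.<x>() inside a function whose name hints at secrets.
            if (isinstance(func.value, ast.Name) and func.value.id == "random"
                    and func.attr in WEAK_RANDOM_FUNCS):
                where = self._scope[-1] if self._scope else "<module>"
                if any(h in where.lower() for h in SECRET_HINTS):
                    self.findings.append((node.lineno, "weak-random",
                        f"random.{func.attr}() in {where}(): use the secrets module"))
            # Rule 2: execute() whose query text is built at runtime.
            if (func.attr in ("execute", "executemany") and node.args
                    and is_dynamic_string(node.args[0])):
                self.findings.append((node.lineno, "sql-injection",
                    "query assembled from runtime values: use parameters"))
        self.generic_visit(node)


def scan(source: str) -> List[Finding]:
    """Parse the source and return findings ordered by line number."""
    checker = Checker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings)


if __name__ == "__main__":
    for line, rule, msg in scan(SAMPLE_SOURCE):
        print(f"line {line}: [{rule}] {msg}")
```

Because the program is never run, the checker can point at the exact line, which is exactly what a black-box DAST scan cannot do.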
To further improve the efficiency of the software development process, you can add a SAST tool to an integrated development environment (IDE). Essentially, this alerts the development team to any technical glitches or software vulnerabilities as they work, speeding up the software creation process and minimizing the chance of errors.

What Types of Vulnerabilities can DAST Tools be Used to Find?

Conversely, a DAST tool is designed for use after a piece of software has already been completed. Unlike a SAST tool, a DAST tool does not focus on troubleshooting issues within the code. Instead, it attacks a system from the outside in, probing the program using a variety of approaches, including through exposed HTML and HTTP. Unlike SAST tools, DAST tools use a black-box approach, meaning that the program is tested only from the outside, without any knowledge of its inner workings, the way a hacker would likely attack it. DAST tools are useful for finding:

configuration problems
issues with error handling
input and output issues

Unlike SAST tools, DAST tools cannot tell you where in the code an error originates; by design they are as blind as a real user of the software would be. A DAST tool is particularly useful if you have an existing system or piece of software that is likely to suffer a certain kind of cyber-attack. For example, if your organization operates an online retail store, there are certain attacks you should be vigilant about. A DAST tool can be configured to simulate these attacks to expose any potential weaknesses within your infrastructure. There is a tendency for businesses to deploy either a SAST tool or a DAST tool, focusing on one as though it were better than the other. This is rarely the right choice, because they fulfill different roles within your cyber security processes. By using both tools, you safeguard yourself at both the software development and deployment phases.

Which Open-Source Security SAST and DAST Tools are Available?
There are various strong open-source security tools available, and choosing between them can be difficult. Here are a few options to consider:

Zed Attack Proxy (ZAP): ZAP is a DAST tool available on Windows, Mac, and Linux that is designed primarily for testing web applications using penetration testing. ZAP is a popular tool that is used by dozens of other services and has a beginner-friendly user interface.
GoLismero: GoLismero is another DAST tool and is available on Windows, Mac, BSD, and Linux. GoLismero is a bit less beginner-friendly than ZAP, as it does not have a UI; it is installed and run solely via the command line. However, it is very robust, as it consolidates the results of security frameworks including sqlmap, xsser, openvas, dnsrecon, and theharvester, and has several output options.
SonarQube: SonarQube is a SAST tool that can analyze 17 different languages, including Java, JavaScript, Python, HTML, and CSS. It also has a dynamic UI, a community forum, and thorough documentation. There are several expanded versions of SonarQube with more features and support for additional programming languages, but only the "Community Edition" is free and open-source.
w3af: w3af is a DAST tool designed primarily to test web applications. It is a framework specifically made to be easy to extend and incorporate into other projects. w3af can be downloaded for Linux, Mac, and BSD (it is also possible to run it on Windows, but that is not officially supported or tested).

What Are the Top Five Things I Should Look for in an Open-Source Security Scanning Tool?

With so many software scanning tools available, it can be helpful to narrow your focus when deciding which tools to use. Tips for choosing the right scanning tool include:

Easiness to Use (Especially if You're a Beginner)

Not all software scanning tools are beginner-friendly. Some tools, like the aforementioned GoLismero, can only be run, or even installed, using the command line.
On the other hand, tools like ZAP and SonarQube are designed to be easier to use thanks to their detailed user interfaces, making them a good starting point.

What Programming Languages It Can Check

Not all tools are made for checking all types of programs. While some tools, like SonarQube, can check most types of code, tools like ZAP and w3af are made for testing certain types of programs, like web applications.

Limited False Positives

Software scanning tools sometimes make mistakes by flagging safe code as dangerous. Attempting to fix these nonexistent flaws wastes time rewriting code for no reason, so it is important to look for scanning tools that have as few false positives as possible.

What Flaws It Can Find (Don't Rely on Just SAST or DAST)

No single piece of software can find every exploit. Because SAST and DAST tools use fundamentally different methodologies to find flaws and are meant to be used at different stages of development, ideally both should be used in order to find more types of errors and bugs.

Active Support, Updates, and Community (You Don't Want a Tool that Can't Find New Vulnerabilities)

When using any open-source software or tool, it is important to check that it is up to date and frequently updated, since out-of-date code can be a security risk. Ensuring that the tools you use are up to date is especially important with security tools like software scanners, so that they can find the latest exploits.

What Are Some Strengths and Weaknesses of Open-Source Testing Tools?

There are many strengths and weaknesses to be aware of when considering the use of open-source testing tools and open-source technology in general. To start with the advantages, open-source testing tools can save your organization substantial money.
When you have an open-source variant of a software solution, you can make changes yourself, adapt the software to your specific needs, and even operate without a license, all of which cuts a lot of unnecessary costs. Furthermore, you will (hopefully) be able to identify problems within the system before they cause any significant damage. This could save your organization a substantial amount in damages, potential losses (both data losses and financial losses), and reputational damage. Another key advantage of open-source testing tools is increased agility. When you can dive into open-source code at any time, fixing issues and improving performance become far more efficient. Technically, anyone can work on the software, which eliminates potential delays in waiting for system updates or a professional fix. When you are growing an organization quickly, delays in software updates or bug fixes can stop your progress overnight, so having user-focused testing tools allows you to constantly build upon your base-layer solutions.

Know that Open-Source Tools Are Not Perfect

While open-source tools provide many advantages, they are not perfect. Commercial tools often have more features. For example, as mentioned before, the paid, closed-source versions of SonarQube offer significantly more features and compatibility with more programming languages. The open-source version is more of a "try before you buy," where features are intentionally limited in an effort to draw clients to the subscription model; it is not necessarily a limitation of open source itself. However, many open-source scanning tools have large user bases with lots of community support, meaning that bugs can be fixed just as quickly as, if not faster than, in proprietary closed-source software. Ultimately, it is up to developers to weigh the pros and cons of open-source tools against the needs of their projects.

Final Thoughts on DAST vs. SAST: Which One Is Better?
While SAST and DAST are both useful for testing the security of programs, they use fundamentally different methods for finding exploits. SAST programs analyze the code itself; while an error checker that analyzes code sounds more thorough, not all programming errors can be found in the code. Because SAST never executes the program, it cannot find runtime errors or exploits that a user can take advantage of. DAST never looks at the code of the program it is testing, but it is able to find runtime issues by executing the program. It is unfair to say that either SAST or DAST is better; they serve different purposes. Since SAST analyzes code, it is usually used earlier in development to assist with programming. DAST, on the other hand, is usually used after the programming is finished as a way of finding exploits in the completed software. Both tools should be used hand in hand for ideal error prevention, and a best-practice security strategy should incorporate both SAST and DAST tools in its software development cycle.

By Yosef Davidowitz
Exclusive Interview with CrowdSec CEO Philippe Humeau

With the widespread adoption of cloud and container infrastructure, protecting servers, services, containers and virtual machines exposed on the Internet with a reliable, intelligent intrusion prevention system is more important than ever. Cloud-native environments foster rapid growth and innovation, but also introduce added complexity, along with new security challenges.

Recently, LinuxSecurity researchers had the opportunity to speak with CrowdSec CEO Philippe Humeau about modern cyber risk, CrowdSec's unique and advantageous community-powered approach to intrusion prevention with an extremely accurate IP reputation system, what users can expect from the latest CrowdSec release, what the future holds for CrowdSec, and more! We're excited to share key insights and highlights from this exclusive interview with our readers to help them better understand the modern cyber threat landscape and how they can bolster their intrusion prevention strategy to prevent attacks.

Introducing CrowdSec: A Collaborative Open-Source Intrusion Prevention Solution

CrowdSec is a cybersecurity solution designed to protect servers, services, containers and VMs with a server-side agent. It was inspired by Fail2Ban and aims to provide a modernized, collaborative version of the popular intrusion-prevention tool. CrowdSec leverages the power of the community to create an extremely accurate real-time IP reputation system that benefits all of its users. It uses a behavior analysis system to determine, based on your logs, whether someone is trying to hack your system. If your agent detects such aggression, the offending IP is dealt with and sent for curation. If this signal passes the curation process, the IP is then redistributed to all users sharing a similar technological profile to "immunize" them against it.
As for the IP that aggressed your machine, you can choose to remedy the threat in any manner you feel appropriate.

Interview with CrowdSec CEO Philippe Humeau

LinuxSecurity: What are the main cyber threats Linux users face today that CrowdSec protects against?

Philippe Humeau: CrowdSec is essentially a metasploit of defense. Everything creates logs nowadays - planes, cars, phones, TVs, and obviously servers and services. If an attack leaves traces in the logs - which over 95% of attacks do - then it's simply a matter of writing the proper scenario to catch it. To date, we have tens of scenarios, ranging from L7 DDoS, to credential bruteforce, credit card stuffing, port or web scans, PHP attacks, and more. Lately we are active on the front of ransomware, using CrowdSec as a canary to avoid lateral moves. Possibilities are limitless! The only limit of CrowdSec's protection capabilities is when an attack leaves no trace, either due to poor log configuration or because it's "silent", like a stack overflow. That being said, those exploits are very rare and only demonstrate true stealth if the daemon crashes aren't logged or if the said attack doesn't crash the process at all.

The Power of Crowdsourcing

LS: Can you explain the power of crowdsourcing? How are you leveraging it to benefit your users, or the people who participate in your "crowd"? How does open-source development facilitate this approach?

PH: Crowdsourcing can be seen as a digital version of the famous neighborhood watch. If everyone is watching over everyone else's servers and services, everyone is safer from attacks. By detecting and sharing IPs of bad actors, we are removing their most precious asset: anonymity. Since cybercriminals want to remain under the radar, they are either forced to stop when their IPs are shared, or at the very least slow down their operations tremendously.
Members of our "crowd" benefit directly by constantly receiving IPs that target similar technological signatures as theirs. For instance, if you run a LAMP with Wordpress, you receive all IPs that are aggressing SSH, Apache, MySQL, Wordpress, and the like. Crowdsourcing is the cornerstone of the CrowdSec project. Our point of view is that, through this collaboration, we are more numerous than the aggressors. Hence, instead of the out-powering approach, where a super soldier tries (and fails, except in Hollywood movies) to resist 1000 bad guys, we adopt the outnumbering approach. No one fights a beehive! Open Source facilitates this approach by enabling us to create a product that is adapted to the largest base, where anyone can contribute and adapt it to meet their specific needs. It's also free, meaning we do not have any friction in adoption - money typically being the first brake. Since we are after a network effect, we need to have as many users as possible and Open Source is a great engine with the flexibility and trust it fosters.

The Open Source Advantage

LS: Expanding on our discussion of Open Source, what are the main advantages of the open-source development model? Do you feel that Open Source provides a superior vehicle for engineering exceptionally secure, resilient software and technology?

PH: Well, there are pros and cons, honestly. It's surprisingly complex to offer something for free! First, people look for the catch and think you might be a trickster, until they realize the business model is not based on their data or a belated monetization strategy. Second, each line of code written requires three times more checking prior to publication, especially given the responsibility you have toward your users and other contributors. On the bright side, many people get to test open-source code, report bugs or inconsistencies and collaborate to improve upon software.
It is no secret that the concept of security through obscurity has failed big time, and it's true that being audited constantly by the community is also a great strength. Thus, nowadays proprietary products are typically considered less trustworthy.

LS: How did you make the decision to open source part of your technology while leaving some of it proprietary?

PH: To be transparent, this is a question of pace. On the IPS part, we are 100% open sourced, with an MIT license, while the "Consensus" engine is not (yet) open. The reason behind this choice is that we are extremely agile and constantly fine-tuning the Consensus engine, which is used to avoid false positives and poisoning. It's taking a lot of extra time to make a piece of code "Open Source compliant", and making it open as of day one would have only slowed us down. Also, at first, we thought it could be a weakness to reveal how we defeat aggressions toward this set of algorithms. Now time has passed and we have grown more confident that this piece will also be opened to scrutiny and contribution soon. We just need to sprint for half a year before adopting a steadier pace and letting the community review and contribute to the Consensus engine.

LS: CrowdSec is a community-powered, open-source version of the popular Fail2Ban intrusion prevention tool designed to run on complex modern architectures including clouds, containers and lambdas. Can you explain the similarities between CrowdSec and Fail2Ban, and the key differences between the two? What are the main advantages that CrowdSec offers over Fail2Ban? Can these advantages be attributed to (or partially attributed to) CrowdSec's collaborative, open-source approach?

PH: Fail2ban created the 1st "anti bruteforce system". Simple in essence, it nevertheless dealt with a lot of credential bruteforce attempts, over a large spectrum of services, on millions of machines, for sixteen years. Quite a legacy for code initially written as Python training for its author!
CrowdSec borrows the philosophy of Fail2Ban in the sense that it's working out of the box to protect the services running on your machine, based on what it finds in your logs. And that's where the parallel between the two ends, because the software design, scope, architecture, orientation, goals and performance are entirely different. CrowdSec is written in Golang, to deliver 60x faster treatments, but also to be able to run in all environments - from VM to Docker, from Linux to Windows. It is designed to support a large surface of attacks with L7 DDoS, credential or credit card stuffing, port scans, web scans, and any attack that leaves trails in your logs. It's modern in the sense that it's not monolithic and detection is separated from remediation. Furthermore, remediation can be anything you would like it to be - not just banning in your firewall (like Captcha, MFA, messaging, etc.). CrowdSec is also made to meet the needs of individuals and enterprises alike, running successfully on personal firewalls as well as on hundreds of thousands of machines for large hosting companies. Last but not least, CrowdSec shares the IPs it bans with other instances (after a curation on our end), to help further protect all members of the network against known offenders.

Monumental Changes in CrowdSec v1.1 & v1.2

LS: As part of the CrowdSec v1.1.x release, CrowdSec services were moved to PackageCloud, a fast, reliable and secure cloud-hosted package distribution. Can you explain how this transition is benefiting your customers?

PH: Yes, we love PackageCloud! This is a huge step forward for us. We often joke internally that some Debian packages are old enough to buy alcohol! But it's not only Debian - the majority of platforms are somewhat slow to move. When you release features every other week for more SoC, more OS, more packaging systems than ever before, you need the proper tooling.
This packaging is an effort to make CrowdSec available to the largest number of Linux, BSD and even Windows systems running on ARM or Intel. Now customers constantly receive the freshest packages, regardless of their environment, which is key for any security product.

LS: CrowdSec v1.1 and v1.2 feature a brand-new Console. What are the main changes and improvements that have been made to the CrowdSec Console?

PH: We are extremely excited about this new Console! First, because it helps people see what is happening on their machines in a consolidated, centralized view. When you run many CrowdSec agents in your network, the standalone Metabase running in Docker isn't enough to provide this level of observability. Beyond the observability aspect, we have two important goals with this Console: gamification and monetization. Gamification is part of what we want the community to experience. A bit like the SETI@home project, except that instead of hunting aliens, we hunt cybercriminals. You'll get badges, ranks, and maybe swag or other forms of recognition for helping other users. The second part is monetization - and the Console will be its headquarters! We are absolutely fine with making money while being an open-source editor. Some would love to see talented authors only feed on edible moss and little animals, wear monk robes and walk in bare feet because "it's the way Open Source should be". Well, I strongly disagree. If you want talented people committed overtime and dedicating 100% of their time and effort to a project, you need to pay them well, hence to monetize. With CrowdSec, the "crowd" that makes us stronger benefits for free, while large corporations with more complex and extensive requirements have the option of paying for additional services.

BlackHat USA 2021 Reflections

LS: You recently received a Black Unicorn Award at BlackHat USA 2021 for the Top 10 cybersecurity startups of the year. Congratulations on this accomplishment!
Can you briefly reflect on what this award means to you and your team? What are some of the biggest challenges you have faced and what are some of the most notable accomplishments you've experienced as a startup? What was the "mission" behind starting CrowdSec? Do you feel this mission is being fulfilled?

PH: I was a rookie red team pentester when I first attended a Blackhat. This conference is both legendary and very insightful! Now, having a Black Unicorn Award sitting on my desk has a special taste indeed. What it precisely represents is that we DO have a different approach. What the BlackHat jury saw in CrowdSec is a new approach to cyber - the collaboration age, the very concept that sharing is not giving away and getting poorer, but instead it's making everyone stronger. We have a good IPS, that I'm sure of, but the fact that it's coupled with a CTI approach and that tens of thousands of machines enrolled in our "crowd" in under a year proves without a doubt that this path needs to be explored. Four years from now, we should have millions of machines sharing the rogue IP addresses they identify, making CrowdSec the biggest collaborative effort to date to influence the war against cybercrime. This will become the real-time world map of criminals over the Internet, like Waze became the de-facto standard for road hazards worldwide. Have we delivered yet? Yes, sort of. We took off, some trust we are up to something and adoption is accelerating. Have we achieved something? Not yet, it's still day one, so please don't hesitate to help us by contributing, adopting the product, commenting on the roadmap and connecting with us on Gitter!

A Bright Future for CrowdSec

LS: What does the future hold for CrowdSec? Upcoming releases? New features and capabilities in the works?

PH: This is a make or make (I don't like the break part!) year for CrowdSec. The Console, the new premium features, the growing network, all is uncharted territory to us.
We’ll probably have another fundraiser around early 2023, and plan to work on a blockchain approach, which could also be a game changer. We need to expand our team and reach probably 35 people while building a rock solid relationship with our community. The future is bright, our team is under constant shots of serotonin and the market offers us great feedback. As CEO, I also have to prepare the team and company for the hangover, when we’ll discover the world isn’t just about bull adoption, unicornpictures on the walls and encouragement messages on our Gitter . At some point, there will be harder times - missed deadlines, concerns on our KPIs, meaningful bugs, trials to try to slow us down or people leaving the company. I know it for a fact, and this will be the moment where we’ll see if we are experienced enough to persevere, giving us the opportunity to build the team and company to be resilient to those challenges. But for now, I wouldn’t wish to be anywhere but here in our journey! Closing Remarks LS: Thank you so much for your time and shared insights! Is there anything else you think the LinuxSecurity community should know about CrowdSec? Any closing remarks? PH: It’s up to you to defend yourselves, while helping everyone else around you. It doesn’t require you to be a bodybuilder or an expert in a martial art - all it takes is an apt-get install … Will you be involved in this cyberwar alongside CrowdSec’s community? Next Steps Download CrowdSec v1.2.0 from the project’s GitHub page to join the fight on cybercrime! Have a thought to share or another open-source security tool you’d like us to cover? Connect with us on Twitter and let us know! . Uncover perspectives from CrowdSec's founder regarding the power of collective security in combating cyber threats and enhancing online protection.. Collaborative Security, CrowdSec, Open Source Protection, Cyber Defense, Intrusion Prevention. . Brittany Day
Thank you to Oyelakin Timilehin Valentina and Duane Dunston for contributing this article.

Threat intelligence (or threat intel) is information used to understand past, present, and future threats targeting an organization. It is evidence-based knowledge about a previous, existing or emerging threat to organizational assets. Threat intelligence also includes settings, implications, mechanisms, context, and even action-oriented advice on the threat. Context here includes who the attackers are, what their motivation is, what their capabilities are, and what indicators of compromise are present in your systems. An indicator of compromise (IOC) is forensic data, such as an entry in a system log file, that identifies malicious activity on a system or network.

Threat intelligence can also be defined as the analysis of data, using tools and techniques, to obtain information about an existing or emerging threat targeting the organization. Notice that both definitions involve using knowledge (obtained from data) to achieve the common goal of mitigating cyber threats or cyberattacks. In this series, we will define threat intelligence as collecting, processing, and analyzing data that gives us meaningful knowledge to understand the pattern of previous or present attacks and leads to the building of a stronger and better cyber defense to help mitigate or prevent future attacks.

Importance of Threat Intelligence

Threat intelligence provides deep knowledge of the potential threats to an organization. It helps the organization know what is happening outside its network: it recognizes the threats and exploits the organization is vulnerable to, using data from various tools and threat event sources, and feeds that knowledge into a risk management plan to prevent future threats.

Cyberattacks and data breaches lead to loss of data, but they also bring other costs: damage to the organization's reputation and market position, fines, lawsuits, and the expenses of investigation and post-incident restoration and remediation. Practical threat intelligence, combined with effective defense strategies, can also save an organization money by reducing or avoiding the cost of data breaches. When vulnerabilities are being actively exploited, practical threat intelligence can quickly identify them and mitigate their impact, and it increases the security team's efficiency in handling security alerts. Threat intelligence also helps gather IOCs such as signatures of the tools used by attackers and the characteristics and behavior of malware.

In this series, we will explore some tools that can be used to create a threat intelligence program for an organization. Each tool will be explained along with examples of how to run it and how to interpret its output. While we cannot cover all possible implications for an organization, this can provide a starting point for interpreting the output in the context of your organization. We will begin by discussing how nmap can be used as one source of information for a threat intelligence program. Stay tuned!

About the Authors

Oyelakin Timilehin Valentina is a self-taught cybersecurity professional. As someone who loves to contribute to social responsibility, she volunteers for Cybersafe Foundation with its initiative #NoGoFallMaga. She is also a volunteer for The Young CISO Network and The Diana Initiative.

Duane Dunston is an Associate Professor of Information Security at Champlain College. He has been in information security since 1997, starting in the education sector, then moving to the federal government, and then into academia.

Duane Dunston
Thank you to Oyelakin Timilehin Valentina for contributing this article. Our newest member, Valentina, an up-and-coming cybersecurity professional in Nigeria who is studying cybersecurity and showing stellar skills in learning and applying her knowledge, recently went through the TryHackMe online learning platform and shared her experiences, as well as a few quick tips on using nmap.

TryHackMe is an online platform with courses available for beginners, intermediates and professionals in cybersecurity. There are real-world labs and challenges to give you on-the-job experience. Nmap is one of the courses on this platform and an important tool in cybersecurity that is used for port scanning. This article explains the following:

- How and why I got into tech, and my tech background
- My experience with a mentor
- How I discovered the online platform TryHackMe
- My experience getting through the Nmap lab

Getting Into Tech

In my high school days, I wanted to be referred to as Engr. Val, although I was clueless as to what part of engineering I would like to venture into. Because I loved the name Engr., I made sure I worked towards getting into an engineering department in college, where I obtained a degree in Electronics and Computer Engineering at the University of Port Harcourt, Nigeria. I must tell you, I was still as clueless as I was in my high school days about what path to follow. Then came a seminar in my second year that structured and shaped my vision in the department and also connected me to my first mentor. I found telecommunications interesting, started doing some research on it and took my telecommunication courses more seriously; it was indeed interesting. I got my first 6-month internship job with Nokia Solutions and Networks, Nigeria in my fourth year, and the experience was priceless, but I still wasn't satisfied; I just kept telling myself that there is more in tech.

After graduation, I decided to do more research on areas of technology and I discovered cyber security. Wow, I bonded so much with this aspect of technology that I was convinced this is it. Before then, I didn't find any programming language interesting, but discovering that knowledge of one is needed made me go into learning Python programming, which I find very interesting now. You might ask what my major drive is: I just want to make my country a safer place, I want to reduce criminal activity in my country, and discovering cybersecurity became the answer to my thirst in technology. I did a lot of research, and I am still doing it; I discovered a lot of areas in cyber security, and I took 3 certification exams: Introduction In Cyber Security and IT Essentials, both with Cisco, and HCIA (Routing and Switching). In all of these, I was still uncertain about the path to take in cyber security. This led to the next point in this article.

Getting a Mentor

This aspect of my life helped and guided me to where I am today; my first mentor gave me an insight into technology. My second mentor guided me into taking the Routing and Switching course with Huawei. My third mentor guided me all through my training in IT Essentials with Cisco. But I still needed someone in the cyber security field. I had lots of questions in my mind to clear the uncertainty in my head as to what to do to start my career in cybersecurity; there are numerous fields in cybersecurity that I discovered during my research, so I needed to know which aligns with my passion. On Monday, December 7, 2020, I saw a post on Twitter with the tag #cybermentoringmonday. I went through it and indicated that I needed a mentor; there I met one. I told him about the areas of cybersecurity that I am interested in and why I am interested in them, and I also told him what I was doing at the moment to gain more knowledge in tech.

He demystified the areas of cybersecurity I was interested in and told me, in his words, "you sound more blue team oriented". He went further to explain the blue team and also the red team, and this cleared the uncertainty in my head to a large extent. He introduced me to the Mosse Cyber Security Institute, where I did research on my own, and it helped me gain more knowledge.

Getting to Know the Amazing TryHackMe

On New Year's Day, he introduced me to TryHackMe and sponsored a membership for 2 months, with the instruction that I would update him on my progress and most likely get an extension of my membership for a year. This was my first big gift of 2021 and I was excited. He said, "let me know if you have questions or get stuck, and I think you will learn a lot". He is always there to answer my questions.

Getting Through the Nmap Lab

You know that excitement that comes after completing a task, that excitement you get after crossing a hurdle, when you get the right to say "I am proud of myself"? That was me after getting through the Nmap lab. The first learning path I started on TryHackMe was Cyber Defense. You might ask why this was my first; it was the first captivating topic, but little did I know that I needed the knowledge of some fundamentals, including Nmap.

The first room in Cyber Defense, Introductory Networking, is an introduction to the basic principles of networking. It gave me a detailed and easy understanding of the OSI model and also the TCP/IP model, where I got a better understanding of the "three-way handshake". I was also introduced to the Wireshark tool, which is used to capture and analyze packets of data going across a network. This room also explained some networking tools: ping, which is used to test the possibility of a connection to a remote network; traceroute, which shows all the routes your request took on its way; whois, which lets you query who a domain name is registered to; and dig, which lets you query any DNS server to get information about a domain. This room was very interesting and easy, and I was eager to go to the next room, Network Services.

In the Network Services room, I got to know about the SMB (Server Message Block) protocol, which is used to share access to files, printers, serial ports and some other resources on a network. I also got an understanding of Telnet, an application protocol that works with a Telnet client and aids in connecting to and executing commands on a remote machine that is hosting the Telnet server. Finally, FTP (File Transfer Protocol), as its name implies, lets you transfer files remotely over a network. This particular room was more difficult than the previous one, but I kept moving to the next room, Network Services 2. A good knowledge of Linux would have made this room much easier to walk through.

In the Network Services 2 room, I got to know about NFS (Network File System), which allows a system to share files and directories with others over a network. I was finding it all interesting until I got to task 3, Enumerating NFS, and got stuck; I couldn't provide answers to the quiz. At this point, I had to tell my mentor. The first thing he said was that I should make sure that I am always connected to the OpenVPN server. This helped me get through the task, but I got stuck again in task 4, Exploiting NFS, and at this stage I realized I needed a good understanding of Nmap. So, I diverted to the Nmap room. You may be wondering how I knew that I needed to divert to the Nmap room: in task 3 of Network Services 2, one of the topics mentioned was port scanning, which was covered but not in detail. Then my first quiz question for task 3 was about scanning for open ports, and this can only be answered by understanding how to scan for open ports, which can be learnt in the Nmap lab. Diverting to the Nmap room helped me answer the quiz.

In the Nmap room, I made sure that I was connected to the OpenVPN server, and then I deployed my machine. Nmap means network mapper, and I learnt about the Nmap switches and the scan types. TCP connect scans (-sT) take into consideration the TCP three-way handshake: here, Nmap connects to each TCP port and determines if the port is open or closed. If the port is open, a TCP packet with the SYN/ACK flag is sent back; if the port is closed, a packet with the RST (reset) flag is sent back; if a port is filtered, it is because it is protected by a firewall, in which case, when Nmap sends a TCP SYN request, it receives nothing back. Another scan type, the SYN scan (-sS), is referred to as a half-open scan or stealth scan and is used by Nmap if it is run with sudo permissions. The only difference between a TCP connect scan and a SYN scan is in the case of an open port: in SYN scans, when a port is open, an RST packet is received. In the next scan type, the UDP scan (-sU), a port is considered open|filtered when no response is sent back, but when a response is received (which is rarely possible), then the port is open; a port is closed when the target responds with an ICMP ping packet message indicating that the port is unreachable. The less commonly used TCP port scans, Null (-sN), FIN (-sF) and Xmas (-sX) scans, were also taught, and the response expected is similar to that of a UDP port scan. The next task talks about ICMP network scanning, where I was taught how to perform a ping sweep; a ping sweep is used to see which IP addresses have an active host and which do not. When I got to task 10, NSE (Nmap Scripting Engine) scripts, I got stuck again. I couldn't give correct answers to the quiz, and I decided to watch videos on Nmap and noticed that Nmap was being run on Kali Linux.
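The TCP connect scan described above can be reproduced with plain sockets. This is an added example, not code from TryHackMe or Nmap: it opens a listener on your own loopback interface, scans it, and maps the handshake outcome onto Nmap's open/closed/filtered vocabulary.

```python
import socket

# Added example: a minimal TCP connect scan (what nmap -sT does) against your
# own loopback interface. connect() only returns successfully when the full
# three-way handshake completes, which is also why -sT needs no root.


def connect_scan(host, port, timeout=1.0):
    """Return the Nmap-style state of one port: 'open', 'closed' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"            # target answered our SYN with SYN/ACK
    except ConnectionRefusedError:
        return "closed"          # target answered our SYN with RST
    except (socket.timeout, OSError):
        return "filtered"        # nothing usable came back: something dropped it
    finally:
        sock.close()


def scan_ports(host, ports, timeout=1.0):
    """Scan several ports and group them by state, like Nmap's summary table."""
    summary = {"open": [], "closed": [], "filtered": []}
    for port in ports:
        summary[connect_scan(host, port, timeout)].append(port)
    return summary


def demo():
    """Listen on an ephemeral loopback port, scan it, close it, scan again."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))     # port 0: the kernel picks a free port
    listener.listen(1)                   # the handshake completes in the backlog,
    port = listener.getsockname()[1]     # no accept() call is needed for -sT
    while_listening = connect_scan("127.0.0.1", port)   # -> "open"
    listener.close()
    after_close = connect_scan("127.0.0.1", port)       # -> "closed"
    return {"port": port, "listening": while_listening, "after_close": after_close}


if __name__ == "__main__":
    print(demo())
```

Only loopback is touched here; the "filtered" branch is what you would see against a host whose firewall silently drops the SYN.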
Also, I applied for an internship position sometime last month, and my lack of experience in Linux couldn't let me get it. This made me divert to the Linux Fundamentals rooms; after completing parts 1 and 2 of Linux Fundamentals, I was able to successfully complete the Nmap lab.

Conclusion

From my experience so far, it is first about your passion, then the effort you put into gaining more knowledge and experience. If you enjoy what you do, you will thirst for more knowledge and experience. To become a pro or an expert in something, you have to start from today, put in effort, then more effort; you just can't stop putting in effort, and you have to stay up to date to remain relevant in the field. Most importantly, get a mentor who will guide you, and when you do, give him or her every reason to be happy and proud to be your mentor, through the effort you put into gaining more knowledge and showing positive results.

Brittany Day
What if you could block connections to your network in real time from countries around the world such as Russia, China and Brazil, where the majority of cyberattacks originate? What if you could redirect connections to a single network based on their origin? As you can imagine, being able to control these things would reduce the number of attack vectors on your network, improving its security. You may be surprised that this is not only possible, but straightforward and easy, by implementing geographic filtering on your nftables firewall with Geolocation for nftables.

Geolocation for nftables is a simple and flexible Bash script, released in December 2020, designed to perform automated real-time filtering on nftables firewalls based on the IP addresses assigned to a particular region. In a recent interview with LinuxSecurity researchers, the project's lead developer Mike Baxter explained the mission of Geolocation for nftables: "I hope this project is beneficial to those who may not have the IT budget or resources to implement a commercial solution. The code runs well on servers, workstations and low-power systems like Raspberry Pi. The script has the built-in ability to flush and refill geo filtering sets after a database update without restarting the firewall, allowing servers to run uninterrupted without dropping established connections."

This article will examine the concept of geo filtering and how it could add a valuable layer of security to your firewall, and will then explore how the Geolocation for nftables project is leveraging Open Source to provide intuitive, customizable geo filtering on Linux.

What Is Geo Filtering?

Geo filtering is a firewall technology that filters and blocks both incoming and outgoing network connections based on geographic location, using IP addresses. Geo filtering technology enables a computer firewall to compare the source or destination IP address of a network packet to a list of location-specific IP address ranges, which can be found in freely available geolocation databases such as db-ip.com. Firewall rules can then determine what to do with each packet - accept, reject, redirect to a server with localized content, drop, or simply count the packet - based on the location of its origin or destination.

How Can Geo Filtering Enhance Firewall Security?

Geographic filtering enables administrators to mitigate threats to their network by blocking IP addresses associated with countries or locations where the majority of cyberattacks originate, or from which they have no reason to allow traffic. If you have no reason to accept incoming online communications from certain countries, then implementing whole-country geo filtering on your firewall may make sense. However, keep in mind that if you're using software or online services from other countries, you may have to accept communications from those countries. Cutting off entire countries is quick and effective, but in many cases it makes sense to use more sophisticated IP filtering settings to either block only certain IP addresses, ranges of IPs or lists of IPs known to be malicious, or to create firewall rules that make exceptions and allow trusted IP addresses to access your systems.

Geo filtering is a valuable security feature, but it does have some limitations. For instance, the technology could potentially block legitimate online traffic, and it isn't able to prevent targeted attacks, as criminals can easily hide their location by using servers or compromised computers in different locations to launch attacks. Implementing geo filtering on your nftables firewall can add a valuable layer of security to your network by reducing its attack surface and helping to protect against malware and other dangerous, persistent threats - but it should not be viewed as a cybersecurity cure-all. Baxter emphasizes the importance of implementing this technology as part of a comprehensive, defense-in-depth approach to cybersecurity: "Geo filtering is one layer of security that can help to reduce the number of attack vectors on a computer or network, but it's not a silver bullet. There are ways around every type of computer security, so it's important to do security in layers."

Geolocation for nftables Leverages Open-Source Development to Make Filtering by Country Seamless, Easy & Effective

Geolocation for nftables makes implementing real-time geographic filtering on your nftables firewall simple, convenient and effective, while offering granular control over network traffic. The Bash script converts the 400,000 lines of IP address ranges and country codes in its database into a format that Linux nftables firewalls can reference from firewall rules. The script automatically generates country-specific nftables address range sets, determines the installed version of nftables, and recommends the correct "include" statements for an administrator's ruleset. User settings are conveniently stored in a standard configuration file, as opposed to being passed as command line arguments. The geographic database is automatically downloaded from db-ip.com in real time, keeping the nftables geo filtering sets up to date. This is critical, as the IP address ranges assigned to each country change over time, and geographic databases must be updated regularly in order to remain accurate and effective. Geolocation for nftables also has the unique ability to automatically run an nftables script to flush and refill IP sets with new data after a database update, allowing servers to run uninterrupted, without dropping established connections.

Geolocation for nftables is an open-source project, and offers users an array of benefits that can be attributed to its use of Open Source - namely, enhanced security and a high level of customization. The script is easy to set up, configure and tailor to meet your specific needs, with open-source code that is heavily vetted by the community. The "many eyes" reviewing this code on an ongoing basis result in rapid identification and elimination of vulnerabilities and security issues. The global community input that the project receives fosters innovation by offering ideas, feedback and programming expertise. The Geolocation for nftables source code is heavily commented, making it easy to understand and customize. This selection of benefits comes at no cost to the end user as, in the words of Baxter, open-source development is "just people helping people".

Geolocation for nftables integrates seamlessly with other firewall applications by allowing multiple matches per firewall rule, so geo matches can be combined with matches from other sources to determine how a network packet is handled. For instance, an administrator can accept a packet with an IP address that's on his or her IP "allow" list but not on his or her Fail2ban "block" list with a single firewall rule. Geolocation for nftables has a small memory footprint and offers flexible configuration, making the script ideal for any system - even those with limited RAM.

Key features and benefits of Geolocation for nftables include:

- A script written for the widely used Bash shell that automatically generates country-specific nftables address range sets
- Easy to implement, configure and customize with heavily reviewed open-source code
- Small memory footprint and flexible configuration make the script run well on systems with limited RAM
- User settings are conveniently stored in a standard configuration file rather than passed as command line arguments
- Packets can be filtered by geography with a single nftables rule rather than two rules to mark and match packets
- Automatically determines your installed version of nftables and recommends the correct "include" statements for your ruleset
- Creates "include-all" files to allow you to include all geographic IP sets with a single reference on older versions of nftables that don't support include wildcards
- Offers a User Guide which explains how to define all element definitions for Geolocation sets in one file, eliminating the chance of having out-of-sync definitions in multiple files when flushing and refilling sets with new data
- Simplified directory structure to shorten "include" path names
- Creates ~500 IPv4 and IPv6 set files from the geographic database in about 10 seconds on a low-power quad-core 2200GE server with SSD storage
- Tested on Ubuntu Server, Fedora Server, and Raspberry Pi OS

Key Takeaways

Geographic filtering is a valuable layer of defense that you should consider adding to your nftables firewall to reduce the attack surface of your network and help secure your system against malware and other serious, prevalent threats. Geolocation for nftables provides Linux users with a simple, flexible and automated way to implement real-time geographic filtering on their nftables firewall. Visit the project's GitHub page to learn more about Geolocation for nftables and how you can install the script on your system.
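To make the conversion step concrete, here is an added example (not Geolocation for nftables' own code or file layout) that turns db-ip style "start_ip,end_ip,country_code" rows into nftables set definitions, a flush-and-refill script, and the single matching rule the article describes. The rows, country codes (AA, ZZ) and the table name "inet filter" are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the "start_ip,end_ip,country_code" layout of a db-ip.com
# CSV export. Addresses are RFC 5737 / RFC 3849 documentation ranges and the
# country codes are user-assigned ISO codes, so nothing here is real geodata.
SAMPLE_CSV = """\
192.0.2.0,192.0.2.127,AA
192.0.2.128,192.0.2.255,ZZ
198.51.100.0,198.51.100.255,AA
203.0.113.7,203.0.113.7,ZZ
2001:db8::,2001:db8:0:ffff:ffff:ffff:ffff:ffff,AA
this line is malformed and must be skipped
"""


def parse_ranges(csv_text):
    """Group ranges by (country, family): {("aa", "ipv4"): ["first-last", ...]}."""
    sets = defaultdict(list)
    for raw in csv_text.splitlines():
        parts = raw.strip().split(",")
        if len(parts) != 3:
            continue                       # skip malformed rows rather than emit garbage
        try:
            start = ipaddress.ip_address(parts[0])
            end = ipaddress.ip_address(parts[1])
        except ValueError:
            continue                       # not an address at all
        if start.version != end.version or start > end:
            continue                       # mixed-family or inverted range: data error
        cc = parts[2].strip().lower()
        family = "ipv4" if start.version == 4 else "ipv6"
        # nftables interval sets take "first-last"; a single host needs no dash.
        element = str(start) if start == end else f"{start}-{end}"
        sets[(cc, family)].append(element)
    return dict(sets)


def set_name(cc, family):
    return f"geo_{cc}_{family}"


def render_defines(sets):
    """One `define` per country/family so a ruleset can say `ip saddr $geo_aa_ipv4`.
    Keeping every element list in this single file avoids the out-of-sync problem
    that arises when the same elements live in several files."""
    out = []
    for (cc, family), elems in sorted(sets.items()):
        out.append(f"define {set_name(cc, family)} = {{")
        out.append(",\n".join(f"    {e}" for e in elems))
        out.append("}")
    return "\n".join(out) + "\n"


def render_refill_script(sets, table="inet filter"):
    """nft script that swaps set contents in place. Fed to `nft -f`, it updates the
    named sets without reloading the ruleset, so established connections survive.
    Assumes each set was declared in the table with `flags interval`."""
    out = []
    for (cc, family), elems in sorted(sets.items()):
        name = set_name(cc, family)
        out.append(f"flush set {table} {name}")
        out.append(f"add element {table} {name} {{ {', '.join(elems)} }}")
    return "\n".join(out) + "\n"


def rule_for(cc, family, action="drop"):
    """The single geo-matching rule (no separate mark and match rules)."""
    proto = "ip" if family == "ipv4" else "ip6"
    return f"{proto} saddr ${set_name(cc, family)} {action}"


if __name__ == "__main__":
    parsed = parse_ranges(SAMPLE_CSV)
    print(render_defines(parsed))
    print(render_refill_script(parsed))
    print(rule_for("zz", "ipv4"))
```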
Please reach out to us if you have an open-source security project you would like us to cover in a future LinuxSecurity feature article! Connect with us on social media: Twitter | Facebook

Brittany Day
Defcon 26 provided individuals and organizations with valuable tips and insight on security and the latest and most effective defenses. Here are some security-related highlights from the event.

Defcon 26, a high-profile hacking conference that recently took place in Las Vegas, offered a multitude of predictions and implications regarding changes and trends in the field of cyber security. Although Defcon is an event that is mainly attended by ethical hackers who are aiming to learn how to better protect the systems they are responsible for, everyone can gain knowledge from the experts who spoke and the activities and contests that took place at Defcon 26. With cyber threats becoming increasingly prevalent and dangerous, cyber security is an issue that affects all individuals and organizations. According to CSO, cyber crime damage costs are expected to hit $6 trillion annually by 2021 (CSO Online). Email is an extremely popular attack vector used by cyber criminals, so effectively securing email accounts is becoming increasingly important. Here are two highlights from Defcon 26 and a summary of what they suggest in the context of today's cyber threat landscape:

1. NSA Brings Nation-State Details to Defcon

"Spot the Fed" has been a longstanding tradition at Defcon, but the task was extremely easy this year. Rob Joyce, senior advisor for cybersecurity strategy at the NSA, discussed the latest details on nation-state hacking and defense. He suggested that there are four actors that are most concerning in regard to nation-state hacking: Russia, China, Iran and North Korea. In terms of defense strategies, Joyce emphasized that the transparency provided by public hacking is critical in finding and fixing flaws that nation-state hackers could exploit. He also referred to cybersecurity as a "team sport", suggesting that the government and private enterprises should share information on vulnerabilities and attacks. Finally, Joyce reminded the audience that basic security measures, such as software patching and multifactor authentication, should not be overlooked. (DarkReading)

2. Tesla Plans to Open-Source Security Software

Following Defcon 26, Tesla CEO Elon Musk announced that Tesla is planning to open-source its security software to other automakers for free. Musk feels that doing this will decrease the risk of cyber criminals hacking self-driving vehicles. Tesla has a good relationship with security researchers and whitehat hackers, whose work has led to the rapid fixing of various vulnerabilities in the past. Open-sourcing security software will likely encourage more security researchers to search for and identify vulnerabilities, making Tesla cars even more secure. (Electric)

These are just two of many security-related highlights of Defcon 26. The schedule was packed with speeches from experts in the field of security, hacking-related activities and contests, and Q & A sessions. As expected, Defcon 26 proved to be a hub for innovation in the field of cyber security and advancement in the practice of ethical hacking. With the evolution of cyber crime and email-related threats, it is crucial that businesses and individuals stay informed and implement the latest and most advanced defenses and protection strategies.

Brittany Day
In this paper, Anton looks at network intrusion systems, IDS-triggered countermeasures, what are they, how they can be triggered and when they should not be triggered. . Intrusion detection systems (IDS) seem to be one of the fastest growing technologies within the security space. Together with firewalls and vulnerability scanners, intrusion detection forms one of the cornerstones of modern computer security. In the commonly mentioned prevention-detection-response philosophy, IDSs take an honorable place for [sometimes] effective detection of threats let through by prevention technologies such as firewalls. However, there are attempts to position IDS products as the technology that can stop or prevent network attacks. It is easy to forget that 'D' stands for detection and not for deterrent or deflection. This article will investigate those attempts in the Linux world. On the technical level, most network IDS are set to send alerts upon seeing a known pattern (signature-based IDS) or some traffic anomaly (anomaly-based IDS) indicating an attack. While some programs can look only at packet level data (such as attack string present in one packet), many others are TCP connection-aware, are able to look at TCP streams and also can reassemble fragmented IP packets. In this paper we will look at IDS-triggered countermeasures, what are they, how they can be triggered and when they should not be triggered. Lets first assume we have an IDS that looks at traffic passing through the wire (see Picture 1 ). That corresponds to the majority of deployed IDS. What actions can thus deployed IDS invoke? First, it can send an alert that can be handled by outside programs to accomplish pretty much any action. Seconds, IDS itself can try to influence the traffic that passes by. IDS Alert Actions The first opportunity presents a rich spectrum of possible actions: IDS alerts can be send via pager, SMS message and other mechanisms to trigger humans into actions. 
On the other hand, the alerts can causesome software to activate, such as to block an attack by imposing a new firewall rule or even to launch a counter-attack or an investigative probe towards an attacker. The practice of applying firewall rules based on IDS alerts is sometimes known as "shunning". IDS running inside the network (as on Picture 1 ) or on the firewall machine (listening to the internal network interface) is in a good position to block an attack. IDS has to notify the firewall (locally or over the network) to apply the rule blocking the source of detected malicious packet. What are the requirements for such as setup? Some follow below: IDS should transmit the request as fast as possible since the damage from attack could increase with time and do it over reliable channel unaffected by the above attack IDS might want to block the address entirely or for a certain time and for certain protocols only Most important at all, IDS should not block on false-positives or on signatures that can be faked (spoofed) What do the above requirements mean for real-life IDS deployment. The evident conclusion, for example, is that UDP- or ICMP-based signatures should never be used for blocking since the packets can be spoofed. TCP packets should only cause a block if there is an established connection between an attacker machine and the protected machine. Otherwise, malicious hackers can cause significant damage to your network by using spoofed packets (such as by sending "attacks" seemingly originating from root DNS servers, upstream providers or partner's networks). See Understanding IDS Active Response Mechanisms for more details. Spoofing the TCP connection with a completed three-way handshake is much harder and is often appears impossible. Even with full TCP connection tracking, having a "whitelist" of addresses that should never be blocked is strongly suggested. 
In addition, blocking on signatures that have a known high false-positive rate is not recommended due to the obvious risk of blocking non-malicious traffic. Moreover, while it is too late to stop an attack detected by the IDS (since the packet has already proceeded to its destination within the internal network), promptly blocking the subsequent communication is of crucial importance. It takes only a few seconds for modern automatic penetration tools to get access, elevate privileges on the attacked system and deploy a backdoor or a rootkit.

There are several options for sending commands over to the firewall. For a single-box setup, the options are: the IDS itself runs the command to implement the block (for example, using Linux ipchains/iptables), or some program reads the IDS log files and then blocks the connection. Both methods have problems that call for careful design before implementation. The former method should not make the IDS wait for the response from the firewall (unless the IDS is a multi-threaded process), since that will slow down detection. On the other hand, the latter method might introduce a delay, since the IDS has to create an alert and write it to a log file; the blocking program then checks the IDS log file (presuming the data was already flushed to disk) and implements the block. Both methods can be used if their limitations are understood.

For the IDS and firewall on different machines, the situation is similar. While makeshift solutions are possible, the delay issue should be handled. For example, using insecure out-of-band communication (such as a direct ethernet cable from firewall to IDS) is better than running a command via SSH over the monitored network (secure but slow): establishing an SSH session takes too much time. It is reported that the Checkpoint OPSEC interface handles these issues very well, since it was designed for that purpose. The issue of reliable transmission calls for out-of-band management.
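To make the requirements above concrete, here is an added example (not Guardian's or SnortSam's code) of the policy a log-reading blocker should apply before it touches the firewall: it parses constructed alert lines in Snort's one-line "fast" format, blocks only TCP alerts whose sid is on an explicit list, skips whitelisted sources, time-limits every shun and returns the iptables commands instead of running them. The alert-line layout, the addresses and sid 99999 are assumptions for the example; sid 1002 is the WEB-IIS cmd.exe rule discussed later in the article.

```python
import re
# Layout assumed for Snort's one-line ("fast") alert format; the sample
# lines at the bottom are constructed for this example, not real captures.
ALERT_RE = re.compile(
    r"^\S+ \[\*\*\] \[\d+:(?P<sid>\d+):\d+\] .*? \[\*\*\] .*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> [\d.]+:\d+$"
)
class Shunner:
    """Time-limited shunning policy: block only TCP alerts whose sid is on an
    explicit low-false-positive list (Snort must also run with -z est so they
    come from established connections); never act on spoofable UDP/ICMP alerts
    or on whitelisted hosts. Firewall commands are returned, not executed."""

    def __init__(self, block_sids, whitelist, ttl_seconds=600):
        self.block_sids = set(block_sids)
        self.whitelist = set(whitelist)
        self.ttl = ttl_seconds
        self.active = {}  # source address -> epoch second the shun expires

    def decide(self, line, now):
        m = ALERT_RE.match(line)
        if not m:
            return "ignore: unparsed alert line"
        if m["proto"] != "TCP":
            return f"ignore: {m['proto']} alerts are spoofable"
        if m["sid"] not in self.block_sids:
            return f"ignore: sid {m['sid']} is not on the block list"
        if m["src"] in self.whitelist:
            return f"ignore: {m['src']} is whitelisted"
        refresh = m["src"] in self.active
        self.active[m["src"]] = now + self.ttl  # (re)start the time limit
        if refresh:
            return f"refresh: {m['src']} already blocked"
        return f"iptables -I INPUT -s {m['src']} -j DROP"

    def expire(self, now):
        # Unblock commands for every shun whose time limit has passed.
        cmds = []
        for ip, until in list(self.active.items()):
            if until <= now:
                del self.active[ip]
                cmds.append(f"iptables -D INPUT -s {ip} -j DROP")
        return cmds
# Constructed samples: the WEB-IIS rule firing from an unknown host, the same
# rule firing from a whitelisted partner, and a UDP-based alert.
SAMPLE_ALERTS = [
    "05/15-13:01:02.123456 [**] [1:1002:2] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.9:34567 -> 192.168.1.10:80",
    "05/15-13:01:03.000001 [**] [1:1002:2] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 192.0.2.7:40000 -> 192.168.1.10:80",
    "05/15-13:01:04.000001 [**] [1:99999:1] CONSTRUCTED UDP probe [**] [Priority: 2] {UDP} 198.51.100.1:5555 -> 192.168.1.10:53",
]
```

A real daemon would tail the alert file, call decide() for each new line with the current time, and run expire() on a timer; keeping the block list short is what stops the "DoS machine" problem the text describes.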
The problem does not manifest itself for an IDS and firewall on the same machine, but for separate systems a separate subnet should be used for their communication (as shown in Picture 1). Using the protected network for the communication is highly discouraged, since attackers might have means to disrupt it. A time limit on shuns is essential as well. For example, if the attacker is a modem dial-up user, his or her IP address might be assigned to non-malicious users after the modem session terminates. In any case, an ability to disable automatic blocking should be provided.

Direct IDS Intervention

The second reaction option mentioned above is direct intervention by the IDS itself. The IDS can send a TCP reset (to one or both communicating parties) or an ICMP message to the attack source (ICMP_NET_UNREACH, ICMP_HOST_UNREACH or ICMP_PORT_UNREACH types can be used). A TCP reset is a TCP packet with the RST flag set, which is usually used in the teardown phase of a network connection. If the signatures that trigger a response were carefully selected to have low false positives, a whitelist (as for firewall blocking) is not really essential, since only a single connection will be terminated. It should be noted that if the IDS sends TCP RSTs or ICMPs (or anything else, for that matter), it provides an avenue for possibly identifying the IDS type and operating system. Unless the TCP/IP options on the packet can be played with, the IDS presence and type will be uncovered by an attacker.

Implementing Countermeasures

Now let's consider how the open-source IDS Snort implements the above options. It is worth noting that most commercial IDS (such as Cisco Secure IDS, Cisco PIX IDS and ISS products) also implement blocking based on alarms. Several programs that read Snort log files and generate firewall rules based on Snort alerts exist. Guardian appears to be the most flexible of the open-source tools.
It implements time-based blocking, supports several firewalls (Linux iptables/ipchains, FreeBSD ipfw, ipfilter, Checkpoint FW-1, Cisco PIX firewall), features a "white list" and can even do blocking on a machine with no packet-filtering software using black-hole routing. Guardian runs as a daemon alongside Snort and reads alerts from the standard Snort alert file ( /var/log/snort/alert in the default Snort configuration). It will block on ALL logged events and port scans, thus Snort's signature set should be severely cleaned up. In addition, Snort must be run with the "-z est" flag to only alert on attacks present in established TCP connections. Otherwise, spoofed attacks might turn this setup into a "DoS machine". Even with "-z est", the white list ( /etc/guardian.ignore ) must be populated with hosts for which connectivity is essential (an example of defense in depth).

Snort has the ability to send output via custom output plug-ins. One such plug-in, called SnortSam, supports Checkpoint Firewall blocking. Encrypted communication, time-based blocking and other features are supported. Unlike the previous program, SnortSam uses a rule target to decide whether to block based on an alert. Thus it is possible to run with a full signature set and only block on selected alerts. The targeting is extremely flexible. See for full details.

Snort can send TCP RSTs and various ICMPs to terminate the connection. The code makes use of the "resp" keyword added to a rule. Thus, Snort can respond only to selected attack signatures. The excerpt below was used for testing:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; resp: icmp_all,rst_all; nocase; classtype:web-application-attack; sid:1002; rev:2;)

In the above example, all possible response messages are sent. Namely, both sender and receiver of an attack packet get a TCP reset and the sender gets 3 ICMPs (port, host and network unreachable).
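Whether "rst_all" really tears the session down depends on a sequence-number check at the receiver, and that check is why a forged reset can lose a race against the server's own reply. The model below is an added example, not Snort's code: it keeps just the client's receive window, feeds it the IDS's forged RST (assumed here to carry the sequence number the IDS saw acknowledged in the client's request) and the server's response in both orders, and reports which ordering leaves the connection open. Sequence numbers and segment sizes are constructed.

```python
from dataclasses import dataclass

@dataclass
class Receiver:
    """Minimal receive-side TCP state needed to judge an incoming segment:
    the next expected sequence number and the advertised window."""
    rcv_nxt: int
    rcv_wnd: int
    state: str = "ESTABLISHED"

    def in_window(self, seq):
        return self.rcv_nxt <= seq < self.rcv_nxt + self.rcv_wnd

    def on_data(self, seq, length):
        """In-order data advances rcv_nxt; out-of-order data is ignored here."""
        if self.state == "ESTABLISHED" and seq == self.rcv_nxt:
            self.rcv_nxt += length
            return True
        return False

    def on_rst(self, seq):
        """RFC 793 acceptance test: a RST is honoured only while its sequence
        number sits inside the receive window. RFC 5961 hosts are stricter
        (only seq == rcv_nxt resets; anything else draws a challenge ACK)."""
        if self.state == "ESTABLISHED" and self.in_window(seq):
            self.state = "CLOSED"
            return True
        return False

def run_race(rst_first, response_len=1460):
    """Replay the two orderings: the forged RST the IDS sends to the client
    (built from the ACK number in the client's request, i.e. the server's
    next sequence number) either beats the server's real reply or arrives
    after it. Returns the client's connection state afterwards."""
    client = Receiver(rcv_nxt=1000, rcv_wnd=65535)  # constructed numbers
    forged_seq = 1000  # the sequence number the IDS expects the server to use
    events = [("rst", forged_seq), ("data", forged_seq, response_len)]
    if not rst_first:
        events.reverse()
    for ev in events:
        if ev[0] == "rst":
            client.on_rst(ev[1])
        else:
            client.on_data(ev[1], ev[2])
    return client.state
```

Only the first ordering resets: once 1460 bytes of real response have advanced rcv_nxt, the same RST lands below the window and is silently dropped, which matches the author's explanation of the downloads that still succeeded in the tests.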
In fact, ICMPs can be used to stop UDP transmissions and TCP RSTs are used to tear down TCP sessions. That is how it looks in a packet capture (tcpdump and the browser run on host "anton", Snort runs on host "fw"):

In our tests, Snort (v 1.8.4 and beta v. 1.9.1) does not always kill the HTTP connection using the RST and/or ICMPs. In most cases the connection is reset, but sometimes it remains running and the file (a dummy "cmd.exe" placed on the Apache web server) is successfully downloaded. The possible explanation is that the RST arrives too late for the connection to be reset, since the response from the server comes earlier with the right sequence number; the delayed RST is then discarded. Thus RST/ICMP is not a reliable security mechanism (exactly as claimed in the Snort documentation).

Conclusion

To conclude, the IDS's ability to respond to attacks is a useful feature. With expert tuning, it can provide added security to the IT environment. The inherent dangers and weaknesses of auto-response should then also be addressed. The best compromise is to only use IDS active response on high-risk alerts with low false positives (such as backdoor responses, known virus transmission, DoS master-slave communication, etc.). Interesting developments in the active IDS field might come from "inline IDS" systems (shown in Picture 3). In this setup, the IDS actually IS able to drop the offending packet, and not only the connection that ensues, since the IDS engine is actually making the routing decision. The Snort-based Hogwash is an example of such a system.

About the Author

Anton Chuvakin, Ph.D. is a Senior Security Analyst with netForensics ( ), a security information management company that provides real-time network security monitoring solutions.