The primary goal of firewall penetration testing is to confirm that the firewall actually blocks unauthorized access from the internet to your organization's internal network, or, more generally, to check that your security policy is doing what you think it is doing. To test your organization's firewall successfully, you must think like the adversary. Collecting intelligence on the network, such as the operating systems in use and the type of firewall, is necessary before proceeding with the penetration test. A firewall penetration test's success is determined by a number of factors. Making sure firewall policies and rules are properly configured greatly limits the success of attacks and prevents the majority of unauthorized connection attempts.

The first step in firewall penetration testing is to find the firewall. Nmap, a popular open-source tool for network discovery and auditing, can be used to accomplish this. This tutorial demonstrates how Nmap can be used for firewall penetration testing to evaluate and improve the security of your network.

Detecting a Firewall

Determine Firewall Rules

Understanding firewall policies is the first step towards getting past them. Firewall rules must be tested rigorously to make sure they protect the internal systems the way we expect. Individual firewall subversion techniques each have a low probability of success, so admins should try as many different methods as possible: the attacker only needs to find one misconfiguration to succeed, while network defenders must close every hole. Nmap distinguishes, as far as it can, between ports that are reachable but closed and ports that are actively filtered. To build a deeper picture of the network, start with a standard SYN port scan and work up to more advanced techniques such as ACK scans and IP ID sequencing (the idle scan).

OS Detection

Nmap can run scans to detect the operating system, version and services on a single device or on many devices.
When conducting network penetration testing, detection scans are an important part of the enumeration process. It is critical to know where susceptible devices are on the network so that they can be repaired or replaced before being attacked. OS detection also enables other tests that build on the information obtained. Run the following command to detect the OS and services (-A turns on OS detection, version detection, default script scanning and traceroute; OS detection sends raw packets, so run it as root):

nmap -A [Target IP]

Note: this command returns much more information than is shown here; I have kept only the part that is most relevant.

SYN Port Scanning

In Nmap, the SYN scan (-sS), also known as a stealth or half-open scan, is the default scan for privileged users. Nmap sends a SYN to each port; if a SYN/ACK comes back it answers with a RST instead of the final ACK, so the TCP connection is never fully established and the application listening on the port never sees it. Historically that kept the probe out of application logs, which is where the "stealth" name comes from, but a firewall or IDS sees and logs the SYN itself, so the scan is not hidden from a modern firewall. Because -sS needs raw sockets it must be run as root. Add -Pn (the older spelling was -P0) to skip host discovery, which matters when the firewall drops the ICMP and TCP pings Nmap would otherwise use to decide whether the host is up:

nmap -sS -Pn [Target IP]

ACK Probing

The goal of this scan is to learn about the filter rules rather than the state of the port. On its own it is rarely useful, but paired with a SYN scan it gives a much fuller picture of the firewall rules. RFC 793 requires a host to respond with a RST whenever a TCP ACK segment arrives at a closed port, or arrives out of sync at a listening port. Receiving RSTs in response to an ACK scan therefore tells the attacker that the port is reachable at all (Nmap reports it as "unfiltered"), which helps determine what firewall, if any, is in the path. A stateful firewall discards ACK packets that belong to no tracked connection, producing no response, and Nmap then marks the port "filtered". For this scan we probe port 22:

nmap -sA -p22 [Target IP]

Firewall Evasion

Decoy Scan

Nmap can spoof packets from other hosts in this type of scan.
With decoys, it will be far more difficult to tell which machine launched the scan, because the firewall logs will record not just our IP address but also the IP addresses of the decoys. The hosts you use as decoys must be online for this method to work (Nmap warns that scanning with dead decoys can amount to a SYN flood of the target), and using a large number of decoys can also cause network congestion. Decoys only work with raw-packet scans such as -sS, not with connect scans or version detection, and your real address is still among the sources; the keyword ME can be placed in the list to control where it appears, otherwise Nmap picks a random position. Decoy addresses are separated by commas with no spaces. There are two ways to specify them:

nmap -D decoy1,decoy2,decoy3 [Target IP]

This form lets you specify the decoy IP addresses manually.

nmap -D RND:3 [Target IP]

This form generates the requested number of random, non-reserved decoy addresses; in this example, three. Below is a screenshot from Wireshark showing the random IP addresses of the decoys:

Fragment Packets

IP packet fragments cause problems for some packet filters. A firewall could reassemble the fragments itself, but that takes extra resources, and fragments may take separate paths, making reassembly impossible. Because of this complication, some filters discard all fragments, while others pass all but the first. If the first fragment is not long enough to carry the entire TCP header, or if a second fragment partially overwrites it, unexpected things can happen. This technique was very effective long ago but is largely obsolete against today's firewalls; it can still work against one that is improperly configured. The -f option splits the probe's TCP header across 8-byte IP fragments (giving -f twice, -ff, uses 16-byte fragments). For this example we target port 22:

nmap -f -p22 [Target IP]

Below is a screenshot from Wireshark showing the fragmented packets sent:

Specifying MTU

Nmap also lets you specify the maximum transmission unit (MTU) for the probe packets with --mtu. This is a generalization of the fragmentation option: during the scan Nmap fragments the packets to the size you give. The number must be a multiple of 8.
In this example we use 16:

nmap --mtu 16 [Target IP]

MAC Address Spoofing

Spoofing your host's MAC address is another way around firewall restrictions when running a port scan. It is most effective where a MAC filtering rule allows communication only from specific MAC addresses, so you first need to find out which MAC address is trusted. The scan is also somewhat stealthier, because your real MAC address does not appear in the firewall's log files. One caveat: a MAC address is only visible on the local Ethernet segment. Once traffic crosses a router the target sees the router's MAC, so this only helps against a filter on the same LAN (or a bridging firewall). The --spoof-mac option accepts a vendor name (Nmap picks an address with that vendor's prefix), the number 0 for a completely random address, or a specific MAC address of your own. It applies only to the raw Ethernet frames Nmap builds itself, so use a raw-packet scan such as -sS rather than a connect scan (-sT), whose packets are built by the operating system:

nmap -sS -Pn --spoof-mac [Vendor or Specified MAC] [Target IP]

Source Port Manipulation

A common mistake system administrators make is trusting traffic based only on its source port number. DNS is the usual example: a stateless filter that blocks all incoming traffic also blocks the UDP DNS replies coming back from external servers, so the administrator adds a rule that lets in anything with source port 53. Active FTP is another: the remote server opens the data connection back to the client from port 20 to send the requested file, so incoming traffic from source port 20 gets allowed as well. Secure solutions exist for both problems (stateful connection tracking that admits replies by connection state, or an application-level proxy), yet administrators continue to allow incoming traffic simply because it comes from the DNS or FTP port, with no further checks. To exploit this, Nmap provides the -g option (--source-port is a synonym). Give it a port number and Nmap sends its probes from that port wherever it can. Certain OS detection tests need distinct source ports, so the option is ignored for those, and a connect scan (-sT) cannot use it because the operating system picks the source port. Most TCP scans, including SYN scan, and UDP scans support it fully. To scan through a filter that trusts DNS replies, for example:

nmap -g 53 [Target IP]

Conclusion

Because firewalls are the first line of defense against outside intrusion, firewall testing is one of the most critical network tests you can perform. Many of these techniques will not work against a network with a properly configured IDS and firewall. Because each scenario is unique, you must determine which option works best for you.
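The SYN and ACK probes from the Detecting a Firewall section are most useful when read side by side: the SYN scan says whether a port answers, the ACK scan says whether an out-of-state segment is allowed through or silently dropped. The script below is an added example and is not part of the original tutorial. It reads the grepable output (-oG) of an nmap -sS run and an nmap -sA run against the same host and prints, per TCP port, what the pair of states implies about the filter in the path. It assumes only POSIX sh, awk and sort. The two scan files produced by write_sample_scans are constructed for illustration, not real scan results; in practice you would feed it the files from `nmap -sS -Pn -oG syn.gnmap [Target IP]` and `nmap -sA -Pn -oG ack.gnmap [Target IP]`.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: correlate an nmap SYN scan
# (-sS) with an ACK scan (-sA) of the same host to infer what kind of filter
# sits in front of each TCP port. Both inputs are nmap grepable output (-oG).
# Assumes POSIX sh, awk and sort; the two files written by write_sample_scans
# are constructed for illustration, not real scan results.

# Print "port state" for every TCP port in the Ports: field of a -oG file.
# A -oG port entry looks like 22/open/tcp//ssh/// and entries are separated
# by ", "; the fields of the Host: line are tab-separated.
gnmap_ports() {
    awk -F'\t' '
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entry, /, /)
                    for (j = 1; j <= n; j++) {
                        split(entry[j], f, "/")
                        if (f[3] == "tcp") print f[1], f[2]
                    }
                }
            }
        }' "$1"
}

# Join the per-port states of the SYN scan ($1) and ACK scan ($2) and print
# one tab-separated line per port: port, SYN state, ACK state, verdict.
correlate_scans() {
    {
        gnmap_ports "$1" | sed 's/^/SYN /'
        gnmap_ports "$2" | sed 's/^/ACK /'
    } | awk '
        function verdict(s, a) {
            # A bare ACK to a reachable port draws a RST (RFC 793), which nmap
            # reports as "unfiltered"; a stateful filter drops it instead.
            if (s == "open"     && a == "unfiltered") return "open, no stateful filter in the path"
            if (s == "open"     && a == "filtered")   return "open, stateful firewall drops out-of-state ACKs"
            if (s == "closed"   && a == "unfiltered") return "closed and unfiltered (host answered with RST)"
            if (s == "filtered" && a == "unfiltered") return "SYN dropped but bare ACK passes: stateless packet filter"
            if (s == "filtered" && a == "filtered")   return "every probe dropped: stateful firewall or blanket DROP"
            return "inconsistent or incomplete data, rescan this port"
        }
        $1 == "SYN" { syn[$2] = $3; ports[$2] = 1 }
        $1 == "ACK" { ack[$2] = $3; ports[$2] = 1 }
        END {
            for (p in ports) {
                s = (p in syn) ? syn[p] : "missing"
                a = (p in ack) ? ack[p] : "missing"
                printf "%s\t%s\t%s\t%s\n", p, s, a, verdict(s, a)
            }
        }' | sort -n
}

# Constructed -oG output for one host (not from a real scan). "$1" is a
# directory in which syn.gnmap and ack.gnmap are written.
write_sample_scans() {
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 25/closed/tcp//smtp///, 80/open/tcp//http///, 443/filtered/tcp//https///, 3306/filtered/tcp//mysql///\n' > "$1/syn.gnmap"
    printf 'Host: 10.0.0.5 ()\tPorts: 22/unfiltered/tcp//ssh///, 25/unfiltered/tcp//smtp///, 80/filtered/tcp//http///, 443/unfiltered/tcp//https///, 3306/filtered/tcp//mysql///\n' > "$1/ack.gnmap"
}

# Usage: correlate_scans syn.gnmap ack.gnmap, with the files produced by
#   nmap -sS -Pn -oG syn.gnmap [Target IP]
#   nmap -sA -Pn -oG ack.gnmap [Target IP]
# Run with --demo to correlate the constructed sample instead.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_sample_scans "$dir"
    correlate_scans "$dir/syn.gnmap" "$dir/ack.gnmap"
    rm -r "$dir"
fi
```

The verdicts follow the reasoning in the ACK Probing section: a port that is open to SYN but filtered to a bare ACK is the signature of a stateful firewall, while a port that drops SYNs yet lets a bare ACK through is protected only by a stateless filter. Ports that show as filtered in both scans cannot be separated further without more probes.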
After testing, go through the policies and rules and make sure they are properly configured; this greatly limits the success of attacks and prevents the majority of unauthorized connection attempts. Run further tests afterwards to confirm that the configuration is what you expect. Once the policies have been properly configured, write a report. Documenting everything is just as crucial as performing the test. Instead of waiting until the end of the test, record all important findings and the tools used as you go through the procedure; this saves time and confusion when it is time to write the report.

James Bogert
"A scanner is a program that automatically detects security weaknesses in a remote or local host." Scanners are important to Internet security because they reveal weaknesses in the network. System administrators can strengthen the security of their networks by scanning them themselves. The primary attributes of a scanner should be:

- the capability to find a machine or network;
- the capability to find out what services are being run on the host (once the machine has been found);
- the capability to test those services for known holes.

There are various tools available for Linux system scanning and intrusion detection. I will explain some of the best-known tools. I have divided the scanners into three categories: host scanners, network scanners and intrusion scanners.

Host Scanners

Host scanners are software you run locally on the system to probe for problems.

COPS

COPS is a collection of security tools designed specifically to aid the typical UNIX systems administrator, programmer, operator or consultant in the oft-neglected area of computer security. COPS is available at:

Tiger

Tiger is a UNIX security checker: a package of Bourne shell scripts, C code and data files used to check a UNIX system for security problems. It scans system configuration files, file systems and user configuration files for possible security problems and reports them. You can get it from:

check.pl

check.pl is a Perl script that looks through your entire filesystem (or just the directory you tell it to) for suid, sgid, sticky and writable files. You should run it as a regular user, perhaps once a week, to check for permission problems. It outputs a list of questionable files to stdout, which you can redirect wherever you like. It is available at:

Network Scanners

Network scanners are run from one host and pound away on other machines, looking for open services. If you can find them, chances are an attacker can too.
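Before going further into network scanners, here is the local permission audit that check.pl performs, written as a shell function. This is an added example, not check.pl's own code: it lists setuid, setgid, sticky and world-writable files and directories under a given root, tagging each hit with the reason it was reported, and stays on one filesystem so that /proc, /sys and network mounts are not walked. It assumes a find(1) that supports -xdev and -perm -MODE, which GNU and BSD find both do; run it as a regular user against / for the weekly check the article suggests.

```shell
#!/bin/sh
# Added example, not check.pl's own code: the audit check.pl performs, as a
# shell function. It lists setuid, setgid, sticky and world-writable files and
# directories under a root directory, one per line, tagged with the reason.
# Assumes a find(1) that supports -xdev and -perm -MODE (GNU and BSD both do).

find_special_perms() {
    root="${1:-/}"
    # One pass per permission bit so that every hit carries its reason; a
    # sticky, world-writable directory such as /tmp is therefore listed twice.
    for spec in "4000 setuid" "2000 setgid" "1000 sticky" "0002 world-writable"; do
        set -- $spec
        # -xdev: stay on one filesystem so /proc, /sys and network mounts are
        # not walked; -perm -MODE: every bit in MODE is set on the entry.
        find "$root" -xdev \( -type f -o -type d \) -perm "-$1" -print 2>/dev/null |
            while IFS= read -r path; do
                printf '%s\t%s\n' "$2" "$path"
            done
    done
}

# Number of setuid entries under a root: the subset most worth reviewing,
# since each one is code that runs with its owner's privileges.
count_setuid() {
    find_special_perms "$1" | grep -c '^setuid' || true
}

# Usage: find_special_perms /           # whole system, as a regular user
#        find_special_perms /usr/local  # one directory tree
```

Output is tab-separated (reason, then path), so it can be redirected to a file and compared against last week's run with diff to spot newly appeared setuid binaries or newly writable paths.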
Network scanners are also very useful for ensuring that your firewall works.

NSS (Network Security Scanner)

NSS is a Perl script that scans individual remote hosts or entire subnets of hosts for various simple network security problems. It is extremely fast. Routine checks it can perform include:

- sendmail
- anonymous FTP
- NFS exports
- TFTP
- hosts.equiv
- xhost

NSS can be found at:

SATAN (Security Administrator's Tool for Analyzing Networks)

SATAN is an automated network vulnerability search and report tool that provides an excellent framework for expansion. SATAN scans remote hosts for most known holes:

- FTPD vulnerabilities and writable FTP directories
- NFS vulnerabilities
- NIS vulnerabilities
- rsh vulnerabilities
- sendmail
- X server vulnerabilities

SATAN performs these probes automatically and presents the results in an extremely easy-to-use package. You can obtain SATAN from:

Strobe

Strobe is a "super optimised TCP port surveyor": a network/security tool that locates and describes all listening TCP ports on a (remote) host, or on many hosts, in a way that maximises bandwidth utilisation and minimises process resources. It is simple to use and very fast, but has none of the features newer port scanners have. Strobe is available at:

Nmap

Nmap is a newer and much more fully featured host scanning tool. Specifically, nmap supports:

- vanilla TCP connect() scanning
- TCP SYN (half-open) scanning
- TCP FIN, Xmas or NULL (stealth) scanning
- TCP FTP proxy (bounce attack) scanning
- SYN/FIN scanning using IP fragments (bypasses some packet filters)
- TCP ACK and Window scanning
- UDP raw ICMP port unreachable scanning
- ICMP scanning (ping sweep)
- TCP ping scanning
- direct (non-portmapper) RPC scanning
- remote OS identification by TCP/IP fingerprinting
- reverse-ident scanning

Nmap is available at: Nmap: the Network Mapper - Free Security Scanner

PortScanner

PortScanner is a network utility designed specifically to scan for listening TCP ports.
It uses a simple method to achieve its goal and is extremely compact, considering all the options available. It is open source and free to use; you can get it at:

Queso

Queso is a tool that detects what OS a remote host is running, with a good degree of accuracy. Using a variety of valid and invalid TCP packets to probe the remote host, it checks the responses against a list of known responses for various operating systems and tells you which OS the remote end is running. You can get Queso from:

Intrusion Scanners

Intrusion scanners are software packages that actually identify vulnerabilities and, in some cases, let you actively try to exploit them.

Nessus

Nessus is very fast and reliable, and has a modular architecture that lets you fit it to your needs; it is one of the best intrusion scanning tools. It has a client/server architecture: the server currently runs on Linux, FreeBSD, NetBSD and Solaris, and clients are available for Linux and Windows, plus a Java client. Nessus supports port scanning and attacking based on IP addresses or host names. It can also search through network DNS information and attack related hosts at your request. Nessus is available from Tenable.

SAINT

SAINT is the Security Administrator's Integrated Network Tool. SAINT also uses a client/server architecture, but with a web interface instead of a client program. In its simplest mode, it gathers as much information about remote hosts and networks as possible by examining network services such as finger, NFS, NIS, ftp, tftp, rexd, statd and others. SAINT produces very easy-to-read output, with security problems graded by priority (although not always correctly), and supports add-in scanning modules, making it very flexible. SAINT is available from:
Cheops

Cheops is useful for detecting a host's OS and for dealing with a large number of hosts quickly. Cheops is a "network neighborhood" on steroids: it builds a picture of a domain or IP block, which hosts are running, and so on. It is extremely useful for preparing an initial scan, since you can locate interesting items (HP printers, Ascend routers, etc.) quickly. Cheops is available at: Marko.net

Ftpcheck / Relaycheck

Ftpcheck and Relaycheck are two simple utilities that scan for FTP servers and for mail servers that allow relaying. These are available from:

BASS

BASS, the "Bulk Auditing Security Scanner", lets you scan the Internet for a variety of well-known exploits. You can get it from:

Firewall Scanners

There are also a number of programs that scan firewalls and run other penetration tests in order to find out how a firewall is configured.

Firewalk

Firewalking is a technique that uses traceroute-like probes to analyze IP packet responses in order to determine a gateway's ACL filters and map networks: probes are sent with a TTL that expires one hop beyond the filtering device, so a probe the filter passes draws an ICMP time-exceeded reply from the next hop, while a probe it blocks draws nothing. Firewalk, the tool, implements the technique to determine the filter rules in place on a packet-forwarding device. System administrators should run it against their own systems to tighten up security. Firewalk is available from:

Conclusion

"Security is not a solution, it's a way of life." System administrators must continuously scan their systems for security holes and fix each hole on detection. This tightens the security of the system and reduces the chance of a security breach. It is a continuous process: security vulnerabilities will keep arising and the process of fixing them will never end! After all, "Precaution is better than cure."

This article is Copyright (c) 2000 by Kapil Sharma. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at opencontent).
Written by: Kapil Sharma Email: