Stay Ahead With Linux Security Features


Understanding Security Threats In Open-Source Software Supply Chains

When you think of supply chains, your mind probably jumps to physical products: a t-shirt passing through farms, factories, trucks, and stores before landing in your hands. Now take that same idea and apply it to software. Each application, library, or tool you use passes through a digital supply chain made up of developers, repositories, package managers, and ultimately end-users. The catch is that every link in that chain is a potential target for attackers looking to exploit weaknesses, inject malicious code, or cripple downstream systems. If you work with open-source software, this isn't a distant hypothetical; it is a security challenge you may be facing right now.

Open-source software supply chain attacks are growing sharply year over year. Why? Because targeting the chain lets attackers impact not just one company but potentially thousands. Whether it's a repository compromise, a vulnerability in a shared dependency, or a malicious package slipping through, every phase has its risks. The question isn't whether you're exposed; it's what you're doing to discover and mitigate those risks before they escalate. Let's break this down and figure out how to tighten your defenses at every level without getting buried in complexity.

What Is Supply Chain Security and Why Is It So Important?

As the name suggests, supply chain security protects the code and artifacts that are passed from one party to the next. Vulnerabilities are assessed during development so that a weakness in one project does not propagate to every company downstream of it in the open-source supply chain. Robust security is crucial because open-source supply chains offer many points of attack, and a single successful attack can affect hundreds or thousands of end-users. Open-source tooling for managing that chain plays a vital role in stopping these threats.

Many programs today build on open-source tools that receive contributions from many developers and users. That breadth of participation brings more vulnerabilities to the surface so they can be fixed, strengthening overall data and network security and helping to prevent breaches.

What Supply Chain Security Threats Should I Be Aware Of?

Vulnerabilities can arise at any point in the software supply chain. Let's discuss the components at risk.

Developer Practices

A project's initial developers are the first link in the supply chain, and the first risks arise here. Because this phase lays the groundwork for the entire project, how these developers approach their work has a massive impact on supply chain security. Even experienced developers make mistakes, so threats in this phase often come down to not following basic security practices, such as:

- Using multi-factor authentication on developer accounts.
- Having a formal change-tracking process.
- Giving each release a unique identifier.
- Testing for bugs and unexpected behavior throughout the development cycle.
- Documenting and managing a project's dependencies.
- Cryptographically signing releases so their integrity can be verified.
- Tracking and addressing vulnerabilities in the open-source toolkits used during development.

Developers may skip these steps because of distractions or time pressure. As simple as they are, ignoring them can leave a company facing a range of security issues in its software supply chain.

Repositories

The next phase in the software supply chain is the repository: a server that hosts publicly available software packages, where developers publish their open-source code for others to use. Repositories are now the primary source of components for both in-house and licensed software; the Linux Foundation reports that 70%–90% of software solutions use open-source resources.

Because these repositories are so large, managing them can lead to oversights. Code in them may lack documentation or declared dependencies, creating future vulnerabilities or misconfigurations. Weak access controls could let attackers inject malicious code into a repository. And downloading a package is trivially easy even when it ships without basic integrity protections.

Project Dependency Managers

After downloading software from a repository, developers and users often rely on Project Dependency Managers (PDMs): programs that automate installation, updating, and configuration tasks and help teams keep track of the open-source components in use. Unfortunately, it is easy to over-rely on PDMs. They automate a great deal, but they do not modify the software they install and cannot check it for reliability issues or vulnerabilities. Teams may overestimate what these tools do and skip critical security checks as a result.

Vulnerability Databases

Because modern programs are built from dozens or even thousands of packages, it is almost impossible to track every vulnerability and dependency by hand. Developers turn to databases such as the Common Vulnerabilities and Exposures (CVE) program and the National Vulnerability Database (NVD) to help maintain supply chain security. However, this phase introduces risks of its own: databases struggle to keep pace with a rapidly changing threat landscape, so their records may be incomplete or inaccurate until new threats are identified and recorded.

End-User Practices

The final step in the supply chain is using the software. End-users sometimes find, or introduce, new vulnerabilities as they use a program, and a large share of security incidents trace back to end-user error. When the same error keeps recurring, though, it may really be a design flaw that developers should fix. In open-source supply chains, end-users are also crucial in addressing threats: they can discover and report problems so developers can patch them and update the repository, creating a cycle of supply chain security improvements.

Supply Chain Vulnerabilities in Open Source

While open-source software has the advantage of many contributors who can find vulnerabilities, that openness also introduces some unique risks. Most notably, malicious code has more chances to enter the supply chain because so many people can contribute to repositories. And because open-source tools spread so widely, an attack on a single repository or database can affect many parties down the line.

In one notorious instance, an attacker compromised the source server of an open-source scripting language and pushed two malicious updates to its repository. Later that same year, an attacker inserted password-stealing malware into two packages distributed through a popular open-source PDM. One of those packages saw 14 million weekly downloads, so this one attack could have affected tens of millions of projects. The rapid growth in these attacks is easy to understand: a single supply chain attack can have far-reaching consequences, and open-source software has become an industry standard.

Addressing Security Concerns for the Open-Source Software Supply Chain

Many businesses still overlook open-source software security because these vulnerabilities are easy to miss when the focus is on internal processes. Teams concentrate on making their own workflows and in-house programs secure, which draws attention away from threats earlier in the supply chain, where attacks are easier to carry out.

The collaborative nature of open source makes it easier for attackers to insert malicious code somewhere in the system. But that same collaboration is the key to better supply chain security. The industry should encourage every party in the chain, from initial developers to end-users, to share findings, discuss security issues, and work together to label and review repositories effectively, so the community can benefit from each other's experience and expertise. Following NIST's Secure Software Development Framework and engaging in established best practices is also essential. If more teams adopt these principles and standards, the software supply chain will become more standardized, enabling more effective collaboration.

Supply Chain Security Best Practices

While every development cycle is unique, some practices apply to every software supply chain. Start with a risk assessment: map out your supply chain to see all of your dependencies, which reveals where vulnerabilities can arise. Once you know where you're most likely to encounter problems, you can address them appropriately.

Next, modernize your processes. Outdated technology creates data silos, making it harder to spot threats, leaving more room for human error, and slowing the response to security alerts. Modern security toolkits with automation, encryption, data consolidation, and file and access monitoring are crucial to spotting and preventing supply chain threats.

You should also review and update permissions throughout the supply chain. Most companies should give supply chain partners less access than they currently have. Restrict permissions so everyone can access only what they need, and use strict identity verification to enforce those policies. To make those permissions measurable and enforceable across teams and partners, an identity governance and administration (IGA) solution helps organizations govern identities, review access rights, and reduce excessive privilege throughout the supply chain.

Finally, verify every bit of code before deploying it. Scan everything before using it in the development process. If you find a vulnerability or a piece of malicious code, alert others in the open-source community. Proactively hunting threats ensures that someone else's oversight doesn't become your breach.

Our Final Thoughts on Improving Open-Source Software Supply Chain Security

Securing your open-source software supply chain isn't just a task; it's a responsibility shared among all contributors, from developers to end-users. You can't rely on the idea that "someone else will catch it." Every link in the chain matters, and a crack anywhere can ripple outward, leaving vulnerabilities that attackers love to exploit. Whether you're choosing dependencies, hardening repository access, or locking down permissions, every small step counts toward protecting your systems and, more importantly, your users.

Addressing these challenges takes a sharp eye, steady habits, and, honestly, a little teamwork throughout the lifecycle. But don't let the scale of this responsibility feel overwhelming. You have tools, frameworks, and a community to lean on. Most importantly, this isn't a fixed target; it's an evolving process that thrives on iteration. When you regularly assess risks, modernize workflows, tighten permissions, and verify every bit of code before deployment, you're building security into the foundation of your processes. It's not about the perfect solution; it's about staying adaptable and proactive. The threats to open-source software supply chains aren't going away. But with diligence and collaboration, you can build processes that keep attacks at bay and make your systems as resilient as possible.
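The "verify every bit of code before deploying it" and "documenting and managing a project's dependencies" practices above come down to one mechanical check: every artifact that enters a build must match a digest that was pinned when the dependency was reviewed. The script below is an added example written for this page, not code from the article or from any package manager. It assumes a hypothetical lockfile format of "<name> <version> sha256:<hex>" lines and uses constructed artifact bytes so it runs offline; the three outcomes it distinguishes (tampered download, unreviewed extra package, pinned package that was never fetched) are the ones a deploy gate has to fail closed on.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample artifacts standing in for downloaded package files.
ARTIFACTS: Dict[str, bytes] = {
    "leftpad-1.3.0.tgz": b"leftpad 1.3.0 release contents",
    "colors-1.4.0.tgz": b"colors 1.4.0 release contents",
    "ua-tool-0.7.2.tgz": b"ua-tool 0.7.2 contents (tampered)",
    "newdep-2.0.0.tgz": b"never reviewed, not in manifest",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed manifest (hypothetical format: "<name> <version> sha256:<hex>").
# The ua-tool digest was pinned for the genuine release, so the tampered
# download above will not match; "cache" is pinned but was never downloaded.
MANIFEST = "\n".join([
    "# pinned dependencies",
    f"leftpad 1.3.0 sha256:{sha256_hex(ARTIFACTS['leftpad-1.3.0.tgz'])}",
    f"colors 1.4.0 sha256:{sha256_hex(ARTIFACTS['colors-1.4.0.tgz'])}",
    f"ua-tool 0.7.2 sha256:{sha256_hex(b'ua-tool 0.7.2 genuine contents')}",
    f"cache 3.1.0 sha256:{sha256_hex(b'cache 3.1.0 release contents')}",
])

def parse_manifest(text: str) -> Dict[str, str]:
    """Map "<name>-<version>.tgz" -> pinned hex digest; fail closed on bad lines."""
    pins: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("sha256:"):
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        name, version, digest = parts[0], parts[1], parts[2][len("sha256:"):]
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"manifest line {lineno}: digest is not 64 hex chars")
        pins[f"{name}-{version}.tgz"] = digest
    return pins

def verify_artifacts(manifest_text: str, artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Return a status per artifact/pin: ok, mismatch, unpinned, or missing."""
    pins = parse_manifest(manifest_text)
    report: Dict[str, str] = {}
    for filename, data in artifacts.items():
        if filename not in pins:
            report[filename] = "unpinned"      # downloaded but never reviewed/pinned
        elif hmac.compare_digest(sha256_hex(data), pins[filename]):
            report[filename] = "ok"
        else:
            report[filename] = "mismatch"      # tampered, or the pin is stale
    for filename in pins:
        if filename not in artifacts:
            report[filename] = "missing"       # pinned but absent from the download set
    return report

def deployable(report: Dict[str, str]) -> bool:
    """Fail closed: anything other than an all-'ok' report blocks the build."""
    return bool(report) and all(status == "ok" for status in report.values())

if __name__ == "__main__":
    result = verify_artifacts(MANIFEST, ARTIFACTS)
    for filename, status in sorted(result.items()):
        print(f"{status:9} {filename}")
    print("deployable:", deployable(result))
```

Run as-is it reports the tampered ua-tool as a mismatch, newdep as unpinned, cache as missing, and refuses to deploy. The digest comparison is the easy part; the value is in treating "not in the manifest" and "malformed manifest line" as hard failures rather than warnings, because those are exactly the gaps a malicious package slips through.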

May 23, 2025 | Brittany Day

Protecting Your Business Against WordPress Network Threats

As businesses continue to need a website to promote content online, the demand for easy-to-navigate content management systems remains. Fortunately, WordPress gives inexperienced, non-technical users a way to create professional websites that bring in traffic and attention. W3Techs reported that WordPress powered forty-three percent of all websites in 2022.

While it is fantastic that WordPress has allowed so many organizations to establish themselves online, its widespread use has made it a target for malicious hackers, who exploit it to install malware, host phishing pages, and cause other security issues on a server. Threat actors use WordPress vulnerabilities to break into systems, steal valuable data, and maintain their presence through harmful software. Organizations must learn how to secure their WordPress servers against threats that could result in breaches and data loss. This article will answer a few WordPress FAQs, explain how you can improve your security posture on WordPress, and demonstrate how one solution works to mitigate an attack.

Is WordPress Secure? And Other FAQs

WordPress is a content management system on which you can set up a website, forum, mailing list, membership site, or online storefront. The platform offers default encryption options, firewalls, frequent monitoring, and backup and recovery, and the WordPress website suggests a few best practices that site owners should implement to strengthen data and network security. Its built-in features make WordPress a reasonably secure starting point. However, threats can still bypass those measures and harm a company running on WordPress.

Why Is WordPress a Popular Target Among Malicious Hackers?

WordPress is a favorite target for cybercriminals because of its popularity on the Internet. As more companies use the platform for their online presence, attackers gain more opportunities to develop and use WordPress exploits.

What Common Security Issues Does It Have?

Threat actors can target multiple websites simultaneously because WordPress installations are set up so similarly. Attackers commonly hit WordPress with brute-force login attacks, watering-hole attacks, Cross-Site Scripting (XSS), Denial of Service (DoS), malware, and phishing campaigns hosted on compromised sites. Employees must also know the best practices for maintaining their online platform: frequent misconfigurations, predictable login credentials, and outdated plugins and CMS versions give malicious actors easy ways into a system and a foothold for installing harmful software on the server.

Why Does WordPress Security Matter?

If a WordPress environment is attacked, one website can impact thousands of others. Even though the other servers were not compromised initially, WordPress vulnerabilities shared across platforms can have severe, widespread consequences for employees, companies, and clients. Sensitive data compromise, malicious software, and ransomware can cause lasting reputational harm, significant downtime, and financial loss for a business.

Vali Cyber Vice President of Product and Technical Marketing Drew Vanover explains, "Shared cloud computing offers many benefits to customers, such as not needing to maintain hardware or patching in cybersecurity on operating systems. However, this shared model also shares the increased risks of a successful attack." He elaborates, "It is not just the hosting provider's customers that are impacted, but the hosting provider itself has to deal with the repercussions, remediation, brand exposure, and customer reactions in the wake of a successful attack. Because it is a shared environment, the odds are in the malicious actor's favor; it only takes one vulnerable installation to let them in."

Organizations must do everything they can to improve their security posture and ensure that their data is safe from most, if not all, of the threats that head their way.

How Can I Improve WordPress Security?

WordPress is not an unsafe platform for establishing websites, but there are a variety of vulnerabilities in the ecosystem that can let hackers into a server. Fortunately, solutions like Vali Cyber ZeroLock™ can add a strong layer of data and network security protection for WordPress sites, helping you defend against malicious attacks and protect your organization's sensitive data, critical systems, and hard-earned reputation.

What Is Vali Cyber ZeroLock™?

Vali Cyber ZeroLock™ provides some of the most robust protection options for WordPress websites and Linux-based systems. ZeroLock delivers comprehensive data and network security on-premise, in the cloud, and on IoT and edge devices. The service is easy to install and manage, giving employees full access to security monitoring with multi-factor authentication, ransomware and crypto-jacking protection, automated remediation, and more. According to Forrester, this purpose-built solution for securing WordPress has a remarkably low overhead of less than five percent for businesses now spending thirty-three million dollars on the cloud annually. ZeroLock is a much more cost-efficient solution than legacy security toolkits, which can carry twenty to thirty-five percent overhead.

Vali Cyber CTO Austin Gadient mentions, "With automated lockdown configuration and sophisticated access control capabilities combined with advanced behavioral threat detection technology, admins using ZeroLock can quickly and easily secure all of their Linux workloads against damaging attacks and detect and recover any threats that get through with minimal consumption of critical computing and human resources. Running entirely in user space, ZeroLock does not require any kernel modules and is compatible with all Linux systems kernel version 3.5 or greater and across deployment environments."

How Can ZeroLock Protect a Vulnerable WordPress Website?

A cryptominer can bypass defenses and remain undetected when security professionals, companies, and employees fail to monitor their servers properly, and attackers exploit WordPress vulnerabilities to get it there. Our security team demonstrates how ZeroLock combats malware attacks before an organization loses resources, data, and time.

Phase 1: Malicious Plugin Upload

The attacker attempts to gain access to the targeted website through the wp-login.php login page. In this instance, the user has a weak password that the attacker recovered with a brute-force attack.

Figure 1: Attacker Brute Forces wp-login Password

With access to the target website, the attacker tries to upload "Wordpress-webshell-plugin" to run arbitrary operating system commands through WordPress.

Figure 2: WordPress Webshell Plugin GitHub

This attempt fails because ZeroLock protects the server immediately upon detecting the attack.

Figure 3: ZeroLock Alert for Malicious WordPress Plugin Upload

ZeroLock deletes the potentially malicious PHP files the attacker uploaded so that the WordPress plugins and the server remain unharmed.

Figure 4: Files Removed by Malicious Plugin Upload Detection

Phase 2: Webshell Interaction

For this part of the demonstration, we disabled ZeroLock's plugin protection so you can see what ZeroLock can do if the upload succeeds. The attacker plans to use the plugin's console.py tool to run commands: console.py establishes a network connection to the uploaded plugin, and the attacker can then work on the target system through it. Thankfully, ZeroLock detects webshells, too. ZeroLock raises an alert, and the "INFO" column references MITRE ATT&CK technique T1059 (Command and Scripting Interpreter).

Figure 5: WordPress Plugin Is Successfully Uploaded
Figure 5: console.py Webshell

ZeroLock contains detection capabilities for numerous techniques within the MITRE ATT&CK framework.

Figure 6: MITRE T1059 Webshell Detection

ZeroLock provides a detailed log of all indicators of compromise when it alerts on an attack. You can view a process tree to see the programs and tactics the attacker used. The figure below shows how Apache launched dash (the system shell) to run the "ls" command.

Figure 7: Webshell Process Tree

Phase 3: Malware Payloads

If the attacker can use the webshell (since we disabled ZeroLock's protection for this demonstration), they are running as the unprivileged www-data user.

Figure 8: Attempt to Run 'ls' Command
Figure 9: Webshell whoami Command

In this case, the threat actor chooses a crypto-jacking attack with the XMRig miner, since mining does not require privileged access. Before the attack can succeed, ZeroLock uses AI to inspect the instructions the attacker executes, allowing the platform to determine that an attack is underway. Implementing AI in this process lets ZeroLock learn from existing malware strains and immediately combat new and developing crypto-mining attacks, keeping your server safe.

Figure 10: Attacker Downloads and Runs Cryptominer
Figure 11: ZeroLock's Cryptomining Alert

Unable to use the system for crypto mining, the attacker launches a ransomware attack that would disable the website with the Defray777 malware until the victim pays a ransom.

Figure 12: Attempt to Download and Execute Defray777 Ransomware

ZeroLock's behavioral detection engine identifies the ransomware attack within milliseconds, and automatic remediation kicks in to clean and restore the system to its normal state.

Figure 13: Ransomware Alert

ZeroLock displays the list of files the ransomware impacted. Thanks to ZeroLock's patent-pending rollback capabilities for Linux, the threat detection service restores encrypted files to their original state, cleans up ransom notes, and ensures that the ransomware does not persist on the system. Then the website can return to its normal operational status.

Figure 14: Files Restored by ZeroLock

LinuxSecurity expert and LinuxSecurity.com Founder Dave Wreski states, "As you can see, this is a powerful tool for detecting and remediating attacks exploiting WordPress vulnerabilities, as well as any threat to a Linux environment. With its AI and behavioral detection capabilities that identify and remediate all threats virtually instantaneously, an adversary doesn't stand a chance of evading this solution."

ZeroLock is a handy security toolkit that can protect against WordPress vulnerabilities that Linux patches may not yet have addressed.

Final Thoughts on ZeroLock and WordPress Security

WordPress vulnerabilities can leave many companies susceptible to attacks, but proper website protection can help anyone's platform stay safe. With comprehensive platforms like Vali Cyber ZeroLock™, your business can implement predictive analysis detection and automated remediation to identify and remediate data and network security issues without sacrificing more time and money than necessary.

Wreski concludes, "I am thoroughly impressed with ZeroLock's complete, minimum impact protection for WordPress websites. It's the only threat management platform that effectively uses predictive analysis detection to stop attacks exploiting WordPress vulnerabilities that evade traditional security solutions."

Interested in learning more? Visit valicyber.com to see if ZeroLock is the right solution for you.
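The two earliest, noisiest signals in the attack chain demonstrated above are visible without any vendor product: the brute-force run against wp-login.php shows up in the web server's access log, and the webshell shows up as a shell or downloader whose parent is the web server (the Apache -> dash -> ls tree in Figure 7, the pattern behind the T1059 alert). The script below is an added example for this page, not ZeroLock's detection logic or anything from the article. The access-log lines and the process snapshot are constructed; the field layouts are hypothetical, and the threshold and window are arbitrary starting points.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed Apache access-log lines (combined format, trimmed): a burst of
# POSTs to wp-login.php from one address ending in a 302, which is the
# redirect WordPress issues after a successful login, then a normal login.
ACCESS_LOG = """\
203.0.113.7 - - [14/May/2023:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [14/May/2023:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [14/May/2023:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [14/May/2023:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [14/May/2023:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312
203.0.113.7 - - [14/May/2023:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.9 - - [14/May/2023:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.9 - - [14/May/2023:10:05:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9810
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def wp_login_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> Dict[str, dict]:
    """Flag IPs with >= threshold POSTs to wp-login.php inside window_s seconds.
    A 302 inside the burst means one of the guesses worked."""
    attempts: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts[m["ip"]].append((ts, int(m["status"])))
    findings: Dict[str, dict] = {}
    for ip, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            if len(burst) >= threshold:
                findings[ip] = {"attempts": len(burst),
                                "succeeded": any(status == 302 for _, status in burst)}
                break
    return findings

# Constructed process snapshot as (pid, ppid, user, comm), mirroring Figure 7:
# one Apache worker forks the system shell to run "ls", another fetches a payload.
PROCESSES = [
    (1, 0, "root", "systemd"),
    (700, 1, "root", "sshd"),
    (701, 700, "admin", "bash"),
    (702, 701, "admin", "ls"),
    (800, 1, "root", "apache2"),
    (801, 800, "www-data", "apache2"),
    (802, 800, "www-data", "apache2"),
    (950, 801, "www-data", "dash"),
    (951, 950, "www-data", "ls"),
    (960, 802, "www-data", "dash"),
    (961, 960, "www-data", "curl"),
]

WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}
SUSPECT_CHILDREN = {"sh", "dash", "bash", "python3", "perl", "php", "curl", "wget"}

def web_spawned_shells(procs: List[Tuple[int, int, str, str]]) -> List[Tuple[int, str, str]]:
    """Return (pid, user, ancestry) for interpreters/downloaders descended from a
    web server process: the pattern behind MITRE ATT&CK T1059 webshell alerts."""
    by_pid = {p[0]: p for p in procs}
    findings = []
    for pid, _, user, comm in procs:
        if comm not in SUSPECT_CHILDREN:
            continue
        chain, cur = [], pid
        while cur in by_pid:                      # walk up to the root
            chain.append(by_pid[cur][3])
            cur = by_pid[cur][1]
        if any(name in WEB_SERVERS for name in chain[1:]):
            findings.append((pid, user, " -> ".join(reversed(chain))))
    return findings

if __name__ == "__main__":
    for ip, info in wp_login_bruteforce(ACCESS_LOG).items():
        print(f"brute force from {ip}: {info}")
    for pid, user, ancestry in web_spawned_shells(PROCESSES):
        print(f"T1059 candidate pid={pid} user={user}: {ancestry}")
```

On the sample data the first detector flags 203.0.113.7 with six attempts and a success, and the second flags the two dash processes and the curl child under Apache while ignoring the administrator's SSH shell. On a real host the process snapshot would come from /proc or from audit execve events, and a site that legitimately runs PHP-CLI from the web server needs that path allow-listed rather than the whole detector loosened.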

May 14, 2023 | Brittany Day

ClamAV: Critical Bugs Patched for RCE and Info Leakage Threats

Recently, researchers found two critical flaws in the ClamAV open-source antivirus engine. These flaws lead to remote code execution (RCE) and remote information leakage on susceptible devices. ClamAV has now released patch versions addressing these vulnerabilities. This article will discuss the flaws' discovery, their impact, and how to protect against them.

The Discovery & The Impact

An RCE vulnerability was discovered in the HFS+ file parser (CVE-2023-20032). It received a CVSS score of 9.8 out of 10 in the National Vulnerability Database and affects versions 1.0.0, 0.105.1, 0.103.7, and earlier versions of all three branches. Cisco Talos states, "This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write. An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device." A successful exploit lets an attacker run arbitrary code with the privileges of the ClamAV scanning process, or crash the scanner, resulting in a denial of service (DoS).

The second threat is a remote information leakage vulnerability in the DMG file parser (CVE-2023-20052). The bug affects versions 1.0.0, 0.105.1, 0.103.7, and earlier. Cisco Talos notes, "This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device."

What Can I Do to Protect Against These Bugs?

ClamAV has released patched versions 0.103.8, 0.105.2, and 1.0.1 that fix these issues. Fedora has also published a security advisory for these vulnerabilities. ClamAV states, "All users should update as soon as possible to patch for two remote code execution vulnerabilities that we recently discovered and patched." The release files are available for download on ClamAV.net, the GitHub Release page, and through Docker Hub. We urge all users to update now to protect against attacks leading to compromise and to prevent unauthorized disclosure of sensitive information.

Be sure to register as a LinuxSecurity user, then subscribe to our Linux Advisory Watch newsletter and customize your advisories for the distro(s) you use to stay up-to-date on the latest, most significant problems impacting your systems' data and network security.
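Because the fixes landed on three separate branches, "am I patched?" is a branch-aware comparison, not a simple "newer than X" check: 0.105.1 is affected even though it is numerically above the fixed 0.103.8. The script below is an added example for this page, not tooling from the ClamAV project. It reads the banner that clamscan --version prints and maps it onto the fixed releases named above. Two rules in it are assumptions rather than facts from the article: a branch newer than 1.0 is treated as carrying the fixes, and a branch with no fixed release in the list (0.104.x, for example) is reported as unsupported and should be treated as affected.

```python
import re
import subprocess
from typing import Tuple

# Releases that carry the fixes, per branch, as named in the advisory.
FIXED = {(0, 103): (0, 103, 8), (0, 105): (0, 105, 2), (1, 0): (1, 0, 1)}

VERSION_RE = re.compile(r"\bClamAV\s+(\d+)\.(\d+)\.(\d+)")

def parse_clamav_version(banner: str) -> Tuple[int, int, int]:
    """Pull (major, minor, patch) out of a banner such as
    'ClamAV 0.105.1/26822/Sun Feb 19 08:21:47 2023' (constructed example;
    the part after the slash is the signature database version)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not a ClamAV version banner: {banner!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch

def assess(banner: str) -> str:
    """'fixed', 'affected', or 'unsupported' (no patched release on that branch;
    treat it as affected and move to a supported branch)."""
    version = parse_clamav_version(banner)
    branch = version[:2]
    if branch in FIXED:
        return "fixed" if version >= FIXED[branch] else "affected"
    if branch > max(FIXED):
        return "fixed"        # assumption: branches cut after 1.0.1 include the fixes
    return "unsupported"      # e.g. 0.104.x: no fixed release listed for it

def assess_installed() -> str:
    """Run clamscan --version on this host and assess the result."""
    proc = subprocess.run(["clamscan", "--version"], capture_output=True, text=True, check=True)
    banner = proc.stdout.strip()
    return f"{banner}: {assess(banner)}"

if __name__ == "__main__":
    print(assess_installed())
```

Run it on each scanning host (or against the output collected by your configuration management) rather than trusting the distribution package name, since distributions backport fixes under their own version strings; where a distro has done that, the Fedora advisory mentioned above, not this numeric check, is the authority.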

Feb 19, 2023 | Brittany Day

Sysrv-K Botnet: New Threat to Linux Web Servers and Systems

Last Friday, Microsoft announced that it had discovered a new botnet that exposes both Windows and Linux computers and web servers to new threats. The botnet, known as Sysrv-K, takes advantage of unpatched computers by installing cryptocurrency miners.

According to NHS Digital, the technology provider for England's National Health Service, the original version of Sysrv was first discovered in late 2020. Sysrv contains a worm that scans for computers running outdated internet-facing software and exploits their unpatched vulnerabilities. Once inside, it adds the newly infected computer to the botnet and installs a program that uses the machine's processing power to mine the Monero cryptocurrency. Once on a computer, Sysrv also attempts to spread to other computers on the network, endangering the entire network.

Unlike previous versions of Sysrv, Sysrv-K can also capture database credentials, allowing it to take over web servers. Although Linux is generally regarded as more secure than Windows, NHS Digital reports that Sysrv is a threat not only to Windows but to "most popular distributions" of Linux. Sysrv-K's new ability to take over web servers is especially dangerous for Linux users; according to ZDNet, over 95% of web servers run Linux.

Because Sysrv-K deletes the cryptominer's configuration files and hides itself from the process list, it can be difficult to detect manually. NHS Digital nonetheless recommends monitoring systems for unusual activity, and Microsoft announced that Sysrv-K can be detected by Microsoft Defender. Most importantly, since Sysrv-K targets security flaws for which patches have already been released, one of the best ways to protect against it is to make sure that all of your software is up to date.
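"Hides itself from the process list" usually means a userland hook that filters the miner's PID out of the /proc directory listing that ps and top read. The kernel still answers for the PID directly, so asking for /proc/<pid>/status for every possible PID and comparing with the listing exposes the gap; this is the same idea as the proc/brute checks in tools such as unhide. The script below is an added example for this page, not code from Microsoft's or NHS Digital's write-ups. It is Linux-specific, takes the listing and the existence probe as parameters so the logic can be exercised on constructed data, and filters thread IDs (which have /proc entries but are never listed) and PIDs that merely started between the two passes, both of which would otherwise be false positives.

```python
import os
from typing import Callable, Set

def listed_pids() -> Set[int]:
    """PIDs visible by reading the /proc directory: the same view ps relies on,
    and the one a userland rootkit filters when it hides a process."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def is_process(pid: int) -> bool:
    """True if the kernel has a thread-group leader with this PID. Opening
    /proc/<pid>/status bypasses readdir(), and the Tgid check skips thread IDs,
    which also have /proc entries but never appear in a process listing."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False
    return False

def read_pid_max() -> int:
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read().strip())

def hidden_pids(listed: Set[int], exists: Callable[[int], bool], pid_max: int) -> Set[int]:
    """PIDs the kernel knows about that were absent from the directory listing."""
    return {pid for pid in range(1, pid_max + 1) if pid not in listed and exists(pid)}

def confirm_hidden(candidates: Set[int], exists: Callable[[int], bool],
                   relist: Callable[[], Set[int]]) -> Set[int]:
    """Drop races: a PID that simply started after the first listing shows up in
    a second listing, and one that has since exited no longer exists."""
    second = relist()
    return {pid for pid in candidates if pid not in second and exists(pid)}

def describe(pid: int) -> str:
    """Best-effort context for a finding: the command line and the exe target.
    A binary unlinked after launch, common for dropped miners, reads '(deleted)'."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        cmdline = "?"
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        exe = "?"
    return f"pid={pid} exe={exe} cmdline={cmdline!r}"

def find_hidden_live() -> Set[int]:
    candidates = hidden_pids(listed_pids(), is_process, read_pid_max())
    return confirm_hidden(candidates, is_process, listed_pids)

if __name__ == "__main__":
    found = find_hidden_live()
    if not found:
        print("no hidden PIDs found")
    for pid in sorted(found):
        print("HIDDEN:", describe(pid))
```

The live scan probes every PID up to pid_max (often 4194304 on 64-bit systems), which takes a few seconds in Python but is still cheaper than a full rootkit scanner. Run it as root so /proc/<pid>/exe is readable for other users' processes; an empty result only rules out readdir-level hiding, not a kernel module that lies to every caller.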

May 17, 2022 | Yosef Davidowitz

IoT Cybersecurity: Protect Your Router With Open-Source Firmware

The Internet of Things (IoT) is rapidly growing, connecting more devices each day, making it a huge aspect of modern cyber security trends. It is projected that by 2025, the world will have an astounding 64 billion IoT devices. . IoT expansion offers significant benefits, including connected healthcare devices, which provide people with better insight into their health than ever before, and the implementation of smart lighting, which can reduce energy consumption and lower your electric bill. However, with this increased connectivity also comes increased digital risk, as malicious hackers and cybercriminals have more entry points and exploits in cybersecurity they can utilize to instigate attacks and cloud security breaches. Web crawlers like Shodan and BinaryEdge, which are intended to aid in security research, make it easy for threat actors to identify cyber security vulnerabilities in Internet systems in order to compromise a server and introduce it to a botnet. IoT introduces a few privacy concerns, as new Fraunhofer Institute for Communication (FKIE) research examined in this feature article reveals that your wireless router could very well be the biggest network security threat in your Linux system. These routers could be left exposed 24/7, leaving them susceptible to malware infections and other network security issues that could be the result of poor safety configurations and outdated policies. Luckily, there are various measures that Linux users can take to secure their wireless routers and protect their systems, such as a Linux firmware replacement. This article will explore the benefits of “flashing” your wireless router with alternative open-source firmware as well as introduce some great alternative firmware and single-purpose OSes to consider. What Are the Benefits of Open-Source Router Firmware on Data and Network Security? 
Using open-source firmware instead of stock router firmware is fundamental in securing your network against malware and other exploits in cybersecurity. Stock router firmware is limited in functionality, generally unreliable, and susceptible to dangerous cyber security vulnerabilities. Wireless router manufacturers frequently fail to utilize security patching to take care of critical flaws in the system, leaving devices exposed and defenseless. Conducting a firmware replacement can mitigate this risk. Alternative open-source firmware is vetted and tested by a vibrant global community to detect and eliminate network security threats like bugs and potential backdoors by implementing the latest cybersecurity trends. Open-source firmware provides exceptional security and product quality. Flashing the firmware in your wireless router also results in superior performance, network stability, and a wider range of advanced features, including VPN integration, bandwidth monitoring, VLAN support, and advanced wireless setups.

While flashing your wireless router with open-source firmware can help mitigate network security issues posed within your system, firmware replacements do not make you immune to cyber security vulnerabilities. You should still integrate as many basic practices as possible to improve security posture, such as changing default passwords and keeping on top of firmware upgrades.

Router Firmware Alternatives to Mitigate Network Security Threats

Flashing wireless routers has become an increasingly common way to improve security posture, and fortunately, there is a wide selection of open-source router firmware alternatives available for users to consider. Each firmware alternative offers similar advantages but also contains a few unique characteristics that should be looked into based on your company's needs and priorities.
Here are the five greatest options:

DD-WRT

DD-WRT is the most popular Linux-based alternative open-source firmware and is well-suited for a variety of wireless routers and embedded systems. The freely available firmware supports a wide range of functionality, including IPv6, DNS caching, and adblocking, and is easy to manage. DD-WRT is a highly reliable firmware that often reduces the number of aggravating router connectivity issues that users would experience elsewhere. This is in part due to the fact that DD-WRT is a Linux-based program, and the transparency of its source code enables developers worldwide to collaborate in continually updating its code. Moreover, no corporation has the ability to modify the firmware to increase profits. DD-WRT is also highly customizable, providing users with increased control over their router so they can use the privacy-enhancing technology and security controls as needed. Other key benefits of flashing your WLAN router with DD-WRT firmware include increased power from your router through overclocking, improved Quality of Service (QoS), more insight into your router’s performance, faster connection speeds, and better VPN support. Learn how to install DD-WRT on your router in this detailed tutorial.

What Makes DD-WRT So Great:
- Supports over 200 wireless routers and IoT devices
- Highly reliable and customizable
- Provides easy handling
- Supports all current WLAN standards
- Offers a wide range of advanced functionalities, including bandwidth management, IPv6, DNS caching, and adblocking
- Improved VPN support and QoS
- Increased power from your router and faster connection speeds

Helpful Resources:
- Explore DD-WRT and look at Supported Devices
- Learn how to install DD-WRT on your router in this informative YouTube video

OpenWrt

OpenWrt is a single-purpose Linux OS that focuses on embedded devices, most commonly wireless routers.
OpenWrt provides a fully writable filesystem with package management rather than static firmware and is both stable and full-featured. Besides the fact that it is closely monitored by the open-source community, the OS keeps software components up-to-date, a task that is often neglected in the industry, resulting in serious network security issues. One of the most attractive features of OpenWrt is the level of customization that it offers through the use of packages. For developers, OpenWrt provides the framework to build an application without having to develop a complete firmware around it. For users, the OS makes it possible to use IoT devices in ways that they may have previously written off as unthinkable.

Another key benefit of flashing your router with OpenWrt is the ability to use its SSH server for SSH tunneling. By exposing the SSH server to the Internet, users can access it remotely and use SSH tunneling to securely access websites from public Wi-Fi. This feature also makes it possible to visit websites that can typically only be accessed in your home country while traveling abroad, demonstrating the software’s capabilities as privacy-enhancing technology.

Finally, if you’re already using a router, why not have that same router also function as a server? OpenWrt makes it possible for a router to also function as a server, whether it is a web server, an IRC server, a BitTorrent tracker, or something else.
What Makes OpenWrt So Great:
- Provides a fully writable filesystem with package management
- Offers a high level of customization through the use of packages
- Eliminates the need for application selection and configuration
- Enables developers to build applications without needing to build firmware around them
- Allows users to securely access websites over public Wi-Fi and abroad by using its SSH server for SSH tunneling
- Makes it possible to perform traffic-shaping and QoS on the packets traveling through a router, prioritizing certain types of traffic
- Offers increased stability and improved performance

Helpful Resources:
- Explore OpenWrt and look at Supported Devices
- Connect with OpenWrt on Facebook
- Learn how to install OpenWrt on an x86 router in this brief YouTube video

AdvancedTomato

AdvancedTomato is a small, lean, open-source alternative firmware for Broadcom-based routers. The firmware features a user-friendly GUI, making it ideal for users who have never flashed their router before. As its name suggests, AdvancedTomato offers a selection of advanced features, including QoS, a new bandwidth usage monitor, a wireless distribution system (WDS), wireless client modes, and increased P2P maximum connection limits. The firmware also provides users with the ability to run custom scripts, reprogram the SES/AOSS button, and perform a wireless site survey.

What Makes AdvancedTomato So Great:
- Has a user-friendly GUI
- Offers new and improved features, including a bandwidth usage monitor, WDS, and wireless client modes
- Provides advanced QoS and password access restrictions
- Increases the P2P maximum connection limit
- Gives users the ability to run custom scripts, connect via Telnet/SSH, reprogram the SES/AOSS button, and perform a wireless site survey
- Configurable buttons and LEDs

Helpful Resources:
- Explore AdvancedTomato and look at Supported Devices
- Learn how to install AdvancedTomato on your wireless router in this YouTube video
FreshTomato

FreshTomato, a fork of the AdvancedTomato firmware, is another alternative open-source firmware for Broadcom-based routers. Like AdvancedTomato, this firmware offers a particularly user-friendly interface, making it another great option for inexperienced users. FreshTomato is ideal for privacy-conscious users, as protecting privacy online is where the firmware truly shines. FreshTomato features a built-in OpenVPN server and client, a built-in Tor client, and a built-in ad-block. The firmware also provides bandwidth and IP Traffic monitoring and support for a selection of wireless modes, among a plethora of other useful features. FreshTomato version 2020.5, the latest stable version, was released on July 17, 2020.

What Makes FreshTomato So Great:
- Offers built-in privacy-protecting features, including an OpenVPN server and client, a Tor client and an ad-block
- The very user-friendly interface makes the firmware ideal for inexperienced users
- Provides IP Traffic and bandwidth monitoring
- Support for various wireless modes
- Advanced QoS is accompanied by the ability to configure labels for QoS classes
- Enabled SSH/Telnet protocols

Helpful Resources:
- Explore FreshTomato and Supported Devices
- Install FreshTomato on a Linksys E1200 router in this informative YouTube video

Gargoyle

Gargoyle is a free open-source firmware upgrade for wireless routers based on the OpenWRT firmware. Like AdvancedTomato, Gargoyle is heralded for its ease of use and reliability. Gargoyle offers a multitude of benefits, including abilities such as monitoring bandwidth usage for every computer in your system, configuring a wireless bridge that connects two networks and blocks forbidden websites, and blocking everything except for a list of allowed addresses for security-conscious users. With Gargoyle, everyone can set quotas and throttles to ensure that data and network security are maintained through all resources, which are then allocated fairly.
What Makes Gargoyle So Great:
- Reliable and easy to use
- Gives users the ability to monitor bandwidth usage for each computer in their system
- Simplifies configuring a wireless bridge between two networks
- Allows users to block forbidden websites or restrict access to only a list of allowed addresses if they wish to do so
- Quotas and throttles can be set to ensure that network resources are allocated fairly

Helpful Resources:
- Explore Gargoyle and look at Supported Devices
- Use YouTube to install Gargoyle on a TP-Link TL-WR1043ND V2 router in three minutes

Final Thoughts on Preventing Cybersecurity Vulnerabilities from Harming Your Router

Recent security research has made it clear that router manufacturers are losing interest in implementing proper security measures, which is a terrible bout of security news to swallow. It is imperative that users assume responsibility for their data and network security through the wireless routers they utilize. Dave Wreski, the founder of LinuxSecurity.com, provided some valuable insight on the topic of cybersecurity vulnerabilities, pulling knowledge from his expertise on open-source security and his experience working with wireless routers:

“Engaging in general router security best practices such as keeping firmware updated, changing default passwords and doing adequate research prior to purchasing a router can help mitigate the risk that your wireless router poses to your system and protect your security and privacy online. That being said, flashing the likely-vulnerable stock firmware in your router with alternative open-source firmware is the single most effective way to secure your router against the prevalent and serious firmware vulnerabilities present in many leading wireless router brands.”

The growth of IoT devices brings challenges yet presents opportunities via collaborative software to safeguard systems against vulnerabilities.
Tags: IoT Security, Open Source Routers, Firmware Replacement, Network Safety.

Aug 03, 2020 | Brittany Day

Creating A Virtual Honeynet: Configuration and Data Capture Techniques

Hisham shares his experiences with building a virtual honeynet on his existing Linux box. He describes data capture and control techniques, the types of honeynets, and configuration changes to get one running on your system.

Introduction

Creating a virtual honeynet is no more than configuring a number of virtual networked systems to log all activity heading to them, while looking as inconspicuous as possible. Don't worry if you feel you can't afford the resources needed to run the honeynet. Virtual honeynets are cheap, powerful and easy to administer. This paper includes an account of my experiences, which should make the process of configuring your own virtual honeynet easier. Before getting started, there are a few points that may require some explanation. Both the UML and OpenSSH definitions were taken from their respective homepages.

Honeynet Data Capture and Data Control Tools

What do DCAP and DCON mean and what are their uses? Data CAPture (DCAP) tools are tools made specially for the purpose of capturing data streams, whether network or host-based activity. These tools are placed everywhere in your honeynet to capture every little move made by the attackers. Data CONtrol (DCON) tools are devices or systems built for the purpose of controlling the activity of specified sources; in other words, a firewall that limits the number of allowed outbound connections is considered a form of DCON. So when the paper talks about firewalls, that is Data Control. When the paper talks about SNARE, that is one form of Data Capture.

What is an IDS?

Intrusion Detection Systems are technologies that detect/reduce risk, but do not eradicate it altogether. Mr. Danny Rozenblum goes pretty deep into the subject of intrusion detection in his paper Understanding Intrusion Detection Systems.

Honeypot or Honeynet?
A honeynet is only one type of honeypot, which is supposed to emulate a real production network, while a honeypot is a single host designed as a lure-and-log system (i.e. a system with a packet sniffer and a keylogger to log all activity on it, and most likely programs that simulate vulnerable services). Lance Spitzner has written a more in-depth paper which discusses the definitions and value of honeypots. It also covers various honeypot solutions you can download and try on your own.

What is OpenSSH?

OpenSSH is a free implementation of the SSH protocol suite of network connectivity tools that increasing numbers of people on the Internet rely on for secure remote communications. Many users of telnet, rlogin, ftp, and other such programs might not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods.

User-Mode Linux and the Honeynet

User-Mode Linux is a safe, secure way of running Linux versions and Linux processes. Run buggy software, experiment with new Linux kernels or distributions, and poke around in the internals of Linux, all without risking your main Linux setup. User-Mode Linux gives you a virtual machine that may have more hardware and software virtual resources than your actual, physical computer. Disk storage for the virtual machine is entirely contained inside a single file on your physical machine. You can assign your virtual machine only the hardware access you want it to have. With properly limited access, nothing you do on the virtual machine can change or damage your real computer, or its software.

What are the advantages and disadvantages of a honeynet?
- If your honeynet is connected to your production network, most attackers will trip over your honeynet before reaching your real systems (i.e. the honeynet will detect attacks in their early stage).
- After a while of monitoring the activity of your honeynet, a more accurate security policy could be created.
- A honeynet could teach you something about incident response: if a honeypot is compromised, the forensics that you would do to understand how the attack happened could be a nice way to hone your incident response skills, before a real system gets compromised and you don't know where to start.
- Some attackers take honeynets as a challenge to their powers. With this little tip, you could clone your real network, mainly the DMZ, and create a honeynet out of it; that way you could make sure no misconfigurations lead to an unwanted compromise (consider it a free pen-test).
- If you don't consider any of the points above to be advantages, then maybe you would like to go for a research honeynet to learn more about the tactics and methods of the blackhat community.

Having your systems rooted is bad, but having them used to launch future attacks is even worse.

- If a honeynet is successfully compromised, the attacker could use it as a hop to start other attacks or as a hop for an attack against one of your real systems. This is considered the main disadvantage of a honeynet (having your honeynet attack a third party could start some unwanted trouble).
- Honeynets may lead to wrong decisions related to enhancing your security policy (i.e. maybe you consider telnet to be insecure because it transmits data in the clear, but installing an ssh1 server may represent a bigger threat, as ssh1 is known to have a number of problems that usually lead to system compromises).

Types of honeynets

There are various types of honeynets, but due to the limited space of this paper, I will only discuss the commonly used types.
Classic Honeynets -- A classic honeynet is created using real (physical) systems, one per honeypot. This method is not encouraged, for price and administration-difficulty reasons, so admins usually drop the idea of having a honeynet after two months of headaches caused by this type of honeynet.

Virtual Honeynets -- A virtual honeynet is a group of virtual systems, each run within an emulator, that when networked together create a virtual production environment. This type of honeynet overcomes the disadvantages of classic honeynets without losing any of their power or flexibility. Mike Clark of the Honeynet Project has written a nice paper that covers this topic.

There are some important points that we have to keep in mind before starting.
- The honeynet should be as basic as possible with the least modifications to the system (i.e. the attacker should never find out that the system he is on is actually a honeynet).
- As mentioned in the first disadvantage of honeynets, a honeynet could be used to start future attacks; therefore the attacker's chance of successfully attacking a third party should be decreased (limiting the number of outbound connections is one way of decreasing the risk).
- The honeynet should follow the Honeynet Definitions, Requirements, and Standards stated by the Honeynet Research Alliance.

Preparing the Honeynet

There are a number of tools that will help us in creating our virtual honeynet. Many of these are likely already installed on your system. These tools include:
- MySQL
- Snort
- Eyes On Exec
- FireWall Builder
- OpenSSH
- Modular Syslog
- SNARE

Now we are completely ready for creating the honeynet, so let's get started!

Creating the Host

Because all our honeypots are going to run off one system, we should prepare that system to act as a gateway, firewall, and router for our virtual honeynet. The first step is to prepare Firewall Builder.
Installing fwb is pretty straightforward, assuming fwbuilder-0.9.7.tar.gz (the latest version at the time of writing) is in /usr/local/downloads.

    # cd /usr/local/downloads
    # tar -zxf fwbuilder-0.9.7.tar.gz
    # cd fwbuilder-0.9.7
    # ./configure
    # make && make install

This will perform the install in /usr/local/bin. Assuming X is running on your system, fwbuilder should appear as a new item in your Menu. Start the GUI (assuming the install went ok, the GUI should load without any troubles) and define localhost as the target fw to push the security policy to, then create network objects as follows (this honeynet is based on SFHN's honeynet; take the tour here). For the sake of simplicity, I will consider 10.10.10.0/24 routable addresses and I will also consider the firewall, snort management and syslog server to be on the same machine.

Name | Type | IP or Group items | Description
Firewall | Workstation | 10.10.10.1 | honeynet administrator
Roxen | Workstation | 10.10.10.80 | This system is running the Roxen webserver instead of running an IIS
DNS | Workstation | 10.10.10.53 | This is our DNS server
Sendmail | Workstation | 10.10.10.110 | This is our mailserver
Apache | Workstation | 10.10.10.81 | This is another webserver running beside Roxen; it would be nice to find vulnerabilities in it
honeynet | Group | Roxen+DNS+Sendmail+Apache | These are our honeypots

Security Policy

Now that we have all our systems defined, we should create our rulebase, but first we need to outline our security policy.
- Any host may connect to "Firewall" using ssh or MySQL.
- Any host could connect to our honeynet.
- Our honeynet is allowed to access any host.
- Anything else should be dropped.
- Everything that passes our firewall should be logged.

Now we must define the rulebase.
Num | Source | Destination | Service | Action | Log
00 | any | Firewall | ssh or MySQL | Accept | Log
01 | any | honeynet | any | Accept | Log
02 | honeynet | any | any | Accept | Log
03 | any | any | any | Drop | Log

Now that our system is ready to pass connections to and from our honeynet, we should move on to the next step.

Configuring the Remote Log Server

There are two types of logging that can be used.
- MySQL
- ssyslogd

Assuming mysql-3.23.28-gamma-pc-linux-gnu-i686.tar.gz is in /usr/local/download, perform the following steps to configure.

    # cd /usr/local/download
    # tar xzf mysql-3.23.28-gamma-pc-linux-gnu-i686.tar.gz
    # ln -s mysql-3.23.28-gamma-pc-linux-gnu-i686 mysql
    # cd mysql
    # ./scripts/mysql_install_db

Start MySQL with:

    # cd /usr/local/mysql
    # ./bin/safe_mysqld &

Now set up a password for user root (the word "mypass" will be our password).

    # ./bin/mysqladmin -u root password mypass

Finally, create a user for snort and another for ssyslogd and give them INSERT, DELETE, USAGE, SELECT on their respective databases.

    # echo "CREATE DATABASE snort" | mysql -u root -pmypass
    # echo "CREATE DATABASE ssyslog" | mysql -u root -pmypass
    # mysql -u root -pmypass
    mysql> GRANT INSERT,SELECT ON snort.* TO root@'%';
    mysql> GRANT INSERT,SELECT ON ssyslog.* TO root@'%';
    mysql> quit

This should have everything MySQL related done. We only have one last point related to logging, which is installing ssyslog (our first level of DCAP). Assuming msyslog-pre_1.08f.tar.gz is in /usr/local/downloads, perform the following steps.

    # cd /usr/local/downloads
    # tar -zxvf msyslog-pre_1.08f.tar.gz
    # cd msyslog-pre_1.08f
    # ./configure
    # make && make install

This will install msyslogd. The default configuration is pretty fine; we only have to do one more thing, which is telling it to use MySQL as its default logging method. So, we simply copy the syslog.mysql.conf file to syslog.conf and change the logserver, user and password to whatever suits your environment. So far, so good. Now for the IDS.
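As an added example (not part of Hisham's paper), a small Python evaluator for the four-rule rulebase above: it answers which rule a given connection hits (first match wins, rule 03 catches the rest) and renders a rule as iptables commands with a LOG rule ahead of the terminating one. The addresses come from the object table above; the outside address 192.0.2.10 used below is constructed, and the iptables rendering is my own mapping, not Firewall Builder's output.

```python
"""Added example: first-match evaluator for the honeynet rulebase plus an
iptables rendering. Hosts and addresses are from the article's object table;
192.0.2.10 is a constructed outside address."""
from dataclasses import dataclass

# Network objects from the article's table (the firewall is also the gateway).
OBJECTS = {
    "Firewall": {"10.10.10.1"},
    "honeynet": {"10.10.10.80", "10.10.10.53", "10.10.10.110", "10.10.10.81"},
}
SERVICES = {"ssh": 22, "MySQL": 3306}  # "ssh or MySQL" in rule 00


@dataclass(frozen=True)
class Rule:
    num: str
    source: str        # object name or "any"
    destination: str   # object name or "any"
    services: tuple    # service names, or ("any",)
    action: str        # "Accept" or "Drop"
    log: bool = True   # every rule in the article logs


RULEBASE = [
    Rule("00", "any", "Firewall", ("ssh", "MySQL"), "Accept"),
    Rule("01", "any", "honeynet", ("any",), "Accept"),
    Rule("02", "honeynet", "any", ("any",), "Accept"),
    Rule("03", "any", "any", ("any",), "Drop"),
]


def _matches_host(obj: str, addr: str) -> bool:
    return obj == "any" or addr in OBJECTS.get(obj, set())


def _matches_service(services: tuple, dport: int) -> bool:
    return "any" in services or any(SERVICES[s] == dport for s in services)


def evaluate(src: str, dst: str, dport: int) -> tuple:
    """Return (rule number, action) of the first matching rule.
    Rule 03 is the catch-all, so something always matches."""
    for rule in RULEBASE:
        if (_matches_host(rule.source, src)
                and _matches_host(rule.destination, dst)
                and _matches_service(rule.services, dport)):
            return rule.num, rule.action
    raise AssertionError("catch-all rule missing")


def to_iptables(rule: Rule, chain: str = "FORWARD") -> list:
    """Render one rule as iptables commands, one per source/destination/port
    combination. Rule 00 targets the gateway itself, so pass chain="INPUT"
    for it; traffic to and from the honeypots goes through FORWARD."""
    srcs = sorted(OBJECTS[rule.source]) if rule.source != "any" else [None]
    dsts = sorted(OBJECTS[rule.destination]) if rule.destination != "any" else [None]
    ports = [SERVICES[s] for s in rule.services] if "any" not in rule.services else [None]
    target = "ACCEPT" if rule.action == "Accept" else "DROP"
    cmds = []
    for s in srcs:
        for d in dsts:
            for p in ports:
                match = f"-A {chain}"
                if s:
                    match += f" -s {s}"
                if d:
                    match += f" -d {d}"
                if p:
                    match += f" -p tcp --dport {p}"
                if rule.log:  # log first, then take the terminating action
                    cmds.append(f'iptables {match} -j LOG --log-prefix "rule{rule.num}: "')
                cmds.append(f"iptables {match} -j {target}")
    return cmds


if __name__ == "__main__":
    # Outside host hitting the firewall's ssh port, then a non-allowed port.
    print(evaluate("192.0.2.10", "10.10.10.1", 22))    # ('00', 'Accept')
    print(evaluate("192.0.2.10", "10.10.10.1", 80))    # ('03', 'Drop')
    for cmd in to_iptables(RULEBASE[0], chain="INPUT"):
        print(cmd)
```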
The IDS (our second level of DCON)

As this is a honeynet, there will be too much activity to analyze by hand; that's why IDSs are installed on most honeynets nowadays. But which type of IDS should we use? Answering this question requires some understanding of the types of IDSs.

Types of IDS

There are two common types of IDSs, Network-based (NIDS) and Host-based (HIDS). Network-based methods record communication packets and attempt to identify attacks through network traffic. NIDS are easy to manage and transparent to users (which is important in a honeynet environment). However, NIDS aren't scalable to large networks and tend to generate more false positives than HIDS. On the other side, host-based methods deploy a monitor on each system, which is a more scalable solution than NIDS, but harder to manage. Still, intrusion detection is easier on the system level and the accuracy rate is better than that of NIDS.

Making the Decision

In order to choose whether to go for a HIDS or a NIDS, we should outline what we want our IDS to do. Since this is a research honeynet, our primary goal will be to log all activity on both the system and network level. Yet, a HIDS on the real (physical) system would be of no use, as most attacks would be against the honeynet and most attackers just don't target the firewall in normal circumstances. So, I will not have an advanced HIDS on the real (physical) system; instead, I will only prevent it from loading a shell with super-user privileges and use snort on it to log and detect attacks against any virtual system.

The HIDS: Eye On Exec

As I said before, there is no need for an advanced HIDS on the real (physical) system, but for prevention reasons, I will install EoE, which is a basic HIDS that detects any attempt made by a process to start a shell with super-user privileges, kills the shell and either prints a warning, e-mails the administrator or both.

Setting up EoE

Installing EoE is the basic and usual. Follow the steps outlined below.
    # cd /usr/local/downloads
    # tar -zxvf eoe-2.51.tar.gz
    # cd EoE
    # make && make install

eoe.pl is the configuration file; its defaults are pretty good, just change the e-mail address that should be used to your current e-mail. EoE will prevent a huge amount of attacks targeting the firewall.

The NIDS: Snort

Because snort's installation, preparation and configuration need too much space, I won't discuss them even briefly; instead I would point you to Richard La Bella's HOWTO Build a Snort/ACID Console on Red Hat Linux, which is a great paper that covers this topic in great detail. I would just like to name a simple addition to Richard's paper: in the case of honeynets, we do not set up snort to detect attacks only. Instead, because it is going to be installed on the gateway (i.e. all traffic will pass through it), I would prefer to have it log all connections first and then detect attacks. The Honeynet Project has provided a sample configuration file for this. I prefer this way for two reasons: it eliminates the need for another sniffer (too much load), and in case an attack is not detected by Snort, we could go through the traffic logs briefly and find such attacks. Just remember to set up logging to your MySQL database in real time, and to syslogd (ssyslogd in our case) on a daily basis (this should match the Honeynet Definitions, Requirements, and Standards).

So far, our system is set up as a gateway and a packet sniffer+IDS (i.e. everything is ready to move on to the last stage), except that we want to allow logging into the system in a secure fashion. So, let's set that up first.

Secure Remote Logins: OpenSSH

Most Unix users have started using ssh as a replacement for the insecure "r" commands, including rsh, rcp, rlogin and telnet. Originally SSH was free software, but after version 1.2.12 it had some strict limitations (porting to some Operating Systems and exporting issues related to encryption) which made it an undesirable solution.
So, the good guys from the OpenBSD Project decided to create a free sshd. OpenSSH depends on two other packages to install (which may or may not be installed on your system). These packages are OpenSSL and zlib. Because I'm on a Red Hat box at the moment, I will just install from RPM. Don't worry if your system is not RPM compatible (whether Debian or Slackware); installing from source is pretty similar to installing any other package. Installing the RPMs is simple. Just change dir to wherever you downloaded the RPMs (/usr/local/downloads in our case) and install the packages in the following order (if you try to change the order, your system will complain about unavailable dependencies).

    # rpm -Uvh zlib.rpm openssl-0.9.6c.rpm openssh-3.0.2p1.rpm

The version numbers might differ; just make sure you get the correct RPMs for your distribution. If OpenSSH was installed correctly, an ssh -V should show output similar to this:

    OpenSSH 3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f

As I said before, version numbers may differ, but this is the general formula.

Configuring OpenSSH

As you know, the real (physical) system should only use sshv2. So, open /etc/ssh/sshd_config in your preferred editor and change "#Protocol 2,1" to "Protocol 2", then restart sshd. Also, only DSA keys are allowed and not RSA keys, so change "RSAAuthentication yes" to "RSAAuthentication no" in /etc/ssh/sshd_config. That should do it for configuring OpenSSH. To test your configuration, issue the command "ssh -l user localhost"; this should present you with a remote login requesting the user's password. If so, then everything went pretty ok, and you are ready to start creating your virtual honeynet.

Configuring the Virtual Honeynet

Virtual honeynets usually run on a piece of software called an emulator that simplifies the process of running multiple Operating Systems in real time on one system (examples of such emulators are VMWare, Bochs and Plex86).
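An added check for the two sshd_config edits described above (my example, not part of the paper): it parses an sshd_config text and reports whether "Protocol 2" and "RSAAuthentication no" are in effect. A directive present only as a comment (the shipped "#Protocol 2,1" line) counts as unset, so the checker falls back to the OpenSSH default for it instead of reading the commented value; the sample config texts are constructed, and the defaults table is the one that applied to the OpenSSH 3.0.x releases discussed here.

```python
"""Added example: verify the sshd_config hardening the article asks for.
Sample configs are constructed; DEFAULTS is the OpenSSH 3.0.x default set."""

# Defaults that applied to the OpenSSH 3.0.x releases discussed in the article.
DEFAULTS = {"protocol": "2,1", "rsaauthentication": "yes"}
# What the article tells us to set on the real (physical) host.
REQUIRED = {"protocol": "2", "rsaauthentication": "no"}


def parse_sshd_config(text: str) -> dict:
    """Return {directive (lowercased): value} for active (uncommented) lines.
    sshd uses the first occurrence of a directive, so later duplicates are
    ignored, which is why setdefault() is used below."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out: not an active setting
        # sshd accepts "Keyword value" or "Keyword = value".
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def check_hardening(text: str) -> list:
    """Return (directive, effective value, required value) for every required
    directive whose effective value differs from the article's target.
    An unset directive takes its OpenSSH default, not a commented-out value."""
    active = parse_sshd_config(text)
    findings = []
    for key, wanted in REQUIRED.items():
        effective = active.get(key, DEFAULTS[key])
        # Normalise "2, 1" versus "2,1" spacing and case before comparing.
        if effective.replace(" ", "").lower() != wanted:
            findings.append((key, effective, wanted))
    return findings


STOCK_CONFIG = """\
# constructed sample: the shipped file with the defaults commented out
Port 22
#Protocol 2,1
#RSAAuthentication yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed sample after the edits described in the article
Port 22
Protocol 2
RSAAuthentication no
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_hardening(cfg) or "ok")
```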
All of those have the ability to run other Operating Systems under your real Operating System, but after experimenting with them for a while, I found them to be more problematic than expected (i.e. resource hogs, expensive, hard to use, etc.). So, I started looking for a simple solution that would do only one job: run linux-on-linux. I just wanted to run a virtual Linux network on my real system, and after spending some time searching for something that would do the job, I found User-Mode Linux, which is a port of the Linux kernel to itself. After reading its documentation I thought "wow! that's exactly what I want". Plus, using UML isn't hard at all; all you need is a kernel executable and a filesystem to boot. So, I'll walk you through the basic steps of starting up linux-on-linux.

Building the Kernel Executable

Just because you could get your hands on a pre-built kernel executable isn't a good excuse for not building from source. Building from source gives you the chance to add whatever patches you want or change whatever settings to what suits your needs. Download the latest kernel to /usr/local/downloads/linux (which will be our UML setup directory) and untar the image (at the time of writing the latest kernel was 2.4.15), then download and patch the kernel source tree with the latest UML patch. Assuming the patch is called uml-patch-2.4.16-2.bz2, the following set of commands should do the job.

    # cd /usr/local/downloads/linux
    # tar -zxvf linux-2.4.15.tar.gz
    # cd linux-2.4.15
    # wget -O uml-patch-2.4.16-2.bz2 https://sourceforge.net/projects/user-mode-linux/files/kernel%20patch/0.53-2.4.16/uml-patch-2.4.16-2.bz2/download
    # bunzip2 -c uml-patch-2.4.16-2.bz2 | patch -p1

You might also be interested in referring to the Kernel HOWTO for further instructions.
Now we should have the kernel source patched with the UML patch (include any patches that you want using "cat /path/to/patch | patch -p1"). So, build the kernel with your favorite configuration, but remember to include "ARCH=um" on the make line. This tells the make process that we want a kernel executable and not a normal kernel (i.e. "make xconfig" becomes "make xconfig ARCH=um"). After you are done choosing the configuration that best suits you (just remember to enable multicast networking support when asked), save and exit, then execute "make dep ARCH=um" and "make linux ARCH=um". You should now have an executable called "linux" in the top of your kernel source tree directory. "linux" is the kernel executable that will be used to boot UML, but before we move on to the next step, there is one simple point that should be explained. If two systems are booted from the same HDD, the HDD filesystem will be corrupted. This is the same case in UML: you cannot boot two UMLs from the same filesystem. So, while you're at the UML download page, get a number of filesystems (or download one and create multiple copies of it). Before we boot "linux" we should understand the syntax/arguments used; the most important arguments are discussed below.

UML Arguments

"ubdx=file" means that the virtual device /dev/ubdx (where x is a number) is present in the file called "file". This file must be a Linux native filesystem. Another option that could be used instead of "file" is "swap", which creates a swap partition on the specified device (although swap is not a Linux native filesystem, it is required by Linux to run in a correct manner), and always remember: the bigger the better.

"eth0=mcast" tells the real (physical) system to use the first Ethernet adaptor as a multicast device; this will be needed for virtual networking (unless you want to assign an Ethernet device per system).

Other parameters are available. For more on those, consult the User Mode Linux HOWTO.
To have a properly functioning network, you need to have uml_switch and uml_net running before booting "linux". Obtain uml_switch and uml_net from the User-Mode Linux download page, then build and install them with "make all && make install DESTDIR=/".

Booting the Virtual System

You would probably end up booting "linux" with a command like:

# linux ubd0=root_fs.rh72.pristine ubd1=swap eth0=mcast

I used "umn=10.10.10.50" for this example (although we did not assign 10.10.10.50 to any system) just to show you an example; instead, you will probably be booting each system with its own IP address to configure its services and traps. If everything went OK, you should be presented with a login screen; log in as 'root' with no password. From here on you will feel at home. You will need to have several services running, including Apache, BIND, Sendmail or Roxen. I can only recommend you read their installation documentation, which will really help in case everything is Greek to you. Also, I would recommend you set their logging to the highest possible level. Now that you have your servers/honeypots up and running, do some testing of the configuration before moving on. There have been quite a number of issues related to virtual networking; some people complain of mis-configured routes, packet drops, etc., but I have not encountered any of that. If you run into such a situation, please report it. I would also recommend that you visit the "Setting up the network" part of the UML documentation.

The Blackhat Trap

Next come some ideas that I found to be the best when it comes to monitoring activity.

Ssyslog -- I previously mentioned setting up and installing Ssyslog and configuring it to send logs to your MySQL database; just redo those steps (this time inside your virtual systems) and set them to log to your real (physical) system's MySQL database.
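The build-and-boot procedure above, from the per-instance filesystem copies to the ubd and eth0=mcast boot line, as an added shell example that is not code from the original article or from the UML project. It assumes a pristine image path, a work directory and an instance count given as arguments (constructed for the demo; the names root_fs.hpN, swap.hpN and ./linux are assumptions), and, unlike the article's literal ubd1=swap, gives each instance its own swap file. The check function enforces the article's warning that two UMLs must never boot from the same filesystem file.

```shell
#!/bin/sh
# Added example, not code from the original article or the UML project.
# Prepares one root filesystem copy and one swap file per UML honeypot,
# prints the boot command for each, and checks that no two boot lines share
# a ubd backing file (booting two UMLs from one file corrupts it).
# Every path and name here is a constructed assumption for the demo.

# uml_prepare_instances PRISTINE_IMAGE WORKDIR COUNT
# Copies PRISTINE_IMAGE to WORKDIR/root_fs.hpN for N in 1..COUNT, creates a
# placeholder swap file per instance, and prints one boot command per line.
uml_prepare_instances() {
    pristine="$1"; workdir="$2"; count="$3"
    [ -f "$pristine" ] || { echo "missing pristine image: $pristine" >&2; return 1; }
    mkdir -p "$workdir"
    i=1
    while [ "$i" -le "$count" ]; do
        root="$workdir/root_fs.hp$i"
        swap="$workdir/swap.hp$i"
        # Each instance gets its own copy; an existing copy is left untouched
        # so a running instance's disk is never overwritten.
        [ -e "$root" ] || cp "$pristine" "$root"
        # Tiny placeholder swap file; size it to real needs (bigger is better).
        [ -e "$swap" ] || dd if=/dev/zero of="$swap" bs=1k count=1 2>/dev/null
        printf './linux ubd0=%s ubd1=%s eth0=mcast\n' "$root" "$swap"
        i=$((i + 1))
    done
}

# uml_check_unique_backing < BOOT_LINES
# Reads boot command lines on stdin and returns 0 only if every ubdN=file
# value is unique across all lines, 1 if any backing file is shared.
uml_check_unique_backing() {
    dups=$(tr ' ' '\n' | grep '^ubd[0-9]*=' | cut -d= -f2 | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "shared UML backing file(s): $dups" >&2
        return 1
    fi
    return 0
}
```

Source the file, then run "uml_prepare_instances root_fs.rh72.pristine /usr/local/downloads/linux/honeynet 3 > boot.txt" followed by "uml_check_unique_backing < boot.txt"; the check is the part worth keeping around, since it also catches hand-edited boot lines that point two honeypots at the same image.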
Snare -- One of the biggest problems faced by honeynet admins is not knowing what exactly to log: huge logs can't be examined easily, small ones usually do not provide enough info, and even when they have the right amount of info it is not stored in a user-friendly format. This is where Snare comes in. Snare is a HIDS made specially for auditing purposes. It can log the most important system calls on your system while keeping compatibility with the Department of Defense's C2 standards. Snare represents an all-in-one auditing solution which will make life easier when it's time for the real analysis.

Installing Snare

At the time of writing, Snare version 0.8.1 was the current release. Assuming your system is an RPM-compatible system, use the following to install:

# rpm --install snare-core-0.8-1.i386.rpm snare-0.8-1.i386.rpm

Installing from source is also possible for non-RPM systems; check out Snare's documentation for more.

Configuring Snare

I am not an XFree86 fan (having it on a honeypot is useless), plus it is not worth the trouble to get it up and running under UML. So, I prefer editing the Snare configuration file by hand. The file is located at /etc/audit/audit.conf; usually the file's defaults are more than enough, just take a peek and change anything you don't like (a full explanation of the file's contents can be found here). You could also configure Snare to log to a remote logging server (in our case, the real system), or, to make sure the system's logs can't be tampered with, get an ACL program and set the log files to append-only. The grsecurity tool has a nice patch that contains a really powerful ACL admin. Note that this patch must be applied while creating the kernel executable. The last thing we have to do now is tell the system to start Snare's auditd on bootup, which can be done with:

# ln -s /etc/init.d/auditd /etc/rc.d/rc3/S90audit

One big drawback of Snare is that it doesn't log LKM loading into the kernel.
LKMs can change a lot when it comes to security (you will understand how in Appendix A), so I provided a kernel patch in the Appendix that should be applied while creating the kernel executable. This patch will detect any LKM loading and log it to ssyslogd. The previous configuration should be applied to all honeypots; from here on you are on your own to change and modify anything inside the honeypots. I have intended to keep the section about UML as small as possible because, in my honest opinion, virtual honeynets are pretty flexible and can be customized to suit any environment, so writing about this section would probably need more space than this paper has. At last you are done with your virtual honeynet; nothing else is left, but before ending this paper I would like to show you what I learned from other honeynets (this is like presenting you with a starter) just in case a honeypot is compromised. I just hope this paper has been a good resource and a real How-To on the subject of creating virtual honeynets.

References

Loadable Kernel Modules -- This section covers some issues that have started to arise lately, like using LKMs for covering tracks, DDoS, etc.

Kernel patch for detecting and logging LKM loading -- This patch does not block LKM loading attempts; it just detects them and drops a line in ssyslogd.

Modified rc.firewall to block outgoing DDoS attacks -- This script needs to be modified manually to suit your needs. By default the script does not block DDoS attacks, as this is still experimental.

Port-Scand -- Port-Scand is a port of Lance Spitzner's alert.sh to iptables. Despite the huge differences between Check Point FireWall-1 and iptables, the script maintains the full functionality of the original alert.sh.

Know Your Enemy: Honeynets -- The Honeynet Project is an effort to learn the tools, tactics, and motives of the blackhat community and share these lessons learned.
Honeynet Project Forensic Challenge Results -- Dave Dittrich of the Honeynet Project announced the results of the "Honeynet Forensic Challenge". The results of all submitted reports are available on the page. Dave also talks about how the Honeynet Project is going to continue using this example to "develop examples and best practices that fit the needs of local, state and federal law enforcement agencies in understanding and assessing computer crime cases and pursuing suspects."

Honeynet Research Alliance Announced -- The Honeynet Research Alliance is a community of organizations dedicated to researching, developing and deploying Honeynets and sharing the lessons learned. Its goal is to bring together people and organizations actively involved in Honeynet research. Its primary means of communication is a closed mailing list.

Conclusion

There are other sections that will be added to this paper later on (one of them will be reverse engineering, i.e. using the attackers' tools, including rootkits, backdoors, etc., to learn their own tactics). This paper is not the final release. Check back soon! If you find any mistakes or any point that you would like to discuss, please contact me by mail.

Building a virtual honeynet requires strategic planning to attract and analyze intrusions while safeguarding your core network's assets effectively.

Feb 17, 2002, by Brittany Day

Cheese Worm Patches 1i0n Worm Threats: Security Implications

This is exactly the question many security personnel are asking themselves with the new Cheese worm. The Cheese worm basically patches up the backdoor that the 1i0n worm created and then looks for more 1i0n worm cracked machines. Even though it does close the backdoor, it is generally thought that once a system is cracked, it cannot be resecured in any other way than wiping the disks and starting over. Assuming that the worm is written well enough that it always does exactly what it is supposed to do, I feel a patcher worm is a good thing for the Internet. The systems that the Cheese worm is breaking into are already wide open due to the 1i0n worm. After finding an open system, a cracker could use it to mask their identity during further attacks, but after the Cheese worm has patched a system, it becomes significantly harder for a cracker to use a 1i0n worm infected system for attacking other computers. Since it is impossible for the cracked systems to be resecured until the system's disks are wiped and everything reinstalled, the administrators of 1i0n infected systems have nothing to lose from the Cheese worm patching their system. Furthermore, bandwidth usage of the scans by the Cheese worm is similar to the amount used by 1i0n worm scans. The Cheese worm simply increases the security on the systems it invades. Considering it has been 3 months since the 1i0n worm was released, it is fair to assume that systems still infected by the 1i0n worm have administrators that do not plan to fix the systems in the near future. While it is illegal to access another computer without authorization (IANAL), the Cheese worm does help the Internet as a whole become a better place by limiting the number of open systems for less experienced crackers to use for attacks.
Still, the Cheese worm sets a dangerous precedent if widely accepted as a positive contribution to the field of security, because that sounds like the security community is saying it is okay for a cracker to take over a person's computer as long as the cracker's heart is in the right place.

Larvae cheese proposes a remedy for systems compromised by 1i0n, prompting concerns about security among IT managers.

Jun 04, 2001, by Brittany Day