Effective Network Intrusion Detection Guide: Snort Configuration Details

This document takes you through the basics of intrusion detection, the steps necessary to configure a host to run the snort network intrusion detection system, testing its operation, and alerting you to possible intrusion events.

Snort is a software-based real-time network intrusion detection system developed by Martin Roesch that can be used to notify an administrator of a potential intrusion attempt. The ever-increasing number of Internet crackers armed with "ready-to-run" exploits, as well as the sophisticated attacker intent on defacing your web page, necessitates a method to track their activity and alert you to it. Until now, intrusion detection devices were either dedicated-use commercial products, or not real-time and difficult to install. Snort is the solution for monitoring small TCP/IP networks where it is not cost-effective to deploy commercial products. Snort is an easy-to-use, "lightweight", and very functional alternative.

What is Network Intrusion Detection?

A Network Intrusion Detection System (NIDS) is a system responsible for detecting anomalous, inappropriate, or other data that may be considered unauthorized occurring on a network. Contrast this with a firewall, which is configured to allow or deny access to a particular service or host based on a set of rules: if the traffic matches an acceptable pattern, it is permitted regardless of what the packet contains. An NIDS, however, captures and inspects all traffic, regardless of whether it's permitted or not, and generates an alert based on the contents at either the IP or application level. Snort is a "lightweight" NIDS in that it is non-intrusive, easily configured, utilizes familiar methods for rule development, and takes only a few minutes to install. Snort currently includes the ability to detect more than 1100 potential vulnerabilities.

Keep in mind that intrusion detection devices work in conjunction with other security measures, and are not a replacement for other good security practices. Snort is also quite feature-packed right out of the box. Among its features is the ability to:

- Detect and alert based on pattern matching for threats including buffer overflows, stealth port scans, CGI attacks, SMB probes and NetBIOS queries, NMAP and other portscanners, well-known backdoors and system vulnerabilities, DDoS clients, and many more
- Use syslog, SMB "WinPopUp" messages, or a file to alert an administrator
- Develop new rules quickly once the pattern (attack signature) is known for the vulnerability
- Record packets in their human-readable form from the offending IP address in a hierarchical directory structure
- Be used as a "passive trap" to record the presence of traffic that should not be found on a network, such as NFS or Napster connections
- Be used on an existing workstation to monitor a home DSL connection, or on a dedicated server to monitor a corporate web site

Snort uses the popular libpcap library, the same library that tcpdump uses to perform its packet sniffing. Snort decodes all the packets passing by on the network to which it's attached by entering promiscuous mode. Based upon the content of the individual packets and the rules defined in the configuration file, an alert is generated.

Why Use Intrusion Detection?

Intrusion detection devices are an integral part of any network. The Internet is constantly evolving, and new vulnerabilities and exploits are found regularly. They provide an additional level of protection to detect the presence of an intruder, and help to provide accountability for the attacker's actions.

Before Installing Snort

There are a few things you should determine before you install snort.

Do you have approval to run an intrusion detection device by your organization?

Is the system you're installing snort on secure? The last thing you want is the false sense of security you get from looking at what you think is happening when it has really been modified by an intruder. The use of OpenSSH is mandatory for remote access. Reading the Solaris Security FAQ and the Linux Security HOWTO should provide you with a starting point.

Where are you going to put it? If you are simply trying to find out who is port scanning or attempting to attack your home system, it's an easy decision. However, placement in an organization may be more difficult. The device may be placed outside an organization's firewall, between the firewall and the external untrusted network. This allows snort to detect not only the attacks that may make it through the firewall, but also those that are blocked by the firewall. The presence of switches, routers and firewalls will all have an effect on the correct placement of the box. A decision must be made as to which network segment will catch the traffic you actually want to monitor. Placement of the NIDS on the local side of the firewall will allow the NIDS to monitor traffic that the firewall has already determined to be permissible, but not necessarily benign. This will, of course, not catch traffic that the firewall has already blocked, potentially masking port scans, probes and other types of attack.

Is the date and time correct? Ensure the time and date are correct on the host that snort will be running on. Install the xntpd time server so you can be sure the time of the events you are recording is correct. Chances are it is included with or already installed on your system, but it may still need to be configured. Once you have found a suitable timeserver from the URL provided above, a root crontab entry such as the following should suffice:

00 * * * * root /usr/sbin/ntpdate -u

Single Interface

The easiest configuration is a box with a single interface. The same interface that listens to the network traffic is the one from which administration is done. This will be the typical configuration for home network users and administrators monitoring internal networks.

[Image courtesy Network Flight Recorder]

Dual Interface

In a dual-interface configuration, one interface is used to listen to network traffic in promiscuous mode while the other is used for remote administration. This type of configuration is used in environments where it is not possible to administer the box from the same interface that is listening to the network traffic. In this configuration, the external interface should be well-protected and the box designed explicitly for this purpose. The box should not be offering any network services except for ssh on the internal interface only.

[Image courtesy Network Flight Recorder]

Installation of Snort

The file INSTALL included with the distribution contains information on installing and configuring snort from the downloadable source code. It is very easy to compile, configure, and install. If you are a Red Hat or compatible user, a precompiled RPM file is available from . You will also need the libpcap-0.4 package, which is included with all Linux distributions. The source code and other information are downloadable from .

Installing the Snort Ruleset

After snort is installed, you'll want to download the latest rules file. Currently there are two different rulesets that people use. A ruleset developed by Jim Forster can be downloaded from . Another ruleset, developed as part of Max Vision's ArachNIDS work, is available from and updated hourly. The Max Vision ruleset is particularly nice because it follows the Common Vulnerabilities and Exposures (CVE) database, allowing people to refer to a particular vulnerability using a consistent name. From the CVE Frequently Asked Questions:

"CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability databases and security tools with this 'common enumeration.'"

If you've installed the snort RPM, the /usr/sbin/snort-update script written by Dave Dittrich can be used to download the latest Max Vision ruleset from cron:

00 00 * * * root /usr/sbin/snort-update -q

It can also be downloaded from . This assumes the wget package is installed, the local box can download the file at , and it can successfully deliver mail to an administrator. The snort-update script will place the vision.conf file in /etc/snort/vision.conf.new, and an email notification will be sent to the local root account with the differences from the previous version, if any. You must then rename vision.conf.new to vision.conf.

You might also consider using the snort.org ruleset in addition to the Max Vision ruleset. This can be achieved by downloading the snort.org ruleset; information on combining these rulesets is included below. The backdoor-lib, misc-lib, overflow-lib and other similar files are included with the source code, but are pretty dated and not typically used.

Before snort can be started, a few variables must be defined. Also included in the snort RPM is a file called rules.base, which was derived from Max Vision's vision.conf file. It is a short file that contains a few variables that define your internal and external networks, hosts that snort should ignore portscans from, and on which networks snort should watch for portscans. It can also be downloaded from . A portscan is defined as TCP connection attempts to more than P ports in T seconds, or UDP packets sent to more than P ports in T seconds. Read Martin's "Writing Snort Rules" for a full description of portscan.

You'll need to supply the information for your INTERNAL and EXTERNAL networks, and for the DNS servers, which tend to trigger the portscan detection. The rules.base file looks as follows:

#
# Taken and modified from "vision.conf", part of Max Vision's
# ArachNIDs work. See /usr/doc/snort-1.6/README.snort-stuff for more
# information on how to use this file.

var INTERNAL 192.168.1.0/24
var EXTERNAL 63.87.101.0/24
var DNSSERVERS 63.87.101.90/32 63.87.101.92/32

preprocessor http_decode: 80 443 8080
preprocessor minfrag: 128
preprocessor portscan-ignorehosts: $DNSSERVERS
preprocessor portscan: $EXTERNAL 3 5 /var/log/snort/portscan.log
#                                    |
# Log file (path/name) --------------+

# Ruleset, available (updated hourly) from:
#
#
# Include the latest copy of Max Vision's ruleset
include /etc/snort/vision.conf
#
# Uncomment the next line if you wish to include the latest
# copy of the snort.org ruleset. Be sure to download the latest
# one from
#
# include /etc/snort/06082k.rules
#
# If you wish to monitor multiple INTERNAL networks, you can include
# another variable that defines the additional network, then include
# the snort ruleset again. Uncomment the two following lines.
#
# var INTERNAL 192.168.2.0/24
# include /etc/snort/vision.conf

# include other rules here if you wish.

If you are on a dialup machine, the INTERNAL setting would be your dialup interface with a /32 subnet mask, indicating the host itself.

Additionally, you may need to configure syslogd to log snort and other security events to a specific log file. Edit /etc/syslog.conf to log snort alerts, then signal syslogd to re-read the /etc/syslog.conf file:

authpriv.* /var/log/secure.log

[root@krypton ~]# /usr/bin/killall -HUP syslogd

Using Preprocessors

The preprocessor directives listed above are used to examine the data flow before the intrusion detection engine applies the ruleset to the packets. This can be used to modify the contents of the packet, or to signal the detection engine not to process a particular packet.

The preprocessor http_decode: directive instructs the detection engine to convert the data within HTTP URI strings into a format that defeats attempts at eluding the content analysis strings used to examine HTTP traffic for suspicious activity. Supply the ports on which a web server is running.

The preprocessor portscan: directive is used to define the host or network for which snort should watch for a portscan. The /32 appearing after the IP addresses indicates CIDR notation for a 32-bit subnet mask (the host itself). For a Class C network, use /24. It may also be necessary to exclude some hosts from triggering the portscan detection module. Boxes that legitimately generate traffic on a large number of ports in a short amount of time, including NFS or DNS servers, are typical candidates. More on Patrick Mullen's portscan preprocessor can be found at . The portscan-ignorehosts preprocessor is used for this, and takes the hosts to ignore as its argument, separated by spaces:

preprocessor portscan-ignorehosts: 63.87.101.90/32 63.87.101.92/32

You might consider trying it without the portscan-ignorehosts directive first, as you don't want to disable the ability to detect portscans if it's not necessary.

The minfrag preprocessor checks for fragmented packets, which can be used to disguise TCP packets from IP filters used in routers and hosts. Packets of less than 512 bytes do not need to be fragmented on modern networks, and packets found smaller than that typically indicate attempts to subvert a firewall or intrusion detection.

You should now be able to test your configuration file and the normal operation of snort:

[root@krypton ~]# snort -d -l /var/log/snort -c /etc/snort/rules.base
Initializing Network Interface...
User level filter, protocol ALL, raw packet socket
Decoding Ethernet on interface eth0

Initializing Preprocessors!
-------------------------------------------------
Keyword              | Preprocessor @
-------------------------------------------------
http_decode          : 0x8053070
minfrag              : 0x8053290
portscan             : 0x8053ce0
portscan-ignorehosts : 0x8054340
-------------------------------------------------

Initializing Plug-ins!
-------------------------------------------------
Keyword              | Plugin Registered @
-------------------------------------------------
content              : 0x8052050
offset               : 0x8052080
depth                : 0x80520f0
nocase               : 0x8052160
flags                : 0x8052710
itype                : 0x80528f0
icode                : 0x8052a00
ttl                  : 0x8052b10
id                   : 0x8052bf0
ack                  : 0x8052cd0
seq                  : 0x8052dc0
dsize                : 0x8052ec0
ipopts               : 0x8054420
rpc                  : 0x8054670
icmp_id              : 0x8054830
icmp_seq             : 0x8054930
session              : 0x8055300
-------------------------------------------------

Initializating Output Plugins!
-------------------------------------------------
Keyword              | Output @
-------------------------------------------------
alert_syslog         : 0x8054a20
log_tcpdump          : 0x8054ff0
-------------------------------------------------

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
255 Snort rules read...
255 Option Chains linked into 140 Chain Headers
+++++++++++++++++++++++++++++++++++++++++++++++++++

Performing Rule List Integrity Tests...
---------------------------------------
Alert TCP Chains : OK
Alert UDP Chains : OK
Alert ICMP Chains : OK
Log TCP Chains : Empty list...
Log UDP Chains : Empty list...
Log ICMP Chains : Empty list...
Pass TCP Chains : Empty list...
Pass UDP Chains : Empty list...
Pass ICMP Chains : Empty list...
---------------------------------------

-*> Snort!
192.168.200.189:32771 TCP TTL:42 TOS:0x0 ID:5410
***F*P*U Seq: 0x0 Ack: 0x0 Win: 0x400
00 00 00 00 00 00 ......

The corresponding syslog entry looks like:

Jun 18 00:48:31 krypton snort[8757]: MISC-Attempted Sun RPC high port access: 192.168.100.189:57554 -> 192.168.200.189:32771

Several perl scripts exist to process this information into an HTML page which can be accessed periodically to determine what is occurring on the network. snort2html is a perl script written by Dan Swan that does a nice job of producing usable information in HTML format. If you decide to save its output in a directory accessible by a web server, be sure to apply the proper authentication mechanism to prevent outsiders from viewing this file: it contains a great deal of information that would be helpful to a potential intruder. It can be used as follows:

[root@krypton ~]# /usr/bin/snort2html /var/log/auth.log

This will produce an HTML file in /var/log/snort-log.html that is for use with the Max Vision ruleset and creates links to the CVE definition of each intrusion attempt. This version has been modified from the original to accept the filename from the command line. You can edit this file to save the resulting HTML file in another location.

Resources

Lance Spitzner shows snort in action as he tracks an intruder and performs forensic analysis on the trails of the intruder.
Fyodor has put together a document that describes the snort internals.
The snort download page includes pointers to source code, plugins to send snort output data directly to a database, the Win32 port, and the latest rulesets.
The snort.org site has a wealth of helpful information and documentation.

Have questions or comments about this document? We'd love to discuss them with you - please leave a comment below!
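The article's syslog alert line has a fixed shape (timestamp, host, snort[pid], signature, src:port -> dst:port), which is what snort2html and similar scripts parse. The following is an added example, not snort2html or any script from the article: it parses that format, skips lines that are not complete snort alerts, and summarises alerts per source host and signature so an administrator can see who is hitting what. The log lines are constructed samples modelled on the article's one real entry; the signature "TEST-DNS version query" is made up for the sample.

```python
"""Parse Snort syslog alert lines and summarise them by source and signature.

Added example, not snort2html. The sample log below is constructed; only the
first line's format mirrors the real entry quoted in the article.
"""
import re
from collections import Counter, defaultdict

# Constructed sample syslog extract (private/documentation addresses only).
SAMPLE_LOG = """\
Jun 18 00:48:31 krypton snort[8757]: MISC-Attempted Sun RPC high port access: 192.168.100.189:57554 -> 192.168.200.189:32771
Jun 18 00:48:32 krypton snort[8757]: MISC-Attempted Sun RPC high port access: 192.168.100.189:57555 -> 192.168.200.189:32771
Jun 18 00:49:10 krypton snort[8757]: TEST-DNS version query: 192.168.100.77:4123 -> 192.168.200.189:53
Jun 18 00:49:11 krypton sshd[9001]: Accepted publickey for admin from 192.168.1.5 port 51234
Jun 18 00:51:00 krypton snort[8757]: MISC-Attempted Sun RPC high port access: 192.168.100.189:57556 ->
"""

# <month> <day> <hh:mm:ss> <host> snort[<pid>]: <signature>: <src>:<sport> -> <dst>:<dport>
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort\[(?P<pid>\d+)\]: "
    r"(?P<sig>.+?): (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a full snort alert.

    Non-snort syslog lines and truncated alerts (no destination) are rejected
    rather than guessed at, so a damaged log cannot produce a bogus record.
    """
    m = ALERT_RE.match(line.rstrip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("pid", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarise(log_text):
    """Aggregate a syslog extract.

    Returns (counts, ports, skipped):
      counts  - Counter keyed by (source IP, signature)
      ports   - {source IP: sorted list of distinct destination ports hit}
      skipped - number of lines that were not parseable snort alerts
    """
    counts = Counter()
    ports = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            skipped += 1
            continue
        counts[(rec["src"], rec["sig"])] += 1
        ports[rec["src"]].add(rec["dport"])
    return counts, {src: sorted(p) for src, p in ports.items()}, skipped


def report(log_text):
    """Render the summary as plain text lines, busiest source first."""
    counts, ports, skipped = summarise(log_text)
    lines = []
    for (src, sig), n in counts.most_common():
        lines.append(f"{n:4d}  {src:<15}  {sig}  (dst ports: {ports[src]})")
    lines.append(f"{skipped} line(s) skipped (not complete snort alerts)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```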

Jan 14, 2022 - Brittany Day

Explore Predator-OS 20.04 LTS: A Secure Linux Distro for Pentesters

Predator-OS - "the OS that naturally preys on others" - is a free and open-source security-centric project for penetration testing and ethical hacking that can also be used as a privacy-focused, hardened Linux distro. LinuxSecurity researchers spoke with founder and lead developer Hossein Seilany to get insight into the unique features and benefits that the newly released Predator-OS 20.04 LTS offers hackers, pentesters and privacy-conscious Linux users.

Predator-OS was established in 2021 and is maintained by Hossein Seilany. It is a free open-source community project, Free (as in freedom). The project just recently announced the release of Predator-OS 20.04 LTS. Predator-OS is well-suited for penetration testing and ethical hacking and also provides a secure, anonymized Linux OS. Predator Linux is based on Ubuntu 20.04 LTS Mini, kernel 5.10 LTS, and uses a fully customized xfce4 lightweight desktop with a special menu of tools. Predator Linux has around 1300 pre-installed tools which are split into 40 categories. These tools are imported from both Debian and Ubuntu repositories and the GitHub page. Most kernel and user configs are customized by default to prevent hacking and non-privileged access, and to reduce the attack surface. A wide array of built-in firewalls and defensive tools provide end-users with granular control over the OS. The distro can be run as a Live-CD or from a USB drive, or installed.

Operates in 9 Different Modes

Predator-OS has nine different modes for easy and faster access to all tools, and operates in the following modes: defensive, offensive, privacy, hardened, secured, settings, and pentesting modes. Users can switch between these modes quickly and easily.

The Predator-OS distribution has its own unique features and benefits, including:

- Easy installation and extensive hardware support
- Lightweight with a user-friendly interface
- Includes all features and tools of popular secure Linux distros - and more!
- Offers the ability to run Windows tools on Linux
- Users have the option of either booting live or installing

You can view a full list of the distro's features on the predator-os downloads page.

Predator-OS At-A-Glance

OS Type: Linux
Based on: Ubuntu Mini 20.04 LTS
Kernel: 5.10 LTS
Architecture: armhf, i686, PowerPC, ppc64el, s390x, x86_64
Desktop: Xfce
Other Desktop: as soon as possible: KDE plasma, mate
Category: penetration testing, security, privacy, Forensics, Live Medium, hardened, anonymized

Click predator-os downloads to download Predator-OS on your system.

Are you using Predator-OS? If so, we'd love to hear your thoughts and feedback! Please share your experience in the Comments section below.

Jan 05, 2022 - Brittany Day

Enhancing Remote Work Security With Linux Customization And Tools

Operational security at least seemed so much easier back when traditional 9-to-5 office life was still dominant. Talk of professionals taking their work home with them was largely metaphorical, with only occasional instances of C-suite types dragging their laptops everywhere they went. Business hardware and systems would be shielded through physical security and isolated networks. One office (or office complex), one place to guard: entirely straightforward.

Now, after a year that’s seen countless businesses (some eagerly and others reluctantly) adopt the working-from-home model, there are different challenges to overcome. Teams are scattered and must share sensitive data across the internet — data to which other companies and fraudsters would love to gain access. When information gets out, reputations are destroyed and businesses (particularly those working entirely online) struggle to survive.

So what can be done about this? Well, there are various steps you can take to improve cybersecurity, and in this post we’re going to consider whether the use of Linux is one of them. Can companies bolster their remote-working operations — even offline — through swapping their current operating systems for Linux? Let’s see what conclusions we can reach.

What are the strengths of Linux for securing online activities?

While this certainly isn’t a comprehensive account of what makes Linux great for online security, there are three long-standing benefits of Linux distributions that we should focus on here:

They’re entirely customizable, removing the need to rely on third parties. Windows is updated by Microsoft, and iOS is updated by Apple. It’s possible to find unofficial and unsigned patches, but they’re always going to cause issues with support services (and that’s if they work at all). This means that those using these systems must rely on those companies to react appropriately to security threats. Because Linux is open-source software, it doesn’t rely on security updates from any single provider, and its ever-improving compatibility options make it a stable like-for-like replacement. If you want to run a VPN service, you’ll find that all the leading contenders support Linux — and if you want to do something like implement a system-level proxy server, you can easily load up a caching proxy like Squid through the terminal. Additionally, the fundamental transparency of Linux makes it relatively simple to review for potential security issues. If you’re willing to put in the effort to steer the ship, you can achieve far more impressive levels of security through Linux systems.

They’re updated by people who care about privacy and security. Leading software companies do care about security, but largely in the sense that their profits and reputations are affected by system vulnerabilities. Linux, on the other hand, is heavily driven by passionate enthusiasts who actually care about user privacy. If you’re looking to resolve a certain issue, you can inevitably find free community support to point you in the right direction. And if you want to run a cut-down OS with none of the default telemetry services that plague all the mainstream alternatives, Linux isn’t just your best option: it’s your only practical option. Throw in superior support for things like using SSH and saving and reviewing comprehensive log files, and you have a fantastic out-of-the-box option (so to speak) that will only get better the more you work on it.

They’re not high-priority targets for hackers due to their niche appeal. While it’s true that Linux servers have become very popular (and thus attracted attention), the same can’t yet be said of Linux desktop operating systems. Almost all attention goes towards Windows and iOS, all because it’s far more economical to target them. On top of that, you need to factor in the presence of different Linux distros. Where Windows installations will differ only marginally, systems running on Debian, Red Hat and Linux Mint can have far more substantial differences. There isn’t much motivation for a hacker to specifically target Linux Mint systems, making them much safer.

How can Linux secure remote-working hardware?

We’ve looked at how Linux helps to secure online operations, but what about offline activity? Remote-working hardware still poses a threat, after all, and needs to be kept in line. Well, just as it supports plenty of online security services, Linux also offers a tremendous array of at-home security solutions that allow extensive configuration.

For businesses that still want to use office spaces (or those determined to monitor their remote-working employees extremely closely, however much that seems like a bad idea), there’s open-source monitoring software like Zoneminder. For network user authentication (key for all remote-working companies, and often managed through cloud systems like Azure Active Directory), there’s the free Kerberos protocol. And for those who need to keep their business hardware secure on the go (despite lockdowns, there are still workers who need to travel), it’s easy enough to take advantage of tools like the Yubico Pluggable Authentication Module (PAM). The PAM makes it convenient to use hardware dongles for user authentication, ensuring that lost laptops don’t present major weaknesses. Linux can shield smart technology from threats by offering a robust and customizable security framework capable of combating a wide array of cyber vulnerabilities.

What is the value of tech comprehension in cybersecurity?

User error is the one thing that even the most tightly-secured systems can’t fully move past. This is why social engineering is such a popular endeavor for fraudsters. Hacking an up-to-date system is complicated and risky, while convincing a poorly-trained employee to volunteer their login details under false pretences can provide quick success. Due to this, ensuring that your employees have strong awareness of security basics will do much to make your operation stronger — and though Linux still has an intimidating learning curve, it’s sufficiently approachable that you could make it your main operating system without asking more of your workers than they can reasonably provide.

It certainly helps that so much is done through browsers at this point. If someone can use a Chromebook, they can get to grips with a Linux distribution, and learning more about how Linux works (and how it treats something like admin authentication) will slowly but surely leave them less likely to make basic security mistakes.

Wrapping up, the answer to the titular question is a strong yes. Less likely to be attacked than other systems, built with security and flexibility in mind, and equipped with rich compatibility features that make it easier than ever to swap from Windows or iOS, Linux is a mature solution that every modern business should consider using.

About the Author

Elliot Mark is a senior writer at Ecommerce Platforms with a deep curiosity for all things digital and the changing world of ecommerce. He’s helped create a number of unique online stores, providing content and marketing support to help people grow their own ecommerce biz. Connect with him on Twitter @EcomPlatformsio.

Apr 19, 2021 - Brittany Day

Implementing Geolocation For Nftables: A New Era In Firewall Security

What if you could block connections to your network in real-time from countries around the world such as Russia, China and Brazil where the majority of cyberattacks originate? What if you could redirect connections to a single network based on their origin? As you can imagine, being able to control these things would reduce the number of attack vectors on your network, improving its security. You may be surprised that this is not only possible, but straightforward and easy, by implementing geographic filtering on your nftables firewall with Geolocation for nftables . . Geolocation for nftables is a simple and flexible Bash script released in December of 2020 designed to perform automated real-time filtering using nftables firewalls based on the IP addresses for a particular region. In a recent interview with LinuxSecurity researchers, the project’s lead developer Mike Baxter explained the mission of Geolocation for nftables, “I hope this project is beneficial to those who may not have the IT budget or resources to implement a commercial solution. The code runs well on servers, workstations and low-power systems like Raspberry Pi. The script has the built-in ability to flush and refill geo filtering sets after a database update without restarting the firewall, allowing servers to run uninterrupted without dropping established connections.” This article will examine the concept of geo filtering and how it could add a valuable layer of security to your firewall, and will then explore how the Geolocation for nftables project is leveraging Open Source to provide intuitive, customizable geo filtering on Linux. What Is Geo Filtering? Geo filtering is a firewall technology that filters and blocks both incoming and outgoing network connections based on geographic location using IP addresses. 
Geo filtering technology enables a computer firewall to compare the source or destination IP address of a network packet to a list of location specific IP address ranges, which can be found in freelyavailable geolocation databases such as db-ip.com . Firewall rules can then determine what to do with each packet - accept, reject, redirect to a server with localized content, drop, or simply count the packet - based on the location of its origin or destination. How Can Geo Filtering Enhance Firewall Security? Geographic filtering enables administrators to mitigate threats to their network by blocking IP addresses associated with countries or locations where the majority of cyberattacks originate, or that they have no reason to allow traffic from. If you have no reason to accept incoming online communications from certain countries, then implementing whole-country Geo filtering on your firewall may make sense. However, keep in mind that if you’re using software or online services from other countries, you may have to accept communications from these countries. Cutting off entire countries is quick and effective, but in many cases it makes sense to use more sophisticated IP filtering settings to either block only certain IP addresses, ranges of IPs or lists of IPs known to be malicious, or to create rules in your firewall that make exceptions and allow trusted IP addresses to access your systems. Geo filtering is a valuable security feature, but does have some limitations. For instance, the technology could potentially block legitimate online traffic, and isn’t able to prevent targeted attacks, as criminals can easily hide their location by using servers or compromised computers in different locations to launch attacks. 
Implementing Geo filtering on your nftables firewall can add a valuable layer of security to your network by reducing its attack surface and helping to protect against malware and other dangerous, persistent threats - but it should not be viewed as a cybersecurity cure-all. Baxter emphasizes the importance of implementing this technology as part of a comprehensive, defense-in-depth approach to cybersecurity: “Geo filtering is one layer of security that can help to reduce the number of attack vectors on a computer or network, but it’s not a silver bullet. There are ways around every type of computer security, so it’s important to do security in layers.”

Geolocation for nftables Leverages Open-Source Development to Make Filtering by Country Seamless, Easy & Effective

Geolocation for nftables makes implementing real-time geographic filtering on your nftables firewall simple, convenient and effective, while offering granular control over network traffic. The Bash script converts the 400,000 lines of IP address ranges and country codes in its database to a format that Linux nftables firewalls can access with firewall rules. The script automatically generates country-specific nftables address range sets, automatically determines the installed version of nftables, and recommends the correct "include" statements for an administrator’s ruleset. User settings are conveniently stored in a standard configuration file, as opposed to using command line arguments.

The geographic database is automatically downloaded from db-ip.com in real-time, keeping nftables Geo Filtering sets up-to-date. This is critical, as the IP address ranges assigned to each country change over time and geographic databases must be updated regularly in order to remain accurate and effective.
Geolocation for nftables also has the unique ability to automatically run an nftables script to flush and refill IP sets with new data after a database update, allowing servers to run uninterrupted - without dropping established connections.

Geolocation for nftables is an open-source project, and offers users an array of unique benefits that can be attributed to its use of Open Source - namely, enhanced security and a high level of customization. The script is easy to set up, configure and tailor to meet your specific needs with open-source code that is heavily vetted by the community. The “many eyes” reviewing this code on an ongoing basis results in rapid identification and elimination of vulnerabilities and security issues. The global community input that the project receives fosters innovation by offering ideas, feedback and programming expertise. The Geolocation for nftables source code is heavily commented, making it easy to understand and customize. This selection of benefits comes at no cost to the end user as, in the words of Baxter, open-source development is “just people helping people”.

Geolocation for nftables seamlessly integrates with other firewall applications by allowing multiple matches per firewall rule, so geographic matches can be combined with matches from other sources to determine how a network packet is handled. For instance, an administrator can accept a packet whose IP address is on his or her IP “allow” list but not on his or her Fail2ban “block” list, with a single firewall rule. Geolocation for nftables has a small memory footprint and offers flexible configuration, making the script ideal for any system - even those with limited RAM.
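The conversion described above, from geolocation database rows to nftables named sets and to a flush-and-refill script, as an added example in POSIX shell. This is not the Geolocation for nftables project's script. It assumes the database is a CSV of start,end,country rows (the layout of the db-ip.com country download); the sample rows are constructed from documentation address blocks with made-up country codes AA and BB, and the table name "filter" in the ruleset sketch is an assumption.

```shell
#!/bin/sh
# Added example (not the Geolocation for nftables project's own code).
# Assumption: the geolocation database is a CSV of "start_ip,end_ip,country_code"
# rows, one range per line, as the db-ip.com country download is laid out.
# The rows below are constructed from documentation address blocks (RFC 5737 /
# RFC 3849) with made-up country codes AA and BB; they are not real assignments.
SAMPLE_CSV='192.0.2.0,192.0.2.127,AA
192.0.2.128,192.0.2.255,BB
198.51.100.0,198.51.100.255,AA
2001:db8::,2001:db8:ffff:ffff:ffff:ffff:ffff:ffff,AA
2001:db8:1::,2001:db8:1:ffff:ffff:ffff:ffff:ffff,BB'

# Print the nftables range elements ("start-end", one per line, comma separated)
# for one country code and one address family (ipv4 or ipv6).
# Usage: country_elements <csv-text> <country-code> <ipv4|ipv6>
country_elements() {
    printf '%s\n' "$1" | awk -F, -v cc="$2" -v fam="$3" '
        { sub(/\r$/, "") }                       # tolerate CRLF downloads
        NF == 3 && $3 == cc {
            is6 = (index($1, ":") > 0)           # IPv6 ranges contain colons
            if ((fam == "ipv6" && is6) || (fam == "ipv4" && !is6))
                printf "%s        %s-%s", (n++ ? ",\n" : ""), $1, $2
        }
        END { if (n) printf "\n" }'
}

# Lower-case a country code for use in a set name (e.g. AA -> geo_aa_ipv4).
set_name() {
    printf 'geo_%s_%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$2"
}

# Emit a complete named set definition, suitable for saving as
# geo_<cc>_<fam>.nft and pulling into a table with an include statement.
# Returns 1 when the database has no ranges for that country/family.
gen_country_set() {
    elems=$(country_elements "$1" "$2" "$3")
    [ -n "$elems" ] || return 1
    if [ "$3" = ipv6 ]; then type=ipv6_addr; else type=ipv4_addr; fi
    printf 'set %s {\n    type %s\n    flags interval\n    elements = {\n%s\n    }\n}\n' \
        "$(set_name "$2" "$3")" "$type" "$elems"
}

# Emit an nft script that replaces a set's contents in place after a database
# update. "nft -f" applies the whole file as one transaction, so the table and
# its other rules stay loaded and established connections are not disturbed.
# Usage: gen_refill_script <csv-text> <table> <country-code> <ipv4|ipv6>
gen_refill_script() {
    elems=$(country_elements "$1" "$3" "$4")
    [ -n "$elems" ] || return 1
    name=$(set_name "$3" "$4")
    printf 'flush set inet %s %s\n' "$2" "$name"
    printf 'add element inet %s %s {\n%s\n}\n' "$2" "$name" "$elems"
}

# Ruleset sketch showing how a generated set is consumed (assumed table name
# "filter"; one rule does the whole geographic match):
#
#   table inet filter {
#       include "/etc/nftables.d/geo/geo_aa_ipv4.nft"
#       chain input {
#           type filter hook input priority 0; policy accept;
#           ip saddr @geo_aa_ipv4 counter drop
#       }
#   }

# Run directly: sh geo-sets.sh AA ipv4 > geo_aa_ipv4.nft
if [ $# -ge 1 ]; then
    gen_country_set "$SAMPLE_CSV" "$1" "${2:-ipv4}"
fi
```

Saved as geo_aa_ipv4.nft and included into the table, the set is matched by a single rule, which is the one-rule match the feature list mentions. After a fresh database download, applying the output of gen_refill_script with nft -f swaps the elements inside one transaction, so the table, its chains and existing connection state stay in place. Two checks worth keeping around such a generator: verify the download (over TLS, and against a checksum if the provider publishes one) before feeding it in, since whatever ends up in these sets decides who gets dropped; and compare the number of emitted elements with the previous run, because an empty or truncated download would otherwise silently refill a set with nothing.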
Key features and benefits of Geolocation for nftables include:

- A script written for the widely used Bash shell that automatically generates country-specific nftables address range sets
- Easy to implement, configure and customize with heavily reviewed open-source code
- Small memory footprint and flexible configuration make the script run well on systems with limited RAM
- User settings are conveniently stored in a standard configuration file rather than using command line arguments
- Packets can be filtered by geography with a single nftables rule rather than two rules to mark and match packets
- Automatically determines your installed version of nftables and recommends the correct "include" statements for your ruleset
- Creates "include-all" files to allow you to include all geographic IP sets with a single reference on older versions of nftables that don't support include wildcards
- Offers a User Guide which explains how to define all element definitions for Geolocation sets in one file, eliminating the chance of having out-of-sync definitions in multiple files when flushing and refilling sets with new data
- Simplified directory structure to shorten "include" path names
- Creates ~500 IPv4 and IPv6 set files from the geographic database in about 10 seconds on a low power quad-core 2200GE server with SSD storage
- Tested on Ubuntu Server, Fedora Server, and Raspberry Pi OS

Key Takeaways

Geographic filtering is a valuable layer of defense that you should consider adding to your nftables firewall to reduce the attack surface on your network and help secure your system against malware and other serious, prevalent threats. Geolocation for nftables provides Linux users with a simple, flexible and automated way to implement real-time geographic filtering on their nftables firewall. Visit the project’s GitHub page to learn more about Geolocation for nftables and how you can install the script on your system.
Please reach out to us if you have an open-source security project you would like us to cover in a future LinuxSecurity feature article!

Feb 09, 2021, Brittany Day

The TANSTAAFL Price and Developer Burnout in Open Source Projects

Open-source projects can become victims of their own success. What can developers do to secure their open-source software?

One of the reasons behind the popularity of Open Source is the volunteer communities improving and updating code. It’s what software developer and author Eric Raymond called Linus’s Law in action: with many eyes looking at code, “all bugs become shallow.” A Purdue University study showed that Linus’s Law does work. Open-source communities regularly issue patches faster than their proprietary software counterparts.

But Linus’s Law only works when there are enough eyes on the code. And there’s no guarantee that the community behind any given open-source project will continue maintaining the code. Of the 1,200+ codebases examined for the 2020 Open Source Security and Risk Analysis (OSSRA) report, 88% contained open-source components that had had no development activity in the last two years.

OpenSSL, Heartbleed, and Developer Burnout

OpenSSL, an open-source encryption protocol, secures a substantial portion of the web: as much as two-thirds of all active websites, plus hundreds of thousands of email servers, chat servers, and VPNs, as well as the network infrastructure of various military, government, and financial institutions. In 2011, a programming bug that allowed an attacker to intercept information secured by OpenSSL was introduced into the code, where it remained undiscovered for almost three years before being reported by a Google developer. Within 24 hours of its disclosure, the vulnerability, dubbed “Heartbleed,” was used to break into a major corporation and steal taxpayer data from the Canada Revenue Agency, according to a report in The New York Times. Although a patch was quickly issued, Heartbleed still lives on in hundreds of thousands of devices, with Shodan—an Internet of Things search engine—reporting over 91,000 instances of the vulnerability as of late 2019.
Steve Marquess, the former CEO of the OpenSSL Foundation, noted in a blog post that the coding error leading to Heartbleed was partially attributable to developer burnout. In 2011 there was only one overworked, full-time developer on the OpenSSL project. “There should be at least a half dozen full-time OpenSSL team members, not just one,” Marquess wrote. And that developer should be “able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work.”

Things have improved somewhat in 2020. There are now 18 contributors listed on the OpenSSL site and their work is funded through at least 2021, thanks to a grant from the Linux Foundation Core Infrastructure Initiative, a project dedicated to distributing resources to open-source projects that are critical to the security of the Internet. But the Heartbleed bug is what happens when people ignore the TANSTAAFL price.

The TANSTAAFL Price

In the early 19th century, “free lunches” were a popular saloon promotion. Patrons still had to buy a beer or other drink in order to wash down whatever food the barkeep offered, and that was the catch. Profits on whiskey and beer sales more than compensated the saloon for putting out the free lunch spread, which often was little more than soup, crackers, and problematic pickled eggs. Coined by science fiction author Robert Heinlein, TANSTAAFL (“There ain’t no such thing as a free lunch”) reminds us that things always have to be paid for, whether the price is evident or not.

With popular open-source code, the TANSTAAFL price has been the increased pressure on its maintainers—the people who handle bug reports, feature requests, code reviews, and code commits for their “free” software. Increasingly, as open-source software grows in popularity, the TANSTAAFL price has been developer burnout and their open-source projects being abandoned.
It’s the tragedy of the commons in action—a resource growing so much in popularity that it can’t remain viable unless the community shifts to sustenance rather than exploitation. Witness the Twitter thread started by James M. South, creator of several popular open source solutions, who bemoaned the fact that, “#ImageSharp passed 6 million downloads this weekend and I’m a lot less happy about it than I probably should be.” Why? South goes on in several follow-up tweets, “Over 5 years of development there have only been 98 collaborators, 23 of which have made more than 10 commits…. it’s not about money, it never was and never will be, it’s about sustainability.”

Several other developers chimed in with their experiences: “…a similar story for #FluentValidation. Over 41 million downloads … 140 contributors, but only 1 has made more than 10 commits.” “Same with ReportGenerator… 15 million downloads but not a single sponsor.”

Too few people—and their organizations—who rely on open-source software are contributing to the projects whose open-source software they use. If you’re a developer and have a favorite open-source component, you can contribute to its development through development, sharing your modifications, bug reporting, crowd-funding, letting the developers know how you are using it, and helping others get started. That last may be the most important thing you can do for any open-source project—helping build a user community large enough to sustain the project. While development support is important, it’s not necessarily just about the code. Whether you’re a writer, translator, designer, or information security or legal specialist, the chances are good that you too can help support the community in some fashion.

About the Author

Fred Bals is a researcher and senior technical writer at Synopsys. This post originally appeared on the Synopsys Software Integrity blog.
Sep 22, 2020, Brittany Day

Defcon 26 Highlights on Cyber Defense And Open-Source Security

Defcon 26 provided individuals and organizations with valuable tips and insight on security and the latest and most effective defenses. Here are some security-related highlights from the event.

Defcon 26, a high-profile hacking conference that recently took place in Las Vegas, offered a multitude of predictions and implications regarding changes and trends in the field of cyber security. Although Defcon is an event that is mainly attended by ethical hackers who are aiming to learn how to better protect the systems they are responsible for, everyone can gain knowledge from the experts who spoke and the activities and contests that took place at Defcon 26. With cyber threats becoming increasingly prevalent and dangerous, cyber security is an issue that affects all individuals and organizations. According to CSO, cyber crime damage costs are expected to hit $6 trillion annually by 2021 (CSO Online). Email is an extremely popular attack vector used by cyber criminals, so effectively securing email accounts is becoming increasingly important. Here are two highlights from Defcon 26 and a summary of what they suggest in the context of today’s cyber threat landscape:

1. NSA Brings Nation-State Details to Defcon: “Spot the Fed” has been a longstanding tradition at Defcon, but the task was extremely easy this year. Rob Joyce, senior advisor for cybersecurity strategy at the NSA, discussed the latest details on nation-state hacking and defense. He suggested that there are four actors that are most concerning in regard to nation-state hacking: Russia, China, Iran and North Korea. In terms of defense strategies, Joyce emphasized that the transparency provided by public hacking is critical in finding and fixing flaws that nation-state hackers could exploit. He also referred to cybersecurity as a “team sport”, suggesting that the government and private enterprises should share information on vulnerabilities and attacks.
Finally, Joyce reminded the audience that basic security measures, such as software patching and multifactor authentication, should not be overlooked. (DarkReading)

2. Tesla Plans to Open-source Security Software: Following Defcon 26, CEO of Tesla Elon Musk announced that Tesla is planning to open-source its security software to other automakers for free. Musk feels that doing this will decrease the risk of cyber criminals hacking self-driving vehicles. Tesla has a good relationship with security researchers and whitehat hackers, whose work has led to the rapid fixing of various vulnerabilities in the past. Open-sourcing security software will likely encourage more security researchers to search for and identify vulnerabilities, making Tesla cars even more secure. (Electric)

These are just two of many security-related highlights of Defcon 26. The schedule was packed with speeches from experts in the field of security, hacking-related activities and contests, and Q & A sessions. As expected, Defcon 26 proved to be a hub for innovation in the field of cyber security and advancement in the practice of ethical hacking. With the evolution of cyber crime and email-related threats, it is crucial that businesses and individuals stay informed and implement the latest and most advanced defenses and protection strategies.

Sep 06, 2018, Brittany Day

Exploring SCC: An Exclusive Interview with Siem Korteweg Uncovered

In this interview we learn how the System Configuration Collector (SCC) project began, how the software works, why Siem chose to make it open source, and information on future developments.

Introduction: Have you ever noticed changes on your departmental server, but couldn't quite pinpoint what exactly happened? How many times have staff forgotten to make an entry in the log-book, or the entries made were not detailed enough? Administrators are faced with these problems on a day-by-day basis. The System Configuration Collector (SCC) project attempts to automate this process. Rather than depending on staff to keep accurate records, SCC enables a system to record all changes taking place. Additionally, the software has the functionality to send all configuration data to a central server so that it can be analyzed when needed.

System Configuration Collector Project Website:

LinuxSecurity.com: Please tell us about the SCC project and how it began. When did it start, and who are some of the key contributors?

Siem Korteweg: In 2001 a younger colleague asked whether it was possible to automatically track the changes that were made to the configuration of a system. I told him that was impossible due to the variable nature of the output of the commands we have to use to show the configuration of a system. Being a much younger colleague, he accepted this answer. But I did not like to say it was "impossible" and it kept nagging me. I thought that when I could split the variable and fixed parts of the output of system commands, I would be able to track changes. I started a small hobby project by collecting configuration data and preceding each line with "fix:" or "var:". After some time I was able to detect some changes made to the configuration. But when a kernel parameter was changed, all I saw was a change from 128 to 256. I had to search in the snapshot to find out what part of the configuration had changed.
Therefore I extended the fix-var classification with a hierarchy of keywords indicating the nature of the data. The development continued, and the customer where I was developing the software was wondering how to maintain this software without hiring me indefinitely. By that time I realized that this software also could/should be used by others. I talked to the manager of the customer and to the manager of the company I am working for and suggested making SCC a GPL project. They both agreed, and from then on SCC was an Open Source project. To extend the collection of configuration data I looked at the code of cfg2html and check.sh (HP specific) and the FAQs of several newsgroups.

At the customer site where I started developing SCC, we deployed the software on some 300 systems. This gave us a great opportunity to tune the "fixed" and "variable" parts of the configuration to avoid unnecessary changes. The first versions of the software collected configuration data and converted the data and logbook to HTML on a per system basis. At the customer site, Bram Lous started to collect all snapshots and logbooks on a server and built the first version of the CGI-interface. Later on, Paul te Vaanholt contributed much to the HP OpenView modules. His main contribution is the analysis and conversion to SCC-format of the Operations Center database. A colleague, Oscar Meijer, wrote the Windows version of the SCC-client, based on WMI and WSH. The configuration of the data we are collecting on Windows systems still needs to be tuned. The software itself is stable, but it detects too many changes. The whole process of tuning what data is "fixed" and what data is "variable" takes quite some time.

LinuxSecurity.com: What is the most important benefit an administrator can get out of SCC? How can this improve the overall security of a network or host?

Siem Korteweg: Each administrator should document his/her systems. We all know that, but we all lack time to do this properly.
SCC automates the documentation process. For HP-UX systems, more than 95% of the configuration of the system is covered by SCC. For other systems the percentage is somewhat lower at the moment. The logbooks and snapshots can assist administrators in finding the cause of an incident. Configuration changes can have unwanted side-effects (on other systems). By examining the logbooks for the changes during the last days/weeks an administrator might find the cause of an incident easier/faster. Another way of using the SCC-data to find the cause of an incident is to compare (parts of) the configuration of a system with a comparable system that does function correctly. Comparing the configuration of systems can also be used to assure that the systems in a cluster are consistent and identical. Do they run the same (versions of) software? Do they have the same kernel-configuration?

It is also possible to check your security policies. Just check the snapshots on the server for the aspects of the policies. By default the server checks and signals accounts without a password. Another use of the SCC-data on the server is to quickly identify systems. After an advisory from Sun, I was able to identify within one minute the 100 systems that needed to be addressed out of a total of 600 systems. Because the selection was automated and because the collection of SCC-data was accurate and up to date, I did not miss a system. This obviously contributes to the safety of the network.

LinuxSecurity.com: How difficult is it to get started? How long would it take for an administrator to get the system fully set up? Can you describe at a high level the steps necessary to set up SCC?

Siem Korteweg: The easiest way to start and get the feeling of the software is to install only the client part and keep the data and logbook on the client. Just create a simple cron-job after the installation of the client and you are finished.
This way you are able to pilot the software before you deploy it more widely. The setup of the server takes some more steps. First you have to decide how to transport the SCC-data from the clients to the server. Supported mechanisms are email (optionally encrypted, using OpenSSL), scp, rcp and cp. Then set up the webserver to display the data. To achieve this, you have to indicate the path under the document-root and indicate the CGI-script of SCC. Then schedule a cron-job to transfer the SCC-data that is sent by the clients from the transfer-area to the website. Finally all cronjobs of the clients have to be extended with the proper options to transfer the SCC-data to the scc-server. For several systems I recorded the entire process of configuring the server in logbooks. These logbooks are present at the website. For our HP-UX 11.i system:

LinuxSecurity.com: What improvement would you like to make in the future? What direction is this project heading?

Siem Korteweg: When running SCC on a system that uses clustering software, like MC ServiceGuard from HP, switching a "package" from one system to another results in changes of the SCC-data for both systems involved in the switch. We want to make the software cluster-aware by extracting the configuration data for each package and sending it separately to the scc-server. Another future extension is the collection of the configuration of network devices like routers and switches.

LinuxSecurity.com: What advantage does SCC have over using a typical pen & paper log book for recording system changes?

Siem Korteweg:
- It is automated, so it does not "forget" to record a change (supposing the changed attribute is part of the SCC-snapshot).
- It is not lazy (once you run it through cron).
- The pen & paper logbook is a physical item that can only be at one place. Each admin of a group of systems can be at a different place, without access to the paper logbook. Suppose 7x24 systems, where the admins "follow the sun".
- By consolidating all snapshots on a system with scc-srv, you obtain much data that can be searched automatically. This enables you to quickly identify the systems that need an update or to compare two systems when one of them does not function correctly. This is impossible with pen & paper.

LinuxSecurity.com: What operating systems does SCC run on? What type of license is it under?

Siem Korteweg: HP-UX, Solaris, AIX, Linux (RedHat, Suse, Gentoo). As the code of SCC only uses "standard" Unix tools, I think it runs on almost all Unix/Linux systems. The coverage of the configuration data depends on the OS. For example the coverage of HP-UX configuration is more than 90%. For other systems this will be less. The license is GPL.

LinuxSecurity.com: If an administrator needs assistance setting up or configuring SCC, is support available? If so, how can support be obtained?

Siem Korteweg: Besides the documentation on our website, SCC comes with documentation and manual pages. We offer an implementation service, where a consultant visits a customer, installs the server and at most 5 clients, and introduces the software to the admins of the customer. This is only feasible in the Netherlands. Otherwise, support via email is possible. When the requested support is more than a few simple questions, we have to agree upon payment.

LinuxSecurity.com: How does SCC differ from other similar configuration collectors? What are some of the strengths and weaknesses of SCC?

Siem Korteweg: SCC collects configuration data without formatting it immediately to HTML. Instead it prefixes each line of configuration data with fix/var and a hierarchical classification. This makes it easy to process the snapshots. The processing consists of comparing consecutive snapshots to generate the logbook, formatting the snapshot to HTML and comparing the snapshots of two systems to determine the differences. The philosophy of SCC is to collect data, not to judge its value or correctness.
Stupid configuration errors in Apache/Samba are not detected in scc; this should be done at the server where all snapshots are collected. Some might question the value of all the data in the snapshots. It is true that a considerable part of the snapshots will never change during the lifetime of a system. Nevertheless this data is collected, just in case someone needs it sometime. One commercial configuration collector works by allowing remote root-access to all clients from their server. This is not very security minded. I had security in mind when coding scc and scc-srv.

A weakness of SCC is that I coded the classifications of all collected configuration data. This classification has to be used when an admin wants to view specific information. I decided to store cron configuration data under classification "software:cron:" and swap info under classification "system:swap:". Each user of SCC has to follow my intuition. Another weak point is that the clients are autonomous. The scc-srv can be DOSed by mailing many snapshots from seemingly different systems. Therefore, I suggest installing scc-srv only in a "trusted" network. Finally, scc has to do "reverse engineering" to collect, for example, the Apache configuration. Apache can be installed and configured in dozens of different locations. We have to determine the correct paths and files from the running processes.

LinuxSecurity.com: How can the project benefit from the open source community?

Siem Korteweg: The project can benefit from the open source community when admins use it and contribute their extensions. These extensions can be specific applications/hardware/OS they use or new features. At the moment some people already contribute knowledge of specific software. Feedback concerning the strong and weak aspects admins experience while they are using SCC is also valuable. Areas for future extensions are SAN/NAS and network devices.
I am looking for people and organisations that are willing to contribute in any way in these areas.

LinuxSecurity.com: I wish to thank Siem and the other contributors to the System Configuration Collector project. We at LinuxSecurity.com would like to wish you the best of luck!
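Siem's fix/var prefix and keyword hierarchy, as an added example that is not SCC's own code: two constructed snapshots of one host are compared and turned into logbook entries, the way the interview describes the logbook being generated from consecutive snapshots. It assumes the line layout fix|var:<hierarchy>:<value> and the "software:cron:" and "system:swap:" classifications Siem mentions; only fix: lines are compared. The same comparison serves the other use he describes, diffing the snapshots of two systems, by passing the second system's snapshot as the "new" side.

```shell
#!/bin/sh
# Added example (not SCC's own code): the "fix:/var:" classification idea from
# the interview, applied to two constructed snapshots of one host.
# Each snapshot line is <fix|var>:<classification hierarchy>:<value>.
SNAP_OLD='fix:system:kernel:param:maxfiles:128
fix:software:cron:root:0 3 * * * /usr/sbin/backup
fix:software:cron:root:30 4 * * * /usr/sbin/logrotate
fix:system:swap:device:/dev/dsk/c0t0d0s1
var:system:uptime:12 days
var:system:load:0.42'
SNAP_NEW='fix:system:kernel:param:maxfiles:256
fix:software:cron:root:0 3 * * * /usr/sbin/backup
fix:software:cron:root:0 5 * * * /usr/local/bin/scc
fix:software:cron:root:0 6 * * 1 /usr/local/bin/weekly_audit
fix:system:swap:device:/dev/dsk/c0t0d0s1
var:system:uptime:13 days
var:system:load:1.07'

# Compare two snapshots and print logbook entries, one per line:
#   <date>:changed:<classification>:<old> -> <new>
#   <date>:removed:<classification>:<value>
#   <date>:added:<classification>:<value>
# Only "fix:" lines are compared; "var:" lines (uptime, load, ...) change on
# every run and would flood the logbook, which is what the fix/var split is for.
# When a classification has exactly one old and one new value it is reported
# as "changed" (a pairing heuristic); otherwise each line is reported on its own.
# Usage: scc_logbook <old-snapshot-text> <new-snapshot-text> <date>
scc_logbook() {
    t_old=$(mktemp) && t_new=$(mktemp) || return 1
    printf '%s\n' "$1" | grep '^fix:' | sort -u > "$t_old"
    printf '%s\n' "$2" | grep '^fix:' | sort -u > "$t_new"
    # comm -3 keeps lines only in old (column 1) and only in new (tab-indented column 2)
    comm -3 "$t_old" "$t_new" | awk -v date="$3" '
        {
            side = ($0 ~ /^\t/) ? "new" : "old"
            sub(/^\t/, "")
            n = split($0, f, ":")                 # f[1] is "fix", f[n] is the value
            key = f[2]                            # classification = fields 2 .. n-1
            for (i = 3; i < n; i++) key = key ":" f[i]
            keys[key] = 1
            vals[side, key, ++cnt[side, key]] = f[n]
        }
        END {
            for (k in keys) {
                if (cnt["old", k] == 1 && cnt["new", k] == 1)
                    printf "%s:changed:%s:%s -> %s\n", date, k, vals["old", k, 1], vals["new", k, 1]
                else {
                    for (i = 1; i <= cnt["old", k]; i++)
                        printf "%s:removed:%s:%s\n", date, k, vals["old", k, i]
                    for (i = 1; i <= cnt["new", k]; i++)
                        printf "%s:added:%s:%s\n", date, k, vals["new", k, i]
                }
            }
        }' | sort
    rm -f "$t_old" "$t_new"
}

# Run directly to see the logbook for the constructed snapshots.
scc_logbook "$SNAP_OLD" "$SNAP_NEW" 2004-03-25
```

The kernel parameter change now reads as "system:kernel:param:maxfiles:128 -> 256" rather than a bare 128 to 256, which is the problem Siem describes the keyword hierarchy solving; the uptime and load lines, being var:, never reach the logbook. Because the comparison runs on the server side over collected snapshots, it does not need any access back to the clients, in line with the design concern he raises about collectors that require remote root access.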

Mar 25, 2004, Brittany Day

Exploring Netwox: A Talk with Creator Laurent Constantin on Network Tools

In this article Duane Dunston gives a brief introduction to Netwox, a combination of over 130 network auditing tools. Duane also interviews Laurent Constantin, the creator of Netwox.

Introduction: Performing a security or network audit with the large number of security tools available can be quite overwhelming. Even basic network troubleshooting has a plethora of tools to choose from. Selecting the right one to get the job done fast can even cause a headache. Let's see: hackbot.pl, nmap, nessus, and sara are just four tools that can be used to determine if a webserver is running. Even a quick telnet to port 80 would work:

telnet www. 80

All of these tools have their place for sure and should be included in a security or network auditing toolkit. However, netwox solves the problem of having multiple tools to choose from to perform specific tasks. Netwox ( ) removes the issue of having to go to a machine and compile multiple programs to start auditing a network. Netwox contains over 130 tools built into one program. Each tool is referenced by a particular number and is readily available and searchable.

The coolest tool is the network sniffing program. This tool sniffs network packets, but doesn't output them the way you normally see with tcpdump or ethereal. No, it outputs the packets just like you learned them, in the familiar graphical format. See the example here. You can run it with the command:

netwox 7

Watch each packet fly by the way you learned. Check out the tcpdump format:

20:08:35.691525 12.150.157.4.3266 > 68.153.244.213.80: S 1614678159:1614678159(0) win 16384 (DF)

Now the netwox format:

Netwox has other tools like base64, decimal, and hex converters, a port scanner, mail client, syslog client, DNS server, DNS client, HTTP server, ping, traceroute, etc. It gives you the tools to do quick tests without having to use a suite of tools. The default output and way to run netwox is via the command line, though a GUI interface exists for its use as well.
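The tcpdump line above packs the TCP/IP header fields into one line of text; netwox tool 7 draws them out in the diagram layout of the RFCs. As an added example that is not netwox code, the POSIX shell script below parses that tcpdump summary format (the old "host.port" style shown in the article) into the fields it abbreviates and draws them in an RFC 793 style box. The box is a simplified illustration, not netwox's actual output, which the article does not reproduce; the second sample line in the test is constructed.

```shell
#!/bin/sh
# Added example (not netwox code): parse a classic tcpdump summary line into
# the TCP/IP header fields it abbreviates, and draw them in the RFC 793 box
# layout that netwox tool 7 uses. The input below is the line quoted in the article.
SAMPLE_LINE='20:08:35.691525 12.150.157.4.3266 > 68.153.244.213.80: S 1614678159:1614678159(0) win 16384 (DF)'

# Print one key=value per line for a tcpdump line in the old "host.port" style.
# Usage: tcpdump_fields <line>
tcpdump_fields() {
    printf '%s\n' "$1" | awk '
        # split "a.b.c.d.port" into address and port (the last dotted component)
        function hostport(s, key,   n, p, h, i) {
            n = split(s, p, ".")
            h = p[1]
            for (i = 2; i < n; i++) h = h "." p[i]
            print key "_ip=" h
            print key "_port=" p[n]
        }
        {
            dst = $4; sub(/:$/, "", dst)         # tcpdump ends the destination with ":"
            print "ts=" $1
            hostport($2, "src")
            hostport(dst, "dst")
            print "flags=" $5                    # S, F, P, R or "." (nothing besides ACK)
            seq = ""; seq_end = ""; len = ""; ack = ""; win = ""; df = 0
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^[0-9]+:[0-9]+\([0-9]+\)$/) {   # seq:seq_end(payload length)
                    split($i, a, /[:()]/); seq = a[1]; seq_end = a[2]; len = a[3]
                } else if ($i == "ack") ack = $(i + 1)
                else if ($i == "win") win = $(i + 1)
                else if ($i == "(DF)") df = 1      # IP do-not-fragment bit
            }
            print "seq=" seq; print "seq_end=" seq_end; print "len=" len
            print "ack=" ack; print "win=" win; print "ip_df=" df
        }'
}

# Fetch one field from the parsed output. Usage: field_of <line> <key>
field_of() { tcpdump_fields "$1" | sed -n "s/^$2=//p"; }

# Expand tcpdump's one-letter flag codes into RFC 793 flag names.
tcp_flag_names() {
    names=""
    case $1 in *S*) names="$names SYN";; esac
    case $1 in *F*) names="$names FIN";; esac
    case $1 in *P*) names="$names PSH";; esac
    case $1 in *R*) names="$names RST";; esac
    case $1 in .) names=" none";; esac
    printf '%s\n' "${names# }"
}

# Draw the header fields in an RFC 793 style box (9 lines).
render_tcp_header() {
    border='+-------------------------------+-------------------------------+'
    sp=$(field_of "$1" src_port); dp=$(field_of "$1" dst_port)
    seq=$(field_of "$1" seq); ack=$(field_of "$1" ack)
    fl=$(tcp_flag_names "$(field_of "$1" flags)"); win=$(field_of "$1" win)
    printf '%s\n' "$border"
    printf '| %-29s | %-29s |\n' "Source Port: $sp" "Destination Port: $dp"
    printf '%s\n' "$border"
    printf '| %-61s |\n' "Sequence Number: $seq"
    printf '%s\n' "$border"
    printf '| %-61s |\n' "Acknowledgment Number: ${ack:-(not sent, ACK flag clear)}"
    printf '%s\n' "$border"
    printf '| %-29s | %-29s |\n' "Flags: $fl" "Window: $win"
    printf '%s\n' "$border"
}

# Run directly with a tcpdump line as the argument, or with none for the sample.
render_tcp_header "${1:-$SAMPLE_LINE}"
```

Reading the sample this way shows what the compact line hides: a SYN with no acknowledgment number yet, a zero-length payload, a 16384-byte window and the IP don't-fragment bit set. The same parser can be pointed at a saved tcpdump text capture one line at a time when reviewing a connection attempt after the fact.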
Interview: We interviewed Laurent Constantin, creator and developer of netwox, which was formerly the unpronounceable lcrzoex.

LinuxSecurity.com: Laurent, I hope that you have been doing well? I just got over a cold that came about on New Year's Eve.

Laurent Constantin: It's the same for me. I got it during Christmas. Now, I'm ok :)

LinuxSecurity.com: What do you do when you are not programming and away from computers?

Laurent Constantin: I also like electronics, which I discovered before computers. I'm not creating boards anymore, but I often have devices to repair.

LinuxSecurity.com: Netwox has over 130 tools in one program. First of all, THANK YOU!! Why did you write a program that does all this instead of helping to document existing programs that have the same functionality?

Laurent Constantin: Before creating netwox, I was using a lot of other tools. Those tools are good, but I faced two problems. The main one is you had to spend time to install and configure them all. It was aggravating to go to a computer which had a network problem, and to see that only some, or even none, of the tools were installed. You had to spend time installing what you need before being able to spot and solve the problem. This was really annoying. The second problem is that tools for Linux, Solaris, BSD and Windows do not have the same command line parameters. Now, there is netwox on all computers I manage. There is something important to remember about netwox: it contains the functionalities of a lot of tools, but it's not as powerful as them. They are specialized in their job, and they do it very well. Sometimes, when the problem is hard to solve, netwox permits you to spot the problem, and then one of those specialized tools can be installed to solve it.

LinuxSecurity.com: How long did it take you to write netwox until it was ready for its first release?

Laurent Constantin: Netwox was developed during 2 years for my private use. During this period, several people showed interest in it, so it was published.
I'm not proud of the first versions: I was more interested in adding functionalities (I needed them!) than in creating them well. Now that there are a lot of tools available, I concentrate on the source code quality. It's more motivating, even if the update frequency is slower.

LinuxSecurity.com: Honestly, do you know the number of each tool by heart?

Laurent Constantin: No. Some tools are only used once or twice a year. But, when they are needed, they are ready :)

LinuxSecurity.com: Tool number 7 shows the packets with the full packet diagram, just as we learned the different parts of the packet. How did you decide to have a feature like that? I ask because it is, to me, the coolest tool in this program for that reason.

Laurent Constantin: Late 1999, for security tests, I had to spoof IP packets. To check them, it was important to see them. Tcpdump or snoop are good sniffers, but packets' fields can't be easily seen. Ethereal is excellent, but xfree is needed, which was not installed on production servers. So, I thought about a text mode display of packets. Naturally, formats described in the RFCs came to my mind. (See RFC 793, RFC 768, RFC 792, etc.)

LinuxSecurity.com: What do you plan to add to Netwox next? Any new features, anything you are going to change?

Laurent Constantin: Currently, version 5.7.0 is in progress. It will support IPv6 packet creating, decoding and displaying. In previous versions, only IPv6 sockets and raw sniff/spoof were available. People having an IPv6 network will enjoy version 5.7.0 ;) Then, I'd like to port netwox for MacOS, to add SNMP and SMB/CIFS tools, etc. That's for the beginning. Generally users require new functionalities, which become new priorities, so there is no definitive road map.

LinuxSecurity.com: Can this tool supplement an entire suite of auditing tools or distribution designed for network auditing?

Laurent Constantin: Netwox can be seen as a collection of simple tools. People who use netwox are identified in two main groups: network administrators and security professionals.
Network administrators want to setup a new computer or to repair an existing architecture. They need to send an email to test an SMTP server or to TCP traceroute to see if a flow is allowed by a firewall. Those simple tools are not sufficient if the problem becomes too complicated. Security professionals want to obtain malicious information or to prove a customer that its network is vulnerable. Nessus does a good job in notifying administrators about their vulnerable or outdated services. Then, netwox can be used to demonstrate the vulnerability found by Nessus. To sum up, netwox cannot replace an entire suite. It has to be used before of after the specialized tools. LinuxSecurity.com : How do you pronounce the original name "lcrzoex"? What does it mean? How did you get the new name, netwox? Lcrzoex can be pronounced "L C RESO(lv) EX". What a bad idea I had! I wanted an unique name. So I searched on the web to find something unused. Lcrzoex was unused, but now I know why : it's impossible to pronounce :). Perhaps 40% of people sending me an email misspelled it. When I physically met people, it was worse because they were annoyed to not being able to say it in front of me. Now netwox is much better. LinuxSecurity.com : In what situations do you use netwox? As soon as I encounter a network problem. I can't surf the web? Netwox will find if the problem belongs to DNS, local network, network path, remote host, etc. When I was a security auditor (now I work for a vulnerability survey), Icould have used it for all IP audits. LinuxSecurity.com : Any advice for network auditors out there on using many tools to audit, besides to use netwox? Netwox is not perfect, so I don't think it can fully replace those tools. However, try it and you might be surprised. For people new to security, I would really recommend to start by using netwox, because it contains most of the tools needed for learning. On your website there are two other programs mentioned, netwib and netwag. 
What are those programs? Netwag is a graphical front end to netwox. It is highly recommended for new users. Netwib is a network library which is needed for compiling netwox. Most people install it, and then ignore it. LinuxSecurity.com : You have any seminars or speeches you are going to be giving about security, auditing, or netwox? There is nothing planned. My current job does not permit me to easily move around the world, or even France. People are welcome to contact me by email or to meet me in the city of Rennes, where I live. LinuxSecurity.com : On your website, you tend to note when you are going to be away from email for an extended period of time. Any more big vacation plans coming up? Yes, 3 weeks in June :) Duane Dunston is an Information Technology Specialist (Security) for the National Climatic Data Center. He was previously a contractor for STG Inc. for the same organization. He received his B.A. and M.S. degrees from Pfeiffer University and he has his GSEC certification from SANS . He revels in the arts in Asheville, NC, writes poetry. He hangs out at Anntony's, Early Girl Eatery (tell'em Duane sent you), The New French Bar, and still wakes up every morning ready to go to work. . Introduction: Conducting a thorough security or network assessment utilizing Netwox along with perspectives from its developer.. Network Auditing, Open Source Tools, SecurityAudits, Netwox Utility. . Duane Dunston
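The text-mode packet display Laurent describes for tool 7 (fields laid out as in the RFC diagrams) is easy to reproduce for a single header. The following is an added example written for this article, not code from netwox or netwib: it decodes a TCP header and prints it in the 32-bit-wide layout of RFC 793 section 3.1, using a constructed SYN/ACK header rather than a capture.

```python
"""RFC 793-style text diagram of a TCP header, in the spirit of netwox tool 7.

Added example for this interview, not code from netwox: it decodes the fixed
TCP header and renders it as the 32-bit-wide field diagram of RFC 793 3.1.
"""
import struct

# Control bits, left to right as drawn in RFC 793 (bit 5 down to bit 0).
TCP_FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")

def parse_tcp_header(data: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into named fields."""
    if len(data) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack(
        "!HHIIHHHH", data[:20])
    flags = off_flags & 0x3F  # low 6 bits: URG ACK PSH RST SYN FIN
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": off_flags >> 12,  # header length in 32-bit words
        "flags": flags, "window": win, "checksum": csum, "urgent": urg,
        "flag_names": [n for i, n in enumerate(TCP_FLAGS) if flags & (1 << (5 - i))],
    }

def rfc793_diagram(h: dict) -> str:
    """Render parsed fields as the RFC diagram: each bit is 2 characters wide."""
    sep = "+-" * 32 + "+"
    def cell(text, nbits):  # a field of nbits occupies 2*nbits-1 characters
        return str(text)[:2 * nbits - 1].center(2 * nbits - 1)
    def row(*cells):
        return "|" + "|".join(cell(t, b) for t, b in cells) + "|"
    flags = ",".join(h["flag_names"]) or "none"
    rows = [
        row((f"Source Port {h['sport']}", 16), (f"Destination Port {h['dport']}", 16)),
        row((f"Sequence Number {h['seq']}", 32)),
        row((f"Acknowledgment Number {h['ack']}", 32)),
        row((f"Off {h['data_offset']}", 4), ("Rsvd", 6), (flags, 6),
            (f"Window {h['window']}", 16)),
        row((f"Checksum 0x{h['checksum']:04x}", 16), (f"Urgent Pointer {h['urgent']}", 16)),
    ]
    return "\n".join([sep] + [r + "\n" + sep for r in rows])

# Constructed SYN/ACK header (not a capture): 443 -> 50000, data offset 5, ACK+SYN set.
SAMPLE_SYNACK = struct.pack("!HHIIHHHH", 443, 50000, 0x12345678, 0x9ABCDEF0,
                            (5 << 12) | 0x12, 65535, 0xABCD, 0)

if __name__ == "__main__":
    print(rfc793_diagram(parse_tcp_header(SAMPLE_SYNACK)))
```

Every line of the output is 65 characters wide, so a UDP (RFC 768) or ICMP (RFC 792) renderer can be built the same way by changing only the field list.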

Jan 27, 2004, Duane Dunston