Stay Ahead With Linux Security Features

Explore Latest Linux Security features

What is Nmap? How To Use It Effectively for Network Security

Nmap, short for “Network Mapper,” is an open-source network security tool for discovery and auditing. It is one of the most widely used network mapping tools for system administrators to search for hosts and services within a network. Nmap stands out among other monitoring and vulnerability scanning solutions used by cybersecurity professionals because it is free, incredibly flexible, portable, well-documented, and simple to use. Nmap combines various abilities into one package, which makes it comfortable for those familiar with command-line interfaces. This article will discuss how to use it for port scans, other useful Nmap functions, and why threat actors also use port scanning.

What is a Port Scan? How Do You Run It?

Port scans are a type of vulnerability scanning used to identify open ports on a server that send or receive data. Open ports can lead to data and network security issues, making your company more susceptible to cloud security breaches.

To run a port scan, you enter the domain or IP address into the port scanner tool, which then examines the entire network for any cybersecurity vulnerabilities related to open ports. Network mapping with port scans is an effective way to find network security threats within a system. As a result, they can help you to close ports and protect your business.

What are Ports and Port Numbers?

A port is the starting and finishing point of online communications. Ports are typically linked to a specific function or operation, are software-based, and are managed by the company using the service. Port numbers are identification codes that help a server manager determine where a network packet should be sent. This allows a steady stream of communication between two parties. However, open ports without the proper configuration are an invitation for network intrusion and a whole host of preventable security threats.

How Do You Scan Ports on Nmap?

The simplest way to start port scanning is to enter nmap followed by the name of a network host. From this command, Nmap converts the hostname to an IP address, pings the host, and then returns a list of port statuses for the most popular 1,000 ports listed in nmap-services. This report categorizes all ports as open, closed, filtered, unfiltered, open|filtered, or closed|filtered. Similar results are condensed into a single line, while notable statuses are highlighted for the administrator to read.

Can You Detect an Nmap Scan?

Nmap scans run by cybercriminals are not always picked up quickly, if at all. Threat actors can use Nmap to find vulnerable server hosts that they will target for an attack. Modern forms of port scanning detection can pick up on Nmap scans, but the best defense against hostile scanners is to stay a step ahead by preemptively scanning your ports.

It is important to be aware of any and all cybersecurity vulnerabilities within your company. Routine network mapping scans will notify you of open ports so you can close them before a breach. Within Nmap, there are options you can select to verify that your system has proper data and network security.

How to Scan with Nmap

Here are a few of the more popular scans customers use with Nmap:

Ping Scans

The most basic function of Nmap is to identify hosts on your network, which can be done through a ping scan. This scan logs all IP addresses and hosts without sending packets to the admins. You can run more commands on the found hosts to examine them more thoroughly. Run the following command to execute a ping scan:

# nmap -sn 192.168.0.1/22

Host Scans

Host scans are a powerful technique that can be used to verify data and network security. They send ARP request packets to all the hosts on your network, which respond with the ARP packet status and MAC address. Run the following command to execute a host scan:

# nmap -sn <target>

OS and Services Scans

Nmap can run scans to detect the operating system, version, and services on a single device or on numerous devices. Detection scans are important to the enumeration process when conducting network penetration testing. It's critical to know where susceptible devices are on the network so they can be repaired or replaced before any attacks on network security can get to them. Run the following command to detect OS and services:

# nmap -A <target>

How Can You Prevent Port Scanning?

You can prevent a port scan by installing a super-strong firewall. This keeps external networks from looking at your business’s protection (or lack thereof). If a firewall sees that someone is trying to execute a port scan, the firewall will shut the port scan down.

How Do Bad Actors Use Port Scanning as an Attack Method?

Cybercriminals will use port scanning to identify cybersecurity vulnerabilities in your company’s system. Network mapping helps them to find the easiest ways to access your sensitive information and collect your data. Threat actors will scan the company, identify where they can break into your business assets, and execute cloud security breaches.

Final Thoughts on Port Scanning with Nmap

Nmap can be used to perform various scans to gather information for network discovery and auditing. Vulnerability scanning provides actionable intelligence and ensures that your company's data and network security is not an unknown variable. This way, administrators can detect weaknesses before they become a problem. Using Nmap or other network mapping tools for firewall pentesting is an important step towards improving your overall security posture.

Andrew Kowal, Apr 17, 2026

BlackHat USA 2022: eBPF Kernel Exploitation Detection and Prevention

Let's take a brief look at what Guillaume Fournier from Datadog presented at Blackhat USA 2022: “One of the fastest growing subsystems in the Linux Kernel is, without any doubt, eBPF (extended Berkeley Packet Filter)."

He elaborates, "Although eBPF initially targeted network monitoring and filtering use cases, its capabilities have been broadened over time. With each new kernel version, the capabilities of eBPF are getting closer to that of a kernel module with additional benefits: system safety and stability. Like any other kernel features, eBPF has introduced its fair share of kernel bugs and vulnerabilities, questioning the maturity of a solution that introduces a rich feature set but considerably increases the kernel attack surface. On the other hand, eBPF is now powering an increasing amount of endpoint protection solutions, showcasing original ideas to detect threats at runtime. Unlike many projects that aim at detecting malicious behaviors in user space, this talk focuses on how eBPF can be leveraged to detect and prevent various kernel exploitation strategies.”

Now I know you may be wondering: what exactly is eBPF? Well, let's go through it together!

Given the Linux kernel's unrestricted ability to monitor and manage the entire operating system, it has always been the ideal location to incorporate observability, security, and networking features. At the same time, because of its key function and high requirements for stability and security, the kernel is difficult to use when it comes to applications. Berkeley Packet Filter, or BPF for short, introduced a new interface for programs to make kernel requests alongside syscalls, making a significant modification to the old kernel model. Big name companies such as Netflix and Facebook run many BPF applications due to its capability of running new types of user-defined and kernel-mode applications.

BPF is essentially a kernel and user-space observability mechanism for executing code in kernel or user space that reacts to events such as function calls, function returns, and trace points. BPF programs offer rapid, extremely powerful and flexible ways of deeply observing what is happening in the Linux kernel or user space.

Understanding the Linux Kernel Architecture

When it comes to the Linux Kernel, there are roughly three parts to it: the user space, the Linux kernel itself or the OS, and finally the actual hardware. Essentially, this all works together and is wrapped in a process. Anything that is not a kernel process, such as normal apps, operates in the user space. Any code that runs within the user space has restricted hardware access and relies on kernel space code for privileged activities, such as reading and writing on the disk, or even network interaction such as sending data via a BSD or TCP socket.

The kernel space, on the other hand, contains the operating system's core. It has complete and unlimited access to all hardware, including RAM, storage, and the CPU. As we stated earlier, the kernel space is secured and only permits the most trusted programs to execute, including the kernel itself and numerous device drivers, which means code within the user space has limited access. The image below sums up this entire process:

While the system call interface might be enough in some cases, developers may require complete flexibility to handle new hardware, create new programs, etc., and this requires expanding the underlying kernel without directly modifying the kernel source code. This is where eBPF comes into play.

How eBPF Works

What eBPF allows users to do is quite incredible; it allows users to take a system call and run a program that takes over on its behalf. With this in mind, it can be used to create programs for networking, debugging, tracing, firewalls, and more.

eBPF was inspired by dtrace, a dynamic tracing tool available primarily for the Solaris and BSD operating systems, since there was a need for better Linux tracing capabilities. Unlike dtrace, Linux at the time could not provide a layout of running systems, hence the need to improve eBPF to give a similar set of functionalities to dtrace.

To avoid hazards such as limitless loops, eBPF applications are evaluated within the kernel. As a result, compared to an arbitrary Linux loadable kernel module, eBPF applications represent less risk. There is an eBPF runtime within the kernel, and the runtime ensures that these programs meet all programmability standards. Additionally, programs are written and executed in bytecode when using eBPF.

As a result, eBPF allows programmers to securely run custom bytecode within the Linux kernel without altering or adding to kernel source code, allowing applications with custom code to interact with protected hardware resources while putting the kernel at little risk.

Benefits of eBPF

eBPF can be adapted to do a variety of things, and its benefits are highlighted below:

- Performance: eBPF allows packet processing to be moved from the kernel to the user space. eBPF is also a just-in-time (JIT) compiler. eBPF is invoked after the bytecode is compiled, rather than a fresh interpretation of the bytecode for each method.
- Invasiveness is minimal: When used as a debugger, eBPF does not require the application to be stopped in order to examine its status.
- Security: Programs are essentially sandboxed, as shown in the image below, which means that kernel source code stays safe and unmodified. The verification phase guarantees that resources are not overburdened by programs that perform infinite loops. Moreover, eBPF provides a unified, robust, and user-friendly framework for tracing processes which improves both visibility and security.
- Convenience: It takes less effort to write code that hooks into kernel functions than it does to construct and maintain kernel modules.

There are many reasons why people should use eBPF as listed above, but here are some reasons why you shouldn’t:

- Detecting post-compromise is fighting a lost battle
- There are dozens of ways to disable an eBPF program
- eBPF can have a significant in-kernel performance impact

Known Issues within the Linux Kernel

Critical CVEs are regularly discovered within the Linux Kernel. As of now, there are 3349 recorded CVE Records for the Linux kernel alone. This causes security administrators and daily users to worry about:

- Keeping up with security updates
- Deploying security patches
- Monitoring & protecting vulnerable hosts

As of now, we already have 2 vulnerabilities for the month of August with regards to the Linux kernel. Firstly, we have CVE-2022-1012, which consists of a memory leak problem that was found in the TCP source port generation algorithm in the net/ipv4/tcp.c file due to the small table perturb size. This flaw could allow an attacker to leak information and can give them free rein to cause a denial of service problem or carry out a full-fledged DoS attack.

The second vulnerability would be CVE-2022-1973, which consists of a use-after-free flaw that was found in the Linux kernel in log_replay in the fs/ntfs3/fslog.c file in the NTFS journal. Essentially, this flaw allows a local attacker to crash the system and leads to a kernel information leak problem.

With the implementation and modification of eBPF, we can monitor kernel activity and patch zero-day attacks and vulnerabilities before they are found. For the sake of what was presented at Blackhat USA 2022, we will be discussing how to prevent the following 3 vulnerabilities with eBPF:

- Execution flow redirection
- Logic bugs
- Post compromise kernel runtime alteration

Datadog's Solution: KRIe

Kernel Runtime Integrity with eBPF (KRIe) is an open-source, Compile Once Run Everywhere tool that aims to detect Linux Kernel exploits with eBPF. KRIe is far from being a bulletproof strategy: from eBPF related limitations to post exploitation detections that might rely on a compromised kernel to emit security events, it is clear that a motivated attacker will eventually be able to bypass it. That being said, the goal of the project is to make attackers' lives harder and ultimately prevent out-of-the-box exploits from working on a vulnerable kernel.

Requirements

This project was developed on Ubuntu Focal 20.04 (Linux Kernel 5.15) and has been tested on older releases down to Ubuntu Bionic 18.04 (Linux Kernel 4.15).

- golang 1.18+
- (optional) Kernel headers are expected to be installed in lib/modules/$(uname -r), update the Makefile with their location otherwise.
- (optional) clang & llvm 14.0.6+

To best show how this tool works, the developers created two scenarios for us users:

- Scenario 1: the attacker controls the address of the next instruction executed by the kernel
- Scenario 2: the attacker is root on the machine and wants to persist its access by modifying the kernel runtime

In scenario 1, machines with SMEP & SMAP can prevent an attacker from carrying out the instruction executed in the user space. However, what about machines without SMEP & SMAP? KRIe places a kprobe and checks if the Stack pointer / Frame pointer / Instruction pointer registers point to user space memory.

Remember earlier we said that KRIe is not bulletproof and attackers can find a way around the kprobe by disabling it using the commands

echo 0 > /sys/kernel/debug/kprobes/enabled

or

sysctl kernel.ftrace_enabled=0

An attacker can also disable a kprobe by killing the user space process that loaded it to begin with. KRIe combats this by setting up what they call booby traps, essentially setting the Return-Oriented Programming (ROP) chain to set the instruction the attacker is trying to take over to null.

In scenario 2, the attacker could:

- Insert a rogue kernel module
- Hook syscalls to hide their tracks
  - Using kprobes
  - By hooking the syscall table directly
- Use BPF filters to silently capture network traffic
- Use eBPF programs to implement rootkits

KRIe combats this by monitoring:

- All bpf() operations and insertion of BPF filters
- Kernel module load / deletion events
- K(ret)probe registration / deletion / enable / disable / disarm events
- Ptrace events
- Sysctl commands
- Execution of hooked syscalls

All syscall tables are checked periodically, and KRIe is also able to detect and report when a process executes a hooked syscall, whilst also locking down the execution flows in the kernel by controlling call sites at runtime. Moreover, every detection is configurable as Log, Block, Kill, or Paranoid, which are different detection settings.

Our Thoughts

Powerful defensive tools can be implemented with eBPF, as shown with the KRIe tool; however, eBPF is not really the ideal technology to detect kernel exploits. KRIe is realistically a last resort and not a bulletproof strategy, but why not put that to the test! Follow along with us in our next article as we put this open-source tool through various test environments.

Brian Gomez, Aug 29, 2022
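
The three ways of silencing a kprobe named in the article above (the global kprobes switch, the ftrace sysctl, and loss of the probe when its loader is killed) are all visible in debugfs and procfs. The following is an added example, not KRIe code: it checks those files and reports which expected probes are no longer armed. The expected probe symbols and the sample file contents are constructed, and the flag syntax is the one the kernel uses in `/sys/kernel/debug/kprobes/list`.

```python
"""Check that a sensor's kprobes are still registered and armed."""
import re
from pathlib import Path

PATHS = {
    "kprobes_enabled": Path("/sys/kernel/debug/kprobes/enabled"),
    "kprobes_list": Path("/sys/kernel/debug/kprobes/list"),
    "ftrace_enabled": Path("/proc/sys/kernel/ftrace_enabled"),
}

# Hypothetical probe points the sensor should hold: (type, symbol),
# where type is "k" for a kprobe and "r" for a kretprobe.
EXPECTED = {("k", "vfs_read"), ("k", "do_init_module"), ("r", "tcp_v4_rcv")}

# Constructed file contents for a tampered host (not captured from a system).
SAMPLE = {
    "kprobes_enabled": "1\n",
    "ftrace_enabled": "0\n",
    "kprobes_list": (
        "ffffffff812a3b10  k  vfs_read+0x0    [FTRACE]\n"
        "ffffffff81a4c2d0  r  tcp_v4_rcv+0x0    [DISABLED][FTRACE]\n"
    ),
}


def parse_kprobe_list(text):
    """Return {(type, symbol): [set_of_flags, ...]} from kprobes/list text."""
    probes = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[1] not in ("k", "r"):
            continue
        symbol = fields[2].split("+", 1)[0]  # drop the +offset suffix
        # Flags are printed back to back, e.g. "[DISABLED][FTRACE]".
        flags = set(re.findall(r"\[([A-Z]+)\]", " ".join(fields[3:])))
        probes.setdefault((fields[1], symbol), []).append(flags)
    return probes


def check_probes(state, expected=EXPECTED):
    """Return a list of (finding, subject) tuples; empty means healthy."""
    findings = []
    if state["kprobes_enabled"].strip() != "1":
        findings.append(("kprobes_disabled", "kprobes/enabled"))
    ftrace_on = state["ftrace_enabled"].strip() == "1"
    if not ftrace_on:
        findings.append(("ftrace_disabled", "kernel.ftrace_enabled"))

    probes = parse_kprobe_list(state["kprobes_list"])
    for ptype, symbol in sorted(expected):
        name = f"{ptype}:{symbol}"
        entries = probes.get((ptype, symbol), [])
        armed = [f for f in entries if not f & {"DISABLED", "GONE"}]
        if not entries:
            findings.append(("missing", name))    # probe was unregistered
        elif not armed:
            findings.append(("disabled", name))   # registered but switched off
        elif not ftrace_on and all("FTRACE" in f for f in armed):
            findings.append(("inert", name))      # ftrace-based, ftrace is off
    return findings


def read_live():
    """Read the real files (needs root and a mounted debugfs)."""
    return {name: path.read_text() for name, path in PATHS.items()}


if __name__ == "__main__":
    for finding, subject in check_probes(SAMPLE):
        print(f"{finding}: {subject}")
```

Because the check reads kernel-provided files, it shares the limitation the article states for KRIe: a compromised kernel can report whatever it likes, so the result is a tripwire, not proof of integrity.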

CrowdSec v1.1.x Release: Exciting Features and Installation Steps

On July 8, 2021, the CrowdSec team released CrowdSec v1.1.x - the latest version of their free and open-source cybersecurity solution designed to protect Linux servers, services, containers, or virtual machines exposed on the Internet with a server-side agent - with new packages and repositories, as well as improvements to the CrowdSec agent itself. LinuxSecurity spoke with the CrowdSec team to provide readers with insight into what they can expect from this exciting release, and how they can get started with CrowdSec v1.1.x.

A Brief Introduction to CrowdSec

CrowdSec is a modernized, collaborative version of the Fail2Ban intrusion-prevention tool that is designed to run on complex modern architectures including clouds, containers and lambdas. It leverages a behavior analysis system based on logs to determine whether someone is trying to hack you. If your agent detects such aggression, the offending IP is then sent for curation. If it passes the curation process, the IP is then redistributed to all users sharing a similar technological profile to “immunize” them against this IP.

Philippe Humeau, CEO and co-founder of the company explains, “The goal is to leverage the power of the crowd to create a real-time IP reputation database. Ultimately, CrowdSec harnesses the power of the community to create an extremely accurate IP reputation system that benefits all its users. With its collaborative, transparent roots, Open Source has provided and continues to provide our team with the optimal framework to accomplish this mission”.

Enhancing Package Support with Package Cloud

As part of the CrowdSec v1.1.x release, CrowdSec has moved its services to Package Cloud, a fast, reliable and secure cloud-hosted package distribution. This move has enabled CrowdSec to distribute more packages to their customers.

Thibault Koechlin, CTO, elaborates, “Alongside existing packages for Debian and Ubuntu including Bionic, Bullseye, Buster, Focal, Stretch, Focal for x86-64 and arm, we now provide packages for Red Hat Enterprise Linux (RHEL), CentOS and Amazon Linux. We encourage users to update repositories’ URLs as soon as they can. The “old” repository (S3 bucket used as a repository) will no longer be updated and will be decommissioned shortly.”

As part of this landmark release, CrowdSec has also added RPM and Debian package support to its firewall bouncer, which fetches new and old decisions from a CrowdSec API and adds them to a blocklist used by supported firewalls, and its custom bouncer, which fetches new and expired or removed decisions from a CrowdSec Local API and passes them as arguments to a custom user script.

Various improvements have also been made to CrowdSec itself, one of the most notable being a revamp of the data acquisition process to add support for CloudWatch sources. Their CTO states, “We are excited to announce that CrowdSec can also now act as a syslog server, which should allow for the addition of many more data sources in future releases!”

Getting Started with CrowdSec v1.1.x

With the release of v1.1.x, getting started with CrowdSec is now easier than ever!

To install CrowdSec on Ubuntu or Debian, add the repositories:

curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash

Then install:

sudo apt-get install crowdsec -y

On a CentOS or Red Hat Enterprise Linux (RHEL) system, add the repositories:

curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash

Then install:

sudo dnf install crowdsec

If you install new services after this, you can update CrowdSec to install the required collections using:

/usr/share/crowdsec/wizard.sh -c

Repel Attacks with Bouncers

CrowdSec’s detection capabilities provide visibility into the threats targeting your system; however, deterring attacks requires an intelligent, proactive security strategy, which is where bouncers come into play! Bouncers work by querying CrowdSec’s API to know when to block an IP. They can be downloaded directly from the CrowdSec Hub.

To install the Cs-firewall-bouncer on an Ubuntu or Debian system, use:

sudo apt install crowdsec-firewall-bouncer-nftables crowdsec-firewall-bouncer

If you are a CentOS or RHEL user, use:

sudo dnf install crowdsec-firewall-bouncer-nftables

The CrowdSec Console: CrowdSec Values Your Feedback!

The brand-new CrowdSec Console, which is now in private beta, provides an easy-to-use web interface to inspect multiple CrowdSec agents spread across different networks. You can create a Console account and find instructions to enroll the CrowdSec agent app.

Philippe, CEO, concludes, “The CrowdSec team encourages testing and feedback! To get in touch with us, visit our Gitter channel. We look forward to continuing to provide our users with versatile, reliable and user-friendly intrusion-prevention services.”

Brittany Day, Aug 01, 2021

Exploring Essential Network Scanners and Security Tools for Linux Admins

"A scanner is a program that automatically detects security weaknesses in a remote or localhost." Scanners are important to Internet security because they reveal weaknesses in the network. System administrators can strengthen the security of networks by scanning their own networks. The primary attributes of a scanner should be:

- The capability to find a machine or network.
- The capability to find out what services are being run on the host (once having found the machine).
- The capability to test those services for known holes.

There are various tools available for Linux system scanning and intrusion detection. I will explain some of the very famous tools available. I have divided the scanners into three categories: Host Scanners, Network Scanners, and Intrusion Scanners.

Host Scanners

Host scanners are software you run locally on the system to probe for problems.

Cops

COPS is a collection of security tools that are designed specifically to aid the typical UNIX systems administrator, programmer, operator, or consultant in the oft neglected area of computer security. COPS is available at:

Tiger

Tiger is a UNIX Security Checker. Tiger is a package consisting of Bourne Shell scripts, C code and data files which is used for checking for security problems on a UNIX system. It scans system configuration files, file systems, and user configuration files for possible security problems and reports them. You can get it from:

check.pl

Check.pl is a perl script that looks through your entire filesystem (or just the directory you tell it to) for suid, sgid, sticky, and writeable files. You should run it as a regular user maybe once a week to check for permission problems. It will output a list of questionable files to stdout which you can redirect wherever. It's available at:

Network Scanners

Network scanners are run from a host and pound away on other machines, looking for open services. If you can find them, chances are an attacker can too. These are generally very useful for ensuring your firewall works.

NSS (Network Security Scanner)

NSS is a perl script that scans either individual remote hosts or entire subnets of hosts for various simple network security problems. It is extremely fast. Routine checks that it can perform include the following:

- sendmail
- Anon FTP
- NFS Exports
- TFTP
- Hosts.equiv
- Xhost

NSS can be found at:

SATAN (Security Administrator's Tool for Analyzing Networks)

SATAN is an automated network vulnerability search and report tool that provides an excellent framework for expansion. SATAN scans remote hosts for most known holes:

- FTPD vulnerabilities and writable FTP directories
- NFS vulnerabilities
- NIS vulnerabilities
- RSH vulnerability
- sendmail
- X server vulnerabilities

SATAN performs these probes automatically and provides this information in an extremely easy to use package. You can obtain SATAN from:

Strobe

Strobe is a Super optimised TCP port surveyor. It is a network/security tool that locates and describes all listening tcp ports on a (remote) host or on many hosts in a bandwidth utilisation maximising, and process resource minimising manner. It is simple to use and very fast, but doesn't have any of the features newer port scanners have. Strobe is available at:

Nmap

Nmap is a newer and much more fully-featured host scanning tool. Specifically, nmap supports:

- Vanilla TCP connect() scanning
- TCP SYN (half open) scanning
- TCP FIN, Xmas, or NULL (stealth) scanning
- TCP ftp proxy (bounce attack) scanning
- SYN/FIN scanning using IP fragments (bypasses some packet filters)
- TCP ACK and Window scanning
- UDP raw ICMP port unreachable scanning
- ICMP scanning (ping-sweep)
- TCP Ping scanning
- Direct (non portmapper) RPC scanning
- Remote OS Identification by TCP/IP Fingerprinting, and
- Reverse-ident scanning.

Nmap is available at: Nmap: the Network Mapper - Free Security Scanner.

Portscanner

PortScanner is a Network Utility especially designed to "scan" for listening TCP ports. It uses a simple method to achieve its goal, and it is extremely compact taking into account all of the options available. It's open source and free to use, you can get it at:

Queso

Queso is a tool to detect what OS a remote host is running with a pretty good degree of accuracy. Using a variety of valid and invalid tcp packets to probe the remote host, it checks the response against a list of known responses for various operating systems, and will tell you which OS the remote end is running. You can get Queso from:

Intrusion Scanners

Intrusion scanners are software packages that will actually identify vulnerabilities, and in some cases allow you to actively try and exploit them.

Nessus

Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs. Nessus is one of the best intrusion scanning tools. It has a client/server architecture: the server currently runs on Linux, FreeBSD, NetBSD and Solaris, clients are available for Linux and Windows, and there is a Java client. Nessus supports port scanning, and attacking, based on IP addresses or host name(s). It can also search through network DNS information and attack related hosts at your request. Nessus is available from Tenable® - The Exposure Management Company.

Saint

SAINT is the Security Administrator's Integrated Network Tool. Saint also uses a client/server architecture, but uses a www interface instead of a client program. In its simplest mode, it gathers as much information about remote hosts and networks as possible by examining such network services as finger, NFS, NIS, ftp and tftp, rexd, statd, and other services. Saint produces very easy to read and understand output, with security problems graded by priority (although not always correctly), and also supports add-in scanning modules, making it very flexible. Saint is available from: Products - Trusted Cybersecurity and Risk Management.

Cheops

Cheops is useful for detecting a host's OS and dealing with a large number of hosts quickly. Cheops is a "network neighborhood" on steroids: it builds a picture of a domain, or IP block, what hosts are running and so on. It is extremely useful for preparing an initial scan as you can locate interesting items (HP printers, Ascend routers, etc.) quickly. Cheops is available at: Marko.net - Get some help using the Wayback Machine.

Ftpcheck / Relaycheck

Ftpcheck and Relaycheck are two simple utilities that scan for ftp servers and mail servers that allow relaying. These are available from:

BASS

BASS, the "Bulk Auditing Security Scanner", allows you to scan the Internet for a variety of well known exploits. You can get it from:

Firewall Scanners

There are also a number of programs now that scan firewalls and execute other penetration tests in order to find out how a firewall is configured.

Firewalk

Firewalking is a technique that employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. Firewalk the tool employs the technique to determine the filter rules in place on a packet forwarding device. System administrators should utilize this tool against their systems to tighten up security. Firewalk is available from:

Conclusion

"Security is not a solution, it's a way of life." System Administrators must continuously scan their systems for security holes and fix each hole on detection. This will tighten the security of the system and reduce the chance of security breaches. This process is a continuous process. Security vulnerabilities will keep on arising and the process of fixing the security holes will never end! After all, "Precaution is better than cure."

This article is Copyright (c) 2000 by Kapil Sharma. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at opencontent).

Written by: Kapil Sharma
Website: http://www.linux4biz.net

[Kapil Sharma is a Linux and Internet security consultant. He has been working on various Linux/Unix systems and Internet Security for more than 2 years. He is maintaining a web site http://www.linux4biz.net for providing free as well as commercial support for web, Linux and Unix solutions.]

Brittany Day, Sep 13, 2000