January 14th, 2003, 03:43 PM
Hey everybody, I'm new to linux and wondered if anyone can tell me some good programs to watch the activity over the network?
January 14th, 2003, 03:47 PM
if you wanna watch what's coming into your own computer, a nice neat lil program is ippl... it's available through freshmeat..
a good sniffer is Ethereal if you wanna watch your whole network
there's tons of other programs out there.. freshmeat will give you a ton of them, but those were always the ones I enjoyed.
January 14th, 2003, 03:50 PM
thanks man, I'll have to check those out. Do you know any other good programs for security in general?
January 14th, 2003, 04:00 PM
I dunno.. personally for me, security on my home computer has never been a problem...
I'd lock down ports, and open what I had to... then I'd run IPPL and snort... and that was it..
January 14th, 2003, 04:31 PM
Basically, what a sniffer such as these (tcpdump is another one) does is place your network adapter in "promiscuous" mode to capture all traffic flowing through or to it. The catch is this: if you monitor your machine's adapter, it's only going to catch packets coming directly to it (multicast, unicast, and broadcast). With this in mind, you will not see the traffic from another machine on your network unless you/your machine are specified as one of the recipients. To simplify it (even if you are on the same subnet/network): computer A(your machine) will not see traffic sent from computer B directly to computer C. For anyone that finds error in my explanation or has a better one, feel free to post a correction.
As far as security tools go: ethereal is a great protocol analyzer, snort appears to be a good open source IDS, tcpdump is one of the essentials to help troubleshoot, a trojan scanner might be good (don't know any off the top of my head), a good Antivirus program, a good free personal firewall could be Agnitum Outpost or Tiny Personal Firewall (you could also learn to configure IPChains - there's a good tut posted here on AO - I would try a search and you're bound to turn up some good stuff). That should get you started. Feel free to post a response or PM me if you have questions.
Opinions are like holes - everybody's got 'em.
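The A/B/C point in the post above, worked through as an added example that is not code from the thread. Two filters sit between the wire and ethereal/tcpdump: the adapter's own address filter, which promiscuous mode switches off, and, on a switched LAN, the switch itself, which forwards a known unicast frame only to the port that owns its destination MAC. So on a switch host A still does not see B to C traffic even in promiscuous mode, while on a hub (or a switch mirror port) promiscuous mode is exactly what reveals it. The MAC addresses and frames below are constructed for the demo; the switch model ignores flooding of unknown destinations.

```python
"""Added example, not code from the thread: which Ethernet frames a sniffer
on host A can see, depending on promiscuous mode and on whether the LAN is
a shared medium (hub) or switched.  All addresses and frames are made up."""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH_HDR = struct.Struct("!6s6sH")   # dst MAC, src MAC, EtherType


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype=0x0800, payload=b""):
    """Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return ETH_HDR.pack(mac_to_bytes(dst), mac_to_bytes(src), ethertype) + payload


def parse_ethernet(frame):
    """Return (dst, src, ethertype, payload) or raise on a truncated header."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    return mac_to_str(dst), mac_to_str(src), ethertype, frame[ETH_HDR.size:]


def classify_destination(dst, my_mac):
    """broadcast / multicast / unicast-to-me / unicast-other."""
    if dst == BROADCAST:
        return "broadcast"
    if int(dst[:2], 16) & 0x01:      # I/G bit of the first octet: group address
        return "multicast"
    return "unicast-to-me" if dst == my_mac else "unicast-other"


def reaches_my_port(frame, my_mac, shared_medium):
    """Hub: every frame reaches every port.  Switch: a known unicast frame goes
    only to the port that learned its destination MAC."""
    dst = parse_ethernet(frame)[0]
    return shared_medium or classify_destination(dst, my_mac) != "unicast-other"


def nic_accepts(frame, my_mac, promiscuous):
    """The adapter's address filter; promiscuous mode passes everything up."""
    dst = parse_ethernet(frame)[0]
    return promiscuous or classify_destination(dst, my_mac) != "unicast-other"


def sniffer_sees(frame, my_mac, promiscuous, shared_medium):
    """A sniffer sees a frame only if it reaches the port AND the NIC accepts it."""
    return (reaches_my_port(frame, my_mac, shared_medium)
            and nic_accepts(frame, my_mac, promiscuous))


# Constructed hosts: A runs the sniffer, B talks to C.
A, B, C = "00:11:22:33:44:aa", "00:11:22:33:44:bb", "00:11:22:33:44:cc"
MCAST = "01:00:5e:00:00:01"   # all-hosts IPv4 multicast group address


def demo():
    """What host A's sniffer sees for each constructed frame under each setup."""
    frames = {"B->C": build_frame(C, B),
              "B->A": build_frame(A, B),
              "B->bcast": build_frame(BROADCAST, B, 0x0806),   # e.g. an ARP request
              "B->mcast": build_frame(MCAST, B)}
    setups = {"normal/switch": (False, False), "promisc/switch": (True, False),
              "normal/hub": (False, True), "promisc/hub": (True, True)}
    return {name: {label: sniffer_sees(f, A, promisc, hub) for label, f in frames.items()}
            for name, (promisc, hub) in setups.items()}


if __name__ == "__main__":
    for setup, seen in demo().items():
        print(f"{setup:15} {seen}")
```

Running it prints one row per setup; only "promisc/hub" shows the B->C unicast, while broadcast, multicast and frames addressed to A are visible in every row, which is the behaviour the post describes.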
January 14th, 2003, 04:34 PM
Let us start with monitoring tools.
For local activities and anything coming into your computer I use "Xlogmaster"
and of course not to forget:
tail -f /var/log/messages <---- That shows you a few activities on your box locally like who logs on, some firewall logging, changes on interfaces, devices or users (like su)
Also ethereal is nice (packet sniffer) it can monitor anything on your network (except encrypted data), tcpdump is a console sniffer.
Then for IDS (intrusion detection systems) I used to like tripwire UNTIL they went commercial, so now I use AIDE (Advanced Intrusion Detection Environment). What it does is actually simple. There are some important system files that never change (size, date, timestamp, attributes etc...). In order to "compromise" a target, the attacker or hostile code sometimes edits these specific files, so what AIDE does is make an image of these files and save it in a different location, so later you can compare the active files with the image AIDE has created.
Firewalling in Linux is normally done using iptables (for kernel 2.4.x) or ipchains (kernel 2.2.x). A firewall is a program that "filters" packets depending on protocol (tcp, udp, icmp, etc), telling them what to do when it encounters these protocols combined with source IP, destination IP, interface, source ports, destination ports and many more things. It's good to deny access to ports that you cannot/don't want to close, but also have no one be able to connect to them.
Then antivirus scanners. Not for the sake of infecting you, but your responsibility towards others when sending them files. The virii might not damage your system, but it can still contain virus code that is harmful to others who get files from you (e.g. mail servers, ftp servers, webservers with downloadable stuff).
Make sure that you use strong password policies and high encryption levels.
Avoid using NIS networks, since the idea of sharing passwords over a network is not so cool. Also change your passwords regularly.
Make sure that you have your umasks set tight, so not every user can access any other user's directory or files. The folders in /home/* should be changed via the chmod command, or use a hardening package (I use SUSE Linux, so I have the harden_suse package that tightens security).
Disable any system accounts that you do NOT need, low UIDs etc......
If you use a GUI, then deny shell access to users who don't really need it: in /etc/passwd set their shell to true instead of bash (or any other variety depending on what your needs are).
Disabling inetd is a good idea. If you choose to run servers, then try getting them to run in "standalone" mode, and also, if possible, try running services not as ROOT.
Deny any remote root logins, instead login with a normal user and then "su" to root.
Sudo is also a nice tool, it lets normal users run specific commands with UID 0 (root). For example, my policy is that only root can reboot or shutdown the system, but what happens if I'm not available? I have given a user the chance to be able to reboot or shutdown the system using sudo. That's all he can do (apart from his normal privileges).
If you have sensitive data on your computer, then try encrypting it (pgp).
Also a very important issue in security is backups. Make sure you back up things that you don't want to lose. I recommend using AMANDA, dump, or rsync. I know many of you will argue with me on the point of using rsync (I admit it had major security flaws in the past) but it's easy to use over networks, and I can schedule it (using the "at" command or adding it to cronjobs).
Basically, create a security policy, then follow it. Like, who is allowed to do what, which files may travel, and from where to where.
One last thing about firewalling: some people like to set firewalls to react upon certain actions. I highly recommend not to set it to take any automated actions. The reason is that if the attacker is spoofing, then any action the firewall might take will go to some poor victim, or wherever the spoofed address is.
I hope I have made sense (forgive my bad English). If you need more help, you are welcome to send me a message. Also remember to "love" google, linux.org, linux.com
Good luck to you.
Ubuntu-: Means in African : "I'm too dumb to use Slackware"
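The AIDE idea from the post above (snapshot the attributes of files that should never change, keep the database somewhere else, compare later), as an added example in Python that is neither code from the thread nor AIDE's own code. The tree it checks is constructed in a temporary directory and the tampering steps are made up for the demo: an account appended to passwd, a same-size replacement of a binary with its mtime put back, one file removed and one dropped into tmp. The same-size case is why a digest is stored and not just size and timestamps.

```python
"""Added example, not code from the thread or from AIDE: a minimal
AIDE-style integrity check.  snapshot() records size, mode, owner, mtime and
a SHA-256 digest of every regular file under a directory; the database is
written outside that tree; compare() later reports files added, removed or
changed, and which attributes differ.  run_demo() builds a made-up tree."""
import hashlib
import json
import os
import tempfile

FIELDS = ("size", "mode", "uid", "gid", "mtime", "sha256")


def file_record(path):
    """Attributes stored for one file (digest read in chunks)."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mode": st.st_mode, "uid": st.st_uid,
            "gid": st.st_gid, "mtime": st.st_mtime_ns, "sha256": digest.hexdigest()}


def snapshot(root):
    """Walk root and return {relative path: record} for regular files only."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = file_record(full)
    return db


def save_db(db, db_path):
    with open(db_path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_db(db_path):
    with open(db_path) as f:
        return json.load(f)


def compare(old, new):
    """Added/removed paths, and for common paths the list of fields that differ."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for path in sorted(set(old) & set(new)):
        diff = [f for f in FIELDS if old[path][f] != new[path][f]]
        if diff:
            changed[path] = diff
    return {"added": added, "removed": removed, "changed": changed}


def run_demo():
    """Build a toy system tree, baseline it, tamper with it, and compare."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as elsewhere:
        files = {"etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
                 "etc/motd": b"Welcome\n",
                 "bin/ls": b"original"}        # constructed stand-in for a binary
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        os.mkdir(os.path.join(root, "tmp"))

        db_path = os.path.join(elsewhere, "aide.db")   # database kept outside the tree
        save_db(snapshot(root), db_path)

        # 1. A uid-0 account appended to passwd: size and digest change.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"backdoor:x:0:0::/:/bin/bash\n")
        # 2. Same-size replacement of a binary with mtime restored (touch -r style):
        #    only the digest gives it away.
        ls = os.path.join(root, "bin/ls")
        before = os.stat(ls)
        with open(ls, "wb") as f:
            f.write(b"tampered")
        os.utime(ls, ns=(before.st_atime_ns, before.st_mtime_ns))
        # 3. One file removed, one dropped into tmp.
        os.remove(os.path.join(root, "etc/motd"))
        with open(os.path.join(root, "tmp/dropped"), "wb") as f:
            f.write(b"#!/bin/sh\n")

        return compare(load_db(db_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

In real use the database belongs on read-only or remote storage and the comparison should be run from a known-good system, since an attacker who controls the box can rewrite both the files and the baseline.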
January 14th, 2003, 07:00 PM
Thanks for all the info. I haven't had any real security problems in the past with any of my other systems, but I just don't want to be open for everyone to be able to access my computer with ease. And being on a broadband system now, I think about security somewhat more than when I was running off a 56k.