Basic Security Testing Information.

[instronics]

System Security Testing.

Hello everyone. Todays tutorial will provide information and tips on testing your security setup and i will also introduce a few applications which are advisable to help you on this quest. Let me remind you that this tutorial will be based on SuSE Linux, although im sure that most of it will work on most Linux systems.


1 – The Basics.

Any system administrator would be able to sleep much better if they could be sure that their systems are secure. A way to get closer to that step would include a regular systems check by administrators, as well as regular security audits. A systems check and the audit should especially be performed after any changes made to the firewall and/or the DMZ.

Even though i will list a few programs and methods to “scan” systems for weaknesses, let me point out that using any of these applications or methods do not replace the work of a system administrator's skills or knowledge. Remember, 4 eyes see better than 2. In general, the subject system security is a two-handed sword. If a system administrator inspects his work/settings/configurations himself, it increases the chance of missing out or overseeing important security settings. He could also be ashamed or scared to admit any security holes overlooked, and therefor just hide or ignore them.

If 3rd party security audits take place, its also a question of trust. How do you know that the people your company has hired to double check your system administrator's configuration are reliable and will truly find any holes, and who knows if they are not already being payed by rival companies or persons to provide any real results concerning your security setups? A huge company with very high skilled and very well payed IT professionals (who work for the company) is only a dream, and even if it did exist, there would be no real security due to the fact, what if a rival payed them of with more money than they are earning already.

The topic system security is always based on a basic paranoia. The border line of who to trust and who not to trust must be drawn by every individual him/herself.

Before i move over to the programs and methods section, allow me to point out a few things first. There are many commercial products out there as well as free products which are used to help perform security audits and everyday administration. For example, the free applications such as saint, nessus, nmap/xnmap are very useful as well as commercial applications such as ISS (Internet Security Scanner). Also under the commercial selections, the eTrust Policy Compliance from the Computer Associates can be very interesting.

With the regular use of applications like saint, nessus, and nmap a certain standard of security can be accomplished and maintained. Its always advisable to do this from a separate machine, preferably a laptop.
Even though many tools/utils may be rated as old, they should never be underestimated. Maybe they lack comfort and a GUI, but they help to determine the deep details of things that are actually going on in the systems themselves. Be sure that Hackers/Crackers know their way around the deep details mentioned.

The following list is only a selection of what tools/utils are in existence.


2 - Free tools/utils:

There are quite a few free tools/utils that help to discover configuration mistakes and other security related weaknesses. It is essential to use the latest versions of these tools in order to get real results. One of the dangers that exist if you do not use the latest versions for example is that most probably many unknown individuals from the Internet will take over this task for free (individuals = volunteers).

A – SuSE SecCheck (SuSE Linux only):

The SuSE Security Check Packet includes scripts that monitor the system itself. It will generate reports and mail it to root@Localhost providing information in critical security related areas.

B – SAINT (All *nix systems):

Saint is the update from Satan and is a packet-to-analasys tool for network weaknesses. This free tool uses a comfortable HTML front end, which can be used and configured with a simple web browser.

C – The NESSUS Project (All *nix systems):

Nessus was born due to the fact that Satan was no longer maintained. This packet has been also been ported to Windows NT. It is an excellent tool.

D – Crack, John the Ripper, and VCU.

The best way to avoid being compromised by the use of password crackers is to get rid of passwords in general. Biometrics is a solution to this, and is slowly becoming more and more popular, but until then passwords have to do their work. On a Unix system the /etc/shadow password system is essential. An efficient way to make sure that your system has strong passwords there is a tool called “crack”, as well as John the Ripper. For windows there is a tool called VCU (Velocity Cracking Utilities) which also is a very powerful tool. With the use of these tools, you can easily find out how safe your passwords really are, and if they should be changed at all.


3 – Commercial Tools/Utils.


A – ISS (Internet Security Scanner):

This tool only exists for Windows NT, which can also be used with Linux with the help of VMWARE. ISS is a pioneer among the security scanners and network intrusion scanners. These sort of tools are very expensive, so that their popularity stays in the background.

B – Cyber Cop Scanner.

The cyber cop scanner used to be named Ballista, and is very similar to the ISS. Cyber Cop also works under Linux.

C – eTrust Policy Compliance for Linux.

Computer Associates is in the process of contributing a lot more time and resources for the Linux OS, and looks very promising indeed. Its only a matter of time until we find out the pricing of this for Linux versions.


4 – Hacker and Cracker tools/utils.

The so far mentioned tools above were created to make life easy for system administrators and IT professionals. Its in the tool's nature that they are abused for malicious reasons. On this point, the ISS has a positive side, it will only work if you have a valid license, and will only work on a target specified within that license, meaning that it cannot be abused easily to target other computers on the Internet. This is only a small advantage compared to the free tools which are available. Real hackers and crackers do not use many ready made tools/utils. They create their own which are usually created as they go along with their deeds. An example of a very dangerous tool is the HISPAHACK SMB-Scanner. Although it runs under windows, its an excellent tool to convince that 'security=share' in samba is suicidal. More information to this can be found under http://hispahack.ccc.de/

Let us now go back into our security world!

For administrators, the exact technical knowledge of hackers or crackers is not all that helpful after all, but a certain level of knowledge must be present. This is why administrators must be up to date, and open source is very essential here too.

Its also very important to understand as a system administrator that the attacker (real attackers) are usually a few steps ahead when it comes to the knowledge about weaknesses. No matter how good an admin is, how much an admin has learnt, there is always someone on the other side that has learned a lot more, and is much more skilled. If a system administrator thinks that he has to be a great hacker in order to defend himself from hackers, then this admin has lost already. A good system administrator is presented by his knowledge of policies, organization. You donut have to be a cracker in order to install a bug fix or a patch. If an admin really administers his systems correctly, then there is no time left to look for new undiscovered weaknesses and holes in programs or applications.

NOTE: ERRORS, BUGS, AND MISTAKES IN SOFTWARE WHICH IS NOT INSTALLED, DOES NOT ENDAGER OUR SYSTEMS.

Indeed there many windows systems which are not affected by the “i love you' virus, due to the fact that some paranoid system administrators do not have the 'windows-scripting-hosts' setup on their systems, since they are not very widely used.


This tutorial is by no means a complete list of what can be used, or is used. I have just mention a few things here to help understand system administrators of what can be used, what should be used, and how to think. I hope this comes in handy to some of you in future.


Cheers everyone

[h@rdb@ll]

Istronics,

Mannn, this is a really good tutorial. Next weekend i will try several options out.
Keep up the good work!!!

See you

[emPtYKnOw]

good post istronics good info. one suggestion however. Although a simple google search would locate all the free tools fairly quickly, it would have been nice to have links in your tutorial directing users to these tools

PeAcE