Monday, September 17, 2007

lockdown an account

# passwd -l webserv
# usermod -s /bin/false webserv

# grep webserv /etc/shadow
# grep webserv /etc/passwd
# login webserv

enable syn_cookies

# echo 4096 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# echo "net.ipv4.tcp_max_syn_backlog = 4096" >> /etc/sysctl.conf
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
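
Added example (not from the original post): a check that the values written under /proc/sys match what sysctl.conf will apply at the next boot, run here on constructed sample files in which the persisted backlog differs from the running one. The function names and the temporary directory layout are assumptions made for the illustration.

```shell
# persisted_value CONF KEY: print the last value assigned to KEY in CONF.
# Accepts "key=value", "key = value" and trailing blanks; skips comment lines.
persisted_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            k = $1; v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) last = v   # a later line overrides an earlier one
        }
        END { if (last != "") print last }
    ' "$1"
}

# runtime_value PROCSYS KEY: print the running value (dots in KEY become slashes).
runtime_value() {
    path="$1/$(printf '%s' "$2" | tr . /)"
    if [ -r "$path" ]; then tr -d ' \t\n' < "$path"; fi
}

# check_key CONF PROCSYS KEY: print a verdict.
# Returns 0 when both agree, 1 on drift, 2 when KEY is not persisted at all.
check_key() {
    want=$(persisted_value "$1" "$3")
    have=$(runtime_value "$2" "$3")
    if [ -z "$want" ]; then
        echo "$3: not persisted (runtime=$have)"; return 2
    elif [ "$want" != "$have" ]; then
        echo "$3: DRIFT runtime=$have persisted=$want"; return 1
    fi
    echo "$3: ok ($have)"
}

# Constructed sample data: a stand-in for /proc/sys and for /etc/sysctl.conf.
demo=$(mktemp -d)
mkdir -p "$demo/procsys/net/ipv4"
echo 4096 > "$demo/procsys/net/ipv4/tcp_max_syn_backlog"
echo 1    > "$demo/procsys/net/ipv4/tcp_syncookies"
printf '%s\n' 'net.ipv4.tcp_max_syn_backlog = 1' \
              'net.ipv4.tcp_syncookies =1 ' > "$demo/sysctl.conf"

for k in net.ipv4.tcp_max_syn_backlog net.ipv4.tcp_syncookies; do
    check_key "$demo/sysctl.conf" "$demo/procsys" "$k" || true
done
```

On a live host, call check_key with /etc/sysctl.conf and /proc/sys as the first two arguments.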

Wednesday, September 12, 2007

useful security tools

  • http://www.net-square.com/httprint/ - web server fingerprint tool
  • logwatch - log file analysis daily
  • swatch - simple logfile watcher
  • portsentry
  • http://osiris.shmoo.com/ - host integrity tool
  • ssldump
  • www.securityfocus.com
Forensic Analysis
Permanently delete files or hard disk
  • shred -n 3 -vz filename (-u)
note: overwrite with random data for 3 passes (-n 3), be verbose (-v), and write a final pass of zeros over the file after completing the random overwrite passes (-z).
If you don't specify -n 3, it will overwrite 25 times by default.
In most cases, when shredding a file, you would also use the -u option to tell shred to truncate and delete the file after overwriting it.

Monday, September 10, 2007

How to setup Nessus 3 under CentOS 5

  • Download the Nessus server and the command line tool 'nessus'; it should be a binary rpm package. After you register, a download link is provided.
  • To run a GUI client, download NessusClient (a GUI client for Linux/Windows Nessusd); it's an rpm package too.
  • Automatic plug-in update
  1. run the following command to check whether you are registered
# /opt/nessus/bin/nessus-fetch --check
You should obtain the following output:
nessus-fetch is properly configured to receive a direct feed or
nessus-fetch is properly configured to receive a registered feed

2. after registration, you should receive an activation code for the Nessus plugin feed by email. Follow the instructions in the email to activate your installation; you can register online or offline

3. use the following command to auto update plugins
# /opt/nessus/sbin/nessus-update-plugins -v
4. make sure the option 'auto_update' is set to yes in /opt/nessus/etc/nessus/nessusd.conf (this is the default)
  • generate SSL certificate
# cd /opt/nessus/sbin
# ./nessus-mkcert
answer questions to generate SSL keys
# ./nessus-adduser

  • start up NessusClient
# cd /opt/nessus/bin
# ./NessusClient
note: edit the server entry to specify the username and password you entered in the 'nessus-adduser' command above.

  • command line mode
# cd /opt/nessus/bin
# ./nessus -q -T html localhost 1241 nessus nessus /tmp/target /tmp/result.html

Thursday, September 6, 2007

Snort related OSS tools

  • snort - IDS
  • snort inline (google search it - IPS)
  • snortsam (IPS works with PF)
  • snortalog (command line log generator)
  • nessus (Linux and Windows, beat commercial ones)
  • nikto - web server scanner
  • acid/base (base is better)
  • aanval (commercial one, but has one sensor free version)
  • www.intertnetsecurityguru.com
  • apache/php/pcre/mysql/adodb
  • oinkmaster - autoupdate snort rules
  • loghog (google search)
  • swatch (google search)