182 Chapter 3 • System Scanning and Probing SECURITY A LERT! Improper use of detached and differential scans can seriously impact host and network performance. Be very careful when configuring these options, or you may inadvertently conduct a DoS attack against your own network. Exercise: Conducting Detached and Differential Scans with Nessus 1. Make sure that the sendmail daemon is started: /etc/rc.d /init.d/sendmail start www.syngress.com Figure 3.33 Configuring the Nessus Client for a Detached Scan 138_linux_03 6/20/01 9:36 AM Page 182 System Scanning and Probing • Chapter 3 183 2. Make sure that sendmail is in your path. If you are using the BASH shell, issue the following command: echo $PATH lots of output :/usr/sbin/ Another way to do this is to just type which sendmail and examine the full path to the executable.That path should be in the output of the echo $PATH command. 3. If sendmail is not in your path, enter the following: PATH=$PATH:/usr/sbin 4. Now, open your Linux nessus client. 5. Log in to your nessus daemon. NOTE Make sure the nessus daemon is compiled to allow detached scans. Use the /usr/local/sbin/nessusd-d command to learn more about the daemon’s configuration. 6. In the Linux Nessus client, select the plug-ins that you want to use. Configure any plug-ins as necessary. 7. Click on the Scan options tab, and select both the Optimize the test and Detached scan options.You will have to acknowledge that these scans can be dangerous. 8. Enter an e-mail address you can readily check in the Send results to this email address section. 9. When you have verified all settings, click Start The Scan. After some time, you will receive an e-mail report concerning the scan. If you receive no e-mail report, then the scan did not find any vulnerabilities. 10. Now, you are ready to do a differential scan. First, conduct a full scan of a host. www.syngress.com 138_linux_03 6/20/01 9:36 AM Page 183 184 Chapter 3 • System Scanning and Probing 11. Once this scan has completed, click on the KB tab and select the Enable KB saving, Reuse the knowledge bases about all the hosts for the test, and Only show differences with the previous scan buttons. 12. Conduct your scan of the same host again. 13. The scan will not execute any new commands, because you have effec- tively told Nessus to skip these tests, because you already know about the weaknesses. Now, if you update Nessus and it receives additional plug-ins, only these plug-ins will be used for future scans. Be careful, however, with this setting. If you leave it enabled, Nessus will not con- duct these scans on this host, which could lead you into a false sense of security. 14. Disable KB saving for now. 15. To enable continuous scans, prepare your scan, and then select the Scan options tab. Select the Continuous scan button, and then enter an appropriate value, such as 201600 for a weekly scan (every seven days). Next, begin your scan.The initial scan will begin and (eventually) finish, and then it will begin again automatically in seven days, if nessusd is still running and available. www.syngress.com 138_linux_03 6/20/01 9:36 AM Page 184 System Scanning and Probing • Chapter 3 185 Summary In this chapter, you learned how to scan your operating system for viruses.You then learned more about how to stop DDoS attacks. Although applications such as Zombie Zapper are not foolproof, they can still help you prepare against such attacks.You should remain current about DDoS attacks and learn more about related tools that can help you recover from this type of security breach.This way, if a system is compromised, you can recover from the event in a graceful way, rather than simply shutting down your system. You then learned how to scan your system’s ports using tools such as Gnome Service Scan and Nmap.The latter program is somewhat more sophisticated, in that it allows you to learn the version of the operating system you are using, the open ports, and the system’s TCP sequencing abilities. Nmap is an important tool to understand, because it is used in many other applications, including Cheops and Nessus. Although not specifically a security application, Cheops enables you to mon- itor systems on your network, and provides a graphical map.This map is func- tional, in that you can then right-click on host icons to access these services. Finally, you learned how to use Nessus, a powerful vulnerability scanning tool. Nessus provides you with the ability to update its configuration, and is able to conduct detailed tests of any host on your network. You now have a thorough understanding of the tools required to lock down and test your system’s services. In the next chapter, you will learn more about how to enhance host and network logging so that you can discover if your system has been compromised. Solutions Fast Track Scanning for Viruses Using the AntiVir Antivirus Application ; Virus scanners will perform the following tasks: check the system’s boot record; search directories and subdirectories; automatically delete infected files; save scans into a log file; use an internal scheduler, or an external scheduler, such as at or cron; scan NFS-mounted drives; delete infected files; and move infected files to a central,“quarantine” area of your own choosing. www.syngress.com 138_linux_03 6/20/01 9:36 AM Page 185 186 Chapter 3 • System Scanning and Probing ; The AntiVir for Servers binary is a truly impressive command-line virus scanner sold by H+BDEV. It is capable of searching for and deleting macro viruses, boot sector viruses, e-mail viruses, and DDoS daemons. ; An antivirus application is only as useful as its virus definition file.Your application should provide you with frequent updates. Scanning Systems for DDoS Attack Software Using a Zombie Zapper ; Attackers wage denial of service (DoS) attacks by first finding and hacking into insecure systems on the Internet.Then, they install pro- grams such as Tribe Flood Network 2000 (Tfn2k), stacheldraht, and others.The compromised systems now have illicit programs installed on them called zombies. ; Once a zombie is commanded to attack a victim, it will generally con- tinue the attack until it is forced to stop. If you notice large amounts of unknown traffic when you monitor your network or network perimeter, you can use a zombie zapper against the host or hosts generating this traffic. ; Limitations of a zombie zapper can include the following: they are pro- grammed to shut down only certain DDoS servers; it may be blocked by a firewall; the malicious user may have changed the password of the illicit server; or the attack server may have spoofed packets. Scanning System Ports Using the Gnome Service Scan Port Scanner ; Systems administrators find port scanners useful when auditing their own systems. Although a simple port scanner such as GSS does not actu- ally test for flaws in binaries and Web applications, a good port scanner can help you isolate which ports are open, and then take any action that is necessary. ; Port scanning a machine may set off an alarm for the system’s adminis- trator, who might take a dim view of your actions. Unless you have explicit (sometimes, even written) permission from the system adminis- trator, you may cause a serious violation of your security policy. www.syngress.com 138_linux_03 6/20/01 9:36 AM Page 186 System Scanning and Probing • Chapter 3 187 Using Nmap ; Nmap is an advanced Unix-based port scanner. It can be used to audit your network, test your router and switch configurations, test your fire- wall configurations, and identify the nature of suspicious remote systems. ; You can use Nmap as a basic port scanner for a system on your internal network, or you can have it identify the operating system version of a remote system on another firewall-protected network. Nmap is capable of manipulating aspects of TCP to hide its scans from firewalls. ; Nmap’s “interactive mode” allows you to do two things that you should be aware of as a systems administrator: It can conduct multiple Nmap sessions, and it can disguise the fact that it is running on your system. Using Nmapfe as a Graphical Front End ; The Nmap Front End (NmapFE) provides a well-written, stable GUI that allows you to control almost every aspect of Nmap. ; Note that this interface is somewhat unstable, and given to faults that lead to complete crashes (core dumps).This is especially the case in sys- tems that have been upgraded (say, from Red Hat version 7.0 to 7.1). Using Remote Nmap as a Central Scanning Device ; Remote Nmap (Rnmap) enables a client system to connect to a central Nmap server. It is currently in beta, but both the client and the server are quite strong. ; Rnmap has the following features: user authentication, a command-line and GUI client, and available encryption (still in beta form). Rnmap is written in the Python scripting language, which means that your Linux system must have Python installed. Deploying Cheops to Monitor Your Network ; Billed as a graphical network neighborhood, Cheops is related to appli- cations such as HP OpenView. Both Cheops and HP OpenView allow www.syngress.com 138_linux_03 6/20/01 9:36 AM Page 187 188 Chapter 3 • System Scanning and Probing you to create a graphical map of the network, and then manage any host on that map. Although Cheops is not nearly as sophisticated, it still allows you to quickly learn which hosts are up on a particular network segment. ; Cheops issues network broadcasts, and then processes these replies to dis- cover remote hosts. Some older versions of Cheops use an application called Queso to read the replies of remote systems. Queso is similar to Nmap, although not as sophisticated or as recent.As with Nmap, Queso does use stack fingerprinting to guess the operating system of a remote server. ; Cheops is capable of two types of monitoring. First, it can have your Linux system issue simple ping requests to see if a remote host is up. Second, instead of relying on a crude ping request, Cheops allows you to pick a specific service offered by the remote host. Deploying Nessus to Test Daemon Security ; Using vulnerability detection software, you can find out exactly what specific application is listening on that port. A good hacker is well informed concerning the popular servers on the Internet, and can quickly take advantage of a specific daemon that has a security problem. Nessus allows you to proactively scan your system to determine its weaknesses. ; The Nessus client allows you to connect to the Nessus daemon, which is usually on a remote server. Several different clients exist, including those for Windows, Macintosh, and Unix/Linux systems. ; The Nessus project has been quite active, and has a good record for pro- viding regular plug-in updates. ; When you launch the client for the first time, it will take some time to create a public key pair, which will be used to authenticate with any Nessus daemon. ; The compilation option allows the client to “remember” past sessions and to configure a nessus daemon to conduct a scan all by itself.These capabil- ities are respectively called differential and detached scanning.The ability to save sessions allows you to begin sessions that have been interrupted. www.syngress.com 138_linux_03 6/20/01 9:36 AM Page 188 System Scanning and Probing • Chapter 3 189 Q: I have downloaded and compiled AntiVir. However, it says that I am running in “non-key mode,” and won’t allow me to scan any subdirectories off the /directory.Why not? A: You need to obtain the license key from www.hbedv.com.You can either purchase a license, or use the private license, if you are qualified. Once you obtain this key, rerun AntiVir.You will see that the “non-key mode” message no longer appears.This key will also allow you to obtain an update every two months. If you do not want to obtain a license, you can still scan each subdi- rectory manually. Q: Although I can compile and configure TkAntivir, I can’t seem to get it to run. I was able to start it, and saw the “splash screen,” but then I saw nothing. What is wrong? A: Some window manager environments do not support TkAntivir well.Try running TkAntivir in Gnome or KDE. In addition, you need to have suffi- cient resolution (at least 800 x 600) in order for TkAntivir to run. Q: The configuration script for TkAntivir crashes every time I run it.What can I do? A: Make sure that you have the correct libraries and resolution for the program. See the instructions earlier in this chapter, as well as information at the TkAntivir site (www.geiges.de/tkantivir). If your system supports RPM files, try using RPM instead. Q: Is it legal for me to scan other people’s systems using Gnome Service Scan or Nmap? A: While legal issues are rather complex, it is never acceptable to scan systems that are not your own.You should scan only those systems for which you are www.syngress.com Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. 138_linux_03 6/20/01 9:36 AM Page 189 190 Chapter 3 • System Scanning and Probing directly responsible.You can also scan any system if you have been given explicit permission to do so. Q: When using Rnmap, I keep getting an “Access is denied message.”Why? A: You must add a user using the ./rnmap-adduser command.You can receive this message only if Rnmap is running. Otherwise, you would receive a “Can’t connect to remote host” message. A common mistake is to assume that the GUI interface will remember the password.This is not the case, and you will have to re-enter the password each time you want to connect to the remote Rnmap server. Q: I want to enable KB saving sessions for Nessus, but I can’t see the KB tab. Which client has this tab? A: You must manually compile KB and session-saving support. If you installed Nessus using an RPM, these features are not enabled. www.syngress.com 138_linux_03 6/20/01 9:36 AM Page 190 Implementing an Intrusion Detection System Solutions in this chapter: ■ Understanding IDS Strategies and Types ■ Installing Tripwire to Detect File Changes ■ Updating Tripwire to Account for Legitimate Changes in the OS ■ Configuring Tripwire to Inform You Concerning Changes ■ Deploying PortSentry to Act as a Host- Based IDS ■ Configuring PortSentry to Block Users ■ Optimizing PortSentry to Sense Attack Types ■ Installing and Configuring Snort ■ Running Snort as a Network-Based IDS ■ Configuring Snort to Log to a Database ■ Identifying Snort Add-Ons ; Summary ; Solutions Fast Track ; Frequently Asked Questions Chapter 4 191 138_linux_04 6/20/01 9:38 AM Page 191 [...]... Tripwire database file.You can change this location, if you wish All you have to do is tell the Tripwire binary the location of the database In fact, storing the database on a different device than the hard drive is a good idea.The first thing a reasonably talented hacker will do after obtaining root is find and erase the database In the past, many systems administrators would place the database on a write-protected... nature of the traffic on the network s Databases The most elegant way to store information is in a database A database generally stores the information in a far more logical way, and it allows the information to be searched efficiently After the information is stored in a database, it is then possible to port this information to a Web server, which makes it possible to read IDS information from any Web browser... IDS, mainly because it is easier to install After you are able to get the IDS to load all of the signatures properly, you are on your way to establishing an effective IDS.The challenge in regards to a signature-based IDS is making sure that the rules remain current Similar to an anti-virus application, if you have old signatures, the IDS will not capture and react to the latest attacks s Anomaly-based... information can stay on the Monitor and Storage device, or it can be brought to the Analyzer/Control station.The Monitor and Storage device may have all log files ready to be served up via a Web server.The Analyzer/Control station may be nothing more than a simple Linux host using a Web browser.The administrator at the Analyzer/Control station can then use a Web browser to access the Monitor and Storage device’s... an attack For example, the IDS application can communicate with the firewall and ask it to automatically close a port or block a host.This functionality, however, is not readily available in open source firewalls.You will have to create custom scripts to do this, right now www.syngress.com 203 138 _linux_ 04 2 04 6/20/01 9:38 AM Page 2 04 Chapter 4 • Implementing an Intrusion Detection System IDS Applications... third-party analysis tools to analyze the gathered data Threshold Enforcement When a threshold is met, an IDS can do several things It can send the event to a special alert log file, send an alert to a remote system, send an e-mail, or even reconfigure a host or a firewall Not all IDS applications have this ability, however Many IDS applications can be configured to inform you about sudden increases in traffic,... hardware and software necessary to implement an IDS Don’t forget that the “wetware”—the people who implement the IDS—are an essential component to your success In fact, you and your welltrained support staff are probably the most important part of an IDS.The IDS hardware and software are really nothing more than tools Network-Based IDS Applications and Firewalls No IDS can act as a replacement for a. .. verification software is useful for guarding against Trojan horses, which are malicious applications designed to appear as legitimate applications, such as su, ls, and ps If you have been able to protect your operating system with an application such as Tripwire, all but the most subtle and sophisticated attempts to substitute a Trojan horse for a legitimate application will fail www.syngress.com 138 _linux_ 04. .. the nature of the traffic, including source and destination ports and addresses Most IDS applications require that you establish limits After a limit (threshold) has been exceeded, the IDS application will then send alerts and/or log behavior An IDS generally extends your logging capability by placing additional information into a log file or into a database An IDS often has the ability to send alert... then allows you to secure all configuration files 4 Run Tripwire in database initialization mode.Tripwire will scan your system and use message digests to create signatures for the files you specify.Whenever Tripwire creates its database, it is said to enter database initialization mode 5 You can then set Tripwire to rescan these files and compare their signatures to the signatures stored in the database.This . capability The IDS must be able to store the network packet information it obtains in a carefully organized way that allows you to store data in an organized manner. ■ A command and control device The. rule and signature, which are used interchangeably.Traditionally, the term signature refers to an actual attack that has been identified. Any time, for example, that a port scan occurs, the fact. IDS application will then send alerts and/or log behavior. An IDS generally extends your logging capability by placing additional information into a log file or into a database. Alerting An