You can never be too safe these days. Viruses, spyware, rootkits, remote exploits, you just never know what security issue is going to be your downfall. That’s why it is important as a Linux administrator to have an understanding of some of the best Linux security tools available to you. In this article, you will learn about ten of the best Linux security tools, and resources on how to use them to your advantage.
- Nmap Security Scanner
Nmap, which stands for “Network Mapper” is a free open source utility that allows you to explore and audit a network. From the website: “Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.”
For Nmap installation documents, go here.
There is a very useful tutorial here on the numerous scan types Nmap allows.
This PDF is a great print-out reference that includes all of the major Nmap options.
- Nessus Vulnerability Scanner
Nessus is a vulnerability scanner that probes your network machines against an up-to-date security vulnerability database, alerting you of security holes, with detailed analysis on how to fix each hole. From the Nessus website: “Nessus is the world’s most popular vulnerability scanner used in over 75,000 organizations world-wide. Many of the world’s largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications.”
See an example scan report here.
For Nessus installation documents, go here.
A nice technical guide to Nessus can be found here.
The Nessus knowledge base is here.
- Clam AntiVirus
ClamAV is a GPL anti virus toolkit. The main purpose of ClamAV is the integration with mail servers, but can also be used to scan files for viruses on the command line. It provides a flexible and scalable multi-threaded daemon, a command line scanner and a virus database that is kept up to date. The most popular use of ClamAV is on a mail server, tied in with a anti-spam application like Spam Assassin.
For installation help, go here.
The Clam AntiVirus wiki can be found here.
This PDF document covers all you need to know about ClamAV.
Snort is one of the greatest weapons you can have in the fight against intrusions. Snort is mainly used in three different ways: as a packet sniffer, a packet logger, or as a complete intrusion detection system (IDS). From the website: “Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.”
The official Snort users manual can be found here.
For a very complete comprehensive list of documents, go here.
Chkrootkit is a tool designed to locally check for signs of a root kit on your Linux machine. “Root kits” are basically files that can hide on your machine after a break in that allow the attacker to gain access to your computer in the future.
This PDF explains adding chkrootkit to your auditing arsenal.
Tripwire is a security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems. Basically, tripwire has the ability to alert you when files have been modified on your system.
A comprehensive guide to implementing tripwire can be found here.
This is a nice howto on setting up tripwire.
- Rootkit Hunter
Rootkit Hunter is a great tool for analyzing and monitoring the security of your systems. Like Chkrootkit, this tool also checks for rootkits that may be hiding on your machine, as well as other tools on your system that may be potentially dangerous.
A detailed guide on downloading and installing Rootkit Hunter can be found here.
From the website: “Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.” If you have a wireless network, or travel with a laptop, this security tool is a must have.
This Kismet readme covers just about all you need to know.
There is also a lot of useful information located within the Kismet forums.
Shorewall is a very powerful and flexible firewall that utilizes iptables and Netfilter. Very flexible configuration allows the firewall to be used in a wide variety of firewall/gateway/router and VPN environments.
The Shorewall Installation document can be found here.
Here is a quick start guide to using Shorewall.
Shorewall Features can be found here.
- Ethereal (Now called Wireshark)
Wireshark is a very popular network protocol anyalizer that has a varaiety of security features including a packet browser, live capture and offline analysis and more. Basically, Wireshark captures packets going across the network and displays them to you with as much detail possible. From the users guide: “You could think of a network packet analyzer as a measuring device used to examine what’s going on inside a network cable, just like a voltmeter is used by an electrician to examine what’s going on inside an electric cable (but at a higher level, of course).”
Here is the Wireshark users guide.
The Wireshark wiki is here.
Now that you’ve gotten a glimpse at ten of the best Linux security tools, it is up to you to install them and put them to use in your network environment.