Tips & Tools for Protecting Your Privacy
Second Edition, October 2006
ISBN 978-0-596-52763-1
Index
Symbols
< > (direction operator), in Snort rules, 373
* flag matching in Snort rules, 375
| character
enclosing hexadecimal values in Snort rules, 374
logical OR operator, 44
searching on multiple variables, 395
! (logical NOT) operator, 44
applied to IP address or CIDR range in Snort rules, 372
matching flags in Snort rules, 375
+ operator, TCP flag matching in Snort rules, 375
Numbers
802.1X, 240
configuring your AP, 243
A
A (address) records, 175
ac command (process accounting), 272
Accept header, logging requests without, 395
accept option, SnortSam, 381
access point (AP), configuring for 802.1X with PEAP, 243
access.conf file (pam_access module), 43
ACLs (access control lists), 5-8
grsecurity, 29, 34
setting, modifying, and removing, 7
Windows event logs, securing, 73
actions, Snort rules, 371
defining custom, 372
activate and dynamic actions, Snort rules, 371
Active Directory environment
configuration information for your CA, 218
using Group Policy to configure Automatic Updates, 63-66
active responses (OSSEC HIDS), 279
Address Resolution Protocol (see ARP)
address space layouts, randomization with grsecurity, 32
address spoofing
preventing for internal addresses with PacketFilter, 126
(see also ARP; spoofing)
administrative roles, delegating, 11
ADODB (PHP code library), 354, 364
agents, OSSEC HIDS
adding, 275-277
installing Windows agent, 277
AIDE, 422
alerts
generated by Spade, 385
generating to test OSSEC HIDS, 277
IDS sensor, tracking, 363
Snort NIDS, 352, 390
tracking, 353
American Registry for Internet Numbers (ARIN), 426
Analysis Console for Intrusion Databases, 353
analysis programs for logs, 135
anomaly-based IDS, 348, 384
anonymity
SSH connections, using Tor, 95
web browsing, using Tor and Privoxy, 91-94
AP (access point), configuring for 802.1X with PEAP, 243
Apache web server
CA certificate, installing, 213
configuring to listen on specific interface, 17
installing with SSL and suEXEC, 164-169
Apache 1.x, 165-168
Apache 2.x, 168
mod_security, 392
protecting from intrusions, 392-396
verifying signature with GnuPG, 13
append-only (file attribute), 9
preventing removal of, 10
applications, restricting with grsecurity, 33-35
ARIN (American Registry for Internet Numbers), 426
ARP (Address Resolution Protocol)
cache poisoning, 185
creating static ARP table, 186-188
detecting ARP spoofing, 184-186
SniffDet, testing, 225-227
spoof attacks
in switched network, 223
preventing with SSH session timeouts, 149
statelessness, 184
arp command, 186
finding system MAC address, 155
arpd, 402
Arpwatch, 185
detecting ARP flooding and ARP table poisoning, 223
asymmetric encryption, 81
attacks
ARP cache poisoning, 185
ARP flooding and ARP table poisoning, 223
format-string, 28
phishing, guarding against with SpoofGuard, 100-104
preventing with mod_security filtering rules, 394
SSH brute-force attacks, 188-190
stack-smashing, 26
tracking attackers with DShield, 227
auditing
enabling on Windows, 69-71
mod_security features for, 396
user activity with process accounting, 272
authenticated gateway, creating, 147-149
authentication
fine-grained, for wireless networks, 240
MySQL source, using with proftpd, 23
one-time passwords (OTPs), using, 49-52
PAM, controlling login access, 41-46
password, disabling to thwart brute-force SSH attack, 189
RADIUS server, 241
server for captive portal, 244-246
using X.509 certificates
IPsec connection on OpenBSD, 312
IPsec connection under FreeBSD, 308
authenticator, 241
allowing access to RADIUS server, 242
authpf shell (OpenBSD), 147-149
rule templates, 147
automated probes looking for vulnerable PCs, 129
Automatic Updates, configuring using Group Policy, 63-66
customizing policies for users or computers, 65
preventing manual updates by users, 65
AutoRPM (system update package), 56
Autoruns, 71
AutoShareWks Registry key, 78
Avaya Labs, LibSafe technology, 27
AWStats, 135
B
Back Orifice Trojan, 129
ports used by, 137
backdoors
checking for, 3
installed during rootkit attacks, 422
listening services that check for, 15
backing up Windows Event logs, 75-77
bandwidth usage
graphing, 291
tracking for machine with firewall rules, 296
Barnyard
compiling and installing for Sguil, 362
logging Snort alert and log events, 362
using with Snort, 389-392
configuring Barnyard, 390
configuring Snort, 390
installing Barnyard, 389
testing Barnyard, 392
BASE (Basic Analysis and Security Engine), 353-356
configuring, 354
archive database, 355
database tables, creating, 355
logging to database used with BASE, 390
PHP and required libraries, 354
bash shell
restricted, 53
setting up in chroot() environment, 20
binaries, disallowing execution of, 2
on Linux, 3
setuid, cautions with sudo utility, 12
SUID or SGID bit, 4
BIND, securing, 169-172
disabling recursion on publicly facing name server, 171
restricting zone transfers, 171
running in sandboxed environment, 169
bindip option, SnortSam, 382
bit-for-bit copy of system disks, 414
BleedingSnort.com, 387
block-policy option (PacketFilter), 124
modifying for specific rules, 126
Blowfish, 99
Boolean operators, 44
booting compromised machine from an alternate media, 414
broadband Internet connections, attack staging with, 128
browsers
Internet Explorer, listing files opened by, 67
Mozilla, testing squid proxy, 320
securing and accelerating with squid proxy over SSH, 320
toolbars monitoring web browsing, 72
brute-force attacks, 188-190
conducting with Nessus, 200
BSDs
authpf shell on OpenBSD, 147-149
firewalling with PacketFilter, 122-128
IPsec connections under FreeBSD, 306-309
IPsec connections under OpenBSD, 309-314
netstat program, listing listening ports, 16
OPIE under FreeBSD, 50
securelevels, 10
S/Key under OpenBSD, 51
starting syslogd, 251
systrace, restricting system calls with, 36
verifying packages under FreeBSD, 421
buffer overflow attacks
0x90 in, 374
avoiding by limiting range of bytes in request strings, 394
kernel-based, preventing with grsecurity, 32
stack-based, preventing, 26
BugTraq mailing list, 234
BusyBox, performing functions of system binaries, 424
C
C library calls supported by Unix, 36
cache poisoning (ARP), 185
canary, using to prevent stack-smashing attacks, 26
capabilities model (Linux), modifying, 10
captive portal, 244-249
authentication server, 244-246
gateway, installing, 246-249
CAs (Certificate Authorities), 209-212
backing up/restoring with Certificate Services, 214-221
creating your own, 210-212
signing certificates, 211
distributing your CA to clients, 213
well-known, 209
(see also certificates)
Cassandra (vulnerability tracking), 235
CERT (Computer Emergency Response Team), 234
Certificate Import Wizard, 84
certificates
Apache SSL installation, 166
Certificate Services
backing up CA, 214-218
decommissioning old CA, 221
restoring CA to different server, 219-221
restoring CA to working server, 218
creating and using with OpenVPN, 341
creating for IMAP and POP, 159
creating for Sguil, 359
creating to use with Sendmail, 161
creating your own CA, 209-212
distributing your CA to clients, 213
EAP/TLS and PEAP, 241
EFS
backing up for recovery agents, 86
backing up for users, 82
generating for Nessus, 197
IPsec connection on OpenBSD, 312
ntop tool, 294
self-signed, creating for stunnel, 325
X.509
authentication for IPsec connection, OpenBSD, 312
authentication on IPsec connection, FreeBSD, 308
certificate-signing request, 211
Certification Authority Backup Wizard, 216-218
Certification Authority Restore Wizard, 218
certpatch tool, 312
cfg_file directive (Nagios), 291
CGI interface, running Perl scripts and PHP programs through, 169
CGI scripts, enabling for user directories, 167
chains (Netfilter), 118
Check Point firewall, using with SnortSam, 382
checkpassword program, 164
check_ssh plug-in (Nagios), 285
checksums
MD5, maintained by RPM for installed files, 420
modification of system MD5 program by attackers, 415
system disk, generating for, 414
chkrootkit, 422-424
compiling and storing on removable read-only media, 422
output from infected machine, 423
running, 423
verifying system binaries for, 424
chmod command, 5
chroot() environment, 19
availability of other programs within, 20
BIND, running in, 169
configuring for rssh, 47
enhanced security using grsecurity, 31
MySQL, running in, 176
running sbk_extract, 409
services running in, 3
UID 0, risks of, 19
chroot command, 20
CIDR notation, 140
for network addresses, 351
ranges of IP addresses for Snort rules, 372
ClamAV, 229-233
configuring clamd, 231
using with Snort to detect viruses, 397-400
Classless Inter-Domain Routing (see CIDR notation)
clearing Windows Event logs, 75-77
clocks, keeping in sync on your systems, 207-209
code examples, using, xx
command line, Mac OS X, 113
commands
logging use by users, 272
OSSEC HIDS active responses, 280
running directly through web interface, 286
compiler-based solutions to stack-smashing attacks, 26
compression
LZO, use with OpenVPN, 340
SSH, built-in, 347
Computer Emergency Response Team (CERT), 234
connect time, analyzing for users on system, 272
connect.c program, 95
contactgroups.cfg file (Nagios), 288
contacts.cfg file (Nagios), 288
content option, Snort rules, 374, 379
content type for file upload, 395
cookies
preventing SQL injection, 395
use in cross-site scripting attacks, 395
copying system disks, bit-for-bit, 414
CORE FORCE firewall, 139-147
configuration wizard, 139-143
installing, 139
manual configuration, 143-147
Courier MTA, TLS support, 162
crackers, xv, 129
cross-site scripting (XSS) attacks, 394
cryptographic signature verification, automating, 13
cryptography
EFS, backing up, 80-86
encrypted tunnel, VTun, 329
encrypting email in Mac OS X, 112-115
encrypting email with Thunderbird, 107-112
encrypting IMAP and POP with SSL, 158-160
encrypting temp folder on Windows, 79
encrypting traffic with SSH, 316
encryption algorithms, 80
file encryption on Windows with TrueCrypt, 96-100
keys for protection of Tripwire files, 416
opportunistic encryption with Openswan, 314
public keys, security concerns with, 319
SFS (Self-certifying File System), 179-182
SSL encryption, 324
TLS encryption, setting up for SMTP, 161
TLS-enabled SMTP, using with Qmail, 163
Cscript.exe, 77
curses-based GUI, configuring kernel to enable grsecurity, 29
D
daemon option, SnortSam, 382
daemontools, 172
starting tinydns, 174
data size for packets (Snort, dsize option), 374
databases
Barnyard output to, 391
limited Barnyard support, 389
MySQL
creating for Sguil, 357
NIDS, tracking alerts with BASE, 353
round-robin database (RRD), 291
Snort, configuring to use, 352
Tripwire database, 416, 419
dd command, 414
Debian-based Linux
packaging system, verifying packages, 421
system upgrades, 57
debsums command, 421
debugging, logging information for, 253
default shares (Windows networks), 62
defaultkey option, SnortSam, 382
denial of service (DoS) attacks, preventing on BIND name server, 171
deny policy (PacketFilter), 126
depth and offset options, Snort rules, 374
der and pem formats (CA certificates), 213
destination entries (syslog-ng.conf), 267, 268
device nodes
in chroot() environment, 3
created from other programs in chroot() environment, 20
for daemons in sandbox environment, 22
preventing creation of with grsecurity, 31
direction to scan, specifying for ClamAV, 398
directories
dividing into read-only and read-write, 2
loose permissions, scanning for, 5
distance between domains, 104
Djbdns, 172-176
installing, 173
setting up authoritative zone, 174
dmesg utility, preventing use by nonroot users, 31
DNS (Domain Name System)
finding domain name owners, 425
HTTP proxy difficulties with, 321
minimal and secure server, setting up, 172-176
Netfilter rules for, 119
PacketFilter rules for DNS server, 127
queries, making through Tor, 96
restricting network clients to internal server, 150
setting server for OpenWRT, 239
setting up BIND as secondary server, 170
SOCKS 4 problems with, 323
testing with SniffDet, 227
TXT records, using in encrypted connections, 314
domain name, scanning remote Windows systems by, 62
domain registrants, finding, 425
domains, top-level, querying, 427
dontblock option, SnortSam, 382
DoS (denial of service) attacks, preventing on BIND name server, 171
Dovecot, 159
downloadonly plug-in (yum), 57
drop option (PacketFilter), 124
drop, sdrop, and reject rules, Snort_inline, 379
dropped packets, 134
DShield, 227
dsize option, Snort rules, 374
Dsniff, 185
dynamic and activate actions, Snort rules, 371
E
EAP (Extensible Authentication Protocol), 241
EAP/TLS, 241
Protected EAP (PEAP), 241
echo action, swatch, 265
effective UID (EUID), changing to 0 in chroot() environment, 19
EFS (Encrypting File System), backing up, 80-86
backing up encrypted data and EFS keys, 82-84
backing up recovery agent keys, 85
restoring EFS keys, 84
efsinfo utility, 85
egress filtering, 149
crafting rules, 150
preventing users from bypassing by blocking Tor, 156-157
email
encrypting IMAP and POP with SSL, 158-160
encrypting in Mac OS X, 112-115
encrypting with Thunderbird, 107-112
restricting network clients to use of internal mail server, 151
spoofed, 104
TLS-enabled SMTP, using with Qmail, 163
Windows Firewall, problems with, 136
Encapsulated Security Payload (ESP), 305
encryption algorithms
DSA, 318
RSA, 318
TrueCrypt, 98
Enigmail (Thunderbird), 107-111
downloading, 107
installing, 108
public/private key pair, 109-111
generating new key pair, 111
importing existing key pair, 110
ESP (Encapsulated Security Payload), 305
/etc/rc.conf file, starting jails automatically at boot, 22
/etc/services file, 16
Ethereal protocol analyzer, 297
device name for monitoring, obtaining, 299
remote capture device, using with, 300
Sguil, use with, 357
Ethernet addresses, translation of IP addresses to, 184
Ethernet sniffers, detecting remotely, 221-227
installing SniffDet, 224
shared mediums, 222
switched environments, 222-224
Ettercap, 185
Event IDs, machine reboots after system updates, 65
Event logs (Windows), 254
backing up and clearing, 75-77
mapping entries to syslog, 259
securing, 73
Event Viewer, 73
saving and clearing Event logs, 75
EventLog to Syslog, 254, 261
exec action, swatch, 265
execution of binaries, disallowing, 2
on Linux, 3
Exim MTA, TLS support, 162
exporting EFS keys and certificates
recovery agent, 86
user, 83
exports file (NFS), 180
Extended Log (.log) format, 135
Extensible Authentication Protocol (see EAP)
external commands, configuring for Nagios, 286
F
FAT filesystem, TrueCrypt volumes, 98
fdisk command, 414
Fedora Linux, configuring AutoRPM, 56
FEK (File Encryption Key), 81
FIFO
logging debug information to, 253
restrictions on (grsecurity), 30
file attributes, protecting logs with, 9
file command, 4
File Encryption Key (FEK), 81
file uploads, filter rule that rejects, 395
files
disabling default sharing on Windows, 78
encrypting on Windows with TrueCrypt, 96-100
open
listing with lsof, 17
listing with owning processes on Windows, 66-68
verifying integrity and finding compromised files, 415-419
filesystems
controlling access to, 32
Encrypting File System (EFS), 80-86
image mounted, 413
JFFS2, 239
memory-based, using with ClamAV, 399
NFS, security problems, 178
securing mount points, 2
SFS (Self-certifying File System), 178-182
filter entries (syslog-ng.conf), 268, 269
filtering
mod_security features for, 394
PF (PacketFilter) rules for, 126
setting policy for Netfilter, 118
find command
files ending in .rej, locating, 29
scanning directories for loose permissions, 5
scanning for SUID and SGID binaries, 4
firewall rules, nmap and, 15
firewalling the SSH daemon, 189
firewalls
collecting statistics with ruleset, 295-297
configuring to allow IKE connections on FreeBSD, 307
contributing logs to DShield, 227
CORE FORCE, 139-147
egress filtering, 149
preventing users bypassing by blocking Tor access, 156-157
HTTP tunneling and, 327
Netfilter, 117-122
extending with IP Personality, 190-194
integrated with Snort, 377
MAC filtering, 154-155
PacketFilter (PF), 122-128
creating authenticated gateway, 147-149
testing, 151-154
using SnortSam with, 380-384
Windows Firewall, 128
problems with email, 136
flags option, Snort rules, 374
format-string attacks, 28
FORWARD chain, 118
forwarding traffic with SSH, 316
FPort tool (for Windows), 68
FQDN (fully qualified domain name), 312
fragment reassembly (PacketFilter), 124, 125
FreeBSD
enabling ACLs, 6
(see also BSDs)
FreeBSD Handbook, 122
FreeRADIUS, 241
fsread and fswrite aliases (systrace), 38
FTester (firewall tester), 151
ftp daemon (proftpd), using with MySQL authentication source, 23
FTP, problems with Windows firewall, 130
Full-Disclosure mailing list, 234
fully qualified domain name (FQDN), 312
G
gateways
creating authenticated gateway, 147-149
default gateway for OpenWRT, 239
installing for WiFiDog captive portal, 246-249
SPD file for clients, IPsec connection on FreeBSD, 307
GCC compilers
-fomit-frame-pointer flag, LibSafe and, 28
preventing stack-smashing attacks, 26-28
trampoline functions, PaX and, 33
GeekTools Whois Proxy, 427
getfacl command, 8
gmake, 417
GMP (GNU Multiple Precision math library), 179
GNU make, 417
GnuPG
querying key servers for key ID and downloading result, 14
verifying signature of software, 13
for Windows, 107
GPG, 112
creating public/private key pair, 113
installing, 113
gpg executable, 109
GPGMail, 114
gradm utility, 29
restricting specific applications, 33
graphical analysis console (Sguil), 357
graphics rendering packages (PHP), 354
graphing network trends, 291-293
Group Policy
configuring Automatic Updates, 63-66
customized policies for different users or computers, 65
preventing manual updates by users, 65
specifying additional recovery agents, 82
groups
privileged, GIDs for, 166
resource limits, enforcing, 54
specifying for scripts executed within virtual host, 168
specifying for use of sudo, 12
group-writable permissions for directories, 5
grsecurity, 28-33
configuring kernel options, 30
High security, 32
Low security, 30
Medium security, 31
PaX code, enabling nonexecutable memory pages, 32
restricting applications with, 33-35
GTK-based GUI for grsecurity, 29
guest user, limiting resources for, 55
H
hackers, xv
Handle tool (for Windows), 67
hashing algorithms
PwdHash, 105
TrueCrypt encryption keys, 98
hexadecimal values
searching packets for with Snort, 374
URL encoding with, 394
HFNetChk tool (for Windows), 59-63
checking update status of local system, 60
scanning remote machines, 61
storing scan results, 62
hidden volumes, 97
honeyd, 400-406
changing host MAC addresses for, 405
configuring, 401
running, 403
running Nmap on IP addresses handled by, 404
services emulated by, attempts to access, 406
honeypots, 348, 400
recording activity on, 407-412
$HOST macro (syslog-ng), 271
hostgroups.cfg file (Nagios), 288
hosts, ntop statistics for, 295
hosts.cfg file (Nagios), 286
HTML, use in cross-site scripting attacks, 394
HTTP
monitoring service with Nagios, 290
squid proxy over SSH, running, 320
tunnel connections inside, 327
HTTP headers
HTTP_ACCEPT header, logging requests without, 395
HTTP_USER_AGENT and HTTP_HOST, requiring in requests, 395
HTTP proxy, 93
configuring web browser to use Privoxy, 94
httpd.conf file, limiting range of bytes in request strings, 394
httptunnel
downloading and compiling, 327
web site, 327
I
IBM's ProPolice patches for GCC, 26
ICMP (Internet Control Message Protocol)
disabling redirects on Linux, 303
types and codes, 153
id command, 167
identd daemon
running under grsecurity, 32
systrace policy for, 40
IDN spoofing, 100
IDS (see intrusion detection; NIDS)
ifconfig command
changing MAC address of Ethernet card used for sniffing, 223
finding MAC address of an interface, 155
grsecurity ACLs and, 34
replaced by rootkit, 424
IKE (Internet Key Exchange) negotiations
FreeBSD, controlling with racoon, 306
Linux, controlling with pluto, 302
images (web page), checking with SpoofGuard, 104
IMAP
encrypting with SSL, 158-160
Netfilter rules for, 119
IMAP+SSL access, Netfilter rules for, 119
incident recovery and response, 413-427
finding compromised packages, 420-422
finding the owner of a network, 425-427
image mounted filesystems, 413
rootkits, scanning for, 422-424
verifying file integrity and finding compromised files, 415-419
inetd
inetd.conf entry for SWAT, 326
systrace policy, generating for, 39
initial sequence number (ISN), 127
INPUT chain, 118
instant messaging programs, problems with Windows Firewall, 130
interfaces
collecting statistics on with PacketFilter, 124
finding MAC address, 155
promiscuous mode, 222
Internet
building trustworthy networks on, 301
domain name, finding owner of, 425
Internet Explorer
listing files opened by, 67
SpoofGuard extension, 101-104
Internet Information Services (IIS), corrupted metabase, 218
Internet Key Exchange (see IKE negotiations)
intrusion attempts, tracking with Windows Firewall, 134
intrusion detection, 348-412
detecting and preventing web application intrusions, 392-396
detecting anomalous behavior, 384
distributed stealth sensor network, 388
firewall attackers with SnortSam, 380-384
IDS, types of, 348
network intrusion detection systems (NIDS), 348
recording honeypot activity, 407-412
scanning network traffic for viruses, 397-400
sensor network, managing, 363-370
simulating network of vulnerable hosts, 400-406
Snort NIDS, 349-353
automatic rule updates, 385-388
monitoring with Sguil, 356-363
tracking alerts, 353
writing your own rules, 370-376
Snort_inline, preventing and containing intrusions, 377-380
web application intrusions, 392
inventorying your network, 194
IP addresses
blocking after failed login attempts, 190
delegated by block owners to other parties, 426
direction, specifying for Snort rules, 373
for honeyd responses, 401
nonroutable RFC 1918 address, handling with PacketFilter, 126
owners of large blocks of, 425
pairing with MAC addresses, monitoring, 185
querying number registry for address blocks, 425
remote system, resolving to MAC address, 155
scanning ranges of with nmap, 195
Snort variables for, 351
SnortSam, specifying for, 381
source and destination, in Snort rules, 372
specifying for Sebek server, 410
spoofing of, preventing with egress filtering, 151
tables of, PacketFilter, 123
translation to hardware Ethernet addresses, 184
IP forwarding, disabling on Linux, 303
IP IDs, randomizing for protection, 125
IP Personality, 190-194
IP protocols, blocking on Windows, 138
IP queue support, Linux kernel, 377
ipkg update command, 239
IPsec connections
configuring under FreeBSD, 306-309
configuring under Linux, 301-306
configuring under OpenBSD, 309-314
opportunistic encryption with Openswan, 314
ipsec.conf file, 304
iptables command, 118
allowing a particular MAC address, 154
bandwidth used by particular machine, tracking, 296
configuring kernel to send packets to IP queues, 380
extending with IP Personality, 190
Netfilter rules, constructing, 119
-P (policy) switch, 118
patching for IP Personality, 191
SnortSam, using with, 383
stateful inspection by Netfilter, 120
isakmpd (IPsec key-management daemon), 309
certificate authentication, 312-314
password authentication, 310-312
ISN (initial sequence number), 127
J
jail(), 19, 21
jail command, 22
JavaScript, use in cross-site scripting attacks, 394
JFFS2 filesystem, 239
K
kernel
FreeBSD, customizing, 122
FreeBSD, enabling IPsec, 306
IP queue support, 377
locking down with grsecurity, 28-33
KerneL IP Security (KLIPS), 302
kernel-module-based rootkits, chkrootkit tests for, 422
key pairs (see public/private key pair)
key servers, 14
keyloggers, lack of protection from using Windows Firewall, 139
keyring, specifying for key IDs, 14
keystrokes, monitoring in real time, 409
KLIPS (KerneL IP Security), 302
Knoppix boot CD, 414
ksh shell, restricted, 53
L
lan_dns NVRAM variable, 239
lastcomm command (process accounting), 272
lastlog files (altered), detection by chkrootkit, 422
lcap utility, 10
ldd command, 20
libdnet, 401
libevent, 92, 401
libgcc package, 247
libipq library (Netfilter), 377
libnet packet injection library, 224, 350, 378
libpcap, 401
Snort and, 349
libraries
C library calls supported by Unix, 36
GMP (GNU Multiple Precision math library), 179
prerequisite for honeyd, 401
LibSafe
preventing stack-based buffer overflows, 27
protection against format-string attacks, 28
web site, 26
limit thresholds (Snort rules), 376
limits.conf file (pam_limits module), 54
Linksys, WRT54G line of wireless routers, 237
Linux
binary formats used by, 4
bypassing noexec option for filesystem mount, 3
capabilities model, modifying, 10
enabling ACLs, 6
/etc/pam.d contents on RedHat Linux system, 44
firewalling with Netfilter, 117-122
grsecurity kernel patch, 28
IPsec connections, configuring, 301-306
kernel support for IP queue, 377
LibSafe technology, 27
listening ports and their owning processes, listing, 15
Sebek honeypot monitoring module, 407
starting syslogd, 251
system update package (AutoRPM), 56
tunneling with VTun and SSH, 329
list open files (lsof) utility, 17
listening services, checking for, 15-17
listing ports and owning processes with sockstat, 17
lsof utility, 17
netstat program, 15
netstat program, using on BSD, 16
loadable kernel modules (LKMs), use by rootkit, 424
log entries (syslog-ng.conf), 268, 269
log files, protecting from tampering, 9
log levels for syslog facilities, 269
logging, 250-281
aggregating logs from remote sites, 266-271
Barnyard, used with Snort, 390
centrally monitoring security of servers, 273-281
changing maximum log file size (on Windows), 73
contributing firewall logs to DShield, 227
disabling on Privoxy, 93
filesystem mounting with grsecurity, 32
firewall-testing script, 153
managing Event logs on Windows, 75-77
monitoring logs automatically with swatch, 263-266
named (BIND), 170
parsing logs for failed login attempts, 190
securing Windows event logs, 73
Snort NIDS, 352, 362, 390
SnortSam, 382
SPADE IDS, 385
summarizing logs automatically, 262
synchronizing server clocks for easier log analysis, 207-209
syslog
filtering information into separate files, 252
integrating Windows into, 254-261
running central server, 251
syslogd, 254
tinydns program, 173
Tripwire, 417
user activity with process accounting, 272
Windows Firewall, 134-136
login access, controlling with PAM, 41-46
login keys for SSH, 318, 346
logon event auditing (Windows), 70
logwatch tool, 262
loopback interface
keeping unfiltered (PacketFilter), 126
removing filtering, 119
ls -l command, 3
lsof (list open files) utility, 17
LZO compression, 340
M
MAC (Media Access Control) addresses, 184
changing for hosts when running honeyd, 405
filtering with Netfilter, 154-155
pairing with IP addresses, monitoring, 185
specifying for Sebek server, 410
switched Ethernet networks, 222-224
Mac OS X
encrypting email, 112-115
creating GPG key pair, 113
installing GPG, 113
installing GPGMail, 114
sending/receiving encrypted email, 115
file command, running on a binary, 4
HTTP proxies, built-in support for, 321
SOCKS 5 proxies, support for, 324
TUN/TAP driver, 340
macros (pf.conf file), 122
mail action, swatch, 265
Mail Options (Tripwire), 417
mail server, Netfilter rules for, 119
mail transfer agents (MTAs)
setting up to use TLS, 161
support for TLS, 162
Mail.app, 112
PGP Preferences window, 114
MailDir mailboxes, 159
mailing lists for tracking network vulnerabilities, 234
make, 417
manage_agents program, 277
man-in-the-middle attacks
ARP spoofing, 184
tools for performing, 185
manpages, Tripwire, 417
mark functionality of syslog, 254
masks, ACL, 6
math library, GMP, 179
maximum log size
changing Windows behavior upon reaching, 75
increasing on Windows, 73
mbox mailboxes, 159, 160
MD5 checksums
maintained by RPM for installed files, 420
modification of system program by attackers, 415
system binary, compromise of, 413
Media Access Control (see MAC addresses)
memory
address space protections, grsecurity, 28
filesystem (memory-based), using with ClamAV, 399
nonexecutable pages, 32
tuning use by PacketFilter, 124
virtual memory management (VMM), 87
Microsoft Baseline Security Analyzer, 59-63
Microsoft Exchange server, 136
Microsoft Knowledge Base articles, 60
Microsoft Network Security Hotfix Checker, 63
Microsoft Windows (see Windows)
mknod or mount program in chroot environment, 20
mod_perl and mod_php, incompatibility with suEXEC, 169
mod_security (Apache), 392-396
auditing features, 396
creating filters, 394
filtering features, 394
POST method requests, scanning, 394
request normalization features, 393
URL encoding validation, 394
mod_sql, 24
mod_ssl, 165
modules (Perl), for use with Ftester, 152
monitor port, 185
mounting filesystems
in chroot() environment, 20
logging of with grsecurity, 32
securing mount points, 2
Mozilla Foundation, Thunderbird, 107-112
Mozilla, testing squid proxy in, 320
msg option, Snort rules, 373
MX record, 175
MySQL
authentication source, using with proftpd, 23
Barnyard, using with, 389
configuring BASE to connect to database, 354
creating database for Sguil, 357
listening on TCP socket, disabling, 18
securing, 176-178
chroot()-ed environment, 176
disabling data loading from local files, 178
separate my.conf files for utilities and server, 178
Snort NIDS, using with, 352
SnortCenter database, 364
mysqltcl package, 358
N
Nagios, 283-291
adding hosts to monitor, 286
configuration files, 284, 285
including in main nagios.conf, 291
nagios.cfg, 286
contacts and contact groups, creating, 288
host groups, creating, 288
installing, 283
plug-ins, downloading and installing, 284
services to monitor, configuring, 289
time periods, defining, 290
name server, attacker scans for vulnerable versions of BIND, 171
named (BIND), 169
named policy (systrace), 37
nas package, 240, 243
NAT (network address translation)
provided by Internet gateway, 330
randomizing IP IDs to prevent counting of machines on network, 125
National Vulnerability Database, 235
Nessus security scanner, 197-206
brute-force logins to services, 200
clients, 198
generating certificate for, 197
hosts, scanning, 202
logging into services being tested, 200
options for port scans, 201
reports on scans, 203
versions 2.x, 197
versions 3.x, 203
automatic updates of plug-ins, 204
configuring general settings, 204-206
reports on scans, 206
vulnerability types, selecting, 198
net share command, 78
NetBIOS name, specifying for remote system, 61
Netcat, 400
Netfilter, 117-122
chains, 118
extending with IP Personality, 190-194
integrated with Snort, 377
iptables command, 118
libipq library, 377
MAC filtering, 154-155
restricting network clients to use of internal DNS server, 150
restricting network clients to use of internal email server, 151
rule examples, 119
rule order, 120
saving all rules, 121
setting filtering policy, 118
stateful packet-inspection engine, 120
web site for downloads, 191
NetPacket Perl module, 152
Net::PcapUtils Perl module, 152
Net::RawIP Perl module, 152
Net::SSLeay Perl module, 368
netstat program, 15
BSD version, 16
network address translation (see NAT)
network intrusion detection systems (see intrusion detection; NIDS)
network monitoring, 282-300
collecting statistics with firewall rules, 295-297
contact groups for hosts, 288
contacts for notification messages, 288
graphing trends, 291-293
hosts, 286
real-time statistics with ntop, 293-295
remote monitoring with rpcapd, 297-300
services, 289
services and resources, using Nagios, 283-291
time periods for notification messages, 290
network owner, finding, 425-427
network security checker for Windows, 63
network segment, scanning under Windows, 62
Network Time Protocol (see NTP)
NFS (Network File System)
exports file, creating for SFS, 180
security problems, 178
NIDS (network intrusion detection system), 348
anomaly-based, 384
detecting and preventing web application intrusions, 392-396
scanning for viruses with Snort and ClamAv, 397-400
Snort, 349-353
automatic rule updates, 385-388
firewalling attackers with SnortSam, 380-384
increasing performance with Barnyard, 389-392
managing sensor network, 363-370
monitoring with Sguil, 356-363
preventing and containing intrusions with Snort_inline, 377-380
tracking alerts, 353-356
writing your own rules, 370-376
types of, 348
Nmap
fooling by emulating another operating system, 193
inventorying your network, 194-196
XML output, 196
running before setting up IP Personality, 193
running on IP addresses handled by honeyd, 404
Nmap::Parser Perl module, 196
nobody account (Apache), 166
nodev, noexec, and nosuid flags (mount), 2
nonroutable RFC 1918 IP addresses, 123
NOPASSWD: flag (sudo), 12
notification feature (email), problems with Windows Firewall, 136
notification_period directives (Nagios), 290
NS records, 174
NTFS filesystem, TrueCrypt volumes, 98
ntop tool, 293-295
creating user and group, 294
host's statistics, displaying, 295
self-signed certificate, 294
NTP (Network Time Protocol), 207-209
correcting clock frequency drift for a machine, 208
list of publicly accessible time servers, 207
resolving to multiple time servers, 208
NTsyslog, 254
configuration program, using, 258
downloading and installing, 254
user account, setting up, 255-258
Windows 2003 and, 261
number registries for IP address blocks, 425
NVRAM variables
configuring AP for OpenWRT, 243
configuring OpenWRT router, information on, 240
lan_dns, 239
lan_gateway, 239
O
offset and depth options, Snort rules, 374
Oinkmaster, automatically updating Snort rules, 385-388
one-time passwords (see OTPs)
onion routing, 92
Open Source Vulnerability Database (OSVDB), 234
OpenPGP standard, 107
OpenSSL, 92, 209, 339
installing for Apache, 166
use of libraries by OpenVPN, 339
Openswan, 301-306
configuring, 304
opportunistic encryption with, 302, 314
resources for further information, 305
OpenVPN, 339
compiling and installing, 340
LZO compression, using, 340
tunneling with host system virtual TUN or TAP device, 339
web site, 339
OpenWall patch, 28
OpenWRT, 237
DNS server, setting, 239
downloading WRT54G firmware image, 237
NVRAM variables, configuring, 243
updating packages available for installation, 239
WiFiDog gateway package, 246
WPA-PSK or 802.1X, 240
operating system detection
fooling remote OS detection software, 190-194
Nmap, using for, 195
operating systems
emulation by honeyd, 401
MAC addresses with group bit set, 225
OPIE (One-time Passwords in Everything), 50
opportunistic encryption with Openswan, 302, 314
options entry (syslog-ng.conf), 267
origins (access.conf file), 44
OS fingerprinting, 128
OSSEC HIDS, 274-281
active responses, 279
adding agents, 275-277
configuration, 278
installation, 274
installing Windows agent, 277
OSVDB (Open Source Vulnerability Database), 234
OTPs (one-time passwords), 49-52
OPIE under FreeBSD, 50
S/Key under OpenBSD, 51
outbound network traffic, filtering, 149
OUTPUT chain, 118
owner of a network, finding, 425-427
P
p0f (OS fingerprinting tool), 128
packages (compromised), finding, 420-422
packet content, inspecting with Snort rules, 374
packet sniffers
examining SSH connection tunneled through HTTP, 328
rpcapd remote capture device, using with, 297
WinDump, 298
PacketFilter (see PF)
paging file (Windows), clearing at shutdown, 87
Palm OS devices, OTP generator, 51
PAM (pluggable authentication modules), 41-46
pam_access module, 42
limiting access by origin, 42
pam_limits module, 54
pam_stack module, 42
pam_time module, 42
restricting access by time, 44-46
partitions (disk), imaging, 414
passwd program, SUID or SGID bit, 3
passwords
brute-force SSH attacks, 188-190
checking with SpoofGuard, 104
checkpassword program, 164
command execution without password, 12
generating with PwdHash, 105
IPsec connection on OpenBSD, 310-312
nonexpiring, checking on Windows, 88
one-time (OTPs), using for authentication, 49-52
patch notifications, 234
patch utility, applying grsecurity patch to kernel, 29
patching system security holes, automating, 55-57
PaX (grsecurity), 32
paxctl utility, 32
Pcap-formatted files, creating with Barnyard, 391
PCRE, 349, 401
PEAP (Protected EAP), 241
PEAR::Image_Graph PHP module, 354
pem and der formats (CA certificates), 213
Perl
FTester scripts, 151
modules necessary for swatch tool, 264
Nmap::Parser module, 196
Oinkmaster script for automatic Snort rule updates, 385-388
scripts, running through CGI interface, 169
sensor agents for SnortCenter, 368
permissions
access.conf file entry, 43
creating flexible hierarchies with POSIX ACLs, 5-8
Personal Information Exchange (.pfx) file, 83
importing EFS certificate and private key, 84
PF (PacketFilter), 122-128
authenticated gateway, creating, 147-149
blocking access to Tor directory servers, 156
collecting statistics with ruleset, 296
configuring, 122
filtering rules, 126
global options, 123
macros, 122
tables of IP addresses, 123
traffic normalization rules, 125
enabling and loading configuration, 128
limiting connections to sshd, 189
rate limit for stateful rule, 190
using SnortSam, 383
Windows port (see CORE FORCE firewall)
pf.conf file, 148
pfctl command, 122
PGP Preferences window in Mail.app, 114
phishing attacks
guarding against with SpoofGuard, 100-104
mitigating results with PwdHash, 105
PHP, 244
libraries for SnortCenter, 364
programs, running through CGI interface, 169
using with BASE, 354
PIDs (process IDs)
listing for listening services, 15
named (BIND), 170
stunnel PID file, 326
PilOTP, 51
ping program
finding system MAC address, 155
monitoring statistics from web server, 290
pipe action, swatch, 265
PIX firewall, using with SnortSam, 383
PKI (public-key infrastructure), 219
use by EAP/TLS, 241
pluggable authentication modules (see PAM)
pluto, 302
poisoning the ARP cache, 185
policies, systrace, 36
automated generation of, 39
policy (Tripwire), 416, 418
POP, encrypting with SSL, 158-160
POP3
encrypting and forwarding traffic with SSH, 316
Netfilter rules for, 119
port forwarding
honeyd, using with, 406
httptunnel, using, 328
SSH, using as SOCKS proxy, 322
SSH, using for, 316
stunnel, using, 325
port security (Ethernet switches), 224
ports
changing for SSH daemon, 189
closing down manually, 137
commonly used numbers, checking with SpoofGuard, 104
monitor port, 185
open, listing on Windows, 68
scanning for listening services, 15-17
SnortSam port option, 382
specifying for packets in Snort rules, 372
specifying for scanning by ClamAV, 398
specifying for Sebek server, 410
TCP port 80, 119
tracking attackers with DShield, 227
well-known, complete list, 137
portscan and stream4 preprocessors, Snort, 361
POST method requests, scanning by mod_security, 394
Postfix, TLS support, 162
PostgreSQL, 244
Barnyard support of, 389
preprocessors, Snort
clamav, 398
portscan and stream4, 361
pre-shared key (PSK) varieties, WPA, 236
priorities (logging), 252
configuring for syslog-ng, 269
privacy
ensuring in remote accesses to shell accounts, 95
protecting on the Internet, 91-94
Privoxy, 93
configuring for Tor, 93
probes for vulnerable PCs, 129
/proc restrictions with grsecurity, 32
process accounting
lastcomm command, 272
summarizing with sa command, 273
processes
increasing security with grsecurity, 28
listing for listening services, 15
listing for open files on Windows, 66-68
listing for running services on Windows, 68
proftpd, using with MySQL authentication source, 23
promiscuous mode (network interfaces), 222
detecting to prevent intrusion, 224
detection with chkrootkit, 422
monitoring with rpcapd, 297
SniffDet ARP test, 225
propagation of viruses, blocking with Snort and ClamAV, 398
Protected EAP (PEAP), 241
protocol analyzers, 293
graphical, 297
(see also Ethereal)
protocols
blocking, 137
for Snort rule application, 370, 372
stateless, 184
proxies
httptunnel connections through web proxy, 328
SSH connections, 95
SSH, using as SOCKS proxy, 322
using with honeyd, 406
whois proxy, geektools.com, 427
ProxyCommand option (SSH), 95
pseudo-TTY interfaces, PPP daemons operating over, 345
psk.txt file (racoon), 307
PTR records, 175
public-key cryptography, 81
OpenPGP standard, 107
Temp folder on Windows, 80
public-key infrastructure (PKI), 219
use by EAP/TLS, 241
public/private key pair
CA (Certificate Authority), 211
creating for GPG, 113
creating for Sendmail, 161
EAP/TLS and PEAP, 241
EFS, 81
backing up for each user, 82
backing up recovery agent keys, 85
exporting private key for storage, 83
reinstalling, 84
restoring, 84
generating for use with SSH server, 318
Nessus, 198
providing for Enigmail, 109-111
security concerns with public keys, 319
SFS server, 180, 181
SSL, creating for Sguil, 359
used for authentication, 189
PwdHash, 105
Remote PwdHash, 106
Python, 401
Q
Qmail
TLS support, 162
TLS-enabled SMTP, using, 163
QT-based GUI for grsecurity, 29
R
race conditions in /tmp
preventing exploitation of, 30
prevention with grsecurity, 28
racoon program, 306-309
client configuration, 307
configuring on the client, 306
gateway configuration, 307
starting at boot, 307
using x.509 certificates for authentication, 308
RADIUS server
IP address, substituting for NVRAM variable, 243
setting up FreeRADIUS, 241
use by 802.1X networks, 241
ranges of IP addresses, scanning with nmap, 195
raw I/O, removing ability for, 10
rc.conf file, starting jails automatically at boot, 22
Readline, 401
records, DNS, 174-176
recovery agents (EFS on Windows), 81
backing up keys, 85
restoring EFS keys, 84
recovery (see incident recovery and response)
Red Hat Linux, AutoRPM, 56
referrer field, checking with SpoofGuard, 104
Registry
disabling default shares, 78
Memory Management key, editing, 88
regular expressions for swatch tool, 265
reject rule, Snort_inline, 379
Remote Access Dial-In User Service (see RADIUS server)
remote machines (Windows), scanning for system updates, 61
remote procedure calls (RPCs), email notifications sent by, 136
Remote PwdHash, 106
replace rule option, Snort_inline, 379
request normalization features, mod_security, 393
resolving hostnames to IP addresses with DNS queries through Tor, 96
resource limits, enforcing, 54
response (see incident recovery and response)
responses, active (OSSEC HIDS), 279
return option (PacketFilter), 124
roaming user profiles, backing up EFS certificates and key pairs, 82
Roo Honeywall CD-ROM distribution, 412
root access, selectively granting, 11
root CA, 214
root privileges
administrative role delegation and, 11
effective UID (EUID) of 0, 19
Linux, modifying capabilities for, 10
services not needing, 21
root user, running nmap as, 195
root-exploitable programs, checking for, 3
rootkits, 415
scanning for, 422-424
code inserted into kernel, 424
round-robin database (see RRDtool)
rpcapd, remote monitoring with, 297-300
RPCs (remote procedure calls), email notifications sent by, 136
RPM
AutoRPM for system updates, 56
finding compromised packages, 420
RRDtool, 291-293
hourly graphs of data, 292
multiple servers on a single graph, 293
RSS feeds, tracking network vulnerabilities, 234
rssh, 46-49
configuring to use chroot( ), 47
supported services, 49
rules
CORE FORCE, 144
egress filtering, 150
Netfilter
examples, 119
ordering, 120
saving all, 121
PacketFilter
DNS server, 127
filtering rules, 126
scrub rules, 125
traffic normalization, 125
Snort, 351, 352
RULE_PATH variable, 352
updating automatically, 385-388
writing your own, 370-376
ruletype keyword, 372
S
sa command (process accounting), 273
Samba, SWAT configuration tool, 326
sandboxed environments
BIND, running in, 169
restricting services with, 19-23
jail( ), FreeBSD, 21
security enhancement with grsecurity, 31
setting up for rssh, 48
SANS Institute, DShield project, 227
SCP, 46-49
copying binaries and their libraries, 48
enabling in rssh.conf, 47
script kiddies, 129
scrub rules (PacketFilter), 125
searching packets, Snort rule options, 374
Sebek (honeypot monitoring package), 407-412
installing Linux client, 407
installing Windows client, 409
setting up the server, 409
SecFilter keyword, 394
SecFilterSelective keyword, 394
secret-key encryption, 81
sector offsets for a partition, 414
Secunia, RSS feed on vulnerabilities, 234
securelevels (BSD systems), 10
security advisories, 234
security holes (system), automating patching of, 55-57
security policy
auditing on Windows, 69
setting up for IPsec connections on FreeBSD, 307
Security Policy Database (see SPD)
security scanner (Nessus), 197-206
SecurityFocus, 234
self-signed certificates, 209-212
ntop, 294
Sendmail
scanning mail for viruses with ClamAV, 233
setting up to use TLS, 161
sensor_id (BASE), 391
sensors, IDS
distributed stealth sensor network, 388
managing sensor network with SnortCenter, 363-370
setting up for Sguil, 361
Sguil sensor_agent.tcl script, 362
server clocks, keeping synchronized, 207-209
services
common port numbers, 16
emulated by honeyd, 401, 406
encrypting IMAP and POP with SSL, 158-160
internal, restricting network users to, 150
most commonly attacked, tracking with DShield, 227
preventing from binding to an interface, 17
restricting with sandboxed environments, 19-23
jail( ), FreeBSD, 21
running, listing on Windows, 68
scanning for vulnerabilities with Nessus, 197-206
services.cfg file (Nagios), 289
session cookies, attacks using, 395
session-timeout values, PacketFilter, 124
seteuid( ), 21
setfacl command, 7
setkey utility, 307
setuid( ), 21
SFS (Self-certifying File System), 179-182
building and installing, 179
code, most recent version, 179
key pair, creating and registering with sfskey command, 181
setting up server, 180
user and group for SFS daemons, 179
sfscd (SFS client daemon), 180
SFTP, 46-49
copying binaries and their libraries, 48
enabling in rssh.conf, 47
rssh connection, testing, 49
Sguil, 356-363
client and server, testing, 359
compiling and installing Barnyard, 362
components of, 357
configuring sguild, 358
creating a MySQL database, 357
database tables, creating, 357
log_packets.sh script, setting up, 362
sensor agent script, setting up, 362
sensors, setting up, 361
setting up server, required Tcl packages, 358
SSL, encrypting traffic between GUI and server, 358
shared-medium Ethernet networks, sniffers and, 222
shares (default), disabling on Windows, 78
shell scripts
mysqld_safe, 177
resolving IP address to MAC address, 155
SUID or SGID bits on, 4
shells
authpf (OpenBSD), 147-149
exploit with shell code against SSH daemon, 371
ensuring privacy in remote access to accounts, 95
restricted, 52-54
running inside a jail, 22
signatures
signature-based IDS, 348
thresholding Snort rules by ID, 375
Simple WATCHer (see swatch)
single-use passwords (see OTPs)
S/Key, 51
skipinterval option, SnortSam, 382
SMTP (TLS-enabled)
setting up, 161
using with Qmail, 163
SniffDet, 224
testing DNS, 227
testing with ARP queries, 225-227
sniffers
Ethernet sniffers, detecting remotely, 221-227
installing SniffDet, 224
shared mediums, 222
switched environments, 222-224
SNMP interface statistics, 292
snmpget utility, 291
Snort NIDS, 349-353
Barnyard, using to increase performance, 389-392
configuring Snort, 390
configuring, 351
database, 352
database support, enabling output plug-in, 352
preprocessors, 352
rule signatures, 352
downloading and installing, 349
firewalling with SnortSam, 380, 382, 383
configuring SnortSam, 381-384
installing SnortSam, 380
flexible response, 350
managing sensor network, 363-370
monitoring in real time with Sguil, 356-363
preventing and containing intrusions with Snort_inline, 377-380
new rules, 379
sending alerts to a database, 350
testing in sniffer mode, 350
tracking alerts, 353-356
updating rules automatically, 385-388
using with ClamAV to detect viruses, 397-400
writing your own rules, 370-376
actions, 371
inspecting packet content, 374
IP addresses of packets, 372
matching TCP flags, 374
messages, human-readable, 373
options, 373
ports, 372
Snort rule documentation, 376
specifying protocols, 372
suppression, 376
thresholding, 375
SnortCenter, 363-370
admin account information, editing, 366
MySQL database, 365
sensor agent, adding to main management console, 369
sensor agents, setting up, 368
setting up, 364
setting up console, 364
SOA records, 174
sockets (open), listing with lsof utility, 17
sockstat command, 16
software authenticity, checking, 13
Software Update Services (SUS), 64
Solaris
Sebek honeypot monitoring module, 407
starting syslogd, 252
TUN/TAP driver, 340
source entries (syslog-ng.conf), 267, 268
Sourcefire VRT Certified Rules, 387
SourceForge patches page for IP Personality project, 190
SPADE IDS, 384
alerts, 385
SPD (Security Policy Database)
FreeBSD, IPsec connections, 307
gateway.spd files for clients, 307
SpoofGuard, 101-104
how it works, 103
installing, 102
spoofing
ARP spoof attacks
combating with static ARP table, 186-188
detecting, 184-186
preventing with SSH session timeouts, 149
IDN spoofing, 100
preventing IP spoofing with egress filtering, 151
preventing with PacketFilter, 126
spyware, detecting and removing on Windows, 71
SQL database for MySQL authentication, 24
SQL-injection attacks, 395
SSH
authpf shell and, 149
brute-force attacks, protecting against, 188-190
firewalling SSH daemon, 189
check_ssh plug-in, Nagios, 285
-D switch, 322
exploit launched against daemon, monitoring, 371
forwarding and encrypting traffic, 316
keys, automating client logins, 318, 319
login keys, generating for, 346
PPP, using with to create secure VPN tunnel, 345
SOCKS proxy, using as, 322
tunneling connection over HTTP with httptunnel, 328
tunneling through Tor, 95
VTun, using over, 333
SSL
certificates
creating your own CA, 209-212
encrypting IMAP and POP, 158-160
installing Apache with, 164-169
Apache 1.x, 165-168
Apache 2.x, 168
OpenVPN, use by, 339
Sguil, using with, 358, 359
stacks
buffer overflows based on, 26
prevention with grsecurity, 28
PAM modules for, 42
startup
enumerating automatically executed programs on Windows, 71
running commands out of system rc files, 12
startx command, -nolisten tcp option, 19
stateful packet inspection (Netfilter), 120
stateless protocol, 184
states, setting number for PF, 124
statistical monitor IDS, 348
Statistical Packet Anomaly Detection Engine (SPADE), 384
statistics (network), collecting with firewall rules, 295
stealth mode, running IDS sensors in, 388
sticky bit set on directories, scanning for, 5
stratum (NTP server), 207
stream4 preprocessor, enabling for Snort, 361
strings, searching packets for with Snort, 374
stunnel, 159, 324
configuration file, stunnel.conf, 325
forwarding local port to remote port, 325
su utility, 12
subnets, specifying for Snort, 351
successful connections, 134
sudo utility, 11
suEXEC (Apache), 165
enabling and configuring, 166
enabling in Apache 2.x, 168
incompatibility with mod_perl and mod_php, 169
SUID binaries
LibSafe and, 28
setting up rssh to use chroot( ), 47
SUID bit, disabling, 2
SUID files, monitoring on your system, 419
SUID wrapper program, used by Apache, 166
supplicant, 241
suppression (Snort rules), 376
SUS (Software Update Services), 64
swapping, 87
SWAT (Samba's web-based configuration tool), 326
swatch (log file monitor), 263-266
configuring, 264
actions taken for regular expression matches, 265
regular expressions to match log messages, 265
installing, 264
switched Ethernet networks, sniffing in, 222-224
symlink restrictions (grsecurity), 30
symmetric encryption, 81
SYN packets, rate-limiting, 190
sysctl.conf file, Netfilter configuration, 121
Sysinternals
Autoruns program, 71
Handle tool, 67
syslog
aggregating logs from remote sites, 266
Barnyard output to, 391
filtering information into separate files, 252
integrating Windows into, 254-261
Eventlog to Syslog, 261
running central server, 251
syslogd
creating a socket for chroot( )-ed named process to write to, 170
replacing with syslog-ng, 254
syslog.conf file, translating to syslog-ng configuration entries, 268
syslog-ng, 254, 267-271
compiling, 267
configuration file entries, 267
encrypting tunnel for secure traffic between daemons, 271
filters, defining, 269
macros, 271
TCP support, 267
translating syslogd entries from syslog.conf, 268
web site, 267
system binaries
modification by rootkits, 422
performing functions of with BusyBox, 424
verifying for chkrootkit, 424
system calls
definition of, 36
interception by Sebek, 407
restricting, 36
system groups, specifying for use of sudo, 12
system logs, protecting from tampering by intruders, 9
system updates
automating, 55-57
Windows, checking for, 59
system-auth file (PAM), 43
systrace utility, 36
aliases, 38
policies, 36
policy-generation tool, 39
T
tables of IP addresses (PacketFilter), 123
Tcl packages, required for Sguil, 358
tcltls package, 358
Tclx package, 358
TCP
general packet form in test.conf file, 152
packet flags, checking with Snort, 374
support by syslog-ng, 267
tcpdump, 305, 309
TcpFlow, 357, 359
TCP/IP
blocking ports, 138
disguising stack to prevent remote OS detection, 190
temporary files folder, encrypting on Windows, 79
Terminal.app, 113
terminals, specifying in pam_time configuration file, 45
thresholding (Snort rules), 375
including parameters in the rule, 376
throttle action, swatch, 266
Thunderbird, 107-112
Enigmail extension
public/private key pair, 109-111
sending/receiving encrypted email, 111
setting up, 107
time
connect time for users, analyzing, 272
restricting access by, 44-46
synchronizing on network systems, 207-209
time.conf file, 44
timeouts (SSH sessions), setting to guard against ARP spoof attacks, 149
timeperiods.cfg file (Nagios), 290
tinydns program, 172-176
authoritative DNS records, 174
user accounts, 173
TLDs (top-level domains), querying with whois, 427
TLS (Transport Layer Security)
EAP/TLS, 241
setting up for SMTP, 161
using TLS-enabled SMTP with Qmail, 163
VPN connections, 342
Tor (Onion Router), 91-95
blocking user access, 156-157
testing, web page, 94
tor-resolve program, 96
tunneling SSH through, 95
using with Privoxy, 93
ToS (Type-of-Service) field in IP header, 152
traffic analysis, evading on the Internet, 91-94
traffic normalization rules (PacketFilter), 125
trampoline functions, 33
Transport Layer Security (see TLS)
trends on the network, graphing, 291-293
Tripwire, 415-419
compiling from source, 416
configuration file, editing, 418
configuration settings, 416
configuration variables, fine-tuning, 417
cryptographic keys that protect its files, 416
database, 416
database, updating, 419
day-to-day use, 419
installing, 418
policy, 416
policy file, decrypting and editing, 419
stored snapshots of files, 416
subdirectories, 417
vulnerability to file modification by intruders, 416
Trojan horses
distribution in software, 13
inability of Windows Firewall to protect against, 129
ports used, 137
preventing in common directories, 3
TrueCrypt, 96-100
TTYs, PPP daemons operating over pseudo-TTYs, 345
tunnels, secure, 301-347
cross-platform VPN, creating, 339
encrypting traffic automatically with Openswan, 314
forwarding and encrypting traffic with SSH, 316
HTTP, tunnel connections inside, 327
IPsec
setting up under FreeBSD, 306-309
setting up under Linux, 301-306
setting up under OpenBSD, 309-314
PPP and SSH, using to create secure VPN tunnel, 345
squid proxy over SSH, 320
SSH client keys, quick logins with, 318
VTun and SSH, using, 329
vtund.conf, automatically generating, 334
TUN/TAP driver for Solaris or Mac OS X, 340
TXT records, 314
Type-of-Service (ToS) field in IP header, 152
U
UDP
general packet form in test.conf file, 152
use by syslogd, 266
UDP DNS traffic
rule for PacketFilter, 127
rules for Netfilter, 119
UDP ports
blocking, 138
listening services and, 16
UID 0, risks posed in chroot( ) environment, 19
UIDs for privileged accounts and groups, 166
ulimit command, 54
Unicode validation, mod_security, 394
United States Computer Emergency Response Team, 234
Unix
host security, 1
restricted shell environments, 52-54
scanning for viruses with ClamAV, 229-233
secure mount points, 2
sharing files securely, 178-182
system updates, automating, 55-57
VPN, built-in software for, 345
untrusted networks, secure communication over, 301
URL encoding, validation by mod_security, 394
URLs, checking with SpoofGuard, 104
user profiles, backing up EFS certificates and keys, 82
user-defined security filters, 394
usernames, checking with SpoofGuard, 104
users
access.conf file entry, 44
creating for Nessus, 197
resource limits, enforcing, 54
specifying for scripts executed within virtual host, 168
V
virtual host, configuring for suEXEC, 168
virtual memory management (VMM), 87, 399
viruses
scanning for on Unix with ClamAV, 229-233
scanning network traffic for, 397-400
volumes, TrueCrypt, 97-100
VPNs (virtual private networks)
built-in functionality in SSH, 322
cross-platform, creating, 339
FreeBSD, security policies for, 307
IPsec connections under Linux, 304
PPP and SSH, using to create secure tunnel, 345
VTun
tunneling with VTun and SSH, 329, 330, 331, 332, 333
vtund.conf, automatically generating, 334
vulnerabilities, network
keeping up with the latest, 233-235
scanning for, 197-206
vulnerable network hosts, simulating, 400
W
W3C Extended Log (.log) format, 135
Walleye web interface (Sebek), 412
web applications, protecting from intrusions, 392-396
web browsers, 321
CA certificates, installing, 213
configuring to use Privoxy as HTTP proxy, 94
PwdHash, 105
trusted CA relationships, 213
using Privoxy, 93
web page (for this book), xx
web servers
built-in, honeyd, 403
monitoring with Nagios, 290
Netfilter rules for, 119
web sites
spoofed, 100
spotting with SpoofGuard, 101
spoofed, spotting with SpoofGuard, 101-104
Well-known Certificate Authorities, 209
well-known ports, complete list, 137
WEP (Wired Equivalent Privacy), 236
whois command
finding owner of Internet domain, 425
querying new TLDs with, 427
querying number registry for IP address block, 425
WiFiDog, 244-249
authentication server, 244-246
editing configuration file, 247
gateway, installing, 246-249
Windows
auditing, enabling, 69-71
backing up and clearing event logs, 75-77
backing up and restoring CA with Certificate Services, 214-221
changing maximum log file size, 73
checking for nonexpiring passwords, 88
checking servers for applied patches, 59
configuring Automatic Updates using Group Policy, 63-66
default shares, disabling, 78
EFS (Encrypting File System), backing up, 80-86
encrypting temp folder, 79
enumerating automatically executed programs, 71
file encryption with TrueCrypt, 96-100
GnuPG, 107
installing Sebek client, 409
integrating into syslog, 254-261
listing open files and owning processes, 66-68
listing running services and open ports, 68
network security checker, 63
OpenVPN, 339, 343
OSSEC HIDS agent, installing, 277
paging file, clearing at shutdown, 87
remote network monitoring with rpcapd, 297-300
securing system logs, 73
Windows Firewall, 128
allowing programs to bypass, 130
checking whether turned on, 130
disabling file/printer sharing when using at WiFi hotspots, 137
email, problems with, 136
inability to protect against Trojans, 129
logging, 134-136
replacing with CORE FORCE, 139-147
Windows Script Host (WSH), 77
Windows Update web site, 65
WinDump (command-line packet sniffer), 298
WinPcap, rpcapd program, 297
wireless networks, 236-249
commodity wireless routers, turning into security platform, 236-240
deploying captive portal, 244-249
authentication server, 244-246
installing gateway, 246-249
fine-grained authentication, 240
Wireless Vulnerabilities and Exploits project, 235
wl0_wpa_psk NVRAM variable, 240
WPA (WiFi Protected Access), 236
802.1X, 241
configuring AP to support, 243
WPA2, 241
configuring AP to support, 243
WPA-PSK, 240
write action, swatch, 265
WRT54G wireless routers, 237
downloading OpenWRT firmware image, 237
WSH (Windows Script Host), 77
wtmp files (altered), detection by chkrootkit, 422
X
X11
Nessus client, 198
preventing server from listening on TCP port, 18
x.509 certificates
authentication on FreeBSD IPsec connection, 308
authentication on OpenBSD IPsec connection, 312
XML, output from nmap, 196
XSS (cross-site scripting) attacks, 394
Z
Zlib, 92, 401
zone transfers, restricting for DNS servers, 171