Five top Linux security tools

Source: 51 CTO
First, no program can guarantee the permanent security of your network or server. Security is a continuous process of assessment and improvement. Fortunately, Linux offers many good tools to help with that process. In this article I recommend five of my favourite security tools, which help you prevent, detect and respond to intrusions. Preventing a problem is easier than dealing with it after the fact, but you still have to detect and respond when something does go wrong, so you should become familiar with these tools before a threat actually appears.

1. Nmap

To assess whether a machine is vulnerable to attack, you need to know how many services it exposes to attackers. An excellent tool for this is Fyodor's network mapper, Nmap. Debian users can obtain it through apt-get install nmap. Run it against your server to check which services are actually running, even if you think you already know. Obviously, if the ssh port is closed, the strength of your ssh password no longer matters.

The simplest use of Nmap is to discover the hosts on your local network. Here we ask nmap to send an ICMP echo request (ping) to every host in a range of IP addresses:

$ nmap -sP 10.0.0.1-254
Starting nmap 3.81 (http://www.insecure.org/nmap) at ... NZDT
Host 10.0.0.25 appears to be up.
MAC Address: 00:0C:F1:AE:E6:08 (Intel)
Host 10.0.0.51 appears to be up.
MAC Address: 08:00:09:9A:1A:AA (Hewlett Packard)
Host 10.0.0.70 appears to be up.
MAC Address: 00:0F:EA:64:4E:1E (Giga-Byte Tech Co.)
...

However, nmap is most commonly used to find out which services are running. Because TCP establishes a connection with a three-way handshake, we can find out which ports are open without ever completing a connection to them. This is the famous SYN or half-open scan, and it is the default mode when you run the command as root. If you run it as an ordinary user, nmap instead performs a full connect to test whether each port is open. (Note: in half-open mode we send the initial SYN packet and listen for the response. An RST means the port is closed, and a SYN+ACK means the port is open. If no response arrives, nmap reports the port as filtered. Some firewalls drop the packet, which produces the filtered state; others send an RST so that the port looks closed.) If a server is listening on a port you did not intend it to, check carefully:

# nmap -sS 10.0.0.89
Starting nmap 3.81 (http://www.insecure.org/nmap) at ... NZDT
Interesting ports on 10.0.0.89:
(The 1637 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
42/tcp  open  nameserver
80/tcp  open  http
110/tcp open  pop3
...

Fyodor has also added a large collection of service fingerprints. To ask nmap to identify the service behind each port, add the -sV option to the command:

# nmap -sV 10.0.0.89
Starting nmap 3.81 (http://www.insecure.org/nmap) at ... NZDT
Interesting ports on 10.0.0.89:
(The 1637 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp?
22/tcp  open  ssh         OpenSSH 3.8.1p1 Debian-8.sarge.4 (protocol 2.0)
42/tcp  open  nameserver?
80/tcp  open  http        Apache httpd 1.3.33 ((Debian GNU/Linux) mod_gzip/1.3.26.1a PHP/4.3.10-16)
110/tcp open  pop3?
...

Another impressive feature is operating system detection: simply add the -O option to the command. If the machine has at least one open port and at least one closed port, nmap can usually identify the operating system accurately:

# nmap -O -sS 10.0.0.89
Starting nmap 3.81 (http://www.insecure.org/nmap) at ... NZDT
Interesting ports on 10.0.0.89:
(The 1637 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
21/tcp  open  ftp
...
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7, Linux 2.6.3 - 2.6.8
Uptime 30.906 days (since Mon Oct 2 11:18:59 2006)

So use nmap to check every machine on your network for services that were installed temporarily and then forgotten; you can also run it from outside your network range to verify that your firewall is configured correctly.
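One way to turn such a scan into a routine check, as an added example rather than code from the article: parse the port table that nmap -sS prints in the format shown above and compare it with the list of services you meant to expose. The scan text below is constructed for illustration, and the expected-port set is an assumed policy for the host.

```python
import re
import sys

# Constructed sample in the format nmap -sS prints (not a real scan result).
SCAN_OUTPUT = """\
Starting nmap 3.81 (http://www.insecure.org/nmap)
Interesting ports on 10.0.0.89:
(The 1637 ports scanned but not shown below are in state: closed)
PORT    STATE    SERVICE
21/tcp  open     ftp
22/tcp  open     ssh
42/tcp  open     nameserver
80/tcp  open     http
110/tcp open     pop3
113/tcp filtered auth
"""

# One row of the port table: "21/tcp  open  ftp"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_ports(output):
    """Return {(port, proto): (state, service)} for every row of nmap's port table."""
    ports = {}
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            ports[(int(port), proto)] = (state, service)
    return ports

def audit(output, expected_open):
    """Compare a scan with the services we intended to expose.
    Returns (unexpected, missing): open ports that are not on the allow-list
    (forgotten services) and allow-listed ports that are not open (an outage, or a
    firewall rule stricter than intended). Both are sorted lists of (port, proto)."""
    ports = parse_ports(output)
    open_ports = {key for key, (state, _) in ports.items() if state == "open"}
    return sorted(open_ports - expected_open), sorted(expected_open - open_ports)

if __name__ == "__main__":
    # Use a piped real scan (nmap -sS host | python3 audit.py) or fall back to the sample.
    text = SCAN_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    # Assumed policy for this host: only ssh, http and pop3 should be reachable.
    expected = {(22, "tcp"), (80, "tcp"), (110, "tcp")}
    unexpected, missing = audit(text, expected)
    services = parse_ports(text)
    for port, proto in unexpected:
        print(f"unexpected open port {port}/{proto} ({services[(port, proto)][1]})")
    for port, proto in missing:
        print(f"expected port {port}/{proto} is not open")
```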

2. OpenSSH

When you care about your network, you need a safe way to manage your machines, which means you cannot use telnet or rcp. OpenSSH is what most people use to replace telnet/rcp: it encrypts all data in transit and checks at the other end of the connection that each packet has not been tampered with. Debian users can obtain it through apt-get install openssh-server.

First, we recommend that you move sshd to another port. Use keys instead of passwords, or at least enforce basic rules for password quality. Remember that sshd only protects the data in transit; if your access control is weak, an attacker simply gets a secure channel through which to take over your machine. That is not what you want, and I have seen too many Linux machines broken into through temporary accounts with credentials such as upload/upload. To change the port, edit the /etc/ssh/sshd_config file, change "# Port 22" to "Port 12345", and restart the service.

In the following example we show how to replace passwords with keys. What you need is a user account on the client machine and an account on the remote machine whose files you can read and write.

You can leave the passphrase empty and skip ssh-agent (the ssh-add command) if you prefer; here we use both. Log on to the client and enter the following commands:

client% ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/usr/local/sss/jriden/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): [Note: enter a passphrase]
MY PASSPHRASE
Enter same passphrase again: MY PASSPHRASE
Your identification has been saved in /usr/local/sss/jriden/.ssh/id_rsa.
Your public key has been saved in /usr/local/sss/jriden/.ssh/id_rsa.pub.
The key fingerprint is:
75:65:36:2b:ed:38:9f:4a:6d:c4:d8:ec:25:ed:ff:31 jriden@its-dev2
client% ssh-add
Enter passphrase for /usr/local/sss/jriden/.ssh/id_rsa: [Translator's note: enter the passphrase of your key]
MY PASSPHRASE
Identity added: /usr/local/sss/jriden/.ssh/id_rsa (/usr/local/sss/jriden/.ssh/id_rsa)
client%

Now take ~/.ssh/id_rsa.pub and append its contents to ~/.ssh/authorized_keys (or ~/.ssh/authorized_keys2) on the server. Make sure no stray line breaks get in, which easily happens with sloppy copying and pasting:

client% scp server:~/testfile .
The authenticity of host 'server (130.123.128.86)' can't be established.
RSA key fingerprint is 97:7b:e0:12:c2:f8:8e:05:cc:2b:74:50:9b:00:28:0e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server,130.123.128.86' (RSA) to the list of known hosts.
testfile          |***************************************************|  81940

The prompt appears because the server is not yet a known host; this is how ssh fights host spoofing. The prompt will not appear the next time you connect.
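Before appending a pasted key to authorized_keys it is worth checking that it is exactly one well-formed line. The Python below is an added example, not code from the article: it parses an OpenSSH public-key line, confirms that the key type encoded inside the base64 blob matches the textual prefix, and repairs a key that a sloppy paste has wrapped onto several lines. The key material is a constructed dummy with the right wire layout, not a real key.

```python
import base64
import struct

def wire_strings(*fields):
    """Encode byte strings in SSH wire format (uint32 length + data, each)."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)

def parse_pubkey(line):
    """Parse one authorized_keys line into (keytype, comment); raise ValueError if the
    line is malformed, the base64 is damaged, or the key type encoded inside the
    blob disagrees with the textual prefix."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob, comment = parts[0], parts[1], " ".join(parts[2:])
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError(f"damaged base64: {exc}") from exc
    if len(raw) < 4 or raw[4:4 + struct.unpack(">I", raw[:4])[0]] != keytype.encode():
        raise ValueError("key type inside blob does not match the prefix")
    return keytype, comment

def normalize_pasted_key(text):
    """Rejoin a key that a paste has wrapped onto several lines: glue the tokens
    after the key type back together one at a time until the result parses;
    whatever remains is the comment."""
    tokens = text.split()
    for k in range(1, len(tokens)):
        candidate = f"{tokens[0]} {''.join(tokens[1:k + 1])} {' '.join(tokens[k + 1:])}"
        try:
            parse_pubkey(candidate.strip())
            return candidate.strip()
        except ValueError:
            continue
    raise ValueError("no valid public key found in the pasted text")

# Constructed dummy key: correct wire layout (type, exponent, modulus) but not
# real key material, so it can never authenticate anywhere.
DUMMY_BLOB = base64.b64encode(
    wire_strings(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x7f" * 32)).decode()
GOOD_LINE = f"ssh-rsa {DUMMY_BLOB} jriden@its-dev2"
WRAPPED_LINE = GOOD_LINE[:30] + "\n" + GOOD_LINE[30:]  # line break inside the blob

if __name__ == "__main__":
    print(parse_pubkey(GOOD_LINE))                          # ('ssh-rsa', 'jriden@its-dev2')
    print(normalize_pasted_key(WRAPPED_LINE) == GOOD_LINE)  # True
```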

3. Tcpdump

Tcpdump is probably the best-known application for examining raw network traffic. Debian users can obtain it through apt-get install tcpdump. It reads and writes the well-known pcap file format, so named because pcap is the packet capture library tcpdump is built on.

In this example we dump all traffic with source port 53 or destination port 53, in other words all DNS traffic. If you want to be more specific, you can use src port 53 or dst port 53 instead. I use the -n option because otherwise tcpdump tries to resolve IP addresses to host names so that it can print friendly output, and those DNS lookups would themselves show up in our capture:

# tcpdump -n port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:19:58.302298 IP 192.168.0.8.1037 > 192.168.128.1.53: 36224+ A? www.slashdot.org. (34)
11:19:58.360227 IP 192.168.128.1.53 > 192.168.0.8.1037: 36224 1/5/5 A 66.35.250.151 (239)
...
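To make such a capture useful for monitoring, as an added example that is not part of the article: the script below parses the query lines that tcpdump -n port 53 prints, counts queries per client, and flags clients that send DNS to a server other than the one we expect, which is how a misconfigured host or DNS tunnelling usually first shows up. The capture lines and the expected resolver address 192.168.128.1 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# One query line as tcpdump -n port 53 prints it (timestamp, src.port > dst.53,
# query id and flags, type, name, length). Answers go the other way and are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"(?P<qid>\d+)\S* (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<length>\d+)\)$"
)

def parse_queries(lines):
    """Yield one dict per DNS query line; non-matching lines (answers, noise) are ignored."""
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(lines, resolver):
    """Return (queries per client, names per client, clients using an unexpected server)."""
    per_client = Counter()
    names = defaultdict(set)
    unexpected = defaultdict(set)
    for q in parse_queries(lines):
        per_client[q["src"]] += 1
        names[q["src"]].add(q["qname"].rstrip("."))
        if q["dst"] != resolver:
            unexpected[q["src"]].add(q["dst"])
    return per_client, dict(names), dict(unexpected)

# Constructed capture, not the article's data: 192.168.0.8 behaves normally,
# 192.168.0.23 sends TXT queries to a resolver nobody configured (203.0.113.9).
SAMPLE_CAPTURE = """\
11:19:58.302298 IP 192.168.0.8.1037 > 192.168.128.1.53: 36224+ A? www.slashdot.org. (34)
11:19:58.360227 IP 192.168.128.1.53 > 192.168.0.8.1037: 36224 1/5/5 A 66.35.250.151 (239)
11:20:01.100100 IP 192.168.0.8.1038 > 192.168.128.1.53: 36225+ AAAA? www.debian.org. (32)
11:20:05.500500 IP 192.168.0.23.4512 > 203.0.113.9.53: 1+ TXT? example.net. (29)
11:20:05.600600 IP 192.168.0.23.4513 > 203.0.113.9.53: 2+ TXT? example.net. (29)
""".splitlines()

if __name__ == "__main__":
    counts, names, rogue = summarize(SAMPLE_CAPTURE, resolver="192.168.128.1")
    for client, n in counts.most_common():
        print(f"{client}: {n} queries for {sorted(names[client])}")
    for client, servers in rogue.items():
        print(f"{client} queried unexpected DNS server(s): {sorted(servers)}")
```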

In
