Showing posts with label security.

Tuesday, June 17, 2008

Free Security Apps for Linux - a comprehensive list

When you hear the words "security apps", as an end user one always tends to think of virus scanners, rootkit detectors, firewalls, network tools and so on. Linux has no dearth of these tools, which makes it one of the most secure, if not the most secure, OS. Of course, how secure you can make your Linux machine will ultimately depend on your choice of Linux distribution and on how you configure it. You can make your Linux box as open or as closed as you want.

ITSecurity - a website devoted to security - has assembled a list of 103 free security apps. A large number of them are for Windows and Mac users, but a significant share of Linux applications have also made it to the list. The applications are grouped into 13 categories: spyware, antivirus, rootkit, firewall, email, web utility, network, intrusion detection system, virtual private network, temporary files, wireless, encryption and a miscellaneous section.

You won't find Linux applications in all the categories. For example, the spyware category contains only Windows apps ;-). But this is a comprehensive list which includes many Linux applications I am hearing of for the first time. I thought that ClamAV was the only antivirus solution for Linux but I was wrong; there are many more. Do check out the full list, which will throw light on many applications that may be of use to Linux enthusiasts.

EnGarde Secure Linux 3.0.14

EnGarde Secure Linux is a Linux distribution developed by Guardian Digital, an open source Internet security company, and is designed with security in mind. Built from the ground up, this product has been in development since 1999. EnGarde Secure Linux highlights its "Secure by default" tag as the one reason it should be favored as a Linux server. The developers have considerably reduced its size to include server-only applications, and the whole administration of the server - from rebooting and shutting it down to configuring and maintaining web servers, database servers and so on - can be done remotely from the confines of a web interface.

Guardian Digital has split EnGarde Secure Linux into three branches:
  1. The Unstable branch, which contains bleeding edge packages and is open only to developers.
  2. The Community branch, which is provided for free and is supported by the open source community.
  3. The Professional branch, which is officially supported by Guardian Digital and needs to be bought.
The main difference between the Community branch and the Professional branch, apart from the fact that one is free and the other is paid, is that the Professional branch is much better tested and documented and can avail of the official support of Guardian Digital. The Community branch, by comparison, has to rely on the mailing list for support.

Features of EnGarde Secure Linux are many and are as follows (as quoted from their website):
  • Linux 2.6 kernel for the latest hardware compatibility
  • SELinux Mandatory Access Control provides high security by strictly enforcing service separation at the kernel level
  • Guardian Digital Secure Network features free access to all system and security updates and allows for quick and easy updating of the entire server
  • Broad support for server hardware, including 64-bit AMD architecture and hardware RAID
  • Web-based management of all functions, including the ability to build a complete web presence with FTP, DNS, HTTP, SMTP and more
  • Secure up-to-date LAMP stack serves virtual websites with Apache v2.0, MySQL 5.0, and PHP 4.4 (PHP 5.0 available as an optional package)
  • Latest BIND 9.3 provides secure DNS services
  • Completely new WebTool, featuring easier navigation and greater ability to manage the complete system via a secure web browser connection
  • RSS feed provides ability to display current news and immediate access to system and security updates
  • Integrated firewall with ability to manage individual firewall rules, control port forwarding, and creation of IP blacklists
  • Commercial grade Network Intrusion Detection System displays and graphs incoming attacks in real time
  • Built-in Host IDS monitors system files for unauthorized changes to ensure system integrity
  • Built-in UPS configuration provides ability to manage an entire network of battery-backup devices
  • Real-time access to system and service log information
Ryan Berens, an open source advocate at Guardian Digital, tells me that EnGarde Secure Linux is a fully functional platform distribution that focuses on integrated security and ease of management. Guardian Digital has also released EnGarde Secure Linux as a Live CD so that it can be taken for a test drive without installing it on one's machine.

(IN)Secure Magazine - a free security magazine in PDF format

One thing which any operating system worth its name should take seriously is security. In this internet age, when more and more people have access to always-on broadband, security is all the more important.

I read in an article in the mainstream media that credit card fraud is rampant and on the rise. The fraudsters hack into vulnerable machines and access confidential data. While some operating systems struggle to contain security threats, many others fare better in this department. Linux is inherently considered to be more secure. But the most secure operating system is by far OpenBSD, which has seen only two vulnerabilities in its code in 10 years.

(IN)Secure is a magazine dedicated to discussing the security-related aspects of operating systems. It is a monthly magazine made freely available for download in PDF format. Mirko Zorz is its Chief Editor. The magazine carries security articles related to all operating systems. In the latest (11th) edition of the magazine, you may read an article on iptables titled "IPtables: An introduction to a robust firewall". I may add that the article was contributed by me, so if you do read the article and find any faults, you may let me know about it rather than troubling Mirko ;-). You can download the 11th issue of (IN)Secure magazine here (PDF file).

TrueCrypt Tutorial: Truly Portable Data Encryption

TrueCrypt is one of the many disk encryption tools available for Linux and other Unices. Some of the features of TrueCrypt are as follows (and I quote):
  • Creates a virtual encrypted disk within a file and mounts it as a real disk.
  • Encrypts an entire hard disk partition or a storage device such as USB flash drive.
  • Encryption is automatic, real-time (on-the-fly) and transparent.
  • Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:
    1. Hidden volume (steganography).
    2. No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).
  • Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: LRW.
Lipiec at Polishlinux.org has written a very good tutorial which explains how to set up and use TrueCrypt in Linux. He covers everything from downloading, compiling and installing the code to creating encrypted volumes. Just so you know, TrueCrypt is also available in deb and rpm formats, so if you are using one of the major Linux distributions such as Debian, Ubuntu or Fedora, you can skip the compile-from-source step.

TrueCrypt is available for Linux and Windows, but the developers have provided an easy-to-use GUI only for the Windows platform. Linux users still have to depend on the command line to set up and manage encrypted volumes with TrueCrypt.

Tuesday, June 3, 2008

ClamAV gets acquired by Sourcefire

Remember ClamAV, the free anti-virus solution released under the GPL licence? A long time back I wrote an article on how to install and use ClamAV anti-virus software in Linux, which you might find interesting.

Well, ClamAV has just been acquired by Sourcefire. Sourcefire describes itself as a world leader in intrusion prevention, and its flagship product is Snort, an open source tool used by many thousands to detect intruders on their servers, or rather to keep them at bay.
  • The bottom line of the acquisition is that all the members of the core ClamAV developer team will now be working as employees of Sourcefire.
  • The ClamAV engine and CVD will remain under GPL.
  • Sourcefire now owns the ClamAV project and related trademarks, as well as the source code copyrights held by the five principal members of the ClamAV team. Sourcefire will also assume control of the ClamAV project including: the ClamAV.org domain, web site and web site content; and the ClamAV Sourceforge project page.
  • As far as end users are concerned, the company claims nothing much has changed.
Read the official announcement here.

How to find out if your Linux machine has been hacked?

It is very rare that the Linux PC you use as a desktop will get compromised, especially if you do not run any services like a web server, mail server and so on. Moreover, many modern Linux distributions targeted at the end user, Ubuntu for example, ship with all ports closed by default, and others like PCLinuxOS bundle a robust firewall. This makes the job of an intruder all the harder.

But suppose that after all the precautions you take, some resourceful cracker succeeds in finding a loophole and hacks into your machine. How do you detect that your machine has been compromised in the first place?

Lars has written up the step-by-step process by which he ascertained that a Linux server run by his friend had been compromised by an intruder. His findings throw light on what you can expect, and the steps to take, when you suspect your machine has been rooted.

The server was running a fairly up-to-date Ubuntu 6.06 LTS. He concludes that the compromise could have been caused by:
  1. An exploit unknown to the public.
  2. A user accessing this server from an already compromised host, where the attacker could sniff the password.
Read this very interesting article, which throws some light on the actions of a hacker.

SSH tutorial for Linux

SSH stands for Secure SHell. It is similar to telnet, with the difference that while telnet sends all your data, including your password, as plain text across the network, SSH sends everything encrypted. This makes it practically impossible to snoop on your data or passwords while they are in transit across the Internet or your network.

Over a period of time I have written a couple of articles on this blog related to SSH. Today I came across a very well written tutorial on using SSH by Mark Krenz. He explains the concept of SSH, generating public/private key pairs, forwarding an X11 session over SSH, TCP forwarding, SOCKS5 proxying and so on. A very good article, worth spending one's time to read.

Related articles:
  • How to setup SSH keys and why ?
  • SSH - Secure SHell explained
  • Integrating SSH in GNU/Linux

Howto: Build an SELinux policy the Red Hat Enterprise way

Red Hat / Fedora now has GUI tools to help edit and create SELinux policy files, and it is much simpler to create a custom SELinux policy in Red Hat Enterprise Linux.

In this detailed article, Dan Walsh gently walks you through the policy module creation process.

A lot of people think that building a new SELinux policy is magic, but magic tricks never seem quite as difficult once you know how they’re done. This article explains how to build a policy module and gives you the step-by-step process for using the tools to build your own.

Read more in the step-by-step guide to creating an SELinux policy module by Dan Walsh.

Update: Also check out this PDF presentation on Managing Red Hat Enterprise Linux 5, which also contains information on SELinux.

Is it possible to hack into a Gmail address? - Really scary

Who doesn't have a Gmail id nowadays? In my honest opinion, I am yet to discover a more user friendly web mail host. Gmail is non-intrusive and provides all the advanced and usable features such as POP3, mail search and much more.

But recently, at the Black Hat security convention, Robert Graham, the CEO of Errata Security, surprised attendees by hijacking a Gmail session on camera and reading the victim's email. He went even further, demonstrating the attack by taking over another journalist's Gmail account and then sending emails from that account. Really scary.

So how do you protect yourself from somebody sniffing your email while it is in transit and then hacking into your Gmail account? There is one way to make it much harder for anyone to sniff your mail: send and receive mail using Gmail's SSL feature. SSL stands for Secure Sockets Layer and is used to provide secure data transfer across the web; for instance, ecommerce sites use SSL to transmit your credit card details. Google provides the SSL feature for Gmail, and all it takes to enable it is to type the address https://mail.google.com instead of http://mail.google.com. Make note of the 's' in 'https'. Instead of encrypting only the username and password, Gmail then encrypts the whole mail session, which makes it possible to transfer your mail securely.

So the next time you decide to log on to your Gmail account, use https instead of http and you will be fairly safe from getting your mail sniffed in transit.

Cracking a 13 digit alphanumeric password in 160 seconds

The story might seem right out of science fiction. But it is true: with the rapid, steep increase in computing power, it is now possible to crack a password from its hashed state much more quickly with the aid of the right kind of tools.

Jeff Atwood writes that he was able to crack a 13 digit alphanumeric password - the password in question is "Fgpyyih804423" - in just 160 seconds. For the cracking he used an open source tool called Ophcrack, a Windows password cracker based on rainbow tables.

A rainbow table is a lookup table offering a time-memory tradeoff, used to recover a plain text password from the hash produced by a hash function. For example, in Linux your password can be stored hashed using MD5 or the more powerful SHA1 and SHA256. I may add that while installing Debian, Mandriva or openSUSE, the installer asks whether you want your passwords hashed with MD5 or the more powerful SHA. Choose SHA, because MD5 can be easily broken.

To see your passwords in hashed form in Linux, just log in as 'root' and view the /etc/shadow file.
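As an added example (not from the post, nor from Ophcrack or any distribution's tooling), here is a small audit script that reads /etc/shadow-style entries and flags accounts still hashed with MD5-crypt (the `$1$` scheme the post recommends against), accounts with an empty password field, and anything it cannot recognise. The field layout follows shadow(5) and crypt(3); the sample entries are constructed and their hash strings are placeholders, not real password hashes.

```python
"""Audit which password hashing scheme each account in /etc/shadow uses.

Constructed sample data. Field layout per shadow(5):
  name:password:lastchg:min:max:warn:inactive:expire:reserved
The password field is a crypt(3) string "$id$[rounds=N$]salt$hash",
empty (no password required), or starts with '!' or '*' (locked).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# crypt(3) scheme identifiers; $1$ is MD5-crypt, which the post says to avoid.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

CRYPT_RE = re.compile(
    r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]*)\$(?P<hash>[^$]+)$"
)


@dataclass
class Entry:
    user: str
    status: str             # "hashed", "locked", "empty" or "unknown"
    scheme: Optional[str]   # e.g. "sha512crypt"; None when not hashed
    rounds: Optional[int]   # explicit rounds=N, if present
    salt_len: int
    weak: bool              # True for md5crypt, empty or unrecognised fields


def parse_shadow_line(line: str) -> Entry:
    """Classify one shadow(5) line by its password field."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError(f"malformed shadow line: {line!r}")
    user, pw = fields[0], fields[1]
    if pw == "":
        # No password required at all: the most urgent finding.
        return Entry(user, "empty", None, None, 0, True)
    if pw.startswith(("!", "*")):
        return Entry(user, "locked", None, None, 0, False)
    m = CRYPT_RE.match(pw)
    if not m:
        # Legacy 13-character DES crypt or anything else unrecognised.
        return Entry(user, "unknown", None, None, 0, True)
    scheme = SCHEMES.get(m.group("id"), "other:" + m.group("id"))
    rounds = int(m.group("rounds")) if m.group("rounds") else None
    return Entry(user, "hashed", scheme, rounds, len(m.group("salt")),
                 scheme == "md5crypt")


def audit(text: str) -> List[Entry]:
    return [parse_shadow_line(l) for l in text.splitlines() if l.strip()]


def weak_accounts(text: str) -> List[str]:
    """Names of accounts an administrator should rehash or lock."""
    return [e.user for e in audit(text) if e.weak]


# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE = """\
root:$6$rounds=5000$aBcDeFgH$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789ab:17600:0:99999:7:::
alice:$1$saltsalt$abcdefghijklmnopqrstuv:17600:0:99999:7:::
bob:$5$abcdefgh$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstu:17600:0:99999:7:::
daemon:*:17600:0:99999:7:::
guest::17600:0:99999:7:::
"""

if __name__ == "__main__":
    for e in audit(SAMPLE):
        flag = "WEAK" if e.weak else "ok"
        print(f"{e.user:8} {e.status:7} {e.scheme or '-':12} "
              f"rounds={e.rounds} salt={e.salt_len} {flag}")
```

Run it against the real file with `audit(open('/etc/shadow').read())` as root; accounts listed by `weak_accounts` should have their password reset once the system default is switched to a SHA scheme.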

So what Ophcrack does is use rainbow tables to crack passwords (thankfully only Windows passwords) in real time. The developers have released a LiveCD based on the SLAX Linux distribution which automates the process to a large extent. The Ophcrack developers claim the LiveCD cracks passwords automatically - no installation necessary, no admin password necessary (as long as you can boot from the CD) - so there.

While Jeff does make it sound scary, with the right precautions rainbow table cracking can be rendered useless. Thomas Ptacek, a security expert, explains some secure password schemes and the precautions you can take to protect your machine from a remote attack based on rainbow tables.

Sunday, June 1, 2008

Review : EnGarde Secure Linux

There are hundreds of Linux distributions targeting diverse sets of users. While quite a number of them - especially the mainstream ones - position themselves as a universal solution to all your Linux expectations, some take a specialist role of one form or other, catering to a specific set of Linux users.

One such specialized Linux distribution, targeted specifically at servers, is EnGarde Secure Linux. As the name indicates, this distribution lays stress on security, because servers should be secure out of the box by default. EnGarde Secure Linux goes the extra length and pulls out all the stops to make sure the server is indeed secure. More on that later.

EnGarde Secure Linux is released by its parent company Guardian Digital in two forms: the Community edition, which is available for free download, and the commercial Professional edition. The Community edition of EnGarde is full featured, secure and built entirely from open source, and it contains many of the capabilities of the Professional edition. Guardian Digital claims to have over 500 corporate clients across the USA, Canada and the rest of the world who use EnGarde Secure Linux.

I decided to install the Community edition of EnGarde Secure Linux on my machine and take it for a spin.

One of the unique aspects of EnGarde Secure Linux is that it ships with only those packages that are absolutely necessary to function as a server. So you won't find software such as an X Window server or the other desktop utilities which are expected in any normal Linux distribution. But EnGarde ships with the necessary databases, web server, mail server and DNS server, and you can configure EnGarde to function as any of those or all of them.

Installation of EnGarde Secure Linux
Installation of EnGarde Secure Linux is, as such, a trouble free affair achieved via its text based installer. On the other hand, if you are just interested in trying it out, that is also possible because the ISO also functions as a LiveCD, and you can try out all the features EnGarde has to offer without installing it on your hard disk.

Basically, these are the steps I had to go through to install EnGarde on my machine.

Fig: Booting from the CD-ROM

Fig: Decide on the partitioning scheme.

  • Change root and webTool password - this is applicable only if you are using EnGarde as a LiveCD.
  • Decide on whether you want DHCP or static networking
  • Choose between running EnGarde in installation or LiveCD mode - Here I chose Installation mode as I wanted to install it on my machine.
  • Choose the language - English is default.
  • Decide on the partitioning of your hard disk. Here there are two choices. One is the automatic one where the installer will create the necessary partitions (usually /,/var and /home). And the other option is manual where you can decide to partition your hard disk as per your requirement. But either way, it is not possible to dual boot between OSes if you are installing EnGarde on your machine as it wipes out your whole disk. So backup your data before you proceed with your installation - you have been warned. I chose automatic partition option here.
  • Decide on the type of hard disk - whether IDE or SCSI.
  • Choose the packages - The packages are broadly classified into 6 sections namely Databases, DNS, Firewall, Mail services, Network Intrusion Detection and Web services. I selected all the packages and pressed OK and the installer started copying all the files to the hard disk.
  • Next I had to configure the network card and provide information such as the IP address, netmask, the default gateway and the network address.
  • Then it prompted me to provide a fully qualified domain name for my machine.
  • Lastly I had to enter the IP address of the primary and secondary name server.
That was it. EnGarde Secure Linux was now fully installed on my machine.

By default around 220 packages are bundled with EnGarde, and using the versatile webTool you can install an additional 300 or so packages, all of them cherry picked for use at the server end. EnGarde is available for i686 and x86-64 architectures and uses RPM packages managed by apt-get.

Security aspect of EnGarde Secure Linux
EnGarde implements security by following a number of rules.
  1. It locks down the box at the host level by implementing a number of features such as TCP wrappers, restricted user rights applied globally, and SELinux policies running in enforcing mode.
  2. At the network level, EnGarde ships with a plethora of network tools which allow a system administrator to analyse the security level of his machine and take preventive measures. EnGarde ships with a unique webTool through which you can do any and all system administration tasks from a remote location, including rebooting or shutting down the server. This means that after installation you can safely place the server in a locked room and not worry about its physical security.
  3. Up-to-date security patches for the software are released on a regular basis (roughly every month), enabling system administrators to plug any security holes in the server software they run. This is automated to a certain level via the Guardian Digital Secure Network (GSDN). You are prompted to register and create a GSDN account (for free) - it is not optional.
WebTool in EnGarde Secure Linux
At the end of the installation, you are notified that the preferred way of administering the Linux box is via a web browser, using the address https://:1023/.

I initially typed the address but missed the 's' in 'https' and was flummoxed, but later figured out my mistake and typed the address correctly. That's right, the webTool is accessed via secure HTTP (using SSL).

You log in to the webTool using two different passwords depending on whether you are using EnGarde as a LiveCD or if you have installed it on a machine.

For LiveCD:
The login name is 'admin' and the password is the root password you set while booting the EnGarde Linux CD.

When installed:
The login name is 'admin' and the password is "lock&%box". The first time you log into the admin section, you are confronted with an initial configuration screen.

Here the first thing you are prompted to do is register for a GSDN account, which is free. EnGarde Secure Linux uses the GSDN account to provide up-to-date automated security fixes to your server. Then you specify (or rather change) the root and webTool passwords, specify the NTP servers as well as your geographic location, and lastly fine tune the services you require to run on your remote server.

Fig: WebTool main page

The web interface can be viewed in three languages at present, namely English, Spanish and Italian, with work going on to support more languages.

WebTool is the pivot with which you can effectively administer the system remotely from within a web browser.

I was really amazed at the things you can achieve from within the webTool. For instance, you can manage users, manage database servers, manage the web server (Apache), implement DNS, view all the security logs updated in real time, manage mail servers, enable and disable system level services, enable and configure the firewall, and even run most of the security tools bundled with EnGarde, such as Snort, and view their output in the web browser. In short, the webTool is a one stop shop for troubleshooting and managing your server from a remote location. A very powerful interface indeed.

I can already see the possibilities where choosing EnGarde Secure Linux at the server end could circumvent some hardware limitations. Here is a scenario. Say you are interested in hosting a website on a VPS (Virtual Private Server) account. Nowadays it is possible to get a VPS account for as low as $7/month. While the price is equivalent to any shared hosting price, there is a catch: at that low price, the memory (RAM) allocated to your virtual machine is not more than 64MB and the percentage of CPU cycles allocated is also limited. You can't possibly run cPanel or Plesk in this account, as they require at least 256 MB of memory to be allocated to your server to function efficiently. Since the webTool is integrated with EnGarde Secure Linux and does not use much memory, EnGarde turns out to be a viable alternative for an automated server, not to speak of the importance it gives to security and performance.

To sum up, I found EnGarde Secure Linux to be a unique blend of a robust Linux server topped up with loads of security features coupled with a very powerful webTool which aids in administering the server remotely, all from within a web browser.

Saturday, May 31, 2008

Domain name theft - how it is done and steps to prevent it

Let's say you have a sudden insight on a name which is apt for your website and you wish to register it as a domain name. You fire up your web browser, visit any one of the innumerable sites which help in checking whether a particular domain name is available, and to your absolute delight, nobody has yet registered your domain name.

So you decide to register it as soon as you can find the time ... perhaps tomorrow, because today you have an official deadline to meet. The next day, when you try to register the same domain name, you find to your dismay that it has already been snapped up by somebody else. How did this happen? Was this a case of bad luck? Maybe not. You may be the victim of a rogue company which picked up your name after intercepting your search the previous day. In effect, the person or entity which registered your domain name has stolen your domain research. The act of typing the domain name in the wrong place may allow these squatters to register the domain before you.

Jay Westerdal of domaintools.com has written an insightful piece on the various precautions you can take while searching for your domain name prior to registering it. These steps help, to a certain extent, in mitigating domain name theft even before you have laid your hands on the name.