LinuxQuestions.org - 2004 LinuxQuestions.org Members Choice Awards - Security App of the Year (https://www.linuxquestions.org/questions/2004-linuxquestions-org-members-choice-awards-62/security-app-of-the-year-272117/)

zaichik 01-25-2005 06:10 AM

This was tough. I went with Nessus.

LinuxLala 01-26-2005 11:10 AM

I couldn't decide between nmap and snort. Used both, liked both :)

And only votes will tell if Kismet is any popular. 'Coz I always thought it was good only to detect wireless networks in my neighbourhood. That's what I used it for anyways ;)

hari_seldon99 01-26-2005 11:17 AM

Quote:

Originally posted by LinuxLala
I couldn't decide between nmap and snort. Used both, liked both :)

And only votes will tell if Kismet is any popular. 'Coz I always thought it was good only to detect wireless networks in my neighbourhood. That's what I used it for anyways ;)

Hey, to detect wireless networks, just do "iwlist wlan0 scan".
You'll need kismet or airsnort to SNIFF wireless networks, not to detect them!

LinuxLala 01-26-2005 11:54 AM

Quote:

Originally posted by hari_seldon99
Hey, to detect wireless networks, just do "iwlist wlan0 scan".
You'll need kismet or airsnort to SNIFF wireless networks, not to detect them!

Oops, my bad. I did mean SNIFF. Sorry for being so off the mark :)

mas00d 01-31-2005 10:47 AM

tcpdump.

mishu_b 02-01-2005 03:34 AM

nmap

catworld 02-01-2005 08:05 AM

tough choice

I've got snort toiling away on my smoothwall at the moment, really rely on it. And for entirely different purposes I fire up nmapfe almost daily. Probably only because I actually touch nmap daily it gets my vote. Poor ol' snort, doing its job silently and efficiently... tough choice indeed.

Medievalist 02-01-2005 01:05 PM

SSH for the foreseeable future

There ought to be an OpenSSH listing, regardless of what other polls it is listed in.

Nearly any insecure application can be secured by appropriate use of the OpenSSH toolset, and (regardless of what the theorists and ivory-tower scientists say) the PHBs will not throw away a mature application that cost millions of dollars to develop even if it's /trivially/ crackable.

If you ever have to retro-fit thousands of data transfers to comply with HIPAA regulations, SFTP (which is part of OpenSSH) will do the job.

OpenSSH lets you replace rsh, telnet, rlogin, and rcp, for example, without modifying the hundreds (if not thousands) of scripts your users have installed that call these programs.

If you've ever tried to install a vendor product that the PHBs absolutely *insist* must be installed, that calls rsh for installation and operation, you know how WONDERFUL OpenSSH really is!

If you've ever ripped out telnet and discovered that dozens of operator SOPs are utterly reliant on it, you know how WONDERFUL OpenSSH really is!

If you've ever found a compromised end-user machine running on your network that is doing ARP redirection and packet sniffing, you etc. etc. etc.

Real-world, OpenSSH absolutely RULES.

catworld 02-01-2005 01:48 PM

Re: SSH for the foreseeable future

Quote:

Originally posted by Medievalist
If you've ever found a compromised end-user machine running on your network that is doing ARP redirection and packet sniffing, you etc. etc. etc.

Real-world, OpenSSH absolutely RULES.

Medievalist,

Indeed! How could I have overlooked SSH!!! Presently I tunnel gnomemeeting through it, among many other uses. "Greatest app overall" category, perhaps? The grand prize winner in my book!

BTW I discovered a few months back that our local cable ISP was broadcasting about 40 ARPs a second. Looked like about 40% of bandwidth consumption, at least on my interface. I alerted the ISP but never heard from them. It started suddenly, went on a few weeks then ended. When I traced the source I found out the given IP (an unassigned one, reserved exclusively to the ISP, BTW) was a spoof, the real source was the IANA black hole server... in one hop. Probably why I never heard back! Whatever was that all about?

catworld

Medievalist 02-01-2005 03:53 PM

Probably somebody on the local leg running something like dsniff.

People who are wise to ARP redirection are generally hip to IP spoofing also. ;)

You need strict host key checking and out-of-band key distribution to prevent man-in-the-middle attacks on SSH when tools as sophisticated as dsniff are in use. USB sticks are cheap now so you can use them for key distribution, and carry one in your pocket all the time.

catworld 02-01-2005 04:30 PM

Quote:

You need strict host key checking and out-of-band key distribution to prevent man-in-the-middle attacks on SSH when tools as sophisticated as dsniff are in use. USB sticks are cheap now so you can use them for key distribution, and carry one in your pocket all the time.

Medievalist,

I must confess to being a newbie at SSH, I've gotten V2 to work exactly once. But at least that was after I distributed the keys via my trusty USB stick that is indeed in my pocket all the time! Problem I encountered thereafter was appending other keys to ~/.ssh/known_hosts. I could only get it to work with one key (each side) in there, and found zip on the net explaining how to append this file properly... so it's V1 for now. : - (

By strict host key checking do you mean use ssh2 only?

Thanks for the fire under my feet though, I'll get v2 working one way or other, post haste!

catworld

Medievalist 02-02-2005 10:55 AM

Quote:

By strict host key checking do you mean use ssh2 only?
Well, I do recommend ssh2 only, but ssh1 is far better than cleartext protocols. I don't think anyone has cracked ssh v1.6 yet... I could be wrong.

"Strict host key checking" is an option that can be enabled in SSH that will not allow connection to a host if the host key is unknown or if it changes. You can read about it (if OpenSSH is installed) with a "man ssh" command.

The format for known_hosts is documented in the (huge) sshd man page. You could make an example of one with multiple keys, though, by doing a "ssh 127.0.0.1" and allowing the key to be added, then doing a "ssh hostname" (using the hostname of the local machine). I think that should give you a known_hosts file with two entries to look at.
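A worked example added here (not from the thread) of the two things Medievalist describes above: strict host key checking, and a known_hosts file holding several entries, built from host public keys carried over out of band on a USB stick rather than accepted on first connect. Hostnames, addresses and key paths are assumed, and the key data in the usage comments is made up.

```shell
#!/bin/sh
# Added example, not from the thread. Each server's /etc/ssh/ssh_host_*_key.pub
# is copied to a USB stick at the console (out of band), then turned into a
# known_hosts entry here. With StrictHostKeyChecking=yes, ssh refuses a host
# whose key is missing from known_hosts or differs from the stored one, instead
# of prompting, which is what defeats a dsniff-style man-in-the-middle.

# Build one known_hosts line: "host[,host...] keytype base64".
# A .pub file is "keytype base64 [comment]"; the comment is dropped.
known_hosts_line() {
    hosts="$1"      # e.g. "server1,192.0.2.10" (assumed names/addresses)
    pubfile="$2"    # e.g. /media/usb/server1/ssh_host_ed25519_key.pub (assumed)
    read -r ktype kdata _comment < "$pubfile" || return 1
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $ktype" >&2; return 1 ;;
    esac
    printf '%s %s %s\n' "$hosts" "$ktype" "$kdata"
}

# Append the entry unless an identical line is already present, so the file
# accumulates one entry per host (and per key type) without duplicates.
add_known_host() {
    hosts="$1"; pubfile="$2"; kh="${3:-$HOME/.ssh/known_hosts}"
    line=$(known_hosts_line "$hosts" "$pubfile") || return 1
    mkdir -p "$(dirname "$kh")"
    touch "$kh"; chmod 600 "$kh"
    if grep -qxF "$line" "$kh"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$kh"
}

# Usage (assumed paths; key data on the stick is whatever the server printed):
#   add_known_host "server1,192.0.2.10" /media/usb/server1/ssh_host_ed25519_key.pub
#   add_known_host "server2"            /media/usb/server2/ssh_host_ed25519_key.pub
#   ssh -o StrictHostKeyChecking=yes server1
# Putting "StrictHostKeyChecking yes" in ~/.ssh/config makes it the default.
```

The same verification applies in reverse for user keys: authorized_keys on the server should likewise be filled from the stick, not pasted over a session whose host key was accepted blindly.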

