LinuxQuestions.org - Linux - Security

Could you advise some useful tools for penetration testing? (https://www.linuxquestions.org/questions/linux-security-4/could-you-advise-some-useful-tools-for-penetration-testing-4175655693/)

RyanTmps 06-14-2019 06:47 AM

Could you advise some useful tools for penetration testing?
 
I need to conduct stress testing of the system. What useful tools could you advise?

TenTenths 06-14-2019 07:24 AM

Stress testing and penetration testing are totally different things.

What's your actual requirement?

sevendogsbsd 06-14-2019 07:25 AM

Stress testing and pen testing are 2 completely different things. Which are you doing? Stress testing involves putting a heavy load on the system and seeing how it operates. Pen testing is breaking into the system or finding vulnerabilities manually.

RyanTmps 06-14-2019 08:41 AM

Quote:

Originally Posted by sevendogsbsd (Post 6005188)
Stress testing and pen testing are 2 completely different things. Which are you doing? Stress testing involves putting a heavy load on the system and seeing how it operates. Pen testing is breaking into the system or finding vulnerabilities manually.

I need to test a product's information security. I have already gathered information, analyzed vulnerabilities, and now I need to conduct stress testing.

ugjka 06-14-2019 08:56 AM

This is very vague and ambiguous. Is it a web server that you need to secure and stress test?

sevendogsbsd 06-14-2019 09:00 AM

Stress testing has nothing to do with security, other than an application's ability to withstand a DDoS or DoS attack. Any application on the Internet better have some sort of network infrastructure in place like a firewall, load balancer, reverse proxy, etc., that can withstand a DDoS or DoS. A determined attack will almost always succeed however, regardless of the infrastructure in place.

You can start by researching tools that can perform DDoS or DoS attacks but be careful: some of them are illegal to use outside of a controlled environment.

If you want to stress test an application for large numbers of users logging in and using the application, this requires specialized software but still has nothing to do with security.

RyanTmps 06-14-2019 09:16 AM

Quote:

Originally Posted by ugjka (Post 6005217)
This is very vague and ambiguous. Is it a web server that you need to secure and stress test?

I need to do it for improving product security. My main goal is to find weak spots of our product. I know that it sounds vague and maybe even suspicious, but I need it only for research purposes.

sevendogsbsd 06-14-2019 09:24 AM

As mentioned before, stress testing an application has nothing to do with application security, other than continuity of operations. Your statement doesn't sound suspicious but it is not descriptive enough to provide assistance because you need to provide more information: are you trying to harden a web server against a DDoS or DoS attack? Ugjka asked this but your response doesn't help us help you.

Is your application a web application or client/server? You already stated "I have already gathered information, analyzed vulnerabilities, and now I need to conduct stress testing". As I mentioned more than once, "stress testing" as I know it, is load testing and requires specialized software that again, has nothing to do with security.

Perhaps you can revise your post title? The title "Could you advise some useful tools for penetration testing?" is misleading because you have apparently already tested for vulnerabilities. Pen testing is not stress testing.

RyanTmps 06-14-2019 09:35 AM

Quote:

Originally Posted by sevendogsbsd (Post 6005233)
As mentioned before, stress testing an application has nothing to do with application security, other than continuity of operations. Your statement doesn't sound suspicious but it is not descriptive enough to provide assistance because you need to provide more information: are you trying to harden a web server against a DDoS or DoS attack? Ugjka asked this but your response doesn't help us help you.

Is your application a web application or client/server? You already stated "I have already gathered information, analyzed vulnerabilities, and now I need to conduct stress testing". As I mentioned more than once, "stress testing" as I know it, is load testing and requires specialized software that again, has nothing to do with security.

Perhaps you can revise your post title? The title "Could you advise some useful tools for penetration testing?" is misleading because you have apparently already tested for vulnerabilities. Pen testing is not stress testing.

Yep, I'm trying to harden a web server against a DDoS or DoS attack.

TB0ne 06-14-2019 09:46 AM

Quote:

Originally Posted by RyanTmps (Post 6005237)
Yep, I'm trying to harden a web server against a DDoS or DoS attack.

This is like asking, "How high is up?"

What's your budget? Exposure? Number of users? Hardware/software you have in place already? Growth rates? Running a single server with the database and web server on it is far different than having a cluster for both database and web services, with load balancing etc. One can be brought down far easier than the other. And you do know there are services like Cloudflare that specifically do this, right? You can also purchase in-house appliances that do this as well...there are far too many variables to guess at.

Security is a journey, not a destination. You will NEVER reach it; what works today probably won't be too effective in a year.

sevendogsbsd 06-14-2019 09:47 AM

OK, that's better. So, make sure the web server is protected by a firewall as an absolute minimum. If the firewall can sense a DoS attack and drop traffic, obviously configure it to do so. I am not a network engineer so perhaps other folks can advise in that regard. Your web server should also be configurable to limit incoming connections and sessions. Search the web for configuration help to limit DoS attacks against a web server, for your particular brand of web server. For example, here is one for Apache: https://geekflare.com/apache-web-ser...ning-security/. I have not evaluated that guide, other than a quick scan.

Keep in mind that a determined attacker will always succeed with a DoS or DDoS. Large corporations with billion dollar budgets get DoS'd. Do what you can to harden your server(s) via configuration and network devices and hope for the best.

TenTenths 06-14-2019 09:53 AM

For true DDoS mitigation you will find it very difficult to do purely in-house.

The reason being that the volume of traffic is already coming down / clogging your pipe before you can decide if it's good or bad.

Now you can mitigate some of it (such as SlowLoris attacks) with on-prem appliances but in general you'll need to engage the services of someone like Cloudflare or Imperva/Incapsula to do your traffic "cleaning" for you.

Expect to spend between a lot and helluva-lot per month for this.
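The two on-prem controls mentioned in this thread, a per-client connection limit on the web server or firewall (sevendogsbsd's post) and catching slow-header connections such as Slowloris (TenTenths' post), can both be expressed as simple checks over connection records. The following is an added example, not code from the thread or from any appliance or web server; the connection records, client addresses (taken from the documentation ranges) and thresholds are all constructed assumptions chosen to illustrate the checks.

```python
"""Per-client connection checks: burst-rate flooding and slow (incomplete-header) connections.

Added example: the records below are constructed, and the thresholds are
assumptions picked for illustration, not values recommended by the thread.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

HEADER_TIMEOUT_S = 20.0  # assumed: headers must be fully received within 20 s
RATE_WINDOW_S = 10.0     # assumed: sliding window for the per-client rate limit
RATE_LIMIT = 20          # assumed: max new connections per client per window
SLOW_LIMIT = 5           # assumed: concurrent slow connections before flagging


@dataclass
class Conn:
    opened: float                  # seconds since some epoch
    client: str                    # client IP as a string
    headers_done: Optional[float]  # when request line + headers finished, None if never


def flood_clients(conns: Iterable[Conn], window: float = RATE_WINDOW_S,
                  limit: int = RATE_LIMIT) -> Set[str]:
    """Clients that opened more than `limit` connections inside any `window` seconds."""
    flagged: Set[str] = set()
    recent: Dict[str, deque] = defaultdict(deque)
    for c in sorted(conns, key=lambda c: c.opened):
        q = recent[c.client]
        q.append(c.opened)
        # drop timestamps that fell out of the sliding window
        while q and c.opened - q[0] > window:
            q.popleft()
        if len(q) > limit:
            flagged.add(c.client)
    return flagged


def slow_clients(conns: Iterable[Conn], now: float,
                 header_timeout: float = HEADER_TIMEOUT_S,
                 limit: int = SLOW_LIMIT) -> Set[str]:
    """Clients holding at least `limit` connections whose headers did not arrive in time.

    A connection counts as slow if its headers completed after the deadline, or
    never completed and the deadline has already passed as of `now`.
    """
    slow: Dict[str, int] = defaultdict(int)
    for c in conns:
        deadline = c.opened + header_timeout
        if c.headers_done is None:
            if now > deadline:
                slow[c.client] += 1
        elif c.headers_done > deadline:
            slow[c.client] += 1
    return {ip for ip, n in slow.items() if n >= limit}


def summarize(conns: List[Conn], now: float) -> Dict[str, List[str]]:
    """Map each flagged client to the reasons it was flagged."""
    reasons: Dict[str, List[str]] = defaultdict(list)
    for ip in flood_clients(conns):
        reasons[ip].append("connection-rate")
    for ip in slow_clients(conns, now):
        reasons[ip].append("slow-headers")
    return dict(reasons)


def build_sample() -> List[Conn]:
    """Constructed records: one normal client, one bursty client, one slow-header client."""
    sample: List[Conn] = []
    # normal browser-like client: three connections, headers arrive promptly
    for i in range(3):
        t = 5.0 * i
        sample.append(Conn(opened=t, client="203.0.113.5", headers_done=t + 0.1))
    # bursty client: thirty connections inside three seconds
    for i in range(30):
        t = 0.1 * i
        sample.append(Conn(opened=t, client="198.51.100.7", headers_done=t + 0.05))
    # slow client: six connections opened at once, headers never completed
    for _ in range(6):
        sample.append(Conn(opened=0.0, client="192.0.2.9", headers_done=None))
    return sample


if __name__ == "__main__":
    for ip, why in summarize(build_sample(), now=60.0).items():
        print(ip, ", ".join(why))
```

The rate check is what a firewall or web-server connection limit enforces per source; the slow-header check is the kind of deadline a request-read timeout applies, which is why it helps against Slowloris-style connections but does nothing for a volumetric flood that saturates the link before the server sees it, the point TenTenths makes above.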

frankbell 06-14-2019 07:04 PM

I agree with TenTenths regarding DDoS attacks. A DDoS attack is designed to overwhelm your website with attempts to connect. There's not much you can do from inside your house, figuratively speaking, to keep a crowd of outsiders from knocking on it.

As regards pentesting, you may find this tutorial from Linux Voice (now part of Linux Magazine) informative: https://www.linuxvoice.com/hacking-a-beginners-guide/

Jan K. 06-15-2019 06:08 AM

Is there a reason Lynis isn't being mentioned here?

To me it sounds like what OP is looking for... https://cisofy.com/lynis/

RickDeckard 06-18-2019 10:50 AM

Quote:

Originally Posted by Jan K. (Post 6005556)
Is there a reason Lynis isn't being mentioned here?

To me it sounds like what OP is looking for... https://cisofy.com/lynis/

Lynis is only a vulnerability scanner best run from a local host. It doesn't stress test.

I'm sure the OP is well aware that his own test could cause a DoS condition. If he has the budget to spend on hardware, perhaps a web app firewall?

Pen testing is more of a red teaming thing rather than blue which is likely where he sits.
