LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-14-2019, 06:47 AM   #1
RyanTmps
LQ Newbie
 
Registered: Jun 2019
Location: Dover, Delaware
Posts: 5

Rep: Reputation: Disabled
Could you advise some useful tools for penetration testing?


I need to conduct stress testing of the system. What useful tools could you advise?
 
Old 06-14-2019, 07:24 AM   #2
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 2,899

Rep: Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174
Stress testing and penetration testing are totally different things.

What's your actual requirement?
 
2 members found this post helpful.
Old 06-14-2019, 07:25 AM   #3
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD, OpenSUSE
Posts: 968

Rep: Reputation: Disabled
Stress testing and pen testing are 2 completely different things. Which are you doing? Stress testing involves putting a heavy load on the system and seeing how it operates. Pen testing is breaking into the system or finding vulnerabilities manually.
 
2 members found this post helpful.
Old 06-14-2019, 08:41 AM   #4
RyanTmps
LQ Newbie
 
Registered: Jun 2019
Location: Dover, Delaware
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by sevendogsbsd View Post
Stress testing and pen testing are 2 completely different things. Which are you doing? Stress testing involves putting a heavy load on the system and seeing how it operates. Pen testing is breaking into the system or finding vulnerabilities manually.
I need to test a productís information security. I have already gathered information, analyzed vulnerabilities, and now I need to conduct stress testing.
 
Old 06-14-2019, 08:56 AM   #5
ugjka
Member
 
Registered: May 2015
Location: Latvia
Distribution: Arch, Centos
Posts: 355
Blog Entries: 5

Rep: Reputation: 250Reputation: 250Reputation: 250
This is very vague and ambiguous. Is it a web server that you need to secure and stress test?
 
Old 06-14-2019, 09:00 AM   #6
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD, OpenSUSE
Posts: 968

Rep: Reputation: Disabled
Stress testing has nothing to do with security, other than an application's ability to withstand a DDoS or DoS attack. Any application on the Internet better have some sort of network infrastructure in place like a firewall, load balancer, reverse proxy, etc, that can withstand a DDoS or Dos. A determined attack will almost always succeed however, regardless of the infrastructure in place.

You can start by researching tools that can perform DDoS or DoS attacks but be careful: some of them are illegal to use outside of a controlled environment.

If you want to stress test an application for large numbers of users logging in and using the application, this requires specialized software but still has nothing to do with security.
 
Old 06-14-2019, 09:16 AM   #7
RyanTmps
LQ Newbie
 
Registered: Jun 2019
Location: Dover, Delaware
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ugjka View Post
This is very vague and ambiguous. Is it a web server that you need to secure and stress test?
I need to do it for improving product security. My main goal is to find weak spots of our product. I know that it sounds vague and maybe even suspicious, but I need it only for research purposes.
 
Old 06-14-2019, 09:24 AM   #8
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD, OpenSUSE
Posts: 968

Rep: Reputation: Disabled
As mentioned before, stress testing an application has nothing to do with application security, other than continuity of operations. Your statement doesn't sound suspicious but it is not descriptive enough to provide assistance because you need to provide more information: are you trying to harden a web server against a DDoS or Dos attack? Ugjka asked this but your response doesn't help us help you.

Is your application a web application or client/server? You already stated "I have already gathered information, analyzed vulnerabilities, and now I need to conduct stress testing". As I mentioned more than once, "stress testing" as I know it, is load testing and requires specialized software that again, has nothing to do with security.

Perhaps you can revise your post title? The title "Could you advise some useful tools for penetration testing?" is misleading because you have apparently already tested for vulnerabilities. Pen testing is not stress testing.
 
Old 06-14-2019, 09:35 AM   #9
RyanTmps
LQ Newbie
 
Registered: Jun 2019
Location: Dover, Delaware
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by sevendogsbsd View Post
As mentioned before, stress testing an application has nothing to do with application security, other than continuity of operations. Your statement doesn't sound suspicious but it is not descriptive enough to provide assistance because you need to provide more information: are you trying to harden a web server against a DDoS or Dos attack? Ugjka asked this but your response doesn't help us help you.

Is your application a web application or client/server? You already stated "I have already gathered information, analyzed vulnerabilities, and now I need to conduct stress testing". As I mentioned more than once, "stress testing" as I know it, is load testing and requires specialized software that again, has nothing to do with security.

Perhaps you can revise your post title? The title "Could you advise some useful tools for penetration testing?" is misleading because you have apparently already tested for vulnerabilities. Pen testing is not stress testing.
Yep, I`m trying to harden a web server against a DDoS or Dos attack
 
Old 06-14-2019, 09:46 AM   #10
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 21,562

Rep: Reputation: 5678Reputation: 5678Reputation: 5678Reputation: 5678Reputation: 5678Reputation: 5678Reputation: 5678Reputation: 5678Reputation: 5678Reputation: 5678Reputation: 5678
Quote:
Originally Posted by RyanTmps View Post
Yep, I`m trying to harden a web server against a DDoS or Dos attack
This is like asking, "How high is up?"

What's your budget? Exposure? Number of users? Hardware/software you have in place already? Growth rates? Running a single server with the database and web server on it is far different than having a cluster for both database and web services, with load balancing etc. One can be brought down far easier than the other. And you do know there are services like Cloudflare that specifically do this, right? You can also purchase in-house appliances that do this as well...there are far too many variables to guess at.

Security is a journey, not a destination. You will NEVER reach it; what works today probably won't be too effective in a year.
 
2 members found this post helpful.
Old 06-14-2019, 09:47 AM   #11
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD, OpenSUSE
Posts: 968

Rep: Reputation: Disabled
OK, that's better. So, make sure the web server is protected by a firewall as an absolute minimum. If the firewall can sense a DoS attack and drop traffic, obviously configure it to do so. I am not a network engineer so perhaps other folks can advise in that regard. Your web server should be able to also be configured to limit incoming connections and sessions. Search the web for configuration help to limit DoS attacks against a web server, for your particular brand of web server. For example, here is one for Apache: https://geekflare.com/apache-web-ser...ning-security/. I have not evaluated that guide, other than a quick scan.

Keep in mind that a determined attacker will always succeed with a DoS or DDoS. Large corporations with billion dollar budgets get DoS'd. Do what you can to harden your server(s) via configuration and network devices and hope for the best.
 
1 members found this post helpful.
Old 06-14-2019, 09:53 AM   #12
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 2,899

Rep: Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174Reputation: 1174
For true DDoS mitigation you will find it very difficult to do purely in-house.

The reason being that the volume of traffic is already coming down / clogging your pipe before you can decide if it's good or bad.

Now you can mitigate some of it (such as SlowLoris attacks) with on-prem appliances but in general you'll need to engage the services of someone like Cloudflare or Imperva/Incapsula to do your traffic "cleaning" for you.

Expect to spend between a lot and helluva-lot per month for this.
 
2 members found this post helpful.
Old 06-14-2019, 07:04 PM   #13
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 15,070
Blog Entries: 25

Rep: Reputation: 4263Reputation: 4263Reputation: 4263Reputation: 4263Reputation: 4263Reputation: 4263Reputation: 4263Reputation: 4263Reputation: 4263Reputation: 4263Reputation: 4263
I agree with TenTenths regarding DDoS attacks. A DDoS attack is designed to overwhelm your website with attempts to connect. There's not much you can do form inside your house, figuratively speaking, to keep a crowd of outsiders from knocking on it.

As regards pentesting, you may find this tutorial from Linux Voice (now part of Linux Magazine) informative: https://www.linuxvoice.com/hacking-a-beginners-guide/

Last edited by frankbell; 06-14-2019 at 07:05 PM.
 
1 members found this post helpful.
Old 06-15-2019, 06:08 AM   #14
Jan K.
LQ Newbie
 
Registered: Apr 2019
Location: Esbjerg
Posts: 24

Rep: Reputation: 6
Is there a reason Lynis isn't being mentioned here?

To me it sounds like what OP is looking for... https://cisofy.com/lynis/
 
Old 06-18-2019, 10:50 AM   #15
RickDeckard
Member
 
Registered: Jan 2014
Location: Acworth, Georgia, USA
Distribution: Arch Hardened, Ubuntu 18.04, Fedora 30
Posts: 154

Rep: Reputation: Disabled
Quote:
Originally Posted by Jan K. View Post
Is there a reason Lynis isn't being mentioned here?

To me it sounds like what OP is looking for... https://cisofy.com/lynis/
Lynis is only a vulnerability scanner best run from a local host. It doesn't stress test.

I'm sure the OP is well aware that his own test could cause a DoS condition. If he has the budget to spend on hardware, perhaps a web app firewall?

Pen testing is more of a red teaming thing rather than blue which is likely where he sits.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: New BlackArch Linux ISO Lands with Over 1,500 Penetration Testing, Hacking Tools LXer Syndicated Linux News 0 08-20-2016 03:42 AM
LXer: BlackArch Linux Now Provides over 1,400 Penetration Testing Tools, New ISO Lands LXer Syndicated Linux News 0 05-01-2016 05:21 PM
LXer: BlackArch Linux Provides Over 1330 Penetration Testing Tools, New ISOs Out Now LXer Syndicated Linux News 0 01-12-2016 03:30 AM
LXer: 8 penetration testing tools that will do the job LXer Syndicated Linux News 0 07-09-2015 05:51 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:43 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration