LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-30-2007, 11:04 AM   #1
hitest
Guru
 
Registered: Mar 2004
Location: Canada
Distribution: Slackware (desktops), Void (thinkpad)
Posts: 7,432

Rep: Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849
Smile Security question


I'm currently using rkhunter and chkrootkit to scan my Debian Etch box for rootkits.
Can anyone please recommend another Debian command line security application that you use?
Thank you for any and all replies.

hitest
 
Old 06-30-2007, 11:33 AM   #2
{BBI}Nexus{BBI}
Senior Member
 
Registered: Jan 2005
Location: Nottingham, UK
Distribution: Mageia 6, KDE Neon
Posts: 4,313

Rep: Reputation: 212Reputation: 212Reputation: 212
Quote:
Originally Posted by hitest
I'm currently using rkhunter and chkrootkit to scan my Debian Etch box for rootkits.
Can anyone please recommend another Debian command line security application that you use?
Thank you for any and all replies.

hitest
Tripwire is a nice security addition: http://www.tripwire.com/products/enterprise/ost/
 
Old 06-30-2007, 11:49 AM   #3
hitest
Guru
 
Registered: Mar 2004
Location: Canada
Distribution: Slackware (desktops), Void (thinkpad)
Posts: 7,432

Original Poster
Rep: Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849
Smile

Quote:
Originally Posted by {BBI}Nexus{BBI}
Tripwire is a nice security addition: http://www.tripwire.com/products/enterprise/ost/
Thank you, much appreciated. Scanning with tripwire now.
 
Old 06-30-2007, 11:56 AM   #4
Daws
Member
 
Registered: May 2006
Location: UK
Distribution: Debian
Posts: 447

Rep: Reputation: 39
The harden packages are worth a look:

harden - Makes your system hardened
harden-clients - Avoid clients that are known to be insecure
harden-development - Development tools for creating more secure programs
harden-doc - Useful documentation to secure a Debian system
harden-environment - Hardened system environment
harden-nids - Harden a system by using a network intrusion detection system
harden-remoteaudit - Audit your remote systems from this host
harden-servers - Avoid servers that are known to be insecure
harden-surveillance - Check services and/or servers automatically
harden-tools - Tools to enhance or analyze the security of the local system
 
Old 06-30-2007, 12:12 PM   #5
hitest
Guru
 
Registered: Mar 2004
Location: Canada
Distribution: Slackware (desktops), Void (thinkpad)
Posts: 7,432

Original Poster
Rep: Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849
Thanks, Daws:-)
 
Old 07-01-2007, 12:25 PM   #6
hitest
Guru
 
Registered: Mar 2004
Location: Canada
Distribution: Slackware (desktops), Void (thinkpad)
Posts: 7,432

Original Poster
Rep: Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849
I ran rkhunter on my Debian box and it showed no evidence of rootkit activity.
When I ran chkrootkit I received the following result.

http://i34.photobucket.com/albums/d1...st/sniffer.jpg

Near the bottom of the screenshot it shows that lo is not promiscuous, but it also says something about a PACKET SNIFFER.
What do you think? I'm a bit confused by the scan result.
Thank you for any and all replies:-)
 
Old 07-01-2007, 05:31 PM   #7
makuyl
Senior Member
 
Registered: Dec 2004
Location: Helsinki
Distribution: Debian Sid
Posts: 1,107

Rep: Reputation: 54
Quote:
Originally Posted by hitest
I ran rkhunter on my Debian box and it showed no evidence of rootkit activity.
When I ran chkrootkit I received the following result.

http://i34.photobucket.com/albums/d1...st/sniffer.jpg

Near the bottom of the screenshot it shows that lo is not promiscuous, but it also says something about a PACKET SNIFFER. If your nic was in promiscuous mode it might mean that a sniffer is present. It's not.
What do you think? I'm a bit confused by the scan result.
Thank you for any and all replies:-)
If your nic was in promiscuous mode it might mean that a sniffer is present. It's not. http://en.wikipedia.org/wiki/Promiscuous_mode
The dhcp client often gives a false positive. Nothing to worry about that either. If you want, you can check the md5sum of its binary. If this is a home desktop behind a router you might as well setup a static IP for it and disable dhcp. This would speed up your boot time as well. Something like :
Code:
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
# automatically added when upgrading
auto lo
iface lo inet loopback


#iface eth0 inet dhcp
auto eth0
iface eth0 inet static
       address 192.168.1.3
       netmask 255.255.255.0
       network 192.168.1.0
       broadcast 192.168.1.255
       gateway 192.168.1.1
 
Old 07-01-2007, 05:55 PM   #8
hitest
Guru
 
Registered: Mar 2004
Location: Canada
Distribution: Slackware (desktops), Void (thinkpad)
Posts: 7,432

Original Poster
Rep: Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849Reputation: 3849
Quote:
Originally Posted by makuyl
If your nic was in promiscuous mode it might mean that a sniffer is present. It's not. http://en.wikipedia.org/wiki/Promiscuous_mode
The dhcp client often gives a false positive. Nothing to worry about that either. If you want, you can check the md5sum of its binary. If this is a home desktop behind a router you might as well setup a static IP for it and disable dhcp. This would speed up your boot time as well. Something like :
Code:
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
# automatically added when upgrading
auto lo
iface lo inet loopback


#iface eth0 inet dhcp
auto eth0
iface eth0 inet static
       address 192.168.1.3
       netmask 255.255.255.0
       network 192.168.1.0
       broadcast 192.168.1.255
       gateway 192.168.1.1
Thank you makuyl, I appreciate the reply! I was getting ready to format this puppy and put Lenny on it:-) I'm very happy with Etch. This unit is sitting behind a router so I think it is relatively secure.
Your explanation makes sense to me as it does say that the NIC is not in promiscuous mode. Good to know I haven't been hacked.
Thanks, again:-)

Last edited by hitest; 07-01-2007 at 06:02 PM.
 
Old 07-02-2007, 09:35 AM   #9
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

Rep: Reputation: 475Reputation: 475Reputation: 475Reputation: 475Reputation: 475
Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Security question thisObject Linux - Software 14 06-25-2007 12:45 PM
security question computer Linux - Newbie 2 08-18-2006 03:53 PM
Security Question (TPM) Croaker Linux - Security 8 01-29-2006 05:08 AM
Security question {newbie question} Radio Linux - Security 3 05-17-2002 07:32 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:53 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration