Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
06-30-2007, 11:04 AM
|
#1
|
Guru
Registered: Mar 2004
Location: Canada
Distribution: Slackware (desktops), Void (thinkpad)
Posts: 7,432
|
Security question
I'm currently using rkhunter and chkrootkit to scan my Debian Etch box for rootkits.
Can anyone please recommend another Debian command line security application that you use?
Thank you for any and all replies.
hitest
|
|
|
06-30-2007, 11:33 AM
|
#2
|
Senior Member
Registered: Jan 2005
Location: Nottingham, UK
Distribution: Mageia 6, KDE Neon
Posts: 4,313
|
Quote:
Originally Posted by hitest
I'm currently using rkhunter and chkrootkit to scan my Debian Etch box for rootkits.
Can anyone please recommend another Debian command line security application that you use?
Thank you for any and all replies.
hitest
|
Tripwire is a nice security addition: http://www.tripwire.com/products/enterprise/ost/
|
|
|
06-30-2007, 11:49 AM
|
#3
|
Guru
Registered: Mar 2004
Location: Canada
Distribution: Slackware (desktops), Void (thinkpad)
Posts: 7,432
Original Poster
|
Quote:
Originally Posted by {BBI}Nexus{BBI}
|
Thank you, much appreciated. Scanning with tripwire now.
|
|
|
06-30-2007, 11:56 AM
|
#4
|
Member
Registered: May 2006
Location: UK
Distribution: Debian
Posts: 447
Rep:
|
The harden packages are worth a look:
harden - Makes your system hardened
harden-clients - Avoid clients that are known to be insecure
harden-development - Development tools for creating more secure programs
harden-doc - Useful documentation to secure a Debian system
harden-environment - Hardened system environment
harden-nids - Harden a system by using a network intrusion detection system
harden-remoteaudit - Audit your remote systems from this host
harden-servers - Avoid servers that are known to be insecure
harden-surveillance - Check services and/or servers automatically
harden-tools - Tools to enhance or analyze the security of the local system
|
|
|
06-30-2007, 12:12 PM
|
#5
|
Guru
Registered: Mar 2004
Location: Canada
Distribution: Slackware (desktops), Void (thinkpad)
Posts: 7,432
Original Poster
|
Thanks, Daws:-)
|
|
|
07-01-2007, 12:25 PM
|
#6
|
Guru
Registered: Mar 2004
Location: Canada
Distribution: Slackware (desktops), Void (thinkpad)
Posts: 7,432
Original Poster
|
I ran rkhunter on my Debian box and it showed no evidence of rootkit activity.
When I ran chkrootkit I received the following result.
http://i34.photobucket.com/albums/d1...st/sniffer.jpg
Near the bottom of the screenshot it shows that lo is not promiscuous, but it also says something about a PACKET SNIFFER.
What do you think? I'm a bit confused by the scan result.
Thank you for any and all replies:-)
|
|
|
07-01-2007, 05:31 PM
|
#7
|
Senior Member
Registered: Dec 2004
Location: Helsinki
Distribution: Debian Sid
Posts: 1,107
Rep:
|
Quote:
Originally Posted by hitest
I ran rkhunter on my Debian box and it showed no evidence of rootkit activity.
When I ran chkrootkit I received the following result.
http://i34.photobucket.com/albums/d1...st/sniffer.jpg
Near the bottom of the screenshot it shows that lo is not promiscuous, but it also says something about a PACKET SNIFFER. If your nic was in promiscuous mode it might mean that a sniffer is present. It's not.
What do you think? I'm a bit confused by the scan result.
Thank you for any and all replies:-)
|
If your nic was in promiscuous mode it might mean that a sniffer is present. It's not. http://en.wikipedia.org/wiki/Promiscuous_mode
The dhcp client often gives a false positive. Nothing to worry about that either. If you want, you can check the md5sum of its binary. If this is a home desktop behind a router you might as well set up a static IP for it and disable dhcp. This would speed up your boot time as well. Something like:
Code:
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
# The loopback interface
# automatically added when upgrading
auto lo
iface lo inet loopback
#iface eth0 inet dhcp
auto eth0
iface eth0 inet static
    address 192.168.1.3
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
|
|
|
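The two checks makuyl describes above (is any interface really promiscuous, and does the DHCP client binary still match its packaged checksum), as an added shell example that is not part of the thread. Function names and the sample tree are assumptions; on a Debian host the real inputs would be /sys/class/net and the client package's /var/lib/dpkg/info/<package>.md5sums list.

```shell
#!/bin/sh
# Added example, not from the thread; function names and sample paths are assumptions.
IFF_PROMISC=256   # 0x100 in <linux/if.h>

# promisc_ifaces [DIR]: print interfaces whose kernel flag word has IFF_PROMISC set.
promisc_ifaces() {
    dir=${1:-/sys/class/net}
    for f in "$dir"/*/flags; do
        [ -r "$f" ] || continue
        flags=$(cat "$f")
        case $flags in 0x*) ;; *) continue ;; esac   # skip anything not hex
        if [ $(( $flags & $IFF_PROMISC )) -ne 0 ]; then
            basename "${f%/flags}"
        fi
    done
}

# md5_matches_db FILE DB [ROOT]: compare FILE's md5 with its entry in a dpkg-style
# list ("<md5>  <path without leading slash>"). 0 = match, 1 = differs, 2 = not listed.
md5_matches_db() {
    file=$1; db=$2; root=${3:-}
    rel=${file#"$root"}; rel=${rel#/}
    want=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$db")
    [ -n "$want" ] || return 2
    have=$(md5sum "$file" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# Constructed demo data (fake sysfs tree, fake package list) so the script runs offline.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/net/lo" "$t/net/eth0" "$t/root/sbin"
    echo 0x9    > "$t/net/lo/flags"     # UP|LOOPBACK
    echo 0x1103 > "$t/net/eth0/flags"   # UP|BROADCAST|PROMISC|MULTICAST
    echo "constructed client binary" > "$t/root/sbin/dhclient-sample"
    ( cd "$t/root" && md5sum sbin/dhclient-sample ) > "$t/sample.md5sums"
    echo "promiscuous: $(promisc_ifaces "$t/net")"
    md5_matches_db "$t/root/sbin/dhclient-sample" "$t/sample.md5sums" "$t/root" \
        && echo "binary matches package list"
    echo "tampered" >> "$t/root/sbin/dhclient-sample"
    md5_matches_db "$t/root/sbin/dhclient-sample" "$t/sample.md5sums" "$t/root" \
        || echo "binary differs from package list"
    rm -rf "$t"
}
demo
```

The package checksum list sits on the same disk as the binary it describes, so a match is only as trustworthy as the host itself; comparing against a copy of the package fetched on another machine is the stronger check.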
07-01-2007, 05:55 PM
|
#8
|
Guru
Registered: Mar 2004
Location: Canada
Distribution: Slackware (desktops), Void (thinkpad)
Posts: 7,432
Original Poster
|
Quote:
Originally Posted by makuyl
If your nic was in promiscuous mode it might mean that a sniffer is present. It's not. http://en.wikipedia.org/wiki/Promiscuous_mode
The dhcp client often gives a false positive. Nothing to worry about that either. If you want, you can check the md5sum of its binary. If this is a home desktop behind a router you might as well set up a static IP for it and disable dhcp. This would speed up your boot time as well. Something like:
Code:
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
# The loopback interface
# automatically added when upgrading
auto lo
iface lo inet loopback
#iface eth0 inet dhcp
auto eth0
iface eth0 inet static
    address 192.168.1.3
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
|
Thank you makuyl, I appreciate the reply! I was getting ready to format this puppy and put Lenny on it:-) I'm very happy with Etch. This unit is sitting behind a router so I think it is relatively secure.
Your explanation makes sense to me as it does say that the NIC is not in promiscuous mode. Good to know I haven't been hacked.
Thanks, again:-)
Last edited by hitest; 07-01-2007 at 06:02 PM.
|
|
|
07-02-2007, 09:35 AM
|
#9
|
Moderator
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
|
Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.
|
|
|