Difference between revisions of "Linux applications"
From Gender and Tech Resources
Revision as of 20:44, 13 July 2015
Contents
- 1 Installing applications
- 2 Stealth install of applications
- 3 Security applications
Installing applications
Stealth install of applications
- Launch Synaptic on the off-line computer you wish to install software packages on.
- Mark the packages you wish to install.
- Choose File-> Generate package download script.
- Save the script to your USB stick.
- Take the USB stick to an online Linux computer and run the script from the USB stick. It downloads only the packages (and missing dependencies) that the offline computer's own package index selected, onto the USB stick.
- Insert the USB stick into the offline computer.
- Launch Synaptic and click on File-> Add downloaded packages
- Select the directory on your USB stick containing the downloaded *.deb files and click Open. The packages will be installed.
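The same procedure from the command line, as an added example that is not part of the original page: `apt-get --print-uris` emits, for every file the offline machine would fetch, the URL, file name, size and the digest recorded in that machine's own signed package index, so the `.deb` files carried over on the stick can be checked against a digest that never left the offline machine before `dpkg` installs them (the step the Synaptic flow leaves implicit). The script assumes a Debian-family system whose index was updated before it went offline, GNU coreutils, `wget` on the online machine, and the `SHA256:`/`MD5Sum:` digest labels that apt prints; package names and paths are placeholders.

```shell
#!/bin/sh
# Added example: command-line version of the Synaptic offline-install flow, with an
# explicit integrity check of the .deb files carried over on the USB stick.
# Assumptions (not from the wiki page): the offline machine's package index is current
# and signed (apt-get update ran before it went offline); `apt-get --print-uris` prints
# one line per file as   'URL' filename size SHA256:hex   (older apt: MD5Sum:hex).

# Step 1, offline machine: record what apt would download for the wanted packages.
# Usage: gen_download_list /media/usb/pkglist.txt rkhunter chkrootkit
gen_download_list() {   # gen_download_list LISTFILE PACKAGE...
    out=$1; shift
    apt-get install -y --print-uris "$@" | grep "^'" > "$out"
}

# Step 2, online machine: fetch exactly those files into a directory on the stick.
fetch_debs() {   # fetch_debs LISTFILE DIR
    list=$1; dir=$2
    mkdir -p "$dir" || return 1
    # Field 1 is the single-quoted URL; strip the quotes and download.
    awk -F"'" '{print $2}' "$list" | while read -r url; do
        wget -q -P "$dir" "$url" || exit 1
    done
}

# Step 3, offline machine, before installing: compare each file against the digest
# the offline machine's own index promised. Returns 0 only if every file matches,
# 2 if the list is empty or uses a digest type this script does not know.
verify_debs() {   # verify_debs LISTFILE DIR
    list=$1; dir=$2
    sums=$(mktemp) || return 1
    tool=""
    while read -r _url file _size digest; do
        case $digest in
            SHA256:*) tool=sha256sum ;;
            MD5Sum:*) tool=md5sum ;;    # legacy apt: weak, but it is what that index carries
            *) rm -f "$sums"; return 2 ;;
        esac
        # checksum-file format expected by sha256sum/md5sum -c: "<hex>  <path>"
        printf '%s  %s/%s\n' "${digest#*:}" "$dir" "$file" >> "$sums"
    done < "$list"
    if [ -z "$tool" ]; then rm -f "$sums"; return 2; fi
    "$tool" -c --quiet "$sums"
    rc=$?
    rm -f "$sums"
    return $rc
}

# Step 4, offline machine: install only after verification succeeded; apt-get -f
# then sorts out ordering between the freshly unpacked packages.
install_debs() {   # install_debs LISTFILE DIR
    verify_debs "$1" "$2" || { echo "digest mismatch: refusing to install" >&2; return 1; }
    dpkg -i "$2"/*.deb && apt-get install -f -y
}
```

A stick that fails `verify_debs` should be treated as untrusted: either the download was incomplete or the files were replaced in transit, and in both cases the right response is to fetch again rather than install what is there.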
Security applications
Anti-Malware
rkhunter
Rootkit Hunter (GNU GPL) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. Specifically, rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications. rkhunter has been written to be as generic as possible, and so should run on most Linux and UNIX systems. It is provided with some support scripts should certain commands be missing from the system, and some of these are Perl scripts.
- Website: http://rkhunter.sourceforge.net/
- FAQ: http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/FAQ
- Mailing list: http://sourceforge.net/p/rkhunter/mailman/
- Available from repository. Requirements: Bourne Again Shell (Bash) and exim
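The "have commands been modified?" check at the heart of rkhunter (and of AIDE and Tripwire, listed under Intrusion detection below) reduced to its essentials, as an added example rather than rkhunter's own code. It makes the caveat visible: a baseline stored on the host it protects only tells you what an intruder with root chose to leave alone, so the baseline has to be taken on a known-clean system and kept on read-only media or off-host, ideally signed. The script assumes GNU coreutils and a POSIX shell; the directories in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example (not rkhunter's code): baseline-and-compare file integrity check.
# Digests are sorted bytewise so the baseline is reproducible and comm(1) can diff it.
export LC_ALL=C

# Record the SHA-256 of every regular file under the given directories.
# Usage: make_baseline /media/readonly/baseline.txt /bin /sbin /usr/bin /usr/sbin
make_baseline() {   # make_baseline OUTFILE DIR...
    out=$1; shift
    find "$@" -type f -exec sha256sum {} + | sort > "$out"
}

# Compare the current tree with a baseline. Returns 0 if nothing changed; otherwise
# prints each difference and returns 1. Unlike `sha256sum -c`, this also reports files
# that were added or removed, which is where dropped-in backdoors and deleted logs show.
check_baseline() {   # check_baseline BASELINE DIR...
    base=$1; shift
    now=$(mktemp) || return 1
    find "$@" -type f -exec sha256sum {} + | sort > "$now"
    # comm -3: column 1 = only in the baseline (removed, or old content),
    #          column 2 = only in the current scan (added, or new content), tab-prefixed.
    changed=$(comm -3 "$base" "$now")
    rm -f "$now"
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed" | awk '
        /^\t/ { sub(/^\t/, ""); print "new or modified:      " $2; next }
               { print "missing or modified:  " $2 }'
    return 1
}
```

Run `check_baseline` from a boot medium you trust, not from the possibly compromised system: a rootkit that hooks `open()` or `read()` can hand the scanner the original file contents while executing something else, which is also why rkhunter ships its own copies of some support scripts.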
chkrootkit
chkrootkit (free software) is a tool to locally check for signs of a rootkit. It runs the following tests; the first group looks for rootkit traces (suspicious files, ports opened by bind shells, hidden processes, tampered login records, interfaces in promiscuous mode), the rest check individual system binaries against known trojaned versions: aliens, asp, bindshell, lkm, rexedcs, sniffer, w55808, wted, scalper, slapper, z2, chkutmp, amd, basename, biff, chfn, chsh, cron, crontab, date, du, dirname, echo, egrep, env, find, fingerd, gpm, grep, hdparm, su, ifconfig, inetd, inetdconf, identd, init, killall, ldsopreload, login, ls, lsof, mail, mingetty, netstat, named, passwd, pidof, pop2, pop3, ps, pstree, rpcinfo, rlogind, rshd, slogin, sendmail, sshd, syslogd, tar, tcpd, tcpdump, top, telnetd, timed, traceroute, vdir, w, and write. Because it relies on the system's own commands to do the checking, run it with -p pointing at known-good binaries on read-only media when a compromise is suspected.
- Website: http://www.chkrootkit.org/
- README: http://chkrootkit.org/README
- FAQ: http://chkrootkit.org/faq/
- Available from repository.
Encryption
gnupg
GnuPG (GNU GPL v3+) stands for GNU Privacy Guard and is a tool for secure communication and data storage. The software has two main uses. The first is to encrypt data so that only the intended recipients can read it. The second is to "sign" data so that others can verify it is authentic and unmodified. It includes key management and implements the OpenPGP standard, RFC 4880 (which obsoleted RFC 2440). GnuPG is a command line tool designed for easy integration with other applications. GnuPG 1.x and 2.0 generate DSA and Elgamal keys by default, while newer releases (2.1 onward) default to RSA or elliptic-curve keys; RSA is supported throughout. Symmetric algorithms available are AES (with 128, 192, and 256 bit keys), 3DES, Blowfish, CAST5 and Twofish. Digest algorithms available are MD5, RIPEMD/160, SHA-1, SHA-256, SHA-384, and SHA-512; MD5 and SHA-1 remain for reading old data and should not be chosen for new signatures. Compression algorithms available are ZIP, ZLIB, and BZIP2 (with libbz2 installed).
- Website: https://www.gnupg.org/
- Documentation: https://www.gnupg.org/documentation/index.html (includes guides, FAQ's and mailinglists)
- Available from repository.
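The two uses named above exercised end to end, as an added example that is not taken from GnuPG's documentation: Alice encrypts to Bob and signs, Bob decrypts and checks that the signature really is Alice's. It runs in a throwaway keyring so nothing touches `~/.gnupg`, and it assumes GnuPG 2.1 or later (`--quick-generate-key` and loopback pinentry); the addresses are placeholders and the demo keys carry no passphrase, which is fine for a test and wrong for real keys.

```shell
#!/bin/sh
# Added example, not from GnuPG's documentation: encryption (only Bob can read) and
# signing (Bob can tell it came from Alice) done end to end in a throwaway keyring.
# Assumes GnuPG 2.1+; addresses are placeholders; demo keys have no passphrase.

setup_keyring() {   # creates two keys in a fresh GNUPGHOME; returns 1 on failure
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    for uid in alice@example.invalid bob@example.invalid; do
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$uid" default default never >/dev/null 2>&1 || return 1
    done
}

# Alice encrypts to Bob and signs. Encryption alone proves nothing about the sender:
# anyone holding Bob's public key can encrypt to him. The signature binds it to Alice.
encrypt_and_sign() {   # encrypt_and_sign PLAINTEXT CIPHERTEXT
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --local-user alice@example.invalid --recipient bob@example.invalid \
        --sign --encrypt --output "$2" "$1"
}

# Bob decrypts. A zero exit status is not proof of authorship: an unsigned message also
# decrypts cleanly. So read gpg's machine-readable status lines and accept the message
# only when one of them is a GOODSIG from Alice's user ID.
decrypt_and_verify() {   # decrypt_and_verify CIPHERTEXT PLAINTEXT_OUT
    status=$(gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
                 --status-fd 1 --output "$2" --decrypt "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG .*alice@example.invalid' || return 1
}

cleanup_keyring() {   # stop the agent started for the throwaway keyring and remove it
    gpgconf --kill gpg-agent 2>/dev/null
    [ -n "$GNUPGHOME" ] && rm -rf "$GNUPGHOME"
    return 0
}

# Whole round trip; prints the recovered message and returns 0 only if it verified.
demo() {
    setup_keyring || return 1
    d=$(mktemp -d) || return 1
    printf 'meeting moved to 18:00\n' > "$d/msg.txt"
    encrypt_and_sign "$d/msg.txt" "$d/msg.gpg" &&
        decrypt_and_verify "$d/msg.gpg" "$d/out.txt" && cat "$d/out.txt"
    rc=$?
    rm -rf "$d"; cleanup_keyring
    return $rc
}
```

Scripts that wrap gpg should always parse `--status-fd` output rather than the exit code or the human-readable messages, which change between versions and locales; the status protocol is documented in doc/DETAILS in the GnuPG source.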
mcrypt
mcrypt (GPLv2) is a replacement for the old crypt package and crypt command, with extensions. It allows developers to use a wide range of encryption functions without making drastic changes to their code, and lets users encrypt files or data streams without having to be cryptographers. The companion to mcrypt is libmcrypt, which contains the actual encryption functions and provides a standardized mechanism for accessing them. Neither has been maintained since 2007 and libmcrypt offers no authenticated encryption mode, so it is listed here for reading existing data rather than as a recommendation for new use.
- Website http://mcrypt.sourceforge.net/
- Available from repository.
steghide
steghide (GNU GPL) is a steganography program that is able to hide data in various kinds of image and audio files. Its authors state that the embedding, which uses a graph-theoretic approach, resists colour-frequency based statistical tests; as with any steganography tool there is no guarantee against other detection methods, so the payload is also encrypted: the default cipher is Rijndael (AES) with a 128-bit key in cipher block chaining mode.
- Website: http://steghide.sourceforge.net/
- Documentation: http://steghide.sourceforge.net/documentation.php (english and spanish)
- Manual: http://steghide.sourceforge.net/documentation/manpage.php (english and spanish)
- Mailing lists: http://sourceforge.net/p/steghide/mailman/
- Available from repository. Requirements: libmhash, libmcrypt, libjpeg, zlib
stunnel
Stunnel (GNU GPL v2) is a program that allows you to wrap arbitrary TCP connections in SSL/TLS. It secures daemons and protocols that are not TLS-aware (like POP, IMAP, LDAP, etc.) by having Stunnel provide the encryption, requiring no changes to the daemon's code. Stunnel does not contain any cryptographic code itself; it relies on an external SSL/TLS library (OpenSSL). Two settings decide whether the tunnel protects anything: in client mode stunnel does not check the server's certificate unless the verify (in stunnel 5 also verifyChain) and CAfile options are set, and the broken SSLv2 and SSLv3 protocol versions should be disabled in favour of TLS.
- Website: https://www.stunnel.org/index.html
- Documentation: http://www.stunnel.org/docs.html (english and polish)
- HowTo: http://www.stunnel.org/howto.html (Installation and Authentication)
- FAQ: http://www.stunnel.org/faq.html (Troubleshooting and Applications)
- Available from repository as stunnel4.
veracrypt
VeraCrypt (Apache License 2.0, plus the TrueCrypt License 3.0 for inherited code) is disk encryption software forked from the discontinued TrueCrypt. It greatly increases the iteration counts of the key-derivation function used for system and partition encryption, which slows down brute-force attacks on the password, and fixes security issues and bugs found in TrueCrypt, including findings of the TrueCrypt audit.
- Website: https://veracrypt.codeplex.com/
- Documentation: https://veracrypt.codeplex.com/documentation
ciphershed
CipherShed (will carry an OSI approved license, probably either Apache or BSD) is free (as in free-of-charge and free-speech) encryption software and was started in June 2014 as a response to the end of life announcement for TrueCrypt. As of October 2014 CipherShed source code is hosted at GitHub. CipherShed is a program that can be used to create encrypted files or encrypt entire drives (including USB flash drives and external HDDs). There are no complicated commands or knowledge required; a simple wizard guides you step-by-step through every process. After creating an encrypted file or disk drive, the encrypted volume is mounted through CipherShed. The mounted volume shows up as a regular disk that can be read and written to on-the-fly. The encryption is transparent to the operating system and any programs. When finished, the volume can be unmounted, and stored or transported elsewhere, fully secured. Encrypted volumes can be moved from OS to OS (e.g. Windows to Mac) with full compatibility.
- Website: https://ciphershed.org/
- Forum: https://forum.ciphershed.org/
Firewalls/Network Gateways
Firestarter
Firestarter (GNU General Public License) is an Open Source visual firewall program. The software aims to combine ease of use with powerful features, therefore serving both Linux desktop users and system administrators. You can use the firewall creation wizard to create a basic firewall, then streamline it further using the dynamic rules modifiers. Open and close ports with a few clicks, or stealth your services giving access only to a select few. Watch the real-time hit monitor as attackers probe your machine for open ports, in vain. Firestarter takes full advantage of GNOME but also works in most environments. While it protects both the firewall host itself as well as any client hosts connected to a local network from intrusion attempts, it does not impose restrictions on the services that the protected hosts themselves can access. Its last release dates from 2005 and it is no longer maintained; on current systems prefer gufw/ufw or iptables directly.
- Website: http://www.fs-security.com/
- Documentation http://www.fs-security.com/docs.php
- Mailing list http://www.fs-security.com/list.php
gufw
Gufw (GNU GPL v3) is a graphical front end to ufw, the Uncomplicated Firewall, aimed at users who find firewall configuration intimidating. It has an easy to use interface for setting up inbound and outbound traffic rules for applications, services and ports, and is designed for beginners.
- Website: http://gufw.org/
netfilter
Netfilter (GNU GPL v2) is a framework that provides a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack. Software inside this framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).
- Website: http://www.netfilter.org/
- HOWTOs http://www.netfilter.org/documentation/index.html#documentation-howto
- FAQ http://www.netfilter.org/documentation/index.html#documentation-faq
- Mailing lists http://www.netfilter.org/mailinglists.html
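What a rule's "classifiers plus one target" looks like in practice, as an added example that is not from netfilter.org or from this page: a minimal default-deny INPUT policy in iptables-restore syntax, generated as text so it can be reviewed and parse-checked before it is loaded. In each `-A` line everything before `-j` is a match and `-j` names the single target. It assumes the conntrack and limit matches and the LOG target are available, as on any Debian-family kernel; the port number is a placeholder passed in by the caller.

```shell
#!/bin/sh
# Added example (not from netfilter.org or the page): a default-deny INPUT ruleset
# in iptables-restore syntax. Assumes conntrack, limit and LOG are available.

gen_ruleset() {   # gen_ruleset PORT  -> ruleset on stdout
    port=$1
    cat <<EOF
*filter
# Chain policies: drop inbound and forwarded traffic by default, allow outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is trusted; without this, local clients of DNS caches, databases etc. break.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, plus related traffic such as ICMP errors.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify (malformed, out of window) are dropped early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The single exposed service: new TCP connections to the chosen port only.
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT
# Stay pingable, but rate-limit echo requests so the host is not a flood victim.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# Log a rate-limited sample of everything else, then fall through to the DROP policy.
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Sanity checks on the generated policy, run before loading: the chain policy must be
# DROP and exactly one rule may admit NEW connections.
count_target() {   # count_target PORT TARGET -> number of rules ending in that target
    gen_ruleset "$1" | grep -c -- "-j $2\$"
}
count_new_accepts() {   # count_new_accepts PORT
    gen_ruleset "$1" | grep -c -- '--ctstate NEW -j ACCEPT$'
}
input_policy() {   # input_policy PORT -> DROP or ACCEPT
    gen_ruleset "$1" | awk '$1 == ":INPUT" { print $2 }'
}

# Parse-check without touching the live firewall, then load atomically. Needs root.
load_ruleset() {   # load_ruleset PORT
    f=$(mktemp) || return 1
    gen_ruleset "$1" > "$f"
    iptables-restore --test < "$f" && iptables-restore < "$f"
    rc=$?
    rm -f "$f"
    return $rc
}
```

Loading through `iptables-restore` replaces the whole table in one step, so there is no window in which half the rules are in place; applying the same lines one `iptables -A` at a time would briefly run with a DROP policy and no ACCEPT for established connections, which is how administrators lock themselves out over SSH.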
Intrusion detection
Aide
Tripwire
Snort
Network monitoring
nagios
Nagios is a host and service monitor designed to inform you of network problems. The monitoring daemon runs periodic checks on hosts and services specified using external "plugins" which return status information to Nagios. When problems are encountered, the daemon can send notifications out to administrative contacts in a variety of different ways (email, instant message, SMS, etc.). Current status information, historical logs, and reports can all be accessed via a web browser. Although Nagios is powerful and flexible, it does require some time for it to be installed and configured correctly.
- Website: http://www.nagios.org/
- Documentation: https://www.nagios.org/documentation/
- Debian tutorials: http://www.debianhelp.co.uk/nagios.htm
- Mailinglists: http://sourceforge.net/p/nagios/mailman/
- Available from repository. Requirements: C compiler
tcpdump
Tcpdump is a widely used command-line network debugging tool. It lets the user capture and display TCP/IP and other packets being transmitted or received on a network to which the computer is attached: it can dump the traffic on a network, print the headers of packets on an interface, and filter packets that match a given expression (the BPF filter language, also used by Wireshark's capture filters). You can use it to track down network problems, to detect "ping attacks" (floods of ICMP echo requests) or to monitor network activity. Capturing needs root or the CAP_NET_RAW capability; write captures to a file with -w and analyse them afterwards as an unprivileged user.
- Website: http://www.tcpdump.org/
- Available from repository. Requirements: libpcap
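Filter expressions applied to a capture file, as an added example that is not from this page or the tcpdump project, so the filters can be checked without root and without live traffic. The capture is constructed inline: two Ethernet frames, an ICMP echo request from 10.0.0.1 to 10.0.0.2 and its reply, with valid IP and ICMP checksums, wrapped in a pcap 2.4 header. It assumes tcpdump is installed and a POSIX shell whose printf understands `\ooo` octal escapes.

```shell
#!/bin/sh
# Added example (not from the page or tcpdump): tcpdump filter expressions run against
# a hand-built two-packet capture. Assumes tcpdump and a POSIX shell.

# Hex text (whitespace ignored) to raw bytes, using only POSIX printf.
hex2bin() {
    tr -d ' \t\n' | sed 's/../& /g' | tr ' ' '\n' | while read -r b; do
        [ -n "$b" ] && printf "$(printf '\\%03o' "$((0x$b))")"
    done
}

# pcap 2.4 global header, little-endian, snaplen 65535, link type 1 (Ethernet): 24 bytes.
PCAP_HDR='d4c3b2a1 0200 0400 00000000 00000000 ffff0000 01000000'
# Per-packet record header: ts_sec, ts_usec, captured length 42, original length 42.
REC_HDR='00000000 00000000 2a000000 2a000000'
# Ethernet (dst, src, type 0800) | IPv4 (len 28, id 1, ttl 64, proto 1, cksum, src, dst)
# | ICMP (type, code, cksum, id 1, seq 1). Constructed addresses; checksums are correct.
ECHO_REQ='020000000002 020000000001 0800  4500001c 00010000 4001 66de 0a000001 0a000002  0800 f7fd 0001 0001'
ECHO_REP='020000000001 020000000002 0800  4500001c 00010000 4001 66de 0a000002 0a000001  0000 fffd 0001 0001'

write_capture() {   # write_capture FILE  -> 140-byte pcap holding the two frames
    {
        printf '%s' "$PCAP_HDR" | hex2bin
        printf '%s' "$REC_HDR" | hex2bin; printf '%s' "$ECHO_REQ" | hex2bin
        printf '%s' "$REC_HDR" | hex2bin; printf '%s' "$ECHO_REP" | hex2bin
    } > "$1"
}

# Number of packets in FILE matching a tcpdump filter expression (one output line each).
count_matching() {   # count_matching FILE 'filter expression'
    tcpdump -nr "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Walk through three filters: echo requests only (the "ping attack" case), any ICMP
# from the target, and a TCP filter that matches nothing in this capture.
demo() {
    f=$(mktemp) || return 1
    write_capture "$f"
    for expr in 'icmp[icmptype] = icmp-echo' 'icmp and src host 10.0.0.2' 'tcp port 22'; do
        printf '%-32s %s\n' "$expr" "$(count_matching "$f" "$expr")"
    done
    rm -f "$f"
}
```

The `icmp[icmptype] = icmp-echo` form indexes into the ICMP header by field name; the same byte-offset syntax (`tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn`, `ip[8] < 5`) reaches any header field the named primitives do not cover, which is what makes tcpdump usable for ad hoc detection rules.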
Traffic analysis
Kismet
Kismet (GNU GPL) is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic. Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of nonbeaconing networks via data traffic.
- Website: http://www.kismetwireless.net/
- Documentation: http://www.kismetwireless.net/documentation.shtml
- Forums: http://www.kismetwireless.net/Forum/General/
- Available from repository. Requirements: Libpcap, GPSD, Imagemagick, Expat, GMP. Optional: DBUS
Wireshark
Wireshark (GNU GPL v2) is a network packet analyzer: it captures network packets and displays the packet data in as much detail as possible. A packet analyzer can be regarded as a measuring device for examining what is going on inside a network cable, much as an electrician uses a voltmeter on an electric cable (at a higher level, of course). It is developed and maintained by a global team of protocol experts. It was known as Ethereal until it was renamed Wireshark in May 2006. Its protocol dissectors parse untrusted input and have had many memory-safety bugs, so do not run Wireshark itself as root: let the privilege-separated dumpcap do the capturing (on Debian the wireshark-common package offers to grant it the needed capabilities during dpkg-reconfigure) and run the GUI as an unprivileged user.
- Website: http://www.wireshark.org/
- Documentation: https://www.wireshark.org/docs/
- Available from repository.
Packet crafting
hping
Hping3 (GNU GPL v2) is a command-line oriented TCP/IP packet assembler/analyser. The interface is inspired by the Unix ping command, but hping is not limited to sending ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, can transfer files over a covert channel, and has many other features. hping3 can handle fragmentation and almost arbitrary packet size and content from the command line interface.
- Website: http://www.hping.org/
- Documentation: http://www.hping.org/documentation.php
- Available from repository. Requirements: libpcap, Tcl/Tk (Optional)
scapy
Scapy (GNU GPL v2) is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, etc. It can handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.).
- Website: http://www.secdev.org/projects/scapy/
- Mailinglist: http://news.gmane.org/gmane.comp.security.scapy.general
- Available from repository. Requirements: python.
Port scanning
ipscan
Angry IP Scanner (GNU GPL v2) is an open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports.
- Website: http://angryip.org/
- Documentation: http://angryip.org/documentation/
- FAQ: http://angryip.org/faq/
Vulnerability scanning
tiger
Tiger (GNU GPL) is a security tool that can be used both as a security audit and an intrusion detection system. It is a set of scripts that scan a Un*x system for security problems, in the same fashion as Dan Farmer's COPS. It was originally developed at Texas A&M University to check UNIX systems on campus that wanted to be reachable from off campus (clearance through the packet filter). Unlike other tools, Tiger needs only POSIX tools and is written entirely in shell.
- Website: http://www.nongnu.org/tiger/
- README: http://cvs.savannah.gnu.org/viewvc/*checkout*/tiger/tiger/README?content-type=text%2Fplain&revision=HEAD
- HOWTO: http://cvs.savannah.gnu.org/viewvc/*checkout*/tiger/tiger/USING?content-type=text%2Fplain&revision=HEAD
- Project page: http://savannah.nongnu.org/projects/tiger
- Available from repository.
Log file analysis
tcptrace
tcptrace (GNU GPL) is a tool designed for analysis of TCP dump files. It can tell you detailed information about TCP connections by sifting through dump files. Specifically, tcptrace can produce several different types of output containing information on each connection seen, such as elapsed time, bytes and segments sent and received, retransmissions, round trip times, window advertisements, throughput, and more. It can also produce a number of graphs for further analysis.
- Website: http://www.tcptrace.org/
- Manual: http://www.tcptrace.org/manual.html
- FAQ: http://www.tcptrace.org/faq.html
- Mailinglists: http://www.tcptrace.org/maillist.html
webalizer
The Webalizer (GNU GPL v2) is a fast, free web server log file analysis program. It produces highly detailed, easily configurable usage reports in HTML format, for viewing with a standard web browser. The results are presented in both column and graphical format to ease interpretation. Yearly, monthly, daily and hourly usage statistics are presented, along with the ability to display usage by site, URL, referrer, user agent (browser), search string, entry/exit page, username and country (some information is only available if supported by and present in the log files being processed). Processed data may also be exported to most database and spreadsheet programs that support tab-delimited data formats.
- Website: http://www.webalizer.org/
- FAQ: http://www.webalizer.org/faq.html
- Available from repository. Requirements: GD library, Berkeley DB library