Candidates should be able to receive security alerts from various sources, install, configure and run intrusion detection systems and apply security patches and bugfixes.
Tools and utilities to scan and test ports on a server
Locations and organizations that report security alerts as Bugtraq, CERT, or other sources
Tools and utilities to implement an intrusion detection system (IDS)
Awareness of OpenVAS and Snort
Netcat (nc) is a very versatile network tool. It reads from and writes to network connections using TCP or UDP. Netcat is designed to be a dependable "back-end" tool that can be used directly or easily driven by other programs and scripts, and at the same time it is a feature-rich network debugging and investigation tool. Its features are numerous: netcat can, for instance, be used as a proxy or port forwarder, can use any local source port, or can use loose source routing. It is commonly referred to as the TCP/IP Swiss army knife. Note that several implementations exist (the traditional netcat, the OpenBSD rewrite shipped by most distributions, and Nmap's ncat) and their option sets differ, so check the man page of the one installed on your system.
Some of the major features of netcat are:
Outbound or inbound connections, TCP or UDP, to or from any ports
Full DNS forward/reverse checking, with appropriate warnings
Ability to use any local source port
Ability to use any locally-configured network source address
Built-in port-scanning capabilities, with randomizer
Built-in loose source-routing capability
Can read command line arguments from standard input
Slow-send mode, one line every N seconds
Hex dump of transmitted and received data
Optional ability to let another program service establish connections
Optional telnet-options responder
With the -z option netcat only checks for listening daemons on the ports given on the command line, without sending any data. By default netcat produces no output in this mode. When scanning a single port the exit status indicates the result of the scan, but with multiple ports the exit status is 0 as soon as at least one of the ports is listening, so it does not tell you which ones. For this reason the verbose option (-v) is useful to see the actual results:
# nc -vz localhost 75-85
nc: connect to localhost port 75 (tcp) failed: Connection refused
nc: connect to localhost port 76 (tcp) failed: Connection refused
nc: connect to localhost port 77 (tcp) failed: Connection refused
nc: connect to localhost port 78 (tcp) failed: Connection refused
Connection to localhost 79 port [tcp/finger] succeeded!
Connection to localhost 80 port [tcp/http] succeeded!
nc: connect to localhost port 81 (tcp) failed: Connection refused
nc: connect to localhost port 82 (tcp) failed: Connection refused
nc: connect to localhost port 83 (tcp) failed: Connection refused
nc: connect to localhost port 84 (tcp) failed: Connection refused
nc: connect to localhost port 85 (tcp) failed: Connection refused
The man page of netcat shows some more examples on how to use netcat.
Netcat can easily be used in scripts for a lot of tests you want to run automated.
Fail2ban's main function is to block IP addresses that belong to hosts that may be trying to breach the system's security. It determines these by monitoring log files and bans any host IP that makes too many failed login attempts, or performs any other unwanted action, within a time frame set by the administrator (in Fail2ban terms: more than maxretry matches within findtime). Fail2ban is typically configured to unban a blocked host after a certain period (bantime), so as not to "lock out" genuine connections permanently. An unban time of several minutes is usually sufficient to prevent a network service from being flooded by malicious attempts, as well as to reduce the likelihood of a successful dictionary attack, since the attacker gets only maxretry guesses per ban period.
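To make the ban/unban logic concrete, here is the core of what Fail2ban does for an sshd jail, written out in Python. This is an added example for this page, not Fail2ban's own code: the jail settings (MAXRETRY, FINDTIME, BANTIME), the failregex and the sshd log lines are all constructed for the illustration. Failures are counted per source IP inside the findtime window, a ban is issued at maxretry, and the ban is lifted once bantime has elapsed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed jail settings, in the spirit of an [sshd] section in jail.local.
MAXRETRY = 3                      # failures that trigger a ban
FINDTIME = timedelta(minutes=10)  # ...when they happen within this window
BANTIME = timedelta(minutes=10)   # how long the ban lasts before the unban

# A failregex for OpenSSH "Failed password" lines; the host group is what
# Fail2ban calls <HOST>.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample log for this example (syslog timestamps carry no year).
SAMPLE_LOG = """\
Jul  4 06:30:01 lnx1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 50211 ssh2
Jul  4 06:30:05 lnx1 sshd[2103]: Failed password for root from 203.0.113.5 port 50212 ssh2
Jul  4 06:30:09 lnx1 sshd[2105]: Accepted publickey for bob from 198.51.100.7 port 40022 ssh2
Jul  4 06:30:12 lnx1 sshd[2107]: Failed password for root from 203.0.113.5 port 50213 ssh2
Jul  4 06:30:30 lnx1 sshd[2109]: Failed password for root from 203.0.113.5 port 50214 ssh2
Jul  4 06:35:00 lnx1 sshd[2201]: Failed password for bob from 198.51.100.7 port 40023 ssh2
Jul  4 06:50:00 lnx1 sshd[2301]: Failed password for bob from 198.51.100.7 port 40024 ssh2
Jul  4 06:55:00 lnx1 sshd[2401]: Failed password for bob from 198.51.100.7 port 40025 ssh2
"""


def parse_ts(text, year=2024):
    """Turn a syslog timestamp into a datetime (the year is assumed)."""
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def run_jail(log_text):
    """Replay the log and return (bans, unbans), each a list of (time, host).

    Fail2ban expires bans on a timer; in this replay without a clock, expiry
    is checked whenever the next log line is processed.
    """
    failures = defaultdict(deque)   # host -> timestamps of recent failures
    banned = {}                     # host -> time at which the ban expires
    bans, unbans = [], []

    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue                # "Accepted ..." and other lines do not count
        now, host = parse_ts(m["ts"]), m["host"]

        for h, until in list(banned.items()):
            if now >= until:        # bantime elapsed: unban (iptables -D ...)
                unbans.append((now, h))
                del banned[h]

        if host in banned:
            continue                # already blocked; the firewall drops it
        window = failures[host]
        window.append(now)
        while now - window[0] > FINDTIME:
            window.popleft()        # only failures inside findtime count
        if len(window) >= MAXRETRY:
            banned[host] = now + BANTIME   # ban (iptables -I ... -s host -j DROP)
            bans.append((now, host))
            window.clear()
    return bans, unbans


if __name__ == "__main__":
    bans, unbans = run_jail(SAMPLE_LOG)
    for when, host in bans:
        print(f"{when:%H:%M:%S} BAN   {host}")
    for when, host in unbans:
        print(f"{when:%H:%M:%S} UNBAN {host}")
```

Running it bans 203.0.113.5 at its third failure (06:30:12) and unbans it once bantime has passed, while bob's three failures from 198.51.100.7 never fall inside one findtime window and so never trigger a ban. That is also the weakness of a pure rate limit: an attacker who stays below maxretry per findtime is never blocked, which is why the text recommends combining it with strong credentials.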
nmap supports a large number of scanning techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP Protocol and Null scan.
If a machine gets infected by a rootkit, system utilities like top, ps and netstat are usually replaced by the attacker. The modified versions aid the attacker by hiding some processes and listening ports. By port scanning the host we can find out which ports are actually open and compare the result with the list of services we expect to be running. Because a scan is answered by the network stack and not by the (possibly replaced) user-land tools, it is most reliable when run from a separate, trusted host rather than from the suspect machine itself. As an example, here is a TCP port scan against localhost:
$ nmap -sT localhost

Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-04 06:33 CDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0011s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 993 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
389/tcp  open  ldap
3000/tcp open  ppp

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
By default, nmap will only scan the 1000 most common ports. Use the -p 1-65535 or -p - switch to scan all available ports.
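The netcat -z scan above and the nmap -sT scan here are both TCP connect() scans, and the rootkit check the text describes is a diff of what the network stack answers against what the host is documented to run. The following is an added example written for this page (not code from netcat or Nmap) that does both: it scans a port range with connect_ex(), reports the same exit status nc -z would, names the ports from /etc/services like nmap's SERVICE column, and flags listeners that are not in an assumed baseline. The demo opens its own listener on an ephemeral loopback port to play the part of a hidden service, so it runs offline.

```python
import socket


def tcp_connect_scan(host, ports, timeout=0.5):
    """Return the sorted list of ports on host that accept a TCP connection.

    connect_ex() returns 0 on success and an errno (ECONNREFUSED, ETIMEDOUT,
    ...) otherwise; that is the signal nc -z turns into its "succeeded!" /
    "Connection refused" lines.  A full three-way handshake is completed, so
    no privileges are needed, but the scan is as visible to the target as
    nmap -sT.
    """
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def nc_style_exit_status(open_ports):
    """Mirror the nc -z exit status: 0 if at least one port was open, else 1."""
    return 0 if open_ports else 1


def service_name(port):
    """Look the port up in /etc/services, like the SERVICE column of nmap."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"


def unexpected_listeners(open_ports, baseline):
    """Open ports that are not in the documented baseline of services.

    A user-land rootkit can make ps and netstat lie, but it cannot stop the
    kernel from completing a handshake, so anything listed here deserves a
    closer look.
    """
    return sorted(set(open_ports) - set(baseline))


def demo():
    """Stand-alone run: open one listener on an ephemeral port (playing the
    role of a hidden service), scan the ports around it and diff the result
    against a baseline that does not include it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    hidden_port = listener.getsockname()[1]
    try:
        found = tcp_connect_scan("127.0.0.1", range(hidden_port - 2, hidden_port + 3))
        baseline = [22, 25, 53, 80, 111]   # assumed: what this host is documented to run
        return {
            "listener_port": hidden_port,
            "open": found,
            "exit_status": nc_style_exit_status(found),
            "unexpected": unexpected_listeners(found, baseline),
            "services": {p: service_name(p) for p in found},
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice you would feed tcp_connect_scan() the full range (1-65535, the equivalent of nmap -p -) and keep the baseline in version control next to the host's configuration, so that a new "unknown" listener shows up as a diff rather than as something an administrator has to notice by eye.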
Let's perform the same scan, using the UDP protocol:
$ nmap -sU localhost
You requested a scan type which requires root privileges.
QUITTING!
Nmap is a very powerful network scanner, but some scan types require root privileges, because they need raw socket access to craft packets. If you run nmap localhost both as root and with your own privileges, nmap uses the -sS (SYN, half-open) scan as root and the -sT (full connect()) scan when run with normal user privileges.
Now, let's run the UDP scan again using root privileges through sudo:
$ sudo nmap -sU localhost
[sudo] password for bob: ********

Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-04 06:51 CDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000040s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 995 closed ports
PORT     STATE         SERVICE
53/udp   open          domain
68/udp   open|filtered dhcpc
111/udp  open          rpcbind
1900/udp open|filtered upnp
5353/udp open|filtered zeroconf

Nmap done: 1 IP address (1 host up) scanned in 1.48 seconds
Note the open|filtered state in the UDP results: a UDP port that does not answer an empty probe can be either open (the service simply does not reply) or filtered by a firewall, and nmap cannot tell the two apart without a service-specific probe (-sV). Nmap is a very versatile and powerful tool, and offers a variety of options regarding its capabilities. Nmap can, for example, be used for active TCP/IP stack fingerprinting to determine the remote OS (-O). The -A option used below enables OS detection together with version detection (-sV), script scanning and traceroute. You need root privileges for OS detection:
[root@lnx1 ~]# nmap -A 192.168.1.183

Starting Nmap 5.51 ( http://nmap.org ) at 2015-10-30 16:03 CET
Nmap scan report for 192.168.1.183
Host is up (0.0012s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
| ssh-hostkey: 1024 65:44:cf:c2:b8:e9:6a:a5:21:18:9f:55:70:1d:d9:57 (DSA)
|_2048 87:15:36:b4:28:09:3c:84:fa:ea:9f:b3:9d:33:39:f9 (RSA)
MAC Address: 00:0F:60:02:BA:0D (Lifetron Co.)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.51%D=10/30%OT=22%CT=1%CU=34692%PV=Y%DS=1%DC=D%G=Y%M=000F60%TM=5
OS:63386C7%P=x86_64-redhat-linux-gnu)SEQ(SP=109%GCD=1%ISR=103%TI=Z%CI=I%II=
OS:I%TS=7)SEQ(SP=107%GCD=1%ISR=104%TI=Z%CI=I%II=I%TS=7)OPS(O1=M5B4ST11NW6%O
OS:2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B4ST11NW6%O6=M5B4ST11)
OS:OPS(O1=M5B4ST11NW6%O2=NNT11%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B4ST11NW
OS:6%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=
OS:Y%DF=Y%T=40%W=7210%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%R
OS:D=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%
OS:O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=4
OS:0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux

TRACEROUTE
HOP RTT     ADDRESS
1   1.16 ms 192.168.1.183
As you can tell from the output, the tested machine was a Debian Linux host. Note where that information comes from: the stack fingerprint itself produced no exact OS match, but the version detection of the SSH service (OpenSSH 6.0p1 Debian 4+deb7u2) and the Service Info line give the OS away. Banner-derived identification can be spoofed, so treat it as an indication, not proof.
The Open Vulnerability Assessment System (OpenVAS) is an open source framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
The actual security scanner is accompanied with a daily updated feed of Network Vulnerability Tests (NVTs), over 30,000 in total (as of April 2013).
Detailed information about OpenVAS can be found at the OpenVAS community site (Open Vulnerability Assessment System).
Snort is an open source network intrusion detection system (NIDS) capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user-specified file, a UNIX socket or WinPopup messages to Windows clients using Samba's smbclient. Snort has three primary uses. It can be used as a straight packet-sniffer like tcpdump, a packet-logger (useful for network traffic debugging, etc), or as a full blown network-intrusion detection system. Snort logs packets in either tcpdump binary format or in Snort's decoded ASCII format to logging directories that are named based on the IP address of the foreign host.
All Snort rules have two logical parts: rule header and rule options.
The rule header contains information about what action a rule takes. It also contains criteria for matching a rule against data packets. The options part usually contains an alert message and information about which part of the packet should be used to generate the alert message. The options part contains additional criteria for matching a rule against data packets. A rule may detect one type or multiple types of intrusion activity. Intelligent rules should be able to apply to multiple intrusion signatures.
The action part of the rule determines the type of action taken when criteria are met and a rule is exactly matched against a data packet. Typical actions are generating an alert or log message or invoking another rule. You will learn more about actions later in this chapter.
The protocol part is used to apply the rule to packets of a particular protocol only. This is the first criterion mentioned in the rule. Examples of protocols used are ip, icmp, tcp and udp; the ip protocol matches packets of any IP protocol.
The address parts define source and destination addresses. An address may be a single host, multiple hosts or a network in CIDR notation, and the keyword any matches everything. You can also use these parts to exclude some addresses by prefixing them with "!". Note that there are two address fields in the rule. Which one is source and which one is destination is determined by the direction field: if the direction field is "->", the address on the left side is the source and the address on the right side is the destination.
For TCP or UDP, the port parts determine the source and destination ports of a packet on which the rule is applied; a port part can be a single port, a range such as 1024:2048, any, or a negation such as !53. For network layer protocols like IP and ICMP, port numbers have no significance and any is used.
The direction part of the rule determines which address and port number are used as source and which as destination. With "->" the rule applies in one direction only; with "<>" it applies to traffic in both directions.
Some examples:
alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl: 100;)
alert udp any 1024:2048 -> any any (msg: "UDP ports";)
alert tcp 192.168.2.0/24 23 <> any any (content: "confidential"; msg: "Detected confidential";)
log udp any !53 -> any any
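To see how the header parts and options described above are actually applied to traffic, here is a small rule parser and matcher written in Python for this page. It is an added example, not Snort's rule engine, and implements only what the text covers: the action, protocol, address (any, host, CIDR, "!" negation), port (single, range, "!" negation) and direction ("->" and "<>") parts, plus the msg, ttl and content options used in the four example rules. The packets at the bottom are constructed for the illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# action protocol src_addr src_port direction dst_addr dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>ip|icmp|tcp|udp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


def parse_rule(text):
    """Split a rule into header fields and a dict of "key: value;" options.
    (A ';' inside a quoted content string is not handled; the page's rules need none.)"""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    options = {}
    for item in (m["opts"] or "").split(";"):
        if ":" in item:
            key, value = item.split(":", 1)
            options[key.strip()] = value.strip().strip('"')
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], options)


def addr_match(spec, ip):
    """any, a host, a CIDR network, or !spec to exclude it."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_match(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_match(spec, port):
    """any, 80, 1024:2048, :1024, 1024:, or !spec; IP/ICMP packets carry no port."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_match(spec[1:], port)
    if port is None:
        return False
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def endpoints_match(rule, pkt):
    """Apply the address/port parts; '<>' also accepts the reverse direction."""
    forward = (addr_match(rule.src, pkt["src"]) and port_match(rule.sport, pkt.get("sport"))
               and addr_match(rule.dst, pkt["dst"]) and port_match(rule.dport, pkt.get("dport")))
    if forward or rule.direction == "->":
        return forward
    return (addr_match(rule.src, pkt["dst"]) and port_match(rule.sport, pkt.get("dport"))
            and addr_match(rule.dst, pkt["src"]) and port_match(rule.dport, pkt.get("sport")))


def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt["proto"]:   # 'ip' covers every protocol
        return False
    if not endpoints_match(rule, pkt):
        return False
    opts = rule.options
    if "ttl" in opts and pkt.get("ttl") != int(opts["ttl"]):
        return False
    if "content" in opts and opts["content"].encode() not in pkt.get("payload", b""):
        return False
    return True


def run_rules(rules, packets):
    """Return (action, msg) for every rule that fires on each packet, in order."""
    hits = []
    for pkt in packets:
        for rule in rules:
            if rule_matches(rule, pkt):
                hits.append((rule.action, rule.options.get("msg", "")))
    return hits


# The four rules from the text.
RULES = [parse_rule(r) for r in [
    'alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl: 100;)',
    'alert udp any 1024:2048 -> any any (msg: "UDP ports";)',
    'alert tcp 192.168.2.0/24 23 <> any any (content: "confidential"; msg: "Detected confidential";)',
    'log udp any !53 -> any any',
]]

# Constructed packets for the example (decoded fields only, no raw bytes).
PACKETS = [
    {"proto": "icmp", "src": "10.0.0.1", "dst": "10.0.0.2", "ttl": 100},
    {"proto": "udp", "src": "10.0.0.1", "sport": 1500, "dst": "10.0.0.2", "dport": 53},
    {"proto": "tcp", "src": "10.0.0.9", "sport": 40000, "dst": "192.168.2.10", "dport": 23,
     "payload": b"this file is confidential"},
    {"proto": "udp", "src": "10.0.0.1", "sport": 53, "dst": "10.0.0.2", "dport": 1111},
]

if __name__ == "__main__":
    for action, msg in run_rules(RULES, PACKETS):
        print(action, msg)
```

The third packet is worth a look: it travels towards 192.168.2.10:23, so with "->" the telnet rule would not fire, but "<>" makes it match with source and destination swapped, which is exactly what you want when the sensitive content flows into the network rather than out of it.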
Detailed information about Snort can be found at the Snort website (snort.org).
When talking about Intrusion Detection Systems (IDS), we can make a distinction between Host Intrusion Detection Systems (HIDS) and Network Intrusion Detection Systems (NIDS). A HIDS runs on the host it protects and alerts when that host shows suspicious activity (modified files, unexpected processes, failed logins). A NIDS inspects network traffic, preferably at a low level, and alerts when suspicious traffic is detected.
Some IDS systems can be configured so that they do not only send out an alert, but also prevent access to a certain resource. This resource can be a TCP or UDP port, a physical port on a network device, or all access to a certain host or network segment through a router or firewall. Since these systems not only detect but also prevent, they are called Intrusion Prevention Systems (IPS). As with IDS systems, we can distinguish HIPS from NIPS. Note that the ability to block means a false positive in an IPS does not just produce a spurious alert but an outage for legitimate traffic.
Both intrusion detection and intrusion prevention systems use a set of definitions (signatures) for detection. These describe characteristics of traffic or activity that, when met, trigger an alert or countermeasure. If a detection takes place and is correct, we call this a true positive. If a detection takes place but is inaccurate, this is called a false positive. When the system correctly raises nothing because nothing malicious occurred, this is called a true negative. When there actually is an event which is not detected by the system, this is called a false negative.
Often the detection capabilities of an IDS are extended with heuristic (anomaly-based) detection methods. For these to be both effective and accurate, the system needs to be trained. During this period a lot of false positives may be raised, which is not a bad thing in itself, but the system must be tuned so that the number of false positives is reduced to a minimum. A false negative is equivalent to having no IDS in place at all, and is the most undesirable behaviour of an IDS.
Security alerts are warnings about vulnerabilities in certain pieces of software. Those vulnerabilities can result in a decrease of your service level, because certain individuals are very good at abusing them. This can result in your system being compromised or taken offline.
Most of the time there is already a solution (a patch or workaround) for the problem, or someone is already working on one, as will be described in the rest of this section.
BugTraq is a moderated full-disclosure mailing list at securityfocus.com for detailed discussion and announcement of computer security vulnerabilities: what they are, how to exploit them and how to fix them.
The SecurityFocus website brings together many different resources related to security. One of them is the Bugtraq mailing list. There is also a Bugtraq FAQ.
Use the webform at http://www.securityfocus.com/ to subscribe to any of the SecurityFocus mailing lists. Note that the Bugtraq list and the SecurityFocus site are no longer actively maintained, so treat them as a historical source and rely on your distribution's security announcement list and vendor advisories for current alerts.
The CERT Coordination Center (CERT/CC) is a center of Internet security expertise, at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. They study Internet security vulnerabilities, handle computer security incidents, publish security alerts, research long-term changes in networked systems and develop information and training to help you improve security at your site.
CERT maintains a website, The CERT Coordination Center (cert.org).
See the us-cert.gov lists and feed page to sign up for the CERT Advisory mailing list or the RSS feeds issued on diverse NCAS publications.
CIAC is the U.S. Department of Energy's Computer Incident Advisory Capability. Established in 1989, shortly after the Internet Worm, CIAC provides various computer security services free of charge to employees and contractors of the DOE, such as: Incident Handling consulting, Computer Security Information, On-site Workshops, White-hat Audits.
There is a CIAC website.
The mailing lists are managed by a public domain software package called ListProcessor, which ignores e-mail header subject lines. To subscribe (add yourself) to one of the mailing lists, send a request of the following form as the e-mail message body:
subscribe list-name LastName, FirstName, PhoneNumber
substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for "LastName", "FirstName" and "PhoneNumber". Send to: firstname.lastname@example.org.
You will receive an acknowledgment containing address and initial PIN, and information on how to change either of them, cancel your subscription or get help.
An open mail relay is a mail server that accepts SMTP connections from anywhere and will forward e-mail to any domain. This means that anyone can connect to port 25 on that mail server and send mail to whomever they want, with your server as the apparent source. As a result your server's IP address may end up on anti-spam blacklists.
Testing for an open relay is done by offering the server an e-mail for a recipient in a domain it is not supposed to relay for, from a host it does not consider local. If the server accepts AND delivers the message, it is an open relay. A 250 reply to RCPT TO for such a recipient is a strong indication, but some servers accept the recipient and bounce the message later, so use a recipient mailbox you control and check that the message actually arrives.
In the following example we use telnet to connect to an SMTP server running on port 25:
$ telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 linux.mailserver ESMTP Exim 4.80 Wed, 03 Jul 2013 08:08:06 -0500
MAIL FROM: email@example.com
250 OK
RCPT TO: root@localhost
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Open Mail Relay test message
.
250 OK id=1UuMnI-0001SM-Pe
QUIT
221 linux.mailserver closing connection
Connection closed by foreign host.
The message is accepted because the mail server is configured to accept mail from the local host, and because root@localhost is a local address the SMTP server is responsible for. This exchange therefore does not demonstrate an open relay: a meaningful test has to be run from an external host, with a recipient in a domain the server does not handle.
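The dialogue above can be automated so that the relay check becomes a test you can run against every mail server you are responsible for. The following is an added example written for this page (not code from Exim or any other mail server): the client sends HELO, MAIL FROM and RCPT TO for a recipient in a foreign domain, reads the reply codes, and resets the transaction before DATA so nothing is queued. The two scripted "servers" at the bottom are constructed stand-ins for a real connection, so the exchange can be replayed offline; the TcpConn class wraps a real socket in the same two-method interface for use against a live host.

```python
import socket


def smtp_cmd(conn, line):
    """Send one SMTP command and return the numeric reply code."""
    conn.sendall((line + "\r\n").encode("ascii"))
    return int(conn.readline()[:3])


def check_open_relay(conn, helo_name, mail_from, rcpt_to):
    """Return True if the server accepts RCPT TO for a domain it should not relay for.

    Only the envelope (MAIL FROM / RCPT TO) is exercised and the transaction is
    reset before DATA, so no message is queued.  A 2xx at RCPT TO is a strong
    sign of an open relay, but some servers accept and bounce later: to be
    certain, send to a mailbox you control and confirm that it arrives.
    """
    banner = conn.readline()
    if not banner.startswith("220"):
        raise RuntimeError(f"unexpected banner: {banner.strip()}")
    smtp_cmd(conn, f"HELO {helo_name}")
    if smtp_cmd(conn, f"MAIL FROM:<{mail_from}>") != 250:
        smtp_cmd(conn, "QUIT")
        return False
    code = smtp_cmd(conn, f"RCPT TO:<{rcpt_to}>")
    smtp_cmd(conn, "RSET")
    smtp_cmd(conn, "QUIT")
    return 200 <= code < 300


class TcpConn:
    """Give a real TCP connection the sendall()/readline() interface used above."""

    def __init__(self, host, port=25, timeout=10.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.reader = self.sock.makefile("rb")

    def sendall(self, data):
        self.sock.sendall(data)

    def readline(self):
        return self.reader.readline().decode("ascii", "replace")

    def close(self):
        self.reader.close()
        self.sock.close()


class ScriptedServer:
    """Constructed stand-in for a mail server: answers each command from a table."""

    def __init__(self, banner, replies):
        self.pending = [banner]     # reply lines waiting to be read by the client
        self.replies = replies      # SMTP verb -> reply line
        self.transcript = []        # commands the "server" received

    def sendall(self, data):
        line = data.decode("ascii").rstrip("\r\n")
        self.transcript.append(line)
        verb = line.split(":")[0].split(" ")[0].upper()
        self.pending.append(self.replies.get(verb, "500 command not recognized"))

    def readline(self):
        return self.pending.pop(0) + "\r\n"


def open_relay_server():
    """Behaves like a misconfigured relay: accepts any recipient."""
    return ScriptedServer("220 relay.example ESMTP", {
        "HELO": "250 relay.example", "MAIL": "250 OK", "RCPT": "250 Accepted",
        "RSET": "250 Reset OK", "QUIT": "221 relay.example closing connection"})


def closed_relay_server():
    """Behaves like a correctly configured MX: refuses recipients it is not responsible for."""
    return ScriptedServer("220 mx.example ESMTP", {
        "HELO": "250 mx.example", "MAIL": "250 OK", "RCPT": "550 relay not permitted",
        "RSET": "250 Reset OK", "QUIT": "221 mx.example closing connection"})


if __name__ == "__main__":
    for name, factory in ("open", open_relay_server), ("closed", closed_relay_server):
        verdict = check_open_relay(factory(), "scanner.example", "test@example.com", "someone@example.net")
        print(f"{name} relay server -> open relay: {verdict}")
```

Against a live host you would call check_open_relay(TcpConn("mail.example.org"), ...) from a machine outside the server's trusted networks, since, as the telnet session showed, a connection from localhost or from a listed relay network is accepted by design and proves nothing.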
Telnet is not considered suitable as a remote login protocol because all data, including passwords, is transmitted in clear text across the network. But the telnet command is very useful for checking whether a port is open and for talking to text-based protocols such as SMTP or HTTP by hand. The target port can be given as an argument, as can be seen in the example above.