Install and study chkrootkit security audit tool

Here is a quick guide on how to install chkrootkit; this tool scans your server for any trace of a rootkit breach. More info on chkrootkit is available here: http://www.chkrootkit.org
1. SSH to your server, then su - to root (see the previous post on how to disable direct root login).
2. Download chkrootkit by typing:
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
3. Unpack the chkrootkit archive you just downloaded by typing:
tar -xvzf chkrootkit.tar.gz
4. Change to the new directory by typing:
cd chkrootkit*
5. Compile chkrootkit by typing:
make sense
6. Before we schedule the cron job, run chkrootkit and scan your server by typing:
./chkrootkit
7. Once run, you may see the following false positive: "Checking `bindshell'... INFECTED (PORTS: 465)". This is normal and is not an infection.
8. Get the current location of the chkrootkit folder; type the following and take a note of the location:
pwd
9. Let's set up a cron job; type:
pico /etc/cron.daily/chkrootkit.sh
10. Enter the following information, remembering to change /filepath/ to the pwd output, Servername to your server name and [email protected] to an email address:
#!/bin/bash
cd /filepath/
./chkrootkit | mail -s "Daily chkrootkit from Servername" [email protected]
11. Exit and save the file by pressing CTRL & X, then type Y.
12. We need to change the cron file permissions by typing:
chmod 755 /etc/cron.daily/chkrootkit.sh
13. Your chkrootkit scan will now run daily. To test, simply cd to /etc/cron.daily and run ./chkrootkit.sh
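The cron job above mails the full report every day, including the bindshell/465 false positive from step 7, so real hits are easy to miss. As an added example (not part of the original guide, and not chkrootkit's own code), here is a small filter that parses chkrootkit's "Checking ..." lines, drops the documented false positive, and only signals when something genuinely needs a look; the sample output is constructed.

```python
import re
import sys

# Constructed sample of chkrootkit output (not a real scan). It contains the
# bindshell/465 false positive the guide warns about and one genuine hit.
SAMPLE_OUTPUT = """\
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... chkproc: nothing detected
Checking `login'... INFECTED
Checking `rexedcs'... not found
"""

# (test name, exact result) pairs documented as benign on this host. Port 465
# is typically the mail server's SMTP-over-TLS listener, which the bindshell
# check mistakes for a backdoor; any other port keeps raising an alert.
KNOWN_FALSE_POSITIVES = {("bindshell", "INFECTED (PORTS: 465)")}

CHECK_RE = re.compile(r"^Checking `([^']+)'\.\.\. (.*)$")


def parse_checks(output):
    """Return (test, result) pairs for every 'Checking ...' line in the output."""
    checks = []
    for line in output.splitlines():
        m = CHECK_RE.match(line)
        if m:
            checks.append((m.group(1), m.group(2).strip()))
    return checks


def real_findings(output):
    """INFECTED results that are not on the documented false-positive list."""
    return [(test, result) for test, result in parse_checks(output)
            if "INFECTED" in result
            and (test, result) not in KNOWN_FALSE_POSITIVES]


def should_alert(output):
    """True when the daily report deserves an e-mail rather than the bit bucket."""
    return bool(real_findings(output))


if __name__ == "__main__":
    # Drop-in for the cron job:  ./chkrootkit | python3 chkrootkit_filter.py
    # prints only the real findings and exits 1 when there are any, so the
    # mail step can be made conditional on the exit status.
    report = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for test, result in real_findings(report):
        print("%s: %s" % (test, result))
    sys.exit(1 if should_alert(report) else 0)
```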
Install and study Nessus network vulnerability audit tool

Nessus is one of the best vulnerability scanners out there and works on all major platforms. If you care about the security of your network, then you should take a proactive mindset to defend against possible attacks. This is a guide on how to install the Nessus client and server on Ubuntu Linux; no explanation of how to use Nessus is given (sorry). The steps are similar for other Linux distributions (adapt as needed); the major difference is that in this tutorial I use apt-get to install Nessus.
Nessus installation

Start by installing the Nessus client and server, which are required for a functional Nessus installation. Do not worry about creating certificates; the installation automatically takes care of that.

sudo apt-get install nessusd nessus nessus-plugins

New user configuration

Before we can start using Nessus, it is required that you create a new user for Nessus.

sudo nessus-adduser

In a multi-user environment you might want to add some restrictions on what the users can do. In this case I do not want any restrictions on what Nessus can do. Provide a username and password.

Add a new nessusd user
----------------------
Login : (my_nessus_username)
Authentication (pass/cert) [pass] : (press_enter_to_use_a_password)
Login password : (provide_a_password_for_the_username)
Login password (again) : (confirm_the_password)

I recommend you do not place any restrictions on what the new Nessus user can do; hit Ctrl + D. Then you will be asked to confirm the given user information by pressing y.

User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that user_name has the right to test. For instance, you may want
him to be able to scan his own host only.
Please see the nessus-adduser(8) man page for the rules syntax

Enter the rules for this user, and hit ctrl-D once you are done :
(the user can have an empty rules set)

Login : my_nessus_username
Password : ***********
DN :
Rules :

Is that ok ? (y/n) [y] y
user added.

Now Nessus has a user to work with; let's start Nessus.

sudo /etc/init.d/nessusd start

You can launch Nessus from Applications > Internet > Nessus.
Use Nmap port scanner to scan remote machine

Port scanning is a technique used to determine the states of network ports on a host and to map out hosts on a network. In this article, I'll go over the very basics of port scanning with the NMAP tool.

NMAP Overview

Port States

NMAP will categorize ports as being in one of the following states:
Open: The port is accepting TCP connections and UDP packets. This means that an application is running that is using this port.
Closed: The port responds to NMAP probe requests, but no application is using this port.
Filtered: The port state cannot be determined because packet filters prevent NMAP probes from reaching the port.
Unfiltered: The port is accessible, but NMAP cannot determine if it is open or closed.
Open|Filtered: NMAP cannot determine if the port is open or filtered.
Closed|Filtered: NMAP cannot determine if the port is closed or filtered.

Port Scanning Techniques

NMAP supports different methods of port scanning. These methods are called scan techniques. Each technique is tailored to solving a specific problem. Often you will have to run several scans using different techniques in order to get a more complete picture of the host(s) you are scanning.

TCP SYN scan (-sS): Can be performed on many thousands of hosts very quickly on a fast network with no firewalls. It starts to open a connection by sending a SYN packet, but it never finishes the connection. The response to this packet is used to determine the port status:
1. A SYN/ACK response indicates that the port is open and listening.
2. A RST response indicates that the port is closed.
3. No response, or an ICMP unreachable error, will result in the port being marked as filtered.
TCP SYN scans are difficult to detect since a connection is never actually opened. This scan type uses raw sockets and requires root access under UNIX. This is the default scan.

TCP connect scan (-sT): Uses the OS to establish a TCP connection to the host. This scan type is slower and has more overhead than a SYN scan. A TCP connect scan is the default when a SYN scan (raw sockets) is not possible.

UDP scan (-sU): Sends a dataless UDP header to every specified port. The response to this header is used to determine the UDP port status:
1. An ICMP port unreachable error response indicates that the port is closed.
2. Other ICMP errors indicate that the port is filtered.
3. UDP-based services (DHCP, DNS and SNMP) may respond. This indicates that the port is open.
4. If after several attempts at communication no response is received, the port will be marked as open|filtered. This could mean that packet filtering may be blocking communication with an otherwise open port. The version detection option (-sV) may be used in order to determine if ports marked as open|filtered are actually open.
UDP port scanning may be done at the same time as TCP port scanning in order to speed up the process.

Custom TCP scan (--scanflags): Custom scans allow advanced users to create a scan type tailored to specific needs. This is useful for creating scans that will be less likely to be detected by intrusion detection systems.

IP protocol scan (-sO): This scan scans a host for the protocols it supports by cycling through the 8-bit protocol field of the IP header.

NMAP offers the following additional scans. I list them here for completeness, but will not discuss them further.
TCP Null, FIN and Xmas scans: Use a loophole in the TCP RFC to determine if a port is open or closed.
TCP ACK scan: Used to map firewall rulesets. It cannot tell between open and closed ports.
TCP Window scan: Used to map firewall rulesets. It can tell between open and closed ports depending on the host being scanned.
TCP Maimon scan: Similar to the TCP Null, FIN and Xmas scans, but exploits a slightly different TCP stack implementation detail specific to many BSD systems.
Idlescan: Scans hosts using packets with a falsified IP address, such that the scan appears to originate from another host.
FTP bounce scan: Scans for FTP servers configured as FTP proxies.

Installing NMAP

NMAP is an open source application and may be downloaded for free from insecure.org. Installation is straightforward. To install on Windows using the executable package:
1. Double-click the installer file.
2. Click the I Agree button to accept the licensing terms.
3. Accept the defaults on the Choose Components dialog box. Click the Next button.
4. Choose an installation directory (or accept the default). Click the Install button.
5. Installation of NMAP will proceed.
6. WinPcap is a required component of NMAP. Its installation will start during the install of NMAP. Read the license agreement and click the I Agree button.
7. Select an installation directory (or accept the default). Click the Install button.
8. The installation of WinPcap will now proceed. Click the Close button on the WinPcap completed dialog box.
9. Click the Close button on the NMAP completed dialog box.

Running NMAP on Windows

Launching NMAP

NMAP does not have a GUI under Windows and must be run from the command line.
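To make the port-state rules above concrete, here is an added example (not from the original article, and not nmap's code) of how a TCP connect scan (-sT) classifies a port using only the OS socket API: a completed handshake means open, a RST (connection refused) means closed, and silence or an ICMP unreachable error means filtered. It scans 127.0.0.1 only, against a throwaway listener it starts itself, so you can verify what your own host exposes without touching another machine.

```python
import errno
import socket
import threading


def classify_connect(host, port, timeout=1.0):
    """Classify one TCP port the way a connect scan (-sT) does.

    The OS performs the full three-way handshake, so unlike -sS this needs
    no raw sockets or root, at the cost of a logged connection per port.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"                      # SYN/ACK came back, handshake done
    except socket.timeout:
        return "filtered"                  # no answer at all: something dropped it
    except ConnectionRefusedError:
        return "closed"                    # the host answered with RST
    except OSError as exc:
        # ICMP unreachable errors surface as these errnos; nmap treats them
        # as filtered as well.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def connect_scan(host, ports, timeout=1.0):
    """Return {port: state} for the given ports, one full connection each."""
    return {p: classify_connect(host, p, timeout) for p in ports}


def start_listener():
    """Bind a throwaway listener on 127.0.0.1 so the demo has a known open port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))             # port 0: let the OS pick a free one
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                # listener closed: demo is over
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def free_port():
    """Grab and release an ephemeral port so there is a known closed port."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Scan one listening and one unbound loopback port; returns their states."""
    srv, open_port = start_listener()
    closed_port = free_port()
    result = connect_scan("127.0.0.1", [open_port, closed_port])
    srv.close()
    return result[open_port], result[closed_port]


if __name__ == "__main__":
    print(demo())   # ('open', 'closed')
```

The filtered case cannot be shown on loopback, since nothing drops packets there; it appears as soon as a host firewall silently discards the SYN, which is exactly why both example scans below report every port as filtered.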
NMAP Example Scan 1

This is a scan of all ports on my laptop (running Windows XP SP2) from a Windows Server 2003 SP1 machine. Each of the interfaces on my laptop is firewalled. NMAP is using a SYN scan, so it reports that all ports scanned are filtered.

Options used:
-v for increased verbosity
-A for OS and software version detection
-p1-65535 to set the range of ports to scan

Notice that this scan took almost an hour to scan all ports on one host. This scan would take considerably longer if a TCP connect scan were used. Also notice that at least one open and one closed port are required in order for OS version detection to work reliably. Finally, -vv may be used for even more detailed output reporting.

C:\Documents and Settings\Administrator>Nmap -v -A -p1-65535 192.168.1.124

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-23 22:04 Central America Standard Time
Initiating ARP Ping Scan at 22:04
Scanning 192.168.1.124 [1 port]
Completed ARP Ping Scan at 22:04, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:04
Completed Parallel DNS resolution of 1 host. at 22:04, 0.03s elapsed
Initiating SYN Stealth Scan at 22:04
Scanning 192.168.1.124 [65535 ports]
SYN Stealth Scan Timing: About 2.04% done; ETC: 22:29 (0:23:58 remaining)
SYN Stealth Scan Timing: About 58.48% done; ETC: 22:46 (0:17:26 remaining)
SYN Stealth Scan Timing: About 88.44% done; ETC: 22:52 (0:05:29 remaining)
SYN Stealth Scan Timing: About 96.95% done; ETC: 22:54 (0:01:30 remaining)
Completed SYN Stealth Scan at 22:54, 2951.77s elapsed (65535 total ports)
Initiating Service scan at 22:54
Warning: OS detection for 192.168.1.124 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against 192.168.1.124
Host 192.168.1.124 appears to be up ... good.
All 65535 scanned ports on 192.168.1.124 are filtered
MAC Address: 00:16:41:17:9D:B1 (USI)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://insecure.org/Nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 2976.652 seconds
Raw packets sent: 131095 (5.770MB) | Rcvd: 1 (42B)

NMAP Example Scan 2

This is a TCP connect scan of all ports on my laptop from a Windows 2003 Server SP1 machine. Again all ports are filtered. This scan took almost two hours to complete.

Options used:
-v for increased verbosity
-sT for a TCP connect scan
-p1-65535 to specify the port range from 1 to 65535 (all TCP ports)

C:\WINDOWS\system32\drivers\etc>Nmap -sT -p1-65535 192.168.1.124

Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-24 00:39 Central America Standard Time
All 65535 scanned ports on 192.168.1.124 are filtered
MAC Address: 00:16:41:17:9D:B1 (USI)

Nmap finished: 1 IP address (1 host up) scanned in 6925.996 seconds
Install a proxy server and scan the user activities

Squid - Proxy Server

Squid is a full-featured web proxy cache server application which provides proxy and cache services for Hyper Text Transport Protocol (HTTP), File Transfer Protocol (FTP), and other popular network protocols. Squid can implement caching and proxying of Secure Sockets Layer (SSL) requests and caching of Domain Name Server (DNS) lookups, and perform transparent caching. Squid also supports a wide variety of caching protocols, such as the Internet Cache Protocol (ICP), the Hyper Text Caching Protocol (HTCP), the Cache Array Routing Protocol (CARP), and the Web Cache Coordination Protocol (WCCP). The Squid proxy cache server is an excellent solution to a variety of proxy and caching server needs, and scales from the branch office to enterprise level networks while providing extensive, granular access control mechanisms and monitoring of critical parameters via the Simple Network Management Protocol (SNMP). When selecting a computer system for use as a dedicated Squid proxy or caching server, ensure your system is configured with a large amount of physical memory, as Squid maintains an in-memory cache for increased performance.

Installation

At a terminal prompt, enter the following command to install the Squid server:

sudo apt-get install squid

Configuration

Squid is configured by editing the directives contained within the /etc/squid/squid.conf configuration file. The following examples illustrate some of the directives which may be modified to affect the behavior of the Squid server. For more in-depth configuration of Squid, see the References section.

Prior to editing the configuration file, you should make a copy of the original file and protect it from writing, so you will have the original settings as a reference and to re-use as necessary. Copy the /etc/squid/squid.conf file and protect it from writing with the following commands entered at a terminal prompt:

sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original
sudo chmod a-w /etc/squid/squid.conf.original

To set your Squid server to listen on TCP port 8888 instead of the default TCP port 3128, change the http_port directive as such:

http_port 8888

Change the visible_hostname directive in order to give the Squid server a specific hostname. This hostname does not necessarily need to be the computer's hostname. In this example it is set to weezie:

visible_hostname weezie

Using Squid's access control, you may configure use of Internet services proxied by Squid to be available only to users with certain Internet Protocol (IP) addresses. For example, we will illustrate access by users of the 192.168.42.0/24 subnetwork only. Add the following to the bottom of the ACL section of your /etc/squid/squid.conf file:

acl fortytwo_network src 192.168.42.0/24

Then, add the following to the top of the http_access section of your /etc/squid/squid.conf file:

http_access allow fortytwo_network

Using the excellent access control features of Squid, you may configure use of Internet services proxied by Squid to be available only during normal business hours. For example, we'll illustrate access by employees of a business which is operating between 9:00AM and 5:00PM, Monday through Friday, and which uses the 10.1.42.0/24 subnetwork. Add the following to the bottom of the ACL section of your /etc/squid/squid.conf file:

acl biz_network src 10.1.42.0/24
acl biz_hours time M T W H F 9:00-17:00

(Squid's time ACL abbreviates Thursday as H, so the weekday list is M T W H F.) Then, add the following to the top of the http_access section of your /etc/squid/squid.conf file:

http_access allow biz_network biz_hours

After making changes to the /etc/squid/squid.conf file, save the file and restart the squid server application to effect the changes using the following command entered at a terminal prompt:

sudo /etc/init.d/squid restart
Write a program to hide text data in image file (Steganography)

If you're looking to hide files on your PC hard drive, you may have read about ways to encrypt folders or change the attributes on a file so that they cannot be accessed by prying eyes. However, a lot of times hiding files or folders in that way requires that you install some sort of software on your computer, which could then be spotted by someone else.

I've actually written quite a few articles on how you can hide files and folders in Windows XP and Vista before, but here I'm going to show you a new way to hide files that is very counter-intuitive and therefore pretty safe! Using a simple trick in Windows, you can actually hide a file inside of a JPG picture file!

You can actually hide any type of file inside of an image file, including txt, exe, mp3, avi, or whatever else. Not only that, you can actually store many files inside of a single JPG file, not just one! This can come in very handy if you need to hide files and don't want to bother with encryption and all that other technical stuff.

Hide File in Picture

In order to accomplish this task, you will need to have either WinZip or WinRAR installed on your computer. You can download either of these two off the Internet and use them without having to pay anything. Here are the steps for creating your hidden stash:

Create a folder on your hard drive, i.e. C:\Test, and put all of the files that you want to hide into that folder. Also, place the image that you will be using to hide the files in.

Now select all of the files that you want to hide, right-click on them, and choose the option to add them to a compressed ZIP or RAR file. Only select the files you want to hide, not the picture. Name it whatever you want, i.e. Hidden.rar.

Now you should have a folder that looks something like this, with files, a JPG image, and a compressed archive:

Now here's the fun part! Click on Start, and then click on Run. Type in "CMD" (without the quotes) and press Enter. You should now see the command prompt window open. Type in CD \ to get to the root directory. Then type CD and the directory name that you created, i.e. CD Test.

Now type in the following line and press Enter (do not use the quotes):

copy /b DSC06578.JPG + Hidden.rar DSC06578.jpg

You should get a response like below:

Just make sure that you check the file extension on the compressed file, whether it is .ZIP or .RAR, as you have to type out the entire file name with extension in the command. I have heard that some people say that they have had problems doing this with a .ZIP extension, so if that doesn't work, make sure to compress to a .RAR file.

And that's it! The picture file will have been updated with the compressed archive inside! You can actually check the file size of the picture and see that it has increased by the same amount as the size of the archive.

You can access your hidden file in two ways. Firstly, simply change the extension to .RAR and open the file using WinRAR. Secondly, you can just right-click on the JPG image and choose Open With and then scroll down to WinRAR. Either way, you'll see your hidden files show up that you can then extract out.
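The trick works because image viewers stop at the JPEG End Of Image marker while archive tools search the file for their own header, so everything after the marker is invisible to one and fully usable by the other. As an added example (not part of the original article), here is the check a defender can run over an image to spot a copy /b concatenation: it walks the JPEG structure to the real EOI, reports any trailing bytes, and recognises ZIP and RAR signatures. The sample JPEG and the appended ZIP are constructed in the code; the JPEG is structurally valid but not a viewable picture.

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8"
ARCHIVE_SIGNATURES = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar"}


def jpeg_end_offset(data):
    """Return the offset one past the EOI marker (FF D9) that ends the image.

    Walks the marker segments, so the EOI of an EXIF thumbnail (a complete
    JPEG nested inside an APP1 segment) is skipped, and steps over the
    entropy-coded scan data, where a 0xFF byte is always followed by 0x00
    (byte stuffing) or by a restart marker D0-D7. A naive search for the
    first FF D9 gets both of these cases wrong.
    """
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos, n = 2, len(data)
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        while pos < n and data[pos] == 0xFF:        # skip fill bytes
            pos += 1
        if pos >= n:
            break
        marker = data[pos]
        pos += 1
        if marker == 0xD9:                           # EOI: the image ends here
            return pos
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                                 # standalone, no length field
        if pos + 2 > n:
            break
        pos += int.from_bytes(data[pos:pos + 2], "big")   # length counts itself
        if marker == 0xDA:                           # SOS: scan data follows
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) \
                        and not 0xD0 <= nxt <= 0xD7:
                    break                            # a real marker: scan is over
                pos += 1
    raise ValueError("truncated JPEG: no EOI found")


def trailing_payload(data):
    """Describe bytes appended after the JPEG, or return None if the file is clean."""
    end = jpeg_end_offset(data)
    tail = data[end:]
    if not tail:
        return None
    kind = next((name for sig, name in ARCHIVE_SIGNATURES.items()
                 if tail.startswith(sig)), "unknown")
    return {"offset": end, "size": len(tail), "kind": kind}


def _seg(marker, payload):
    """One JPEG marker segment: FF, marker, 2-byte big-endian length, payload."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample_jpeg():
    """Constructed, structurally valid (but not viewable) JPEG for the demo.

    It carries a fake EXIF thumbnail (a nested JPEG with its own EOI) and scan
    data containing a stuffed FF 00 and a restart marker FF D0.
    """
    sos = _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    thumb = JPEG_SOI + sos + b"\x12\x34" + b"\xff\xd9"
    scan = b"\xab\xff\x00\xcd\xff\xd0\xef"
    return (JPEG_SOI
            + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + _seg(0xE1, b"Exif\x00\x00" + thumb)
            + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
            + sos + scan + b"\xff\xd9")


def build_hidden_jpeg(secret=b"constructed secret payload\n"):
    """Emulate the copy /b step: the JPEG followed by a ZIP holding one file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secret.txt", secret)
    return build_sample_jpeg() + buf.getvalue()


def hidden_names(data):
    """What an archive tool lists when the picture is opened as a ZIP."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    clean, hidden = build_sample_jpeg(), build_hidden_jpeg()
    print(trailing_payload(clean))    # None
    print(trailing_payload(hidden))   # {'offset': ..., 'size': ..., 'kind': 'zip'}
    print(hidden_names(hidden))       # ['secret.txt']
```

The size difference the article mentions (picture grows by exactly the archive size) is what the returned size field measures; the offset is where a file carver would start extracting.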
That's it! That is all it takes to hide files inside JPG picture files! It's a great way simply because not many people know it's possible and no one even thinks about a picture as having the ability to hide files.

Write a program to implement RSA algorithm

RSA Algorithm

/* C program for the Implementation Of RSA Algorithm */
#include <stdio.h>

int phi, M, n, e, d, C, FLAG;

/* FLAG = 1 when e and phi share a factor (e is unusable), 0 when gcd(e, phi) == 1 */
void check(void)
{
    int a = e, b = phi, t;
    while (b != 0) {            /* Euclid's algorithm: a ends up as gcd(e, phi) */
        t = a % b; a = b; b = t;
    }
    FLAG = (a != 1);
}

/* C = M^e mod n by e repeated multiplications, reducing mod n every step */
void encrypt(void)
{
    int i;
    C = 1;
    for (i = 0; i < e; i++)
        C = (C * M) % n;
    printf("\n\tEncrypted keyword : %d", C);
}

/* M = C^d mod n, same method */
void decrypt(void)
{
    int i;
    M = 1;
    for (i = 0; i < d; i++)
        M = (M * C) % n;
    printf("\n\tDecrypted keyword : %d", M);
}

int main(void)
{
    int p, q, s;
    printf("Enter Two Relatively Prime Numbers\t: ");
    scanf("%d%d", &p, &q);
    n = p * q;
    phi = (p - 1) * (q - 1);
    printf("\n\tF(n)\t= %d", phi);
    do {                        /* keep asking until e is coprime to phi */
        printf("\n\nEnter e\t: ");
        scanf("%d", &e);
        check();
    } while (FLAG == 1);
    d = 1;                      /* trial search for d with (d*e) mod phi == 1 */
    do {
        s = (d * e) % phi;
        d++;
    } while (s != 1);
    d = d - 1;
    printf("\n\tPublic Key\t: {%d,%d}", e, n);
    printf("\n\tPrivate Key\t: {%d,%d}", d, n);
    printf("\n\nEnter The Plain Text\t: ");
    scanf("%d", &M);
    encrypt();
    printf("\n\nEnter the Cipher text\t: ");
    scanf("%d", &C);
    decrypt();
    printf("\n");
    return 0;
}
/*************** OUTPUT *****************
Enter Two Relatively Prime Numbers : 7 17
F(n) = 96
Enter e : 5 Public Key : {5,119}Private Key : {77,119}Enter The
Plain Text : 19Encrypted keyword : 66Enter the Cipher text : 66
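As an added Python example (not the page's C program), here is the same key generation and encryption done the way a real implementation does it: the private exponent from the extended Euclidean algorithm instead of trial, and square-and-multiply modular exponentiation instead of e separate multiplications. It reproduces the run above (p = 7, q = 17, e = 5 gives n = 119, d = 77, and 19 encrypts to 66) and rejects an e that is not coprime to phi, which is what check() guards against.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(e, phi):
    """d with (d*e) % phi == 1, or None when gcd(e, phi) != 1 (no inverse exists)."""
    g, x, _ = egcd(e, phi)
    return None if g != 1 else x % phi


def powmod(base, exp, mod):
    """Square-and-multiply: about log2(exp) steps instead of exp multiplications."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def keygen(p, q, e):
    """Return ((e, n), (d, n)) for primes p, q and public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = modinv(e, phi)
    if d is None:
        raise ValueError("e=%d is not coprime to phi=%d" % (e, phi))
    return (e, n), (d, n)


def encrypt(m, pub):
    e, n = pub
    return powmod(m, e, n)


def decrypt(c, priv):
    d, n = priv
    return powmod(c, d, n)


if __name__ == "__main__":
    pub, priv = keygen(7, 17, 5)
    print(pub, priv)                    # (5, 119) (77, 119)
    c = encrypt(19, pub)
    print(c, decrypt(c, priv))          # 66 19
```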
Install wireless Intrusion Detection System (WIDZ) and detect attacks on Wireless network 802.11

The WIDS software can be installed in standalone mode or in networked mode. This document contains information about setting up and running WIDS 7.5 in networked mode. There are prerequisites for running WIDS 7.5 from a network:
1. Each WIDS user must have a network home directory, a personal folder unique to that network user.
2. This folder must be mapped as a drive letter, e.g. 'H'.
3. This same mapped drive letter must be common to all the WIDS users.

The WIDS 7.5 network installation consists of the following four steps:
A. Install the software to the network.
B. Edit the .ini files in preparation for the client installations.
C. Conduct the client installations.
D. Test the software.

A. Install WIDS to the network

1. Create a Wids7 application folder on a network drive, e.g. M:\Wids7
2. Install the WIDS software to this application folder. The WIDS 7.5 program file and its auxiliary files are copied into this network application folder. The system files needed by WIDS 7.5 install to the workstation, not to the network server.
3. Copy the Setup.exe and Custdata.ini files from the WIDS installation CD-ROM to the WIDS application folder on the network.
4. Grant WIDS users read, file scan, write, create, modify, and delete privileges to the application folder and all the files and subfolders it contains.
5. Download and install the latest WIDS software updates from the WIDS website: http://www.wids.org/utility_content.asp?id=22&groupid=4 You can run the update program directly from the website. Install the update to the central WIDS application folder on the network.

B. Edit the .ini files in preparation for the client installations

1. Using a standard text editor such as Notepad or WordPad, edit the Custdata.ini file that you copied from the installation CD to the WIDS application folder. Modify the Client and AppPath lines of the Custdata.ini file as follows:
Client=1
AppPath=M:\Wids7
The Client=1 value tells the installation program to omit the installation of the WIDS files already present in the WIDS network application folder. The installation program simply installs and registers the system files necessary for running the WIDS software on the client workstation. The AppPath value is used for the creation of the WIDS shortcut icons. Substitute M:\Wids7 with the valid pathname of your WIDS application folder.
2. Edit the UserPath line in the Wids.ini file found in the WIDS application folder:
UserPath=H:\Wids7
The drive H: is an arbitrary example. The letter 'H' should be replaced with whatever drive letter is mapped as a personal network drive for the WIDS users.
Option: If you want to point the users to a common location for saving WIDS project files, you can edit the SavePath line in the Wids.ini file as follows:
SavePath=M:\WIDS Project Files
Substitute M:\WIDS Project Files with a valid pathname of your choice.

C. Conduct the client installations

A streamlined client installation must be performed on each WIDS workstation to install and register the system files necessary to run WIDS on the client workstation. The application shortcut icons are created for the workstation. The installation process understands this is a client installation because of the Client=1 value you indicated in the Custdata.ini file.

D. Test the software

Testing the network installation is a crucial step. It's possible to load WIDS on a network, run it from a workstation, and have everything seem OK, when actually WIDS is running in single-user mode. It's important to test the software from two workstations, logging on as two different WIDS users.
1. Start WIDS from a workstation.
2. Choose the Learning Design option on the opening screen. The Open Project dialog box appears.
3. Open a project from the \Samples subfolder located under the application folder. The Learning Design flowchart appears.
4. Explore the software, checking to see if any error messages arise. If you receive any error messages, please check the user rights to the network application folder and check the wids.ini settings for the correct UserPath value.
5. Log onto a second workstation as a different WIDS user.
6. Start WIDS. On the opening screen, the bottom menu choice should indicate that there is no project to recover.
7. Repeat steps 2-3.

Create VPN using IPSEC tool

Installing IPSec Tools

The IPsec-Tools software started as a port of the KAME IPsec utilities to the Linux platform. The most important component of this software is an advanced Internet Key Exchange daemon that can be used to automatically key IPsec connections. For our test environment, we require version 0.7 or later, which will need to be downloaded and compiled manually. To obtain the download URL for the latest version of the IPsec Tools source code archive, please visit the IPsec Tools SourceForge web page.
Fedora Core 6
Fedora Core 6 will have an older version of IPsec Tools already installed. Before a new version can be installed, you will need to remove the existing version. To look up the name of the installed package, use the rpm and grep utilities as shown below:
rpm -qa | grep ipsec-tools
In this example, the ipsec-tools-0.6.5-6 package is currently
installed. To remove the package, use the rpm utility as shown
below:
rpm -e ipsec-tools-0.6.5-6
Once you have uploaded the latest stable IPsec Tools source code
archive to the Gateway, you can extract the distribution using the
tar utility as shown below:
tar zxvf
Note: If you downloaded a bzip archive instead of a gzip
archive, use jxvf instead of zxvf with the tar command.
Next, change to the newly created directory as shown below:
cd
Before compiling the software, the configure script needs to be
used to set some compile parameters and enable some advanced
options. To view a list of all available options, execute the
configure script with the --help switch as shown below:
./configure --help
The default install prefix for ipsec tools is /usr/local.
Because Linux typically installs software in /usr and expects
configuration files to exist under /etc, you will need to add some
extra options to cope with these differences. The other options
shown below are to enable XAuth, Dead Peer Detection, IKE
Fragmentation and NAT Traversal support. Execute the configure script as shown below:

./configure --prefix=/usr --sysconfdir=/etc/racoon --enable-hybrid --enable-frag --enable-dpd --enable-natt

To compile and install the software, use the make command as shown below:

make
make install
FreeBSD 6.2
Once you have uploaded the latest stable IPsec Tools source code
archive to the Gateway, you can extract the distribution using the
tar utility as shown below:
tar zxvf
Note: If you downloaded a bzip archive instead of a gzip
archive, use jxvf instead of zxvf with the tar command.
Next, change to the newly created directory as shown below:
cd
Before compiling the software, the configure script needs to be
used to set some compile parameters and enable some advanced
options. To view a list of all available options, execute the
configure script with the --help switch as shown below:
./configure --help
The default install prefix for ipsec tools is /usr/local. This
is the normal location for add-on software in FreeBSD so you won't
need any extra options to deal with this. The other options shown
below are to enable XAuth, Dead Peer Detection, IKE Fragmentation
and NAT Traversal support. Execute the configure script as shown
below:
./configure --sysconfdir=/usr/local/etc/racoon --enable-hybrid
--enable-frag --enable-dpd --enable-natt
Note: The last option line is only valid if the NAT Traversal
kernel patch was applied
To compile and install the software, use the make command as shown below:

make
make install
NetBSD 3.1
Once you have uploaded the latest stable IPsec Tools source code
archive to the Gateway, you can extract the distribution using the
tar utility as shown below:
tar zxvf
Note: If you downloaded a bzip archive instead of a gzip
archive, use jxvf instead of zxvf with the tar command.
Next, change to the newly created directory as shown below:
cd
Before compiling the software, the configure script needs to be
used to set some compile parameters and enable some advanced
options. To view a list of all available options, execute the
configure script with the --help switch as shown below:
./configure --help
The default install prefix for ipsec tools is /usr/local. NetBSD
ships with an older version of ipsec tools installed in the /usr
prefix and expects configuration files to exist under /etc. If you
choose to overwrite the current version you will need to add some
extra options to cope with these differences. You may choose to
install the new version of ipsec tools in a different prefix but
there may be issues associated with having multiple library
versions installed in different paths. The other options shown
below are to enable XAuth, Dead Peer Detection, IKE Fragmentation
and NAT Traversal support. To overwrite the existing version,
execute the configure script as shown below:
./configure --prefix=/usr --sysconfdir=/etc/racoon
--enable-hybrid --enable-frag --enable-dpd --enable-natt
To compile and install the software, use the make command as shown below:

make
make install
Install and study PGP using Mozilla Thunderbird

Installing PGP on Windows

To complicate matters a little: PGP is the protocol used for encrypting e-mail by various software packages. To get PGP to work with Thunderbird we need to install GPG, a free software implementation of PGP, and Enigmail, an extension of Thunderbird that allows you to use GPG... Confused?! Don't worry about it; all you have to know is that to encrypt your email with PGP you need to install both GPG and Enigmail. Here is how to do it...

Installing PGP (GPG) on Microsoft Windows

The GNU Privacy Guard (GnuPG) is software which is required to send PGP encrypted or signed emails. It is necessary to install this software before being able to do any encryption.

Head to the website of the Gpg4win project. Go to http://gpg4win.org/ On the left side of the website, you will find a 'Download' link. Click on it. This will take you to a page where you can download Gpg4win. Click on the button which offers you the latest stable version (not beta) of Gpg4win.

This will download an .exe file. Depending on your browser, you may have to double-click on this downloaded file (which will be called something like gpg4win-2.1.0.exe) before something happens. Windows will ask you if you are sure you want to install this program. Answer yes. Then complete the installation by agreeing to the license, choosing the appropriate language and accepting the default options by clicking 'Next', unless you have a particular reason not to. The installer will ask you where to put the application on your computer. The default setting should be fine, but make a note of it as we may need this later. Click on 'Next' when you agree.

Installing the Enigmail extension

After you have successfully installed the PGP software as described above, you are now ready to install the Enigmail add-on. Enigmail is a Thunderbird add-on that lets you protect the privacy of your email conversations. Enigmail is simply an interface that lets you use PGP encryption from within Thunderbird.

Enigmail is based on public-key cryptography. In this method, each individual must generate her/his own personal key pair. The first key is known as the private key. It is protected by a password or passphrase, guarded and never shared with anyone. The second key is known as the public key. This key can be shared with any of your correspondents. Once you have a correspondent's public key you can begin sending encrypted e-mails to this person. Only she will be able to decrypt and read your emails, because she is the only person who has access to the matching private key. Similarly, if you send a copy of your own public key to your e-mail contacts and keep the matching private key secret, only you will be able to read encrypted messages from those contacts.

Enigmail also lets you attach digital signatures to your messages. The recipient of your message who has a genuine copy of your public key will be able to verify that the e-mail comes from you, and that its content was not tampered with on the way. Similarly, if you have a correspondent's public key, you can verify the digital signatures on her messages.

Installation steps

To begin installing Enigmail, perform the following steps:
Step 1. Open Thunderbird, then select Tools > Add-ons to activate the Add-ons window; the Add-ons window will appear with the default Get Add-ons pane enabled.
Step 2. Enter enigmail in the search bar, like below, and click on the search icon.
Step 3. Simply click on the 'Add to Thunderbird' button to start the installation.
Step 4. Thunderbird will ask you if you are certain you want to install this add-on. We trust this application, so we should click on the 'Install now' button.
Step 5. After some time the installation should be completed and the following window should appear. Please click on the 'Restart Thunderbird' button.
Install SNORT and study its different security features.

Installing Snort

Quick Note on OS

For the installation of Snort, we are going to use Ubuntu 10.04, 32 bit. I don't personally use Ubuntu often, but anyone reading this tutorial is more likely to use Ubuntu for their Linux variant and I want people to be comfortable with their OS. This is important for troubleshooting issues and for ensuring their deployments stay secure. How many Windows Server admins out there deploy a Linux box for one specific purpose and never keep up to date with patches? I've seen too many, and I know a younger me was caught in this trap...

Other Operating Systems

Check out Snort's website for other operating systems: http://www.snort.org/docs . Do realize that these guides are not written with the intent of installing Snorby as the front-end. Those documents are still stuck in the days of BASE, so ignore that part if you want Snorby.

Installation Methods

There are two methods to install Snort on Ubuntu: with apt or from source. The easiest method is through apt-get. Using apt, you will lose some functionality and you are at the mercy of the repository and package maintainers. If Snort releases a new version, you must wait until the package maintainer updates the package and puts it in the apt repository. The preferred method is compiling from source, but some users may feel uncomfortable with that method.

Important note on Database Schema

DO NOT run any script that creates a database schema for Snort other than rake snorby:setup. The rake command creates the database schema for you. Snorby creates the fields required by Snort; however, Snorby also creates additional fields that it needs.

Installing with apt-get

To begin, you'll need root-level access. Issue the following command:

sudo apt-get install snort

You should see the following prompt:

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libprelude2 oinkmaster snort-common snort-common-libraries snort-rules-default
Suggested packages:
  snort-doc
The following NEW packages will be installed:
  libprelude2 oinkmaster snort snort-common snort-common-libraries snort-rules-default
0 upgraded, 6 newly installed, 0 to remove and 194 not upgraded.
Need to get 1,740 kB of archives.
After this operation, 10.4 MB of additional disk space will be used.
Do you want to continue [Y/n]?

Input "Y" and hit Enter. Grab some coffee or a smoke. Right now, it is downloading snort and its dependencies. When you return, hopefully you see the screen "Configuring snort". It is now asking you for your home network IP address range. Typically this will be one or more of the following: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/26. If you do not know, it is probably safest to enter:

10.0.0.0/8,172.16.0.0/12,192.168.0.0/26

Hit your Enter key and Snort will finish installing. To verify Snort is running, enter the following at the command prompt:

ps aux | grep snort | grep -v grep

If you see output containing "/usr/sbin/snort", you have Snort installed! Continue with Installing Snorby.

Compiling from Source

A good guide for installing on Ubuntu is located on Snort's website [reference: http://www.snort.org/assets/158/011-snortinstallguide2905.pdf]. This guide follows along with their work. Download Snort from: http://www.snort.org/snort-downloads. It should come with the file extension ".tar.gz". We need to uncompress this and install it:
tar -zxvf snort-2.9.0.5.tar.gz
cd snort-2.9.0.5/
sudo ./configure --prefix=/usr/local/snort --enable-ipv6 --enable-gre \
  --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules \
  --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response \
  --enable-normalizer --enable-reload --enable-react --enable-flexresp3
sudo make
sudo make install
sudo mkdir /var/log/snort
sudo mkdir /var/snort

Now,
to change permissions on your Snort directory:

sudo groupadd snort
sudo useradd -g snort snort
sudo chown snort:snort /var/log/snort

Logging

Logging using Barnyard2

Again, this is the preferred method. Edit /etc/snort/snort.conf to make a line that reads like the following (adapted to your environment):

output unified2: filename snort.out, limit 128

And make sure any other lines that start with "output database:" are commented out (that is, they have a # in front of them).

Logging Snort to a MySQL Database

Edit /etc/snort/snort.conf, and add the following line:

output database: alert, mysql, user=root password=password dbname=snorby host=localhost

Modify it for your needs. If Snorby isn't located on this sensor, change the host to the IP of the server on which Snorby is installed.

Configuring Snort

If you're running Ubuntu, you can run sudo dpkg-reconfigure snort and skip the below, as this command will take you through the steps.

Logging Snort to a Postgres Database

Edit /etc/snort/snort.conf, and add the following line:

output database: alert, postgresql, user=snort dbname=snort

Modify it for your needs. If Snorby isn't located on this sensor, change the host to the IP of the server on which Snorby is installed.

Clean up

We will be creating the database for Snort and Snorby soon. Check for the existence of the file /etc/snort/db-pending-config and, if it exists, delete it.

Setting snort variables

These are declared in /etc/snort/snort.conf.

Important variables: $HOME_NET, $EXTERNAL_NET

These variables are used in the rules you run. $HOME_NET should be set to your internal IP schema. In my lab, my computers get 10.0.0.1 - 10.0.0.255. So I will set this line to:

var HOME_NET 10.0.0.0/24

Typically $EXTERNAL_NET will be set to any.
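As an added example (not part of the original tutorial), here is a small Python checker for the snort.conf edits described in the Barnyard2 logging and variables sections: it confirms exactly one active unified2 output, flags any "output database:" line that is still active, and validates the HOME_NET CIDR blocks. The configuration fragment inside it is constructed; Snort 2.9 declares IP variables with ipvar, and the checker accepts both ipvar and var.

```python
import ipaddress
import re

# Constructed sample snort.conf fragment (not the page's file): one active
# unified2 output plus a database output that the Barnyard2 setup says to comment out.
SAMPLE_CONF = """\
ipvar HOME_NET 10.0.0.0/24
ipvar EXTERNAL_NET !$HOME_NET
output unified2: filename snort.out, limit 128
output database: alert, mysql, user=root password=password dbname=snorby host=localhost
# output database: alert, postgresql, user=snort dbname=snort
"""

OUTPUT_RE = re.compile(r"^output\s+(\w+):")
VAR_RE = re.compile(r"^(?:ipvar|var)\s+(\w+)\s+(.+?)$")


def audit_snort_conf(text):
    """Return (lineno, message) findings: active 'output database:' lines, a
    unified2 output count other than one, and a HOME_NET that is unset, 'any',
    or not valid CIDR (variable references like $MY_NET are not resolved here)."""
    findings, unified2, variables = [], 0, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out lines are inactive, which is the goal
        m = OUTPUT_RE.match(line)
        if m:
            if m.group(1) == "unified2":
                unified2 += 1
            elif m.group(1) == "database":
                findings.append((lineno, "active 'output database:' line; "
                                 "comment it out when logging via Barnyard2"))
            continue
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
    if unified2 != 1:
        findings.append((0, f"expected one active unified2 output, found {unified2}"))
    home = variables.get("HOME_NET")
    if home is None or home == "any":
        findings.append((0, "HOME_NET unset or 'any': $HOME_NET rules match all traffic"))
    else:
        for net in home.strip("[]").split(","):
            try:
                ipaddress.ip_network(net.strip(), strict=True)  # rejects 10.0.0.1/24
            except ValueError:
                findings.append((0, f"HOME_NET entry {net.strip()!r} is not a valid CIDR"))
    return findings
```

Run it against your real /etc/snort/snort.conf by passing the file contents to audit_snort_conf; an empty list means the logging and HOME_NET settings match the setup described above.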
This is describing the internet