
Post 1
Basics, important sites, HOWTO's, handbooks, hardening, tips
Advisories, alerts, bulletins, disclosure, mailinglists, mailing archives, knowledge bases, other sites
Hardening, distro-specific
Log analysis tools, resources
Daemons, device or application specific
More Brainfood, sites, books

Basics, important sites, HOWTO's, handbooks, hardening, tips

Checklists
UNIX Security Checklist v2.0: http://www.cert.org/tech_tips/unix_security_checklist2.0.html
SANS The Twenty Most Critical Internet Security Vulnerabilities: http://www.sans.org/top20/
SANS SCORE Checklists for W32/Solaris/Cisco IOS/Mac OS/etc etc: http://www.sans.org/score/
SANS Reading room http://www.sans.org/reading_room/
SANS Linux Issues: http://www.sans.org/rr/catindex.php?cat_id=32
SANS Information Security Reading Room: http://www.sans.org/reading_room/whitepapers/awareness/
20 Linux Server Hardening Security Tips: http://www.cyberciti.biz/tips/linux-security.html

Securing
CERT, Tech Tips: http://www.cert.org/tech_tips/
Linux Administrator's Security Guide (LASG): http://www.seifried.org/lasg/
Linux Security Administrator's Guide (SAG, old): http://www.tldp.org/LDP/sag/index.html
The Linux Network Administrator's Guide (NAG): http://www.tldp.org/LDP/nag2/index.html
Securing & Optimizing Linux: The Ultimate Solution: http://tldp.org/LDP/solrhe/Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0.pdf
Securing Optimizing Linux RH Edition (older): http://tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/index.html
Linux Security HOWTO: http://tldp.org/HOWTO/Security-HOWTO/index.html
Linux Security Quick Reference Guide (PDF): http://www.tldp.org/REF/ls_quickref/QuickRefCard.pdf
Security Quick-Start HOWTO for Linux: http://tldp.org/HOWTO/Security-Quickstart-Redhat-HOWTO/

Security Resources at Linuxguru's: http://www.linuxguruz.com/z.php?id=913

TLDP Networking security HOWTO's: http://www.tldp.org/HOWTO/HOWTO-INDEX/networking.html#NETSECURITY

Compromise, breach of security, detection
Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intruder_detection_checklist.html
Detecting and Removing Malicious Code (SF): http://www.securityfocus.com/infocus/1610
Steps for Recovering from a UNIX or NT System Compromise: http://web.archive.org/web/20080822063655/http://www.cert.org/tech_tips/root_compromise.html
Formatting and Reinstalling after a Security Incident (SF): http://www.securityfocus.com/infocus/1692
How to Report Internet-Related Crime (usdoj.gov CCIPS): http://www.usdoj.gov/criminal/cybercrime/reporting.htm
Related, old(er) articles/docs:
Intruder Discovery/Tracking and Compromise Analysis: http://staff.washington.edu/dittrich/talks/blackhat/blackhat/
Intrusion Detection Primer: http://www.linuxsecurity.com/content/view/117463/171/
Through the Looking Glass: Finding Evidence of Your Cracker (LG): http://linuxgazette.net/issue36/kuethe.html
Recognizing and Recovering from Rootkit Attacks: http://www.cs.wright.edu/people/faculty/pmateti/Courses/499/Fortification/obrien.html
See also post #5 under Forensics docs

Advisories, alerts, bulletins, disclosure, mailinglists, mailing archives, knowledge bases, other sites
Bugtraq (running): http://www.mail-archive.com/bugtraq@securityfocus.com/
or http://securepoint.com/lists/html/
or http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/
or RSS: http://www.djeaux.com/rss/insecure-full-bugtraq.rss
Linuxsecurity: http://www.linuxsecurity.com
or RSS (Advisories): http://www.linuxsecurity.com/static-content/linuxsecurity_advisories.rss
or RSS (News articles): http://www.linuxsecurity.com/static-content/linuxsecurity_articles.rss
Securityfocus: http://www.securityfocus.com
or RSS (Vulns): http://www.securityfocus.com/rss/vulnerabilities.xml
Securiteam: http://www.securiteam.com/
CERT KB: http://www.cert.org/kb/
Securitytracker (Advisories): http://www.securitytracker.com/topics/topics.html#advisory
SANS RSS (ISC): http://iscxml.sans.org/rssfeed.xml
Neohapsis (mailinglists/archives): http://www.neohapsis.com
theaimsgroup (mailinglists/archives): http://marc.theaimsgroup.com/
Der Keiler (mailinglists/archives): http://www.der-keiler.de/
Linux Journal: http://www.linuxjournal.com
Experts exchange: http://www.experts-exchange.com
The Linux Documentation Project: http://www.tldp.org
Blacksheep (HOWTO's, whitepapers, etc): http://www.blacksheepnetworks.com/security/
IRIA: http://www.ists.dartmouth.edu/cybersecurity-classroom.php
SEI: http://www.sei.cmu.edu/publications/lists.html
Matt's Unix Security Page: http://www.deter.com/unix/
Jay Beale's docs (Bastille-linux/CIS): http://bastille-linux.sourceforge.net/jay/
The Unix Auditor's Practical Handbook: http://www.nii.co.in/tuaph.html
Aging stuff from Phrack like "Unix System Security Issues": http://www.phrack.com/issues.html?issue=18&id=7#article


Mailinglists distro specific:
RedHat
http://www.redhat.com/support/errata/
http://www.redhat.com/mailman/listinfo
archives http://www.redhat.com/archives/redhat-watch-list/

Debian
Our own markus1982 on a roll! LQ HOWTO: securing debian: http://www.linuxquestions.org/questions/showthread.php?threadid=61670
http://bugs.debian.org/
http://lists.debian.org/ (search for debian-security@…)
http://security.debian.org/

S.u.S.E.
subscribe: http://www.novell.com/company/subscribe/

Mandriva
http://www.mandriva.com/en/community/start

Slackware
http://www.slackware.com/lists/
email majordomo@… with the phrase "subscribe slackware-security" in the body of the email

Other Distributions:
Please check at your distribution's domain.

Hardening, distro specific
Debian/Mandriva/Red Hat: Bastille Linux: http://www.bastille-linux.org/
Debian Security HOWTO: http://www.debian.org/doc/manuals/securing-debian-howto/
Debian Security FAQ: http://www.debian.org/security/faq

"Installation of a Secure SuSE Linux Enterprise Server 9":
http://www.suse.de/~thomas/SLES-Hardening/Installation_of_a_Secure_Server_with_SLES9.htm
Novell AppArmor Administration Guide:
http://www.novell.com/documentation/opensuse110/opensuse110_apparmor_admin_23/index.html?page=/documentation/opensuse110/opensuse110_apparmor_admin_23/data/opensuse110_apparmor_admin_23.html
Novell security:
http://www.novell.com/documentation/opensuse110/opensuse110_reference/index.html?page=/documentation/opensuse110/opensuse110_reference/data/opensuse110_reference.html

Slackware: Slackware Administrators Security tool kit: http://sourceforge.net/projects/sastk/
Slackware Security: http://www.slackbook.org/html/security.html

Log analysis tools, resources
Auditd: Linux Audit: http://people.redhat.com/sgrubb/audit/

Tools & Tips for auditing code: http://www.vanheusden.com/Linux/audit.html
Track unlink syscall (rm): TrackFS, libauditunlink, LAUS, LTT (Syscalltrack on 2.4)

  1. FWanalog (Summarizes IPF & IPtables firewall logs)
  2. FWlogsum (Summarizes Checkpoint FW1 logs)
  3. FWlogwatch (Summarizes firewall & IDS logs)
  4. KLogger (WinNT/Win2K keystroke logger)
  5. Linux Event Logger (For Enterprise-Class Systems): http://evlog.sourceforge.net/
  6. Lmon (PERL-based real time log monitoring solution)
  7. LogSentry (Monitors logs for security violations)
  8. Logsurfer (Monitors logs in realtime)
  9. PIdentd (Provides UserID with TCP connects)
  10. Swatch (Monitors syslog messages)
  11. Secure Remote Syslogger (Encrypted streaming syslog)
  12. SnortSnarf (HTMLized Snort Log Reviewer)
  13. Syslog-NG (Replacement for standard syslog facility)
  14. Syslog.Org (Vast info on syslogging)
  15. Throughput Monitor (An event counter per timeframe log analyzer): http://home.uninet.ee/~ragnar/throughput_monitor/

Loganalysis.org (check the library): http://www.loganalysis.org/

EVlog, Linux Event Logging for Enterprise-class systems
Throughput Monitor
Need to add: Snare, LTK etc etc

Daemons, device or application specific
The Linux-PAM System Administrators Guide
Securing Xwindows: http://www.uwsg.indiana.edu/usail/external/recommended/xsecure.html
Installation of a secure webserver (SuSE): #(link gone, do a websearch for "suse_secure_webserver.txt")
Linksys security (LQ notes on): http://www.linuxquestions.org/questions/showthread.php?postid=157007#post157007

Auditing tools at:
Packetstorm: http://www.packetstormsecurity.org/UNIX/audit/
SecurityFocus: http://www.securityfocus.com/tools/category/1

More Brainfood, sites, books
Daryl's TCP/IP primer: http://www.ipprimer.com/overview.cfm

Teach Yourself TCP IP in 14 Days (PDF): http://leitl.org/docs/SAMS_20Teach_20Yourself_20TCP_20IP_20in_2014_20Days.pdf

Uri's TCP resource list: www.private.org.il/tcpip_rl.html
Macmillan's "Maximum Security"
O'Reilly's TCP/IP Network Administration
O'Reilly has a myriad of books some of which can also be found online, just search for "O'reilly and bookshelf", "o'reilly reference bookshelf" or "o'reilly cd bookshelf".


Post 2
Netfilter, firewall, Iptables, Ipchains, DoS, DDoS

Please note the easiest way to troubleshoot Netfilter related problems is to add log (target) rules before any "decision" in a chain.
Please note there's a LOT of firewall scripts on LQ: just search the Linux - Security and Linux - networking fora please.

Netfilter/Iptables
LQ Wiki: http://wiki.linuxquestions.org/wiki/Iptables

IPTables Tutorial: http://iptables-tutorial.frozentux.net/iptables-tutorial.html
IPSysctl Tutorial: http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html
Yourwebexperts: http://www.yourwebexperts.com/forum/viewforum.php?f=35
Netfilter.org Packetfiltering HOWTO: http://people.netfilter.org/rusty/unreliable-guides/
Linuxsecurity.com Iptables tutorial: http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html


xxx Iptables Connection tracking: http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
95% (because the old link is named in the new one): http://www.kalamazoolinux.org/presentations/20010417/conntrack.html


Taking care of the New-not-SYN vulnerability: http://archives.neohapsis.com/archives/bugtraq/2003-01/0036.html


Ipchains
TLDP Ipchains http://tldp.org/HOWTO/IPCHAINS-HOWTO.html
Flounder.net Ipchains HOWTO: http://www.flounder.net/ipchains/ipchains-howto.html
Web-browsers, mail clients, FTP clients, IM, P2P ports database for building your own rules: http://www.pcflank.com/fw_rules_db.htm

Firewalls
Basics on firewalling: http://www.tldp.org/HOWTO/Firewall-HOWTO.html
CERT: Home Network Security: http://www.cert.org/tech_tips/home_networks.html
Firewall FAQ: http://www.faqs.org/faqs/firewalls-faq/
Most ports list: http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html
Firewall Forensics FAQ (What am I seeing?): http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
TLDP: Firewall Piercing mini-HOWTO: http://tldp.org/HOWTO/Firewall-Piercing/index.html
Something called the "Home PC Firewall Guide": http://www.firewallguide.com/
Vendor/Ethernet MAC Address Lookup: http://www.coffer.com/mac_find/

xxx Dshield (find out if an IP was marked as used in attacks): https://secure.dshield.org/howto.html
95%: https://secure.dshield.org/indexd.html
(and mention: input your IP at the top of the screen?)

Identifying P2P users using traffic analysis: http://www.securityfocus.com/print/infocus/1843

Is "Stealth" important?: http://www.practicallynetworked.com/sharing/securnet.htm#Stealth


Web based portscan services
http://www.linux-sec.net/Audit/nmap.test.gwif.html
http://www.derkeiler.com/Service/PortScan/
http://www.auditmypc.com/


xxx http://crypto.yashy.com/nmap.php
100%: http://crypto.yashy.com/ (and mention it's at the bottom of the page)


http://www.grc.com/
http://www.pcflank.com

DoS info
Hardening the TCP/IP stack to SYN attacks: http://www.securityfocus.com/infocus/1729
SANS, Help Defeat Denial of Service Attacks: Step-by-Step: http://www.sans.org/dosstep/index.php
SANS, ICMP Attacks Illustrated: (PDF): http://www.sans.org/reading_room/whitepapers/threats/477.php
CERT, Denial of Service Attacks: http://www.cert.org/tech_tips/denial_of_service.html
NWC, Fireproofing Against DoS Attacks (forms of): http://www.networkcomputing.com/1225/1225f38.html

DDoS info
SANS, Consensus Roadmap for Defeating Distributed Denial of Service Attacks: http://www.sans.org/dosstep/roadmap.php?ref=3801
SANS, Spoofed IP Address Distributed Denial of Service Attacks: Defense-in-Depth: http://www.sans.org/reading_room/whitepapers/threats/469.php
SANS, "Defeat Distributed Denial of Service Attacks": http://www.sans.org/dosstep/
Juniper.net, Minimizing the Effects of DoS Attacks (PDF): http://cn.juniper.net/solutions/literature/app_note/350001.pdf
Denial of Service (DoS) Attack Resource Page: http://www.denialinfo.com/dos.html
Denial of Service Attacks - DDOS, SMURF, FRAGGLE, TRINOO: http://web.archive.org/web/20040603043741/http://www.infosyssec.org/infosyssec/secdos1.htm
CISCO, Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks:
http://www.cisco.com/en/US/tech/tk59/technologies_white_paper09186a0080174a5b.shtml
Dave Dittrich's references: http://staff.washington.edu/dittrich/misc/ddos/

Xinetd FAQ: http://www.xinetd.org/faq.html


Post 3
Intrusion detection, integrity checks: IDS, NIDS, HIDS, Antivirus, software.

Note: vulnerability checking: CIS, SATAN, COPS, Tiger

FAQ: Network Intrusion Detection Systems: http://www.linuxsecurity.com/resource_files/intrusion_detection/network-intrusion-detection.html

Sniffin' the Ether v2.0: http://www.unixgeeks.org/security/newbie/security/sniffer/sniffer.html
Lotek sniffing docs: http://www.l0t3k.org/security/tools/sniffing/

Defeating Sniffers and Intrusion Detection Systems, Phrack: http://www.phrack.org/issues.html?issue=54&id=10#article

The IDS acronym game:

IDS: Intrusion Detection System refers to an application able to examine traffic for attributes and properties that mark "benign", suspicious, restricted, forbidden or outright hostile activities.

NIDS: Network IDS refers to Intrusion Detection, like running "sensors" on various sentry or sniffer hosts while logging and/or logprocessing and alerting is done on a central host (many-to-one topology).
NIDS examples are:
Snort: http://www.snort.org/
Shoki: http://shoki.sourceforge.net/
Prelude: http://www.prelude-ids.org/
OSSIM (Snort+Acid+mrtg+NTOP+OpenNMS+nmap+nessus+rrdtool): http://sourceforge.net/projects/os-sim/
MIDAS: http://midas-nms.sourceforge.net/
Firestorm: http://www.scaramanga.co.uk/firestorm/
Panoptis (DoS, DDoS only):
Defenseworx:
SHADOW:
Pakemon:
Some commercial/non OSS examples: Demarc PureSecure, Cisco Secure IDS (NetRanger), ISS Real Secure, Axent Net Prowler, Recourse ManHunt, NFR Network Flight Recorder, NAI CyberCop Network, Enterasys Dragon and Okena Stormfront/Stormwatch.
Snort also is available commercially these days.

HIDS: Host-based IDS. The HIDS acronym itself is subject to flamewars.
IDS examples are Snort, Shoki, Prelude, Defenseworx, Pakemon, Firestorm and Panoptis (DoS, DDoS only).

IPS: Intrusion Protection System. Passive or active (learning, like the heuristics stuff?) enforcement of rules at the application, system or access level. I suppose we're looking at stuff like Grsecurity, Solar Designer's Open Wall, LIDS, LOMAC, RSBAC, Linux trustees, Linux Extended Attributes, LIDS or Systrace here.
Commercial/non OSS examples: Entercept, ISS RealSecure, Axent Intruder Alert Manager, Enterasys' Dragon, Tripwire, Okena and CA's eTrust.

Docs:
Intrusion Detection Systems: An Introduction: http://www.linuxsecurity.com/content/view/117463/171/

Intrusion Detection FAQ (SANS, handling ID in general): http://www.sans.org/resources/idfaq/index.php
Basic File Integrity Checking (with Aide): http://www.securityfocus.com/infocus/1408

www.networkintrusion.co.uk (IDS, NIDS, File Integrity Checkers)

Snort basics:
Using Snort as an IDS and Network Monitor in Linux (SANS, PDF file): http://www.giac.org/certified_professionals/practicals/gsec/0883.php
Intrusion Detection and Network Auditing on the Internet: http://www.infosyssec.net/infosyssec/intdet1.htm
Snort Stealth Sniffer: Paranoid Penguin: Stealthful Sniffing, Intrusion Detection and Logging: http://www.linuxjournal.com/article/6222

Dropping Packets with Snort:
Why not to use Snort's "flexresp": http://www.mcabee.org/lists/snort-users/Mar-03/msg00379.html
Snortsam: http://www.snortsam.net


xxx Snort-inline: http://www.snort.org/dl/contrib/patc...ort-inline.tgz
maybe http://www.snort.org/docs/snort_htmanuals/htmanual_282/node16.html

Guardian: see the Snort tarball, in the contrib dir.
Blockit:

Snort GUI's, management, log reporting and analysis:
Midas: http://midas-nms.sourceforge.net
SnortCenter: http://users.pandora.be/larc/
Snort Unified Logging: Barnyard: (Sourceforge)
Snort Unified Logging: Logtopcap
Snort Unified Logging: Mudpit
Analysis Console for Intrusion Databases (ACID): http://acidlab.sourceforge.net/
Snort setup Stats ACID: http://web.archive.org/web/20050708084723/http://www.faqs.org/docs/Linux-HOWTO/Snort-Statistics-HOWTO.html
or http://www.linux.com/articles/44259

ACID HOWTO: http://www.andrew.cmu.edu/user/rdanyliw/snort/snortacid.html
ACID FAQ: http://www.andrew.cmu.edu/user/rdanyliw/snort/acid_faq.html
SPADE, Snortsnarf: http://www.silicondefense.com
Sguil: http://sguil.sourceforge.net/
Enabling Automated Detection of Security Events that affect Multiple Administrative Domains (PDF): http://aircert.sourceforge.net/docs/pickel_danyliw_thesis.pdf

Demarc (commercial): http://www.demarc.com
RazorBack: http://www.intersectalliance.com/projects/RazorBack/index.html
Oinkmaster (rulemanagement): http://www.snort.org/dl/contrib/signature_management/oinkmaster/
Snort alert mailer (C or .pe?r?l?): http://rouxdoo.freeshell.org/dmn/snort/


IDS Policy Manager Version (W32): http://www.activeworx.com/
Snort_stat: snort_stat.pl /var/log/snort/alert | /usr/lib/sendmail <human@…>
Swatch: ./swatch -c /root/.swatchrc --input-record-separator="\n\n" --read-pipe="tail -f /var/log/snort/alert" --daemon
Swatch + Hogtail.


Snort vs Abacus Portsentry:
Snort and PortSentry compared: http://www.linux.ie/articles/portsentryandsnortcompared.php

xxx Comparison of IDSs ( NFR NID, Snort, INBOUNDS, SHADOW, Dragon, Tripwire): http://zen.ece.ohiou.edu/~nagendra/compids.html
http://web.archive.org/web/20050827233322/http://zen.ece.ohiou.edu/~nagendra/compids.html

Snort help, mailinglist (archives), honeypots:

xxx Snort: Database support FAQ: http://web.archive.org/web/20021204214240/http://www.incident.org/snortdb/
(the Web Archive reports that the site owner's robots.txt blocks incident.org)
40%: http://www.andrew.cmu.edu/user/rdanyliw/snort/snortdb/snortdb_install.html

Snort mailinglists, Aims: http://marc.theaimsgroup.com/

Honeypot & Intrusion Detection Resources: http://www.honeypots.net/
The TCP Flags Playground (Mailinglist, Neohapsis): http://archives.neohapsis.com/archives/snort/2000-03/0386.html

Snort + 802.11 aka Wireless: http://www.loud-fat-bloke.co.uk/w80211.html

Sniffing (network wiretap, sniffer) FAQ: http://web.archive.org/web/20050221103207/http://www.robertgraham.com/pubs/sniffing-faq.html

Apps, network monitoring (index): http://www.mirrors.wiretapped.net/security/info/

An Analysis of a Compromised Honeypot (suggest you download it from here): http://honeynet.org/papers/


To add: Firestorm NIDS, Barnyard, Mudpit, Snort GUI's, add-ons etc etc.

Snort on two interfaces, solution one: "-i bond0".
Valid-for: running one Snort instance, multiple promiscuous mode interfaces except the mgmnt one.
Caveat: none
See-also: Documentation/networking/bonding.txt
Do once: "echo alias bond0 bonding >>/etc/modules.conf"
At boot: "ifconfig bond0 up; ifenslave bond0 eth0; ifenslave bond0 eth1"
At boot: start Snort with interface arg "-i bond0"

Snort on two interfaces, solution two: "-i any"
Valid-for: running one Snort instance, all interfaces.
Caveat: you lose promiscuous mode.
See-also:
At boot: start Snort with interface arg "-i any" and a BPF filter to stop it from logging the loopback device.


File Integrity Detection Systems
Checking a filesystem's contents against one or more checksums to determine if a file (remember anything essentially is a file on a Linux FS) has been changed.
Examples are:
Aide: http://www.cs.tut.fi/~rammer/aide.html (for remote mgmnt see also ICU http://www.algonet.se/~nitzer/ICU/ or RFC http://sourceforge.net/projects/rfc/ which handles Aide, Integrit and Afick)
Samhain: http://la-samhna.de/samhain/ (for remote mgmnt see docs)
Osiris: http://osiris.shmoo.com/
Nabou: http://www.daemon.de/en/software/nabou/
Sentinel: http://zurk.sourceforge.net/zfile.html


Integrit: http://integrit.sourceforge.net/
Tripwire (for remote mgmnt see FICC: http://freshmeat.net/projects/ficc/).
Chkrootkit (not only Linux): http://www.chkrootkit.org


xxx Rootkit Hunter (not only Linux): http://rkhunter.sourceforge.net
page exists but shows v 1.3.0
try http://sourceforge.net/project/showfiles.php?group_id=155034


Findkit: http://mirror.trouble-free.net/killall/findkit

Commercial/non OSS examples: Versioner, GFI LANguard System Integrity Monitor, Ionx's Data Sentinel, Tripwire for Servers and Pedestal Software Intact.
File Integrity (SecurityFocus, tools list): http://www.securityfocus.com/tools/category/15


Viruses on Linux/GNU, Antivirus software

Sendmail, Tcpdump, OpenSSH, TCP Wrappers, Aide and some other projects have suffered from people succeeding in injecting malicious code, and of those only Sendmail and OpenSSH were hit at their main servers; the rest were mirrors AFAIK. Even though all the apps mentioned are safe to use, and the differences were noticed soon, the real problem is that you I. have to have the knowledge to read code, II. need the discipline to read the code each time and question any diffs, or III. must have minimal "protection" in place to cope with things like rogue compiled apps "phoning home". In essence this means that, for end users, any SW provided without means to verify the integrity of the code and the package should be treated with care instead of being accepted without question.


As for the "virus" thingie I wish we, as a Linux community, try to "convert" people away from the typical troubles of Pitiful Operating Systems (abbrev.: POS, aka the MICROS~1 Game Platform) and direct them towards what's important to know wrt Linux: user/filesystem permissions, b0rken/suid/sgid software, worms, trojans and rootkits.

Basic measures should be:
- Using (demanding) source verification through GPG or, minimally, md5sums,
- Watch system integrity (Aide, Samhain, Tripwire or any package mgr that can do verification; save those databases off-site, also see Tiger, Chkrootkit),
- Harden your systems by not installing SW you don't need *now*, denying access where not needed and using tools like Bastille-linux and tips from Astaro,
- Patch the kernel to protect crucial /proc and /dev entries from being read/written, and/or use ACL's (see Silvio Cesare's site, Grsecurity, LIDS),
- Watch general/distro security bulletins and don't delay taking action (Slapper, Li0n etc),
- Keep an eye on outgoing traffic (egress logging and filtering),
- Don't compile apps as root but as a non-privileged user,
- Inspect the code if you can,
- Don't use Linux warez,
But most of all: use common sense.

*If you're still not satisfied you've covered it all you could arm yourself with knowledge on forensics stuff like UML, chrooting, disassembly and honeypots.

If you want to find Antivirus software, Google the net for Central Command, Sophos, Mcafee, Kaspersky, H+BEDV, Trend Micro, Frisk, RAV, Clam, Amavis, Spam Assassin, Renattach, Ripmime, Milter or Inflex.
- AV SW is as good as its signatures/heuristics. Some vendors don't update their Linux sig db's very well, or field SW with lacking capabilities. I've tested some (admittedly a long time ago) on my virus/trojan/LRK/malware libs. Bad (IMHO): Frisk's F-Prot (sigs), Clam (sigs), H+BEDV (libc version). Good (IMNSHO): Mcafee's uvscan (best) and RAV (2nd). Please do test yourself.
- AFAIK only KAV (Kaspersky) has a realtime scanner daemon. I'm in limbo about its compatibility with recent kernels though.

Post 4
Chroot, chrooting, jailing, compartmentalization

Chroot Jails Made Easy with the Jail Chroot Project: http://www.jmcresearch.com/projects/jail/
and http://www.linuxjournal.com/content/creating-chroot-sftp-jails-jailkit
and http://www.sublimation.org/scponly/wiki/index.php/Main_Page

Chrooting MySQL HOWTO (LQ): http://www.linuxquestions.org/questions/showthread.php?&threadid=34338
and http://www.linuxquestions.org/questions/showthread.php?postid=206661#post206661
Apache, PHP, MySQL: http://www.faqts.com/knowledge_base/view.phtml/aid/290/fid/31
SendMail: http://www.sendmail.com/
SendMail article: http://www.linuxjournal.com/article/5753

chroot patch for ssh: http://chrootssh.sourceforge.net/index.php?node=docs

OpenSSH, Scponly: http://www.sublimation.org/scponly/wiki/index.php/Main_Page

How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh:
http://www.cyberciti.biz/tips/rhel-centos-linux-install-configure-rssh-shell.html

OpenSSH, Rssh: http://pizzashack.org/rssh/
OpenSSH Sftp logging patch, contact Mike Martinez: mmartinez@…

Another chrooted sftp:
http://chrootssh.sourceforge.net/docs/chrootedsftp.html

How to chroot an Apache tree with Linux and Solaris: http://penguin.triumf.ca/chroot.html
An Overview of 'chroot jailing' Services in Linux: http://www.palecrow.com/chroot-jail-paper.html

How to break out of a chroot() jail: http://www.bpfh.net/simes/computing/chroot-break.html


Breaking out of a restricted shell:
http://web.archive.org/web/20060411080429/www.securityfocus.com/infocus/1575 scroll down at "Breaking Out of Various Restrictions"

0x05: Why chroot(2) Sucks: http://packetstormsecurity.nl/mag/napalm/napalm-12.txt

Chrooting daemons and system processes HOW-TO: http://www.zdziarski.com/papers/chroot.html

Other SW/HOWTO's unsorted
Jail Install Howto: http://www.jmcresearch.com/projects/jail/howto.html


Debian 3.1 Sarge + BIND9: http://www.howtoforge.com/howto_bind_chroot_debian

Chroot-Bind Howto http://tldp.org/HOWTO/Chroot-BIND-HOWTO.html

A Chroot example: http://hoohoo.ncsa.uiuc.edu/docs/tutorials/chroot-example.html

Chroot Apache with Linux and Solaris: http://web.archive.org/web/20051017013738/penguin.triumf.ca/chroot.html
Chroot login howto: http://www.kegel.com/crosstool/current/doc/chroot-login-howto.html

FreeBSD How to enforce a chroot: http://www.defcon1.org/html/Security/Chroot-Enforce/chroot-enforce.html


Makejail: http://www.floc.net/makejail/

Linux Security Overview (slow to load): http://www.scribd.com/word/fragment/89219022
and the package Jailer: http://packages.debian.org/stable/admin/jailer?

Post 5
Forensics, recovery, undelete

Forensics HOWTO's, docs
Steps for Recovering from a UNIX or NT System Compromise: http://www.cert.org/tech_tips/root_compromise.html
Open Web Application Security Project (OWASP): http://www.owasp.org/
Open Source Computer Forensics Manual: http://sourceforge.net/project/showfiles.php?group_id=81003&release_id=171701
OSSTM: Institute for Security and Open Methodologies (formerly ideahamster.org): http://www.isecom.org/projects/osstmm.htm
Forensics Basic Steps: http://staff.washington.edu/dittrich/misc/forensics/


Dd and netcat cloning disks: http://www.linux.com/articles/114093


Security Applications of Bootable Linux CD-ROMs (PDF): http://www.sans.org/reading_room/whitepapers/linux/193.php

Honeypot project (Hone your skills with the SOM): http://project.honeynet.org/scans/
RH8.0: Chapter 11. Incident Response (Red Hat Linux Security Guide): http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-response-invest.html


xxx Wayne's Forensics and Incident Response Resources: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/Security/
(page is OK but it's MS-only??)

(domain exists but is dead; the other links look good enough)

Forensics presentation by Weld Pond and Tan: http://www.cs.neu.edu/groups/acm/lectures/Forensics_NU/
Law Enforcement and Forensics Links.: http://www.computerforensics.net/links.htm
Forensics commercial svc's: http://forensic.to/links/pages/Forensic_Sciences/Field_of_expertise/Computer_Investigation/

Forensics CDR's
FIRE (formerly Biatchux +TCT): http://biatchux.dmzs.com/?section=main
The Penguin Sleuth Kit (Knoppix-based +TCT + Sleuthkit): http://penguinsleuth.org


Forensics tools
The Coroners Toolkit (TCT): http://www.porcupine.org/forensics/
tomsrtbt (1 floppy distro): http://www.toms.net/rb/
Trinux, (Pentest/sniff/scan/recovery/IDS/forensics CD): http://sourceforge.net/projects/trinux/
Snarl (Forensics CD based on FreeBSD): http://snarl.eecue.com
Freeware Forensics Tools for Unix: http://online.securityfocus.com/infocus/1503
The @stake Sleuth Kit (TASK): http://sleuthkit.sourceforge.net/

Tools used by CSIRTs to Collect Incident Data/Evidence, Investigate and Track Incidents (list):
PLEASE note: do not open the next link with JavaScript enabled.
http://web.archive.org/web/20040721024453/http://www.uazone.org/demch/analysis/sec-inchtools.html


Helix forensic cd: http://www.e-fense.com/helix/

Knoppix cd v5.1 (click on agreement): http://www.knopper.net/knoppix-mirrors/download.php?lang=en&link=http://www.kernel.org/pub/dist/knoppix/
Knoppix dvd v5.3.1 http://ftp.rz.tu-bs.de/pub/mirror/knoppix/knoppix-dvd/

Precompiled static binaries for Linux (iso): http://www.stearns.org/staticiso/
Forensic Acquisition Utilities for w32: http://users.erols.com/gmgarner/forensics/
CREED (Cisco Router Evidence Extraction Disk),: http://web.archive.org/web/20040214172413/http://cybercrime.kennesaw.edu/creed/
Cisco Configuration Security Auditing Tool: http://ccsat.sourceforge.net/

Miscellaneous links: http://www.linuxlinks.com/Software/Networking/Security/Miscellaneous/index.shtml

Undelete HOWTO's
Recovering a Lost Partition Table: http://www.salingfamily.net/trav/linux/lost_partition.html
or: http://tldp.org/HOWTO/html_single/Partition/#recovering

Linux Partition HOWTO: http://surfer.nmr.mgh.harvard.edu/partition/Partition.html
How to recover lost partitions: http://web.archive.org/web/20050923225705/http://cvs.sslug.dk/hdmaint/hdm_rescue.html

Linux Ext2fs Undeletion mini-HOWTO: http://tldp.org/HOWTO/Ext2fs-Undeletion.html

Linux Partition Rescue mini-HOWTO: http://www.linux-france.org/article/jdanield/howto/t1.html

File Recovery.v.0.81 (using Midnight Commander): http://www.ists.dartmouth.edu/classroom/file-recovery.v0.81.php

Rescue tools for partition table/ext2fs
Gpart: http://www.cgsecurity.org/wiki/Main_Page

Testdisk: http://www.cgsecurity.org/index.html
Parted: http://www.gnu.org/software/parted/parted.html
Recover (app + info): http://recover.sourceforge.net/linux/recover/
R-Linux: http://www.data-recovery-software.net/Linux_Recovery.shtml

Unrm: http://www.securiteam.com/tools/6R00T0K06S.html

Dd-rescue: http://www.garloff.de/kurt/linux/ddrescue/
Also see mc (the Midnight Commander)
TCT (above).

Rescue tools from dd image
Foremost: http://sourceforge.net/projects/foremost/

Rescue tools for FAT/VFAT/FAT32 from Linux
Fatback: http://sourceforge.net/projects/biatchux/

Partition imaging: http://www.partimage.org/Main_Page

For more rescue tools check Freshmeat.net, metalab.unc.edu or other depots for a /Linux/system/recovery/ dir.

II. Runefs: The first inode that can allocate block resources on an ext2 file system is in fact the bad blocks inode (inode 1) -- *not* the root inode (inode 2). Because of this mis-implementation of the ext2fs it is possible to store data on blocks allocated to the bad blocks inode and have it hidden from an analyst using TCT or TASK. To illustrate the severity of this attack the following examples demonstrate using the accompanying runefs toolkit to: create hidden storage space; copy data to and from this area, and show how this area remains secure from a forensic analyst:

xxx http://www.phrack.org/show.php?p=59&a=6
100% http://web.archive.org/web/20060810091424/http://www.phrack.org/show.php?p=59&a=6

If you've read this far and you aren't a professional system administrator: congrats. LQ doesn't ask anything of you in return but to spread around whatever good security practices you know. If you want to add a section or a link: please email me. License information: see top of thread.
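The runefs trick quoted above, as an added example that is not from the thread, from Phrack or from the runefs toolkit: a tiny synthetic ext2 image is built in memory with data parked on blocks owned by inode 1, and then the check an analyst needs is run against it, namely listing what inode 1 owns and pulling those blocks. The block size, inode table location and hidden block numbers are layout choices for this demo image, not values from the article; only group 0 and the twelve direct block pointers are walked.

```python
"""Added example, not from the thread or the runefs toolkit: build a tiny
synthetic ext2 image in memory, park data on blocks owned by the bad
blocks inode (inode 1), then run the check an analyst needs: list what
inode 1 owns.  Layout constants below are chosen for this demo image."""
import struct

BLOCK = 1024                  # 1 KiB blocks: superblock at byte 1024, GDT at block 2
INODE_SIZE = 128
INODES_PER_GROUP = 32
INODE_TABLE_BLOCK = 5         # where the demo image puts group 0's inode table
HIDDEN_BLOCKS = (20, 21, 22)  # data blocks hung off inode 1 (constructed)
IMAGE_BLOCKS = 64

def build_image(payload):
    """Construct a minimal ext2 image whose inode 1 owns HIDDEN_BLOCKS and
    store `payload` there.  Only the fields the check below walks are set."""
    img = bytearray(IMAGE_BLOCKS * BLOCK)
    sb = 1024
    struct.pack_into('<I', img, sb + 0, INODES_PER_GROUP)   # s_inodes_count
    struct.pack_into('<I', img, sb + 4, IMAGE_BLOCKS)       # s_blocks_count
    struct.pack_into('<I', img, sb + 20, 1)                 # s_first_data_block
    struct.pack_into('<I', img, sb + 24, 0)                 # s_log_block_size -> 1024 << 0
    struct.pack_into('<I', img, sb + 40, INODES_PER_GROUP)  # s_inodes_per_group
    struct.pack_into('<H', img, sb + 56, 0xEF53)            # s_magic
    struct.pack_into('<I', img, sb + 76, 1)                 # s_rev_level (dynamic rev)
    struct.pack_into('<H', img, sb + 88, INODE_SIZE)        # s_inode_size
    gdt = 2 * BLOCK                                         # group 0 descriptor
    struct.pack_into('<III', img, gdt, 3, 4, INODE_TABLE_BLOCK)  # bitmaps, inode table
    ino = INODE_TABLE_BLOCK * BLOCK                         # inode 1 = first table entry
    struct.pack_into('<I', img, ino + 4, len(payload))                  # i_size
    struct.pack_into('<I', img, ino + 28, 2 * len(HIDDEN_BLOCKS))       # i_blocks (512 B units)
    struct.pack_into('<%dI' % len(HIDDEN_BLOCKS), img, ino + 40, *HIDDEN_BLOCKS)  # i_block[]
    for i, blk in enumerate(HIDDEN_BLOCKS):                 # spread payload over the blocks
        chunk = payload[i * BLOCK:(i + 1) * BLOCK]
        img[blk * BLOCK:blk * BLOCK + len(chunk)] = chunk
    return bytes(img)

def read_superblock(img):
    """Fields needed to locate an inode; raises on a non-ext superblock."""
    sb = 1024
    if struct.unpack_from('<H', img, sb + 56)[0] != 0xEF53:
        raise ValueError('no ext2 magic at offset 1080')
    log_bs, first_data, ipg, rev = (struct.unpack_from('<I', img, sb + o)[0]
                                   for o in (24, 20, 40, 76))
    isz = struct.unpack_from('<H', img, sb + 88)[0] if rev >= 1 else 128
    return {'block_size': 1024 << log_bs, 'first_data_block': first_data,
            'inodes_per_group': ipg, 'inode_size': isz}

def inode_blocks(img, inum):
    """(i_size, non-zero direct block pointers) of 1-based inode `inum`.
    Indirect blocks are ignored here; a real tool walks them too."""
    sb = read_superblock(img)
    bs, ipg = sb['block_size'], sb['inodes_per_group']
    group, index = divmod(inum - 1, ipg)
    gdt = (sb['first_data_block'] + 1) * bs + group * 32
    table = struct.unpack_from('<I', img, gdt + 8)[0]       # bg_inode_table
    ino = table * bs + index * sb['inode_size']
    size = struct.unpack_from('<I', img, ino + 4)[0]
    direct = struct.unpack_from('<12I', img, ino + 40)
    return size, [b for b in direct if b]

def hidden_in_bad_blocks_inode(img):
    """The runefs check: a healthy disk has no bad blocks, so any block owned
    by inode 1 is worth pulling.  Returns (block numbers, their contents)."""
    size, blocks = inode_blocks(img, 1)
    bs = read_superblock(img)['block_size']
    data = b''.join(img[b * bs:(b + 1) * bs] for b in blocks)
    return blocks, data[:size]
```

Walking the directory tree from the root inode (2) never reaches these blocks, which is exactly why the toolkit's stash stayed invisible to tools that started at inode 2. On a real disk, `debugfs -R 'stat <1>' /dev/sdX` prints the same thing this check computes: a non-empty block list for inode 1 on a drive with no known bad sectors is something to explain.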

Post 6
Securing networked services

Apache
Web Security Appliance With Apache and mod_security (SF): http://www.securityfocus.com/infocus/1739
Securing Apache Step-by-Step: http://www.securityfocus.com/infocus/1694
Securing apache2: http://www.securityfocus.com/infocus/1786

Suexec
Apache suEXEC Support: http://httpd.apache.org/docs/1.3/suexec.html
HOWTO Install PHP with SuExec: http://gentoo-wiki.com/HOWTO_Install_PHP_with_SuExec
HOWTO Install PHP as CGI with Apache's suEXEC Feature: http://archiv.debianhowto.de/en/php_cgi/c_php_cgi.html
How to set up suexec to work with virtual hosts and PHP (+PHP +public_html patch): http://alain.knaff.lu/howto/PhpSuexec/

Apache modules
Apache mod_security guide: http://www.securityfocus.com/infocus/1739
Secure Your Apache With mod_security: http://www.howtoforge.com/apache_mod_security
Apache mod_ssl: http://www.securityfocus.com/infocus/1356
mod_dosevasive: http://www.nuclearelephant.com/projects/dosevasive/
mod_security: http://www.modsecurity.org
mod_security rulesets: http://www.gotroot.com/mod_security+rules
mod_security rule generator: http://leavesrustle.com/tools/modsecurity/

MySQL
Securing MySQL Step-by-Step: http://www.securityfocus.com/infocus/1726
Secure MySQL Database Design: http://www.securityfocus.com/infocus/1667
Database Security Explained: http://www.linuxexposed.com/content/view/181/54/
SQL injection attacks: http://www.sitepoint.com/print/sql-injection-attacks-safe

Detect SQL injection attacks: class_sql_inject: http://www.phpclasses.org/browse/package/1341.html

PHP
PHP and the OWASP Top Ten Security Vulnerabilities: http://www.sklar.com/page/article/owasp-top-ten
Top 7 PHP Security Blunders: http://www.sitepoint.com/print/php-security-blunders
PHP Security Guide: http://phpsec.org/projects/guide/ (PHP Security Library: http://phpsec.org/library/)
PHPsec.org Security Guide considered harmful: http://www.hardened-php.net/php_security_guide_considered_harmful.51.html
PHP: Preventing register_global problems: http://www.modsecurity.org/documentation/php-register-globals.html
Securing PHP Step-by-Step: http://www.securityfocus.com/infocus/1706
PHP Security: http://www.onlamp.com/pub/a/php/2003/07/31/php_foundations.html
Security of PHP: http://www.developer.com/lang/article.php/918141 (PHP Foundations: http://www.onlamp.com/pub/ct/29)
Auditing PHP, Part 1: Understanding register_globals: http://www-128.ibm.com/developerworks/library/os-php1/
Hardened PHP: http://www.hardened-php.net
SuPHP: http://www.suphp.org/Home.html
(http://www.phpsecure.info seems outdated)

Checking PHP
phpcksec: http://tools.desire.ch/phpcksec/
CastleCops Analyzer (Nuke only?): http://nukecops.com/

Exploiting Common Vulnerabilities in PHP Applications
http://www.securereality.com.au/studyinscarlet.txt

Security network testing
Nessus: http://www.nessus.org/
Metasploit Framework: http://metasploit.com/framework/

Application security testing
Open Web Application Security Project (OWASP): http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents

Oracle
OScanner: http://www.cqure.net/wp/oscanner/

OAT (Oracle Auditing Tools): http://www.cqure.net/wp/test/


Samba
SMBAudit (auditing): http://smbdaudit.sourceforge.net/

BIND
Secure BIND Template Version 5.1 05 JAN 2006: http://www.cymru.com/Documents/secure-bind-template.html
Securing an Internet Name Server: http://www.securiteam.com/securitynews/5VP0N0U5FU.html
DNS Security and Vulnerabilities: http://www.l0t3k.org/security/docs/dns/

SSH
General remarks:
Do not allow root account logins with ssh
Do use public key authentication
Restrict access if possible: sshd_config AllowGroups/AllowUsers and/or TCP wrappers, firewall, xinetd entry, PAM ACL.
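The remarks above turned into two checks, as an added example that is not from the thread or from any of the tools listed: an audit of sshd_config for the settings named (root login, key-based auth, AllowUsers/AllowGroups), and a sliding-window count of failed logins per source address, which is what the log-watching blockers automate. The config text and auth.log lines are constructed for the demo; the maxretry/window parameters borrow fail2ban's maxretry/findtime names but the code is not fail2ban's.

```python
"""Added example, not from the LQ thread: audit an sshd_config against the
remarks above and pick brute-forcers out of auth.log lines the way the
log-watching blockers do.  All config text and log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
"""

def parse_sshd_config(text):
    """Global sshd_config keywords as a dict.  Keywords are case-insensitive,
    'Key value' and 'Key=value' are both valid, and sshd uses the FIRST
    occurrence of a keyword, so the first one is kept.  Everything after a
    Match line is conditional and is not treated as a global setting."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = re.split(r'\s*=\s*|\s+', line, maxsplit=1)
        key = parts[0].lower()
        if key == 'match':
            break
        opts.setdefault(key, parts[1].strip() if len(parts) > 1 else '')
    return opts

def audit_sshd_config(text):
    """Return findings; an empty list means the remarks are satisfied.
    PermitRootLogin and PasswordAuthentication are flagged when unset as
    well: their defaults changed across OpenSSH releases, so set them."""
    o = parse_sshd_config(text)
    findings = []
    if o.get('permitrootlogin', '').lower() != 'no':
        findings.append('PermitRootLogin should be "no"')
    if o.get('pubkeyauthentication', 'yes').lower() != 'yes':
        findings.append('PubkeyAuthentication should be "yes"')
    if o.get('passwordauthentication', '').lower() != 'no':
        findings.append('PasswordAuthentication should be "no" (keys only)')
    if not (o.get('allowusers') or o.get('allowgroups')):
        findings.append('no AllowUsers/AllowGroups restriction')
    return findings

# Constructed syslog-style auth.log lines (no year in the timestamp).
AUTH_LOG = """\
Mar  3 10:00:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40210 ssh2
Mar  3 10:00:02 host sshd[2103]: Failed password for root from 203.0.113.7 port 40211 ssh2
Mar  3 10:00:03 host sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40212 ssh2
Mar  3 10:00:04 host sshd[2107]: Failed password for root from 203.0.113.7 port 40213 ssh2
Mar  3 10:00:05 host sshd[2109]: Failed password for invalid user oracle from 203.0.113.7 port 40214 ssh2
Mar  3 10:00:20 host sshd[2111]: Accepted publickey for alice from 198.51.100.5 port 51022 ssh2
Mar  3 11:30:00 host sshd[2200]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  3 11:45:00 host sshd[2201]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar  3 12:00:00 host sshd[2202]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar  3 12:15:00 host sshd[2203]: Failed password for root from 192.0.2.9 port 33004 ssh2
Mar  3 12:30:00 host sshd[2204]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""

FAIL_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port')

def find_bruteforcers(log, maxretry=5, window=timedelta(minutes=10), year=2024):
    """{ip: total failures} for every source with >= maxretry failed logins
    inside any window-long span.  A slow scanner spacing its attempts wider
    than the window is deliberately NOT caught: that is the tuning trade-off."""
    attempts = defaultdict(list)
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime('%d %s' % (year, m['ts']), '%Y %b %d %H:%M:%S')
        attempts[m['ip']].append(ts)
    offenders = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = len(times)
                break
    return offenders
```

With the defaults, 203.0.113.7 (five failures in four seconds) is reported and 192.0.2.9 (five failures fifteen minutes apart) is not; widen the window to two hours and both are. That second case is the reason the tools above expose a findtime-style knob: the block list is only as good as the window you pick, and the syslog year assumption (`year=2024` here) has to be handled at the turn of the year in anything that runs unattended.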
Stop bruteforcing (in no particular order):
Samhain: Defending against brute force ssh attacks: http://la-samhna.de/library/brutessh.html
Sshblack: http://www.pettingers.org/code/SSHBlack.html


xxx Ssh_access: http://www.undersea.net/seanm/softwa...-access.tar.gz
xxx web archive does not like gz endings

Sshd_check (Note: it's an executable script): http://web.archive.org/web/20060904005419/http://cerberus.cc/open/scripts/sshd_check.sh

Authfail: http://freshmeat.net/projects/authfail/

Denyhosts: http://denyhosts.sourceforge.net/
Sshdfilter: http://www.csc.liv.ac.uk/~greg/sshdfilter/

PAM_abl: http://sourceforge.net/projects/pam-abl/

Fail2ban: http://fail2ban.sourceforge.net/
Blockhosts: http://www.aczoom.com/cms/blockhosts/