<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Linux Certification &#187; Linux Networking</title>
	<atom:link href="http://lpilinux.com/LDAP%20Protocol/linux-networking/feed" rel="self" type="application/rss+xml" />
	<link>http://lpilinux.com</link>
	<description>LPI Certification - What, Why, and How</description>
	<lastBuildDate>Thu, 01 Sep 2011 13:53:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>openSUSE distribution</title>
		<link>http://lpilinux.com/opensuse-distribution.html</link>
		<comments>http://lpilinux.com/opensuse-distribution.html#comments</comments>
		<pubDate>Thu, 01 Sep 2011 13:53:33 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Linux Networking]]></category>

		<guid isPermaLink="false">http://lpilinux.com/?p=634</guid>
		<description><![CDATA[The openSUSE distribution is a stable, easy to use and complete multi-purpose distribution. It is aimed towards users and developers working on the desktop or server. It is great for beginners, experienced users and ultra geeks alike, in short, it &#8230; <a href="http://lpilinux.com/opensuse-distribution.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[
<p>The openSUSE distribution is a stable, easy to use and complete multi-purpose distribution.<br />
It is aimed towards users and developers working on the desktop or server. It is great for beginners, experienced users and ultra geeks alike, in short, it is perfect for everybody! The latest release, openSUSE 11.4, features new and massively improved versions of all useful server and desktop applications. It comes with more than 1,000 open source applications.</p>
<p>openSUSE is also the base for SUSE&#8217;s award-winning SUSE Linux Enterprise products.</p>
]]></content:encoded>
			<wfw:commentRss>http://lpilinux.com/opensuse-distribution.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hacking joomla</title>
		<link>http://lpilinux.com/hacking-joomla.html</link>
		<comments>http://lpilinux.com/hacking-joomla.html#comments</comments>
		<pubDate>Mon, 29 Aug 2011 05:35:54 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Linux Networking]]></category>

		<guid isPermaLink="false">http://lpilinux.com/?p=631</guid>
		<description><![CDATA[&#8220;Popular open source Content Management Systems (CMSs) like Drupal, Joomla! and WordPress, are regularly subject to source code reviews as well as blackbox pentesting. Thus, vulnerabilities in these systems are quickly identified and fixed. And security updates are frequently released. &#8230; <a href="http://lpilinux.com/hacking-joomla.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[
<p>&#8220;Popular open source Content Management Systems (CMSs) like Drupal, Joomla! and WordPress, are regularly subject to source code reviews as well as blackbox pentesting. Thus, vulnerabilities in these systems are quickly identified and fixed. And security updates are frequently released. Unfortunately, people tend to install the base CMS, add plugins, build their website and then never upgrade when security patches are available. Furthermore, third party developed plugins usually extend the offender&#8217;s attack surface and expose the CMS-based website to new threats.</p>
<p>&#8220;During pentests, and facing a CMS based website, I often look for open source security tools that are targeted specifically at the CMS in question. These tools usually excel at fingerprinting the CMS version used by the target, detecting installed plugins/themes, and identifying corresponding vulnerabilities. &#8221;</p>
<p>For further reading, please visit: http://aim4r.blogspot.com/2011/08/hacking-joomla-fast-and-easy-way.html</p>
]]></content:encoded>
			<wfw:commentRss>http://lpilinux.com/hacking-joomla.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Photoshop from uCertify</title>
		<link>http://lpilinux.com/photoshop-from-ucertify.html</link>
		<comments>http://lpilinux.com/photoshop-from-ucertify.html#comments</comments>
		<pubDate>Fri, 11 Mar 2011 04:35:47 +0000</pubDate>
		<dc:creator>lpilinuxblog</dc:creator>
				<category><![CDATA[Linux Networking]]></category>

		<guid isPermaLink="false">http://lpilinux.com/?p=612</guid>
		<description><![CDATA[uCertify has launched Photoshop CS5 Practice test. Pass 117-102 Certification Download Free Practice For 117-102 Exam]]></description>
			<content:encoded><![CDATA[
<p>uCertify has launched <a href="http://www.ucertify.com/exams/Adobe/9A0-150.html">Photoshop CS5 Practice test</a>.</p>
<div style="background: #E3E4FA;">
<ul>
<li> Pass <a href="http://www.ucertify.com/exams/LPI/117-102.html">117-102 Certification</a></li>
<li>Download the free practice test for the <a href="http://www.ucertify.com/download/117-102.html">117-102</a> exam</li>
</ul>
</div>
]]></content:encoded>
			<wfw:commentRss>http://lpilinux.com/photoshop-from-ucertify.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ifconfig &#8211; Ubuntu Commands</title>
		<link>http://lpilinux.com/ifconfig-ubantu-commands.html</link>
		<comments>http://lpilinux.com/ifconfig-ubantu-commands.html#comments</comments>
		<pubDate>Tue, 27 Apr 2010 11:05:17 +0000</pubDate>
		<dc:creator>lpilinuxblog</dc:creator>
				<category><![CDATA[Linux Networking]]></category>

		<guid isPermaLink="false">http://lpilinux.com/?p=481</guid>
		<description><![CDATA[ifconfig is a command-line tool used for network interface management. Following are some of the arguments used with the command: up: activates the specified interface. down: deactivates the &#8230; <a href="http://lpilinux.com/ifconfig-ubantu-commands.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[
<p><strong>ifconfig</strong> is a command-line tool for viewing and configuring network interfaces. Linux commands are case-sensitive, so it is typed in lowercase. Commonly used arguments:</p>
<ul>
<li>up: activates the specified interface.</li>
<li>down: deactivates the specified interface.</li>
<li>lo: not an option but the name of the loopback interface; <strong>ifconfig lo</strong> shows it. <strong>ifconfig</strong> with no arguments lists every interface that is up, and <strong>ifconfig -a</strong> also lists those that are down.</li>
</ul>
<p>The same command is used to configure an interface.</p>
<p>Syntax:</p>
<p><strong>ifconfig interface [address] [options]</strong></p>
<p>For example, to configure a Linux computer&#8217;s first network interface with the IP address 200.200.200.123 and subnet mask 255.255.255.0, run the following as root (changing interface state requires the CAP_NET_ADMIN capability):</p>
<p><strong>ifconfig eth0 200.200.200.123 netmask 255.255.255.0</strong></p>
<p>ifconfig belongs to the legacy net-tools package, which recent Ubuntu releases no longer install by default; the iproute2 equivalent is <strong>ip addr add 200.200.200.123/24 dev eth0</strong> followed by <strong>ip link set eth0 up</strong>, and <strong>ip addr show</strong> replaces <strong>ifconfig -a</strong>. Addresses set with either tool are lost at reboot unless they are also written to the distribution&#8217;s network configuration.</p>
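<p>The same configuration expressed for iproute2, as an added example that is not part of the original post: it converts the legacy ifconfig form into the equivalent ip commands, rejects a non-contiguous netmask (which ifconfig itself accepts silently) and derives the network and broadcast addresses. The interface name eth0 and the address come from the text above; the function names are this example&#8217;s own.</p>

```python
# Added example, not from the original post: translate
# "ifconfig IFACE ADDR netmask MASK" into its iproute2 equivalent and derive
# the network and broadcast addresses. The netmask is checked to be a
# contiguous run of one-bits, which ifconfig does not enforce.
import ipaddress


def netmask_to_prefix(mask: str) -> int:
    """Return the CIDR prefix length for a dotted-quad netmask.

    Raises ValueError for non-contiguous masks such as 255.0.255.0.
    """
    bits = int(ipaddress.IPv4Address(mask))
    # A valid mask is ones followed by zeros, so its 32-bit complement must be
    # one less than a power of two (all ones in the low bits).
    inverted = (~bits) & 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return 32 - inverted.bit_length()


def ifconfig_to_ip(iface: str, addr: str, mask: str) -> dict:
    """Build the 'ip' commands equivalent to 'ifconfig iface addr netmask mask'."""
    prefix = netmask_to_prefix(mask)
    net = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
    host = ipaddress.IPv4Address(addr)
    # The all-zeros and all-ones host addresses are not usable on /30 and wider.
    if prefix < 31 and host in (net.network_address, net.broadcast_address):
        raise ValueError(f"{addr} is the network or broadcast address of {net}")
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "ip_commands": [
            f"ip addr add {addr}/{prefix} brd {net.broadcast_address} dev {iface}",
            f"ip link set dev {iface} up",
        ],
    }


if __name__ == "__main__":
    result = ifconfig_to_ip("eth0", "200.200.200.123", "255.255.255.0")
    for cmd in result["ip_commands"]:
        print(cmd)
```

<p>Run as-is it prints the two ip commands for the example above; nothing is applied to the system, so it can be used to review a script that still relies on ifconfig before migrating it.</p>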
]]></content:encoded>
			<wfw:commentRss>http://lpilinux.com/ifconfig-ubantu-commands.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Multi Router Traffic Grapher (MRTG)</title>
		<link>http://lpilinux.com/multi-router-traffic-grapher-mrtg.html</link>
		<comments>http://lpilinux.com/multi-router-traffic-grapher-mrtg.html#comments</comments>
		<pubDate>Tue, 27 Apr 2010 11:03:16 +0000</pubDate>
		<dc:creator>lpilinuxblog</dc:creator>
				<category><![CDATA[Linux Networking]]></category>

		<guid isPermaLink="false">http://lpilinux.com/?p=479</guid>
		<description><![CDATA[The Multi Router Traffic Grapher (MRTG) is free software for monitoring and measuring the traffic load on network links. It allows the user to see traffic load on a network over time in graphical form. MRTG is written in Perl &#8230; <a href="http://lpilinux.com/multi-router-traffic-grapher-mrtg.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[
<p>The <strong>Multi Router Traffic Grapher (MRTG)</strong> is free software for monitoring and measuring the traffic load on network links. It lets the user see the traffic load on a network over time in graphical form. MRTG is written in Perl and runs on Windows, Linux, UNIX, Mac OS and NetWare.</p>
<p>MRTG uses the Simple Network Management Protocol (SNMP) to request two object identifiers (OIDs) from a device, normally the IF-MIB octet counters for one interface (ifInOctets and ifOutOctets). The device, which must be SNMP-enabled, looks the OIDs up in its management information base (MIB) and returns the current counter values in an SNMP response. MRTG records this data in a log on the polling host along with the previously recorded data for the device, derives the transfer rate from the difference between successive counter readings divided by the poll interval, and generates an HTML document from the logs containing graphs of the traffic for the selected device. Two points matter in practice. The standard counters are 32 bits wide and wrap in about 34 seconds on a saturated 1 Gbit/s link, so fast links need the 64-bit ifHCInOctets/ifHCOutOctets counters, which are only available over SNMPv2c or v3. And an SNMPv1/v2c community string is a plaintext password sent with every request, so use a read-only community restricted to the poller&#8217;s address (or SNMPv3 with authentication and privacy) and protect the MRTG configuration file, which contains it.</p>
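<p>The arithmetic described above, as an added example that is not part of the original post or of MRTG itself: the delta between two counter readings corrected for a 32-bit wrap, the resulting byte rate, and how long a link of a given speed takes to wrap the counter. The SNMP replies are constructed inline rather than fetched; the OIDs are the standard IF-MIB ifInOctets/ifOutOctets for ifIndex 2, and the function names are this example&#8217;s own.</p>

```python
# Added example, not from the original post or from MRTG. It shows the
# calculation MRTG performs on the two counters it polls: the difference
# between successive readings, corrected for a Counter32 wrap, divided by the
# poll interval. The SNMP samples are constructed, not fetched from a device.
IF_IN_OCTETS = "1.3.6.1.2.1.2.2.1.10.2"    # IF-MIB::ifInOctets.2
IF_OUT_OCTETS = "1.3.6.1.2.1.2.2.1.16.2"   # IF-MIB::ifOutOctets.2
COUNTER32_MODULUS = 2 ** 32
COUNTER64_MODULUS = 2 ** 64


def counter_delta(prev: int, cur: int, modulus: int = COUNTER32_MODULUS) -> int:
    """Octets counted between two samples, assuming at most one wrap."""
    if cur >= prev:
        return cur - prev
    # The counter rolled over (or the device rebooted; a poller cannot tell
    # the two apart from the values alone).
    return (modulus - prev) + cur


def bytes_per_second(prev_sample: dict, cur_sample: dict,
                     modulus: int = COUNTER32_MODULUS) -> dict:
    """Average in/out rate between two polls of the form
    {"time": epoch_seconds, IF_IN_OCTETS: n, IF_OUT_OCTETS: n}."""
    dt = cur_sample["time"] - prev_sample["time"]
    if dt <= 0:
        raise ValueError("samples must be increasing in time")
    return {
        "in": counter_delta(prev_sample[IF_IN_OCTETS], cur_sample[IF_IN_OCTETS], modulus) // dt,
        "out": counter_delta(prev_sample[IF_OUT_OCTETS], cur_sample[IF_OUT_OCTETS], modulus) // dt,
    }


def seconds_until_wrap(link_bps: float, modulus: int = COUNTER32_MODULUS) -> float:
    """Time for a saturated link to wrap an octet counter. If this is shorter
    than the poll interval, two wraps look like one and the rate is wrong:
    switch to the 64-bit ifHC* counters (SNMPv2c or v3 required)."""
    return modulus * 8 / link_bps


# Constructed poll pair: the input counter wrapped between the two polls.
SAMPLE_PREV = {"time": 1000, IF_IN_OCTETS: 4294960000, IF_OUT_OCTETS: 100}
SAMPLE_CUR = {"time": 1300, IF_IN_OCTETS: 2000, IF_OUT_OCTETS: 30100}

if __name__ == "__main__":
    rates = bytes_per_second(SAMPLE_PREV, SAMPLE_CUR)
    print(f"in {rates['in']} B/s, out {rates['out']} B/s")
    print(f"1 Gbit/s wraps a Counter32 in {seconds_until_wrap(1e9):.1f} s")
```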
]]></content:encoded>
			<wfw:commentRss>http://lpilinux.com/multi-router-traffic-grapher-mrtg.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Password Crackers &#8211; Full Tutorial</title>
		<link>http://lpilinux.com/password-crackers-full-tutorial.html</link>
		<comments>http://lpilinux.com/password-crackers-full-tutorial.html#comments</comments>
		<pubDate>Tue, 27 Apr 2010 10:50:55 +0000</pubDate>
		<dc:creator>lpilinuxblog</dc:creator>
				<category><![CDATA[Linux Networking]]></category>

		<guid isPermaLink="false">http://lpilinux.com/?p=465</guid>
		<description><![CDATA[A password cracker is an application program that is used to identify an unknown or forgotten password to a computer or network resources. It can also be used to help a human cracker obtain unauthorized access to resources. Password crackers &#8230; <a href="http://lpilinux.com/password-crackers-full-tutorial.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[
<p>A password cracker is a program used to recover an unknown or forgotten password for a computer or network resource. The same tools let an attacker obtain unauthorized access, which is why auditing password strength with them is a normal part of a penetration test.</p>
<p>Password crackers use two primary methods to identify correct passwords: brute-force and dictionary searches. When a password cracker uses brute force, it runs through every combination of characters up to a predetermined length until it finds the one the system accepts. When conducting a dictionary search, it tries each word in a word list. Word lists exist for a variety of topics and combinations of topics, including politics, movies, and music groups.</p>
<p>Some password cracker programs search for hybrids of dictionary entries and numbers. For example, a password cracker may try ants01, ants02, ants03, and so on. This is effective where users have been told to include a number in their password.</p>
<p>A password cracker can also work on stored password hashes. Systems do not normally store passwords in a recoverable (encrypted) form; they store a one-way hash, so a cracker that obtains the hash (from /etc/shadow, the Windows SAM database, or memory) cannot decrypt it. Instead it runs each candidate through the same hashing algorithm, with the same salt, and compares the result with the stored value; a match reveals the password. Because this happens offline, the target system sees no failed logins and imposes no rate limit.</p>
<p>Some of the most popular password crackers are as follows:</p>
<ol>
<li><strong>Cain &amp; Abel:</strong> Cain and Abel is a multipurpose Windows tool that can be used for many tasks such as Windows password cracking, Windows enumeration, and VoIP session sniffing. It can perform dictionary attacks, brute-force attacks, cryptanalysis attacks (rainbow tables), recording of VoIP sessions, decoding of scrambled passwords, and recovery of cached passwords.</li>
<li><strong>John the Ripper:</strong> John the Ripper is a fast password cracker available for many environments. Its primary purpose is to detect weak Unix/Linux passwords. Initially developed for Unix, it now runs on fifteen different platforms, including most versions of UNIX, Windows, DOS, BeOS, and OpenVMS. John the Ripper works offline: the user must first obtain a copy of the password hash file (on Linux, /etc/shadow, which is readable only by root).</li>
<li><strong>THC Hydra:</strong> THC Hydra is a fast network authentication cracker that supports many different services. Hydra was developed by a German group called &#8220;The Hacker&#8217;s Choice&#8221; (THC) and uses a dictionary attack to test for weak or simple passwords on one or many remote hosts running a variety of services. It was designed as a proof-of-concept utility to demonstrate the ease of cracking poorly chosen passwords. Unlike John it works online, sending real login attempts over the network, so it is limited by network speed and account lockout policies and is visible in the target&#8217;s logs. The project supports a wide range of services and protocols: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MySQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP, PostgreSQL, Teamspeak, Cisco auth, Cisco enable, and Cisco AAA.</li>
<li><strong>Aircrack-ng:</strong> Aircrack-ng is the best-known tool for cracking 802.11a/b/g WEP and WPA keys. It recovers WEP keys statistically from captured initialization vectors, and attacks WPA/WPA2-PSK networks by a dictionary attack against a captured four-way handshake; WPA cannot be broken cryptographically the way WEP can, so a strong passphrase defeats it.</li>
<li><strong>L0phtCrack:</strong> L0phtCrack is a password auditing and recovery application. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, using dictionary, brute-force and hybrid attacks and rainbow tables. It was one of the crackers&#8217; tools of choice, although many used old versions because they were cheap and easy to obtain.</li>
<li><strong>AirSnort:</strong> AirSnort is a Linux-based WLAN WEP cracking tool that recovers encryption keys. AirSnort operates by passively monitoring transmissions. It uses a ciphertext-only attack and needs roughly 5 to 10 million captured packets to recover a WEP key.</li>
<li><strong>SolarWinds:</strong> SolarWinds ships a large suite of network discovery, monitoring and attack tools. Among the dozens of special-purpose tools are a router password decryptor, an SNMP brute-force cracker, and a TCP connection reset program.</li>
<li><strong>Pwdump:</strong> Pwdump is a Windows password hash extraction tool. Run with administrator privileges, it extracts NTLM and LanMan (LM) hashes from the SAM of a Windows system and can also display password histories. The output is in L0phtCrack-compatible form and can be written to a file for cracking elsewhere.</li>
<li><strong>RainbowCrack:</strong> RainbowCrack generates and uses rainbow tables for password cracking. It differs from &#8220;conventional&#8221; brute-force crackers in that it uses large pre-computed tables to drastically reduce the time needed to crack a hash, at the cost of storage and generation time. Precomputation only pays off for unsalted hashes such as Windows LM and NTLM; a per-user salt makes the tables useless.</li>
<li><strong>Brutus:</strong> Brutus is a password cracking tool that performs both dictionary and brute-force attacks, in the latter case generating passwords systematically from a given character set. It can brute-force the following authentication types: HTTP (Basic Authentication), HTTP (HTML Form/CGI), POP3 (Post Office Protocol v3), FTP (File Transfer Protocol), SMB (Server Message Block), and Telnet.</li>
</ol>
<p><strong>How does a Password Cracker work?</strong></p>
<p>Generally, crackers first obtain a copy of the password file from the target system. This file contains the hashed value of each password, not the password itself. They may begin by simply guessing, gathering information about the victim such as date of birth, family members&#8217; names, favorite food, favorite actors or actresses, and so on; all of this is easily found on social networking sites such as MySpace, hi5, Orkut and Facebook. Next they run a cracking program against a dictionary, hashing each candidate until the same hash value is found. For example, if the victim&#8217;s password is welcome99, the program tries welcome1, welcome2, welcome3 and so on until it reaches welcome99. Failing that, brute force tries every combination of characters on the keyboard up to some length, which grows exponentially with password length. The fastest method against unsalted hashes is a rainbow table attack: all hashes for a character set up to a given length are computed once in advance and stored in compressed chains; the captured hashes are then imported into a tool that walks the table until it finds the matching plaintext. A per-user salt defeats this precomputation, and a deliberately slow hash (sha512crypt, bcrypt, scrypt) slows every method described here by the same factor.</p>
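<p>The methods described above run against a hash, as an added example that is not from the original post or from any of the tools listed. It implements the dictionary, hybrid (welcome00 ... welcome99), brute-force and precomputed-table attacks against a constructed hash scheme, hex SHA-256 of salt plus password, so that it runs offline; the word list, the salt and the target passwords are constructed too. A real system hash such as sha512crypt or bcrypt is far slower per guess, but the procedure is the same, and the salted case shows why the precomputed table stops working.</p>

```python
# Added example, not from the original post or from any tool it lists. The
# hash format here (hex SHA-256 of salt + password) is a constructed stand-in
# for a system password hash; the word list and targets are constructed too.
import hashlib
import itertools
import string

ALNUM = string.ascii_lowercase + string.digits
SAMPLE_WORDS = ["ants", "welcome", "password"]   # constructed mini word list


def toy_hash(password: str, salt: str = "") -> str:
    """Constructed stand-in for a system password hash."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def candidates(words, digits: int = 2):
    """Dictionary words, then the hybrid forms from the text (ants00, ants01,
    ...), then simple case mangling. Order matters: cheap guesses first."""
    for w in words:
        yield w
    for w in words:
        for n in range(10 ** digits):
            yield f"{w}{n:0{digits}d}"
    for w in words:
        yield w.capitalize()
        yield w.upper()


def crack(target: str, salt: str, words, digits: int = 2):
    """Hash every candidate with the victim's salt and compare. This is the
    offline attack a tool like John the Ripper runs on a shadow entry."""
    for cand in candidates(words, digits):
        if toy_hash(cand, salt) == target:
            return cand
    return None


def brute_force(target: str, salt: str, alphabet: str, max_len: int):
    """Exhaustive search of every string up to max_len over the alphabet.
    Cost is sum(len(alphabet) ** n), which is why it is the last resort."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            cand = "".join(chars)
            if toy_hash(cand, salt) == target:
                return cand
    return None


def build_table(words, digits: int = 2) -> dict:
    """Precomputed hash -> plaintext table for the UNSALTED scheme. Built once
    and reused against any number of hashes. Rainbow tables compress this idea
    into hash chains but depend on the same property: no per-user salt."""
    return {toy_hash(c): c for c in candidates(words, digits)}


def lookup(table: dict, target: str):
    """Constant-time table hit for an unsalted hash; a salted hash of the
    same password is simply absent, which is the point of salting."""
    return table.get(target)


if __name__ == "__main__":
    print(crack(toy_hash("welcome99"), "", SAMPLE_WORDS))             # hybrid hit
    table = build_table(SAMPLE_WORDS)
    print(lookup(table, toy_hash("ants03")))                          # table hit
    print(lookup(table, toy_hash("ants03", "x7Qp")))                  # salted: None
    print(crack(toy_hash("ants03", "x7Qp"), "x7Qp", SAMPLE_WORDS))    # still crackable
```

<p>The salted lookup returns None while the salted crack still succeeds: salting removes the precomputation shortcut but not the per-hash guessing, which only a slow hash and a strong password can make expensive.</p>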
]]></content:encoded>
			<wfw:commentRss>http://lpilinux.com/password-crackers-full-tutorial.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to create an Ad-hoc Network in Ubuntu?</title>
		<link>http://lpilinux.com/how-to-create-an-ad-hoc-network-in-ubantu.html</link>
		<comments>http://lpilinux.com/how-to-create-an-ad-hoc-network-in-ubantu.html#comments</comments>
		<pubDate>Sat, 10 Apr 2010 06:35:17 +0000</pubDate>
		<dc:creator>lpilinuxblog</dc:creator>
				<category><![CDATA[Linux Networking]]></category>

		<guid isPermaLink="false">http://lpilinux.com/how-to-create-an-ad-hoc-network-in-ubantu.html</guid>
		<description><![CDATA[To successfully share your connection you&#8217;ll need to set up the ad-hoc wireless network from scratch. Besides an active wired internet connection at the time of setup, here&#8217;s what you&#8217;ll need: Network Manager 0.7 or later release; dnsmasq-base installed, a &#8230; <a href="http://lpilinux.com/how-to-create-an-ad-hoc-network-in-ubantu.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[
<p>To successfully share your connection you&#8217;ll need to set up the ad-hoc wireless network from scratch. Besides an active wired internet connection at the time of setup, here&#8217;s what you&#8217;ll need:</p>
<p>Network Manager 0.7 or a later release<br />
dnsmasq-base installed; a DNS proxy and DHCP/TFTP server</p>
<p>NetworkManager comes pre-installed with all Ubuntu releases since 8.10, so the only installation requirement should be dnsmasq-base; you can install it with this command:</p>
<p>sudo aptitude install dnsmasq-base</p>
<p>Once you&#8217;ve confirmed that both Network Manager and the dnsmasq-base package are installed you&#8217;re ready to move on. Access the network management screen by clicking on the Network Manager icon and select &#8220;Create New Wireless Network&#8221; to begin setting up your ad-hoc wireless network. Enter the network name and choose the wireless security level when prompted to complete the network creation; pick the strongest option the dialog offers, since an open network lets anyone in range use your connection and WEP provides no real protection. Once you finalize the settings you should see a new available SSID, enabling you to share your connection with no further customization or network settings needed.</p>
]]></content:encoded>
			<wfw:commentRss>http://lpilinux.com/how-to-create-an-ad-hoc-network-in-ubantu.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Encryption Schemes used by OpenSSH</title>
		<link>http://lpilinux.com/encryption-schemes-used-by-openssh.html</link>
		<comments>http://lpilinux.com/encryption-schemes-used-by-openssh.html#comments</comments>
		<pubDate>Sat, 10 Apr 2010 05:29:00 +0000</pubDate>
		<dc:creator>lpilinuxblog</dc:creator>
				<category><![CDATA[Linux Networking]]></category>

		<guid isPermaLink="false">http://lpilinux.com/encryption-schemes-used-by-openssh.html</guid>
		<description><![CDATA[The three ciphers usually listed for ssh (IDEA, 3DES &#038; Blowfish) belong to SSH protocol version 1; protocol 2 negotiates a cipher per connection from the lists the client and server offer. Bruce Schneier&#8217;s block cipher Blowfish was designed to be fast &#038; secure, &#8230; <a href="http://lpilinux.com/encryption-schemes-used-by-openssh.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[
<p>The claim that ssh offers only three ciphers (IDEA, 3DES and Blowfish) describes SSH protocol version 1. OpenSSH never shipped IDEA, which was patented; its protocol 1 default was 3DES, and protocol 1 itself has since been removed (from the server in OpenSSH 7.4 and from the client in 7.6). In protocol 2 the client and the server each advertise an ordered cipher list and the connection uses the first entry in the client&#8217;s list that the server also supports, so the cipher is negotiated per connection rather than fixed.</p>
<p>Bruce Schneier&#8217;s block cipher Blowfish was designed to be fast and secure; ssh uses it with a 128-bit key, although the algorithm allows anything from 32 to 448 bits. Its 64-bit block size is why it is no longer recommended for bulk encryption, and blowfish-cbc, 3des-cbc and the other CBC-mode ciphers were dropped from the OpenSSH defaults in release 6.7. The current defaults are AES in CTR or GCM mode and chacha20-poly1305@openssh.com.</p>
<p>We can tell the ssh client to use a particular cipher with the <strong>-c</strong> option, as in this command from the protocol 1 era:</p>
<p># slogin -2 -c blowfish user@some_remote_machine.com</p>
<p>Here <strong>-2</strong> forced protocol version 2 (now the only version OpenSSH speaks) and <strong>slogin</strong> is simply an alias for <strong>ssh</strong>. Protocol 2 uses the full algorithm name, so the modern form of the same command is:</p>
<p># ssh -c aes256-gcm@openssh.com user@some_remote_machine.com</p>
<p><strong>ssh -Q cipher</strong> lists the ciphers your build supports, <strong>ssh -vv</strong> shows which one was negotiated, and asking for a cipher the server has disabled fails with &#8220;no matching cipher found&#8221;. The list can be pinned on either side with the <strong>Ciphers</strong> directive in ssh_config or sshd_config; whichever side is more restrictive determines what is available.</p>
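<p>The negotiation and the <strong>Ciphers</strong> directive, as an added example that is not part of the original post or of OpenSSH: one function picks the cipher an SSH-2 handshake would agree on (the first name on the client&#8217;s list that the server also offers, as RFC 4253 section 7.1 specifies), and another resolves a <strong>Ciphers</strong> line from a config file, including the +, - and ^ prefixes OpenSSH accepts relative to its default list, and flags legacy entries. DEFAULT_CIPHERS is assumed to be the OpenSSH 9.x default; confirm it for your build with <strong>ssh -Q cipher</strong> and the ssh_config(5) man page. The config text is constructed.</p>

```python
# Added example, not from the original post or from OpenSSH. It models the
# SSH-2 cipher choice and audits a Ciphers directive. DEFAULT_CIPHERS is
# assumed to match OpenSSH 9.x; check "ssh -Q cipher" for your own build.
import re

DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]

# Substrings marking legacy algorithms: 64-bit block ciphers (blowfish, 3des,
# cast128), CBC mode, and the RC4 family.
WEAK_MARKERS = ("blowfish", "3des", "cast128", "-cbc", "arcfour")


def negotiate(client_list, server_list):
    """Cipher an SSH-2 handshake picks: first client preference the server
    also offers; None means the connection fails ("no matching cipher")."""
    server = set(server_list)
    for name in client_list:
        if name in server:
            return name
    return None


def expand_ciphers(spec: str, default=DEFAULT_CIPHERS):
    """Resolve a Ciphers value. OpenSSH accepts '+list' (append to the
    default), '-list' (remove from the default, '*' wildcards allowed) and
    '^list' (prepend to the default); a plain list replaces the default."""
    prefix = spec[0] if spec and spec[0] in "+-^" else ""
    names = [n for n in spec[len(prefix):].split(",") if n]
    if prefix == "+":
        return list(default) + [n for n in names if n not in default]
    if prefix == "^":
        return names + [n for n in default if n not in names]
    if prefix == "-":
        patterns = [re.compile("^" + re.escape(n).replace(r"\*", ".*") + "$") for n in names]
        return [c for c in default if not any(p.match(c) for p in patterns)]
    return names


def audit_ciphers(config_text: str) -> dict:
    """Find the (last) Ciphers directive in ssh_config/sshd_config text and
    report the effective list and any legacy entries in it."""
    effective = list(DEFAULT_CIPHERS)
    for line in config_text.splitlines():
        m = re.match(r"\s*Ciphers\s+(\S+)", line, re.IGNORECASE)
        if m:
            effective = expand_ciphers(m.group(1))
    weak = [c for c in effective if any(w in c for w in WEAK_MARKERS)]
    return {"effective": effective, "weak": weak}


if __name__ == "__main__":
    # Constructed config: a client pinned to the old list in the post.
    print(audit_ciphers("Host *\n    Ciphers blowfish-cbc,3des-cbc,aes128-ctr\n"))
    print(negotiate(["aes256-gcm@openssh.com", "aes128-ctr"], DEFAULT_CIPHERS))
```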
]]></content:encoded>
			<wfw:commentRss>http://lpilinux.com/encryption-schemes-used-by-openssh.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is port knocking?</title>
		<link>http://lpilinux.com/what-is-port-knocking.html</link>
		<comments>http://lpilinux.com/what-is-port-knocking.html#comments</comments>
		<pubDate>Mon, 05 Apr 2010 01:02:11 +0000</pubDate>
		<dc:creator>lpilinuxblog</dc:creator>
				<category><![CDATA[Linux Networking]]></category>

		<guid isPermaLink="false">http://lpilinux.com/what-is-port-knocking.html</guid>
		<description><![CDATA[Port knocking is a method of establishing a connection to a networked computer that exposes no open ports. Before a connection is established, ports are opened using a port &#8230; <a href="http://lpilinux.com/what-is-port-knocking.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[
<p>Port knocking is a method of establishing a connection to a networked computer that exposes no open ports. Before a connection is established, ports are opened using a port knock sequence, which is a series of connection attempts to closed ports. A remote host generates and sends an authentic knock sequence in order to manipulate the server&#8217;s firewall rules to open one or more specific ports. These manipulations are mediated by a port knock daemon, running on the server, which monitors the firewall log file for connection attempts that can be translated into authentic knock sequences. Once the desired ports are opened, the remote host can establish a connection and begin a session. Another knock sequence may be used to trigger the closing of the port.</p>
<p><strong>Applicability</strong></p>
<p>Port knocking is a suitable form of hardening for hosts that house users who require continual access to services and data from any location and that are not running public services such as SMTP or HTTP. Port knocking is used to keep all ports closed to public traffic while flexibly opening and closing ports to traffic from users who have authenticated themselves with a knock sequence. This on-demand, IP-based filtering, triggered by the remote user, offers the advantages of IP-based filtering without the maintenance burden usually associated with static IP rules. Port knocking cannot be used to protect public services: such protection cannot be effective if the knock sequence, or a method to generate it, is made public. A static sequence also travels in the clear, so anyone positioned to observe the traffic can replay it; treat knocking as a way to hide a service from scanners, not as a substitute for the service&#8217;s own authentication (strong SSH keys, for instance).</p>
<p>Port knocking can be used whenever there is a need to transfer information across closed ports. The port knock daemon can be implemented to respond in any suitable way to an authentic knock. The knock may be used to communicate information silently and/or to trigger an action. This is a form of IP over closed ports.</p>
<p>The simplest implementation of port knocking uses a log file to interface with the firewall software. This simple approach makes port knocking highly accessible for home users who would like to harden their *NIX systems. One of the strong advantages of port knocking is that the protected services do not require any modification. Port knocking is easy to set up and presents no performance issues when dealing with a modest number of incoming connections.</p>
<p><strong>Limitations</strong></p>
<p>Port knocking as described here is one implementation of a more general idea. It is not necessary for the firewall log file to be involved in the process. A robust implementation interfaces with the server&#8217;s IP stack more closely. Nor is it strictly necessary for the knocks to come as a series of connection attempts. For example, the knock may be encapsulated in the data payload of a single packet that is sent to a closed port.</p>
<p>There will be situations in which port knocking is ideally suited, such as remote administration provided by a latent, on-demand SSH service. In other cases port knocking is not the right answer.</p>
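<p>The log-file implementation described above, as an added example that is not part of the original post or of any knock daemon: it reads kernel firewall log lines, tracks each source&#8217;s progress through an open sequence and a close sequence with a timeout between knocks, and returns the iptables commands it would run when a sequence completes. It assumes a logging rule such as <strong>iptables -A INPUT -p tcp --syn -j LOG --log-prefix "KNOCK: "</strong> so that SYNs to closed ports reach syslog; the log lines, timestamps, addresses and the port numbers 7000/8000/9000 are constructed for this example, and the commands are returned rather than executed.</p>

```python
# Added example, not from the original post or from any knock daemon. It
# implements the matching a log-watching knock daemon does. Assumes an
# iptables LOG rule for incoming SYNs; log lines and timestamps below are
# constructed, and firewall commands are returned as strings, never run.
import re

# Source address and destination port from a kernel LOG line.
LOG_RE = re.compile(r"\bSRC=(?P<src>[0-9.]+)\b.*\bPROTO=TCP\b.*\bDPT=(?P<dpt>\d+)\b")


class KnockDaemon:
    def __init__(self, open_seq, close_seq, protected_port=22, window=10.0):
        self.sequences = {"open": tuple(open_seq), "close": tuple(close_seq)}
        self.port = protected_port
        self.window = window      # seconds allowed between consecutive knocks
        self.progress = {}        # (src, sequence name) -> (knocks matched, last time)

    def _firewall_cmd(self, action, src):
        flag = "-I" if action == "open" else "-D"
        return f"iptables {flag} INPUT -s {src} -p tcp --dport {self.port} -j ACCEPT"

    def feed(self, ts, line):
        """Process one log line at time ts; return firewall commands now due."""
        m = LOG_RE.search(line)
        if not m:
            return []
        src, dport = m.group("src"), int(m.group("dpt"))
        actions = []
        for name, seq in self.sequences.items():
            matched, last = self.progress.get((src, name), (0, ts))
            if ts - last > self.window:
                matched = 0                                  # too slow: start over
            if seq[matched] == dport:
                matched += 1
            else:
                matched = 1 if seq[0] == dport else 0        # wrong port: restart
            if matched == len(seq):
                actions.append(self._firewall_cmd(name, src))
                matched = 0
            self.progress[(src, name)] = (matched, ts)
        return actions


def demo():
    """Constructed log: one host completes the open sequence, another host
    sends a single stray knock and gets nothing."""
    d = KnockDaemon(open_seq=(7000, 8000, 9000), close_seq=(9000, 8000, 7000))
    log = [  # (seconds since start, constructed kernel LOG line)
        (0.0, "kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=7000 SYN"),
        (1.0, "kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=8000 SYN"),
        (2.0, "kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=9000 SYN"),
        (3.0, "kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=9000 SYN"),
    ]
    out = []
    for ts, line in log:
        out.extend(d.feed(ts, line))
    return out


if __name__ == "__main__":
    for cmd in demo():
        print(cmd)
```

<p>State is kept per source address and per sequence, so a knock that belongs to the close sequence does not disturb progress on the open sequence, and a sequence that stalls for longer than the window is discarded. Note what the example cannot do: it has no way to tell a legitimate knocker from someone who captured and replayed the same three SYNs.</p>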
]]></content:encoded>
			<wfw:commentRss>http://lpilinux.com/what-is-port-knocking.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Most Popular Backdoors/Trojans and Their Countermeasures</title>
		<link>http://lpilinux.com/most-popular-backdoorstrojans-and-their-countermeasures.html</link>
		<comments>http://lpilinux.com/most-popular-backdoorstrojans-and-their-countermeasures.html#comments</comments>
		<pubDate>Mon, 05 Apr 2010 00:59:05 +0000</pubDate>
		<dc:creator>lpilinuxblog</dc:creator>
				<category><![CDATA[Linux Networking]]></category>

		<guid isPermaLink="false">http://lpilinux.com/most-popular-backdoorstrojans-and-their-countermeasures.html</guid>
		<description><![CDATA[These programs: * Work as a key logger. * Send any information from the victim&#8217;s PC to the hacker&#8217;s PC. * Run any program on the victim&#8217;s PC. * Display any violating image on the victim&#8217;s screen. * Open the CD &#8230; <a href="http://lpilinux.com/most-popular-backdoorstrojans-and-their-countermeasures.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[
<p>These programs:</p>
<p>    * Work as a key logger.<br />
    * Send any information from the victim&#8217;s PC to the hacker&#8217;s PC.<br />
    * Run any program on the victim&#8217;s PC.<br />
    * Display any violating image on the victim&#8217;s screen.<br />
    * Open the CD drive of the victim&#8217;s PC.<br />
    * Open any web page on the victim&#8217;s screen.<br />
    * Disable any specific key or the whole keyboard.<br />
    * Shut down the victim&#8217;s PC.<br />
    * Start a song on the victim&#8217;s PC, etc.</p>
<p>Back Orifice / Back Orifice 2000</p>
<p>Back Orifice is one of the most common backdoor programs, and one of the most deadly. The name may seem like a joke, but the threat is real. Back Orifice was created by the Cult of the Dead Cow group. Back Orifice is an open source program. The main threat of this software is that by making some changes in the code, anybody can make it undetectable to the anti-virus program running on the victim&#8217;s computer. Apart from the strange title, the program usually uses port 31337, a reference to the &#8220;leet&#8221; phenomenon popular among hackers.</p>
<p>Back Orifice uses a client-server model, in which the server is the victim and the client is the attacker. What makes Back Orifice so dangerous is that it can install and operate silently. No interaction with the user is required, meaning it could be on your computer right now without you knowing.</p>
<p>Companies such as Symantec have taken steps to protect computers against programs that they consider dangerous. But attacks using Back Orifice 2000 continue to increase. This is due partly to the fact that it is still evolving as open source. As stated in its documentation, the ultimate goal is for the presence of Back Orifice 2000 to be unknown even to those who installed it.</p>
<p>Back Orifice 2000 was developed for Windows 95, Windows 98, Windows NT, Windows 2000 and Windows XP.</p>
<p>Where can I download Back orifice 2000?</p>
<p>Back Orifice 2000 can be downloaded at the following address: http://sourceforge.net/projects/bo2k/</p>
<p>I am infected! How do I remove it?</p>
<p>Removing Back Orifice 2000 may require that you change registry settings. To remove it in 7 simple steps, follow the list below.</p>
<p>How do I delete Back Orifice 2000?</p>
<p>   1. Click Start > Run, and type &#8220;Regedit&#8221; (without the quotes).<br />
   2. Follow the path below: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices<br />
   3. Now look in the right-hand pane for the entry: &#8220;umgr32 = &#8216;c:\windows\system\umgr32.exe&#8217;&#8221;<br />
   4. Right-click on this entry and click Remove. Now restart your computer.<br />
   5. After restarting, open only Windows Explorer. Make sure you can see all registered extensions. To do so, select &#8220;View > Options&#8221; and configure the appropriate settings.<br />
   6. Go to the WINDOWS\SYSTEM directory and find the &#8220;umgr32.exe&#8221; file. Once you find it, delete it.<br />
   7. Exit Windows Explorer and reboot again.</p>
<p>NetBus / Netbus 2.0 Pro</p>
<p>NetBus was created around the same time as Back Orifice, in the late 1990s. NetBus was originally designed as a program to prank friends and family, without anything too malicious. However, the program was released in 1998, and it is widely used as a backdoor to control computers.</p>
<p>Like Back Orifice, NetBus allows attackers to do virtually anything on the victim&#8217;s computer. It works under Windows 9x systems as well as Windows XP. Unlike Back Orifice, the latest version of NetBus is shareware and is not free. NetBus also operates less stealthily, as a direct result of criticism and complaints about abusive use.</p>
<p>Where can I buy and download NetBus?</p>
<p>NetBus can be purchased and downloaded at the following address: http://www.netbus.org/</p>
<p>OK, I am infected. Now what?</p>
<p>Fortunately, the latest version of NetBus is a legitimate program and can be removed just like any other program. Previous releases of NetBus are a bit more tricky, however. If you are unlucky enough to be attacked with an older version, the removal process is similar to that for Back Orifice.</p>
<p>How do I remove NetBus?</p>
<p>   1. Click Start > Run, and type &#8220;Regedit&#8221; (without the quotes).<br />
   2. Follow the path below: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices<br />
   3. Now, in the right-hand pane, look for an entry of the form &#8220;[Name_of_Server].exe&#8221;. Of course, you have to find the actual name of this EXE file. Usually this is &#8220;Patch.exe&#8221; or &#8220;SysEdit.exe&#8221;, but it may vary.<br />
   4. Reboot and remove all traces of the actual program that may be left. Additionally, you can install NetBus yourself and then use its own removal function.</p>
<p>SubSeven / Sub7</p>
<p>SubSeven, or Sub7, was created for the same purpose as NetBus: pranks. Sub7 actually has more support for pranks, and has more advanced users. Sub7 is also widely used by script kiddies, although many firewalls and anti-virus programs stop it before it starts.</p>
<p>Since Sub7 has not been supported for several years, the threat is usually very low. Most security programs will have no problem stopping Sub7 before it has a chance to start. This shows that keeping security programs up to date is critical, because the risk is still there.</p>
<p>Nevertheless, it is widely used by those who have physical access to your firewall or security programs. With such access rights, the tool will work without restrictions.</p>
<p>Where can I buy and download Sub7?</p>
<p>Sub7 is no longer supported, and hence is not available for download on any legitimate website. If you were to do a Google search, you would find links to download Sub7. However, these are not the official site, and should be considered dubious and dangerous.</p>
<p>Sounds harmless. How do I remove it?</p>
<p>   1. End the following processes through Task Manager: &#8220;editserver.exe, subseven.exe&#8221;<br />
   2. Delete the following files: &#8220;editserver.exe, subseven.exe, tutorial.txt&#8221;.</p>
<p>Why are these programs considered legitimate?</p>
<p>The whole basis behind these programs is that they are designed to help people, not harm them. While some, like NetBus, really were originally created for pranks, they switched routes to avoid legal problems.</p>
<p>These programs claim to be legitimate remote desktop programs, although they can certainly be used for malicious purposes. These programs really should be used by help desks or customer support departments. Why every adolescent copies these programs is beyond us, but keeping them off your networks and computers is a good idea.</p>
]]></content:encoded>
			<wfw:commentRss>http://lpilinux.com/most-popular-backdoorstrojans-and-their-countermeasures.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is Fail2Ban tool?</title>
		<link>http://lpilinux.com/what-is-fail2ban-tool.html</link>
		<comments>http://lpilinux.com/what-is-fail2ban-tool.html#comments</comments>
		<pubDate>Sun, 04 Apr 2010 09:29:35 +0000</pubDate>
		<dc:creator>lpilinuxblog</dc:creator>
				<category><![CDATA[Linux Networking]]></category>

		<guid isPermaLink="false">http://lpilinux.com/what-is-fail2ban-tool.html</guid>
		<description><![CDATA[Fail2Ban is an intrusion prevention framework written in the Python programming language. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally (for example, iptables or TCP Wrapper). Fail2Ban&#8217;s main &#8230; <a href="http://lpilinux.com/what-is-fail2ban-tool.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[
<p>Fail2Ban is an intrusion prevention framework written in the Python programming language. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally (for example, iptables or TCP Wrapper). Fail2Ban&#8217;s main function is to block selected IP addresses that may belong to hosts that are trying to breach the system&#8217;s security. It determines the hosts to be blocked by monitoring log files (e.g. /var/log/pwdfail, /var/log/auth.log, etc.) and bans any host IP that makes too many login attempts or performs any other unwanted action within a time frame defined by the administrator.</p>
<p>Fail2Ban can perform multiple actions whenever an abusive IP is detected. It can update Netfilter/iptables firewall rules, or alternatively the TCP Wrappers hosts.deny table, to reject an abuser&#8217;s IP address; send email notifications; or run any user-defined action that can be carried out by a Python script.</p>
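<p>The detection rule the two paragraphs above describe, as an added Python example (this is not Fail2Ban&#8217;s own code): it applies the jail settings maxretry, findtime and bantime (named after the real Fail2Ban options; the values are assumed) to constructed sshd lines in auth.log syntax, bans an address that fails too often within findtime, and renders the iptables and hosts.deny actions as strings instead of executing them. The log lines and the year are assumptions.</p>

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd entries (not from a real host) in auth.log syntax.
SAMPLE_AUTH_LOG = """\
Apr  4 09:29:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.50 port 41022 ssh2
Apr  4 09:29:03 srv sshd[2102]: Failed password for root from 203.0.113.50 port 41023 ssh2
Apr  4 09:29:04 srv sshd[2103]: Failed password for root from 203.0.113.50 port 41024 ssh2
Apr  4 09:29:05 srv sshd[2104]: Failed password for root from 203.0.113.50 port 41025 ssh2
Apr  4 09:29:10 srv sshd[2110]: Accepted password for alice from 198.51.100.5 port 50110 ssh2
Apr  4 09:30:00 srv sshd[2111]: Failed password for alice from 198.51.100.5 port 50111 ssh2
Apr  4 09:45:00 srv sshd[2140]: Failed password for alice from 198.51.100.5 port 50112 ssh2
Apr  4 10:05:00 srv sshd[2190]: Failed password for alice from 198.51.100.5 port 50113 ssh2
"""

# Jail settings, named after the real Fail2Ban options; the values are assumed.
MAXRETRY = 3                        # failures that trigger a ban
FINDTIME = timedelta(seconds=600)   # the failures must fall inside this window
BANTIME = timedelta(seconds=600)    # how long the ban stays in place

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def detect_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME, year=2010):
    """Return [(ip, ban_time, unban_time)] in the order the bans would fire."""
    failures = defaultdict(deque)  # ip -> timestamps of its recent failures
    banned_until = {}
    bans = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m is None:
            continue  # successful logins and unrelated lines do not count
        # syslog timestamps carry no year; the year is an assumption of this example
        ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
        ip = m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue  # already banned: the firewall would have dropped this attempt
        window = failures[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            bans.append((ip, ts, ts + bantime))
            banned_until[ip] = ts + bantime
            window.clear()
    return bans


def ban_actions(ip):
    """Render the two firewall actions the article mentions, without running them."""
    return {
        "iptables": f"iptables -I INPUT -s {ip} -j DROP",  # Netfilter/iptables rule
        "hosts.deny": f"ALL: {ip}",                        # TCP Wrappers hosts.deny line
    }


if __name__ == "__main__":
    for ip, start, end in detect_bans(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{start:%H:%M:%S} ban {ip} until {end:%H:%M:%S}: {ban_actions(ip)}")
```

With these settings only 203.0.113.50 is banned; 198.51.100.5 also fails three times, but spread over 35 minutes, so never three within a 600-second findtime.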
]]></content:encoded>
			<wfw:commentRss>http://lpilinux.com/what-is-fail2ban-tool.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Snort &#8211; Full Tutorial</title>
		<link>http://lpilinux.com/snort-full-tutorial.html</link>
		<comments>http://lpilinux.com/snort-full-tutorial.html#comments</comments>
		<pubDate>Sun, 04 Apr 2010 09:28:34 +0000</pubDate>
		<dc:creator>lpilinuxblog</dc:creator>
				<category><![CDATA[Linux Networking]]></category>

		<guid isPermaLink="false">http://lpilinux.com/snort-full-tutorial.html</guid>
		<description><![CDATA[Snort is an open source network intrusion prevention and detection system that operates as a network sniffer. It logs activities of the network that is matched with the predefined signatures. Signatures can be designed for a wide range of traffic, &#8230; <a href="http://lpilinux.com/snort-full-tutorial.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[
<p>Snort is an open source network intrusion prevention and detection system that operates as a network sniffer. It logs network activity that matches predefined signatures. Signatures can be designed for a wide range of traffic, including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).</p>
<p>The three main modes in which Snort can be configured are as follows:</p>
<p>    * Sniffer mode: It reads packets from the network and displays them in a continuous stream on the console.</p>
<p>    * Packet logger mode: It logs the packets to disk.</p>
<p>    * Network intrusion detection mode: It is the most complex and configurable mode, allowing Snort to analyze network traffic for matches against a user-defined rule set.</p>
<p>Various features of Snort</p>
<p>Snort has the following features:</p>
<p>    * It detects and alerts people when it finds threats such as buffer overflows, stealth port scans, CGI attacks, SMB probes and NetBIOS queries, NMAP and other port scanners, well-known backdoors and system vulnerabilities, and DDoS clients.</p>
<p>    * It allows new signatures to be developed to detect vulnerabilities.</p>
<p>    * It logs packets in human-readable form, organized by IP address.</p>
<p>    * It is used as a passive trap to record the presence of traffic that should not be found on a network, such as NFS or Napster connections.</p>
<p>    * It is used to monitor a home DSL connection or a corporate Web site.</p>
<p>Snort Rules</p>
<p>Snort rules are the conditions specified by a network administrator to differentiate between normal Internet activity and malicious activity. Snort rules are made up of two basic parts:</p>
<p>    * Rule header: This is the part of any rule where the rule&#8217;s actions are identified. Alert, Log, Pass, Activate, Dynamic etc. are some important actions used in the snort rules.</p>
<p>    * Rule options: This is the part of any rule where the rule&#8217;s alert messages and further matching criteria are identified.</p>
<p>For example:</p>
<p>If a network administrator has written the rule alert tcp $HOME_NET any -> any 6667 (msg:"IRC port in use"; flow:from_client;), the first portion of the rule specifies the action and the traffic to examine, which is traffic to port 6667. If a match occurs, a message should be generated that reads &#8220;IRC port in use&#8221;, and the IDS will create a record that an IRC port might have been accessed.</p>
<p>Snort rule header</p>
<p>The Snort rule header contains information about the action a rule is going to take. It also contains the criteria for matching the rule against network packets. The options part of the rule consists of additional criteria for matching the rule against packets. A Snort rule is used to detect one or more types of intrusion attack. The structure of the Snort rule header is as follows:</p>
<p>    * The action part of the Snort rule header is used to determine the kind of action taken whenever the criteria are met and a rule is exactly matched against a data packet. Actions like generating an alert or log message or invoking another rule can take place afterwards.</p>
<p>    * The protocol part is used to apply the rule to network packets of a particular protocol. This is the first criterion described in the Snort rule. Protocols used in Snort rules are IP, ICMP, UDP, TCP, etc.</p>
<p>    * The address parts are used to define the addresses of the source and destination respectively. An address may be a single host, multiple hosts or a network address, depending upon the criteria and requirement. This part can also be used to exclude some addresses from a network. Which address is the source and which the destination is determined by the direction field in the Snort rule header. If the direction field is set to &#8220;->&#8221;, then the address on the left is the source and the address on the right is the destination.</p>
<p>      Note: When the TCP or UDP protocol is used, the port section determines the source and destination ports of a packet to which the rule is applied.</p>
<p>    * The direction part of the Snort rule is used to determine and differentiate the address and port number of source and destination.</p>
<p>Some common snort rules are as follows:</p>
<p>    * OS Fingerprinting:</p>
<p>      alert tcp any any -> any any<br />
      (msg:"O/S Fingerprint detected"; flags:S12;)</p>
<p>    * Trivial File Transfer Protocol attempt:</p>
<p>      alert udp any any -> any 69<br />
      (msg:"TFTP Connection Attempt";)</p>
<p>    * Password transfer:</p>
<p>      alert tcp any any -> any any<br />
      (content:"Password"; msg:"Password Transfer May Be Occurred!";)</p>
<p>    * Automated Unicode Attack By Nimda Virus:</p>
<p>      alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS<br />
      (msg:"WEB-IIS cmd.exe access"; flow:to_server,established;<br />
      content:"cmd.exe"; nocase; classtype:web-application-attack;<br />
      sid:1002; rev:6;)</p>
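<p>The header structure and the example rules above, worked through in an added Python example (this is not Snort&#8217;s own code): it splits a rule into the seven header fields and its options, expands $HOME_NET-style variables from an assumed variable mapping, and decides whether a described packet matches the header, including the ! negation used to exclude addresses and the &lt;&gt; direction. Only the header is matched; payload options such as content are parsed but not evaluated, and the variable values and packets are constructed.</p>

```python
import ipaddress
from dataclasses import dataclass

# Assumed variable definitions (what the "Variable definitions" section of snort.conf supplies).
VARIABLES = {
    "HOME_NET": "192.0.2.0/24",
    "EXTERNAL_NET": "!192.0.2.0/24",
    "HTTP_SERVERS": "192.0.2.10",
    "HTTP_PORTS": "80",
}


@dataclass
class RuleHeader:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str


def _expand(token, variables):
    """Replace $NAME with its value, keeping a leading ! negation."""
    negate = token.startswith("!")
    token = token.lstrip("!")
    if token.startswith("$"):
        token = variables[token[1:]]
    return ("!" if negate else "") + token


def parse_rule(rule, variables=VARIABLES):
    """Split a rule into its header (7 fields) and a list of (option, value) pairs."""
    head, _, body = rule.strip().partition("(")
    fields = head.split()
    if len(fields) != 7 or fields[4] not in ("->", "<>"):
        raise ValueError(f"malformed rule header: {head!r}")
    action, proto, src, sport, direction, dst, dport = fields
    header = RuleHeader(action.lower(), proto.lower(), _expand(src, variables),
                        _expand(sport, variables), direction,
                        _expand(dst, variables), _expand(dport, variables))
    options = []
    # Limitation: a ';' inside a quoted content value is not handled by this simple split.
    for item in body.strip().rstrip(")").split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options.append((key.strip(), value.strip().strip('"')))
    return header, options


def _addr_matches(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    nets = spec.lstrip("!").strip("[]").split(",")  # [a,b] lists several networks
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != negate


def _port_matches(spec, port):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    lo, sep, hi = spec.lstrip("!").partition(":")  # "lo:hi" ranges may be open at either end
    if sep:
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(lo)
    return hit != negate


def header_matches(header, pkt):
    """pkt is a dict with proto, src, sport, dst, dport (constructed, not a real capture)."""
    if header.proto != "ip" and header.proto != pkt["proto"]:
        return False

    def one_way(src, sport, dst, dport):
        return (_addr_matches(header.src, src) and _port_matches(header.sport, sport)
                and _addr_matches(header.dst, dst) and _port_matches(header.dport, dport))

    if one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    # "<>" applies the address/port pairs in both directions
    return header.direction == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


# The Nimda rule from this article, as a string the parser accepts.
NIMDA_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
              '(msg:"WEB-IIS cmd.exe access"; flow:to_server,established; '
              'content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:6;)')

if __name__ == "__main__":
    header, options = parse_rule(NIMDA_RULE)
    outside = {"proto": "tcp", "src": "203.0.113.5", "sport": 41000, "dst": "192.0.2.10", "dport": 80}
    print(header, dict(options)["sid"], header_matches(header, outside))
```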
<p>Snort Configuration File:</p>
<p>The Snort configuration file is read by Snort at startup. It contains all the rules and definitions which a user wants to apply. The user can use any name for the Snort configuration file, but snort.conf is regarded as the conventional name. The -c command line switch is used to specify the name of the configuration file, as shown in the example given below:</p>
<p>/cpt/snort/snort -c /cpt/snort/snort.conf</p>
<p>The above command uses /cpt/snort/snort.conf as the configuration file. A user can execute multiple Snort instances on different network interfaces with different configuration while using the configuration file name as a command line argument to Snort.</p>
<p>Sections of Snort Configuration File</p>
<p>There are six sections present in the Snort Configuration file. Each section carries different properties, which are important for the efficient and proper working of Snort. These sections are as follows:</p>
<p>   1. Variable definitions: This section is used to define different variables for Snort configuration. These variables are used in Snort rules and for specifying the location of rule files.</p>
<p>   2. Config parameters: This section is used to define different parameters of Snort configuration options.</p>
<p>   3. Preprocessor configuration: This section is used to define Preprocessors, which are used to perform actions before a packet is operated by the main Snort detection engine.</p>
<p>   4. Output module configuration: This section is used to control the logging of the Snort data.</p>
<p>   5. Defining new action types: This section is used to define custom action types in the Snort configuration file.</p>
<p>   6. Rules configuration and include files: This section is used to add external Snort rules files. These files are included in the main configuration file by using the include keyword.</p>
<p>Snort Decoder:</p>
<p>The Snort decoder is used to verify the structure of network packets and confirm that the packets are constructed according to specification. If a packet differs from the specification or carries an uncommon setting, then Snort will generate an alarm. These alarms are enabled by default; however, a user can disable a particular type of alert generated by the Snort decoder. The Snort decoder configuration options are as follows:</p>
<p>    * config disable_decode_alerts<br />
    * config disable_tcpopt_experimental_alerts<br />
    * config disable_tcpopt_obsolete_alerts<br />
    * config disable_tcpopt_ttcp_alerts<br />
    * config disable_tcpopt_alerts<br />
    * config disable_ipopt_alerts</p>
<p>Different tools associated with Snort:</p>
<p>    * AirSnort:</p>
<p>      AirSnort is a Linux-based WLAN WEP cracking tool that recovers encryption keys. AirSnort operates by passively monitoring transmissions. It uses a ciphertext-only attack and needs to capture approximately 5 to 10 million packets to recover the WEP keys.</p>
<p>    * Snort_inline:</p>
<p>      snort_inline is a modified and customized version of Snort. It accepts data packets from iptables and IPFW using libipq (Linux) or divert sockets, instead of libpcap. It then uses new rule types (drop, sdrop, reject) to inform iptables/IPFW whether the packet should be dropped, rejected, modified, or allowed to pass based on a Snort rule set. This is a kind of Intrusion Prevention System (IPS), which uses existing Intrusion Detection System (IDS) signatures to make decisions on packets that pass through snort_inline.</p>
<p>    * SnortSnarf:</p>
<p>      SnortSnarf is a program that was designed for use with Snort, a security program used mainly with Linux networks. SnortSnarf converts the data from Snort into Web pages. Snort is an open source network intrusion detection system (NIDS) that monitors network traffic in real time, scrutinizing each packet closely to detect dangerous payloads or suspicious anomalies. SnortSnarf runs on *nix variants, as well as on Win32 systems.</p>
<p>    * BASE:</p>
<p>      BASE stands for Basic Analysis and Security Engine. It is built on the code from the Analysis Console for Intrusion Databases (ACID) project. BASE provides a Web front-end to query and analyze the alerts coming from a Snort IDS system, and provides a visual representation of intrusion data. BASE is a Web interface for performing analysis of intrusions that Snort has detected on the network. It uses a user authentication and role-based system, so that a user such as the security admin can decide what and how much information each user can see.</p>
<p>    * sguil:</p>
<p>      Sguil is a collection of free software components for Network Security Monitoring (NSM) and event driven analysis of IDS alerts. The sguil client is written in Tcl/Tk and can be run on any operating system that supports Tcl/Tk. Sguil integrates alert data from Snort, session data from SANCP, and full content data from a second instance of Snort running in packet logger mode. It provides a visual representation of intrusion data. Sguil is an implementation of a Network Security Monitoring (NSM) system.</p>
<p>    * OSSIM:</p>
<p>      OSSIM (Open Source Security Information Management) is a collection of tools designed to aid network administrators in computer security, intrusion detection, and prevention. The goal of this project is to provide a comprehensive collection of tools to grant an administrator a view of all the security-related aspects of their system. OSSIM also provides a strong correlation engine, with detailed low-, mid-, and high-level visualization interfaces, as well as reporting and incident management tools built around detectors such as Snort. The ability to act as an intrusion prevention system based on correlated information from virtually any source results in a useful security tool. All this information can be filtered by network or sensor in order to provide just the information needed by specific users, allowing for a fine-grained multi-user security environment.</p>
]]></content:encoded>
			<wfw:commentRss>http://lpilinux.com/snort-full-tutorial.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IPTables Firewall &#8211; Full Tutorial</title>
		<link>http://lpilinux.com/iptables-firewall-full-tutorial.html</link>
		<comments>http://lpilinux.com/iptables-firewall-full-tutorial.html#comments</comments>
		<pubDate>Sun, 04 Apr 2010 09:26:50 +0000</pubDate>
		<dc:creator>lpilinuxblog</dc:creator>
				<category><![CDATA[Linux Networking]]></category>

		<guid isPermaLink="false">http://lpilinux.com/iptables-firewall-full-tutorial.html</guid>
		<description><![CDATA[iptables is a firewall that is a replacement of the IPChains firewall for the Linux 2.4 kernel and later versions. It requires elevated privileges to operate, and it must be executed by user root, otherwise it fails to function. iptables &#8230; <a href="http://lpilinux.com/iptables-firewall-full-tutorial.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[
<p>iptables is a firewall that replaces the IPChains firewall for the Linux 2.4 kernel and later versions. It requires elevated privileges to operate and must be executed by the root user, otherwise it fails to function. iptables allows a system administrator to configure the tables provided by Xtables (which in turn uses Netfilter) and the chains and rules it stores. iptables has the following features:</p>
<p>    * It supports stateful packet inspection.<br />
    * It filters packets according to MAC address and TCP header flag values.<br />
    * It is helpful for preventing attacks that use malformed packets.<br />
    * It helps mitigate DoS attacks.<br />
    * It provides better network address translation.<br />
    * It supports transparent integration of the operating system with Web proxy servers.</p>
<p>iptables command</p>
<p>The iptables command is used to create and configure IP tables that contain rules for packet filtering. The default filter table contains the INPUT, OUTPUT, and FORWARD chains. Various command parameters are used with the iptables command to perform a specific action on the specified chains. The syntax of the iptables command is as follows:</p>
<p>iptables [-t table] command [match] [target/jump]</p>
<p>Some of the important parameters are listed below:</p>
<table>
<tr><th>Parameter</th><th>Description</th></tr>
<tr><td>-A</td><td>Appends the specified rule to the chain.</td></tr>
<tr><td>-D n</td><td>Deletes the n(th) rule in the specified chain.</td></tr>
<tr><td>-F</td><td>Deletes (or flushes) every rule in the specified chain. If no chain is specified, it deletes the rules from all chains.</td></tr>
<tr><td>-h</td><td>Provides help by listing the command structures and a summary of command parameters and options.</td></tr>
</table>
<p>Note: These command parameters are uppercase (iptables is case sensitive), except for the -h parameter.</p>
<p>How does the iptables firewall work?</p>
<p>The Xtables framework, used by ip_tables, ip6_tables and arp_tables, allows the system administrator to define tables containing chains of rules for the treatment of packets. Each table is associated with a different kind of packet processing. Packets are processed by traversing the chains. A rule in a chain can send a packet to another chain, and this can be repeated to whatever level of nesting is desired. Every network packet arriving at or leaving from the computer traverses at least one chain.</p>
<p>The source of the packet determines which chain it traverses initially. There are three predefined chains (INPUT, OUTPUT, and FORWARD) in the &#8220;filter&#8221; table. Predefined chains have a policy, for example DROP, which is applied to the packet if it reaches the end of the chain. The system administrator can create as many other chains as desired. These chains have no policy; if a packet reaches the end of the chain, it is returned to the chain which called it. A chain may be empty.</p>
<p>Each rule in a chain contains the specification of which packets it matches. It may also contain a target. As a packet traverses a chain, each rule in turn examines it. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target, which may result in the packet being allowed to continue along the chain or it may not.</p>
<p>The packet continues to traverse the chain until either (1) a rule matches the packet and decides the ultimate fate of the packet (for example by calling one of the ACCEPT or DROP targets); or (2) a rule calls the RETURN target, in which case processing returns to the calling chain; or (3) the end of the chain is reached.</p>
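<p>The traversal rules just described, in an added Python simulation (this is not iptables or Netfilter code): built-in chains carry a policy, user-defined chains hand the packet back to their caller when it reaches their end or hits RETURN, and ACCEPT, DROP and REJECT decide the packet&#8217;s fate immediately. The INPUT chain is modelled on the iptables -L listing below, with an assumed user chain ADMIN added to show the RETURN case; packets are constructed dicts and the match conditions are plain functions.</p>

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that decide the packet's ultimate fate


@dataclass
class Rule:
    match: Callable[[dict], bool]  # the packet specification this rule matches
    target: str                    # ACCEPT/DROP/REJECT, RETURN, or the name of a user chain


@dataclass
class Chain:
    name: str
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None   # only built-in chains have a policy


def traverse(chains: Dict[str, Chain], name: str, pkt: dict) -> Optional[str]:
    """Walk one chain. Returns a final verdict, or None when a user chain ends
    (or RETURNs) without deciding, which sends the packet back to the calling chain."""
    chain = chains[name]
    for rule in chain.rules:
        if not rule.match(pkt):
            continue  # no match: the packet is passed to the next rule
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return chain.policy  # the policy in a built-in chain, None in a user chain
        verdict = traverse(chains, rule.target, pkt)  # jump into another chain
        if verdict is not None:
            return verdict
        # the called chain made no decision: continue with the next rule here
    return chain.policy  # end of chain: policy for built-in chains, None for user chains


def filter_packet(chains: Dict[str, Chain], pkt: dict) -> str:
    """Every packet arriving at the host enters the built-in INPUT chain."""
    return traverse(chains, "INPUT", pkt)


def build_filter(catch_all_reject: bool = True) -> Dict[str, Chain]:
    """Constructed 'filter' table modelled on the iptables -L listing in this article,
    plus an assumed user chain ADMIN that only admits SSH from 192.0.2.0/24."""
    admin = Chain("ADMIN", [
        Rule(lambda p: p["src"].startswith("192.0.2."), "ACCEPT"),
        Rule(lambda p: True, "RETURN"),  # not from the admin net: hand back to INPUT
    ])
    inp = Chain("INPUT", policy="DROP", rules=[
        Rule(lambda p: p["in"] == "lo", "ACCEPT"),                              # loopback
        Rule(lambda p: p["state"] in ("RELATED", "ESTABLISHED"), "ACCEPT"),    # replies
        Rule(lambda p: p["proto"] == "tcp" and p["dport"] == 22, "ADMIN"),     # jump
    ])
    if catch_all_reject:
        inp.rules.append(Rule(lambda p: True, "REJECT"))  # the listing's final rule
    forward = Chain("FORWARD", policy="DROP")
    output = Chain("OUTPUT", policy="ACCEPT")
    return {c.name: c for c in (inp, forward, output, admin)}


if __name__ == "__main__":
    fw = build_filter()
    pkt = {"in": "eth0", "src": "203.0.113.9", "proto": "tcp", "dport": 22, "state": "NEW"}
    print(filter_packet(fw, pkt))  # the ADMIN chain returns, so the catch-all REJECT fires
```

Without the catch-all REJECT rule the same outside SSH packet falls off the end of INPUT and the chain policy DROP applies instead.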
<p>Example</p>
<p>The command &#8220;iptables -L&#8221; is executed by user root to display an abridged view of the firewall configuration.</p>
<p># iptables -L<br />
Chain INPUT (policy DROP)<br />
target prot opt source destination<br />
ACCEPT all -- localhost.localdomain localhost.localdomain<br />
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED<br />
REJECT all -- anywhere anywhere</p>
<p>Chain FORWARD (policy DROP)<br />
target prot opt source destination</p>
<p>Chain OUTPUT (policy ACCEPT)<br />
target prot opt source destination</p>
<p>Redirection Example</p>
<p>This simple example of its use illustrates how to redirect all traffic on the default HTTP port, port 80, to port 8080, allowing the HTTP daemon to run as a non-privileged user, unable to listen on port numbers below 1024.</p>
<p>iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080</p>
<p>Note: If you launch this command on your computer, it will only work for external IP addresses connecting to your machine. Connections from localhost do not traverse the PREROUTING chain in the &#8220;nat&#8221; table. If you also want the redirection to work for local connections, use the following rule:</p>
<p>iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080</p>
<p>It reroutes packets on the loopback (lo) interface from port 80 to port 8080.</p>
<p>Netfilter</p>
<p>Netfilter is a framework that provides a set of hooks within the Linux kernel for intercepting and manipulating network packets.</p>
<p>The best-known component on top of Netfilter is the firewall which filters packets, but the hooks are also used by other components which perform network address translation, stateful tracking and packet enqueueing to user space.</p>
<p>Connection Tracking by Netfilter</p>
<p>One of the important features built on top of the Netfilter framework is connection tracking. Connection tracking allows the kernel to keep track of all logical network connections or sessions, and thereby relate all of the packets which may make up that connection. NAT relies on this information to translate all related packets in the same way, and iptables can use this information to act as a stateful firewall.</p>
<p>Connection tracking classifies each packet as being in a number of different states: new (trying to create a new connection), established (part of an already-existing connection), related (packet initiating a new connection that is related to, but not actually part of an existing connection), invalid (not part of an existing connection) and untracked. A normal example would be that the first packet the conntrack subsystem sees will be classified new, the reply would be classified established and an ICMP error would be related. An ICMP error packet which did not match any known connection would be invalid. untracked is a special state that can be assigned by the administrator to bypass connection tracking for a particular packet.</p>
<p>The connection state is completely independent of any TCP state. If the host answers with a SYN ACK packet to acknowledge a new incoming TCP connection, the TCP connection itself is not yet established, but the tracked connection is, so this packet will match the &#8220;established&#8221; state.</p>
<p>A tracked connection of a stateless protocol like UDP nevertheless has a connection state.</p>
<p>Furthermore, through the use of plugin modules, connection tracking can be given knowledge of application layer protocols and thus understand that two or more distinct connections are &#8220;related&#8221;. For example, consider the FTP protocol. A control connection is established, but whenever data is transferred, a separate connection is established to transfer it. When the nf_conntrack_ftp module is loaded, the first packet of an FTP data connection will be classified as &#8220;related&#8221; instead of &#8220;new&#8221;, as it is logically part of an existing connection.</p>
<p>iptables can use the connection tracking information to make packet filtering rules more powerful and easier to manage. The &#8220;conntrack&#8221; match extension allows iptables rules to examine the connection tracking classification for a packet. For example, one rule might allow NEW packets only from inside the firewall to outside, but allow RELATED and ESTABLISHED in either direction. This allows normal reply packets from the outside (ESTABLISHED), but does not allow new connections to come from the outside to the inside. However, if an FTP data connection needs to come from outside the firewall to the inside, it will be allowed, because the packet will be correctly classified as RELATED to the FTP control connection, rather than a NEW connection. </p>
]]></content:encoded>
			<wfw:commentRss>http://lpilinux.com/iptables-firewall-full-tutorial.html/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Various Password Policies to Secure Your Web Server</title>
		<link>http://lpilinux.com/various-password-policies-to-secure-your-web-server.html</link>
		<comments>http://lpilinux.com/various-password-policies-to-secure-your-web-server.html#comments</comments>
		<pubDate>Tue, 30 Mar 2010 08:56:27 +0000</pubDate>
		<dc:creator>lpilinuxblog</dc:creator>
				<category><![CDATA[Linux Networking]]></category>

		<guid isPermaLink="false">http://lpilinux.com/various-password-policies-to-secure-your-web-server.html</guid>
		<description><![CDATA[To make sure your password is secure and valid, follow the guidelines in the table below. Required Action Benefit Gained Do not store passwords in a clear text file. Avoids situation where convenience and speedy login are achieved at the &#8230; <a href="http://lpilinux.com/various-password-policies-to-secure-your-web-server.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[
<p>To make sure your password is secure and valid, follow the guidelines in the table below.</p>
<table>
<tr><th>Required Action</th><th>Benefit Gained</th></tr>
<tr><td>Do not store passwords in a clear text file.</td><td>Avoids a situation where convenience and speedy login are achieved at the expense of security.</td></tr>
<tr><td>Passwords shall be changed or expire in 90 days or less.</td><td>Reduces the likelihood of unauthorized penetration by limiting a password&#8217;s useful life.</td></tr>
<tr><td>Do not enable a password to be reused for at least four iterations.</td><td>Reduces the likelihood of unauthorized penetration by increasing password variability.</td></tr>
<tr><td>Allow only one user per account; never share userIDs or passwords.</td><td>Provides user accountability.</td></tr>
<tr><td>Never assign a login account a password that is the same string as the userID or that contains the userID.</td><td>Eliminates this possibility, which is the very first thing any hacker tries once they get a telnet prompt.</td></tr>
<tr><td>Never install a guest account.</td><td>Prevents penetration via certain well-known vulnerabilities in some User Datagram Protocol (UDP) services.</td></tr>
<tr><td>Deactivate unused accounts monthly. Consider an account unused if no login has occurred in 90 days.</td><td>Prevents a formerly authorized user from continuing to use the host.</td></tr>
<tr><td>No accounts will be named anonymous, ftp, telnet, www, host, user, bin, nobody, etc.</td><td>Avoids accounts which are commonly attacked via the password guessing method, e.g., ftp/ftp.</td></tr>
<tr><td>Never set any password equal to the null string, which is equivalent to no password at all.</td><td>Follows best security practices.</td></tr>
<tr><td>Passwords shall:
<ul>
<li>Be at least 8 characters in length.</li>
<li>Contain a combination of alphabetic and numeric characters.</li>
<li>Contain a nonnumeric character in the first and last position.</li>
<li>Contain no more than three identical consecutive characters in any position from the previous password.</li>
</ul></td><td>These requirements make it more difficult for a password guesser to obtain passwords. They increase the set of combinations that must be guessed and provide a mixture to defeat a dictionary attack.</td></tr>
<tr><td>Passwords shall not contain any special character. Only use letters and numbers.</td><td>Special characters in passwords are invalid characters for passwords.</td></tr>
<tr><td>Passwords shall not contain any dictionary word in any language.</td><td>Prevents dictionary attacks.</td></tr>
<tr><td>Passwords shall not contain any proper noun or the name of any person, pet, child, or fictional character. Passwords shall not contain any employee serial number, Social Security number, birth date, phone number, or any information that could be readily guessed about the creator of the password.</td><td>Helps prevent a password guess based on a hacker&#8217;s personal knowledge of the user.</td></tr>
<tr><td>Passwords shall not contain any simple pattern of letters or numbers, such as &#8220;qwerty&#8221; or &#8220;xyz123.&#8221;</td><td>These passwords are favorites a hacker might try early in a dictionary attack.</td></tr>
<tr><td>Passwords shall not be any word, noun, or name spelled backwards or appended with a single digit or with a two-digit &#8220;year&#8221; string, such as 98xyz123.</td><td>The dictionaries used by hackers are huge, and the Crack V algorithms are clever and thorough.</td></tr>
<tr><td>The manager or owner of the host shall revalidate all userIDs at least annually.</td><td>Best security practice to clean out the userIDs of ex-employees and to verify which userIDs are valid.</td></tr>
</table>
<p><a href="http://itss.gsa.gov/itss/v41_helpdocs.nsf/LUHowdoI/PasswordRules!OpenDocument">itss.gsa.gov</a> </p>
]]></content:encoded>
			<wfw:commentRss>http://lpilinux.com/various-password-policies-to-secure-your-web-server.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to install Google Earth in Ubuntu Linux?</title>
		<link>http://lpilinux.com/how-to-install-google-earth-in-ubantu-linux.html</link>
		<comments>http://lpilinux.com/how-to-install-google-earth-in-ubantu-linux.html#comments</comments>
		<pubDate>Fri, 19 Mar 2010 05:00:51 +0000</pubDate>
		<dc:creator>lpilinuxblog</dc:creator>
				<category><![CDATA[Linux Networking]]></category>

		<guid isPermaLink="false">http://lpilinux.com/?p=386</guid>
		<description><![CDATA[Google Earth is a virtual globe, map and geographic information program that was originally called EarthViewer 3D, and was created by Keyhole, Inc, a company acquired by Google in 2004. It maps the Earth by the superimposition of images obtained &#8230; <a href="http://lpilinux.com/how-to-install-google-earth-in-ubantu-linux.html">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[
<p><strong>Google Earth</strong> is a virtual globe, map and geographic information program that was originally called EarthViewer 3D, and was created by Keyhole, Inc, a company acquired by Google in 2004. It maps the Earth by the superimposition of images obtained from satellite imagery, aerial photography and GIS 3D globe. It is available under three different licenses: Google Earth, a free version with limited functionality; Google Earth Plus (discontinued), which included additional features; and Google Earth Pro ($400 per year), which is intended for commercial use.</p>
<p>Google Earth is in the Medibuntu repository.</p>
<p>Here are the steps:</p>
<p>Add the Medibuntu source:</p>
<p><strong>sudo gedit /etc/apt/sources.list</strong></p>
<p>Append the following:</p>
<p># Medibuntu Source<br />
deb http://packages.medibuntu.org/ hardy free non-free<br />
deb-src http://packages.medibuntu.org/ hardy free non-free</p>
<p>Next add the GPG key with this command:</p>
<p><strong>wget -q http://packages.medibuntu.org/medibuntu-key.gpg -O- | sudo apt-key add -</strong></p>
<p>Update with this command:</p>
<p><strong>sudo aptitude update</strong></p>
<p>Now try this install command:</p>
<p><strong>sudo aptitude install googleearth-4.3</strong></p>
<p>Have any suggestions or changes, or know another way to do this? Feel free to say so in the comments section below.<br />
Read more: <a href="http://ubuntulinuxhelp.com/google-earth-and-chrome-reader-questions/#ixzz0iayFSlTj">http://ubuntulinuxhelp.com/google-earth-and-chrome-reader-questions/#ixzz0iayFSlTj</a> </p>
]]></content:encoded>
			<wfw:commentRss>http://lpilinux.com/how-to-install-google-earth-in-ubantu-linux.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

