Protect yourself by knowing what services you are offering. In order to protect your system from crackers, you have to think like one. The first step in determining the level of risk of the services you are offering to the public is to determine what those services are.

Chances are you've heard of SATAN, the System Administrator Tool for Analyzing Networks. Designed by Dan Farmer and Wietse Venema, SATAN scans systems for the existence of well known, often exploited vulnerabilities.

Todays scanners, such as nmap and SAINT, have become popular tools for determining what ports are open, and potential vulnerabilities for those services.

Using nmap, you can port scan large numbers of hosts in a brief period of time using a variety of scanning methods. A typical execution of the program might go like this: 

dave@mastermind dave$] nmap localhost

Starting nmap V. 2.54BETA1 by This email address is being protected from spambots. You need JavaScript enabled to view it. ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1515 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop-3
113/tcp    open        auth
139/tcp    open        netbios-ssn
143/tcp    open        imap2
515/tcp    open        printer

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

Using this information, a cracker can begin to determine what ports are available to compromise the box.

Resources

  • nmap

    nmap is a utility for port scanning large networks using various scanning techniques. nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, detection of down hosts via parallel pings. Nmap also offers flexible target and port specification, decoy scanning, determination of TCP sequence predictability characteristics, and output to machine parseable or human readable log files.

  • SAINT

    SAINT is the Security Administrator's Integrated Network Tool. In its simplest mode, it gathers as much information about remote hosts and networks as possible by examining such network services as finger, NFS, NIS, ftp and tftp, rexd, statd, and other services. The information gathered includes the presence of various network information services as well as potential security flaws -- usually in the form of incorrectly setup or configured network services, well-known bugs in system or network utilities, or poor or ignorant policy decisions. It can then either report on this data or use a simple rule-based system to investigate any potential security problems.

  • SARA

    The Security Auditor's Research Assistant (SARA) is a third generation Unix-based security analysis tool that is based on the SATAN model, CVE standards support, enterprise-level search module, standalone or daemon mode, free-use open license, and updated twice a month.

  • WebTrends Security Analyzer

    WebTrends Security Analyzer helps you discover and fix the latest known security vulnerabilities on your Internet, intranet and extranet. Systems are analyzed on demand or at scheduled intervals, allowing prioritization and comparative reports to be generated with recommended fixes that resolve possible exploitations.

  • Nessus

    A security scanner is a software which will audit remotely a given network and determine whether bad guys (aka 'crackers') may break into it, or misuse it in some way. Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not consider that a given service is running on a fixed port - that is, if you run your web server on port 1234, Nessus will detect it and test its security. It will not make its security tests regarding the version number of the remote services, but will really attempt to exploit the vulnerability.

  • Argus

    Argus is a generic IP network transaction auditing tool. Argus runs as an application level daemon, promiscuously reading network datagrams from a specified interface, and generates network traffic status records for the network activity that it encounters.

The ISS Network Security Scanner used to run on Linux, but they have for some reason dropped support for it. I'm sure they would love to know what fellow Linux users are thinking by contacting them. They actually want you to run the NT version through VMWare.