N kinds of weapons for finding vulnerabilities under Linux

  

The Linux operating system is an open source, free operating system that is not only secure, stable, and low cost, but also rarely found to spread viruses. Therefore, Linux has always been considered a rival to Microsoft Windows. In recent years, with the increasing popularity of Linux in China, more and more servers, workstations and personal computers have begun to run Linux software, and more and more security enthusiasts have developed a strong interest in this operating system. The purpose of this article is to give users a more detailed and comprehensive understanding of the features and usage of the best hacking software under Linux. Today we start with the N kinds of weapons for finding vulnerable hosts.
A vulnerability scanner is a program that automatically detects security weaknesses in remote or local hosts. As on Windows, once a hacker has a list of target hosts, he can use Linux scanner programs to find vulnerabilities in those hosts. In this way, an attacker can discover the TCP port assignments, the services provided, the web server software versions, and the security vulnerabilities in these services. For system administrators, detecting and blocking this behavior in time can greatly reduce the incidence of intrusions. Vulnerability scanners are conventionally divided into two types: host scanners and network scanners. A host vulnerability scanner is a program that runs locally to detect vulnerabilities in the system. A network vulnerability scanner is a program that remotely detects vulnerabilities in target networks and host systems over the Internet. Below, we select some typical software and examples to introduce.
1. Host-based utility scanning software
(1) sXid
sXid is a system monitoring program. After downloading the software, install it with the “make install” command. It scans the system for suid and sgid files and directories, since these are likely places for backdoors, and can be set to report results via email. The default configuration file is /etc/sxid.conf. The comments in this file are easy to understand; it defines how sxid works, how many times the log files are rotated, and so on. The log file defaults to /var/log/sxid.log. For security reasons, after configuring the parameters we can make sxid.conf unchangeable and use the chattr command to make the sxid.log file append-only. In addition, we can run a check at any time with sxid -k. This check is flexible and neither logs nor sends email. As shown in Figure 1.



Figure 1
(2) LSAT
Linux Security Auditing Tool (LSAT) is a local security scanner that finds unsafe default configurations and can generate a report. LSAT was developed by Triode and is designed primarily for RPM-based Linux distributions. After downloading the software, compile it as follows:

cndes$ tar xzvf lsat-VERSION.tgz
cndes$ cd lsat-VERSION
cndes$ ./configure
cndes$ make

Then run it as root: root# ./lsat. By default, it generates a report called lsat.out. You can also specify some options:

-o filename   Specifies the name of the report file
-v            Verbose output mode
-s            Does not print any information on the screen, only writes the report
-r            Performs an RPM checksum check to find files whose default content and permissions have changed

LSAT can check a lot of content, mainly: unneeded RPM packages; inetd, xinetd and some system configuration files; SUID and SGID files; files with mode 777; processes and services; open ports; and so on. The common way to use LSAT is to call it periodically from cron and then use diff to compare the current report with the previous one, which reveals changes in the system configuration. Below is a report fragment from a test:

****************************************
This is a list of SUID files on the system:
/bin/ping
/bin/mount
/bin/umount
/bin/su
/sbin/pam_timestamp_check
/sbin/pwdb_chkpwd
/sbin/unix_chkpwd
****************************************
This is a list of SGID files/directories on the system:
/root/Sendmail.bak
/root/mta.bak
/sbin/netreport
****************************************
List of normal files in /dev. MAKEDEV is ok, but there should be no other files:
/dev/MAKEDEV
/dev/MAKEDEV.afa
****************************************
This is a list of world writable files
/etc/cron.daily/backup.sh
/etc/cron.daily/update_CDV.sh
/etc/megamonitor/monitor
/root/e
/root/pl/outfile
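The cron-and-diff routine described above can be made section-aware, so that a new path is reported together with the report section it appeared under. The following is an added example, not part of LSAT or of the original article; it assumes the report layout shown in the fragment (a row of asterisks, a one-line header, then one path per line), and the function names and sample reports are constructed for illustration.

```shell
#!/bin/sh
# Added example: section-aware comparison of two LSAT reports.
# Assumption: layout as in the fragment above (asterisk row, header, paths).

# Print "header<TAB>path" for every path in report $1, sorted for comm(1).
lsat_entries() {
    awk '
        /^\*[* ]*$/  { want_header = 1; next }                 # separator row
        /^[ \t]*$/   { next }                                  # blank line
        want_header  { section = $0; want_header = 0; next }   # section header
        /^\//        { print section "\t" $0 }                 # path entry
    ' "$1" | LC_ALL=C sort -u
}

# Print entries present in report $2 (current) but not in $1 (previous).
lsat_new_entries() {
    prev=$(mktemp) && curr=$(mktemp) || return 1
    lsat_entries "$1" > "$prev"
    lsat_entries "$2" > "$curr"
    LC_ALL=C comm -13 "$prev" "$curr"
    rm -f "$prev" "$curr"
}

# Constructed sample reports; /usr/local/bin/newtool is a hypothetical path.
demo_dir=$(mktemp -d)
cat > "$demo_dir/lsat.prev" <<'EOF'
****************************************
This is a list of SUID files on the system:
/bin/ping
/bin/su
****************************************
This is a list of world writable files
/etc/cron.daily/backup.sh
EOF
cat > "$demo_dir/lsat.out" <<'EOF'
****************************************
This is a list of SUID files on the system:
/bin/ping
/bin/su
/usr/local/bin/newtool
****************************************
This is a list of world writable files
/etc/cron.daily/backup.sh
/etc/passwd
EOF

lsat_new_entries "$demo_dir/lsat.prev" "$demo_dir/lsat.out"
```

In a cron job, the previous report would be a saved copy of lsat.out from the last run; any output from lsat_new_entries is a new SUID, SGID or world-writable entry worth reviewing.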
(3)GNU Tiger
GNU Tiger is a scanner that checks the security of the local machine; it is derived from TAMU Tiger (an older scanner). Tiger checks for: system configuration errors; unsafe permission settings; files writable by all users; SUID and SGID files; crontab entries; Sendmail and ftp settings; weak or empty passwords. In addition, it exposes weaknesses and produces detailed reports.
(4) Nabou
Nabou is a Perl program that can be used to monitor system changes. It provides file integrity and user account checks, and saves all data in a database. In addition, users can embed Perl code in the configuration file to define their own functions and perform custom tests, which makes it very convenient to operate.
(5)COPS
COPS can report system configuration errors and other information, and performs security checks on Linux systems. It checks: permissions of files, directories and device files; the content, format and permissions of important system files; whether there are SUID files owned by root; CRC checksums of important system binaries, to see whether they have been modified; and network applications such as anonymous FTP and Sendmail. It should be pointed out that COPS is only a monitoring tool and does not make actual repairs. This software is best used together with other tools; its strength is that it is good at finding potential vulnerabilities.
(6)strobe
Strobe is a TCP port scanner that records all open ports of a given machine and runs very fast. It was originally used to scan emails that were publicly available on the LAN to get mail user information. Another important feature of Strobe is its ability to quickly identify which services are running on a given machine. The downside is that the amount of information it provides is limited.
(7) SATAN
SATAN can help system administrators check their security, and it can also be used by network-based attackers to search for vulnerable systems. SATAN is a security tool designed for systems and administrators. However, because of its versatility, ease of use, and ability to scan remote networks, SATAN may also be used out of curiosity to locate vulnerable hosts. SATAN includes a checklist of network security issues, probes a particular system or subnet over the network, and reports its findings.
