Linux Security Tools

 

System Auditing

• Chkrootkit (YoLinux tutorial) - Scan system for trojans, worms and exploits.
• checkps - detect rootkits by detecting falsified output and similar anomalies. The ps check should work on anything with /proc. Also uses netstat.
• Rootkit hunter - scans for rootkits, back doors and local exploits
• Rkdet - root kit detector daemon. Intended to catch someone installing a rootkit or running a packet sniffer.
• Tripwire : The grand-daddy of file integrity checkers
• RKHunter : An Unix Rootkit Detector
• chkrootkit : Locally checks for signs of a rootkit
• fsaudit - Perl script to scan file systems and search for suspicious looking directories
• - UNIX security checks. Programs and shell scripts which perform security checks. Checks include file and directory permissions, passwords, system scripts, SUID files, ftp configuration check, ...
• SARA - Security Auditor's Research Assistant - network security vulnerability scanner for SQL injections, remote scans, etc. (follow-on to the SATAN analysis tool)
• - Texas A&M University developed tools
• Tiger - Scan a Unix system looking for security problems (Similar to COPS) -
• Tiger Analytical Research Assistant (TARA Pro) - Commercial support
• Netlog - TCP and UDP suspicious traffic logging system
• Drawbridge - Firewall package (Free BSD)
• Dsniff : A suite of powerful network auditing and penetration-testing tools
• P0f : A versatile passive OS fingerprinting tool
• BASE : The Basic Analysis and Security Engine

Network Vulnerability Audits

• Nessus - Remote security scanner - This is my favorite security audit tool!! Checks service exploits and vulnerabilities.
• ISIC - IP Stack Integrity Checker
• Argus - IP network transaction auditing tool. This daemon promiscuously reads network datagrams from a specified interface, and generates network traffic status records
• Argus 2
• SAINT - Finds computers on the network, port scans and does a vulnerability check and outputs a report. - Commercial product.
• InterSect Alliance - Intrusion analysis. Identifies malicious or unauthorized access attempts.
• Linuxforce: AdminForce CGI Auto Audit - CGI script analyzer to find security deficiencies.
• Core Impact : An automated, comprehensive penetration testing product
• Canvas : A Comprehensive Exploitation Framework
• SolarWinds : A plethora of network discovery/monitoring/attack tools
• Yersinia : A multi-protocol low-level attack tool

Wireless Vulnerability Audit Tools

• AirSnort - wireless LAN (WLAN) tool that recovers encryption keys.
• WEPCrack
• Kismet - Wireless Sniffer
• Aircrack : The fastest available WEP/WPA cracking tool

Port Scanners/Network Discovery Tools

• nmap - Port scanner and security scanning and investigation tool
• NmapFe - GUI front-end to NMAP
• KNmap - KDE front-end
• pbnj - Diff nmap scans to find changes to systems on the network.
• nmap3d - nmap post processing to 3-d VRML
• nmap-sql - log scans to database
• portscan - C++ Port Scanner will try to connect on every port you define for a particular host.
• pof - passive OS fingerprinting.
• NetCat - This simple utility reads and writes data across TCP or UDP network connections. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need, including port binding to accept incoming connections
• Scanrand : An unusually fast stateless network service and topology discovery system
• Web/http scan:
• Nikto - web server scanner. CGI, vulnerability checks. Not a stealthy tool. For security tests.
• Paros Proxy - A web application vulnerability assessment proxy
• Web Scarab - A framework for analyzing applications that communicate using the HTTP and HTTPS protocols
• Whisker/libwhisker : Rain.Forest.Puppy's CGI vulnerability scanner and library
• Burpsuite : An integrated platform for attacking web applications
• SPIKE Proxy : HTTP Hacking

Network Sniffers

• DSniff - network tools for auditing and penetration testing.
• Wireshark - full network protocol sniffer/analyzer
• (Ethereal - legacy. Now Wireshark)
• IPTraf - curses based IP LAN monitor
• TcpDump - network monitor and data acquisition
• VOMIT - Voice Over Misconfigured Internet Telephones - Use TCP dump of VOIP stream and convert to WAV file.
• Cisco Call Manager depends on MS/SQL server and are thus vulnerable to SQL Slammer attacks.
• KISMET - 802.11a/b/g wireless network detector, sniffer and intrusion detection system.
• DISCO - Passive IP discovery and fingerprinting tool. Sits on a segment of a network to discover unique IPs and identify them.
• Yersina - Framework for analyzing and testing the deployed networks and systems. Designed to take advantage of some weakness in different Layer 2 protocols: Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), IEEE 802.1q, Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP).
• EtterCap - Ettercap is a terminal-based network sniffer/interceptor/logger for ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like ssh and https). Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.
• Ntop : A network traffic usage monitor
• Ngrep : Convenient packet matching & display
• EtherApe : EtherApe is a graphical network monitor for Unix modeled after etherman
• Argus : A generic IP network transaction auditing tool
• Ike-scan : VPN detector/scanner
• Arpwatch : Keeps track of ethernet/IP address pairings and can detect certain monkey business

Password crackers

• John the Ripper - weak password detection. crypt, Kerberos AFS, MS/Windows LM, ...
• lCRACK - password hacker, dictionary, brute force incremental, ...
• THC Hydra : A Fast network authentication cracker which supports many different services
• Aircrack : The fastest available WEP/WPA cracking tool
• Airsnort : 802.11 WEP Encryption Cracking Tool
• RainbowCrack : An Innovative Password Hash Cracker

Honeypots

• Honeyd : Your own personal honeynet

Exploits:

• bobkit
• woot-project

• MetaSploit - Exploit launcher, test and development tool

Intrusion Detection Systems

• SNORT - This lightweight network intrusion detection and prevention system excels at traffic analysis and packet logging on IP networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine
• OSSEC HIDS : An Open Source Host-based Intrusion Detection System
• Fragroute/Fragrouter : A network intrusion detection evasion toolkit
• BASE : The Basic Analysis and Security Engine
• Sguil : The Analyst Console for Network Security Monitoring

Encryption Tools

• GnuPG / PGP : Secure your files and communication w/advanced encryption
• OpenSSL : The premier SSL/TLS encryption library
• Tor : An anonymous Internet communication system
• Stunnel : A general-purpose SSL cryptographic wrapper
• OpenVPN : A full-featured SSL VPN solution
• TrueCrypt : Open-Source Disk Encryption Software for Windows and Linux

Log Analysis

• AWStats
• Webalyzer
• Calamaris - parses logfiles from Squid, NetCache, Inktomi Traffic Server, Oops! proxy server, Novell Internet Caching System, Compaq Tasksmart or Netscape/iplanet Web Proxy Server and generates a report
• fwlogwatch - fwlogwatch is a packet filter / firewall / IDS log analyzer written by Boris Wesslowski originally for RUS-CERT. It supports a lot of log formats and has many analysis options. It also features incident report and realtime response capabilities, an interactive web interface and internationalization.
• LogCheck - Logcheck is a simple utility which is designed to allow a system administrator to view the logfiles which are produced upon hosts under their control.
• Logwatch - Logwatch analyzes and reports on system logs. It is a customizable and pluggable log-monitoring system and will go through the logs for a given period of time and make a customizable report. It should work right out of the package on most systems.
• syslog-ng is a flexible and highly scalable system logging application that is ideal for creating centralized and trusted logging solutions.
• LogAnalysis.org has multiple application specific log analyzers
• Swatch can assist with logfile analysis, providing immediate notification if log entries matching a regular expression are spotted, or to review logfiles for unknown data.

Network Monitoring and Management

• Nagios : An open source host, service and network monitoring program
• Argus : A generic IP network transaction auditing tool
• Sguil : The Analyst Console for Network Security Monitoring

AntiVirus

• ClamAV : A GPL anti-virus toolkit for UNIX
• AVG- AVG Internet Security for Linux
• F-PROT AntiVirus for Linux
• Avast!
• McAfee
• Avira AntiVir Personal

Other (no category)

• Bastille : Security hardening script for Linux, Mac OS X, and HP-UX