eAccelerator auto installer for cPanel

eAccelerator description:
"eAccelerator is a free open-source PHP accelerator, optimizer, and dynamic content cache. It increases the performance of PHP scripts by caching them in their compiled state, so that the overhead of compiling is almost completely eliminated. It also optimizes scripts to speed up their execution. eAccelerator typically reduces server load and increases the speed of your PHP code by 1-10 times." (Source: eAccelerator)

The auto installer is meant to run on any cPanel server and has a number of sanity checks built in so that it aborts instead of leaving you with a broken PHP. Still, read the script before running it as root: it is fetched over plain HTTP and it rewrites php.ini.

Download and run eAccelerator autoinstaller:
# wget http://tutorials.medialayer.com/cPanel/eaccelerator.sh
# chmod 700 eaccelerator.sh
# ./eaccelerator.sh

Note: php.ini is backed up before it is modified, so you can restore it if PHP misbehaves afterwards.

Install DDoS Deflate

When you run this script it runs netstat, counts how many connections each IP address has open to the server and, if an address has more than the number of connections you configured, bans it through APF.

Install:
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

Uninstall:
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos
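To see what the script is actually doing with netstat, here is an added example (my own code, not DDoS Deflate's) that does the same counting on a constructed netstat sample, skips an ignore list of your own addresses, and only prints the APF deny command (`apf -d`) instead of running it. The sample output, the threshold and the ignore list are all assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not DDoS Deflate's own code): count connections per remote
# address from netstat-style output and list the addresses above a threshold.
# The sample below is constructed; the ban step is only printed, never run.

# Constructed sample of `netstat -ntu` output, header lines included so the
# parser has to skip them like it would on a real box.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.7:51237       TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.9:4000       ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.1:2222          ESTABLISHED'

# Addresses that must never be banned (your own management IPs); constructed.
IGNORE_IPS='192.0.2.1'

# over_threshold THRESHOLD: read netstat output on stdin and print "count ip"
# for every remote IP with more than THRESHOLD connections, highest first.
over_threshold() {
    awk -v t="$1" '
        $5 ~ /:/ {                           # only rows carrying addr:port
            ip = $5; sub(/:[^:]*$/, "", ip)  # drop the port (IPv6-safe)
            n[ip]++
        }
        END { for (ip in n) if (n[ip] > t) print n[ip], ip }' | sort -rn
}

# ban_commands THRESHOLD: print the APF deny command DDoS Deflate would run for
# each offender that is not on the ignore list. Swap `echo` for a real call only
# after you have looked at the list by hand.
ban_commands() {
    over_threshold "$1" | while read -r count ip; do
        case " $IGNORE_IPS " in
            *" $ip "*) continue ;;           # whitelisted: never ban
        esac
        echo "apf -d $ip  # $count connections"
    done
}

# Usage: printf '%s\n' "$SAMPLE_NETSTAT" | ban_commands 3
```

Note that every state is counted, TIME_WAIT included, exactly as the plain netstat count does; a busy but legitimate NAT gateway in front of an office will show up the same way as an attacker, which is what the ignore list is for.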

Also read: How TO install APF Firewall

Useful Exim commands

These are some useful Exim commands

--------> REMOVE A MESSAGE BY ID -------->
# /usr/sbin/exim -v -Mrm (MESSAGE ID HERE)

--------> LIST QUEUED MESSAGES -------->
# /usr/sbin/exim -bp

Only count them:
# /usr/sbin/exim -bpc

--------> DELETE FROZEN MESSAGES -------->
# /usr/sbin/exim -bp | awk '$6~"frozen" { print $3 }' | xargs exim -Mrm

Force a delivery run over the whole queue, frozen messages included, in the background:
# /usr/sbin/exim -qff -v -C /etc/exim.conf &

--------> FREEZE MESSAGES FROM A SENDER -------->
# /usr/sbin/exiqgrep -i -f (MAIL ADDRESS HERE) | xargs exim -Mf

--------> REMOVE MESSAGES FROM A SENDER -------->
# /usr/sbin/exiqgrep -i -f (MAIL ADDRESS HERE) | xargs exim -Mrm

Note: the argument to exiqgrep -f is a regular expression, not a plain address, so escape the dots or anchor it if you do not want it to match more than you intended.
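The awk one-liner above works because of how `exim -bp` lays out its listing. Here is an added example (my own, not from Exim or the original post) that shows the layout on a constructed queue listing and pulls out IDs by frozen state and by envelope sender, so you can see what field 3 and field 6 are before you pipe anything into `exim -Mrm`. The message IDs and addresses are constructed.

```shell
#!/bin/sh
# Added example (not part of Exim or the original post): pick message IDs out
# of `exim -bp` output to show what the awk one-liners are matching.

# Layout of `exim -bp`: one header line per message
#   <age> <size> <message-id> <sender> [*** frozen ***]
# followed by one indented line per recipient. That is why $3 is the ID and a
# frozen message has "frozen" in field 6. Constructed sample:
SAMPLE_QUEUE=' 25m  1.2K 1kAbCd-000123-Ab <spammer@example.com> *** frozen ***
          victim@example.org

  3h   15K 1kAbCe-000124-Cd <user@example.net>
          someone@example.org

 12h   800 1kAbCf-000125-Ef <> *** frozen ***
          postmaster@example.org'

# frozen_ids: print the ID of every frozen message in the listing on stdin.
frozen_ids() {
    awk '$6 ~ /frozen/ { print $3 }'
}

# ids_from_sender ADDRESS: print IDs of messages whose envelope sender is
# exactly ADDRESS (pass "" for bounces, which exim shows as <>). This is an
# exact match, unlike `exiqgrep -f`, which takes a regular expression.
ids_from_sender() {
    awk -v s="<$1>" '$4 == s { print $3 }'
}

# Usage: printf '%s\n' "$SAMPLE_QUEUE" | frozen_ids | xargs -r exim -Mrm
```

When you chain this into `xargs exim -Mrm`, use `xargs -r` (GNU xargs) so that an empty ID list does not run `exim -Mrm` with no arguments.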

How To Install IonCube Loader

If you need to run ionCube-encoded scripts, the ionCube Loader has to be installed on your server (the loader decodes them; encoding is done elsewhere with the ionCube encoder).

Log in to your server as root and download the loader package for your platform from: http://www.ioncube.com/loader_download.php
# tar -zxvf ioncube_loaders.tar.gz
# cd ioncube

Copy the ioncube-install-assistant.php file into a web directory:
# cp ioncube-install-assistant.php /home/username_here/www

Go to: http://www.somedomain.com/ioncube-install-assistant.php

You should see something like this:

PHP Version 4.3.3
Operating System Linux
Threaded PHP No
php.ini file /usr/local/lib/php.ini
Required Loader ioncube_loader_lin_4.3.so

Go back to the directory where you extracted the archive and move the loaders into /usr/local:
# mv ioncube /usr/local

Edit the php.ini file:
# nano /usr/local/lib/php.ini
Under [zend] put this line, using the loader the assistant told you is required:
zend_extension = /usr/local/ioncube/ioncube_loader_lin_4.3.so
ionCube requires its loader line to come before any other zend_extension line (Zend Optimizer, for example), so keep it first. Save and exit.

Restart Apache so PHP picks up the new php.ini:
# /etc/init.d/httpd restart

Check that it worked: `php -v` should now mention the ionCube PHP Loader in its output.

Secure WHM/cPanel

Log in to WHM on your server as root:

Under "Domains"
- Prevent users from parking/adding on common internet domains (e.g. hotmail.com, aol.com), so that a customer cannot capture mail for those domains on your server.

"Server Setup" --------> "Tweak Settings"
- Check the following items...

"Mail" section:
- Attempt to prevent pop3 connection floods
- Default catch-all/default address behavior for new accounts - blackhole
(According to ELIX this should be set to FAIL instead, which is what I am going to do to reduce server load.)

"System" section:
- Use jailshell as the default shell for all new accounts and modified accounts

"Server Setup" --------> "Tweak Security"
- Enable php open_basedir Protection
- Enable mod_userdir Protection
- Disable Compilers for unprivileged users

"Server Setup" --------> "Manage Wheel Group Users"
- Remove all users except root and your main account from the wheel group.

"Server Setup" --------> "Shell Fork Bomb Protection"
- Enable Shell Fork Bomb/Memory Protection

"Resellers" --------> "Reseller Center"
- Reseller privileges should stay disabled unless they are needed. Disable "Allow Creation of Packages with Shell Access", enable "Never allow creation of accounts with shell access", and under "Root Access" disable "All Features".

"Service Configuration" --------> "FTP Configuration"
- Disable Anonymous FTP

"Account Functions" --------> "Manage Shell Access"
- Disable Shell Access for all users (except yourself)

"Mysql" section --------> "MySQL Root Password"
- Change the root password for MySQL
The SysAdmin Song

A funny song that sings the praises of System Administrators. Written by Wes Borg of Three Dead Trolls in a Baggie.

Funny :)

Good SVN Tutorial for Unix

"In computing, Subversion (SVN) is a version control system (VCS) (...). It allows users to keep track of changes made to any type of electronic data, typically source code, web pages or design documents." (Source: Wikipedia)

Here is a good Tutorial for SVN:
SVN Tutorial

Wammu the mobile phone manager

What is Wammu?

Wammu is a mobile phone manager that runs on Linux, Windows and possibly other platforms. Communication with the phone is done through the Gammu library.

Wammu features:
- complete support (read/edit/delete/copy) for contacts, to-do items and calendar
- can read/create/save/send/backup SMS messages
- sending files to the phone (OBEX and Sony Ericsson phones only)
- SMS composer for multi-part messages (currently only text and predefined bitmaps/sounds can be edited)
- display of messages including pictures, and ringtone playback
- backup and import in various formats (vCard, vCalendar, vTodo, iCalendar, Gammu's own backup, ...)
- export of messages to mail (IMAP4, maildir and mailbox storage are supported)
- searching for the phone
- translated into several languages
- rated as best on many software download sites

Download Wammu

Wammu Screen Shots:

Phones supported by Wammu:

Nokia DCT3 (3210, 3310, 3330, 3390, 3410, 5110, 5110i, 5130, 5190, 5210, 5510, 6110, 6130, 6150, 6190, 8210, 8250, 8290, 8850, 8855, 8890 6210, 6250, 7110, 9110) and compatible
DCT4 (3510, 3510i, 3530, 5100, 6100, 6310, 6310i, 6510, 6610, 7210, 8310, 8910) and compatible

Siemens M20, MC35, SL45

Alcatel One Touch 501, 701, 715, 535, 735

Sony Ericsson phones

Bill Scott - Designing the Rich Web Experience


"Bill Scott served as a Yahoo Ajax Evangelist and engineering manager from 2005-7. In this talk, given at nearly a dozen conferences around the world, Bill taxonomizes the rich interaction patterns that characterize the evolving web -- a must-see for web designers and frontend engineers."

Source: video.yahoo.com | Bill Scott

"Chocli", man's best friend

Hi folks, today I have nothing to share with you..

I just would like to tell you that "Chocli" is the best dog I know :)

Kernel Upgrade on CentOS

1. Locate your yum.conf file (normally /etc/yum.conf):
# find /etc -name yum.conf

2. Verify your yum.conf file:
# nano /etc/yum.conf
The "exclude" line should look something like this:
exclude=courier* apache* mod_ssl* httpd* perl mysql* php* spamassassin* exim*
Note: kernel* must not appear on the "exclude" line, otherwise yum will quietly leave you on the old kernel.

3. Upgrade the kernel:
- If you have 1 processor:
# yum upgrade kernel
- For dual processors use:
# yum upgrade kernel-smp

When the upgrade is complete, set "default" to 0 in /etc/grub.conf (yum adds the new kernel as the first entry, index 0, so default=0 boots it), then reboot your server:
# shutdown -r now
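Two things go wrong with this procedure in practice: kernel* is on the exclude line after all, or grub.conf's default still points at the old kernel after the reboot. The following is an added example (my own, not from the original post) with a check for each, run over constructed yum.conf and grub.conf fragments; the kernel names in the sample are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): two checks around
# `yum upgrade kernel`: is kernel* excluded in yum.conf, and which kernel does
# grub.conf actually boot by default? Both inputs below are constructed.

SAMPLE_YUM_CONF='[main]
cachedir=/var/cache/yum
exclude=courier* apache* mod_ssl* httpd* perl mysql* php* spamassassin* exim*
gpgcheck=1'

# A grub.conf after an upgrade: the new kernel is the first title (index 0),
# so a leftover default=1 still boots the old kernel.
SAMPLE_GRUB_CONF='default=1
timeout=5
title CentOS (2.6.18-new)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-new ro root=LABEL=/
        initrd /initrd-2.6.18-new.img
title CentOS (2.6.18-old)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-old ro root=LABEL=/
        initrd /initrd-2.6.18-old.img'

# kernel_excluded: exit 0 if the yum.conf on stdin has an exclude= line that
# blocks kernel packages, 1 otherwise.
kernel_excluded() {
    grep -Eq '^[[:space:]]*exclude.*[[:space:]=]kernel'
}

# grub_default_kernel: print the kernel image selected by default= in the
# grub.conf on stdin (grub treats a missing default= as 0; output is empty if
# default points past the last title).
grub_default_kernel() {
    awk '
        BEGIN { d = 0 }
        /^[[:space:]]*default=/          { sub(/.*=/, ""); d = $0 + 0 }
        /^title/                         { idx++ }
        /^[[:space:]]*kernel[[:space:]]/ { k[idx - 1] = $2 }
        END { if (d in k) print k[d] }'
}

# Usage on a live box:
#   kernel_excluded < /etc/yum.conf && echo "kernel is excluded in yum.conf"
#   grub_default_kernel < /etc/grub.conf
```

Compare the kernel path printed for grub.conf with `uname -r` after the reboot; if they do not agree, the default entry (or the reboot) did not take.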

Related Posts:
How to install YUM on centOS

Using FFmpeg to convert flv to avi files

Change to the directory where your video files are:
cd /path/where/is/the/video

Run ffmpeg with -i for the input file; the output container is chosen from the output file's extension, so output.avi gives you avi and output.mpg gives you mpg:
# ffmpeg -i input.flv output.avi

Check for FFmpeg documentation

What is FFmpeg?
"FFmpeg is a collection of software libraries that can record, convert and stream digital audio and video in numerous formats. It includes libavcodec, an audio/video codec library used by several other projects, and libavformat, an audio/video container mux and demux library."

How to turn on bind query log

Log in to your server as root and use this command to turn on BIND query logging:
# rndc querylog

It is a toggle: run the same command again to turn logging off. Every query is logged, so on a busy resolver turn it off again once you have what you need.

To check whether querylog is now on, use:
# rndc status

List RedHat or CentOS installed packages

You can list the packages installed on a RedHat or CentOS system by running one of these commands:

# rpm -qa
# yum list installed

For security reasons, remove the packages you do not use: every installed package is code that has to be patched and that an attacker can make use of.

Windows XP SP3

Download Windows XP SP3

The Windows XP SP3 pre-release comes with the "Windows Vista SP1 update hack" again. It should improve stability and OS performance, but you have to consider that it is a hack..

You can download the Windows XP SP3 hack. After that, extract it, execute the file and update your Windows XP; it should run fine afterwards.

Best sysadmin videos on Youtube

Funny :)

Office Platoon

Punish Your Microsoft Developer: Share the pain. THE PAIN! PAIN!!!!!!

The First Recorded IT Professional Seen at Work

How to find the directory of a process?

You can read it from /proc/PID/cwd, a symlink to the process's current working directory, or use the pwdx command to report the working directory of one or more processes.

Using pwdx:
# pwdx 1234

1234: /folder/

Using /proc/PID/cwd (it is a symlink, so read the link instead of opening it in an editor):
# ls -l /proc/1234/cwd
# readlink /proc/1234/cwd

This is a good way to check whether someone is running processes out of hidden folders, out of /tmp, or out of a directory that has already been deleted (the link then ends in "(deleted)").
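Doing that for every PID by hand does not scale, so here is an added example (my own, not from the original post) that walks /proc, reads each cwd link and flags the usual suspects: a hidden path component, the world-writable scratch directories, or a directory that no longer exists. The filter is exercised on a constructed "pid path" list; `scan_proc` is the part you would run on a live Linux box.

```shell
#!/bin/sh
# Added example (not from the original post): flag processes whose working
# directory is a hidden directory, a world-writable scratch area, or a directory
# that has since been deleted, classic signs of a dropped-in process.
# The "pid path" sample is constructed; scan_proc is what you would run live.

SAMPLE_CWDS='1 /
1234 /home/alice/public_html
2345 /tmp/.ICE-unix
3456 /var/tmp/.hidden/bin
4567 /dev/shm
5678 /root/work (deleted)'

# suspicious_cwd: read "pid path" lines on stdin and print the ones worth a
# look. Only the first field is the PID; the rest is the path, which may contain
# spaces, e.g. the " (deleted)" suffix the kernel appends to a dangling cwd link.
# Three tests: a "/." component (hidden directory), a path under /tmp,
# /var/tmp or /dev/shm, and a removed directory.
suspicious_cwd() {
    awk '
    {
        pid = $1
        path = substr($0, index($0, " ") + 1)
        hidden  = (path ~ /\/\./)
        scratch = (path ~ /^\/(tmp|var\/tmp|dev\/shm)(\/|$)/)
        gone    = (path ~ / \(deleted\)$/)
        if (hidden || scratch || gone) print pid, path
    }'
}

# scan_proc: build "pid path" lines from /proc for every process you may read
# (all of them when run as root), then filter. Linux only; not exercised here.
scan_proc() {
    for d in /proc/[0-9]*; do
        cwd=$(readlink "$d/cwd" 2>/dev/null) || continue
        printf '%s %s\n' "${d#/proc/}" "$cwd"
    done | suspicious_cwd
}

# Usage: scan_proc
```

Expect some benign hits (X11's /tmp/.ICE-unix, for instance); the point is to get a short list to look at with `ls -l /proc/PID/exe` and `pwdx`, not a verdict.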

Introducing SSHMenu

SSHMenu features:
- Lets you add your SSH key once, so the remaining sessions open without asking for a password again.
- Every connection uses the terminal profile you have selected, which sets the colour scheme, terminal font and other settings.
- Open all connections of a group at once.

(SSHMenu screenshot)

What is SSHMenu?

"SSHMenu is a GNOME panel applet* that keeps all your regular SSH connections within a single mouse click (...) Each menu option will open an SSH session in a new terminal window. You can organise groups of hosts with separator bars or sub-menus. You can even open all the connections on a submenu (in separate windows or tabs) with one click.
Here's a killer feature: imagine if every time you connected to a production server the terminal window had a red-tinted background, to remind you to tread carefully. Using terminal profiles, SSHMenu allows you to specify colours, fonts, transparency and a variety of other settings on a per-connection basis. You can even set window size and position."

Download SSHMenu

RootKit Detectors for Windows

These programs detect, and in some cases remove, rootkits that may be hiding on your Windows PC or server. Keep in mind that a detector running on the compromised host can itself be deceived by the rootkit it is looking for, so if one of them finds something, treat the machine as untrusted and rebuild it from known-good media rather than relying on the clean-up. Check this list of free rootkit detectors for Windows:

Rootkit Unhooker

Web: www.rku.xell.ru/?l=e.mspx
Price: Free
Summary: A Russian-authored tool that's the most comprehensive and powerful of those tested here.

F-Secure BlackLight

Web: www.f-secure.com
Price: Free
Summary: A time-limited program that may soon be discontinued and folded into F-Secure Internet Security 2006; BlackLight nonetheless scans carefully and attempts to clean offending files from the system.

Web: www.blogcn.com/user17/pjf/index.html
Price: Free
Summary: A bit difficult to find due to its authorship, but a remarkably thorough and continually updated tool with some excellent pro-level features.

RKDetector

Web: www.rkdetector.com
Price: Free
Summary: Composed of two separate applications that scan the file system and running processes, respectively, RKDetector suffers from not having the flexibility and breadth of features of the other programs here.

Trend Micro RootkitBuster

Web: www.trendmicro.com
Price: Free
Summary: A spin-off / standalone version of the rootkit scanning technology from one of Trend Micro's commercial programs, which actually works quite well on its own.

RootkitRevealer

Web: www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
Price: Free
Summary: One of the first rootkit detectors, it's now overshadowed a bit by some of the other programs here but can still do some decent work.


Installing CSF Firewall

Installing CSF:
# wget http://www.configserver.com/free/csf.tgz
# tar zxf csf.tgz
# cd csf
# sh install.sh
If you are running APF (and BFD) you should disable them first. You can do it with this script, included in csf.tgz:
# sh disable_apf_bfd.sh

You can change the configuration through WHM or, if you prefer, by editing /etc/csf/csf.conf directly:
# nano /etc/csf/csf.conf

A fresh install runs in testing mode (TESTING = "1"): a cron job flushes the rules every few minutes so a mistake cannot lock you out. Once TCP_IN contains your SSH port and your own IP is allowed, set TESTING = "0" and restart the firewall with `csf -r`.
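Before flipping TESTING off it pays to check csf.conf mechanically rather than by eye. The following is an added example (my own, not ConfigServer's code) that reads the quoted key = "value" lines of csf.conf, reports whether the firewall is still in testing mode, and checks that a given SSH port is in TCP_IN. The csf.conf fragment is constructed; only the key names are CSF's.

```shell
#!/bin/sh
# Added example (not from ConfigServer or the original post): checks to run on
# /etc/csf/csf.conf before taking the firewall out of testing mode, so you do
# not lock yourself out. The config fragment is constructed.

SAMPLE_CSF_CONF='# A fresh install leaves the firewall in testing mode:
TESTING = "1"
TESTING_INTERVAL = "5"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21,53"'

# csf_value KEY: print the value of KEY from the csf.conf on stdin, quotes
# removed, or nothing if the key is not set.
csf_value() {
    awk -v key="$1" -F'=' '
        $1 ~ ("^[ \t]*" key "[ \t]*$") {
            v = $2; gsub(/^[ \t]*"|"[ \t]*$/, "", v); print v; exit
        }'
}

# csf_testing: exit 0 if TESTING is still "1" (the rules get flushed every
# TESTING_INTERVAL minutes, so nothing is really enforced yet).
csf_testing() {
    [ "$(csf_value TESTING)" = "1" ]
}

# port_allowed PORT LIST: exit 0 if PORT is in the comma-separated LIST.
port_allowed() {
    case ",$2," in
        *",$1,"*) return 0 ;;
    esac
    return 1
}

# ssh_port_open SSHPORT: exit 0 if SSHPORT is in TCP_IN of the conf on stdin.
# Run this with the port from sshd_config, not with 22 by habit.
ssh_port_open() {
    port_allowed "$1" "$(csf_value TCP_IN)"
}

# Usage:
#   csf_testing   < /etc/csf/csf.conf && echo "still in TESTING mode"
#   ssh_port_open 2222 < /etc/csf/csf.conf || echo "SSH port not in TCP_IN"
```

Together with the firewall's own `csf -r` and a second SSH session kept open while you test, this is enough to avoid the classic lock-out.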

CSF includes:
  • Straight-forward SPI iptables firewall script
  • Daemon process that checks for login authentication failures for:
    • courier imap and pop3
    • ssh
    • non-ssl cpanel / whm / webmail (cPanel servers only)
    • pure-ftpd
    • password protected web pages (htpasswd)
    • mod_security failures
  • POP3/IMAP login tracking to enforce logins per hour
  • SSH login notification
  • SU login notification
  • Excessive connection blocking
  • WHM configuration interface (cPanel servers only) or through Webmin
  • WHM iptables report log (cPanel servers only)
  • Easy upgrade between versions from within WHM (cPanel servers only) or through Webmin
  • Easy upgrade between versions from shell
  • A standard Webmin Module to configure csf is included in the distribution ready to install into Webmin - csfwebmin.tgz
  • Pre-configured to work on a cPanel server with all the standard cPanel ports open (cPanel servers only)
  • Auto-configures the SSH port if it's non-standard on installation
  • Block traffic on unused server IP addresses - helps reduce the risk to your server
  • Alert when end-user scripts sending excessive emails per hour - for identifying spamming scripts
  • Suspicious process reporting - reports potential exploits running on the server
  • Excessive user processes reporting
  • Excessive user process usage reporting and optional termination
  • Suspicious file reporting - reports potential exploit files in /tmp and similar directories
  • Directory and file watching - reports if a watched directory or a file changes
  • Block traffic on the DShield Block List and the Spamhaus DROP List
  • Pre-configured settings for Low, Medium or High firewall security (cPanel servers only)
  • Works with multiple ethernet devices
  • Server Security Check - Performs a basic security and settings check on the server (cPanel servers only)
  • Allow Dynamic DNS IP addresses - always allow your IP address even if it changes whenever you connect to the internet
  • Alert sent if server load average remains high for a specified length of time
  • mod_security log reporting (if installed)
  • Email relay tracking - tracks all email sent through the server and issues alerts for excessive usage (cPanel servers only)
  • IDS (Intrusion Detection System) - the last line of detection alerts you to changes to system and application binaries
Supported and Tested Operating Systems
- RedHat v7.3, v8.0, v9.0
- RedHat Enterprise v3, v4, v5
- CentOS v3, v4, v5
- Fedora Core v1, v2, v3, v4, v5, v6
- openSUSE v10
- Debian v3.1 (sarge)
- Ubuntu v6.06 LTS
- Tested on cPanel (except FCv6)

Use Gmail with your domain

Google provides this service for free: you can use Gmail with your own domain and get a very good e-mail service under your own name...

The free package includes the following applications:
Gmail, Google Talk, Google Calendar, Google Docs, Page Creator, Start Page etc.
- Great uptime for email
- Large mailbox storage
- Conference room and resource scheduling
- No preset user account limit
- Mobile access
- Administrator control panel
- IMAP for Gmail

For more information consult Google Apps

Fix jailshell: fork: Resource temporarily unavailable on cPanel

Are your cPanel users getting this error when they try to run a command over ssh in their jailshell?

"-jailshell: fork: Resource temporarily unavailable"

It means the account has hit its process limit (normally the per-user limit enforced by Shell Fork Bomb Protection), so the shell cannot fork anything else. Log in as root to WHM (https://SERVERIP:2087), suspend the account that has the problem and then unsuspend it again: suspending kills the account's running processes, which frees the limit. Running `ps -u username` as root beforehand shows what was using up the slots.

That should fix the problem..

Securing networked services

Hi, I found this reference information. Good for people who want to gain a rich knowledge of sysadmin work.. (Part 6)

Part1 - Basics, important sites, HOWTO's, handbooks, hardening, tips
Part2 - Netfilter, firewall, Iptables, Ipchains, DoS, DDoS
Part3 - Intrusion detection, integrity checks: IDS, NIDS, HIDS, Antivirus, software
Part4 - Chroot, chrooting, jailing, compartmentalization
Part5 - Forensics, recovery, undelete
Part6 - Securing networked services

(Part 6) - Securing networked services

Web Security Appliance With Apache and mod_security (SF): http://www.securityfocus.com/infocus/1739
Securing Apache Step-by-Step: http://www.securityfocus.com/infocus/1694
Securing apache2: http://www.securityfocus.com/infocus/1786

Apache suEXEC Support: http://httpd.apache.org/docs/1.3/suexec.html
HOWTO Install PHP with SuExec: http://gentoo-wiki.com/HOWTO_Install_PHP_with_SuExec
HOWTO Install PHP as CGI with Apache's suEXEC Feature: http://archiv.debianhowto.de/en/php_cgi/c_php_cgi.html
How to set up suexec to work with virtual hosts and PHP (+PHP +public_html patch): http://alain.knaff.lu/howto/PhpSuexec/

Apache modules
Apache mod_security guide: http://www.securityfocus.com/infocus/1739
Secure Your Apache With mod_security: http://www.howtoforge.com/book/print/1375
Apache mod_ssl: http://www.securityfocus.com/infocus/1356
mod_dosevasive: http://www.nuclearelephant.com/projects/dosevasive/
mod_security: http://www.modsecurity.org
mod_security rulesets: http://www.gotroot.com/mod_security+rules
mod_security rule generator: http://leavesrustle.com/tools/modsecurity/

Securing MySQL Step-by-Step: http://www.securityfocus.com/infocus/1726
Secure MySQL Database Design: http://www.securityfocus.com/infocus/1667
Database Security Explained: http://www.linuxexposed.com/content/view/181/54/
SQL injection attack mitigation: SafeSQL: http://www.phpinsider.com/php/code/SafeSQL/, http://www.webmasterbase.com/article/794
Detect SQL injection attacks: class_sql_inject: http://www.phpclasses.org/browse/package/1341.html

PHP and the OWASP Top Ten Security Vulnerabilities: http://www.sklar.com/page/article/owasp-top-ten
Top 7 PHP Security Blunders: http://www.sitepoint.com/print/php-security-blunders
PHP Security Guide: http://phpsec.org/projects/guide/ (PHP Security Library: http://phpsec.org/library/)
PHPsec.org Security Guide considered harmful: http://www.hardened-php.net/php_secu...armful.51.html
PHP: Preventing register_global problems: http://www.modsecurity.org/documenta...r-globals.html
Securing PHP Step-by-Step: http://www.securityfocus.com/infocus/1706
PHP Security: http://www.onlamp.com/pub/a/php/2003...undations.html
Security of PHP: http://www.developer.com/lang/article.php/918141 (PHP Foundations: http://www.onlamp.com/pub/ct/29)
Auditing PHP, Part 1: Understanding register_globals: http://www-128.ibm.com/developerworks/library/os-php1/
Hardened PHP: http://www.hardened-php.net
SuPHP: http://www.suphp.org/Home.html
(http://www.phpsecure.info seems outdated)

Checking PHP
phpcksec: http://tools.desire.ch/phpcksec/
CastleCops Analyzer (Nuke only?): http://nukecops.com/

Exploiting Common Vulnerabilities in PHP Applications

Security network testing
Nessus: http://www.nessus.org/
Metasploit Framework: http://metasploit.com/projects/Framework/index.html

Application security testing
Open Web Application Security Project (OWASP): http://www.owasp.org/index.php/OWASP...le_of_Contents

OScanner: http://www.cqure.net/wp/?page_id=3
OAT (Oracle Auditing Tools): http://www.cqure.net/wp/?page_id=2

SMBAudit (auditing): http://smbdaudit.sourceforge.net/

Secure BIND Template Version 5.1 05 JAN 2006: http://www.cymru.com/Documents/secur...-template.html
Securing an Internet Name Server: http://www.securiteam.com/securitynews/5VP0N0U5FU.html
DNS Security and Vulnerabilities: http://www.l0t3k.org/security/docs/dns/

General remarks:
Do not allow root logins over ssh
Do use public key authentication
Restrict access where possible: sshd_config AllowGroups/AllowUsers and/or TCP wrappers, firewall, xinetd entry, PAM ACL.
Stop brute-forcing (in no particular order):
Samhain: Defending against brute force ssh attacks: http://la-samhna.de/library/brutessh.html
Sshblack: http://www.pettingers.org/code/SSHBlack.html
Ssh_access: http://www.undersea.net/seanm/softwa...-access.tar.gz
Sshd_check: http://cerberus.cc/open/scripts/sshd_check.sh
Authfail: http://www.bmk.bz/?p=33
Denyhosts: http://denyhosts.sourceforge.net/
Sshdfilter: http://www.csc.liv.ac.uk/~greg/sshdfilter/
PAM_abl: http://www.hexten.net/sw/pam_abl/index.mhtml
Fail2ban: http://fail2ban.sourceforge.net/
Blockhosts: http://www.aczoom.com/cms/blockhosts/
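The three remarks above are easy to check for, so here is an added example (my own, not from the original post or any of the tools listed) that audits an sshd_config for them: root login, password versus key authentication, and an AllowUsers/AllowGroups restriction. It is run over a constructed weak config and a constructed hardened one; the group name sshusers is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# three remarks above: no root logins, public keys instead of passwords, and an
# AllowUsers/AllowGroups restriction. Both configs below are constructed.

WEAK_SSHD_CONFIG='Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
# no AllowUsers / AllowGroups line at all'

HARDENED_SSHD_CONFIG='Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups sshusers wheel'

# sshd_option NAME: print the effective value of NAME from the config on stdin.
# sshd_config keywords are case-insensitive and the first occurrence wins.
sshd_option() {
    awk -v name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == name  { print $2; exit }'
}

# audit_sshd: print one finding per line for the config on stdin and exit 0
# only when there are none. An unset PasswordAuthentication is treated as the
# OpenSSH default "yes"; an unset PermitRootLogin is reported as not hardened.
audit_sshd() {
    conf=$(cat)
    rc=0
    v=$(printf '%s\n' "$conf" | sshd_option PermitRootLogin)
    case "$v" in
        no) ;;
        *) echo "PermitRootLogin is '${v:-unset}': set it to no"; rc=1 ;;
    esac
    v=$(printf '%s\n' "$conf" | sshd_option PasswordAuthentication)
    [ "${v:-yes}" = "no" ] || { echo "PasswordAuthentication is '${v:-unset}': use keys only"; rc=1; }
    v=$(printf '%s\n' "$conf" | sshd_option PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] || { echo "PubkeyAuthentication is '$v': keys cannot work"; rc=1; }
    if [ -z "$(printf '%s\n' "$conf" | sshd_option AllowUsers)" ] &&
       [ -z "$(printf '%s\n' "$conf" | sshd_option AllowGroups)" ]; then
        echo "No AllowUsers/AllowGroups: every local account may try to log in"; rc=1
    fi
    return $rc
}

# Usage: audit_sshd < /etc/ssh/sshd_config
```

Note that `PermitRootLogin without-password` is also reported, on purpose: the remark above is no root logins at all, and a root key still gives a brute-forcer a fixed, high-value target name. Any change to sshd_config should be followed by `sshd -t` before the restart, with a second session left open in case of a typo.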

Original Source: Linuxquestions.org

Forensics, recovery, undelete

Hi, I found this reference information. Good for people who want to gain a rich knowledge of sysadmin work.. (Part 5)

Part1 - Basics, important sites, HOWTO's, handbooks, hardening, tips
Part2 - Netfilter, firewall, Iptables, Ipchains, DoS, DDoS
Part3 - Intrusion detection, integrity checks: IDS, NIDS, HIDS, Antivirus, software
Part4 - Chroot, chrooting, jailing, compartmentalization
Part5 - Forensics, recovery, undelete
Part6 - Securing networked services

Part5 - Forensics, recovery, undelete

Forensics HOWTO's, docs
Steps for Recovering from a UNIX or NT System Compromise: http://www.cert.org/tech_tips/root_compromise.html
Open Web Application Security Project (OWASP): http://www.owasp.org/
Open Source Computer Forensics Manual: http://sourceforge.net/project/showf...ease_id=171701
OSSTM: Institute for Security and Open Methodologies (formerly ideahamster.org): http://www.isecom.org/projects/osstmm.htm
Forensics Basic Steps: http://staff.washington.edu/dittrich/misc/forensics/ or http://staff.washington.edu/dittrich...forensics.html
Dd and netcat cloning disks: http://www.rajeevnet.com/hacks_hints...s_cloning.html
Security Applications of Bootable Linux CD-ROMs: http://rr.sans.org/linux/sec_apps.php
Honeypot project (Hone your skills with the SOM): http://project.honeynet.org/scans/
RH8.0: Chapter 11. Incident Response (Red Hat Linux Security Guide): http://www.redhat.com/docs/manuals/l...se-invest.html
Forensics and Incident Response Resources: http://is-it-true.org/pt/ptips8.shtml
Forensics presentation by Weld Pond and Tan: http://www.cs.neu.edu/groups/acm/lectures/Forensics_NU/
Law Enforcement and Forensics Links.: http://www.computerforensics.net/links.htm
Forensics commercial svc's: http://forensic.to/links/pages/Foren...Investigation/

Forensics CDR's
FIRE (formerly Biatchux +TCT): http://biatchux.dmzs.com/?section=main
The Penguin Sleuth Kit (Knoppix-based +TCT + Sleuthkit): http://luge.cc.emory.edu/psl.html

Forensics tools
OSSTM Tools listing: http://www.isecom.org/projects/operationaltools.htm
The Coroners Toolkit (TCT): http://www.porcupine.org/forensics/ or http://www.fish.com/forensics/
tomsrtbt (1 floppy distro): http://www.toms.net/rb/
Trinux, (Pentest/sniff/scan/recovery/IDS/forensics CD): http://www.trinux.org/
Snarl (Forensics CD based on FreeBSD): http://snarl.eecue.com
Freeware Forensics Tools for Unix: http://online.securityfocus.com/infocus/1503
The @stake Sleuth Kit (TASK): http://sleuthkit.sourceforge.net/
Tools used by CSIRTs to Collect Incident Data/Evidence, Investigate and Track Incidents (list): http://www.uazone.org/demch/analysis/sec-inchtools.html
Freeware Forensics Tools (reflist, Linux w32).: http://www.theiia.org/itaudit/index....=forum&fid=325
TUCOFS - The Ultimate Collection of Forensic Software, : http://www.tucofs.com/tucofs/tucofs.asp?mode=mainmenu
Response kits (precompiled static binaries for Linux, Slowaris and wintendo): http://www.incident-response.org/irtoolkits.htm
Precompiled static binaries for Linux (iso): http://www.stearns.org/staticiso/
Forensic Acquisition Utilities for w32: http://users.erols.com/gmgarner/forensics/
CREED (Cisco Router Evidence Extraction Disk),: http://cybercrime.kennesaw.edu/creed/
...else check Zone-h.org, Packetstorm, Wiretapped.net, whatever.

Undelete HOWTO's
Recovering a Lost Partition Table: http://tsaling.home.attbi.com/linux/lost_partition.html
Linux Partition HOWTO: http://surfer.nmr.mgh.harvard.edu/pa...Partition.html
How to recover lost partitions: http://cvs.sslug.dk/hdmaint/hdm_rescue.html
Linux Ext2fs Undeletion mini-HOWTO: http://www.linuxdoc.org/HOWTO/mini/E...ndeletion.html
Linux Partition Rescue mini-HOWTO: http://www.linux-france.org/article/...ini-HOWTO.html
File Recovery.v.0.81 (using Midnight Commander): http://www.ists.dartmouth.edu/text/I...very.v0.81.php

Rescue tools for partition table/ext2fs
Gpart: http://www.stud.uni-hannover.de/user/76201/gpart/
Testdisk: http://www.cgsecurity.org/index.html
Parted: http://www.gnu.org/software/parted/parted.html
Recover (app + info): http://recover.sourceforge.net/linux/recover/
R-Linux: http://www.r-tt.com/RLinux.shtml
Unrm: http://www.securiteam.com/tools/Unrm...for_Linux.html
Dd-rescue: http://www.garloff.de/kurt/linux/ddrescue/
Also see mc (the Midnight Commander)
TCT (above).

Rescue tools from dd image
Foremost: http://sourceforge.net/projects/foremost/

Rescue tools for FAT/VFAT/FAT32 from Linux
Fatback: http://sourceforge.net/projects/biatchux/

Partition imaging
Partimage: http://www.partimage.org
* For more rescue tools check Freshmeat.net, metalab.unc.edu or other depots for a /Linux/system/recovery/ dir.

II. Runefs: The first inode that can allocate block resources on a ext2 file system is in fact the bad blocks inode (inode 1) -- *not* the root inode (inode 2). Because of this mis-implementation of the ext2fs it is possible to store data on blocks allocated to the bad blocks inode and have it hidden from an analyst using TCT or TASK. To illustrate the severity of this attack the following examples demonstrate using the accompanying runefs toolkit to: create hidden storage space; copy data to and from this area, and show how this area remains secure from a forensic analyst.: http://www.phrack.org/show.php?p=59&a=6

Original Source: Linuxquestions.org

Chroot, chrooting, jailing, compartmentalization

Hi, I found this reference information. Good for people who want to gain a rich knowledge of sysadmin work.. (Part 4)

Part1 - Basics, important sites, HOWTO's, handbooks, hardening, tips
Part2 - Netfilter, firewall, Iptables, Ipchains, DoS, DDoS
Part3 - Intrusion detection, integrity checks: IDS, NIDS, HIDS, Antivirus, software
Part4 - Chroot, chrooting, jailing, compartmentalization
Part5 - Forensics, recovery, undelete
Part6 - Securing networked services

Part4 - Chroot, chrooting, jailing, compartmentalization

Chroot Jails Made Easy with the Jail Chroot Project: http://www.linuxorbit.com/modules.ph...page&artid=538
Chrooting MySQL HOWTO (LQ): http://www.linuxquestions.org/questi...threadid=34338
and http://www.linuxquestions.org/questi...661#post206661
Apache, PHP, MySQL: http://www.faqts.com/knowledge_base/...aid/290/fid/31
SendMail: http://www.sendmail.net/000705securitygeneral.shtml
SendMail: http://www.linuxjournal.com/article.php?sid=5753
Snort: http://www.norz.org/software/snortstart.html

OpenSSH for chrooted sessions on Linux: http://mail.incredimail.com/howto/openssh/
OpenSSH, Scponly: http://www.sublimation.org/scponly/
Using scponly for secure file transfers: http://www.sancho2k.net/filemgmt_dat...s/scponly.html
OpenSSH, Rssh: http://pizzashack.org/rssh/
OpenSSH Sftp logging patch, contact Mike Martinez: mmartinez@reeusda.gov

How to chroot an Apache tree with Linux and Solaris: http://penguin.epfl.ch/chroot.html
An Overview of 'chroot jailing' Services in Linux: http://www.incidents.org/protect/borland.php
How to break out of a chroot() jail: http://www.bpfh.net/simes/computing/chroot-break.html
Breaking out of a restricted shell: http://online.securityfocus.com/infocus/1575, down at "Breaking Out of Various Restrictions"
Tech-Babble: Virtual Server Myth: http://www.pair.com/pair/current/ins...ualserver.html
0x05: Why chroot(2) Sucks: http://packetstormsecurity.nl/mag/napalm/napalm-12.txt
Chuvakin A.,: http://www.linuxsecurity.com/feature..._story-99.html
Chrooting daemons and system processes HOW-TO: http://www.networkdweebs.com/chroot.html

Other SW/HOWTO's unsorted
http://www.enteract.com/~robt/Docs/A...l-freebsd.html for BIND

Original Source: Linuxquestions.org

Intrusion detection, integrity checks: IDS, NIDS, HIDS, Antivirus, software

Hi, I found this reference information for people who want to gain a rich knowledge of sysadmin work.. (Part 3)

Part1 - Basics, important sites, HOWTO's, handbooks, hardening, tips
Part2 - Netfilter, firewall, Iptables, Ipchains, DoS, DDoS
Part3 - Intrusion detection, integrity checks: IDS, NIDS, HIDS, Antivirus, software
Part4 - Chroot, chrooting, jailing, compartmentalization
Part5 - Forensics, recovery, undelete
Part6 - Securing networked services

Part3 - Intrusion detection, integrity checks: IDS, NIDS, HIDS, Antivirus, software

Note: vulnerability checking: CIS, SATAN, COPS, Tiger

FAQ: Network Intrusion Detection Systems: http://www.robertgraham.com/pubs/net...detection.html
Sniffin' the Ether v2.0: http://www.unixgeeks.org/security/ne...r/sniffer.html
Lotek sniffing docs: http://www.l0t3k.org/security/documents/sniffing/
Defeating Sniffers and Intrusion Detection Systems, Phrack, http://www.phrack.org/show.php?p=54&a=10

The IDS acronym game:

IDS: Intrusion Detection System refers to an application able to examine traffic for attributes and properties that mark "benign", suspicious, restricted, forbidden or outright hostile activities.

NIDS: Network IDS refers to Intrusion Detection, like running "sensors" on various sentry or sniffer hosts while logging and/or logprocessing and alerting is done on a central host (many-to-one topology).
NIDS examples are:
Snort: http://www.snort.org/
Shoki: http://shoki.sourceforge.net/
Prelude: http://www.prelude-ids.org/
OSSIM (Snort+Acid+mrtg+NTOP+OpenNMS+nmap+nessus+rrdtool): http://sourceforge.net/projects/os-sim/
MIDAS: http://midas-nms.sourceforge.net/
Firestorm: http://www.scaramanga.co.uk/firestorm/
Panoptis (DoS, DDoS only):
Some commercial/non OSS examples: Demarc PureSecure, Cisco Secure IDS (NetRanger), ISS Real Secure, Axent Net Prowler, Recourse ManHunt, NFR Flight Recorder, NAI CyberCop Network, Enterasys Dragon and Okena Stormfront/Stormwatch.
Snort also is available commercially these days.

HIDS: Host-based IDS. The HIDS acronym itself is subject to flamewars.
IDS examples are Snort, Shoki, Prelude, Defenseworx, Pakemon, Firestorm and Panoptis (DoS, DDoS only).

IPS: Intrusion Protection System. Passive or active (learning, like the heuristics stuff?) enforcement of rules at the application, system or access level. I suppose we're looking at stuff like Grsecurity, Solar Designer's Open Wall, LIDS, LOMAC, RSBAC, Linux trustees, Linux Extended Attributes, LIDS or Systrace here.
Commercial/non OSS examples: Entercept, ISS RealSecure, Axent Intruder Alert Manager, Enterasys' Dragon, Tripwire, Okena and CA's eTrust.

Intrusion Detection Systems: An Introduction: http://www.linuxsecurity.com/feature...story-143.html
Intrusion Detection FAQ (SANS, handling ID in general): http://www.sans.org/resources/idfaq/index.php
Basic File Integrity Checking (with Aide): http://online.securityfocus.com/infocus/1408
www.networkintrusion.co.uk (IDS, NIDS, File Integrity Checkers)

Snort basics:
Using Snort as an IDS and Network Monitor in Linux (SANS, PDF file): http://www.giac.org/practical/gsec/James_Kipp_GSEC.pdf
Snort: IDS Installation with Mandrake 8.2, Snort, Webmin, Roxen Webserver, ACID, mysql: http://www.linux-tip.net/workshop/id.../ids-snort.htm
ArachNIDS (Snort/Dragon/Defenseworx/Pakemon/Shoki rule, research and info library): http://whitehats.com/ids/
Intrusion Detection and Network Auditing on the Internet: http://www.infosyssec.net/infosyssec/intdet1.htm
Snort Stealth Sniffer: Paranoid Penguin: Stealthful Sniffing, Intrusion Detection and Logging: http://www.linuxjournal.com/article.php?sid=6222

Dropping Packets with Snort:
Why not to use Snort's "flexresp": http://www.mcabee.org/lists/snort-us.../msg00379.html
Snortsam: http://www.snortsam.net
Hogwash: http://hogwash.sourceforge.net
Snort-inline: http://www.snort.org/dl/contrib/patc...ort-inline.tgz
Guardian: see the Snort tarball, in the contrib dir.

Snort GUI's, management, log reporting and analysis:
Midas: http://midas-nms.sourceforge.net
SnortCenter: http://users.pandora.be/larc
Snort Unified Logging: Barnyard: (Sourceforge)
Snort Unified Logging: Logtopcap
Snort Unified Logging: Mudpit
Analysis Console for Intrusion Databases (ACID): http://acidlab.sourceforge.net/
HOWTO Build Snort with ACID: http://www.sfhn.net/whites/snortacid.htm
ACID HOWTO: http://www.andrew.cmu.edu/~rdanyliw/...snortacid.html
ACID FAQ: http://www.andrew.cmu.edu/~rdanyliw/snort/acid_faq.html
SPADE, Snortsnarf: http://www.silicondefense.com
Sguil: http://sguil.sourceforge.net/
Enabling Automated Detection of Security Events that affect Multiple Administrative Domains: http://www.incident.org/thesis/book1.html
Demarc (commercial): http://www.demarc.com
RazorBack: http://www.intersectalliance.com/pro...ack/index.html
Oinkmaster (rulemanagement): http://www.snort.org/dl/contrib/sign...nt/oinkmaster/
Snort alert mailer (C or Perl?): http://rouxdoo.freeshell.org/dmn/snort/
Pig Sentry: http://web.proetus.com/tools/pigsentry/
IDS Policy Manager Version (W32): http://www.activeworx.com/
Snort_stat: snort_stat.pl /var/log/snort/alert | /usr/lib/sendmail
Swatch: ./swatch -c /root/.swatchrc --input-record-separator="\n\n" --read-pipe="tail -f /var/log/snort/alert" --daemon
Swatch + Hogtail.

Snort vs Abacus Portsentry:
Snort and PortSentry compared: http://www.linux.ie/articles/portsen...rtcompared.php

Comparison of IDSs ( NFR NID, Snort, INBOUNDS, SHADOW, Dragon, Tripwire): http://zen.ece.ohiou.edu/~nagendra/compids.html

Snort help, mailinglist (archives), honeypots:
Snort: database support FAQ: http://www.incident.org/snortdb/
Snort mailinglists, Aims: http://marc.theaimsgroup.com/
Snort IDS forum at Whitehats.com: http://whitehats.com/cgi/forum/messa...?bbs=forum&f=4
Baby steps with a honeypot: http://www.lucidic.net/whitepapers/mcooper-4-2002.html
Honeypot & Intrusion Detection Resources: http://www.honeypots.net/
The TCP Flags Playground (Mailinglist, Neohapsis): http://archives.neohapsis.com/archiv...0-03/0386.html

Snort + 802.11 aka Wireless: http://www.loud-fat-bloke.co.uk/w80211.html

Sniffing (network wiretap, sniffer) FAQ: http://www.robertgraham.com/pubs/sniffing-faq.html
Apps, network monitoring (index): http://www.mirrors.wiretapped.net/se...ng-README.txt.

An Analysis of a Compromised Honeypot (Snort+Ethereal): http://www.securityfocus.com/infocus/1676
To add: Firestorm NIDS, Barnyard, Mudpit, Snort GUI's, add-ons etc etc.

Snort on two interfaces, solution one: "-i bond0".
Valid-for: running one Snort instance on multiple promiscuous-mode interfaces, all except the management one.
Caveat: none.
See-also: Documentation/networking/bonding.txt
Do once: "echo alias bond0 bonding >>/etc/modules.conf"
At boot: "ifconfig bond0 up; ifenslave bond0 eth0; ifenslave bond0 eth1"
At boot: start Snort with interface arg "-i bond0"

Snort on two interfaces, solution two: "-i any"
Valid-for: running one Snort instance on all interfaces.
Caveat: you lose promiscuous mode.
At boot: start Snort with interface arg "-i any" and a BPF filter to stop it from logging the loopback device.
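The two layouts above as one boot-time helper script. This is an added example, not code from the original post or from the Snort project; the interface names (eth0/eth1 sniffing, eth2 as management), the management IP 192.0.2.10 and the Snort config/log paths are assumptions for the demo. With DRYRUN=1 (the default) it only prints the commands it would run, so the plan can be reviewed without root before it goes into an init script.

```shell
#!/bin/sh
# Added example, not from the original LQ post: boot-time helper for the
# two "Snort on two interfaces" layouts. eth0/eth1 (sniffing), eth2
# (management), 192.0.2.10 and the Snort paths are assumptions.
# DRYRUN=1 (default) prints the commands instead of executing them.

DRYRUN=${DRYRUN:-1}

run() {
    if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Solution one: enslave the sniffing interfaces to bond0 and run a single
# Snort on the bond. The management interface is checked first and never
# enslaved, so the sensor stays reachable; the slaves keep promiscuous
# mode because Snort opens bond0 promiscuously.
snort_bonded() {    # snort_bonded MGMT_IFACE SNIFF_IFACE...
    mgmt=$1; shift
    [ $# -ge 1 ] || { echo "snort_bonded: no sniffing interfaces given" >&2; return 1; }
    for i in "$@"; do
        if [ "$i" = "$mgmt" ]; then
            echo "snort_bonded: refusing to enslave management interface $i" >&2
            return 1
        fi
    done
    run modprobe bonding        # what "alias bond0 bonding" in modules.conf does at boot
    run ifconfig bond0 up
    for i in "$@"; do
        run ifenslave bond0 "$i"
    done
    run snort -D -i bond0 -c /etc/snort/snort.conf -l /var/log/snort
}

# Solution two: a single Snort on the "any" pseudo-interface. Promiscuous
# mode is lost, and without a BPF filter the loopback device would be
# logged too, so loopback (and, here, the sensor's own SSH sessions) is
# filtered out at capture time.
snort_any() {       # snort_any MGMT_IP
    run snort -D -i any -c /etc/snort/snort.conf -l /var/log/snort \
        "not net 127.0.0.0/8 and not (host $1 and tcp port 22)"
}

if [ "$1" = "--plan" ]; then
    echo "# solution one"; snort_bonded eth2 eth0 eth1
    echo "# solution two"; snort_any 192.0.2.10
fi
```

Run it as `sh snort-ifaces.sh --plan` to see both command sequences; set `DRYRUN=0` in the init script to execute them. On current kernels `ifenslave` has been superseded by `ip link set eth0 master bond0`, but the bonding semantics are the same.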

File Integrity Detection Systems:
Checking a filesystem's contents against one or more stored checksums to determine whether a file (remember that on a Linux filesystem essentially everything is a file) has been changed.
Examples are:
Aide: http://www.cs.tut.fi/~rammer/aide.html (for remote mgmnt see also ICU http://www.algonet.se/~nitzer/ICU/ or RFC http://sourceforge.net/projects/rfc/ which handles Aide, Integrit and Afick)
Samhain: http://la-samhna.de/samhain/ (for remote mgmnt see docs)
Osiris: http://osiris.shmoo.com/
Nabou: http://www.daemon.de/en/software/nabou/
Sentinel: http://zurk.sourceforge.net/zfile.html
Viper(DB): http://panorama.sth.ac.at/viperdb/
Integrit: http://integrit.sourceforge.net/
Tripwire (for remote mgmnt see FICC: http://freshmeat.net/projects/ficc/).
Chkrootkit (not only Linux): http://www.chkrootkit.org
Rootkit Hunter (not only Linux): http://rkhunter.sourceforge.net
Findkit: http://mirror.trouble-free.net/killall/findkit

Commercial/non OSS examples: Versioner, GFI LANguard System Integrity Monitor, Ionx's Data Sentinel, Tripwire for Servers and Pedestal Software Intact.
File Integrity (SecurityFocus, tools list): http://www.securityfocus.com/tools/category/7
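What the tools above do underneath, as an added example (not from the original post and not Aide/Tripwire code): take a baseline of SHA-256 hash and mode bits per file, keep it outside the monitored tree, and later diff a fresh listing against it to report added, changed and removed files. The sample tree built by `demo()` and the tampering it simulates (trojaned binary, new suid bit, dropped hidden file, deleted file) are constructed for the demo; real tools also record owner, inode, size and timestamps, and paths containing tabs or newlines are deliberately not handled here to keep it short.

```shell
#!/bin/sh
# Added example, not from the original post and not Aide/Tripwire code:
# minimal baseline-and-compare file integrity checker. The tree built by
# demo() is constructed for the demo. Paths with tabs/newlines are not
# handled; real tools also record owner, inode, size and mtime.

# SHA-256 of one file; falls back to shasum where coreutils is absent.
digest() {
    { command -v sha256sum >/dev/null 2>&1 && sha256sum "$1" || shasum -a 256 "$1"; } |
        cut -d' ' -f1
}

# baseline DIR OUTFILE: one tab-separated line per regular file:
# <sha256> <mode string> <path>. Keep OUTFILE off the monitored tree
# (and a copy off-site), otherwise an intruder can regenerate it.
baseline() {
    dir=$1; out=$2
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(digest "$f")" "$(ls -ld "$f" | cut -d' ' -f1)" "$f"
    done > "$out"
}

# check DIR BASELINE: rebuild the listing and report ADDED / CHANGED /
# REMOVED paths. Returns 1 when anything differs, 0 when the tree is clean.
check() {
    dir=$1; base=$2
    cur=$(mktemp)
    baseline "$dir" "$cur"
    report=$(awk -F'\t' '
        FILENAME == ARGV[1] { old[$3] = $1 "\t" $2; next }   # load the baseline
        !($3 in old)        { print "ADDED\t" $3; next }
        old[$3] != $1 "\t" $2 { print "CHANGED\t" $3 }       # hash or mode differs
        { delete old[$3] }
        END { for (p in old) print "REMOVED\t" p }
    ' "$base" "$cur")
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo: build a small tree, baseline it, tamper with it the way an intruder
# would, and print the sorted report.
demo() {
    tmp=$(mktemp -d); base=$(mktemp)
    mkdir "$tmp/bin"
    printf 'ls v1\n' > "$tmp/bin/ls"
    printf 'ps v1\n' > "$tmp/bin/ps"
    printf 'old log\n' > "$tmp/gone"
    ( cd "$tmp" && baseline . "$base" )
    printf 'trojaned ls\n' > "$tmp/bin/ls"     # content replaced
    chmod u+s "$tmp/bin/ps"                    # only the mode changed: new suid binary
    : > "$tmp/bin/.rootkit"                    # new hidden file
    rm "$tmp/gone"                             # file removed
    ( cd "$tmp" && check . "$base" ) | sort
    rm -rf "$tmp" "$base"
}

if [ "$1" = "--demo" ]; then demo; fi
```

`sh integrity.sh --demo` prints the four findings; in practice you run `baseline /usr /var/lib/integrity/usr.db` once from a known-clean state, store the database read-only or off the box, and run `check` from cron.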

Viruses on GNU/Linux

Sendmail, Tcpdump, OpenSSH, TCP Wrappers, Aide and some other projects have suffered from people succeeding in injecting malicious code, and of those only Sendmail and OpenSSH were hit at the main servers; the rest were mirrors AFAIK. Even though all the apps mentioned are safe to use, and the differences were noticed soon, the real problem is that you I. have to have the knowledge to read code, and II. the discipline to read the code each time and question any diffs, or III. have minimal "protection" in place to cope with things like rogue compiled apps "phoning home". Which in essence means that to end users any SW provided w/o means to verify the integrity of the code and the package should be treated with care, instead of accepting it w/o questioning.

As for the "virus" thingie, I wish we, as a Linux community, would try to "convert" people away from the typical troubles of Pitiful Operating Systems (abbrev.: POS, aka the MICROS~1 Game Platform) and direct them towards what's important to know wrt Linux: user/filesystem permissions, b0rken/suid/sgid software, worms, trojans and rootkits.

Basic measures should be:
- Use (demand) source verification through GPG signatures or, minimally, md5sums,
- Watch system integrity (Aide, Samhain, Tripwire or any package manager that can do verification; save those databases off-site; also see Tiger, Chkrootkit),
- Harden your systems by not installing SW you don't need *now*, denying access where not needed and using tools like Bastille-linux and tips from Astaro,
- Patch the kernel to protect against looking at/writing to crucial /proc and /dev entries and/or use ACLs (see Silvio Cesare's site, Grsecurity, LIDS),
- Watch general/distro security bulletins and don't delay taking action (Slapper, Li0n etc),
- Keep an eye on outgoing traffic (egress logging and filtering),
- Don't compile apps as root but as a non-privileged user,
- Inspect the code if you can,
- Don't use Linux warez,
But most of all: use common sense.

*If you're still not satisfied that you've covered it all, you could arm yourself with knowledge of forensics-related stuff like UML, chrooting, disassembly and honeypots.

If you want to find Antivirus software, Google the net for Central Command, Sophos, Mcafee, Kaspersky, H+BEDV, Frisk, RAV, Clam, Amavis, Spam Assassin, Renattach, Ripmime, Milter or Inflex.
- AV SW is as good as its signatures/heuristics. Some vendors don't update their Linux sig DBs very well, or field SW with lacking capabilities. I've tested some (admittedly a long time ago) on my virus/trojan/LRK/malware libs. Bad (IMHO): Frisk's F-Prot (sigs), Clam (sigs), H+BEDV (libc version). Good (IMNSHO): Mcafee's uvscan (best) and RAV (2nd). Please do test yourself.
- AFAIK only KAV (Kaspersky) has a realtime scanner daemon. I'm in limbo about its compatibility with recent kernels though.

Links to check out:
LAVP/Mini-FAQ Linux/Unix AV SW,
NIST (list of AV vendors),

Original Source: Linuxquestions.org

Netfilter, firewall, Iptables, Ipchains, DoS, DDoS

Hi, I found this reference information for people who want to gain rich knowledge about sysadmin work. (Part 2)

Part1 - Basics, important sites, HOWTO's, handbooks, hardening, tips
Part2 - Netfilter, firewall, Iptables, Ipchains, DoS, DDoS
Part3 - Intrusion detection, integrity checks: IDS, NIDS, HIDS, Antivirus, software
Part4 - Chroot, chrooting, jailing, compartmentalization
Part5 - Forensics, recovery, undelete
Part6 - Securing networked services

*Please note the easiest way to troubleshoot Netfilter-related problems is to add LOG target rules before any "decision" (ACCEPT, DROP, REJECT) in a chain.
** Please note there are a LOT of firewall scripts on LQ: just search the Linux - Security and Linux - Networking fora please.
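The log-before-decision idea in practice, as an added example (not from the original post): a rule set in which every decision is preceded by a LOG rule with its own prefix, plus a small decoder for the kernel log lines those rules produce, so you can see which rule a packet hit and who is hammering a port. The chain name, the log prefixes, the SSH-only policy and the sample log lines are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: LOG-before-decision rules for
# troubleshooting a Netfilter chain, plus a decoder for the resulting
# kernel log lines. Chain name, prefixes, policy and sample lines are
# constructed for the demo.

# Print (do not apply) the rule set. Every ACCEPT/DROP is preceded by a
# rate-limited LOG rule with a distinctive prefix. Apply as root with:
#   fw_rules | sh
fw_rules() {
    cat <<'EOF'
iptables -N LOGDROP
iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: " --log-level 4
iptables -A LOGDROP -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "FW-ACCEPT-SSH: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -j LOGDROP
EOF
}

# Decode netfilter LOG lines from stdin into: PREFIX SRC DST PROTO DPT FLAGS.
# IN=, SRC=, DST=, PROTO=, DPT= and the bare SYN/ACK/FIN/RST words are the
# kernel's own LOG format; the prefix is the word right before "IN=".
nf_decode() {
    awk '{
        prefix = "-"; src = "-"; dst = "-"; proto = "-"; dpt = "-"; flags = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/ && i > 1) { prefix = $(i-1); sub(/:$/, "", prefix) }
            else if ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i ~ /^(SYN|ACK|FIN|RST)$/) flags = flags $i ","
        }
        sub(/,$/, "", flags)
        print prefix, src, dst, proto, dpt, (flags == "" ? "-" : flags)
    }'
}

# nf_top_sources PREFIX DPORT: packets per source address for one log
# prefix and destination port, busiest first.
nf_top_sources() {
    nf_decode | awk -v p="$1" -v d="$2" '$1 == p && $5 == d { n[$2]++ }
        END { for (s in n) print n[s], s }' | sort -rn
}

# Constructed sample of what the rules above write to /var/log/messages.
sample_log() {
    cat <<'EOF'
Mar  3 12:34:56 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43210 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 12:34:57 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43211 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 12:35:01 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 12:35:09 gw kernel: FW-ACCEPT-SSH: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.33 DST=192.0.2.10 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 12:35:12 gw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=68 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=5353 DPT=53 LEN=48
EOF
}

if [ "$1" = "--demo" ]; then
    sample_log | nf_decode
    echo "# top sources dropped on tcp/23:"
    sample_log | nf_top_sources FW-DROP 23
fi
```

Against real logs: `grep 'FW-DROP:' /var/log/messages | nf_top_sources FW-DROP 22`. The `-m limit` on the LOG rules matters on a busy box; without it an attacker can fill your disk with syslog lines.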

LQ search, iptables+howto: http://www.linuxquestions.org/questi...der=descending
IPTables Tutorial: http://iptables-tutorial.frozentux.n...-tutorial.html
IPSysctl Tutorial: http://ipsysctl-tutorial.frozentux.n...-tutorial.html
Linuxguruz.org: http://www.linuxguruz.org/iptables/
Netfilter.org Packetfiltering HOWTO: http://www.netfilter.org/unreliable-...ltering-HOWTO/
Linuxsecurity.com Iptables tutorial: http://www.linuxsecurity.com/resourc...-tutorial.html
Iptables Connection tracking: http://www.cs.princeton.edu/~jns/sec...conntrack.html
Taking care of the New-not-SYN vulnerability: http://archives.neohapsis.com/archiv...3-01/0036.html

TLDP Ipchains HOWTO: http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
Flounder.net Ipchains HOWTO: http://www.flounder.net/ipchains/ipchains-howto.html

Web-browsers, mail clients, FTP clients, IM, P2P ports database for building your own rules: http://www.pcflank.com/fw_rules_db.htm

Other resources/misc stuff
Basic introduction to building ipchains rules: www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
Explanation of the Ipchains logformat: logi.cc/linux/ipchains-log-format.php3
Ipchains log decoder: dsl081-056-052.dsl-isp.net/dmn/decoder/decode.php
Basics on firewalling: www.linuxdoc.org/HOWTO/Firewall-HOWTO.html
linux-firewall-tools: http://www.linux-firewall-tools.com/linux/
CERT: Home Network Security: http://www.cert.org/tech_tips/home_networks.html
Firewall FAQ: http://www.faqs.org/faqs/firewalls-faq/
Assigned ports > 1024: http://www.ec11.dial.pipex.com/port-num4.shtml
Port designations: http://www.chebucto.ns.ca/~rakerman/port-table.html
Firewall Forensics FAQ (What am I seeing?): http://www.robertgraham.com/pubs/firewall-seen.html
Linux Firewall and Security Site: http://www.linux-firewall-tools.com/linux/
Auditing Your Firewall Setup (old, still useful): http://www.enteract.com/~lspitz/audit.html
TLDP: Firewall Piercing mini-HOWTO: http://www.tldp.org/HOWTO/mini/Firew...cing/x189.html
Something called the "Home PC Firewall Guide": http://www.firewallguide.com/
Vendor/Ethernet MAC Address Lookup: http://www.coffer.com/mac_find/
Netfilter Iptables/Ipchains Log Format: http://logi.cc/linux/netfilter-log-format.php3
Dshield (find out if IP was marked as used in attacks): http://www1.dshield.org/ipinfo.php
Port search (Snort): http://www.snort.org/ports.html
Neohapsis Port search: http://www.neohapsis.com/neolabs/neo-ports/
P2P ports (IPMasq): http://www.tsmservices.com/masq/cfm/main.cfm
Is "Stealth" important?: http://www.practicallynetworked.com/...et.htm#Stealth
Infosyssec's Firewall Security and the Internet (badly updated site): http://www.infosyssec.net/infosyssec/firew1.htm

Web-based portscan services:

DoS info
Hardening the TCP/IP stack to SYN attacks: http://www.securityfocus.com/infocus/1729
SANS, Help Defeat Denial of Service Attacks: Step-by-Step: http://www.sans.org/dosstep/index.htm
SANS, ICMP Attacks Illustrated: http://rr.sans.org/threats/ICMP_attacks.php
CERT, Denial of Service Attacks: http://www.cert.org/tech_tips/denial_of_service.html
NWC, Fireproofing Against DoS Attacks (forms of): http://www.nwc.com/1225/1225f38.html

DDoS info
SANS, Consensus Roadmap for Defeating Distributed Denial of Service Attacks: http://www.sans.org/ddos_roadmap.htm
SANS, Spoofed IP Address Distributed Denial of Service Attacks: Defense-in-Depth: http://rr.sans.org/threats/spoofed.php
SANS, Understanding DDOS Attack, Tools and Free Anti-tools with Recommendation: http://rr.sans.org/threats/understan...nding_ddos.php
Juniper.net, Minimizing the Effects of DoS Attacks: http://arachne3.juniper.net/techcent...te/350001.html
CISCO, Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks: http://www.cisco.com/warp/public/707/newsflash.html
Dave Dittrich's references: http://staff.washington.edu/dittrich/misc/ddos/
Xinetd Sensors: http://www.gate.net/~ddata/xinetd-sensors.html
Xinetd FAQ: http://synack.net/xinetd/faq.html

Original Source: Linuxquestions.org

Basics, important sites, HOWTO's, handbooks, hardening, tips

Hi, I found this reference information for people who want to gain rich knowledge about sysadmin work. (Part 1)

Part1 - Basics, important sites, HOWTO's, handbooks, hardening, tips
Part2 - Netfilter, firewall, Iptables, Ipchains, DoS, DDoS
Part3 - Intrusion detection, integrity checks: IDS, NIDS, HIDS, Antivirus, software
Part4 - Chroot, chrooting, jailing, compartmentalization
Part5 - Forensics, recovery, undelete
Part6 - Securing networked services

UNIX Security Checklist v2.0: http://www.cert.org/tech_tips/unix_s...cklist2.0.html
SANS, The Twenty Most Critical Internet Security Vulnerabilities: http://www.sans.org/top20/
SANS SCORE Checklists for W32/Solaris/Cisco IOS/Mac OS/etc etc: http://www.sans.org/score/
SANS http://www.sans.org/infosecFAQ/linux/linux_list.htm
SANS, Reading room, Linux Issues: http://www.sans.org/rr/catindex.php?cat_id=32

CERT, Security improvements: http://www.cert.org/security-improvement/
CERT, Tech Tips: http://www.cert.org/tech_tips/
Linux Administrator's Security Guide (LASG): http://www.seifried.org/lasg/
Linux System Administrator's Guide (SAG, old): http://www.tldp.org/LDP/sag/index.html
The Linux Network Administrator's Guide (NAG): http://www.tldp.org/LDP/nag2/index.html
Securing & Optimizing Linux: The Ultimate Solution (PDF): http://www.tldp.org/LDP/solrhe/Secur...ution-v2.0.pdf
Securing Optimizing Linux RH Edition (older): http://tldp.org/LDP/solrhe/Securing-...-Edition-v1.3/
Linux Security HOWTO: http://tldp.org/HOWTO/Security-HOWTO/index.html
Linux Security Quick Reference Guide (PDF): http://www.tldp.org/REF/ls_quickref/QuickRefCard.pdf
Security Quick-Start HOWTO for Linux,: http://tldp.org/HOWTO/Security-Quickstart-Redhat-HOWTO/
Security links at Linuxguru's: http://www.linuxguruz.org/z.php?id=914
TLDP Networking Security HOWTOs: http://www.tldp.org/HOWTO/HOWTO-INDE...ml#NETSECURITY

Compromise, breach of security, detection
Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html
Detecting and Removing Malicious Code (SF): http://www.securityfocus.com/infocus/1610
Steps for Recovering from a UNIX or NT System Compromise: http://www.cert.org/tech_tips/root_compromise.html
Formatting and Reinstalling after a Security Incident (SF): http://www.securityfocus.com/infocus/1692
How to Report Internet-Related Crime (usdoj.gov CCIPS): http://www.usdoj.gov/criminal/cybercrime/reporting.htm
Related, old(er) articles/docs:
Intruder Discovery/Tracking and Compromise Analysis: http://staff.washington.edu/dittrich...khat/blackhat/
Intrusion Detection Primer: http://www.linuxsecurity.com/feature...e_story-8.html
Through the Looking Glass: Finding Evidence of Your Cracker (LG): http://www.linuxgazette.com/issue36/kuethe.html
Recognizing and Recovering from Rootkit Attacks: http://www.cs.wright.edu/people/facu...on/obrien.html
See also post #5 under Forensics docs

Advisories, alerts, bulletins, disclosure, mailinglists, mailing archives, knowledge bases, other sites
Bugtraq (running): http://www.mail-archive.com/bugtraq@securityfocus.com/
or http://msgs.securepoint.com/cgi-bin/...q-current.html
or http://www.der-keiler.de/Mailing-Lis...focus/bugtraq/
or RSS: http://www.djeaux.com/rss/insecure-full-bugtraq.rss
Linuxsecurity: http://www.linuxsecurity.com
or RSS (Advisories): http://www.linuxsecurity.com/static-...advisories.rss
or RSS (News articles): http://www.linuxsecurity.com/static-...y_articles.rss
Securityfocus: http://www.securityfocus.com
or RSS (Vulns): http://www.securityfocus.com/rss/vulnerabilities.xml
Securiteam: http://www.securiteam.com/
CERT KB: http://www.cert.org/kb/
Securitytracker (Advisories): http://www.securitytracker.com/topics/topics.html
SANS RSS (ISC): http://iscxml.sans.org/rssfeed.xml

Neohapsis (mailinglists/archives): http://www.neohapsis.com
theaimsgroup (mailinglists/archives): http://marc.theaimsgroup.com/
Der Keiler (mailinglists/archives): http://www.der-keiler.de/

Linux Gazette: http://www.linuxgazette.com
Experts exchange: http://www.experts-exchange.com
The Linux Documentation Project: http://www.tldp.org
Blacksheep (HOWTO's, whitepapers, etc): http://www.blacksheepnetworks.com/security/
IRIA: http://www.ists.dartmouth.edu/IRIA/k...base/index.htm
E-secure-db Security Information Database: http://www.e-secure-db.us/dscgi/ds.p...ollection-1586
Linuxmag, Hardening Linux Systems: http://www.linux-mag.com/2002-09/guru_01.html
SEI: http://www.sei.cmu.edu/publications/lists.html
Matt's Unix Security Page: http://www.deter.com/unix/
Jay Beale's docs (Bastille-linux/CIS): http://www.bastille-linux.org/jay/se...icles-jjb.html
The Unix Auditor's Practical Handbook: http://www.nii.co.in/tuaph.html
Aging stuff from Phrack like "Unix System Security Issues": www.fc.net/phrack/files/p18/p18-7.html

Mailinglists, distro specific:

Debian: our own markus1982 on a roll! LQ HOWTO: securing Debian.
http://lists.debian.org/ (search for debian-security@lists.debian.org)

SuSE:
(subscribe: mailto:suse-security-subscribe@suse.com)

Conectiva Linux:
mailto:seguranca@distro.conectiva.com.br (subscribe at the address above; the security mailinglist's lingua franca is Portuguese, but on the updates mailinglist it's English. The latter always carries the package updates that were announced on the security mailinglist.)

Slackware:
mailto:slackware-security@slackware.com (subscribe at the address above)

# We need to incorporate more distros here.

Hardening, distro specific
Debian/Mandrake/Red Hat: Bastille Linux: http://www.bastille-linux.org/
Debian Security HOWTO: http://www.debian.org/doc/manuals/se...-debian-howto/
Debian Security FAQ: http://www.debian.org/security/faq
Mandrake: msec-*.rpm: http://www.linux-mandrake.com/
SuSE: http://www.suse.de/~marc/
Slackware: Slackware Administrators Security tool kit: http://sourceforge.net/projects/sastk/
Slackware: http://members.cox.net/laitcg/new/system-hardening.txt

Log analysis tools, resources
Auditd: Linux Audit: http://people.redhat.com/sgrubb/audit/
Auditd: CAPP rules example: http://www.math.ias.edu/doc/audit-1.0.3/capp.rules
Tools & Tips for auditing code: http://www.vanheusden.com/Linux/audit.html
Track unlink syscall (rm): TrackFS, libauditunlink, LAUS, LTT (Syscalltrack on 2.4)
# FWanalog (Summarizes IPF & IPtables firewall logs)
# FWlogsum (Summarizes Checkpoint FW1 logs)
# FWlogwatch (Summarizes firewall & IDS logs)
# KLogger (WinNT/Win2K keystroke logger)
# Linux Event Logger (For Enterprise-Class Systems): http://evlog.sourceforge.net/
# Lmon (PERL-based real time log monitoring solution)
# LogSentry (Monitors logs for security violations)
# Logsurfer (Monitors logs in realtime)
# PIdentd (Provides UserID with TCP connects)
# Swatch (Monitors syslog messages)
# Secure Remote Syslogger (Encrypted streaming syslog)
# SnortSnarf (HTMLized Snort Log Reviewer)
# Syslog-NG (Replacement for standard syslog facility)
# Syslog.Org (Vast info on syslogging)
# Throughput Monitor (An event counter per timeframe log analyzer): http://home.uninet.ee/~ragnar/throughput_monitor/
Loganalysis.org (check the library): http://www.loganalysis.org/
Counterpane, Log Analysis Resources: http://www.counterpane.com/log-analysis.html
Need to add: Snare, LTK etc etc

Daemons, device or application specific:
The Linux-PAM System Administrators Guide
Securing Xwindows: http://www.uwsg.indiana.edu/usail/ex...d/xsecure.html
How to Build, Install, Secure & Optimize Xinetd: #(link gone, see: http://web.archive.org/web/200410121...netd/index.php)
Installation of a secure webserver (SuSE): #(link gone, do a websearch for "suse_secure_webserver.txt")
Linksys security (LQ notes on): http://www.linuxquestions.org/questi...007#post157007

Auditing tools at:
Packetstorm: http://www.packetstormsecurity.org/UNIX/audit/
SecurityFocus: http://www.securityfocus.com/tools/category/1

Original Source: Linuxquestions.org