securing-howto/en/sec-tools.sgml

<!-- CVS revision of this document "$Revision: 1.4 $"  -->

<chapt id="sec-tools">Security tools in Debian

<p>FIXME: More content needed.

<p>Debian provides also a number of security tools that can make a
Debian box suited for security purposes. This purposes include
protection of information systems through firewalls (either packet or
application-level), intrusion detection (both network and host based),
vulnerability assessment, antivirus, private networks, etc.

<p>Since Debian 3.0 (<em>woody</em>), the distribution features
cryptographic software integrated into the main distribution. OpenSSH
and GNU Privacy Guard are included in the default install, and strong
encryption is now present in web browsers and web servers, databases,
and so forth. Further integration of cryptography is planned for
future releases. This software, due to export restrictions in the US,
was not distributed along with the main distribution but included only
in non-US sites.

<sect id="vuln-asses">Remote vulnerability assessment tools
<p>The tools provided by Debian to perform remote vulnerability assessment
are:
<footnote>
Some of them are provided
when installing the <package>harden-remoteaudit</package> package.
</footnote>
<list>
<item>nessus
<item>raccess
<item>whisker 
<item>nikto (whisker's replacement)
<item>bass (non-free)
<item>satan (non-free)
<!-- Will never be available, I uploaded it but their license is not proper
<item>saint (non-free)
-->
<!-- Might be available in the future since it holds the same license as satan
<item>sara (non-free)
-->
</list>

<p>By far, the most complete and up-to-date tools is
<package>nessus</package> which is composed of a client
(<package>nessus</package>) used as a GUI and a server
(<package>nessusd</package>) which launches the programmed
attacks. Nessus includes remote vulnerabilities for quite a number of
systems including network appliances, ftp servers, www servers,
etc. The latest security plugins are able even to parse a web site and
try to discover which interactive pages are available which could be
attacked. There are also Java and Win32 clients (not included in
Debian) which can be used to contact the management server. 

<p>Notice that if you are using woody, the Nessus packages are really
out of date (see bug <url id="http://bugs.debian.org/183524"
name="#183524">). It is not difficult to backport the packages available in
unstable for woody, but if you find it difficult to do so you might
want to consider using the backported packages provided by one of the
co-maintainers and available at <url
id="http://people.debian.org/~jfs/nessus/"> (these versions might not
be as up-to-date as the versions available at <em>unstable</em>).

<p><package>Whisker</package> is a web-only vulnerability assessment scanner
including anti-IDS tactics (most of which are not <em>anti-IDS</em> anymore).
It is one of the best cgi-scanners available, being able to detect 
WWW servers and launch only a given set of attacks against it. The database
used for scanning can be easily modified to provide for new information.

<p><package>Bass</package> (Bulk Auditing Security Scanner) 
and <package>Satan</package> (Security Auditing Tool for Analyzing Networks)
must be thought of more like "proof of concept" programs than 
as tools to be used
while performing audits. Both are quite ancient and are not kept up-to-date.
However, SATAN was the first tool to provide vulnerability assessment in
a simple (GUI) way and Bass is still a very high-performance assessment tool.

<sect>Network scanner tools
<p>Debian does provide some tools used for remote scanning of hosts 
(but not vulnerability assessment). These tools are, in some cases,
used by vulnerability assessment scanners as the first type of 
"attack" run against remote hosts in an attempt to 
determine remote services available. Currently Debian provides:
<list>
<item>nmap
<item>xprobe
<item>queso
<item>knocker
<item>isic
<item>icmpush
<item>nbtscan (for NetBIOS audits)
<item>fragrouter
<item>strobe (from the <package>netdiag</package> package)
<item>hping2 (<em>Note:</em> out of date)
</list>

<!--
Ettercap is not included since its a sniffing tool not a remote probe 
-->

<p>While as <package>queso</package> and <package>xprobe</package> provide
only remote operating system detection (using TCP/IP fingerprinting),
<package>nmap</package> and <package>knocker</package> do both operating
system detection and port scanning of the remote hosts. On the other
hand, <package>hping2</package> and <package>icmpush</package> can be
used for remote ICMP attack techniques.

<p>Designed specifically for Netbios networks, <package>nbtscan</package>
can be used to scan IP networks and retrieve name information from 
SMB-enabled servers, including: usernames, network names, MAC
addresses...

<p>On the other hand, <package>fragrouter</package> can be used to
test network intrusion detection systems and see if the NIDS can be
eluded by fragmentation attacks.

<p>FIXME: Check <url id="http://bugs.debian.org/153117" name="Bug
#153117"> (ITP fragrouter) to see if it's included.


<p>FIXME add information based on
<url id="http://www.giac.org/practical/gcux/Stephanie_Thomas_GCUX.pdf"
name="Debian Linux Laptop for Road Warriors"> which describes how to
use Debian and a laptop to scan for wireless (803.1) networks. (Link not
there any more).

<sect>Internal audits
<p>Currently, only the <package>tiger</package> tool used in Debian can
be used to perform internal (also called white box) audit of hosts in
order to determine if the file system is properly set up, which processes
are listening on the host, etc.

<sect>Auditing source code
<p>Debian provides three packages that can be used to audit C/C++ source code
programs and find programming errors that might lead to potential security
flaws:
<list>
<item>flawfinder
<item>rats
<item>splint
</list>

<sect id="vpn">Virtual Private Networks

<p>A virtual private network (VPN) is a group of two or more computer
systems, typically connected to a private network with limited public
network access, that communicate securely over a public network. VPNs
may connect a single computer to a private network (client-server), or
a remote LAN to a private network (server-server). VPNs often include
the use of encryption, strong authentication of remote users or hosts,
and methods for hiding the private network's topology.

<p>Debian provides quite a few packages to set up encrypted virtual
private networks:

<list>

<item><package>vtun</package>
<item><package>tunnelv</package>
<item><package>cipe</package>
<item><package>vpnd</package>
<item><package>tinc</package>
<item><package>secvpn</package>
<item><package>pptpd</package>
<item><package>freeswan</package>

</list>

<p>The FreeSWAN package is probably the best choice overall, since it
promises to interoperate with almost anything that uses the IP
security protocol, IPsec (RFC 2411). However, the other packages
listed above can also help you get a secure tunnel up in a hurry. The
point to point tunneling protocol (PPTP) is a proprietary Microsoft
protocol for VPN. It is supported under Linux, but is known to have
serious security issues.

<p>For more information see the <url
id="http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html"
name="VPN-Masquerade HOWTO"> (covers IPsec and PPTP), <url
id="http://www.tldp.org/HOWTO/VPN-HOWTO.html" name="VPN HOWTO">
(covers PPP over SSH), and <url
id="http://www.tldp.org/HOWTO/mini/Cipe+Masq.html" name="Cipe
mini-HOWTO">, and <url
id="http://www.tldp.org/HOWTO/mini/ppp-ssh/index.html" name="PPP
and SSH mini-HOWTO">.

<p>Also worth checking out is
<url id="http://yavipin.sourceforge.net/" name="Yavipin">, but no Debian
GNU packages seem to be available yet.

<sect1>Point to Point tunneling

<p>If you want to provide a tunneling server for a mixed environment
(both Microsoft operating systems and Linux clients) and IPsec is not
an option (since it's only provided for Windows 2000 and Windows XP),
you can use <em>PoPToP</em> (Point to Point Tunneling Server),
provided in the <package>pptpd</package> package.

<p>If you want to use Microsoft's authentication and encryption with
the server provided in the <package>ppp</package> package, note the
following from the FAQ:

<example>
It is only necessary to use PPP 2.3.8 if you want Microsoft compatible
MSCHAPv2/MPPE authentication and encryption. The reason for this is that
the MSCHAPv2/MPPE patch currently supplied (19990813) is against PPP
2.3.8. If you don't need Microsoft compatible authentication/encryption
any 2.3.x PPP source will be fine.
</example>

<p>However, you also have to apply the kernel patch provided by the
<package>kernel-patch-mppe</package> package, which provides the
pp_mppe module for pppd.

<p>Take into account that the encryption in ppptp forces you to store
user passwords in clear text, and that the MS-CHAPv2 protocol contains
<url id="http://mopo.informatik.uni-freiburg.de/pptp_mschapv2/"
name="known security holes">.

<sect>Public Key Infrastructure (PKI)

<p>Public Key Infrastructure (PKI) is a security architecture
introduced to provide an increased level of confidence for exchanging
information over insecure networks. It makes use of the concept of
public and private cryptographic keys to verify the identity of the
sender (signing) and to ensure privacy (encryption).

<p>When considering a PKI, you are confronted with a wide variety of
issues:

<list>

<item>a Certificate Authority (CA) that can issue and verify
certificates, and that can work under a given hierarchy

<item>a Directory to hold user's public certificates

<item>a Database (?) to maintain Certificate Revocation Lists (CRL)

<item>devices that interoperate with the CA in order to print out
smart cards/USB tokens/whatever to securely store certificates

<item>certificate-aware applications that can use certificates issued
by a CA to enroll in encrypted communication and check given
certificates against CRL (for authentication and full Single Sign On
solutions)

<item>a Time stamping authority to digitally sign documents

<item>a management console from which all of this can be properly used
(certificate generation, revocation list control, etc...)

</list>

<p> Debian GNU/Linux has software packages to help you with some of
these PKI issues. They include <prgn>OpenSSL</prgn> (for certificate
generation), <prgn>OpenLDAP</prgn> (as a directory to hold the
certificates), <prgn>gnupg</prgn> and <prgn>freeswan</prgn> (with
X.509 standard support). However, as of the Woody release (Debian
3.0), Debian does not have any of the freely available Certificate
Authorities such as pyCA, <url id="http://www.openca.org"
name="OpenCA"> or the CA samples from OpenSSL. For more information
read the <url id="http://ospkibook.sourceforge.net/" name="Open PKI
book">.

<sect>SSL Infrastructure

<p>Debian does provide some SSL certificates with the distribution so
that they can be installed locally. They are found in the
<package>ca-certificates</package> package. This package provides a
central repository of certificates that have been submitted to Debian
and approved (that is, verified) by the package maintainer, useful for
any OpenSSL applications which verify SSL connections.

<p>FIXME: read debian-devel to see if there was something added to this.

<sect>Antivirus tools

<p>There are not many anti-virus tools included with Debian GNU/Linux,
probably because GNU/Linux users are not plagued by viruses. The UN*X
security model makes a distinction between privileged (root) processes
and user-owned processes, therefore a "hostile" executable that a
non-root user receives or creates and then executes cannot "infect" or
otherwise manipulate the whole system. However, GNU/Linux worms and
viruses do exist, although there has not (yet, hopefully) been any
that has spread in the wild over any Debian distribution. In any case,
administrators might want to build up anti-virus gateways that protect
against viruses arising on other, more vulnerable systems in their
network.

<p>Debian GNU/Linux currently provides the following tools for
building antivirus environments:

<list>

<item><url id="http://clamav.elektrapro.com/" name="Clam Antivirus">,
provided in Debian <em>sarge</em> (future 3.1 release). Packages are
provided both for the virus scanner (<package>clamav</package>) for
the scanner daemon (<package>clamav-daemon</package>) and for the data
files needed for the scanner. Since keeping an antivirus up-to-date is
critical for it to work properly there are two different ways to get
this data: <package>clamav-freshclam</package> provides a way to
update the database through the Internet automatically and
<package>clamav-data</package> which provides the data files directly
<footnote>If you use this last package and are running an official
Debian, the database will not be updated with security updates. You
should either use <package>clamav-freshclam</package>,
<prgn>clamav-getfiles</prgn> to generate new
<package>clamav-data</package> packages or update from the
maintainers location:
<example>
  deb http://people.debian.org/~zugschlus/clamav-data/ /
  deb-src http://people.debian.org/~zugschlus/clamav-data/ /
</example>
</footnote>

<item><package>mailscanner</package> an e-mail gateway virus scanner
and spam detector. Using <package>sendmail</package> or
<package>Exim</package> as its basis, it can use more than 17
different virus scanning engines (including <package>clamav</package>)

<item><package>libfile-scan-perl</package> which provides File::Scan,
 a Perl extension for scanning files for viruses. This modules can be
 used to make platform independent virus scanners.

<item><url id="http://www.sourceforge.net/projects/amavis"
name="Amavis Next Generation">, provided in the package
<package>amavis-ng</package> and available in <em>sarge</em>, which is
a mail virus scanner which integrates with different MTA (Exim,
Sendmail, Postfix, or Qmail) and supports over fifteen virus scanning
engines (including clamav, File::Scan and openantivirus).

<item><url id="http://packages.debian.org/sanitizer"
name="sanitizer">, a tool that uses the <package>procmail</package>
package, which can scan email attachments for viruses, block
attachments based on their filenames, and more.

<item><url id="http://packages.debian.org/amavis-postfix"
name="amavis-postfix">, a script that provides an interface from a
mail transport agent to one or more commercial virus scanners (this
package is built with support for the <prgn>postfix</prgn> MTA only).

<item><package>exiscan</package>, an e-mail virus scanner written in
Perl that works with Exim.

<item><package>sanitizer</package>, a scanner for mail that can remove
potentially dangerous attachments.

<item><package>blackhole-qmail</package> a spam filter for Qmail with
built-in support for Clamav.

</list>

<p>Some gateway daemons support already tools extensions to build
antivirus environments including <package>exim4-daemon-heavy</package>
(the <em>heavy</em> version of the Exim MTA), <package>frox</package>
(a transparent caching ftp proxy server),
<package>messagewall</package> (an SMTP proxy daemon) and
<package>pop3vscan</package> (a transparent POP3 proxy).

<p>As you can see, Debian does not currently provide antivirus
scanning software in the main official distribution (3.0 at the time
of this writing) but it does provide multiple interfaces to build
gateway antivirus. The <package>Clamav</package> scanner 
will be provided in the next official release.

<p>Some other free software antivirus projects which might be included
in future Debian GNU/Linux releases:

<list>

<item><url id="http://sourceforge.net/projects/openantivirus/" name="Open
Antivirus"> (see 
<url
id="http://bugs.debian.org/150698" name="Bug #150698 (ITP oav-scannerdaemon"> 
and <url id="http://bugs.debian.org/150695" name="Bug #150695 (ITP oav-update">
).

</list>

<p><!-- FIXME: Not finding this package in Debian, maybe oav-update
replaced it? -->There is also a <package>virussignatures</package>
package, which provides signatures for all packages, this package
provides a script to download the latest virus signatures from <url
id="http://www.openantivirus.org/latest.php">.

<p>FIXME: check if scannerdaemon is the same as the open antivirus scanner 
daemon (read ITPs).

<p>However, Debian will <em>never</em> provide commercial antivirus
software such as: Panda Antivirus,
<!-- 
<url
id="http://www.pandasoftware.com/com/linux/linux.asp" name="Panda
Antivirus">,
<url
id="http://www.networkassociates.com/us/downloads/evals/"
name="NAI Netshield (uvscan)">, -->
NAI Netshield,
<url id="http://www.sophos.com/"
name="Sophos Sweep">, <url id="http://www.antivirus.com"
name="TrendMicro Interscan">, or <url id="http://www.ravantivirus.com"
name="RAV">. For more pointers see the <url
id="http://www.computer-networking.de/~link/security/av-linux_e.txt"
name="Linux antivirus software mini-FAQ">. This does not mean that
this software can be installed properly in a Debian system.

<p>For more information on how to set up an a virus detection system
read Dave Jones' article <url
id="http://www.linuxjournal.com/article.php?sid=4882" name="Building
an E-mail Virus Detection System for Your Network">.

<sect id="gpg-agent">GPG agent

<p>It is very common nowadays to digitally sign (and sometimes
encrypt) e-mail. You might, for example, find that many people
participating on mailing lists sign their list e-mail. Public key
signatures are currently the only means to verify that an e-mail was
sent by the sender and not by some other person.

<p>Debian GNU/Linux provides a number of e-mail clients with built-in
e-mail signing capabilities that interoperate either with
<package>gnupg</package> or <package>pgp</package>:

<list>
<item><package>Evolution</package>.
<item><package>mutt</package>.
<item><package>kmail</package>.

<item><package>sylpheed</package>. Depending on how the stable version
of this package evolves, you may need to use the <em>bleeding edge
version</em>, <package>sylpheed-claws</package>.

<item><package>gnus</package>, which when installed with the
<package>mailcrypt</package> package, is an <prgn>emacs</prgn>
interface to <prgn>gnupg</prgn>.

<item><package>kuvert</package>, which provides this functionality
independently of your chosen mail user agent (MUA) by interacting with
the mail transport agent (MTA).

</list>

<p>Key servers allow you to download published public keys so that you
may verify signatures. One such key server is <url
id="http://wwwkeys.pgp.net">. <package>gnupg</package> can
automatically fetch public keys that are not already in your public
keyring. For example, to configure <prgn>gnupg</prgn> to use the above
key server, edit the file <file>~/.gnupg/options</file> and add the
following line:

<footnote>
For more examples of how to configure <prgn>gnupg</prgn> check
<file>/usr/share/doc/mutt/examples/gpg.rc</file>.
</footnote>
<example>
keyserver wwwkeys.pgp.net
</example>

<p>Most key servers are linked, so that when your public key is added
to one server, the addition is propagated to all the other public key
servers. There is also a Debian GNU/Linux package
<package>debian-keyring</package>, that provides all the public keys
of the Debian developers. The <prgn>gnupg</prgn> keyrings are
installed in <file>/usr/share/keyrings/</file>.

<p>For more information:

<list>

<item><url ID="http://www.gnupg.org/faq.html" name="GnuPG FAQ">.

<item><url ID="http://www.gnupg.org/gph/en/manual.html" name="GnuPG
Handbook">.

<item><url
ID="http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto.html"
name="GnuPG Mini Howto (English)">.

<item><url ID="http://www.uk.pgp.net/pgpnet/pgp-faq/"
name="comp.security.pgp FAQ">.

<item><url ID="http://www.cryptnet.net/fdp/crypto/gpg-party.html"
name="Keysigning Party HOWTO">.

</list>