[ISN] Linux Security Week - February 19th 2001 (fwd)

Dave Dittrich dittrich at cac.washington.edu
Tue Feb 20 02:01:24 PST 2001

Of special note here is the paper on netfilter (the Linux 2.4 kernel
host based firewalling facilities.)

Dave Dittrich Computing & Communications
dittrich at cac.washington.edu Client Services
http://staff.washington.edu/dittrich University of Washington

PGP key http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

---------- Forwarded message ----------
Date: Mon, 19 Feb 2001 00:24:20 -0500
Subject: [ISN] Linux Security Week - February 19th 2001
From: newsletter-admins at linuxsecurity.com


| LinuxSecurity.com Weekly Newsletter |

| February 19th, 2001 Volume 2, Number 8n |

| |

| Editorial Team: Dave Wreski dave at linuxsecurity.com |

| Benjamin Thomas ben at linuxsecurity.com |


Thank you for reading the LinuxSecurity.com weekly security
newsletter. The purpose of this document is to provide our readers
with a quick summary of each week's most relevant Linux security

If you still haven't set up an intrusion detection system, this may be
your issue. A few good articles were released to help you with that
task. Some of them include "Intrusion Detection Systems, Part IV:
Logcheck," "Monitoring Unix Logins," and "monitord - Network Security
Monitor" Other articles covering simlar topics are also included.

Linux Kernel 2.4 Firewalling Matures: netfilter
In yet another set of advancements to the kernel IP packet filtering
code, netfilter allows users to set up, maintain, and inspect the packet
filtering rules in the new 2.4 kernel. This document explains those
changes and tips on how to get started.


This week, advisories were released for sysctl(), OpenSSH, proftpd,
xfree86-1, libkrb, and bind. The vendors include Debian, FreeBSD,
LinuxPPC, Mandrake, NetBSD, Red Hat, Smoothwall, and Trustix.


# FREE SECURITY BOOKS # Guardian Digital has just announced an offer for 2
free security books with the purchase of any secure Linux Lockbox. The
Lockbox is an Open Source network server appliance engineered to be a
complete secure e-business solution. It can be used as a commerce server,
web server, DNS, mail, and database server. Please see Guardian Digital's
website for details.


HTML Version available:


| Host Security News: | <<-----[ Articles This Week ]-----------------+


* Avoiding security holes when developing an application - Part 1
February 18th, 2001

This article is the first one in a series about the main security
holes that can usually to appear within an application. Along these
articles, we'll show the ways to avoid them by changing a little the
development habits. It doesn't take more than two weeks before a
major application, part of most Linux distributions, presents a
security hole, allowing, for instance, a local user to become root.


* Monitoring Unix Logins
February 16th, 2001

In today's article, I'd like to take a look at utmp, wtmp, and
lastlog. These three files are read and updated whenever a user logs
in to your FreeBSD system. However, you can't read these files
directly, so we'll also look at the various utilities you can use to
garner the information contained within these files.


* Netfilter for IP Masquerade
February 15th, 2001

As of 2.4, ipchains is a thing of the past. The replacement for
ipchains is Netfilter's iptables. What does this mean to the end
user? Typically it means little beyond the fact that suddenly their
ipmasq script doesn't work. So, for starters let's get into setting
up ipmasq under 2.4.x kernels. Connection tracking is a new feature
of netfilter that allows you to accept or deny a packet based on the
state of the connection rather than the strict allow/deny of
ipchains. NAT of course stands for Network Address Translation, the
key feature behind IP Masquerade. The other entries in this menu are
optional, enable them as you please and recompile the kernel if


* Intrusion Detection Systems, Part IV: Logcheck
February 15th, 2001

The last in this four part series on IDS, looks at Logcheck: a
software package that is designed to automatically run and check
system log files for security violations and unusual activity. In the
last three articles in this series, we looked at the concept of an
Intrusion Detection System (IDS) and its implementation on your
network. We discussed some of the top-notch tools like Tripwire and
Snort, that you could use as your Swiss army knife in detecting
intrusions into your network.


* Securing BSD Daemons
February 13th, 2001

Let's continue where we left off by taking a closer look at
/etc/inetd.conf. Remember that inetd is the internet super-server
which listens for requests on behalf of other daemons; it reads
/etc/inetd.conf to determine which ports you wish it to listen on.



| Network Security News: |


* Artificial Intelligence to detect Intrusions
February 17th, 2001

This site, in German, talks about an artificial intelligence project
to detect intrusions. "Electronic intrusion detection is much
trickier than human intrusion detection. Humans can search for the
intruder by opening doors, looking into closets, etc. The intruder
cannot turn into a company's General Manager or turn into a copy
machine all of a sudden (spoofing or trojan horse).


* Jay Beale: Education Is Primary Defense for Secure Machines
February 16th, 2001

It was with no small amount of irony that Jay Beale, lead developer
for Bastille Linux, was hired by MandrakeSoft last Fall to help the
French Linux company bolster the security of its Linux-Mandrake
distribution. Now, after a few months in the employ of MandrakeSoft,
Beale has some definite ideas about how he will be securing
Linux-Mandrake and all of the other Linux distributions as well.


* monitord - Network Security Monitor
February 15th, 2001

A lightweight (distributed?) network security monitor for
TCP/IP+Ethernet LANs. It will capture certain network events and
record them in a relational database. The recorded data will be
available for analysis through a CGI based interface. The main
purpose of this project is to build a lightweight (and possibly
distributed) network security monitor, designed for TCP/IP+Ethernet


* Secure Remote Log Servers Using SCP
February 14th, 2001

A few months ago, I challenged myself with a problem. I wanted to
implement centralized system logging that would securely store logs
in a location that would prevent any tampering or mischief.


* Linux Intrusion Detection Poster
February 14th, 2001

SysAdmin Magazine has the contents of their recent Linux Intrusion
Detection Poster available online. "No matter how security minded you
are, no matter how many updates and patches you apply, there's
always a chance that someone will crack one of your systems. It's an
unpleasant reality, but it's a fact: no system is 100% secure unless
it's turned off, but how useful is that?



| Cryptography News: |


* Name change doesn't impress Carnivore's critics
February 15th, 2001

The FBI's name change for its Internet wiretapping program, from
Carnivore to DCS1000, wasn't the alteration one of the application's
most vocal critics wanted to see. "The only thing we've seen come
out of the FBI or the Justice Department is the new name, which is a
matter of public relations more than anything else," David Sobel,
general counsel of the Electronic Privacy Information Center. "But I
haven't seen any changes that are a response to the criticisms of


* Crypto-Gram February 15th, 2001
February 15th, 2001

Though more smart cards are in use in the United States than ever
before, experts now say the technology may take at least four years
to permeate the business or consumer sectors here and attain similar
status as the ever-popular credit card.



| General News: |


* There's no going back after CPRM, warns Schneier
February 17th, 2001

CPRM copy control poses "a serious threat to civil liberties", writes
cryptography expert Bruce Schneier. In an analysis of the CPRM
specs that the 4C Entity has proposed for inclusion in the ATA hard
drive specification in his latest Cryptogram newsletter, Schneier
warns of their social cost. He also comprehensively debunks the
spin that CPRM - as it was first thrown at the ATA committee - was
only ever intended for removable media.


* Intrusion detection rules drafted
February 16th, 2001

The National Institute of Standards and Technology released Monday
new draft guidance on intrusion-detection systems, outlining all the
factors agencies need to consider when integrating these security
systems into their networks. The guidance is part of a series of
special publications NIST has put out to assist agencies in the
information security arena.


* Full Disclosure? Full Complicity!
February 13th, 2001

The term "full disclosure" is marvelously ambiguous, and therein lies
much of the problem. It essentially means to "widely disseminate as
much information about system vulnerabilities and attack tools as
possible so that potential victims are as knowledgeable as those who
attack them." Admittedly, this concept has a certain appeal.


Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request at linuxsecurity.com
with "unsubscribe" in the subject of the message.

ISN is hosted by SecurityFocus.com
To unsubscribe email LISTSERV at SecurityFocus.com with a message body of

More information about the Linux mailing list