ROOT ON FIRE

4 Jan 2010

hostmap – hosts discovery tool


hostmap is an open source tool by Alessandro `jekil` Tanasi that, given an IP address, outputs all hostnames belonging to it and the virtual hosts configured on it. hostmap is written in Ruby and is therefore platform-independent.
A detailed explanation of the different scan techniques and options can be found in the official documentation: here

A simple example; the -t parameter defines the target:

r-o-f:~/hostmap-0.2.1# ruby hostmap.rb -t 64.13.134.52
hostmap 0.2.1 codename fissatina
Coded by Alessandro `jekil` Tanasi <alessandro@tanasi.it>

[2010-01-04 13:18] Found new hostname scanme.nmap.org
[2010-01-04 13:18] Found new domain nmap.org
[2010-01-04 13:18] Found new hostname scanme.insecure.org
[2010-01-04 13:18] Found new domain insecure.org
[2010-01-04 13:24] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.
[2010-01-04 13:24] Found new nameserver ns1.titan.net
[2010-01-04 13:24] Skipping DNS Zone transfer because it is disabled by default, you must enable it from from command line.

Results for 64.13.134.52
Served by name server (probably)
        ns1.titan.net
Served by mail exchange (probably)
No results found.
Hostnames:
        scanme.insecure.org
        scanme.nmap.org

The --without-bruteforce parameter speeds up the scan considerably, but the probability of missing some hosts increases as a result.
Anyone who hosts their website with a web hosting provider can also use this tool to check which other websites and services run on that provider's server.

Official homepage: http://hostmap.lonerunners.net
SourceForge: http://sourceforge.net/projects/hostmap/

2 Jan 2010

FirePassword – reading out Firefox passwords

FirePassword is a free Windows console tool that reads the usernames and passwords from the Firefox password manager. Since version 3.5 (released 27.12.09), Windows 7 is also supported. Unlike many similar tools, Firefox does not have to be running for this; usernames and the associated passwords from different profiles on other computers and operating systems can also be decrypted.
In Firefox versions 0.x to 1.x the passwords were stored encrypted in signons.txt in the profile folder, from versions 1.5.x and 2.x in signons2.txt, and from version 3.x in signons3.txt. Since version 3.5.x the usernames and credentials are stored encrypted in the SQLite database signons.sqlite.

FirePassword can be run on Windows from a command prompt without any further parameters:
firepassword

Tool homepage: http://securityxploded.com

30 Dec 2009

WAFP – Web Application Finger Printer V 0.01-26c3 released

WAFP (Web Application Finger Printer) is an open source tool that downloads files from a specified web server and compares their checksums against a bundled SQLite3 database. In this way, detailed version numbers for more than 600 different web applications can now be determined.

Example:

r-o-f:~/.../wafp.rb http://www.root-on-fire.com
Collecting and fetching the files we need to identify the product ...
........................................................................................................................................................
Identified Product: wordpress (120.00 %)
Collecting the files we need to fetch ...
Fetching needed files (#833), calculating checksums and storing the results to the database:
..........................................................................................................................................................
Checking gathered/stored checksums (#833) against the selected product (wordpress) versions (#130) checksums:
....................................................................................................................................

 found the following matches (limited to 10):
+-------------------------------------------------------------+
 wordpress-2.8.6-beta1                   446 / 450  (99.11%)
 wordpress-2.8.6                         446 / 450  (99.11%)
 wordpress-2.8.4                         444 / 450  (98.67%)
 wordpress-2.8.5                         444 / 450  (98.67%)
 wordpress-2.8.5-beta1                   444 / 450  (98.67%)
 wordpress-2.8.3                         444 / 450  (98.67%)
 wordpress-2.8.2                         443 / 450  (98.44%)
 wordpress-2.8.1-RC1                     443 / 450  (98.44%)
 wordpress-2.8.1                         443 / 450  (98.44%)
 wordpress-2.8.1-beta2                   874 / 900  (97.11%)
+-------------------------------------------------------------+
 WAFP 0.01-26c3  - - - - - - - - -  http://mytty.org/wafp/

Homepage: http://mytty.org/wafp/
Presentation by Richard Sammet at 26C3: here
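The scoring WAFP applies (checksum every fetched file, then count per release how many of its known files match) as an added example, not WAFP's own code: the fingerprint database, the fetched files and the use of SHA-1 as the checksum are constructed assumptions. The same comparison lets an administrator confirm that a deployed installation still matches the release it is expected to be.

```ruby
require 'digest'

# Checksum used for the fingerprints. Assumption: WAFP's real database may use a
# different digest; the matching logic does not depend on which one.
def file_digest(content)
  Digest::SHA1.hexdigest(content)
end

# Constructed, hypothetical fingerprint database: release name => path => digest.
# A real database holds hundreds of files per release; four are enough to show the scoring.
FINGERPRINT_DB = {
  "example-2.8.4" => {
    "readme.html"   => file_digest("readme, first revision"),
    "js/common.js"  => file_digest("common.js, first revision"),
    "css/style.css" => file_digest("style.css, unchanged across releases"),
    "license.txt"   => file_digest("license, unchanged across releases"),
  },
  "example-2.8.5" => {
    "readme.html"   => file_digest("readme, first revision"),
    "js/common.js"  => file_digest("common.js, second revision"),
    "css/style.css" => file_digest("style.css, unchanged across releases"),
    "license.txt"   => file_digest("license, unchanged across releases"),
  },
  "example-2.8.6" => {
    "readme.html"   => file_digest("readme, second revision"),
    "js/common.js"  => file_digest("common.js, second revision"),
    "css/style.css" => file_digest("style.css, unchanged across releases"),
    "license.txt"   => file_digest("license, unchanged across releases"),
  },
}.freeze

# Constructed stand-in for the files fetched from a web server: path => body,
# nil where the server answered with an error and the file could not be fetched.
FETCHED_FILES = {
  "readme.html"   => "readme, second revision",
  "js/common.js"  => "common.js, second revision",
  "css/style.css" => "style.css, unchanged across releases",
  "license.txt"   => nil,
}.freeze

# Step 1 ("calculating checksums"): digest every file that was actually fetched.
def observed_checksums(fetched)
  fetched.each_with_object({}) do |(path, body), sums|
    sums[path] = file_digest(body) unless body.nil?
  end
end

# Step 2 ("checking gathered checksums against the ... versions checksums"):
# for each release, count how many of its known files carry the observed digest.
# Files that could not be fetched still count towards the total, so a missing
# file lowers every release's score equally. Returns [[release, matched, total, pct], ...]
# best match first; ties keep release-name order, as in the WAFP table above.
def score_releases(db, observed)
  db.map do |release, files|
    matched = files.count { |path, digest| observed[path] == digest }
    [release, matched, files.size, (100.0 * matched / files.size).round(2)]
  end.sort_by { |release, _matched, _total, pct| [-pct, release] }
end

# Render the ranked list the way the tool prints it, limited to the top N releases.
def format_matches(scores, limit = 10)
  scores.first(limit).map do |release, matched, total, pct|
    format(" %-30s %4d / %-4d (%.2f%%)", release, matched, total, pct)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts " found the following matches (limited to 10):"
  puts format_matches(score_releases(FINGERPRINT_DB, observed_checksums(FETCHED_FILES)))
end
```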




14 Dec 2009

SmokePing – visualising network latency

SmokePing is an open source tool that measures latency and graphs it with RRDtool. For every measurement, SmokePing sends several test packets and builds a chart from the measured values. By default, 20 ICMP packets are sent within 5 minutes and the resulting round trip times are stored and sorted by response time. The median value is then drawn in colour on the graph, and the other 19 times are shown in the background in successively lighter shades of grey. If packet loss occurs, i.e. one or more test packets do not come back, the colour of the median on the graph changes according to the number of lost packets.
These measurements and graphs can be an indication of problems in the network, for example when packet loss occurs regularly or the round trip time fluctuates strongly.
The functionality of SmokePing can be extended with the bundled plugins (probes), e.g. measuring DNS response times, measuring FTP bandwidth via a file transfer, checking web proxy filters for functionality, measuring HTTP and HTTPS RTT, and so on.

On Debian, SmokePing can be installed via the package manager in version 2.3.6-3; the current version 2.4 is available for download from the homepage. Since version 2.4 there is a browser-based traceroute tool (smoketrace) that lets users run a graphical traceroute.

Example: ping check (screenshots smokeping01, smokeping02)

Example: DNS check (screenshot smokeping03)
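How one probe round turns into the graph described above (sorted RTTs, the median in colour, the rest as grey smoke, loss deciding the median's colour), as an added example that is not SmokePing's own code; the sample RTTs and the spread threshold used to flag a fluctuating round are constructed assumptions.

```ruby
# One SmokePing probe round as the text describes it: 20 ICMP round trip times
# in milliseconds, nil where no reply came back within the timeout.
# Constructed sample data for this example, not real measurements.
SAMPLE_ROUND = [12.1, 11.8, 12.4, nil, 13.0, 12.2, 11.9, 40.5, 12.3, 12.0,
                nil, 12.6, 12.1, 11.7, 12.8, 12.2, 12.5, 12.0, 12.9, 12.3].freeze

# Median of an already sorted array (mean of the two middle values for even sizes).
def median_of(sorted)
  mid = sorted.size / 2
  sorted.size.odd? ? sorted[mid] : ((sorted[mid - 1] + sorted[mid]) / 2.0).round(2)
end

# Reduce one round to what SmokePing draws: the replies sorted by RTT, the median
# that gets the coloured line, and the loss count that decides the median's colour.
# Lost packets carry no RTT, so they only enter the loss figure.
def summarize_round(rtts)
  replies = rtts.compact.sort
  lost = rtts.size - replies.size
  {
    sent: rtts.size,
    lost: lost,
    loss_pct: (100.0 * lost / rtts.size).round(1),
    median_ms: replies.empty? ? nil : median_of(replies),
    smoke_ms: replies,                      # drawn as the grey "smoke" behind the median
    spread_ms: replies.empty? ? nil : (replies.last - replies.first).round(2),
  }
end

# Rank distance of every sorted reply from the median position: 0 at the median,
# growing outwards. Replies further from the median are drawn in lighter grey,
# so this is the order in which the background bands are shaded.
def smoke_shades(sorted)
  mid = sorted.size / 2
  sorted.each_index.map { |i| (i - mid).abs }
end

# Read a round the way an operator reads the graph (see the text above): any loss
# changes the median's colour, and a large spread between fastest and slowest reply
# means a strongly fluctuating RTT. The spread threshold is an assumption here.
def round_problems(summary, max_spread_ms: 10.0)
  problems = []
  problems << "packet loss #{summary[:lost]}/#{summary[:sent]}" if summary[:lost] > 0
  if summary[:spread_ms] && summary[:spread_ms] > max_spread_ms
    problems << "rtt spread #{summary[:spread_ms]} ms"
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  summary = summarize_round(SAMPLE_ROUND)
  puts "median #{summary[:median_ms]} ms, loss #{summary[:loss_pct]}%, spread #{summary[:spread_ms]} ms"
  puts "shades: #{smoke_shades(summary[:smoke_ms]).join(' ')}"
  puts "problems: #{round_problems(summary).join(', ')}"
end
```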




11 Dec 2009

Lynis – security information about your own server / system

Lynis is an open source tool that collects and assesses security information about a Unix-based server or system. In addition to the security aspects, it also reports on the installed packages and possible misconfigurations. Lynis only shows the problems; fixing them is up to you, as it makes no changes to the system at all.
The tool does not need to be installed and can therefore also be started from a USB stick or similar.

The following points are checked, among others:
- possible authentication methods
- expired SSL certificates
- outdated software
- user accounts without a password
- incorrect file permissions
- firewall check
- boot loader

I. Download and verification

r-o-f:~# wget http://www.rootkit.nl/files/lynis-1.2.8.tar.gz
r-o-f:~# sha1sum lynis-1.2.8.tar.gz
818b2c795c470142ee38e787c9a4bee5c412b789  lynis-1.2.8.tar.gz

The SHA1 hashes can be found on the project homepage.

II. First run
After unpacking, Lynis can simply be invoked without parameters and prints the available options:

[+] Initializing program
------------------------------------
  Valid parameters:
    --auditor "<name>"            : Auditor name
    --check-all (-c)              : Check system
    --check-update                : Check for updates
    --no-colors                   : Don't use colors in output
    --no-log                      : Don't create a log file
    --profile <profile>           : Scan the system with the given profile file
    --quick (-Q)                  : Quick mode, don't wait for user input
    --quiet (-q)                  : No output, except warnings
    --reverse-colors              : Optimize color display for light backgrounds
    --tests "<tests>"             : Run only tests defined by <tests>
    --tests-category "<category>" : Run only tests defined by <category>
    --view-manpage (--man)        : View man page
    --version (-V)                : Display version number and quit

III. Checking for updates

First, check for available updates:

r-o-f:~/lynis-1.2.8# ./lynis --check-update

 == Lynis ==
  Version       :   1.2.8
  Release date  :   8 December 2009

 == Databases ==
                    Current          Latest            Status
  -----------------------------------------------------------------------------
  Malware       :   2008062700       2008062700       Up-to-date
  File perms    :   2008053000       2008053000       Up-to-date


Copyright 2007-2009 - Michael Boelen, http://www.rootkit.nl/

IV. System audit
Lynis must be run with root privileges!
Example scan:

r-o-f:~/lynis-1.2.8# ./lynis -c

[ Lynis 1.2.8 ]

################################################################################
 Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 welcome to redistribute it under the terms of the GNU General Public License.
 See LICENSE file for details about using this software.

 Copyright 2007-2009 - Michael Boelen, http://www.rootkit.nl/
################################################################################

[+] Initializing program
------------------------------------
  - Detecting OS...                                           [ DONE ]
  - Clearing log file (/var/log/lynis.log)...                 [ DONE ]

  ---------------------------------------------------
  Program version:           1.2.8
  Operating system:          Linux
  Operating system name:     Linux
  Operating system version:  2.6.26-2-686
  Kernel version:            2.6.26-2-686
  Hardware platform:         i686
  Hostname:                  r-o-f
  Auditor:                   [Unknown]
  Profile:                   ./default.prf
  Log file:                  /var/log/lynis.log
  Report file:               /var/log/lynis-report.dat
  Report version:            1.0
  ---------------------------------------------------

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

  - Checking profile file (./default.prf)...
  - Program update status...                                  [ NO UPDATE ]

[+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...
    - Checking /bin...                                        [ FOUND ]
    - Checking /sbin...                                       [ FOUND ]
    - Checking /usr/bin...                                    [ FOUND ]
    - Checking /usr/sbin...                                   [ FOUND ]
    - Checking /usr/local/bin...                              [ FOUND ]
    - Checking /usr/local/sbin...                             [ FOUND ]
    - Checking /usr/local/libexec...                          [ NOT FOUND ]
    - Checking /usr/libexec...                                [ NOT FOUND ]
    - Checking /usr/sfw/bin...                                [ NOT FOUND ]
    - Checking /usr/sfw/sbin...                               [ NOT FOUND ]
    - Checking /usr/sfw/libexec...                            [ NOT FOUND ]
    - Checking /opt/sfw/bin...                                [ NOT FOUND ]
    - Checking /opt/sfw/sbin...                               [ NOT FOUND ]
    - Checking /opt/sfw/libexec...                            [ NOT FOUND ]
    - Checking /usr/xpg4/bin...                               [ NOT FOUND ]
    - Checking /usr/css/bin...                                [ NOT FOUND ]
    - Checking /usr/ucb...                                    [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Boot and services
------------------------------------
  - Checking boot loaders
    - Checking presence GRUB...                               [ OK ]

      - Checking for password protection...                   [ WARNING ]
    - Checking presence LILO...                               [ NOT FOUND ]
    - Checking presence YABOOT...                             [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Kernel
------------------------------------
  - Checking default run level...                             [ 2 ]
  - Checking CPU support (NX/PAE)
      CPU does not seem to support PAE or No eXecute          [ NO ]
  - Checking kernel version                                   [ DONE ]
  - Checking kernel type                                      [ DONE ]
  - Checking loaded kernel modules                            [ DONE ]
      Found 46 active modules
  - Checking Linux kernel configuration file...               [ FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Memory and processes
------------------------------------
  - Checking /proc/meminfo...                                 [ FOUND ]
  - Searching for dead/zombie processes...                    [ OK ]
  - Searching for IO waiting processes...                     [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Users, Groups and Authentication
------------------------------------
  - Search administrator accounts...                          [ OK ]
  - Checking consistency of group files (grpck)...            [ WARNING ]
  - Checking non unique group ID's...                         [ OK ]
  - Checking non unique group names...                        [ OK ]
  - Checking password file consistency...                     [ OK ]
  - Query system users (non daemons)...                       [ DONE ]
  - Checking NIS+ authentication support                      [ NOT ENABLED ]
  - Checking NIS authentication support                       [ NOT ENABLED ]
  - Checking sudoers file                                     [ NOT FOUND ]
  - Checking PAM password strength tools                      [ SUGGESTION ]
  - Checking PAM configuration files (pam.conf)               [ FOUND ]
  - Checking PAM configuration files (pam.d)                  [ FOUND ]
  - Checking PAM modules                                      [ FOUND ]
  - Checking LDAP module in PAM                               [ NOT FOUND ]
  - Checking accounts without expire date                     [ SUGGESTION ]
  - Checking user password aging                              [ DISABLED ]
  - Checking Linux single user mode authentication            [ WARNING ]
  - Determining default umask
    - Checking umask (/etc/profile)                           [ SUGGESTION ]
    - Checking umask (/etc/login.defs)                        [ SUGGESTION ]
  - Checking LDAP authentication support                      [ NOT ENABLED ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Shells
------------------------------------
  - Checking shells from /etc/shells...
    Result: found 12 shells (valid shells: 4).

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] File systems
------------------------------------
  - Checking mount points
    - Checking /home mount point...                           [ OK ]
    - Checking /tmp mount point...                            [ OK ]
  - Checking for old files in /tmp...                         [ OK ]
  - Checking /tmp sticky bit...                               [ OK ]
  - ACL support root file system...                           [ DISABLED ]
  - Checking Locate database...                               [ FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Storage
------------------------------------
  - Checking usb-storage driver (modprobe config)...          [ NOT DISABLED ]
  - Checking firewire ohci driver (modprobe config)...        [ NOT DISABLED ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

  - Check running NFS daemon...                               [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: name services
------------------------------------
  - Checking default DNS search domain...                     [ NONE ]
  - Checking /etc/resolv.conf options...                      [ NONE ]
  - Searching DNS domain name...                              [ UNKNOWN ]
  - Checking nscd status...                                   [ NOT FOUND ]
  - Checking BIND status...                                   [ NOT FOUND ]
  - Checking PowerDNS status...                               [ NOT FOUND ]
  - Checking ypbind status...                                 [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Ports and packages
------------------------------------
  - Searching package managers...
    - Searching dpkg package manager...                       [ FOUND ]
      - Querying package manager...


[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Networking
------------------------------------
  - Checking configured nameservers...
    - Testing nameservers...
        Nameserver: 194.177.151.10...                         [ OK ]
        Nameserver: 192.92.138.35...                          [ OK ]
    - Minimal of 2 responsive nameservers...                  [ OK ]
  - Checking default gateway...                               [ DONE ]
  - Checking promiscuous interfaces...                        [ OK ]
  - Checking waiting connections...                           [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Printers and Spools
------------------------------------
  - Checking cups daemon...                                   [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: e-mail and messaging
------------------------------------
  - Checking Exim status...                                   [ RUNNING ]
  - Checking Postfix status...                                [ NOT FOUND ]
  - Checking Qmail smtpd status...                            [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: firewalls
------------------------------------
  - Checking iptables kernel module...                        [ NOT FOUND ]
  - Checking pf configuration...                              [ NOT FOUND ]
  - Checking host based firewall                              [ NOT ACTIVE ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: webserver
------------------------------------
  - Checking Apache (binary /usr/sbin/apache2)...             [ FOUND ]
      Info: Configuration file found (/etc/apache2/apache2.conf)
    - Searching Apache virtual hosts...

  - Searching nginx process...                                [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] SSH Support
------------------------------------
  - Checking running SSH daemon...                            [ FOUND ]
    - Searching SSH configuration...                          [ FOUND ]
    - Checking defined SSH options...                         [ DONE ]
    - SSH option: PermitRootLogin...                          [ WARNING ]
    - SSH option: Protocol...                                 [ OK ]
    - SSH option: StrictModes...                              [ OK ]
    - SSH option: AllowUsers...                               [ NOT FOUND ]
    - SSH option: AllowGroups...                              [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] SNMP Support
------------------------------------
  - Checking running SNMP daemon...                           [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Databases
------------------------------------
  - MySQL process status...                                   [ NOT FOUND ]
  - PostgreSQL processes status...                            [ NOT FOUND ]
  - Oracle processes status...                                [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] LDAP Services
------------------------------------
  - Checking OpenLDAP instance...                             [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: PHP
------------------------------------
  - Checking PHP...                                           [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Squid Support
------------------------------------
  - Checking running Squid daemon...                          [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Logging and files
------------------------------------
  - Checking for a running syslog daemon...                   [ OK ]
    - Checking Syslog-NG status                               [ NOT FOUND ]
    - Checking Metalog status                                 [ NOT FOUND ]
    - Checking RSyslog status                                 [ FOUND ]
    - Checking RFC 3195 daemon status                         [ NOT FOUND ]
  - Checking minilogd instances                               [ NONE ]
  - Checking logrotate presence                               [ OK ]
  - Checking log directories (static list)                    [ DONE ]

  - Checking open log files                                   [ DONE ]
  - Checking deleted files in use                             [ DONE ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Insecure services
------------------------------------
  - Checking inetd status...                                  [ ACTIVE ]
  - Checking inetd.conf...                                    [ FOUND ]
  - Checking inetd (telnet)...                                [ FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Banners and identification
------------------------------------
  - Checking banners...
  - /etc/motd...                                              [ FOUND ]
  - /etc/issue...                                             [ FOUND ]
    - /etc/issue contents...                                  [ WEAK ]
  - /etc/issue.net...                                         [ FOUND ]
    - /etc/issue.net contents...                              [ WEAK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Scheduled tasks
------------------------------------
  - Checking crontab/cronjob                                  [ DONE ]
  - Checking atd status                                       [ RUNNING ]
    - Checking at users                                       [ DONE ]
    - Checking at jobs                                        [ NONE ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Accounting
------------------------------------
  - Checking accounting information...                        [ NOT FOUND ]
  - Checking auditd                                           [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Time and Synchronization
------------------------------------
  - Checking running NTP daemon...                            [ FOUND ]
  - Checking NTP client in crontab file...                    [ NOT FOUND ]
  - Checking NTP client in cron.d files...                    [ NOT FOUND ]
  - Checking for a running NTP daemon or client...            [ OK ]
  - Checking NTP daemon...                                    [ FOUND ]
  - Checking valid association ID's...                        [ FOUND ]
  - Checking high stratum ntp peers...                        [ WARNING ]
  - Checking unreliable ntp peers...                          [ NOTICE ]
  - Checking selected time source...                          [ OK ]
  - Checking time source candidates...                        [ OK ]
  - Checking falsetickers...                                  [ OK ]
  - Checking NTP version...                                   [ FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Cryptography
------------------------------------
  - Checking SSL certificate expiration...                    [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Virtualization
------------------------------------

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Security frameworks
------------------------------------
  - Checking presence AppArmor                                [ NOT FOUND ]
  - Checking presence SELinux                                 [ NOT FOUND ]
  - Checking presence grsecurity                              [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: file integrity
------------------------------------
  - Checking AFICK...                                         [ NOT FOUND ]
  - Checking AIDE...                                          [ NOT FOUND ]
  - Checking Osiris...                                        [ NOT FOUND ]
  - Checking Samhain...                                       [ NOT FOUND ]
  - Checking Tripwire...                                      [ NOT FOUND ]
  - Checking presence integrity tool...                       [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Software: Malware scanners
------------------------------------
  - Checking chkrootkit...                                    [ NOT FOUND ]
  - Checking Rootkit Hunter...                                [ NOT FOUND ]
  - Checking ClamAV scanner...                                [ NOT FOUND ]
  - Checking ClamAV daemon...                                 [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] System Tools
------------------------------------
  - Starting file permissions check...
    /etc/lilo.conf                                            [ NOT FOUND ]
    /root/.ssh                                                [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Home directories
------------------------------------
  - Checking shell history files...                           [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile...
      - kernel.core_uses_pid (1)                              [ DIFFERENT ]
      - kernel.ctrl-alt-del (0)                               [ OK ]
      - kernel.sysrq (0)                                      [ DIFFERENT ]
      - net.ipv4.conf.all.accept_redirects (0)                [ DIFFERENT ]

      - net.ipv4.conf.all.accept_source_route (0)             [ OK ]
      - net.ipv4.conf.all.bootp_relay (0)                     [ OK ]
      - net.ipv4.conf.all.forwarding (0)                      [ OK ]
      - net.ipv4.conf.all.log_martians (1)                    [ DIFFERENT ]
      - net.ipv4.conf.all.mc_forwarding (0)                   [ OK ]
      - net.ipv4.conf.all.proxy_arp (0)                       [ OK ]
      - net.ipv4.conf.all.rp_filter (1)                       [ DIFFERENT ]
      - net.ipv4.conf.all.send_redirects (0)                  [ DIFFERENT ]
      - net.ipv4.icmp_echo_ignore_broadcasts (1)              [ OK ]
      - net.ipv4.icmp_ignore_bogus_error_responses (1)        [ OK ]
      - net.ipv4.tcp_syncookies (1)                           [ DIFFERENT ]
      - net.ipv4.tcp_timestamps (0)                           [ DIFFERENT ]
      - net.ipv6.conf.all.accept_redirects (0)                [ DIFFERENT ]
      - net.ipv6.conf.all.accept_source_route (0)             [ OK ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]

[+] Hardening
------------------------------------
    - Installed compiler(s)...                                [ FOUND ]
    - Installed malware scanner...                            [ NOT FOUND ]

[ Press [ENTER] to continue, or [CTRL]+C to stop ]


================================================================================

  -[ Lynis 1.2.8 Results ]-

  Tests performed: 145
  Warnings:
  ----------------------------
   - [09:35:24] Warning: No password set on GRUB bootloader [test:BOOT-5121] [impact:M]
   - [09:35:31] Warning: grpck binary found errors in one or more group files [test:AUTH-9216] [impact:M]
   - [09:35:32] Warning: No password set for single mode [test:AUTH-9308] [impact:L]
   - [09:36:01] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
   - [09:36:13] Warning: Found one or more stratum 16 peers [test:TIME-3116] [impact:L]

  Suggestions:
  ----------------------------
   - [09:35:24] Suggestion: Run grub-md5-crypt and create a hashed password. After that, add a line below the line saying timeout=<value>: password --md5 <password hash> [test:BOOT-5121]
   - [09:35:31] Suggestion: Run grpck manually and check your group files [test:AUTH-9216]
   - [09:35:31] Suggestion: Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc [test:AUTH-9262]
   - [09:35:32] Suggestion: When possible set expire dates for all password protected accounts [test:AUTH-9282]
   - [09:35:32] Suggestion: Configure password aging limits to enforce password changing on a regular base [test:AUTH-9286]
   - [09:35:32] Suggestion: Set password for single user mode to minimize physical access attack surface [test:AUTH-9308]
   - [09:35:32] Suggestion: Default umask in /etc/profile could be more strict like 027 [test:AUTH-9328]
   - [09:35:32] Suggestion: Default umask in /etc/login.defs could not be found and defaults usually to 022, which could be more strict like 027 [test:AUTH-9328]
   - [09:35:44] Suggestion: Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [test:STRG-1840]
   - [09:35:44] Suggestion: Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [test:STRG-1846]
   - [09:36:11] Suggestion: Enable auditd to collect audit information [test:ACCT-9628]
   - [09:36:13] Suggestion: Check ntpq peers output [test:TIME-3116]
   - [09:36:13] Suggestion: Check ntpq peers output for unreliable ntp peers and correct/replace them [test:TIME-3120]
   - [09:36:20] Suggestion: Harden the system by removing unneeded compilers. This can decrease the chance of customized trojans, backdoors and rootkits to be compiled and installed [test:HRDN-7220]
   - [09:36:20] Suggestion: Harden the system by installing one or malware scanners to perform periodic file system scans [test:HRDN-7230]
================================================================================
  Files:
  - Test and debug information      : /var/log/lynis.log
  - Report data                     : /var/log/lynis-report.dat
================================================================================
  Hardening index : [42]     [########            ]
================================================================================
  Lynis 1.2.8
  Copyright 2007-2009 - Michael Boelen, http://www.rootkit.nl/
================================================================================
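Lynis only reports; to feed its findings into monitoring or a deployment gate, the result block has to be read back. The Ruby below is an added example, not part of Lynis: it parses a few of the result lines from the run above (the `[test:ID]` and `[impact:X]` tags and the hardening index), pairs warnings with the suggestions for the same test, and decides whether the audit passes. The pass thresholds are assumptions.

```ruby
# A few lines from the Lynis 1.2.8 result block shown above: every finding carries
# a time, a kind (Warning or Suggestion), a message, a test id and, for warnings,
# an impact rating; the block ends with the hardening index.
SAMPLE_RESULTS = <<~LYNIS
   - [09:35:24] Warning: No password set on GRUB bootloader [test:BOOT-5121] [impact:M]
   - [09:35:32] Warning: No password set for single mode [test:AUTH-9308] [impact:L]
   - [09:36:01] Warning: Root can directly login via SSH [test:SSH-7412] [impact:M]
   - [09:35:24] Suggestion: Run grub-md5-crypt and create a hashed password. After that, add a line below the line saying timeout=<value>: password --md5 <password hash> [test:BOOT-5121]
   - [09:35:31] Suggestion: Run grpck manually and check your group files [test:AUTH-9216]
  Hardening index : [42]     [########            ]
LYNIS

# One finding line: " - [HH:MM:SS] Kind: message [test:CAT-1234]" plus an
# optional " [impact:L|M|H]" (only warnings carry an impact in this version).
FINDING_RE = /\A\s*-\s\[(\d\d:\d\d:\d\d)\]\s(Warning|Suggestion):\s(.+?)\s\[test:([A-Z]+-\d+)\](?:\s\[impact:([LMH])\])?\s*\z/
INDEX_RE   = /Hardening index\s*:\s*\[(\d+)\]/

# Parse the result block into a list of findings and the hardening index.
def parse_lynis_results(text)
  findings = []
  index = nil
  text.each_line do |line|
    if (m = FINDING_RE.match(line))
      findings << { time: m[1], kind: m[2], message: m[3], test: m[4], impact: m[5] }
    elsif (m = INDEX_RE.match(line))
      index = m[1].to_i
    end
  end
  { findings: findings, hardening_index: index }
end

# Count warnings per impact rating, e.g. {"M" => 2, "L" => 1}.
def warnings_by_impact(report)
  report[:findings].select { |f| f[:kind] == "Warning" }
                   .group_by { |f| f[:impact] }
                   .transform_values(&:size)
end

# Suggestions that share a warning's test id are its remediation advice
# (e.g. BOOT-5121: the GRUB password warning and the grub-md5-crypt suggestion).
def remediation_for(report, test_id)
  report[:findings].select { |f| f[:kind] == "Suggestion" && f[:test] == test_id }
                   .map { |f| f[:message] }
end

# Pass/fail gate for a monitoring check or a deployment pipeline: fail on any
# warning rated above the allowed impact, or when the hardening index is below
# the minimum. Both thresholds are assumptions for this example.
def audit_passed?(report, min_index: 50, max_impact_allowed: "L")
  rank = { "L" => 0, "M" => 1, "H" => 2 }
  serious = report[:findings].any? do |f|
    f[:kind] == "Warning" && rank.fetch(f[:impact], 0) > rank.fetch(max_impact_allowed)
  end
  !serious && report[:hardening_index].to_i >= min_index
end

if __FILE__ == $PROGRAM_NAME
  report = parse_lynis_results(SAMPLE_RESULTS)
  puts "hardening index: #{report[:hardening_index]}, warnings by impact: #{warnings_by_impact(report)}"
  report[:findings].select { |f| f[:kind] == "Warning" }.each do |w|
    puts "#{w[:test]} [#{w[:impact]}] #{w[:message]}"
    remediation_for(report, w[:test]).each { |fix| puts "    fix: #{fix}" }
  end
  puts "audit passed: #{audit_passed?(report)}"
end
```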



