Gentoo Forums
cascamorto
Guru

Joined: 28 Feb 2005
Posts: 373

Posted: Sun Mar 20, 2005 2:40 pm    Post subject: security

some good emerges to be quite secure on the net?

(keep in mind my box is already behind a router with a physical integrated firewall)
_________________
The real world isn't what you thought it was going to be?
re-emerge it with gentoo linux!

tukachinchila
Apprentice

Joined: 11 Mar 2005
Posts: 274
Location: Oregon

Posted: Sun Mar 20, 2005 6:43 pm

    chkrootkit
    rkhunter
    nmap
    nessus
    snort
    aide

If you haven't seen this already, have a look at this document for a great hardening tutorial: http://www.gentoo.org/doc/en/gentoo-security.xml

RockCrusha
Tux's lil' helper

Joined: 31 Jan 2004
Posts: 91

Posted: Sun Mar 20, 2005 11:02 pm

net-misc/arpstar

;)

_WestAnnex_

Jerri
Guru

Joined: 03 Apr 2003
Posts: 353

Posted: Mon Mar 21, 2005 5:15 am

net-analyzer/ethereal

Jerri
Guru

Joined: 03 Apr 2003
Posts: 353

Posted: Mon Mar 21, 2005 5:20 am

RockCrusha, how common are these ARP poisoning attacks... to be honest, I have never heard of them before. Then again, I'm no security expert, probably the furthest thing from :)

RockCrusha
Tux's lil' helper

Joined: 31 Jan 2004
Posts: 91

Posted: Mon Mar 21, 2005 11:17 pm

Jerri-

well if you've never heard of them before, they're more common than you think ;), and way easier to perform than you'd hope. Ever heard of Ettercap or Cain&Abel?

Anytime you share a LAN segment with another host, you can be victimized by ARP poisoning attacks if you aren't using static ARP (which basically no one is).

If you have a wireless access point, or connect to a public one (say via Panera Bread, Starbucks, or Holiday Inn) any other user connected to that AP can play man-in-the-middle on even your ssh and ssl connections. Or if you wanted to read the person down the hall at work or in your dorm at school's email, AIM traffic, ssh traffic, whatever traffic, ARP poisoning is a great way to go. Use online banking from work or home? Tools such as Ettercap and Cain&Abel can snag your bank login/password so fast you'll never know it even happened.

Basically ARP poisoning is one of the ways you sniff traffic on a switched network. It's ridiculous that it is so easy to execute this kind of attack, and IMO any Linux box without ArpStar is asking to get hozed.

Not only interceptions, ARP poisoning can be a form of DoS...just poison their cache to point to their own MAC address or nowhere for their default gateway. Done!

Anytime you share a LAN segment, you need to be aware that ARP poisoning can occur. Basically, if this doesn't concern you, it should...greatly.

-RockCrusha

Jerri
Guru

Joined: 03 Apr 2003
Posts: 353

Posted: Mon Mar 21, 2005 11:19 pm

shit... thanks for the post :)

/me runs to patch his kernel

abrand15
n00b

Joined: 18 Jul 2002
Posts: 38
Location: Providence, TX USA

Posted: Sun Mar 27, 2005 6:44 pm    Post subject: arpstar emerge failed

When trying to emerge arpstar, it fails ... here is the output:
Code:

baseball portage # ACCEPT_KEYWORDS="~x86" emerge -v arpstar
Calculating dependencies ...done!
>>> emerge (1 of 1) net-misc/arpstar-0.5.5 to /
>>> md5 src_uri ;-) arpstar-0.5.5.tar.gz
 * Determining the location of the kernel source code
 * Found kernel source directory:
 *     /usr/src/linux
 * Found sources for kernel version:
 *     2.4.28-gentoo-r7
 * Checking for suitable kernel configuration options
>>> Unpacking source...
>>> Unpacking arpstar-0.5.5.tar.gz to /var/tmp/portage/arpstar-0.5.5/work
>>> Source unpacked.
 * Preparing arpstar module
make -C /usr/src/linux SUBDIRS=/var/tmp/portage/arpstar-0.5.5/work modules
make[1]: Entering directory `/usr/src/linux-2.4.28-gentoo-r7'
make -C  /var/tmp/portage/arpstar-0.5.5/work CFLAGS="-D__KERNEL__ -I/usr/src/lin
ux-2.4.28-gentoo-r7/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-st
rict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=
2 -march=i686  -DMODULE -DMODVERSIONS -include /usr/src/linux-2.4.28-gentoo-r7/i
nclude/linux/modversions.h" MAKING_MODULES=1 modules
make[2]: Entering directory `/var/tmp/portage/arpstar-0.5.5/work'
make[2]: *** No rule to make target `modules'.  Stop.
make[2]: Leaving directory `/var/tmp/portage/arpstar-0.5.5/work'
make[1]: *** [_mod_/var/tmp/portage/arpstar-0.5.5/work] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.28-gentoo-r7'
make: *** [default] Error 2

!!! ERROR: net-misc/arpstar-0.5.5 failed.
!!! Function linux-mod_src_compile, Line 417, Exitcode 2
!!! Unable to make                                  KDIR=/usr/src/linux  .
!!! If you need support, post the topmost build error, NOT this status message.


What am I doing wrong or missing?

thanks
_________________
UNIX IS user-friendly. It's just picky about who its friends are.
----
Do pencils miss spell words? No. Do cars make people drive drunk? No. Do utensils make people fat? No. Guns don't kill people either.

Swi+ch
n00b

Joined: 28 Mar 2005
Posts: 7

Posted: Mon Mar 28, 2005 3:01 pm

looks like you're using a 2.4 kernel. Right now arpstar is only supported on 2.6 kernels.

Swi+ch
Westannex

abrand15
n00b

Joined: 18 Jul 2002
Posts: 38
Location: Providence, TX USA

Posted: Mon Mar 28, 2005 3:26 pm

thanks ... I thought that I saw in the FAQ that 2.4 was supported.

Are there any plans of back porting it to the 2.4 kernel?
_________________
UNIX IS user-friendly. It's just picky about who its friends are.
----
Do pencils miss spell words? No. Do cars make people drive drunk? No. Do utensils make people fat? No. Guns don't kill people either.

Swi+ch
n00b

Joined: 28 Mar 2005
Posts: 7

Posted: Mon Mar 28, 2005 4:19 pm

Well originally it was planned to work for 2.4 and 2.6. We did have a working version for 2.4 a while ago. But some kernel changes caused us to choose the 2.6 kernel tree over the 2.4 kernel tree. Basically, right now we're just getting started and are stretched a little thin especially with the other projects we're working on. Any reason you're still using a 2.4 kernel? And this is not a request to start a huge discussion about the pros/cons of 2.4/2.6. Just wondering if there's a reason you're still using 2.4 since 2.6 went stable a loooong time ago. Also, all of us use 2.6 kernels and don't really know many people who use 2.4 anymore. It just didn't seem like a big priority. But I guess if there's a huuuge outcry for a 2.4 version of arpstar we'd get it done.

Swi+ch
Westannex

dig your avatar btw

abrand15
n00b

Joined: 18 Jul 2002
Posts: 38
Location: Providence, TX USA

Posted: Tue Mar 29, 2005 12:01 am

no real reason, just have not taken the time lately to update that machine ... it is my IBM ThinkPad and I don't use it that often ... my servers are running 2.6

Quote:
dig your avatar btw

thanks! :)
_________________
UNIX IS user-friendly. It's just picky about who its friends are.
----
Do pencils miss spell words? No. Do cars make people drive drunk? No. Do utensils make people fat? No. Guns don't kill people either.

59729
Apprentice

Joined: 21 Jun 2004
Posts: 279

Posted: Tue Mar 29, 2005 3:01 am

Could someone help me out to understand this a bit

my setup:
lan(running windows) <-> gentoo (nat masq) <-> world

This is what I want to try (all from the gentoo box)
1. Try to use arpoison just some basic stuff that's possible from my server on my server and perhaps on the lan if possible
2. Apply arpstar
3. do number 1 again

So basically I just want to see if it's possible to perhaps, if I write mail on my windows box and send it catch it and try to do the same thing with arpstar. I have no interest trying to do this against other people but I would like to know how an attack works so I know why I use the protection in the first place.

Swi+ch
n00b

Joined: 28 Mar 2005
Posts: 7

Posted: Tue Mar 29, 2005 3:53 am

well lappen you want to try the experiment a different way. Your setup has you trying to poison from your gateway. This is possible but not very interesting or useful. Cause if an attacker already owns the gateway he can already perform a man-in-the-middle attack without arp poisoning. A normal attack would have a different machine (not your normal machine and not your gateway) as the attacker.

So on the lan you would have

machine 1: gateway
machine 2: your regular box...your email box
machine 3: attacker

Then the experiment runs as follows. Use the attacker machine to arp poison the gateway against the email machine. Then the traffic from the email machine on the way out to the internet goes through the attacker before hitting the gateway. Use ettercap or Cain and Abel. Then for a real comparison you need to clear the arp caches on the machine so the setup is the same. Otherwise the machines may still be poisoned or the neighbor cache info may still be in the kernel. You gotta flush this out for a proper experiment. Then put the arpstar module in and repeat.

oh and since your machines on your lan are using windows you're probably going to have some half-routing going on. The arpstar module only works on linux machines. so your gentoo box will be immune but the windows side will be poisoned. so you should be able to see 1/2 of the traffic but not all of it. there's not much arpstar can do to help windows boxes. if you want an in-depth look at how it works and also the windows/half-routing problem check out the pdf on our site.

http://arpstar.sourceforge.net/docs/arpstar.pdf



Swi+ch
Westannex
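
A defender-side check for the before/after comparison Swi+ch describes and the gateway-cache poisoning RockCrusha mentions, as an added example that is not part of any post in this thread and is not arpstar code: it compares two snapshots in the Linux /proc/net/arp format and reports an IP whose MAC changed or a MAC claimed by several IPs. The function names are hypothetical and the addresses are constructed sample data.

```python
# Added example: compare two ARP-cache snapshots (/proc/net/arp format)
# and report signs of ARP poisoning. Not code from the thread or arpstar.
from collections import defaultdict

ATF_PERM = 0x04  # flag bit set on static (permanent) entries

# Constructed sample data: gateway .1, mail box .10, third host .66.
BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         02:00:00:00:00:01     *        eth0
192.168.0.10     0x1         0x2         02:00:00:00:00:10     *        eth0
192.168.0.66     0x1         0x2         02:00:00:00:00:66     *        eth0
"""
# Constructed "poisoned" snapshot: the gateway IP now maps to host .66's MAC.
AFTER = BEFORE.replace("02:00:00:00:00:01", "02:00:00:00:00:66")

def parse_arp_table(text):
    """Return {ip: (mac, flags)} for resolved entries, skipping the header."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac = fields[:4]
        if mac == "00:00:00:00:00:00":  # incomplete entry, nothing learned yet
            continue
        table[ip] = (mac.lower(), int(flags, 16))
    return table

def find_anomalies(baseline, current):
    """List (kind, ...) tuples for changed or shared MAC addresses."""
    findings = []
    for ip, (mac, flags) in sorted(current.items()):
        old = baseline.get(ip)
        # Static entries are set by the admin and are not rewritten by replies.
        if old and old[0] != mac and not (flags & ATF_PERM):
            findings.append(("mac-changed", ip, old[0], mac))
    owners = defaultdict(list)
    for ip, (mac, _flags) in current.items():
        owners[mac].append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:  # one MAC answering for several IPs
            findings.append(("mac-shared", mac, *sorted(ips)))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(parse_arp_table(BEFORE), parse_arp_table(AFTER)):
        print(finding)
```

On a live Linux box the two snapshots would be the contents of /proc/net/arp read after flushing the cache and again during the test.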