"A scanner is a program that automatically detects security weaknesses in a remote or localhost.". Scanners are important to Internet security because they reveal weaknesses in the network. System administrators can strengthen the security of networks by scanning their own networks. The primary attributes of a scanner should be:
There are various tools available for Linux system scanning and intrusion detection. I will explain some of the very famous tools available. I have divided the scanners into three categories:
Host
scanners
Host scanners
are software you run locally on the system to probe for problems.
Cops
COPS is a collection of security tools that are designed specifically to aid
the typical UNIX systems administrator, programmer, operator, or consultant
in the oft neglected area of computer security. COPS is available at: http://www.fish.com/cops
Tiger
Tiger is a
UNIX Security Checker. Tiger is a package consisting of Bourne Shell scripts,
C code and data files which is used for checking for security problems on a
UNIX system. It scans system configuration files, file systems, and user configuration
files for possible security problems and reports them. You can get it from:
http://www.giga.or.at/pub/hacker/unix
check.pl
Check.pl a
perl script that looks through your entire filesystem, (or just the directory
you tell it to) for suid, sgid, sticky, and writeable files. You should run
it as a regular user maybe once a week to check for permission problems. It
will output a list of questionable files to stdout which you can redirect wherever.
It's available at: http://opop.nols.com/proggie.html.
Network
scanners
Network scanners are run from a host and pound away on other machines, looking
for open services. If you can find them, chances are an attacker can too. These
are generally very useful for ensuring your firewall works.
NSS (Network
Security Scanner):
NSS is a
perl script that scans either individual remote hosts or entire subnets of hosts
for various simple network security problems. It is extremely
fast. Routine checks that it can perform include the following:
1: sendmail
2: Anon FTP
3: NFS Exports
4: TFTP
5: Hosts.equiv
6: Xhost
NSS can be found at: http://www.giga.or.at/pub/hacker/UNIX
SATAN (Security
Administrator's Tool for Analyzing Networks):
SATAN is an automated network vulnerability search and report tool that provides
an excellent framework for expansion.Satan scans remote hosts for most known
holes:
1: FTPD vulnerabilities and writable FTP directories
2: NFS vulnerabilities
3: NIS vulnerabilities
4: RSH vulnerability
5: sendmail
6: X server vulnerabilities SATAN performs these probes automatically and provides
this information in an extremely easy to use package.
you can obtain
SATAN from : http://www.fish.com/satan/
Strobe:
Strobe is Super optimised TCP port surveyor. It is a network/security tool that
locates and describes all listening tcp ports on a (remote) host or on many
hosts in a bandwidth utilisation maximising, and pro- cess resource minimising
manner. It is simple to use and very fast, but doesn't have any of the features
newer port scanners have.
Strobe is available at: ftp://suburbia.net/pub/.
Nmap:
Nmap is a newer and much more fully-featured host scanning tool.
Specifically, nmap supports:
Nmap is available at: http://www.insecure.org/nmap/index.html.
Network
Superscanner:
http://members.tripod.de/linux_progz/
Portscanner:
PortScanner is a Network Utility especially designed to "scan" for listening
TCP ports. It uses a simple method to achieve its goal, and it is extremely
compact taking in account all of the options available. It's opensource and
free to use, you can get it at: http://www.ameth.org/~veilleux/portscan.html.
Queso:
Queso is a tool to detect what
OS a remote host is running with a pretty good degree
of accuracy . Using a variety of valid and invalid tcp packets to probe the
remote host it checks the response against a list of known responses for various
operating systems, and will tell you which OS the remote end is running. You
can get Queso from: http://www.apostols.org/projectz/queso/.
Intrusion
Scanners
Intrusion scanners are software packages that will actually identify vulnerabilities,
and in some cases allow you to actively try and exploit them.
Nessus:
Nessus is very fast, reliable and has a modular architecture that allows you
to fit it to your needs.Nessus is one of the best intrusion scanning tools.
It has a client/server architecture, the server currently runs on Linux, FreeBSD,
NetBSD and Solaris, clients are available for Linux, Windows and there is a
Java client. Nessus supports port scanning, and attacking, based on IP
addresses or host name(s). It can also search through network DNS information
and attack related hosts at your request. Nessus is available from http://www.nessus.org/.
Saint:
SAINT is the Security Administrator's Integrated Network Tool. Saint also uses
a client/server architecture, but uses a www interface instead of a client program.
In its simplest mode, it gathers as much information about remote hosts and
networks as possible by examining such network services as finger, NFS, NIS,
ftp and tftp, rexd, statd, and other services. Saint produces very easy to read
and understand output, with security problems graded by priority (although
not always correctly) and also supports add-in scanning modules making it very
flexible. Saint is available from: http://www.wwdsi.com/saint/.
Cheops:
Cheops is useful for detecting a hosts OS and dealing with a large number of
hosts quickly. Cheops is a "network neighborhood" on steroids, it builds a picture
of a domain, or IP block, what hosts are running and so on. It is extremely
useful for preparing an initial scan as you can locate interesting items (HP
printers, Ascend routers, etc) quickly. Cheops is available at:
http://www.marko.net/cheops/.
Ftpcheck
/ Relaycheck:
Ftpcheck and Relaycheck are two simple utilities that scan for ftp servers and
mail servers that allow relaying. These are available from: http://david.weekly.org/code/.
BASS:
BASS is the "Bulk Auditing Security Scanner" allows you to scan the Internet
for a variety of well known exploits. You can get it from: http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz
Firewall
scanners:
There are also a number of programs now that scan firewalls and execute other
penetration tests in order to find out how a firewall is configured.
Firewalk:
Firewalking is a tool that employs traceroute-like techniques to analyze IP
packet responses to determine gateway ACL filters and map networks. Firewalk
the tool employs the technique to determine the filter rules in place on a packet
forwarding device. System administrators should utilize this tool against their
systems to tighten up security. Firewalk is available from: http://www.packetfactory.net/Projects/Firewalk/.
Conclusion:
"Security is not a solution, it's a way of life". System Administrators must continuously scan their systems for security holes and fix the hole on detection. This will tighten the security of system and reduce the chance of security breaches. This process is a continuous process. The security vulnerabilities will keep on arising and process of fixing the security holes will never end! After all, "Precaution is better than cure".