NW310 - Notes and Resources

Text: "Linux Security Cookbook", by Barrett, Silverman, et al.

Organizations/Projects


The Apache Group - Creators of the world's most popular Web server, which just happens to be free.

Kernel.org - The home of GNU/Linux kernel hackers.

The Linux Home Page - The Mothership.

The SANS Security Policy Project - A great resource for developing your own security policies and guidelines from the SANS (SysAdmin, Audit, Network, Security) Institute.

How to Write Security Policy - Reference Library - Another guide from "The Security Portal for Information System Security Professionals" at http://www.infosyssec.net

The Internet Storm Center - An interesting site that tracks worm and virus activity, including trends over time.

The Honeynet Project - A group that is using networks of Honeypots to track and record cracking activity on the public Internet.

UNIX/Linux Resources

The Linux Documentation Project - This is your new best friend.  How to perform almost any task in Linux (also most UNIXes.)

Webmin - The home of Webmin, the GUI management console that runs on just about every UNIX-based operating system you can name.  (Plus, it's free.)

Freshmeat - The latest in open-source, free software is available here.

DistroWatch - A good site to keep track of/compare/contrast the different distributions of Linux.

Linux Weekly News - A good overview of what's happening in the Linux/Open Source world.

Distro Watch - Confused by all the different varieties of Linux?  This site can help.

Linux Partitioning Mini-FAQ - A good, practical guide to partitioning your hard drive for Linux.

The Art of UNIX Programming - Despite the title, this is an essay on how to think like a UNIX guru.

UNIX as Literature - What kind of people are attracted to UNIX?

SysAdmin Magazine - This magazine is an invaluable tool for any serious UNIX system administrator.  Each month covers a different topic from Backup/Recovery to Security.  The articles and code apply to just about any version of UNIX (or Linux or BSD) without modification.  Their Web site has selected articles and downloadable code for the tools featured in their magazine.  (I have back issues available for loan in my office.)

The System Administrator's Guild (SAGE) - A special technical group of the USENIX organization, designed to "advance the status of computer system administration as a profession, establish standards of professional excellence and recognize those who attain them, develop guidelines for improving the technical and managerial capabilities of members of the profession, and promote activities that advance the state of the art or the community."  (You have to be a member of USENIX to join SAGE. See below.)

USENIX - "USENIX is the Advanced Computing Systems Association. Since 1975 the USENIX Association has brought together the community of engineers, system administrators, scientists, and technicians working on the cutting edge of the computing world." (From their Web page.)  Student memberships are available for as low as $30/year.

Sysadmin Talk - This online Web discussion forum is brand-new, so I don't know much about it.  It looks interesting, though, so I threw it in here.

Colorado Linux Users and Enthusiasts (CLUE) - A local Linux user's group here in Denver.  They have regular monthly meetings, with guest speakers and workshops on a variety of topics of interest to both newcomers to Linux and "old hands".  For newbies, CLUE holds regular installfests, where experts are available to help you install and configure Linux for your hardware.


Applications and Tools (NOTE: Some of these sites may not be accessible from the Westwood LAN)

Ethereal - This is a free, open-source network analyzer that is available in UNIX and Win32 versions.

OpenSSH - An open-source implementation of Secure Shell (SSH), includes both server and client.

OpenSSL - An open-source implementation of SSL (Secure Socket Layer), which allows you to set up secure, encrypted network connections.

The OpenOffice Project - Building a free, open source competitor to Microsoft Office.  (Okay, it's free, but there's a version for Windows as well.)

Kerberos - This industry standard authentication protocol was originally designed by MIT and includes servers and clients for multiple platforms.  (Plus, it's free.)

PAM - Short for Pluggable Authentication Modules, PAM allows amazing flexibility for authentication and authorization.  Instead of rewriting your software to use a new authentication system, just add the appropriate PAM.  You can even authenticate your UNIX box against Active Directory using PAM!

WebDAV - Short for Web Distributed Authoring and Versioning, this uses HTTP to share out file systems in a simple, cross-platform way.  (Microsoft's 'Web Folders' feature is actually a WebDAV client and Apple uses WebDAV to serve their iDisk network storage.)

Multi-Routing Traffic Grapher - A nifty network utility that allows you to monitor traffic in and out of any of your network devices and display the results as a dynamically updated Web page.

Big Brother - Web-based network and server-monitoring tool (free for non-commercial use).

Qmail - A very good secure mailer.  The author has a cash bounty for anyone who can document a security hole in qmail and nobody has collected since 1997.  A nice replacement for sendmail, as it's easier to configure and more secure.

Life with qmail - Free documentation on installing, configuring and administering qmail, an open-source mail server.

Apt HOWTO - From the Debian home page, a comprehensive guide to software package management.

LinuxMafia Knowledgebase - A very good resource for Linux admins, put together by Rick Moen, a true old-school UNIX hacker. There's a good section on security here.

Keeping Accurate Time on Linux - Just what it says. Setting up a time server.

Building an Advanced Mail Server Part 3 - Adding virus scanning and spam filtering to qmail.

Security Tools and Applications

The Linux-PAM Administrator's Guide - What a system-administrator needs to know about the Linux-PAM library. It covers the correct syntax of the PAM configuration file and discusses strategies for maintaining a secure system.

Exploits - A collection of information about computer software exploits. Hard to describe.

Knoppix Security Toolkit Distribution - Based on Knoppix, this live CD contains almost 2 gigabytes worth of tools for encryption, IDS, forensics and vulnerability assessment.

Local Area Security Linux - Another live, bootable CD, based on DS Linux. Comes in two sizes - 185 megabytes and 215 megabytes - and it can run entirely in RAM. Very good, compact toolkit and a nice complement to Knoppix STD.

Whoppix - Short for White Hat Knoppix. This live CD is chock-full of hacking and cracking tools, including the Metasploit framework. Very good for vulnerability assessment. (Includes Windows tools, Linux tools and cross platform tools.)

Shellcode.org - Shellcode is the software that computer exploits use once they break the remote host's defenses. More for the programmer-inclined, but might be worth a look.

Exploit Labs - Another hacker/cracker site.

Top 75 Network Security Tools - Just what the name implies. Some are commercial, some open-source, some for Windows, some for UNIX, etc.

PHLAK - Professional Hacker's Linux Assault Kit - A Linux-based live CD that offers a lot of tools for system rescue, security assessment and forensics.

Bastille Linux - Not, as the name implies, another Linux distro, but a set of perl scripts that can be used to harden a given installation of Linux.

The Metasploit Project - An attempt to put together a cross-platform system for penetration testing, IDS signature development and exploit research.

Security Discussion Sites and Guides

Securing Debian HOWTO - From the Debian site. Although specific to this distro, there's a lot of stuff here that can be applied to other platforms.

Apache Authentication Part 1 - Beginning with the basics of authenticating to an Apache server, using htpasswd.

Apache Authentication Part 2 - Switching from htpasswd to using a database to handle authentication.

Apache Authentication Part 3 - Using MySQL for managing authentication information.

Apache Authentication Part 4 - Automating maintenance of your password lists.

SSL Certificates HOWTO - How to manage a certificate authority (CA), issue and sign certificates.

Johnny iHackStuff - An interesting site with a lot of documentation on assessing your site's vulnerabilities.

Phrack - An online magazine for systems crackers and hackers

PacketStorm - A listing of DOS, DDOS and other vulnerability assessment tools.

SecurityForest - A very good site for news and discussion of security issues and vulnerabilities. It's a Wiki, so anyone can set up an account and contribute. In addition, they keep a pretty extensive collection of exploit code that you can download for your own use.

Professional Security Testers - Another interesting site, this one is a rich source of documentation, training and software for doing penetration testing and vulnerability assessment.

CERT - Home of the Computer Emergency Response Team

Security Focus - Home of the Bugtraq database

Cryptogram - If you are interested in a career in security, you need to know about Bruce Schneier.

InfosecWriters.com - A site for security specialists who wish to share their experiences and expertise.

An Illustrated Guide to Cryptographic Hashes - A nice explanation of software like SHA and MD5.

2600: The Hacker Quarterly - A magazine devoted to covering security issues of interest to hackers and crackers. You can purchase their merchandise (t-shirts, videos, back issues) online here.

Windows Password Recovery - A nicely written discussion of this topic using Linux tools exclusively.

Articles on Network Security

Six Things a First-Time Squid Administrator Should Know - a good article from O'Reilly on administering the Squid proxy server.

Constructive Paranoia at the end of 2003 - An article by top Unix hacker Rick Moen discussing some techniques and guidelines for securing your systems.

5 IDS Mistakes Companies Make - An essay on some common problems companies have implementing and managing their Intrusion Detection Systems.

Secure Cooking with Linux, Part 1 - Some tips and tricks from the book "Linux Security Cookbook", from O'Reilly Press.

Secure Cooking with Linux, Part 2 - More tips and tricks.

Complete Snort-Based Architecture - A detailed guide to setting up the network monitoring software Snort.

What Countermeasures Really Mean - A discussion of security management.

Are Your Servers Secure? - A nice, readable article about system security from the Linux Gazette.

RSA 2005 Conference and Expo Special Report - From Linux Gazette.

Know Your Enemy: Tracking Botnets - An excellent, very readable article from The HoneyNet Project, describing the results of their research monitoring the Internet for Botnet (networks of zombie PCs) activity.

A Sense of Proportion - An essay discussing security incident response. Very good.

Security Links - An enormous (.5 MB) set of links to all sorts of online security resources, courtesy of Peter Gutmann.

Godzilla Crypto Tutorial - Another gift from Peter Gutmann, this is a set of 704 slides in eight parts of a tutorial on cryptography and cryptanalysis.

DoxPara Research - Very cool site by Dan Kaminsky, the Yoda of network hacking. Includes code, documentation and presentations.

Security and Hacking Podcasts

CISSP Study Guide Podcast - I haven't heard enough of this to evaluate it properly, but it looks like a good place to start if you're planning on getting your Certified Information Systems Security Professional certification.

Sploitcast - I just recently discovered this one. The hosts are knowledgeable and entertaining.

The Security Catalyst - I just recently discovered this one so I haven't heard a lot of it yet, but it's gotten good reviews on iTunes.

Hak.5 - More of a general hacking discussion but they also cover some security and cracking topics. (NOTE: This is a video podcast.)

The Linux Link Tech Show - This one is a lot of fun. The discussion ranges over a wide field of Linux and/or OSS topics and the hosts are usually drunk.

Hack TV - Another video podcast. This is focused specifically on hacking and cracking. The quality is uneven since some of the material is submitted by viewers. It's worth skimming through to get to the good stuff.

The Broken - Another video podcast. Fun since they don't take themselves very seriously. Covers hacking, cracking and hardware mods. Quality is kind of uneven but worth a look.

The Show with zefrank - Another video podcast. Not tech-related but hilariously smart and funny. Each episode (Mon. - Fri.) is about 3 minutes long and is equal parts satire, madness and genius.

Democracy:Internet TV - Not a podcast, but an open-source, cross-platform Internet video client. You can subscribe to a wide variety of video podcasts, search for and download videos from YouTube and Google Video, watch HD video fullscreen and play nearly any media format. It's free and available for Windows, Linux and Mac OS X.

Tutorials

Netcat - a PDF with a quick run-through of Netcat's abilities.

Nmap - The premier port-scanning tool.

Ethereal Capture Filters - A nice guide.

Nemesis - The official documentation from the developer.

Metasploit - The official documentation for this exploit framework.

Nessus - A nice introduction to the best free vulnerability scanner ever.

Digital Certificates - A guide to using CA.pl, a front-end script for openssl for creating and managing digital certificates. NOTE: This script is limited in what it does, so for extra control use the openssl command directly.

OpenSSL Command Line HOWTO - A nice guide to all the nifty crypto stuff you can do with openssl, including some things that surprised me, like using it to launch a server to test your certificates!

Attack Trees - The original article from Bruce Schneier describing this risk analysis technique.

Google Hacks (Courtesy of johnny.ihackstuff.com)

Plug the search terms in these files into Google to see how many people leave themselves wide open and vulnerable on the Internet.

Hacking Footholds - Information that could be used to gain a foothold on a vulnerable site

Online Shopping Info - Queries that can reveal online shopping information like customer data, suppliers, orders, etc.

Sensitive Info - Not passwords, but certainly information you don't want to leave lying around.

Juicy Info - Interesting stuff

Login Pages - Front pages for Web-based administration software.

Passwords - 'Nuff said.

Vulnerable Network Data - Firewall logs, honeypot logs, network information, IDS logs, etc.

Vulnerable Servers - Reveals servers with specific vulnerabilities.

 

Directory Service Links

Kerberos/LDAP Mini-HOWTO - A quick and dirty guide to getting Kerberos working with OpenLDAP, an open source directory service.

LDAP Authentication - From the Debian Wiki, a nice collection of information and links for integrating LDAP directory services into your network.

LDAP Implementation HOWTO - From the Linux Documentation Project.

Installing an OpenLDAP Server (part 1) - From Linux.com

Installing an OpenLDAP Server (part 2) - Explains how schemas work and how to migrate your current data to your LDAP server.

OpenLDAP Authentication Setup - A fairly comprehensive overview of the types of authentication available with an OpenLDAP-based server.

Open-IT: LDAP Tools - A nice collection of articles and tutorials describing how to work with LDAP-based directory services.

LDAP-based User Management for Linux - How to consolidate your user information and set up single sign-on for your users with LDAP.

OpenLDAP Quick-Start Guide - As the title suggests, a fast way to get an OpenLDAP server up and running. (Covers version 2.1)

OpenLDAP - Set up your own industry standard directory service (or just an e-mail address book) using this free, open-source software.  Integrates nicely with Active Directory, eDirectory, NDS and Sun's iPlanet Directory Server.

General Resources

ComputerWorld - If you want to see how computers are really used in real businesses, this is a good source. Essentially an offshoot of Computerworld magazine (available as a free subscription if you can convince them that you influence buying decisions where you work), this site is pretty platform independent and has a decent career section, as well as a 'gossip' column where actual IT folk write in anonymously and describe the various ways that management can screw up the techies.

CPUniverse - If you were thinking of going into contracting or consulting, this is a great site. Affiliated with Contract Professional magazine (not a free subscription but well worth the cost) this site has tips on the hottest skill areas, what it's like to work in different parts of the country and even how to negotiate a contract and handle your tax situation. There's even a free weekly e-mail newsletter.

SoftPro Books - This is an excellent source for computer and networking books. You can order online or go to one of their local stores. (They have one at Yosemite and Arapahoe in Englewood and another in Boulder.) You can usually get 10-20% off the list price and if you join their 'frequent shoppers' club (it's free) you can get additional savings. 

GoCertify - A nice site that has information on just about every technical certification you can get -- who offers it, what you need to get it, where you can get training and where/how you can take the test.

BrainBench - Another certification site, but this one does their own online certification exams in a wide variety of technical subjects.

Safari - As technical professionals, one of the things you will need to have is a reference library. Safari, from O'Reilly Press, offers online access to thousands of technical books and manuals with the ability to search, print and bookmark content. I already have shelves of books both at home and in my office as well as technical journals at hand, but Safari has been a tremendous help to me when I need to get up to speed on a topic quickly. It's by subscription (I don't get any kickbacks from this) and they start at $15/month.

Online References

Online Computer Dictionary - Stuck trying to figure out an acronym or computer term? This is a good site to look it up. 

Google - One of the best search engines out there for the technically inclined. 

FAQs Online - Here's the one-stop shop for looking up Internet FAQs (Frequently Asked Questions) and RFCs (Requests For Comments). 

Just for Fun

Ubersoft - A funny comic strip about a mythical software/OS vendor located somewhere in the Pacific Northwest....

User Friendly - Yet another comic strip that looks at the funny side of computing.

Computer Stupidities - This site collects actual dialogues between real users and real tech support folk. The range of misunderstandings and confusion is frequently hilarious.

Peter's Evil Overlord List - Thinking about a career as an Evil Overlord? Think you have what it takes to be the next Darth Vader? Check out this site for a collection of SuperVillain Do's and Don'ts including 'My ventilation shafts will be too small to crawl through'.

The Voice Actor Page - Want to know who does the voice of Larry 3000 on Time Squad?  Find the answer to this and many more questions about the men and women who do the talking for your favorite cartoon characters.  Search alphabetically by show title or actor name.  (By the way, Larry is voiced by none other than Mark Hamill.)

Computer Features - A funny look at some features you may need on your computers.

What NOT to Do During "The Return of the King" - Very funny and somewhat nasty.

 

DISCLAIMER: The views expressed on this site are those of the author and are not necessarily those of his employer, Westwood Technical College or its affiliates. This material is intended to supplement the class lectures and text and is not required to complete the course.
