# security

## cascamorto

Some good emerges to be quite secure on the net?

(Keep in mind my box is already behind a router with a physical integrated firewall.)

----------

## tukachinchila

chkrootkit

rkhunter

nmap

nessus

snort

aide

If you haven't seen this already, have a look at this document for a great hardening tutorial: http://www.gentoo.org/doc/en/gentoo-security.xml

----------

## RockCrusha

net-misc/arpstar 

 :Wink: 

_WestAnnex_

----------

## Jerri

net-analyzer/ethereal

----------

## Jerri

RockCrusha, how common are these ARP poisoning attacks... to be honest, I have never heard of them before. Then again, I'm no security expert, probably the furthest thing from :)

----------

## RockCrusha

Jerri-

Well, if you've never heard of them before, they're more common than you think  :Wink: , and way easier to perform than you'd hope. Ever heard of Ettercap or Cain & Abel?

Anytime you share a LAN segment with another host, you can be victimized by ARP poisoning attacks if you aren't using static ARP (which basically no one is).

If you have a wireless access point, or connect to a public one (say at Panera Bread, Starbucks, or a Holiday Inn), any other user connected to that AP can play man-in-the-middle on even your ssh and ssl connections. Or if you wanted to read the email, AIM traffic, ssh traffic, whatever traffic of the person down the hall at work or in your dorm at school, ARP poisoning is a great way to go. Use online banking from work or home? Tools such as Ettercap and Cain & Abel can snag your bank login/password so fast you'll never know it even happened.

Basically ARP poisoning is one of the ways you sniff traffic on a switched network. It's ridiculous that it is so easy to execute this kind of attack, and IMO any Linux box without ArpStar is asking to get hosed.

Not only interception: ARP poisoning can be a form of DoS... just poison their cache to point their default gateway at their own MAC address or at nowhere. Done!

Anytime you share a LAN segment, you need to be aware that ARP poisoning can occur. Basically, if this doesn't concern you, it should... greatly.

-RockCrusha
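The mechanism RockCrusha describes is just an unsolicited ARP "is-at" reply that rewrites a neighbour's cache entry: tell the victim "the gateway is at my MAC", tell the gateway "the victim is at my MAC", and both directions of a switched conversation flow through the attacker; point the gateway entry at the victim's own MAC or a bogus one and you have the DoS variant instead. The following is an added example, not code from the thread or from the ArpStar project: it builds such frames byte-for-byte (Ethernet II + ARP), parses them, and runs a small watcher over them that reports the two things a poisoning attack cannot avoid doing on the wire, a known IP's binding changing and one MAC claiming more than one IP. The addresses, the constructed frames and the "trusted gateway" seed are assumptions for the demo.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP 'is-at' reply, the frame a poisoner sends unsolicited."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # htype Ethernet, ptype IPv4, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class ArpWatch:
    """Passive watcher: tracks IP -> MAC bindings seen in replies and flags suspicious changes.

    `trusted` pins bindings (e.g. the gateway) that must never move; a reply contradicting
    one is reported and the pinned value is kept, which is what a static ARP entry does on a host.
    """

    def __init__(self, trusted=None):
        self.bindings = dict(trusted or {})
        self.trusted = set(trusted or {})
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return None
        ip, mac = arp["spa"], arp["sha"]
        old = self.bindings.get(ip)
        alert = None
        if old is not None and old != mac:
            kind = "trusted binding overridden" if ip in self.trusted else "binding changed"
            alert = f"{kind}: {ip} was {old}, now claimed by {mac}"
        else:
            # one MAC answering for a second IP is the signature of a MITM between two hosts
            others = [i for i, m in self.bindings.items() if m == mac and i != ip]
            if others:
                alert = f"{mac} claims {ip} but already owns {others}"
        if alert:
            self.alerts.append(alert)
        if ip not in self.trusted:
            self.bindings[ip] = mac
        return alert


def demo():
    """Constructed LAN: gateway, victim, attacker. Returns one watcher verdict per frame."""
    GW_IP, GW_MAC = "192.168.1.1", "00:11:22:33:44:01"
    VICTIM_IP, VICTIM_MAC = "192.168.1.20", "00:11:22:33:44:20"
    ATTACKER_MAC = "00:de:ad:be:ef:99"
    watch = ArpWatch(trusted={GW_IP: GW_MAC})
    frames = [
        build_arp_reply(VICTIM_MAC, VICTIM_IP, GW_MAC, GW_IP),          # legitimate reply
        build_arp_reply(ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),    # to victim: "gateway is-at attacker"
        build_arp_reply(ATTACKER_MAC, VICTIM_IP, GW_MAC, GW_IP),        # to gateway: "victim is-at attacker"
        build_arp_reply(VICTIM_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),      # DoS: "gateway is-at the victim itself"
    ]
    return [watch.observe(f) for f in frames]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

On a real segment the frames would come from a raw socket or a pcap rather than `build_arp_reply`, and the watcher would be seeded from the known gateway. The host-side fix the post alludes to ("static ARP") is the same pin expressed in the kernel: on Linux `ip neigh add 192.168.1.1 lladdr 00:11:22:33:44:01 dev eth0 nud permanent` (or the older `arp -s 192.168.1.1 00:11:22:33:44:01`), which is why an unsolicited reply can no longer move the entry.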

----------

## Jerri

shit... thanks for the post :)

/me runs to patch his kernel

----------

## abrand15

When trying to emerge arpstar, it fails ... here is the output:

```
baseball portage # ACCEPT_KEYWORDS="~x86" emerge -v arpstar
Calculating dependencies ...done!
>>> emerge (1 of 1) net-misc/arpstar-0.5.5 to /
>>> md5 src_uri ;-) arpstar-0.5.5.tar.gz
 * Determining the location of the kernel source code
 * Found kernel source directory:
 *     /usr/src/linux
 * Found sources for kernel version:
 *     2.4.28-gentoo-r7
 * Checking for suitable kernel configuration options
>>> Unpacking source...
>>> Unpacking arpstar-0.5.5.tar.gz to /var/tmp/portage/arpstar-0.5.5/work
>>> Source unpacked.
 * Preparing arpstar module
make -C /usr/src/linux SUBDIRS=/var/tmp/portage/arpstar-0.5.5/work modules
make[1]: Entering directory `/usr/src/linux-2.4.28-gentoo-r7'
make -C  /var/tmp/portage/arpstar-0.5.5/work CFLAGS="-D__KERNEL__ -I/usr/src/linux-2.4.28-gentoo-r7/include -Wall -Wstrict-prototypes -Wno-trigraphs -O2 -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe -mpreferred-stack-boundary=2 -march=i686  -DMODULE -DMODVERSIONS -include /usr/src/linux-2.4.28-gentoo-r7/include/linux/modversions.h" MAKING_MODULES=1 modules
make[2]: Entering directory `/var/tmp/portage/arpstar-0.5.5/work'
make[2]: *** No rule to make target `modules'.  Stop.
make[2]: Leaving directory `/var/tmp/portage/arpstar-0.5.5/work'
make[1]: *** [_mod_/var/tmp/portage/arpstar-0.5.5/work] Error 2
make[1]: Leaving directory `/usr/src/linux-2.4.28-gentoo-r7'
make: *** [default] Error 2
!!! ERROR: net-misc/arpstar-0.5.5 failed.
!!! Function linux-mod_src_compile, Line 417, Exitcode 2
!!! Unable to make                                  KDIR=/usr/src/linux  .
!!! If you need support, post the topmost build error, NOT this status message.
```

What am I doing wrong or missing?

thanks

----------

## Swi+ch

Looks like you're using a 2.4 kernel. Right now arpstar is only supported on 2.6 kernels.

Swi+ch

Westannex

----------

## abrand15

Thanks... I thought that I saw in the FAQ that 2.4 was supported.

Are there any plans of back-porting it to the 2.4 kernel?

----------

## Swi+ch

Well, originally it was planned to work for 2.4 and 2.6. We did have a working version for 2.4 a while ago, but some kernel changes caused us to choose the 2.6 kernel tree over the 2.4 kernel tree. Basically, right now we're just getting started and are stretched a little thin, especially with the other projects we're working on. Any reason you're still using a 2.4 kernel? And this is not a request to start a huge discussion about the pros/cons of 2.4/2.6. Just wondering if there's a reason you're still using 2.4, since 2.6 went stable a loooong time ago. Also, all of us use 2.6 kernels and don't really know many people who use 2.4 anymore. It just didn't seem like a big priority. But I guess if there's a huuuge outcry for a 2.4 version of arpstar we'd get it done.

Swi+ch

Westannex

dig your avatar btw

----------

## abrand15

No real reason, just have not taken the time lately to update that machine... it is my IBM ThinkPad and I don't use it that often... my servers are running 2.6.

> dig your avatar btw

Thanks!  :Smile: 

----------

## 59729

Could someone help me out to understand this a bit?

My setup:

LAN (running Windows) <-> gentoo (NAT masq) <-> world

This is what I want to try (all from the gentoo box):

1. Try to use arpoison, just some basic stuff that's possible from my server on my server and perhaps on the LAN if possible

2. Apply arpstar

3. Do number 1 again 

So basically I just want to see if it's possible to, say, write mail on my Windows box, send it and catch it, and then try to do the same thing with arpstar in place. I have no interest in trying to do this against other people, but I would like to know how an attack works so I know why I use the protection in the first place.

----------

## Swi+ch

Well lappen, you want to try the experiment a different way. Your setup has you trying to poison from your gateway. This is possible but not very interesting or useful, because if an attacker already owns the gateway he can already perform a man-in-the-middle attack without ARP poisoning. A normal attack would have a different machine (not your normal machine and not your gateway) as the attacker.

So on the LAN you would have:

machine 1: gateway

machine 2: your regular box... your email box

machine 3: attacker

Then the experiment runs as follows. Use the attacker machine to ARP poison the gateway against the email machine. Then the traffic from the email machine on the way out to the internet goes through the attacker before hitting the gateway. Use Ettercap or Cain and Abel. Then for a real comparison you need to clear the ARP caches on the machines so the setup is the same; otherwise the machines may still be poisoned, or the neighbor cache info may still be in the kernel. You gotta flush this out for a proper experiment. Then put the arpstar module in and repeat.

Oh, and since the machines on your LAN are using Windows, you're probably going to have some half-routing going on. The arpstar module only works on Linux machines, so your Gentoo box will be immune but the Windows side will be poisoned. So you should be able to see 1/2 of the traffic but not all of it. There's not much arpstar can do to help Windows boxes. If you want an in-depth look at how it works and also the Windows/half-routing problem, check out the PDF on our site.

http://arpstar.sourceforge.net/docs/arpstar.pdf

Swi+ch

Westannex
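The three-machine experiment and the "half-routing" outcome above can be modelled without touching a real network: each host is an ARP cache, the poisoner writes two entries (the mailbox's entry for the gateway and the gateway's entry for the mailbox), and each direction of traffic goes wherever the sender's cache says the next hop is. The code below is an added example, not from the thread or from the arpstar project. Its `protected` flag is a deliberately simplified stand-in for what the post says the module achieves (the Linux box is "immune"): a protected host refuses an unsolicited reply that would overwrite an entry it already has. That policy, the addresses and the host names are assumptions for the model; arpstar's actual logic is in the PDF linked above.

```python
class Host:
    """One LAN host reduced to its ARP/neighbour cache (ip -> mac)."""

    def __init__(self, name, ip, mac, protected=False):
        self.name, self.ip, self.mac, self.protected = name, ip, mac, protected
        self.cache = {}

    def learn(self, ip, mac, solicited=False):
        """Cache update on an incoming ARP reply.

        An unprotected host (the Windows side, or a stock kernel) takes any reply at face
        value. A protected host (assumed model of the thread's arpstar) keeps an existing
        entry unless the reply answers a request it actually sent.
        """
        if self.protected and not solicited and ip in self.cache and self.cache[ip] != mac:
            return False
        self.cache[ip] = mac
        return True

    def flush(self):
        """Equivalent of clearing the neighbour cache before each run."""
        self.cache.clear()


def run_experiment(gateway_protected, mailbox_protected=False):
    """Poison both ends of the mailbox<->gateway path and report which directions the attacker now sees."""
    gw = Host("gateway", "192.168.1.1", "00:11:22:33:44:01", protected=gateway_protected)
    mail = Host("mailbox", "192.168.1.20", "00:11:22:33:44:20", protected=mailbox_protected)
    atk = Host("attacker", "192.168.1.66", "00:de:ad:be:ef:99")

    # Clean start, as the post insists: flush, then let the two ends resolve each other normally.
    for h in (gw, mail, atk):
        h.flush()
    gw.learn(mail.ip, mail.mac, solicited=True)
    mail.learn(gw.ip, gw.mac, solicited=True)

    # The attacker's two unsolicited replies: "gateway is-at attacker" to the mailbox,
    # "mailbox is-at attacker" to the gateway.
    mail.learn(gw.ip, atk.mac)
    gw.learn(mail.ip, atk.mac)

    return {
        "outbound_via_attacker": mail.cache[gw.ip] == atk.mac,   # mailbox -> internet leg
        "inbound_via_attacker": gw.cache[mail.ip] == atk.mac,    # internet -> mailbox leg
    }


if __name__ == "__main__":
    print("no protection:      ", run_experiment(gateway_protected=False))
    print("gateway protected:  ", run_experiment(gateway_protected=True))
    print("both protected:     ", run_experiment(gateway_protected=True, mailbox_protected=True))
```

With neither side protected both legs pass through the attacker; protecting only the Gentoo gateway leaves the outbound leg intercepted, which is the half of the traffic the post says you will still see; only protecting both ends closes the path. For the real run, the cache flush between trials is `ip neigh flush all` on the Linux box and `arp -d *` on the Windows client, and `arp -a` (Windows) or `ip neigh show` (Linux) lets you confirm the gateway entry before and after poisoning.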

----------

