Interview with Bob Toxen, Author of "Real World Linux Security"
by Mirko Zorz - Monday, 16 December 2002.
I wrote 60 pages on IP Tables in RWLS 2/e that includes "Tips and Techniques" for easy rule set creation and debugging, a detailed comparison of IP Tables with IP Chains, and complete IP Tables scripts for SOHO and medium organizations that want a DMZ.

Logcheck (my enhanced version)

Logcheck takes the tedium out of properly checking your systems' log files for attacks and illness. I find it better than other tools, such as LogWatch, that either do not catch enough problems or do not discard unimportant events. I recommend that anyone running LogWatch immediately replace it with Logcheck.

My enhancements including fitting each IP Chains/IP Tables entry on a single line, being able to page the System Administrator for major problems, and not repeating "Attack" entries in the "Violations" section and not repeating "Violation" entries in the "Unusual" section. This encourages one to read all sections, knowing that it does not contain repeated data.

This version is on the CD-ROM that comes with the book and has been submitted back to Logcheck's original author.

My own Adaptive Firewall

It runs on top of IP Chains/Tables ("The Cracker Trap"). It locks an attacking system out of one's network within a fraction of a second.


Fyodor's wonderful tool allows a thorough analysis of a firewall, network, or system very quickly and easily. Both SysAdmins and crackers use it daily. I even use it to see if an e-commerce site has made an effort to harden its server before I trust it with my credit card number.

Arpwatch (my enhanced version)

This wonderful tool allows the SysAdmin to know when someone connects a new system to the network or changes the IP address of an existing system within seconds. This is critical to ensure that users do not install "rogue" systems without authorization.

It also is useful to detect if any systems become compromised. In the latter case, the better crackers will change the system's IP address to an unused one to make it harder to track down which system was compromised. With Arpwatch, one will know which system was changed unless the cracker changes both the IP address and MAC address simultaneously. In this latter case one still will know that a rogue system has appeared suddenly.

Arpwatch was created by Craig Leres of Lawrence Berkeley Labs and I have enhanced it extensively to be more useful for large networks with multiple subnets and to properly detect bogons. Bogons are systems whose IP address is incorrect for the network that they are on. Bogons indicate systems that are incorrectly configured or compromised.


This wonderful program allows fast real-time analysis of packets traversing a system or network. It allows localizing a network or firewall problem, verifying that a VPN actually is encrypting its data, etc.

How long did it take you to write "Real World Linux Security, 2/e" and what was it like?

It took about three months of 90-hour weeks to finish the manuscript and a few months of "normal weeks" for the post-manuscript production to produce the finished book. This was on top of about six months of 120-hour weeks to create the manuscript for the first edition and three months for production.

What was it like? Pure hell. I worked mostly at night because I am more creative then and there were no interruptions for email or phone calls. My friends thought I abandoned them because they never saw me and I kept sending my girlfriend away for weekends, camping, to visit her mother in Washington, DC, and elsewhere. My good friend, Stan Bootle calls it "Writer's Widow".


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th