Our interest in security was to stay in control of the system to make improvements to it as well as the technical challenge. We never damaged anyone's data though the SysAdmins spent lots of time to try to get us out. They never caught Doug, Ross, or I, however hard they tried.

It was wrong for us to do this without permission and, instead, we should have found a sympathetic professor to arrange for us to get legitimate access. One of us (not the three named above) was arrested, spent a night in jail, and had to fight to avoid conviction due to our activities. This was my only less than white hat activity.

What are your favourite security tools and why?

IP Chains/IP Tables

This is the "Killer App" that allowed Linux to be a good Enterprise-class firewall. I find it far easier to configure than Cisco's Pix, cheaper, and more versatile; IP Tables offers all of the features that most organizations need.

I wrote 60 pages on IP Tables in RWLS 2/e that includes "Tips and Techniques" for easy rule set creation and debugging, a detailed comparison of IP Tables with IP Chains, and complete IP Tables scripts for SOHO and medium organizations that want a DMZ.

Logcheck (my enhanced version)

Logcheck takes the tedium out of properly checking your systems' log files for attacks and illness. I find it better than other tools, such as LogWatch, that either do not catch enough problems or do not discard unimportant events. I recommend that anyone running LogWatch immediately replace it with Logcheck.


My enhancements including fitting each IP Chains/IP Tables entry on a single line, being able to page the System Administrator for major problems, and not repeating "Attack" entries in the "Violations" section and not repeating "Violation" entries in the "Unusual" section. This encourages one to read all sections, knowing that it does not contain repeated data.

This version is on the CD-ROM that comes with the book and has been submitted back to Logcheck's original author.

My own Adaptive Firewall

It runs on top of IP Chains/Tables ("The Cracker Trap"). It locks an attacking system out of one's network within a fraction of a second.

Nmap

Fyodor's wonderful tool allows a thorough analysis of a firewall, network, or system very quickly and easily. Both SysAdmins and crackers use it daily. I even use it to see if an e-commerce site has made an effort to harden its server before I trust it with my credit card number.

Arpwatch (my enhanced version)

This wonderful tool allows the SysAdmin to know when someone connects a new system to the network or changes the IP address of an existing system within seconds. This is critical to ensure that users do not install "rogue" systems without authorization.