Port Scan Attack Detector (psad) is a collection of four lightweight daemons written in Perl and C that are designed to work with Linux firewalling code (iptables and ipchains) to detect port scans. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding nmap options, email alerting, and automatic blocking of offending IP addresses via dynamic configuration of ipchains/iptables firewall rulesets. In addition, for the 2.4.x kernels psad incorporates many of the TCP, UDP, and ICMP signatures included in Snort to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (SYN, FIN, Xmas) which are easily leveraged against a machine via nmap. Psad also uses packet TTL, IP ID, TOS, and TCP window sizes to passively fingerprint the remote operating system from which scans originate.
d7a51a9b37459d1e7b9266ee1171778d3a2e269bf9de66ba2599737bdca8985f
Zeppoo is a tool that attempts to detect if a rootkit is installed on your system. It also makes it possible to detect hidden tasks, modules, syscalls, some corrupted symbols and also hidden connections.
dbf88e370062012c000c72efb6861868f3358a70bba9a93e31b6710b5c36f592
Safebreaker is a demonstration next-generation packet-sniffing backdoor that does not require libpcap. It offers full terminal support, comes with TLS encryption for the connection, and has configurable authentication parameters.
f6f72ee772f76cad2c257e301e9e32dd81ea91eb20dff6bdc36e59f08553c705
Rule Set Based Access Control (RSBAC) is an open source security extension for current Linux kernels. It is based on the Generalized Framework for Access Control (GFAC) and provides a flexible system of access control implemented with the help of a kernel patch. All security relevant system calls are extended by security enforcement code. This code calls the central decision component, which in turn calls all active decision modules and generates a combined decision. This decision is then enforced by the system call extensions.
49564170333dbf003f860c1e66e5f5f83f678fceffa79f6f9f053ff7448ddbf5
Sysmask is a security package for Linux systems that can prevent arbitrary malicious code from causing permanent damage. It protects the system against daemon exploits and user accounts against viruses and worms, whether known or unknown, without requiring the recompilation of existing software.
f82e69f16be11017058cec85631b2a4a7ff659f7f6aa7888ef96daeb0029b2a2
Rule Set Based Access Control (RSBAC) is an open source security extension for current Linux kernels. It is based on the Generalized Framework for Access Control (GFAC) and provides a flexible system of access control implemented with the help of a kernel patch. All security relevant system calls are extended by security enforcement code. This code calls the central decision component, which in turn calls all active decision modules and generates a combined decision. This decision is then enforced by the system call extensions.
ad3bde38f32450a92f280a3745a2f90eae456aebd5c544bb0b850d38c1ceabb4
The Openwall Linux kernel patch is a collection of security hardening features for the Linux kernel which can stop most 'cookbook' buffer overflow exploits. The patch can also add more privacy to the system by restricting access to parts of /proc so that users may not see what others are doing. It also tightens down file descriptors 0, 1, and 2, and implements process limits and shared memory destruction.
34d3033f6db61c7bbe1fe293e31ddc2ee847c21790e3d749333de4c2579842ee
A new grsecurity patch has been released. It implements a detection/prevention/containment strategy. It prevents most forms of address space modification, confines programs via its Role-Based Access Control system, hardens syscalls, provides full-featured auditing, and implements many of the OpenBSD randomness features. It was written for performance, ease-of-use, and security. The RBAC system has an intelligent learning mode that can generate least privilege policies for the entire system with no configuration. All of grsecurity supports a feature that logs the IP of the attacker that causes an alert or audit.
d80c1d589b8a6fe3b0dea9563ee2453231d8f4854c17e5ed4f2d970790a7f67d
StMichael is an LKM that attempts to provide a level of protection against kernel-module rootkits. StMichael is designed to be loaded early in the system boot process, and is intended to be present and running on its host system prior to the introduction of malicious kernel modules. StMichael provides this protection by monitoring various portions of the kernel, and optionally the entire kernel text itself, for modifications that may indicate the presence of a malicious kernel module. If rootkit-like activity is detected, StMichael will attempt to recover the kernel's integrity by rolling back the changes made to a previously known-good state.
adc3452e7d816d4e5d6ed1c7456dfebf7c3df08482f47ee327c38bfe49184643
StMichael is an LKM that attempts to provide a level of protection against kernel-module rootkits. StMichael is designed to be loaded early in the system boot process, and is intended to be present and running on its host system prior to the introduction of malicious kernel modules. StMichael provides this protection by monitoring various portions of the kernel, and optionally the entire kernel text itself, for modifications that may indicate the presence of a malicious kernel module. If rootkit-like activity is detected, StMichael will attempt to recover the kernel's integrity by rolling back the changes made to a previously known-good state.
ff8ec12f68893b5afc4a6cec3000fa2633c142ce110705b622d4881cffa2bcf2
The MultiAdmin security framework kernel module provides a means to have multiple root users with unique UIDs. This bypasses collation order problems with NSCD, allows you to have files with unique owners, and allows you to track the quota usage for every real user. It also implements a sub-admin, a partially restricted root user who has full read-only access to most subsystems, but write rights only to a limited subset, for example writing to files or killing processes only of certain users.
957b10088337e470560b609a317b3ab5fdb11a700127616b1b2fcee47da5c7fc
Rule Set Based Access Control (RSBAC) is an open source security extension for current Linux kernels. It is based on the Generalized Framework for Access Control (GFAC) and provides a flexible system of access control implemented with the help of a kernel patch. All security relevant system calls are extended by security enforcement code. This code calls the central decision component, which in turn calls all active decision modules and generates a combined decision. This decision is then enforced by the system call extensions.
709c2120927045704957078c0776486d8398633b96d537bc6a4998e4443abb39
ZoneMinder is a suite of applications intended for use in video camera security applications, including theft prevention and child or family member monitoring. It supports capture, analysis, recording, and monitoring of video data coming from one or more cameras attached to a Linux system. It also features a user-friendly Web interface which allows viewing, archival, review, and deletion of images and movies captured by the cameras. The image analysis system is highly configurable, permitting retention of specific events, while eliminating false positives. ZoneMinder supports both directly connected and network cameras and is built around the definition of a set of individual 'zones' of varying sensitivity and functionality for each camera. This allows the elimination of regions which should be ignored or the definition of areas which will alarm if various thresholds are exceeded in conjunction with other zones. All management, control, and other functions are supported through the Web interface.
f8d0ee7e19eb17ff793cd0cc92629919233f1e52e07d5dbc73e02b7a611bd360
Zeppoo is a tool that attempts to detect if a rootkit is installed on your system. It also makes it possible to detect hidden tasks, modules, syscalls, some corrupted symbols and also hidden connections.
1439e67ba34b17d65f91964b263fe41d50d6bfb583255b37e624438d716f2378
The MultiAdmin security framework kernel module provides a means to have multiple root users with unique UIDs. This bypasses collation order problems with NSCD, allows you to have files with unique owners, and allows you to track the quota usage for every real user. It also implements a sub-admin, a partially restricted root user who has full read-only access to most subsystems, but write rights only to a limited subset, for example writing to files or killing processes only of certain users.
6b1f37152a2e647d2824a80fabe12edbd436668efa9a9c487f1fb91aca7ba41a
ZoneMinder is a suite of applications intended for use in video camera security applications, including theft prevention and child or family member monitoring. It supports capture, analysis, recording, and monitoring of video data coming from one or more cameras attached to a Linux system. It also features a user-friendly Web interface which allows viewing, archival, review, and deletion of images and movies captured by the cameras. The image analysis system is highly configurable, permitting retention of specific events, while eliminating false positives. ZoneMinder supports both directly connected and network cameras and is built around the definition of a set of individual 'zones' of varying sensitivity and functionality for each camera. This allows the elimination of regions which should be ignored or the definition of areas which will alarm if various thresholds are exceeded in conjunction with other zones. All management, control, and other functions are supported through the Web interface.
05051baab9e687ca9f2e4419a71d68de854a4b78a3b8b96e7d6b8fa54889d1a2
A Linux 2.6 kernel module that is designed to prevent the loading of other modules.
055c2a5b157b462bf26ea721be183b42a661947a9b402b31d72bbf81adac0469
ext2hide allows the user to save and restore an arbitrary number of files to and from the reserved space in an ext2/3 filesystem's primary and backup superblocks. Files stored in this reserved section are completely invisible to normal filesystem utilities, yet still reside in permanent storage on disk. This can be useful for passwords, public keys, or anything else you like.
28d9964bdab102eea6b6c1594f8550726e219a353d4a4bd160db6749cad6a0f3
Zeppoo is a tool that attempts to detect if a rootkit is installed on your system. It also makes it possible to detect hidden tasks, modules, syscalls, some corrupted symbols and also hidden connections. Written in Python.
6091818f7426a5e029c832d85512c1f168ec3b68502639dc5bcf2d8a99281eda
Sysmask is a security package for Linux systems that can prevent arbitrary malicious code from causing permanent damage. It protects the system against daemon exploits and user accounts against viruses and worms, whether known or unknown, without requiring the recompilation of existing software.
d6a8d99407835d5ef5f471f4db9dc3295c0a351b03cabd88fa7aa8ca2167387a
kpatch.sh is a shell script illustrating runtime kernel memory patching. For demonstration purposes it shows how to break the kguard module. kpatch does not create any files on the system it runs on, so it is possible to patch kernel memory without leaving any file on the target machine. It only requires basic shell utilities to work.
77e4718157cc4f9e826de98706d17c057cab2c807f183a07e878800815c4d68e
Dazuko is a kernel module which provides 3rd-party applications with an interface for file access control. It is useful for on-demand virus scanning, as a file-access monitor/logger, or for external security implementations. It operates by intercepting file-access calls and passing the file information to a 3rd-party application. The 3rd-party application then has the opportunity to tell the kernel module to allow or deny the file access. The 3rd-party application also receives information about the file, such as the type of access, process ID, user ID, etc.
120a967d446d552ad485f6197f5c9d9cd8b5369ae74104c98641c8e3492031ce
The MultiAdmin security framework kernel module provides a means to have multiple root users with unique UIDs. This bypasses collation order problems with NSCD, allows you to have files with unique owners, and allows you to track the quota usage for every real user. It also implements a sub-admin, a partially restricted root user who has full read-only access to most subsystems, but write rights only to a limited subset, for example writing to files or killing processes only of certain users.
e230d05121b93e48db1cedcdc60023126e1672458257223a7e065e75221f888f
A new grsecurity patch has been released for the 2.6.14.6 Linux kernel series. It implements a detection/prevention/containment strategy. It prevents most forms of address space modification, confines programs via its Role-Based Access Control system, hardens syscalls, provides full-featured auditing, and implements many of the OpenBSD randomness features. It was written for performance, ease-of-use, and security. The RBAC system has an intelligent learning mode that can generate least privilege policies for the entire system with no configuration. All of grsecurity supports a feature that logs the IP of the attacker that causes an alert or audit.
eaa8d0841c436461c0a8176a81ccbfc192d61cc0a8137702536776b170a512d3