From Things and Stuff Wiki
Jump to navigation Jump to search


See also Cryptography

to do; clear up mess

  • The cypherpunk revolution - How the tech vanguard turned public-key cryptography into one of the most potent political ideas of the 21st century. [1]

  • EZCrypt - We provide you with the power to encrypt the data BEFORE it gets stored on our site. All encryption/decryption is done on the client end using AES-CBC 128bit with a hash key generated on each paste. The server will only store the encrypted data without the hash key, so only you have the power to decrypt it.
  • Gitian is a secure source-control oriented software distribution method. This means you can download trusted binaries that are verified by multiple builders.


  • id0-rsa - Below are some problems related to computer security (specifically poorly implemented security). Do Them. You are free to use any language and environment you like to complete them. The problems require familiarity with programming, but not necessarily with applied cryptography or computer security in general. An understanding of how some of the algorithms and tools in the problems work will be of use, so as a starting point you can find some resources to help you begin here. If this topic is new to you, you may want to start with the Tutorial Problems.

  • OverTheWire: Wargames - The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.

  • Codebashing - Game-like AppSec Training for Enterprise Developers

  • Darknet - a group of like-minded individuals founded around 1999 sharing knowledge in password cracking, cracking, cryptography, programming (C++, VB, Delphi, C, Pascal, Assembly, Python, PERL, Bash and so on), network security, Linux, Windows, UNIX and more.
  • SANS Internet Storm Center - created in 2001 following the successful detection, analysis, and widespread warning of the Li0n worm. Today, the ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.

  • ForensicsWiki - a Creative Commons-licensed wiki devoted to information about digital forensics (also known as computer forensics).

  • SANS Information Security Policy Templates - a consensus research project of the SANS community. The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies. You'll find a great set of resources posted here already, including policy templates for twenty-seven important security requirements





  • Me and my Shadow - Through your computer, mobile phone, and other digital devices, you leave behind hundreds of digital traces (also called data traces) every day: bits of information about you that are created, stored, and collected. When your digital traces are put together to create stories about you or profiles of you, these become your digital shadows. These can give others huge insight into your life; and they can also be totally wrong. Either way, once they're out there, they are almost impossible to control....
  • Data Detox Kit - Take control of your digital privacy, security, and wellbeing, learn about tackling misinformation, control your health data, find resources for youth and families, and browse our Alternative App Centre and workshop materials. Meet our partners to get a glimpse into the global impact of the Data Detox Kit.
  • Holistic security - a strategy manual to help human rights defenders maintain their well-being in action. The holistic approach integrates self-care, well-being, digital security, and information security into traditional security management practices.





Use KeePassXC.

  • KeePassX - an application for people with extremly high demands on secure personal data management. It has a light interface, is cross platform and published under the terms of the GNU General Public License. KeePassX saves many different information e.g. user names, passwords, urls, attachments and comments in one single database. For a better management user-defined titles and icons can be specified for each single entry. Furthermore the entries are sorted in groups, which are customizable as well. The integrated search function allows to search in a single group or the complete database.

KeePassX offers a little utility for secure password generation. The password generator is very customizable, fast and easy to use. Especially someone who generates passwords frequently will appreciate this feature. Qt

The complete database is always encrypted either with AES (alias Rijndael) or Twofish encryption algorithm using a 256 bit key. Therefore the saved information can be considered as quite safe. KeePassX uses a database format that is compatible with KeePass Password Safe. This makes the use of that application even more favourable. Originally KeePassX was called KeePass/L for Linux since it was a port of Windows password manager Keepass Password Safe. After KeePass/L became a cross platform application the name was not appropriate anymore and therefore, on 22 March 2006 it has been changed.

  • KeePassXC - a community fork of KeePassX, the cross-platform port of KeePass for Windows. Every feature works cross-platform and was thoroughly tested on multiple systems to provide users with the same look and feel on every supported operating system. This includes the beloved Auto-Type feature. KeePassX is an amazing password manager, but hasn't seen much active development for quite a while. Many good pull requests were never merged and the original project is missing some features which users can expect from a modern password manager. Hence, we decided to fork KeePassX to continue its development and provide you with everything you love about KeePassX plus many new features and bugfixes. [12]


  • Pass - each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities. pass makes managing these individual password files extremely easy. All passwords live in ~/.password-store, and pass provides some nice commands for adding, editing, generating, and retrieving passwords. It is a very short and simple shell script. It's capable of temporarily putting passwords on your clipboard and tracking password changes using git. You can edit the password store using ordinary unix shell commands alongside the pass command. There are no funky file formats or new paradigms to learn. There is bash completion so that you can simply hit tab to fill in names and commands, as well as completion for zsh and fish available in the completion folder. The very active community has produced many impressive clients and GUIs for other platforms as well as extensions for pass itself.


  • Enpass - password manager for iOS, Android, Windows, Linux, Mac


  • Vault by HashiCorp - Secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.



  • passwdqc - a password/passphrase strength checking and policy enforcement toolset, including an optional PAM module (pam_passwdqc), command-line programs (pwqcheck and pwqgen), and a library (libpasswdqc). On systems with PAM, pam_passwdqc is normally invoked on password changes by programs such as passwd(1). It is capable of checking password or passphrase strength, enforcing a policy, and offering randomly-generated passphrases, with all of these features being optional and easily (re-)configurable.pwqcheck and pwqgen are standalone password/passphrase strength checking and random passphrase generator programs, respectively, which are usable from scripts. libpasswdqc is the underlying library, which may also be used from third-party programs.





  • Ophcrack - a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.


  • New acoustic attack steals data from keystrokes with 95% accuracy [18] - "For example, a Twitch streamer enters responses into their stream-chat with a live mic. Later, the streamer enters their Twitch password. Someone employing this technique could reasonably be able to learn the audio from the first scenario, and apply the findings in the second scenario."


  • - an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized Universal Serial Bus (USB) or near-field communication (NFC) devices based on similar security technology found in smart cards. While initially developed by Google and Yubico, with contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance.

  • - This module implements PAM over U2F and FIDO2, providing an easy way to integrate the YubiKey (or other U2F/FIDO2 compliant authenticators) into your existing infrastructure.


  • - sometimes a hardware token, authentication token, USB token, cryptographic token, software token, virtual token, or key fob) may be a physical device that an authorized user of computer services is given to ease authentication. The term may also refer to software tokens.

Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.

Some may store cryptographic keys, such as a digital signature, or biometric data, such as fingerprint minutiae. Some designs feature tamper resistant packaging, while others may include small keypads to allow entry of a PIN or a simple button to start a generating routine with some display capability to show a generated key number. Special designs include a USB connector, RFID functions or Bluetooth wireless interface to enable transfer of a generated key number sequence to a client system.

    • - an open source USB key to enable secure encryption and signing of data. The secret keys are always stored inside the Nitrokey which protects against malware (such as computer viruses) and attackers. A user-chosen PIN and a tamper-proof smart card protect the Nitrokey in case of loss and theft. The hardware and software of Nitrokey are available as open source, free software and open hardware which enables independent parties to verify the security of the device. Nitrokey is supported on Microsoft Windows, Linux, and Mac OS X.

  • RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis - Many computers emit a high-pitched noise during operation, due to vibration in some of their electronic components. Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away. Beyond acoustics, we demonstrate that a similar low-bandwidth attack can be performed by measuring the electric potential of a computer chassis. A suitably-equipped attacker need merely touch the target computer with his bare hand, or get the required leakage information from the ground wires at the remote end of VGA, USB or Ethernet cables.

  • USB Dongle Authentication - List of websites and whether or not they support One Time Passwords (OTP) or Web Authentication (WebAuthn) respectively FIDO2, U2F.Also see the list of dongles and the protocol they support.Add your own favorite site by submitting a pull request on the GitHub repo.


  • fprint - aims to plug a gap in the Linux desktop: support for consumer fingerprint reader devices. Previously, Linux support for such devices has been scattered amongst different projects (many incomplete) and inconsistent in that application developers would have to implement support for each type of fingerprint reader separately. For more information on where we came from, see ?/Project history. We're trying to change that by providing a central system to support all the fingerprint readers we can get our hands on. The software is open source and in the long term we're shooting for adoption by distributions, integration into common desktop environments, etc.
  • - Library for fingerprint readers


  • - a digital credential that is used as an authentication method for a website or application. The passkeys standard is a type of passwordless authentication, promoted by the World Wide Web Consortium and the FIDO Alliance. They are often stored by the operating system or web browser and synchronized between devices from the same ecosystem using the cloud, however they can also be confined to a single device such as a physical security key.

Passkeys are designed to be more convenient and phishing-resistant than conventional authentication methods. They are normally secured using possession (of the device or security key), and often utilize biometrics as an additional security factor, neither of which require the user to memorize a password.


See also Distros, *nix#Permissions

  • - the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, the removal of unnecessary software, unnecessary usernames or logins, and the disabling or removal of unnecessary services. There are various methods of hardening Unix and Linux systems. This may involve, among other measures, applying a patch to the kernel such as Exec Shield or PaX; closing open network ports; and setting up intrusion-detection systems, firewalls and intrusion-prevention systems. There are also hardening scripts and tools like Lynis, Bastille Linux, JASS for Solaris systems and Apache/PHP Hardener that can, for example, deactivate unneeded features in configuration files or perform various other protective measures.

Hardening activities include:

  • Keeping security patches updated
  • Installing firewall
  • Closing certain ports
  • Not allowing file sharing among programs
  • Installing virus and spyware protection
  • Using containers or virtual machines
  • Creating strong passwords
  • Keeping a backup
  • Disabling cookies
  • Using encryption when possible

  • - Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings
  • - There are several kernel hardening features that have appeared in other hardened operating systems that would improve the security of Ubuntu, and Linux in general. They have been controversial, so this page attempts to describe them, including their controversy and discussion over the years, so as much information is available to make an educated decision about potential implementations.

  • Linux Audit - The Linux security blog about Auditing, Hardening, and Compliance

cat /proc/sys/kernel/random/entropy_avail

  • haveged - an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers. Current development of haveged is directed towards improving overall reliablity and adaptability while minimizing the barriers to using haveged for other tasks.

Linux Security Modules

  • - a framework that allows the Linux kernel to support a variety of computer security models while avoiding favoritism toward any single security implementation. The framework is licensed under the terms of the GNU General Public License and is standard part of the Linux kernel since Linux 2.6. AppArmor, SELinux, Smack, TOMOYO Linux and Yama are the currently accepted modules in the official kernel.






See also Virtualisation

  • User-Mode Linux - a safe, secure way of running Linux versions and Linux processes. Run buggy software, experiment with new Linux kernels or distributions, and poke around in the internals of Linux, all without risking your main Linux setup.

User-Mode Linux gives you a virtual machine that may have more hardware and software virtual resources than your actual, physical computer. Disk storage for the virtual machine is entirely contained inside a single file on your physical machine. You can assign your virtual machine only the hardware access you want it to have. With properly limited access, nothing you do on the virtual machine can change or damage your real computer, or its software.


  • Firejail - a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer. The program is released under GPL v2 license. Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes security profiles for a large number of Linux programs: Mozilla Firefox, Chromium, VLC, Transmission etc. To start the sandbox, prefix your command with “firejail”.


  • - Many container runtime tools like systemd-nspawn, docker, etc. focus on providing infrastructure for system administrators and orchestration tools (e.g. Kubernetes) to run containers. These tools are not suitable to give to unprivileged users, because it is trivial to turn such access into to a fully privileged root shell on the host. Bubblewrap could be viewed as setuid implementation of a subset of user namespaces. Emphasis on subset - specifically relevant superset CVEs, bubblewrap does not allow control over iptables. The original bubblewrap code existed before user namespaces - it inherits code from xdg-app helper which in turn distantly derives from linux-user-chroot.



  • Firewalld - provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly. With the firewalld D-Bus interface it is simple for services, applications and also users to adapt firewall settings. The interface is complete and is used for the firewall configuration tools firewall-cmd, firewallctl, firewall-config and firewall-applet.

Uncomplicated Firewall

  • Gufw - a firewall powered by UFW (Uncomplicated Firewall).


  • Shorewall - a gateway/firewall configuration tool for GNU/Linux. iptables made easy.


  • pfSense - a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. The pfSense project was started in September 2004 by Chris Buechler and Scott Ullrich, with a growing development team. Chris is a long time contributor to the m0n0wall project. m0n0wall is a great embedded firewall, but one of the great things about its design is also a limitation to expandability.


  • OPNsense - an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources. OPNsense started as a fork of pfSense® and m0n0wall in 2014, with its first official release in January 2015. The project has evolved very quickly while still retaining familiar aspects of both m0n0wall and pfSense. A strong focus on security and code quality drives the development of the project.


  • Zeroshell - a small open-source Linux distribution for servers and embedded systems which aims to provide network services. Its administration relies on a web-based graphical interface; no shell is needed to administer and configure it. Zeroshell is available as Live CD and CompactFlash images, and VMware virtual machines.

Smoothwall Express

  • Smoothwall Express - a Free firewall that includes its own security-hardened GNU/Linux operating system and an easy-to-use web interface. Supports LAN, DMZ, and Wireless networks, plus Extrnal. External connectivity via: Static Ethernet, DHCP Ethernet, PPPoE, PPPoA using various USB and PCI DSL modems. Portforwards, DMZ pin-holes. Outbound filtering. Timed access. Simple to use Quality-of-Service (QoS). Traffic stats, including per interface and per IP totals for weeks and months. IDS via automatically updated Snort rules. UPnP support. List of bad IP addresses to block. Web proxy for accelerated browsing. POP3 email proxy with Anti-Virus. IM proxy with realtime log viewing. Responsive web interface using AJAX techniques to provide realtime information. Realtime traffic graphs.


  • IPFire - the professional and hardened Linux firewall distribution that is secure, easy to operate and coming with great functionality so that it is ready for enterprises, authorities, and anybody else. IPFire was designed with both modularity and a high-level of flexibility in mind. You can easily deploy many variations of it, such as a firewall, a proxy server or a VPN gateway. IPFire employs a Stateful Packet Inspection (SPI) firewall, which is built on top of netfilter (the Linux packet filtering framework). With IPFire 2.15, the graphical user interface has been completely rewritten and massively extended with new functionality. It is now possible to manage groups of hosts or services. That makes it simpler to create many similar rules for a great number of hosts, networks or services.

IPCop Firewall

  • IPCop Firewall is a Linux firewall distribution. It is geared towards home and SOHO users. The IPCop web-interface is very user-friendly and makes usage easy.

Endian Firewall Community

  • Endian Firewall Community - EFW, a "turn-key" linux security distribution that makes your system a full featured security appliance with Unified Threat Management (UTM) functionalities. The software has been designed for the best usability: very easy to install, use and manage and still greatly flexible. The feature suite includes stateful packet inspection firewall, application-level proxies for various protocols (HTTP, FTP, POP3, SMTP) with antivirus support, virus and spam-filtering for email traffic (POP and SMTP), content filtering of Web traffic and a "hassle free" VPN solution (based on both OpenVPN and IPsec).

Untangle NG Firewall

  • Untangle NG Firewall - takes the complexity out of network security—saving you time, money and frustration. Get everything you need in a single, modular platform that fits the evolving needs of your organization without the headaches of multiple point solutions. Enjoy the flexibility to deploy Untangle’s award-winning NG Firewall software on third party hardware, as a virtual machine, or as a turnkey appliance.

Leopard Flower personal firewall

  • - Leopard Flower personal firewall for Linux gives the user control over which applications are allowed to use the network. It comes with a GUI.


  • FireHOL - a language (and a program to run it) which builds secure, stateful firewalls from easy to understand, human-readable configurations. The configurations stay readable even for very complex setups. FireQOS is a program which sets up traffic shaping from an easy-to-understand and flexible configuration file. Both programs abstract away the differences between IPv4 and IPv6. so you can concentrate on the rules you want. You can apply rules for IPv4 or IPv6, or both, as you need.

Firewall Builder

  • Firewall Builder - makes it easy to configure your firewalls. Our application is trusted by thousands of users to help them manage their production firewalls. With features like shared objects, drag-and-drop GUI, and search-and-replace, tasks that used to be time-consuming and frustrating are now simple and straightforward. Firewall Builder supports a wide range of firewall platforms, including Cisco ASA & PIX, Linux iptables, BSD pf and many more. The easy-to-use GUI, multiple platform support, and make-it-easy features let you forget about typing commands and instead focus on what traffic your firewall policies should allow or deny.

csf / lfd

csf -r
  # restart CSF

csf -d
  # quick deny an ip

csf -d
  # deny access from an ip range

csf -dr
  # remove from the deny list

csf -a
  # quick allow / whitelist an ip (bypass auto blocking)

csf -ar
  # remove ip from whitelist


  • OpenSnitch - a GNU/Linux port of the Little Snitch application firewall.


  • PeerGuardian - a privacy oriented firewall application. It blocks connections to and from hosts specified in huge blocklists (thousands or millions of IP ranges). Its origin seeds in targeting aggressive IPs while you use P2P.PeerGuardian Linux:Actively developed. However the team is very small and with few spare time. Contributors are welcome!


  • TinyWall - free software to harden and control the advanced firewall built into modern Windows systems.


  • DAG: Dwall - All-purpose firewall generator - an all-purpose firewall tool to generate an iptables firewall out of a simple configuration. It contains about 80 predefined services and comes with a simple 3 zone firewall example. In essence the sysadmin only needs to define the different zones and define what traffic is allowed from one zone to another (if any).


  • Cilium - brings API-aware network security filtering to Linux container frameworks like Docker and Kubernetes. Using a new Linux kernel technology called BPF, Cilium provides a simple and efficient way to define and enforce both network-layer and application-layer security policies based on container/pod identity.We believe in a future where Linux has deep network visibility and control for microservice at the API layer, making applications more secure than ever before. If this goal excites you too, we invite you to join us by contributing ideas, code, and documentation to Cilium.


Web application firewall / WAF

  • - a specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. By inspecting HTTP traffic, it can prevent attacks exploiting a web application's known vulnerabilities, such as SQL injection, cross-site scripting (XSS), file inclusion, and improper system configuration.

  • - a complete rewrite of the ModSecurity platform. When it was first devised the ModSecurity project started as just an Apache module. Over time the project has been extended, due to popular demand, to support other platforms including (but not limited to) Nginx and IIS. In order to provide for the growing demand for additional platform support, it has became necessary to remove the Apache dependencies underlying this project, making it more platform independent.

As a result of this goal we have rearchitected Libmodsecurity such that it is no longer dependent on the Apache web server (both at compilation and during runtime). One side effect of this is that across all platforms users can expect increased performance. Additionally, we have taken this opportunity to lay the groundwork for some new features that users have been long seeking. For example we are looking to natively support auditlogs in the JSON format, along with a host of other functionality in future versions.

  • OWASP ModSecurity Core Rule Set – a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. The CRS provides protection against many common attack categories, including: SQL Injection (SQLi); Cross Site Scripting (XSS); Local File Inclusion (LFI); Remote File Inclusion (RFI); PHP Code Injection; Java Code Injection; HTTPoxy; Shellshock; Unix/Windows Shell Injection; Session Fixation; Scripting/Scanner/Bot Detection; Metadata/Error; Leakages

  • - open-appsec is a machine learning security engine that preemptively and automatically prevents threats against Web Application & APIs. This repo include the main code and logic.

Port knocking

  • - a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called single packet authorization exists, where only a single "knock" is needed, consisting of an encrypted packet. The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because unless the attacker sends the correct knock sequence, the protected ports will appear closed.

  • Knock
    • - a port-knocking server/client. Port-knocking is a method where a server can sniff one of its interfaces for a special "knock" sequence of port-hits. When detected, it will run a specified event bound to that port knock sequence. These port-hits need not be on open ports, since we use libpcap to sniff the raw interface traffic.




  • LSAT - a post install security auditor for Linux/Unix. It checks many system configurations and local network settings on the system for common security/config errors and for packages that are not needed. It (for now) works under Linux (x86: Gentoo, RedHat, Debian, Mandrake; Sparc: SunOS (2.x), Redhat sparc, Mandrake Sparc; Apple OS X)


  • Lynis - a battle-tested security tool for systems running Linux, macOS, or Unix-based operating system. It performs an extensive health scan of your systems to support system hardening and compliance testing. The project is open source software with the GPL license and available since 2007.

DDOS mitigation

  • - (D)DoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It utilizes the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.

Intrusion detection / integrity verification

  • - a device or software application that monitors a network or systems for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources, and uses alarm filtering techniques to distinguish malicious activity from false alarms.

While there are several types of IDS, ranging in scope from single computers to large networks,[1]. the most common classifications are network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). A system that monitors important operating system files is an example of a HIDS, while a system that analyzes incoming network traffic is an example of a NIDS. It is also possible to classify IDS by detection approach: the most well-known variants are signature-based detection (recognizing bad patterns, such as malware) and anomaly-based detection (detecting deviations from a model of "good" traffic, which often relies on machine learning). Some IDS have the ability to respond to detected intrusions. Systems with response capabilities are typically referred to as an intrusion prevention system.

  • - an intrusion detection system that is capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network interfaces, similar to the way a network-based intrusion detection system (NIDS) operates.[1] This was the first type of intrusion detection software to have been designed, with the original target system being the mainframe computer where outside interaction was infrequent.

  • - an intrusion detection system for detecting both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created.

  • Intrusion Detection - This section will deal with how to get early warning, how to be alerted after the fact, and how to clean up from intrusion attempts.


  • fail2ban - scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.



  • samhain - host-based intrusion detection system (HIDS) provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes. Samhain been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as standalone application on a single host. Samhain is an open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows).


  • Nikto2 - an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.


  • Tiger - a security tool that can be use both as a security audit and intrusion detection system. It supports multiple UNIX platforms and it is free and provided under a GPL license. Unlike other tools, Tiger needs only of POSIX tools and is written entirely in shell language. Tiger has some interesting features that merit its resurrection, including a modular design that is easy to expand, and its double edge, it can be used as an audit tool and a host intrusion detection system tool. Free Software intrusion detection is currently going many ways, from network IDS (with Snort), to the kernel (LIDS, or SNARE for Linux and Systrace for OpenBSD, for example), not mentioning file integrity checkers (many of these: aide, integrit samhain, tripwire...) and logcheckers. But few of them focus on the host-side of intrusion detection fully. Tiger complements this tools and also provides a framework in which all of them can work together. Tiger it is not a logchecker, nor it focused in integrity analysis. It does "the other stuff", it checks the system configuration and status. Read the manpage for a full description of checks implemented in Tiger. A good example of what Tiger can do is, for example, check_findeleted, a module that can determine which network servers running in a system are using deleted files (because libraries were patched during an upgrade but the server's services not restarted).


Rootkit Hunter


  • chkrootkit - locally checks for signs of a rootkit


  • AIDE - Advanced Intrusion Detection Environment, a file and directory integrity checker. It creates a database from the regular expression rules that it finds from the config file(s). Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (see below) that are used to check the integrity of the file. All of the usual file attributes can also be checked for inconsistencies. It can read databases from older or newer versions. See the manual pages within the distribution for further info.


  • Zeek - Network Security Monitor


  • CrowdSec - open-source and participative IPS able to analyze visitor behavior & provide an adapted response to all kinds of attacks. It also leverages the crowd power to generate a global CTI database to protect the user network.





  • - a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.

  • - also called a bidding-down attack or version rollback attack, is a form of cryptographic attack on a computer system or communications protocol that makes it abandon a high-quality mode of operation (e.g. an encrypted connection) in favor of an older, lower-quality mode of operation (e.g. cleartext) that is typically provided for backward compatibility with older systems.





  • CodeQL - Discover vulnerabilities across a codebase with CodeQL, our industry-leading semantic code analysis engine. CodeQL lets you query code as though it were data. Write a query to find all variants of a vulnerability, eradicating it forever. Then share your query to help others do the same. CodeQL is free for research and open source.


  • VED (Vault Exploit Defense): A threat detection and prevention system - In the beginning of the hacker's era, a long-term battle for control of the “CORE” in memory has been waged since Aleph One published the paper Smashing The Stack For Fun And Profit on Phrack Issue 49 in 1996. Attackers mostly targeted user space over the next decade, but as the popularity of userland mitigation became more widespread, more attackers began to shift the “CORE” to the kernel. We've been through the dark age of Linux kernel security when “one null-pointer dereference can pwned them all”. Brad Spengler, one of PaX/Grsecurity authors disclosed the situation of linux kernel security to the public by Washington Post, which led to some reactions from the megacopr of the world: Google, Red Hat, ARM and Intel launched a project called KSPP (Kernel Self-protection project) tends to solve the problem. Unfortunately, KSPP is pretty much collapsed currently due to a serveral reasons, while Linux has moved into more critical infrastructures, such as power, energy, internet of Vehicle, ICS (Industrial Control system), etc. But the issues of Linux kernel security remains unresolved.

  • - uses eBPF to trace security-sensitive kernel behaviors and detect anomalies that could indicate an exploit or rootkit. It provides two main detections: wCFI (Control Flow Integrity) traces the kernel call stack to detect control flow hijacking attacks. It works by generating a bitmap of valid call sites and validating each return address matches a known callsite. PSD (Privilege Escalation Detection) traces changes to credential structures in the kernel to detect unauthorized privilege escalations.

Scanning - a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS.


  • OpenVAS - OpenVAS - Open Vulnerability Assessment System - a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. The framework is part of Greenbone Networks' commercial vulnerability management solution from which developments are contributed to the Open Source community since 2009.


  • Nessus Professional™ Vulnerability Scanner - deployed by millions of users worldwide to identify vulnerabilities, policy-violating configurations and malware that attackers use to penetrate your or your customer's network.

  • - Simplify the security assessment process with hosted vulnerability scanners


  • - a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client. This can be information about the server software, what options the service supports, a welcome message or anything else that the client can find out before interacting with the server.





See Network, Development#Testing



  • w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend.


  • sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.



  • Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.




Disk cleanup




  • - also called secret splitting) refers to methods for distributing a secret among a group, in such a way that no individual holds any intelligible information about the secret, but when a sufficient number of individuals combine their 'shares', the secret may be reconstructed. Whereas insecure secret sharing allows an attacker to gain more information with each share, secure secret sharing is 'all or nothing' (where 'all' means the necessary number of shares). In one type of secret sharing scheme there is one dealer and n players. The dealer gives a share of the secret to the players, but only when specific conditions are fulfilled will the players be able to reconstruct the secret from their shares. The dealer accomplishes this by giving each player a share in such a way that any group of t (for threshold) or more players can together reconstruct the secret but no group of fewer than t players can. Such a system is called a (t, n)-threshold scheme (sometimes it is written as an (n, t)-threshold scheme).

  •'s_secret_sharing - an efficient secret sharing algorithm for distributing private information (the "secret") among a group so that the secret cannot be revealed unless a quorum of the group acts together to pool their knowledge. To achieve this, the secret is mathematically divided into parts (the "shares") from which the secret can be reassembled only when a sufficient number of shares are combined. SSS has the property of information-theoretic security, meaning that even if an attacker steals some shares, it is impossible for the attacker to reconstruct the secret unless they have stolen the quorum number of shares.Shamir's secret sharing is used in some applications to share the access keys to a master secret.


  • ONVIF - The mission of ONVIF is to provide and promote standardized interfaces for effective interoperability of IP-based physical security products. The cornerstones of ONVIF are: Standardization of communication between IP-based physical security products Interoperability regardless of brand Openness to all companies and organizations

  • - Node.js based ONVIF Camera/NVT software that turns a Raspberry Pi, Windows, Linux or Mac computer into an ONVIF Camera and RTSP Server. It implements the key parts of Profile S and Profile T ( It has special support for the Raspberry Pi Camera and Pimoroni Pan-Tilt HAT.