There have been some interesting computer security related ISO images released recently.
As already mentioned in an earlier blog post, the Metasploit project has made the Metasploitable server image available. It is a vulnerable server image based on Ubuntu Server 8.04 and comes with various vulnerable applications and configuration flaws by default. Check the Metasploit blog post for further information and download the image [torrent] for hours of legal exploitation fun.
Guy Bruneau from SANS ISC recently released ISO images (32-bit and 64-bit) for a properly preconfigured DNS Sinkhole server. Check the ISC Diary blog post by the author himself for the full description, but in essence DNS Sinkhole is a stand-alone server image based on the Slackware Linux operating system. You have a choice of using the BIND DNS server or the PowerDNS server.
The magic of DNS sinkholing lies in the blacklists. Bruneau's DNS Sinkhole server builds its blacklist from three different sources (namely the Malware Domain Blocklist, ZeuS Tracker and Malware Threat Center SRI) and then answers every DNS query for a blacklisted malware domain with a non-routed or simply non-existent internal network address, effectively cutting off any communication with those domains.
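The sinkhole mechanism described above, as an added example that is not part of the original post or of Bruneau's image: it merges a few constructed blocklist feeds (in the one-domain-per-line and hosts-file shapes real feeds use) into one set, emits the BIND zone stanzas and the shared zone file that point every blocked name and its subdomains at a non-routable address, and shows the label-wise suffix match a resolver needs so that `www.c2.example` is caught but `notc2.example` is not. The feed contents, the 10.255.255.1 sinkhole address and the /etc/named/sinkhole.zone path are assumptions.

```python
"""Minimal model of a DNS sinkhole: merge blocklist feeds, emit BIND config,
answer lookups of blocked names (and their subdomains) with a sinkhole address.

Added example, not code from the DNS Sinkhole ISO. Feed contents, the
sinkhole address and the zone file path below are constructed/assumed.
"""
import ipaddress
import re

# Constructed sample feeds: one bare domain per line, or hosts-file style
# "127.0.0.1 domain", with comments, blank lines and junk mixed in.
FEED_A = """# constructed feed A, one domain per line
malware-1.example
Bad-Update.example
"""
FEED_B = """# constructed feed B, hosts-file style
127.0.0.1 c2.example
127.0.0.1   malware-1.example
"""
FEED_C = """# constructed feed C, with junk that must be rejected
tracker.example.
not a domain!
"""

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name):
    """Lower-case, strip the trailing dot, validate labels; None for junk."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        return None
    return name


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse_feed(text):
    """Extract domains from one feed, tolerating comments and hosts-file lines."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # hosts-file style: first field is an address, the domain follows it
        candidate = fields[1] if len(fields) > 1 and _is_ip(fields[0]) else fields[0]
        d = normalize(candidate)
        if d:
            domains.add(d)
    return domains


def merge_feeds(*feeds):
    """Union of all feeds; a domain listed in several feeds appears once."""
    merged = set()
    for f in feeds:
        merged |= parse_feed(f)
    return merged


def bind_zone_stanzas(domains, zone_file="/etc/named/sinkhole.zone"):
    """One master-zone stanza per blocked domain, all sharing one zone file."""
    return "\n".join(
        'zone "%s" { type master; file "%s"; };' % (d, zone_file)
        for d in sorted(domains))


def sinkhole_zone_file(sinkhole_ip, ns="localhost."):
    """Shared zone file: the apex and, via the wildcard, every subdomain of a
    blocked zone resolve to the sinkhole address. Refuses routable addresses."""
    ip = ipaddress.ip_address(sinkhole_ip)
    if ip.is_global:
        raise ValueError("sinkhole address must be non-routable: %s" % sinkhole_ip)
    rr = "A" if ip.version == 4 else "AAAA"
    return "\n".join([
        "$TTL 600",
        "@ IN SOA %s hostmaster.localhost. 1 3600 900 604800 600" % ns,
        "@ IN NS %s" % ns,
        "@ IN %s %s" % (rr, ip),
        "* IN %s %s" % (rr, ip),
    ])


def resolve(qname, blocked, sinkhole_ip):
    """Return the sinkhole address when qname or any parent domain is blocked;
    None means 'forward to the real upstream resolver'."""
    name = normalize(qname)
    if name is None:
        return None
    labels = name.split(".")
    for i in range(len(labels)):          # www.c2.example, c2.example, example
        if ".".join(labels[i:]) in blocked:
            return sinkhole_ip
    return None


if __name__ == "__main__":
    blocked = merge_feeds(FEED_A, FEED_B, FEED_C)
    print(bind_zone_stanzas(blocked))
    print(sinkhole_zone_file("10.255.255.1"))
    for q in ("www.c2.example", "notc2.example"):
        print(q, "->", resolve(q, blocked, "10.255.255.1"))
```

The wildcard record is what makes a single zone file serve every blocked domain, and matching by whole labels rather than by substring keeps legitimate look-alike names out of the sinkhole. In practice the value of the sinkhole is as much in its query log as in the block itself: every client that is answered from the sinkhole zone is a host worth looking at.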
IPFire is a recently released Linux firewall / internet gateway server image. It is a stateful inspection firewall based on the Linux netfilter framework, complete with bad-packet filtering and IDS integration via the Guardian IPS add-on. IPFire can also act as a VPN endpoint for secure remote access, and it can be deployed as a proxy for FTP, HTTP and DNS traffic or as a DHCP server for local clients.
Kind of reminds me of Devil-Linux, an older Linux firewall distribution which by now has also expanded into a multi-server distribution that can practically be used to implement any (or all?) common DMZ or LAN servers securely.
Via another recent SANS ISC blog post comes a very interesting paper [PDF] about creating a Live CD specifically for incident response purposes. The paper was written by Bert Hayes for his SANS Gold certification process and offers very detailed instructions on how to compile a Knoppix-based Live CD to be used when remotely investigating possibly compromised systems. The paper also details how to set up secure connectivity to a remote administration point (called the Mothership), but it is perhaps worth noting that the Live CD itself is still run locally on the system being investigated. There is no ISO image available for the Live CD yet, and the project seems to be a work in progress, as new tools are planned to be integrated into the compilation.
In other custom-distribution news we have the recent release of the Ubuntu Customization Kit (UCK), a tool for customizing any of the available Ubuntu distributions which allows you to add and remove packages, tweak various configuration items and boot options, and then create Live CD ISO images of these customized systems.
July 8, 2010
Security Distro Roundup