Open Source Security, Part 2: 10 Great Apps

Open source security products do not generally carry the same following as their business suite andoperating system brethren. However, the same reasons for supporting open source products in general also apply to open source security applications.

Open source security applications are free, or at least much less costly than their proprietary counterparts.Even when the cost of paid support is factored in, they provide much more bang for the buck.

Having many more eyes watching the code and a community of developers backing up users, open sourcesecurity applications provide a wide range of options and made-to-order uses.

In Part 1 of this two-part series, LinuxInsider detailed a company’s attempt to gain credibility for their open source security product. For Part 2, LinuxInsider spoke with several chief security officers of leading companies to compile a list of the serious open source security applications they use. Our list is not ranked in preference or based on our own testing. Instead, we relied on one of the strongest endorsements available: word of mouth.


Kismet is a console-based 802.11 layer2 wireless network detector, sniffer andintrusion detection system. Kismet identifies networks by passively sniffing and can decloak hidden ornon-beaconing networks.

It can automatically detect network IP blocks by sniffing TCP (transmission control protocol), UDP (user datagram protocol), ARP (address resolution protocol) and DHCP (dynamic host configuration protocol) packets. Also, it can logtraffic in Wireshark/TCPDump compatible format. It runs on Linux, OpenBSD, FreeBSD, Solaris, and/or other Unix variants, OS X for Mac and Windows. It has a command-line interface.


Snort is a network intrusion detection and prevention system long known for its trafficanalysis and packet logging strengths on IP networks. Through protocol analysis, content searching andvarious pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans andother suspicious behavior.

Snort uses a flexible rule-based language to describe traffic that it should collect or pass and a modulardetection engine. Snort is one of the most widely deployed intrusion prevention systems for detecting and preventing attacks on corporate assets. Snort can be configured foruse by individuals and small businesses as well.

It runs on Linux, OpenBSD, FreeBSD, Solaris, and/or other Unix variants, OS X for Mac and Windows. It has acommand-line interface.

Secure Shell

SSH (Secure Shell) allows users to log into or execute commands on a remote machine. Itprovides secure encrypted communications between two untrusted hosts over an insecure network. Plus, itreplaces other insecure telnet/rlogin/rsh alternatives.

Many Unix users run the open source OpenSSH server and client. Some Windows users prefer the free PuTTYclient, which is also available for many mobile devices. Other Windows users prefer the terminal-basedport of OpenSSH that comes with Cygwin.

SSH runs on Linux, OpenBSD, FreeBSD, Solaris, and/or other UNIX variants, OS X and Windows. It has acommand-line interface.

PGP Encryption

PGP is a free encryption program for securing data from eavesdroppers and other risks.GnuPG is based on the open source implementation of the PGP standard. PGP is the executableversion and has a license fee for some uses.

It runs on Linux, OpenBSD, FreeBSD, Solaris, and/or other UNIX variants, OS X and Windows. It has both command-line and graphical user interfaces (GUI).


RKHunter is a scanning tool that checks for evidenceof pieces of malware such as rootkits, backdoors and local exploits. It runs many tests, including MD5(Message-Digest algorithm 5) hash comparisons, default filenames used by rootkits, wrong file permissions for binaries. It also huntsfor suspicious strings in LKM (loadable kernel module) and KLD (dynamic kernel linker facility) modules.

It runs Linux, OpenBSD, FreeBSD, Solaris, and/or other Unix variants and has a command-line interface.


ClamAV is an antivirus scanner that focuses on integration with mail servers forattachment scanning. It provides a flexible and scalable multi-threaded daemon, a command line scannerand a tool for automatic updating via the Internet. Clam AntiVirus is based on a shared librarydistributed with the Clam AntiVirus package that runs with other software. The virus database is kept upto date.

It runs on Linux, OS X, OpenBSD, FreeBSD, Solaris and/or other Unix variants and Windows. It has acommand-line interface.


TrueCrypt is an open source disk encryption system. It can encrypt entire file systemsand access data on the fly without user intervention beyond entering the passphrase initially. A specialfeature hides a volume for an added layer of secrecy to sensitive content. Decrypting the primary leveldoes not affect this second hidden volume.

It runs on Linux and Windows and has both command-line and GUI Interface.


The Bastille Hardening Program locks down the operating system by proactivelyconfiguring it for increased security and decreasing its susceptibility to compromise. Bastille alsoassesses a system’s current state of hardening. It granularly reports on each of the security settingswith which it works.

Bastille currently supports the Red Hat (Fedora Core, Enterprise, and Numbered/Classic), Suse, Debian,Gentoo and Mandrake distributions, along with HP-UX and Mac OS X. Bastille’s forte is its focus on lettingthe system’s user/administrator decide what to harden beyond the default mode.

It interactively questions the user about security goals and options, explains the topics of thosequestions, and builds a policy based on the user’s answers. In its assessment mode, it builds a report onall available security settings and which settings have been tightened.

IP Filter

IP Filter is a security package for providing network addresstranslation or firewall services. It can be used as a loadable kernel module or incorporated intothe Unix kernel.

The package includes scripts to install and patch system files. IP Filter is distributed with FreeBSD,NetBSD and Solaris.

It runs on Linux and OpenBSD, FreeBSD, Solaris and/or other Unix variants and uses a command-lineinterface.


SpamAssassin is a spam-filtering product sponsored by the Apache SpamAssassin Project. It uses a wide variety of local and network tests to identify spam signatures.This makes it harder for spammers to identify one aspect around which they can craft their messages.

Antispam tests and configuration are stored in plain text, making it easy to configure and add new rules.It uses an abstract API (application programming interface) to enable integration anywhere in the e-mail stream. The core distribution consistsof command line tools to perform filtering along with a set of Perl modules which allow SpamAssassin to beused in a wide range of products.

It runs on Linux and OS X and uses a command-line interface.

Open Source Security, Part 1: Securing Credibility

1 Comment

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Jack M. Germain
More in Enterprise

LinuxInsider Channels