This is an archived course. Information may be out of date, some links are broken and email addresses have been removed.

04 Linux Security Terms

Some useful terms

A firewall is a device that will selectively intercept packets, and forward, drop, or reject them according to configuration. An IDS is a system that looks for patterns that might be attacks among the network traffic, and notifies you when it thinks it sees something attack-like. A honeypot is a system that's deliberately left hackable and then watched. People do this either to learn about black-hat methods and behaviour, or to lure them away from the rest of your network. Tripwire is an integrity checker. It makes sure that the files that were there last week haven't been monkeyed with, and are still the same files today.

Ipchains is a packet filter. It decides whether to forward, drop, or reject packets based upon the ports and IP addresses alone. Iptables lets you do more than that because it allows stateful filtering. It can keep track of sessions that originate from inside the firewall, and allow all traffic in a session to pass through, but block traffic trying to come in from outside that's not part of a session. With the strings patch to iptables, you can even filter based on the contents of the packet -- blocking Nimda and Code Red attempts at the firewall, for example.

(Malware = viruses, trojans, worms... basically, it's software designed specifically to harm computers.)

War driving is a relatively recent phenomenon, since wireless networks started getting popular. Since most people that install a wireless LAN don't bother to (or can't) dampen the signal enough that you can't access it outside their building, it's easy to steal bandwidth. All you have to do is get a laptop with a wireless card, install Aerosniff (like a packet sniffer, but for wireless rather than for Ethernet), and literally drive around town looking for areas with wireless traffic. Once you find one, it's generally trivial to steal their bandwidth. Hence, war driving.

War driving derives from war dialing, the practice of having a computer automatically dial a (usually large) range of telephone numbers, looking for numbers attached to modems - potential targets. "War dialing" comes from the movie 80's movie "War Games" wherein Matthew Broderick's character has his computer set up to do this.


There's a lot of confusion between "hackers" and "crackers" and "h@><0rs" and "black hats" and such.

"Hacker" originally meant a programmer, or someone interested in the limits and makeup of systems.

It got co-opted by the press to mean "bad illegal breaker of systems". It still retains both meanings. Call a geek a hacker, and they could be complimented, offended, or anywhere in between. But most people on the street think of the popular "bad geek" meaning.

I use "black hat" preferentially, because it makes a distinction between the good hackers and the malicious hackers. A white hat hacker, white-hat for short, is one that shares the interests in programming and/or testing the limits of systems, but purely for the joy on knowledge and making those systems better, patching holes, fixing bugs, etc. A black hat is someone who uses the same knowledge and interests for their own gain at the expense of others. (There are grey hats, too, who do both.) If you go to DefCon, Rubi-Con, Black Hat, or SANS (all security conventions), you'll occasionally see people literally walking around wearing appropriately colored hats. It's a way of declaring your affiliation.

Zone transfer

A DNS server is responsible for maintaining the records for a particular group of computers (i.e., This is called a zone. The zone might also include the domains,,, and But it doesn't have to.

Now, for the sake of redundancy, you usually have two DNS servers looking after a zone. This is in case one blows up or something. The initial server is called the primary zone server, and the second server (bet you can't guess its name) is the secondary zone server.

A zone transfer happens when the one machine synchronizes and updates its DNS database with another.

Request For Comments (RFC)

An RFC (Request For Comments) is a standards document. These are the docs that define how protocols work. When you hear people trumpeting about how their programs are standards-compliant, these are the standards. You can read the RFCs online at:

They can be tough going, but if you really really want to know the canonical "how something works", this is where you go. And some of them have a sense of humor, too. Every year on April 1st, there's a great one. Check out the packet over carrier pigeon RFC at:

Network Address Translation (NAT)

 Internet <--- [ NAT-enabled firewall ] -------- [ local network ]
        public addresses         private addresses
The NAT-enabled firewall talks to the Internet using public (and publically attackable) addresses, but the machines on the local network all have addresses from private network space that shouldn't be routable on, or reachable from, the Internet. When a privately addressed machine wants to reach something on the Internet, the firewall checks its other firewall rules to make sure that what it wants to do is permissible, and then passes along the packets, rewriting the return address to something from the public block, and optionally rewriting the originating port (if it has to squeeze everybody onto one public address, it will use the ports to tell which packet is in response to which request).

Copyright (c) 2002 by Raven Alder. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at