Appendix F

Section: Part VIII:  Appendixes

Appendix F. What's on the CD-ROM

IN THIS APPENDIX

        Bastille

        Ethereal

        Fragrouter: Network Intrusion Detection Evasion Toolkit

        Libnet Packet Assembly System

        MRTG

        Nmap: The Network Mapper

        Npasswd

        Ntop

        OpenSSH

        OpenSSL

        Scotty/Tkined

        Snort

        Sudo

        TITAN

        YASSP

        Zlib


 

Section: Appendix F.  What's on the CD-ROM

Bastille

The Bastille Hardening Program is intended to tighten security on Linux and UNIX machines. It presently works well under Red Hat and Mandrake Linux; in its latest versions (as of 1.1.0), it can be easily enhanced to run under other distributions and UNIX systems by adding rvalues for the $GLOBAL_ variables.


 

Ethereal

Ethereal is a network traffic analyzer, or sniffer, for UNIX and UNIX-like operating systems. It uses GTK+, a graphical user interface library, and libpcap, a packet capture and filtering library.


 

Fragrouter: Network Intrusion Detection Evasion Toolkit

Fragrouter routes network traffic to elude most network intrusion detection systems.


 

Libnet Packet Assembly System

Libnet is an API that helps with the construction and handling of network packets. It provides a portable framework for low-level network packet writing and handling. (Use libnet in conjunction with libpcap, and you can write some really cool stuff.) Libnet includes packet creation at the IP layer and at the link layer, as well as a host of supplementary and complementary functionality. Libnet is very handy for writing network tools and network test code. See the man page and sample test code for more detailed information.


 

MRTG

The Multi Router Traffic Grapher (MRTG) monitors the traffic load on network links. MRTG generates HTML pages containing GIF images, which provide a live visual representation of this traffic.


 

Nmap: The Network Mapper

Nmap's design allows system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering. Nmap supports several scanning techniques such as UDP, TCP connect(), TCP SYN (half open), FTP proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, and Null scan. (See the Scan Types section for more details.)

Nmap also offers a number of advanced features, such as remote OS detection via TCP/IP fingerprinting, stealth scanning, dynamic delay and retransmission calculations, parallel scanning, detection of down hosts via parallel pings, decoy scanning, port filtering detection, direct (non-portmapper) RPC scanning, fragmentation scanning, and flexible target and port specification.


 

Npasswd

Npasswd replaces the passwd command for UNIX. It subjects user passwords to stringent "guessability" checks to decrease the chance that users will choose vulnerable passwords.


 

Ntop

Ntop shows the current network usage. It displays a list of hosts that are using the network and reports information concerning the IP and non-IP traffic generated by each host. Ntop can be started either in a terminal window in interactive mode or in Web mode. In the latter case, users will need a Web browser to run the program. Ntop sorts the traffic information according to host and protocol. Whenever ntop is started in Web mode (-w flag), multiple remote users can access the traffic information.


 

OpenSSH

Ssh (Secure Shell) logs into another computer over a network, executes commands on a remote machine, and moves files from one machine to another. It provides strong authentication and secure communications over insecure channels. It can replace rlogin, rsh, rcp, and rdist.


 

OpenSSL

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. OpenSSL also maintains a full-strength, general-purpose cryptography library. A worldwide community of volunteers manages the project, using the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.


 

Scotty/Tkined

Scotty is a Tcl extension to build network management applications using Tcl (and Tk). The scotty extension provides new Tcl commands to send and receive ICMP packets, query the Domain Name System (DNS), access UDP sockets from Tcl, probe and use some selected SUN RPCs, retrieve and serve documents via HTTP, send and receive SNMP messages (SNMPv1, SNMPv2USEC, SNMPv2C), write special purpose SNMP agents in Tcl, parse and access SNMP MIB definitions, and schedule jobs. For some OSI-folks, scotty has some optional code to parse and access GDMO MIB definitions, and to invoke CMIP operations based on the osimis/isode toolkit.

Tkined is a network editor that allows users to draw maps showing their network configuration. The most important feature of Tkined is its programming interface, which allows network management applications to extend the capabilities of Tkined. Most applications for Tkined are written using scotty.


 

Snort

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching in order to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine with a modular plug-in architecture. Snort has real-time alerting capability as well, incorporating alerting mechanisms for syslog, user-specified files, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.


 

Sudo

Sudo allows a sysadmin to give limited root privileges to users and to log root activity. The basic philosophy behind sudo is to approve as few privileges as possible but still allow people to get their work done.


 

TITAN

TITAN is a collection of programs, each of which either fixes or tightens one or more potential security problems in the setup or configuration of a UNIX system. Conceived and created by Brad Powell, TITAN was written in Bourne shell. Thanks to TITAN's simple modular design, anyone who can write a shell script or program can easily add to it, and completely understand the internal workings of the system.

TITAN does not replace other security tools, but, when used in combination with them, it can make the transformation of a new, out-of-the-box system into a firewall or security-conscious system significantly easier. In a nutshell, TITAN helps improve the security of the system it runs on.


 

YASSP

YASSP is a bundle of packages to secure Solaris. Its default behavior turns off most services, which is a suitable configuration for an external (exposed) server such as a firewall, a Web server, or an FTP server. These services can be easily turned back on via a configuration file.

YASSP performs OS security tuning at various levels: turning off (networked) services, changing file owner/mode, enabling logging, tuning the network stack, changing the system parameters, and providing a coherent default environment so that administrators know what they can expect and where.


 

Zlib

Zlib 1.1.3 is a general-purpose data compression library. All of its code is thread safe. The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format), and rfc1952.txt (gzip format).


 


