D.4 Software Resources | Practical Unix & Internet Security, 3rd Edition

This section describes some of the tools and packages available on the Internet that you might find useful in maintaining security at your site. Many of these tools are mentioned in this book. Although this software is freely available, some of it is restricted in various ways by the authors (e.g., it may not be permitted to be used for commercial purposes or be included on a CD-ROM, etc.) or by the U.S. government (e.g., if it contains cryptography, there may be constraints on export or use in certain locales). Carefully read the documentation files that are distributed with the packages. If you have any doubt about appropriate use restrictions, contact the author(s) directly.

Although we have used most of the software listed here, we can't take responsibility for ensuring that the copy you get will work properly and won't cause any damage to your system. As with any software, test it before you use it!

Some software distributions carry an external PGP signature. This signature helps you verify that the distribution you receive is the one packaged by the author. It does not provide any guarantee about the safety or correctness of the software, however.

Because of the additional confidence that a digital signature can add to software distributed over the Internet, we strongly encourage authors to take the additional step of including a standalone signature. We also encourage users who download software to check several other sources if they download a package without a signature.

And we remind you: even if a tool is signed, it does not mean that it is correct, nor does it mean that the author intended it to be benign . Be careful!

D.4.1 chrootuid

The chrootuid daemon, by Wietse Venema, simplifies the task of running a network service at a low privilege level and with restricted filesystem access. The program can be used to run web and other network daemons in a minimal environment: the daemons have access only to their own directory tree and run with an unprivileged user ID. This arrangement greatly reduces the impact of possible security problems in daemon software.

You can get chrootuid from:

ftp://ftp.porcupine.org/pub/security/index.html

ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/chrootuid/

D.4.2 COPS (Computer Oracle and Password System)

The COPS package is a collection of short shell files and C programs that perform checks of your system to determine whether certain weaknesses are present. Included are checks for bad permissions on various files and directories, and malformed configuration files. The system has been designed to be simple and easy to verify by reading the code, and simple to modify for special local circumstances.

The original COPS paper was presented at the summer 1990 USENIX Conference in Anaheim, CA. It was entitled "The COPS Security Checker System" and was written by Dan Farmer and Eugene H. Spafford.

Copies of the COPS tool can be obtained from:

ftp://ftp.cerias.purdue.edu/pub/tools/unix/ scanners /cops

In addition, any of the public Usenix repositories for comp.sources.unix will have COPS in Volume 22.

D.4.3 ISS (Internet Security Scanner)

ISS, written by Christopher William Klaus, is the Internet Security Scanner. When ISS is run from another system and directed at your system, it probes your system for software bugs and configuration errors commonly exploited by attackers . You can get the freeware version of ISS from:

ftp://ftp.cerias.purdue.edu/pub/tools/unix/scanners/iss/

There is a commercial version of ISS that is not available on the Net. It has many more features than the freeware version. The freeware version has not been updated in nearly a decade .

D.4.4 Kerberos

Kerberos is a secure network authentication system that is based on private key cryptography. The Kerberos source code and papers are available from the Massachusetts Institute of Technology. Contact:

MIT Software Center

W32-300

20 Carlton Street

Cambridge, MA 02139

(617) 253-7686

You can use anonymous FTP to transfer files over the Internet from:

ftp://athena-dist.mit.edu/pub/kerberos

D.4.5 nmap

nmap is the port scanner of choice for both attackers and defenders. It can perform a wide variety of TCP, UDP, and ICMP scans (including various "stealth scans " that attackers might use to disguise their activities), and has a sophisticated ability to " fingerprint " operating systems and determine their vendor and version remotely.

You can get nmap from:

http://www. insecure .org/

D.4.6 Nessus

Nessus is a first-rate vulnerability scanner, better than many commercial products. You can get it from:

http://www.nessus.org/

D.4.7 OpenSSH

OpenSSH is a free software implementation of the Secure Shell protocol (Versions 1 and 2) for cryptographically secured remote terminal emulation, command execution, and file transfer. It is developed and maintained by the OpenBSD project, but the "portable" version compiles and runs on most Unix systems (as well as several other operating systems). Disable the telnet daemon before you connect your Unix system to a network; install OpenSSH (or another SSH server) if you need to be able to connect to your system over the network.

You can get OpenSSH from:

http://www.openssh.org/

D.4.8 OpenSSL

OpenSSL is a free software implementation of the Secure Sockets Layer (Versions 2 and 3) and Transport Layer Security (Version 1) protocols. It provides libraries for these protocols that are commonly required by other server software (such as web servers). It also provides a command-line tool for generating cryptographic certificate requests , certificates, signatures, and random numbers .

You can get OpenSSL from:

http://www.openssl.org/

D.4.9 portmap

The portmap daemon, written by Wietse Venema, is a replacement program for Sun Microsystems' portmapper program. Venema's portmap daemon offers access control and logging features that are not found in Sun's version of the program. It also comes with the source code, allowing you to inspect the code for problems or modify it with your own additional features, if necessary.

You can get portmap from:

ftp://ftp.porcupine.org/pub/security/index.html

ftp://ftp.cerias.purdue.edu/pub/tools/unix/ netutils /portmap/

D.4.10 portsentry

The portsentry program is a proactive defense against port scans that may precede an attack. portsentry listens on unused TCP/IP ports and takes action when outsiders attempt to establish connections to one or more monitored ports. Actions can include adding the scanning host to /etc/ hosts .deny , adding the scanning host to a packet-filtering firewall, or running other arbitrary commands.

You can get portsentry from:

http://www.psionic.com/products/trisentry.html

D.4.11 SATAN

SATAN, by Wietse Venema and Dan Farmer, is the Security Administrator Tool for Analyzing Networks. ^[1] Despite the authors' strong credentials in the network security community (Venema was from Eindhoven University in the Netherlands and is the author of the tcpwrapper package and several other network security tools; Farmer is the author of COPS), SATAN was a somewhat controversial tool when it was released. Why? Unlike COPS, Tiger, and other tools that work from within a system, SATAN was really the first generally available tool that probed the system from the outside, as an attacker would. The unfortunate consequence of this approach is that someone (such as an attacker) could run SATAN against any system, not only those that she already had access to. According to the authors (c. 1995):

^[1] If you don't like the name SATAN, it comes with a script named repent that changes all references from SATAN to SANTA, the Security Administrator Network Tool for Analysis.

SATAN was written because we realized that computer systems are becoming more and more dependent on the network, and at the same time becoming more and more vulnerable to attack via that same network.

SATAN is a tool to help systems administrators. It recognizes several common networking- related security problems, and reports the problems without actually exploiting them.

For each type or problem found, SATAN offers a tutorial that explains the problem and what its impact could be. The tutorial also explains what can be done about the problem: correct an error in a configuration file, install a bugfix from the vendor, use other means to restrict access, or simply disable service.

SATAN collects information that is available to everyone with access to the network. With a properly-configured firewall in place, that should be near-zero information for outsiders.

The controversy over SATAN's release was largely overblown. SATAN scans were usually easy to spot, and the package is not easy to install and run.

From a design point of view, SATAN was interesting in that the program used a web browser as its presentation system. The source may be obtained from:

ftp://ftp.porcupine.org/pub/security/index.html

Source, documentation, and pointers to defenses may be found at:

ftp://ftp.cerias.purdue.edu/pub/tools/unix/scanners/satan/

Tools developed and released commercially and by the computer underground since the time of SATAN are much more complex and use similar interfaces. SATAN is thus mostly of interest from a historical point of view.

D.4.12 Snort

Snort is a powerful open source packet sniffer and network intrusion detection system. Its IDS ruleset is regularly updated, enabling it to parse the TCP/IP packets that it monitors in real time and to report suspicious traffic.

You can get Snort from:

http://www.snort.org

D.4.13 Swatch

Swatch, by Todd Atkins of Stanford University, is the Simple Watcher. It monitors log files created by syslog , and allows an administrator to take specific actions (such as sending an email warning, paging someone, etc.) in response to logged events and patterns of events.

You can get Swatch from:

http://www.oit.ucsb.edu/~eta/swatch/

ftp://ftp.cerias.purdue.edu/pub/tools/unix/logutils/swatch

D.4.14 TCP Wrappers

TCP Wrappers is a system written by Wietse Venema that allows you to monitor and filter incoming requests for servers started by inetd . You can use it to selectively deny access to your sites from other hosts on the Internet or, alternatively, to selectively allow access.

You can get TCP Wrappers from:

ftp://ftp.porcupine.org/pub/security/index.html

ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/tcp_wrappers/

D.4.15 Tiger

Tiger, written by Doug Schales of Texas A&M University, is a set of scripts that scan a Unix system looking for security problems in a manner similar to that of COPS. Tiger was originally developed to provide a check of the Unix systems on the A&M campus that users wanted to be able to access off-campus. Before the packet filtering in the firewall would be modified to allow off-campus access to the system, the system had to pass the Tiger checks.

You can get Tiger from:

ftp://savannah.nongnu.org/projects/tiger/

D.4.16 trimlog

David Curry's trimlog is designed to help you manage log files. It reads a configuration file to determine which files to trim, how to trim them, how much they should be trimmed , and so on. The program helps keep your logs from growing until they consume all available disk space.

You can get trimlog from:

ftp://ftp.cerias.purdue.edu/pub/tools/unix/logutils/trimlog/

D.4.17 Tripwire

Tripwire, written by Gene H. Kim and Gene Spafford of Purdue University, is a file integrity checker, a utility that compares a designated set of files and directories against information stored in a previously generated database. Added or deleted files are flagged and reported , as are any files that have changed from their previously recorded state in the database. Run Tripwire against system files on a regular basis. If you do so, the program will spot any file changes when it next runs, giving system administrators information to enact damage-control measures immediately.

You can get the freeware version of Tripwire from:

http://www.tripwire.org/

There is a commercial suite of Tripwire products, including Tripwire for Apache web servers and for network devices. The commercial version also has a console to manage Tripwire in an enterprise. Trial versions of this software can also be downloaded from that site.

D.4.18 wuarchive ftpd

The wuarchive FTP daemon from Washington University offers many features and security enhancements, such as per-directory message files shown to any user who enters the directory, limits on the number of simultaneous users, and improved logging and access control. These enhancements are specifically designed to support anonymous FTP.

You can get the daemon from:

http://www.wu-ftpd.org