Weekly Solaris Security Roundup - 2000/07/09 to 2000/07/16


By Seán Boran, sean AT boran.com, for Security Portal


The Rundown

CERT updated the FTP and Kerberos advisories, Sun's Java Web Server has a known weakness that users are not fixing, and many security tools have new versions, notably snort, OpenSSH, saint and nmap. Interesting articles on DNS, SKIP, Snort, OpenSSH and risk analysis have been published.

The tip of the week presents ntop, a graphical network usage monitoring tool.


CERT Advisories & Sun Security Bulletins

No Sun advisories this week. CERT updated two advisories:

CERT Advisory CA-2000-13 Two Input Validation Problems in FTPD
The vulnerability found in WU-FTPD last week also affects BSD and other derivatives. Solaris FTPD does not seem to be affected.
CERT Advisory CA-2000-11 MIT Kerberos Vulnerable to Denial-of-Service Attacks


News

SecurityFocus:

Installing djbdns (DNSCache) for Secure Name Service part 2, by Jeremy Rauch
This article discusses installing Dan Bernstein's alternative to BIND.

Fortifying My Doghouse while Thieves Steal My Computer, by John Johnson
Risk Analysis is necessary to ensure that countermeasures are appropriate to the threats posed and the possible cost of those threats being realised.

UnixReview.com have a brief summary of some tools: Top Open-Source Security Tools For UNIX

Sun:

Mastering Security on the Internet for Competitive Advantage
SunScreen SKIP 3.07 Overview

BSD Today:

Configuring your Apache webserver installation
Basic information on configuring, tweaking, enabling modules and installing the Apache HTTP server.

Security Tools News:

SSH:
- New OpenSSH Portable 2.1.1p3 released; a lot of minor fixes have been added since the p2 release last week. See also the changelog.
- A new article on SSH: OpenSSH's Cinderella Story

eEye has ported nmap to NT (I know this is hardly Sun/UNIX news, but interesting all the same - get ready to be scanned by even more Windows script kiddies!)

chkrootkit 0.15 is a tool to detect root kits.

Snort Intrusion detection tool:
- Snort HOWTO intro article available at LinuxSecurity
- Robin Anderson's presentation on distributed snort and associated scripts (presented at SANS July 2000): www.gl.umbc.edu/~robin/security.html
- Snort 1.6.2.2 released
- But it might be wise to wait another week, as some more bug fixes are being integrated over the next few days.
- Changes: Version 1.6.2.2 has some minor tweaks to the configuration script to normalize building across all Linux platforms. There is also a fix to the SMB Alerting code so that it follows the same code formatting as the rest of the alerting modules in the program. The 1.6.x series has some big enhancements, the largest of which is IP defragmentation. There is also support for unixODBC, MySQL, and PostgreSQL databases in the database plugin module, and several new runtime security options.

PScan: A limited problem scanner for C source files
httptunnel v3.0.3 creates a bidirectional data channel through an HTTP proxy, from your isolated computer behind a restrictive firewall, to a system on the Internet you have access to.
Saint (which is a modern version of Satan) has been updated to V2.1.1
Netsaint: An interesting network monitor, currently at version 0.0.6


Mailing lists, Bugtraq

Bugtraq vulnerabilities this week - Solaris:

None, but check out the Java Web Server note below.

Bugtraq vulnerabilities this week - Applications that run on Solaris:

2000-07-12: Deerfield WorldClient 2.1 Directory Traversal Vulnerability
2000-07-12: Sun Java Web Server Vulnerability
A weakness in example scripts delivered with Sun's Java Web Server, on all platforms, was published in the advisory "Malicious HTML Tags Embedded in Client Web Requests" by CERT/CC and posted to the Bugtraq mailing list in February 2000. Sun Microsystems released an FAQ specific to their Java Web Server on February 15, 2000. An advisory detailing specifics not mentioned in the Sun FAQ was released by Foundstone, Inc. to the Bugtraq mailing list on July 12, 2000.

2000-07-11: WFTPD Denial of Service Vulnerability
2000-07-11: Apache::ASP source.asp Example Script Vulnerability
2000-07-09: LPRng Incorrect Installation Permissions Vulnerability
2000-07-08: Guild FTPD File Existence Disclosure Vulnerability
2000-07-08: Savant Web Server Buffer Overflow Vulnerability

FOCUS-Sun discussions this week:

07/14/00 TTauthority
07/14/00 Commercial POP3 server Recommendations
07/13/00 ssh root logins
07/13/00 X security
07/13/00 Dtlogin AND utmp AND Pam_radius_auth
07/13/00 closing network ports
07/13/00 ssh2
07/13/00 rootless NIS passwd maps
07/13/00 filesystem integrity
07/11/00 Max. No of processes
07/11/00 Solaris based Internet gateway scanning
07/07/00 Restricting FTP home directory (chroot) Thread1 Thread2 Thread3

Yassp (the Solaris hardening tool) Developers' list:

No new betas this week. Discussions:
Post installation doc
Any reason not use OpenSSH instead of ssh 1.2.30 ?
ssh 1.2.30
Corrections to README

See also: Main site, DL archive, Hardening Solaris article.


Tip of the Week

What's ntop?

ntop is a tool that shows the network usage, similar to what the popular top Unix command does [for processes]. ntop is based on libpcap and it has been written in a portable way in order to run on virtually every Unix platform and on Win32 as well...
ntop comes with two applications: the 'classical' ntop, which sports an embedded web server, and intop (interactive ntop), which is basically a network shell based on the ntop engine.

If you're wondering who's using what bandwidth on a server or local network, ntop is a useful tool that is simple to install and has a pretty good GUI. It was first presented to the public in Spring, and several papers have been written about it, for example Improving Network Security Using Ntop which discusses using it as an IDS sniffer.

A binary package of an older Solaris 7 version is available on sunfreeware.com; the latest version's source doesn't (yet) compile for me on Solaris 8. The Solaris 7 package does run on Solaris 8, however, but doesn't have the interactive interface.

ntop runs as root and listens for HTTP connections on TCP port 3000. On connecting with a browser, several statistic tables, graphics etc. show the network usage. It's not advised to run it on sensitive systems until the security and availability issues have been fully understood.

I hope to get the newest ntop tested over the next few weeks, results will be posted here.
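Since ntop runs as root and exposes a web interface on port 3000, the first thing to check after installing it is how widely that listener is reachable. The following shell script is an added example (not from the newsletter or from the ntop project): it reads netstat -an style TCP lines, picks out listeners on port 3000, and classifies each one as bound to all interfaces, to loopback only, or to a single address. The netstat lines embedded in the script are constructed to resemble Solaris output and are not a real capture; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the newsletter or the ntop distribution.
# Audits netstat -an style output for ntop's default web listener (TCP 3000).
# SAMPLE_NETSTAT is constructed to look like Solaris "netstat -an" TCP lines;
# on a real host you would pipe "netstat -an" into classify_ntop_listeners.
SAMPLE_NETSTAT='
      *.22                 *.*                0      0 24576      0 LISTEN
      *.3000               *.*                0      0 24576      0 LISTEN
127.0.0.1.3000       *.*                0      0 24576      0 LISTEN
192.168.1.10.3000    192.168.1.55.40321   24820      0 24820      0 ESTABLISHED
'

# classify_ntop_listeners: reads netstat-like lines on stdin and prints one
# line per listener on port 3000 as "<local address> <exposure>", where
# exposure is all-interfaces (bound to *), loopback (127.0.0.1), or
# single-address (bound to one specific interface address).
classify_ntop_listeners() {
    while read -r local remote rest; do
        # Only LISTEN sockets matter; skip established/other states.
        case "$rest" in *LISTEN) ;; *) continue ;; esac
        # Solaris prints the local endpoint as address.port; keep port 3000 only.
        case "$local" in *.3000) ;; *) continue ;; esac
        case "$local" in
            '*.3000')         echo "$local all-interfaces" ;;
            '127.0.0.1.3000') echo "$local loopback" ;;
            *)                echo "$local single-address" ;;
        esac
    done
}

# count_exposed_ntop: number of port 3000 listeners reachable from other hosts,
# i.e. everything that is not bound to loopback only. Reads stdin.
count_exposed_ntop() {
    classify_ntop_listeners | grep -vc ' loopback$' || true
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | classify_ntop_listeners
printf 'exposed ntop listeners: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | count_exposed_ntop)"
```

A non-zero count from count_exposed_ntop means the root-owned ntop web interface is reachable from the network, which is exactly the situation the tip advises against on sensitive systems; binding it to loopback or filtering port 3000 at the host firewall removes that exposure.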

Do you have any security tips/scripts you'd like to share with others? Send suggestions to sean AT boran.com.


References and Resources

Sun Resources: Security Co-ordination Team, Security bulletins, General Sun Security, Solaris Security Datasheets, Java Security.

Patches

Sun security patches, Public patches. If you have a maintenance contract, log in to Sunsolve and get both the PatchDiag tool and its reference database.
If you don't, use the SecurityFocus Solaris Patch Calculator.

Web Publications, resources

Security Portal papers: Hardening Solaris, Review of the Sunscreen EFS3 firewall, All about SSH - Part I, All about SSH - Part II.

SecurityFocus: Sun section, Vulnerability database.

SANS

BigAdmin
Solaris Guide
Solaris Central
Solaris-System (x86) Forum
Sunwhere index of resources
Sunworld security columns
Solaris Security FAQ

SunFreeware
Freeware4sun
BSD Today, Daemonnews
IT Security Cookbook
Tools: tcpd, rdist, fwtk/smap, Nessus, Nmap, snort, Yassp.

General discussion resources

Personal interface to Sun resources: www.sun.com/MySun
BigAdmin discussion forum & FAQs: www.sun.com/bigadmin/home/index.html
Newsgroups: comp.unix.solaris, comp.sys.sun.admin, comp.sys.sun.hardware, alt.solaris.x86

Sun-managers Mailing list: This high quality list has been around for many years and is an invaluable resource to Sun system administrators.
Send a request to "majordomo@sunmanagers.ececs.uc.edu". The request should contain simply one line which says either "subscribe sun-managers" or "unsubscribe sun-managers". You can specify the particular e-mail address to be added after the word "subscribe".
Archives: Calgary1, Calgary2

SecurityFocus "FOCUS-Sun" list: see www.securityfocus.com/focus/sun/subscribe.html
Focus-Sun is meant to be a resource for Sun users and administrators, looking for that extra little bit of help ..., using Sun products in security roles, and getting additional information about the latest in Sun vulnerabilities. ... In addition, important announcements related to breaking vulnerabilities will be posted.