Weekly Security Tools Digest
2000/11/04 to 2000/11/10

By Seán Boran (sean at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to favourite free tools this week include: Nessus, SSH, PGP, Linux International Kernel Patch, Security-Script, OpenLDAP.

Documents: Nmap documentation, and tutorials on the computer crime laws of individual US states.

Tools for Windows include Natas, WSendTo and PsLogList.

Firewalls for Linux/Unix/BSD & Cross-platform: 16 firewalls or tools related to firewalls.

Tools for Linux/Unix/BSD & Cross Platform: 19 updates this week.


Favourite Tools

Nessus 1.0.6
Renaud Deraison
http://www.nessus.org

• Changes: version 1.0.6 has been released. This version includes several enhancements: detached scans can send their results to a given email address (experimental), and diff scans (experimental). A bug which would, under rare circumstances, prevent a scan from finishing has been fixed. NASL plugins can now be run with no timeout. This version also includes a minor change in the LaTeX report, support for the Sun Workshop 5 compiler, support for IRIX 6.2 and support for HP-UX 10.20. A problem in report saving (saving as HTML would produce an XML file) has been fixed. A problem in the random number generator has also been fixed. See also:
http://www.nessus.org/doc/detached_scan.html
http://www.nessus.org/doc/diff_scan.html

 

Nmap
Fyodor
http://www.nmap.org

• Changes: the primary documentation is in man page form (HTML translation at http://www.insecure.org/nmap/nmap_manpage.html). I also wrote an article about Nmap and port scanning in general which is available at http://www.insecure.org/nmap/nmap_doc.html. It is an HTMLized and updated version of the original Phrack article where Nmap was first introduced. Note that some of the Nmap flags mentioned in the article have been changed (and others added). The man page should be completely up to date. Users have contributed translations of the man page to Spanish, French, Russian, Italian, Portuguese, and Lithuanian.

 

SSH

This is a Unix/Linux port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups. OpenSSH also features an independent implementation of the SSH2 protocol.
• Changes: version 2.3.0p1 has been released. This version uses askpass 1.0.3 in the Red Hat RPMs and fixes up missed diff hunks (mainly RCS idents). The UPGRADING document has been removed in favour of a link to the better maintained FAQ on www.openssh.com. Multiple dependencies on gnome-libs (patch from Pekka Savola) have been fixed, and X11-askpass is no longer needed in the RPM spec file if building without it.

 

PGP

WinPT is the GnuPG version of PGPtray. It allows encrypting, decrypting, signing and verifying of documents as well as importing and exporting public keys.

 

Linux International Kernel Patch 2.2.17.9
Alexander Kjeldaas
http://www.kerneli.org

Due to previous regulations on export and use of crypto, especially in the US, the Linux source distribution has not contained crypto up to this point. The International Kernel Patch has tried to remedy this situation by providing the missing functionality in the form of a unified patch to the Linux kernel source. Lately, some US export restrictions have been lifted, and it is therefore possible that crypto will be part of the Linux kernel source code in the future. However, until that happens, this is where you can get crypto support in your Linux kernel.
• International kernel patch 2.2.17.9 released.
• Changes: fixes to cryptoapi.c and loop_gen.c, a simpler API, and other bug fixes.

 

Security-script v0.1.2
Peter Halliday
http://halliday.wl.vg/scripts

Security-script is a port of FreeBSD's /etc/security script. It checks many aspects of your system's security and then emails you the results. Checks include finding setuid files and directories, accounts with uid 0, the number of firewall rules set up to deny or reject, failed logins, and rejected connections.
• Changes: many new checks were added, including: a check for users without a shell, users who may need to be added to /etc/ftpusers, proper security entries in the /etc/ftpaccess file, and a few others. Plus a few bug fixes.
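
Editor's note: the checks above are simple enough to reproduce with a few lines of shell. The script below is an added example written for this digest, not Security-script's own code; it runs its uid-0, missing-shell and failed-login checks against constructed copies of passwd, shells and an auth log so it can be tried offline (function and file names, hosts and users are this example's own). Point the same functions at /etc/passwd, /etc/shells and your real auth log to use them.

```shell
#!/bin/sh
# Added example for the Security-script entry; not the project's own code.
# Each check takes its input files as arguments so it can run against the
# constructed samples written by setup_samples() as well as the real
# /etc/passwd, /etc/shells and auth log.

# Accounts with uid 0 other than root: a second superuser is a classic backdoor.
find_uid0() {          # find_uid0 PASSWD
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose login shell is not in the shells file; these are candidates
# for /etc/ftpusers, since they should not be logging in via FTP either.
find_noshell() {       # find_noshell PASSWD SHELLS
    awk 'NR == FNR { ok[$1] = 1; next }
         { split($0, f, ":"); if (!(f[7] in ok)) print f[1] }' "$2" "$1"
}

# Number of failed logins recorded by sshd in an auth log.
count_failed() {       # count_failed AUTHLOG
    grep -c 'Failed password' "$1" || true
}

# setuid and setgid regular files under a directory tree.
find_setuid() {        # find_setuid DIR
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Constructed sample inputs (hypothetical host and users) so the checks run offline.
setup_samples() {      # setup_samples DIR
    mkdir -p "$1"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second superuser:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
bob:x:1001:1001::/home/bob:/bin/false
svc:x:1002:1002::/var/svc:/nonexistent
EOF
    cat > "$1/shells" <<'EOF'
/bin/sh
/bin/bash
EOF
    cat > "$1/auth.log" <<'EOF'
Nov  9 10:01:02 host sshd[123]: Failed password for alice from 10.0.0.5 port 4000 ssh2
Nov  9 10:01:05 host sshd[123]: Failed password for invalid user admin from 10.0.0.5 port 4001 ssh2
Nov  9 10:02:00 host sshd[124]: Accepted password for alice from 10.0.0.6 port 4002 ssh2
EOF
}

# The report that would be mailed to the administrator.
report() {             # report DIR
    printf 'uid-0 accounts besides root:\n%s\n\n' "$(find_uid0 "$1/passwd")"
    printf 'accounts without a valid shell:\n%s\n\n' "$(find_noshell "$1/passwd" "$1/shells")"
    printf 'failed logins: %s\n' "$(count_failed "$1/auth.log")"
}

# Usage: d=$(mktemp -d); setup_samples "$d"; report "$d"
```

On the sample data the report flags toor (a second uid-0 account), bob and svc (shells not in the shells file) and two failed logins; pipe the output of report to mail to get the same emailed summary the script produces.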

 

OpenLDAP 2.0.7
The OpenLDAP Foundation
http://www.openldap.org

The OpenLDAP Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and open source LDAP suite of applications and development tools.
• Changes: this release includes several fixes: libldap TLS data ready bug (ITS#821), libldap abandon unsent op bug (ITS#837), libldap URL search without host bug (ITS#843), libldap referral handling bugs (ITS#799 ITS#817), libldap UTF-8 bug (ITS#860), ldappasswd old passwd encoding bug, slapd DN whitespace compression (ITS#852), slapd spasswd mutex bug, slapd ACL nameuid bug, slapd SASL layering bug, slapd unknown authc method bug (ITS#831 ITS#844), slapd TLSVerifyClient config bug, and tools passwd clearing bug. Several parts of OpenLDAP have been updated: libldap TLS/SASL error reporting, liblber large element handling, slapadd error reporting, slapd chroot handling (ITS#810), slapd subschema subentry, slapd manageDSAit support (ITS#851), slapd root DIT support, slapd/back-sql and getaddrinfo error handling (ITS#845 ITS#863). libldap SASL/EXTERNAL (TLS) support (ITS#865) and slapd additional syntax/matching rule support have been added. The build environment also includes changes: fixed make comment bug (ITS#811), fixed $(DESTDIR) install (ITS#806), added proxy check to passwd test and fixed slurpd tempdir perms (ITS#840). The documentation has also been updated: ldappasswd(1), ldap_url(3), slapd.conf(5), slapd(8) and slurpd(8).

 

Documents

These documents contain a tutorial on state computer crime laws for Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine and Maryland.


Tools for Windows

Packetstorm

Natas 3.00.01
Björn Stickler
http://intex.ath.cx/natas.shtml

Natas is an advanced network packet capturing and analyzing program designed for Windows 2000. It only works with the new Windows 2000 Winsock v2.2, which supports raw sockets like *nix operating systems. Features include the ability to filter traffic by address and port, log packets and parse out passwords; no driver is required.
Editor's note: it did not work on our Win2k/SP1 test laptop with a 3Com network card, and selecting Configuration->Network adapter setup caused it to crash.

 

SecuriTeam

WSendTo
Richard Stevenson
http://www.pmail.com/downloads.htm

WSendTo is a Pegasus Mail add-on utility that improves the integration between Microsoft Internet Explorer and Pegasus Mail. It also adds Pegasus Mail as an option on the Windows Explorer "Send To" menu (this also protects against the file reading vulnerability). WSendTo requires Windows 95 OSR2 or later or Windows NT 4.0 or later, and works with either the 16-bit or 32-bit versions of Pegasus Mail.

 

SecurityFocus

Note: tools announced on SecurityFocus are not necessarily updates or new or free, it's just that someone posted an announcement. We try our best to only notify you of new or updated, free, tools.

PsLogList
Mark Russinovich
http://www.sysinternals.com/psloglist.htm

The Resource Kit comes with a utility, elogdump, that lets you dump the contents of an Event Log on the local or a remote computer. PsLogList is a clone of elogdump, except that PsLogList lets you log in to remote systems in situations where your current set of security credentials would not permit access to the Event Log, and PsLogList retrieves message strings from the computer on which the event log you view resides. It runs under Windows 2000 and Windows NT.


Firewalls for UNIX/Linux/BSD & Cross-platform

FreshMeat

FireWall Log Spawn 1.0.5
Karl
http://www.shagz.org/index.cgi?files

FireWall Log Spawn is a simple Perl script which collects firewall information from the specified source, formats it to make it easier to read, and places it in another file.

 

Ipmkchains 0.17
Bruce Guenter
http://em.ca/~bruceg/ipmkchains

Ipmkchains reads in a set of firewall rule files, computes the differences between those rules and the rules that are currently in use, and executes the necessary commands to make the rules in use match the rules from the file, using diff and IPchains.

 

ELOFW 1.1.2
Luciano Lima
http://www.elo.com.br/elofw

ELOFW is an easy firewall, transparent proxy, and masquerade configuration script.

 

Fwctl 0.28
Francis J. Lacoste
http://indev.insu.com/Fwctl

Fwctl is a program that intends to make it easier to configure a tight firewall. It provides a configuration syntax that is easier to use and more expressive than the low-level primitives offered by IPchains. It supports multiple interfaces, masquerading and packet accounting. Fwctl doesn't replace a good security engineer, but it can make the job of the security engineer simpler.

 

Cfire 0.1
Raist cr0ntab
http://members.nbci.com/xkolt/cfire

Cfire is a simple home firewall written in bash to control remote connections to your machine. It is based on Linux kernel 2.2.x and the IPchains tools.

 

PMFirewall 1.1.4
Rick Johnson
http://www.pointman.org

PMFirewall is an IPchains Firewall and Masquerading Configuration Utility for Linux. It is designed to allow a beginner to build a custom firewall with little or no IPchains experience. This firewall should work for most Workstations, Servers, and Dual NIC routers using either a dialup, DSL, Cable, or LAN setup. It is restrictive to outside attacks while still being as transparent as possible to those inside.

 

DynFw for IPchains 0.2.1
Marcus Schopen
http://www.uni-bielefeld.de/~schoppa/dynfw/dynfw.README

DynFW for IPchains constantly checks /var/log/messages for packets denied by IPchains and responds by temporarily setting up firewall rules that deny any access from the originating IPs. Optionally it can do an ident lookup before setting up the rules.

 

Fwdumpd 1.0
Francis J. Lacoste
http://indev.insu.com/Fwctl/fwdumpd.html

Fwdumpd is a daemon which communicates with the kernel firewall using the netlink socket interface and copies packets marked for output to user space (usually using the -o option of IPchains) to a binary capture file. This file is compatible with tcpdump and several other analysis programs, so it is now possible to inspect all those denied packets.

 

Falcon Firewall Project 0.1.5
Falcon Open Group
http://falcon.naw.de

The Falcon Project (Free Application-Level CONnection kit) is an open firewall project with the intention of developing a free, secure and OS-independent firewall system. Falcon consists of three major modules: Falcon's own proxies (written in Perl); 3rd-party proxies (squid / qmail / BIND8), each modified for a chroot environment; and general concepts for OS hardening, chrooting etc.

 

Ipfwadm Dotfile module 1.0
John D. Hardin
ftp://ftp.rubyriver.com/pub/jhardin/ipfwadm/ipfwadm.html

The Ipfwadm Dotfile module is a GUI wrapper around the Ipfwadm command. It simplifies setup of a firewall and masquerading for new users, and automates much repetitive work for experienced users. It is based on Jesper Pedersen's Dotfile Generator, a generic framework for writing GUI wrappers around configuration files.

 

Ipfwadm2ipchains 0.5.0
William Stearns
http://www.pobox.com/~wstearns/ipfwadm2ipchains

The Ipfwadm2ipchains script is designed to convert Ipfwadm rulesets into IPchains rulesets. Simply feed it your Ipfwadm rules via stdin and it will print out the corresponding IPchains rules.

 

Fwlogwatch 0.0.25
Boris Wesslowski
http://www.kyb.uni-stuttgart.de/boris/software.shtml

Fwlogwatch analyzes IPchains packet filter logfiles and generates text and HTML summaries. It features real-time anomaly response capability and has an interactive report generator.
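
Editor's note: DynFW (above) and Fwlogwatch both start from the same place, the kernel 2.2 "Packet log:" lines IPchains writes to syslog. The script below is an added example written for this digest, not code from either project. It parses those lines (the format assumed is the stock 2.2 one: chain, target, interface, PROTO=n, src:port, dst:port), prints a Fwlogwatch-style summary per source and per destination port, and prints, rather than runs, the temporary ipchains rules a DynFW-style responder would insert and later delete. The sample log and its addresses are constructed.

```shell
#!/bin/sh
# Added example for the DynFW and Fwlogwatch entries; not code from either project.
# Input is a syslog file containing kernel 2.2 IPchains "Packet log:" lines.

# One "src dst dport proto" record per DENY/REJECT packet. Assumes the stock
# 2.2 format after the "Packet log:" marker:
#   <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=... (#rule)
denied_packets() {     # denied_packets LOGFILE
    awk '/Packet log:/ {
            sub(/.*Packet log: /, "")
            if ($2 != "DENY" && $2 != "REJECT") next
            split($5, s, ":"); split($6, d, ":")
            print s[1], d[1], d[2], substr($4, 7)
         }' "$1"
}

# Fwlogwatch-style summaries: hits per source address and per proto/port, busiest first.
top_sources() {        # top_sources LOGFILE
    denied_packets "$1" | awk '{ n[$1]++ } END { for (s in n) print n[s], s }' | sort -rn
}
top_ports() {          # top_ports LOGFILE
    denied_packets "$1" | awk '{ n[$4 "/" $3]++ } END { for (p in n) print n[p], p }' | sort -rn
}

# DynFW-style response: print an insert rule for every source that reached the
# threshold, and the matching delete so the block can be lifted after a timeout.
# Commands are printed, not executed, so they can be reviewed first.
block_rules() {        # block_rules LOGFILE [THRESHOLD]
    top_sources "$1" | awk -v thr="${2:-1}" \
        '$1 >= thr { printf "ipchains -I input 1 -s %s -j DENY -l\n", $2 }'
}
unblock_rules() {      # unblock_rules LOGFILE [THRESHOLD]
    top_sources "$1" | awk -v thr="${2:-1}" \
        '$1 >= thr { printf "ipchains -D input -s %s -j DENY -l\n", $2 }'
}

# Constructed sample log in the kernel 2.2 IPchains format (addresses are made up).
sample_log() {         # sample_log FILE
    cat > "$1" <<'EOF'
Nov  9 12:00:01 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:4321 192.168.1.1:23 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#5)
Nov  9 12:00:02 fw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:4322 192.168.1.1:111 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#5)
Nov  9 12:00:03 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.0.0.6:5000 192.168.1.1:22 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#2)
Nov  9 12:00:04 fw kernel: Packet log: input REJECT eth0 PROTO=17 10.0.0.7:1234 192.168.1.1:111 L=48 S=0x00 I=4 F=0x0000 T=64 (#6)
Nov  9 12:00:05 fw sshd[99]: Accepted password for alice from 10.0.0.6 port 5001 ssh2
EOF
}

# Usage: f=$(mktemp); sample_log "$f"; top_sources "$f"; block_rules "$f" 2
```

Before automating the insert step, bear in mind that the source address in a denied packet can be spoofed, so an attacker can provoke blocks on addresses you care about: exempt your own networks, require more than one hit (the threshold argument) and always expire the rules with the matching delete.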

 

rc.firewall-5.0.1
Jean-Sebastien Morisset
http://www.jsmoriss.dyndns.org/linux/firewall.html

rc.firewall is an IPchains-based firewall script with extensive support for network services (IPSec, VTUN, NFS, SMB, Napster, proxies, etc.), masquerading, port forwarding (including definitions for network games), and IP accounting. Protections cover spoofing, stuffed routing / masquerading, DoS, smurf attacks, outgoing port scans, and much more.
• Changes: the version 5.0.1 includes a lot of changes and enhancements. See http://jsmoriss.mvlan.net/linux/rcf/ChangeLog

 

mmtcpfwd 0.3b (devel)
Matthew Mondor
http://mmondor.rubiks.net/software.html

Mmtcpfwd is a port forwarder daemon for Linux firewalls: a superserver which starts a standalone, non-root daemon per service. It can limit the number of client IPs and the connections per IP, auto-DENY IPs once a connection threshold is exceeded, or run fake services à la portsentry. It uses a single configuration file and runs on Linux platforms.
• Changes: better logging has been added in this version: a connection ID for every connection, so open/close events can be matched and better statistics kept; how many seconds a connection lasted and how many bytes were transferred in each direction; and the reason/status when a connection is closed. Transproxy (kernel transparent proxying) support has been added: when the kernel has been compiled for it, in a MASQ/NAT environment this lets the internal box providing the service see the clients' IPs instead of the IP of the firewall box running mmtcpfwd. It requires a new column in the config file for the real services to be forwarded (see the example mmtcpfwd.conf and the README file).

 

MonMotha's IPtables Masquerading Firewall 2.1.13 (devel)
MonMotha and Steff
http://t245.dyndns.org/~monmotha/firewall/index.php

MonMotha's IPtables firewall is a shell script that implements masquerading and basic security using IPtables. It is easily configurable by modifying the options near the beginning and does not need to be rerun every time the IP address changes, making it perfect for users with dialup connections. Many features, such as a built-in list of the root DNS servers (for people who run their own DNS servers), are available.
• Changes: this version includes new configuration notes. SYN flood protection has been moved to per-port to close the SYN hole. Old rules from INETIN are now removed properly. The default port allows have been tuned down. Small restructure of the TCP_ALLOW loop. A minor status-reporting bug in the deny section (no newline being output) has been fixed; this was purely cosmetic, and 2.1.12 is functionally sound.

 

Packet Storm

Firestarter 0.5.0
Tomas Junnonen
http://firestarter.sourceforge.net

The goal of FireStarter is to provide an easy to use, yet powerful, GUI tool for setting up, administrating and monitoring firewalls for Linux machines. FireStarter is made for the GNOME desktop. It can actively monitor your firewall and list any unauthorized connection attempts made to your machine in a readable table format.
• Changes: improved IPchains rules, advanced ICMP filtering, ability to create new dynamic rules from scratch, a new set of  icons, Linux 2.4 netfilter support, option to suppress logging of a specific port, sound event support, and bug fixes.


Tools for UNIX/Linux/BSD & Cross-platform

Syslog-ng 1.4.8
Balazs Scheidler
http://www.balabit.hu/products/syslog-ng

Syslog-ng is a syslogd replacement with new functionality for the new generation. The original syslogd can only sort messages by priority/facility pair; Syslog-ng adds the possibility to filter on message contents using regular expressions. The new configuration scheme is intuitive and powerful.
• Features: filtering using regular expressions, log forwarding, hash protected log (planned in version 1.5), multi-platform. Requires libol-0.2.17.
• Changes: configure.in: bumped version number to 1.4.8. src/affile.c: expand_macro() gained the macros $SEC for seconds, $MIN for minutes and $HOUR for hours; do_reap_affile_dest() fixed a memory leak with destination files (cfg->resources kept a reference to closed files); make_affile_dest_reaper() takes a new struct syslog_config parameter, needed by that fix; expand_macro() takes a new syslog_config parameter to implement the use_time_recvd() value. doc/sgml/syslog-ng.sgml: added a note about a possible DoS attack, fixed some typos, and documented the new features.

 

Knetfilter 2.0
Luigi Genoni
http://expansa.sns.it/knetfilter

Knetfilter is a KDE 1.X frontend to IPtables, used with Linux kernels 2.4.0 and up to manage the netfilter functions. It is possible to perform all standard and most "exceptional" system management of a complex firewall within the program.
• Changes: new version 2.0 released.

 

PIKT - Problem Informant/Killer Tool 1.12.0pre6
Robert Osterlund
http://pikt.uchicago.edu/pikt

PIKT is a cross-platform (AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS), multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.

 

FreshMeat

Tcpdstats 0.1.3
Brian Peterson
http://www.kaostech.com/products/html/tcpdstats.html

Tcpdstats is a Perl program written to quickly analyze log files from standard tcpd wrappers. It outputs a text report of accepted and refused connections for each destination host sorted by source host/protocol.

 

Woodchuck 0.5
Doug Muth
http://www.claws-and-paws.com/software

Woodchuck parses logfiles from any UNIX system, and prints out any lines which don't fit into user-defined regular expressions. That way, anything out of the ordinary will be printed. It is great for discovering unusual activity on a system.

 

eSS 0.86
Ech0 Security Team
http://www.ech0.de

eSS is a remote security scanner for Linux that scans remote nodes for known security flaws. It does some of the simple probing techniques automatically like banner grabbing, OS guessing, and it includes a multithreaded TCP portscanner.

 

Secure Remote Password Protocol 1.7.0
Tom Wu
http://srp.stanford.edu

Secure Remote Password (SRP) is a password-based authentication and key exchange mechanism where no information about the password is leaked during the authentication process. It does not require any public key cryptography, yet even if one were to eavesdrop on the authentication process, no information which would aid in guessing the password can be obtained (in theory). There are some reworked Telnet and FTP clients and servers available already.

 

Thpppt! 2000.01.25
Jay Kominek
http://distorted.wiw.org:9000/~jkominek/thpppt

Thpppt! is a useful demonstration of how to modify the RC4 algorithm. All 8-bit values are replaced with 16-bit values, providing 65536 bits of key. It can also apply an All Or Nothing Transformation and gzip compression to the message before encryption, further obscuring it.

 

srm 1.2.1
Matthew Gauthier
http://sourceforge.net/projects/srm

Srm (secure rm) is a command-line compatible rm which destroys file contents before unlinking.
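
Editor's note: the idea is easy to reproduce, and the caveats matter more than the code. The function below is an added example written for this digest, not srm's own code: it overwrites the file's existing blocks in place (conv=notrunc), truncates it and only then unlinks it. Function names and the default pass count are this example's choices.

```shell
#!/bin/sh
# Added example for the srm entry; not srm's own code.

# Overwrite FILE's existing blocks in place: PASSES passes of random data, then
# one pass of zeros. conv=notrunc keeps the allocation so the same blocks are
# rewritten; the write is rounded up to whole 4 KiB blocks to cover the slack
# at the end of the file. Returns 1 if FILE is not a regular file or a pass fails.
overwrite_file() {     # overwrite_file FILE [PASSES]
    f=$1; passes=${2:-3}
    [ -f "$f" ] || { echo "overwrite_file: not a regular file: $f" >&2; return 1; }
    size=$(wc -c < "$f")
    [ "$size" -gt 0 ] || return 0
    blocks=$(( (size + 4095) / 4096 ))
    i=0
    while [ "$i" -lt "$passes" ]; do
        dd if=/dev/urandom of="$f" bs=4096 count="$blocks" conv=notrunc 2>/dev/null || return 1
        i=$((i + 1))
    done
    dd if=/dev/zero of="$f" bs=4096 count="$blocks" conv=notrunc 2>/dev/null || return 1
}

# Secure-remove: overwrite, truncate so the length no longer leaks, then unlink.
srm_file() {           # srm_file FILE [PASSES]
    overwrite_file "$1" "${2:-3}" || return 1
    : > "$1"
    rm -f -- "$1"
}

# Usage: printf 'secret\n' > /tmp/x; srm_file /tmp/x
```

Overwriting in place only helps on filesystems that rewrite blocks in place: journaling, copy-on-write, snapshots and flash wear levelling can all leave the old contents elsewhere, and the file name itself survives in the directory until it is reused. Treat this as a reduction of exposure, not as proof of erasure.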

 

The Anomy mail sanitizer 1.28
Bjarni R. Einarsson
http://mailtools.anomy.net

The Anomy mail sanitizer is a filter designed to block email-based security risks, such as Trojans and viruses. It can scan an arbitrarily complex RFC822 or MIME message and remove or rename attachments, truncate unusually long MIME header fields and sanitize HTML by disabling JavaScript, etc. It uses a single-pass pure Perl MIME parser, which can make it both more efficient and more precise than other similar programs. The sanitizer has built-in support for third-party virus scanners.

 

md5mon 1.3
Serge Winitzki
http://members.linuxstart.com/~winitzki/md5mon.html

md5mon is a file monitor that verifies files by computing their checksums. The shell script is suitable for use as a basic security checking tool from cron. It features configurable monitoring levels, local copies of find/md5sum, and integrity checks to prevent tampering with itself. It can also use a more secure checksum instead of md5sum.
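
Editor's note: a minimal version of the same idea, as an added example written for this digest and not md5mon's own code. It builds a baseline of digests over a tree, seals the baseline with its own digest so that a tampered database is rejected before it is trusted, and reports added, changed and missing files on the next run. It uses md5sum by default to match the tool; setting SUM=sha256sum swaps in a stronger digest. Function names are this example's own, and paths containing whitespace are not handled.

```shell
#!/bin/sh
# Added example for the md5mon entry; not md5mon's own code.
# SUM defaults to md5sum to match the tool; SUM=sha256sum gives a stronger digest.
SUM=${SUM:-md5sum}

# Checksum every regular file under DIR, in a stable order, into DB.
baseline() {           # baseline DIR DB
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs $SUM ) > "$2"
}

# Record the digest of DB itself so that tampering with the baseline is caught
# before it is trusted (the self-integrity check md5mon describes).
seal() {               # seal DB
    $SUM < "$1" | awk '{ print $1 }' > "$1.sum"
}

db_intact() {          # db_intact DB
    [ "$($SUM < "$1" | awk '{ print $1 }')" = "$(cat "$1.sum")" ]
}

# Compare DIR against DB. Prints "added/changed/missing PATH" lines.
# Returns 0 when nothing differs, 1 on differences, 2 if the baseline was tampered with.
verify() {             # verify DIR DB
    db_intact "$2" || { echo "baseline $2 does not match its seal" >&2; return 2; }
    now=$(mktemp)
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs $SUM ) > "$now"
    report=$(awk 'NR == FNR { old[$2] = $1; next }
                  { if (!($2 in old)) print "added", $2
                    else { if (old[$2] != $1) print "changed", $2; delete old[$2] } }
                  END { for (f in old) print "missing", f }' "$2" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: baseline /usr/bin /var/db/bin.md5 && seal /var/db/bin.md5
#        verify /usr/bin /var/db/bin.md5   # later, from cron
```

Like md5mon, this only proves the files match a baseline you trust: keep the baseline and its seal on read-only or offline media, otherwise an intruder who can replace a binary can just as easily regenerate the checksums.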

 

Packet Storm

libnids 1.16
Nergal
http://www.packetfactory.net/Projects/Libnids

Libnids is an implementation of an E-component of a Network Intrusion Detection System. It emulates the IP stack of Linux 2.0.x. The libnids library offers IP defragmentation, TCP stream assembly and TCP port scan detection. Libnids is highly configurable, reliable, and portable.

 

SecuriTeam

PaX
Pax
http://pageexec.virtualave.net

PaX is an implementation of non-executable pages for IA-32 processors (i.e. pages which user mode code can read or write, but cannot execute code in). Since the processor's native page table/directory entry format has no provision for such a feature, it is a non-trivial task. The project was designed to provide Linux with protection from buffer overflows: making data pages readable and writable but not executable is what provides the protection.

 

SecurityFocus

Note: tools announced on SecurityFocus are not necessarily updates or new or free, it's just that someone posted an announcement. We try our best to only notify you of new or updated, free, tools.

 

Log_analysis 0.34
Mordechai T. Abzug
http://linux.umbc.edu/~mabzug1/log_analysis.html

Log_analysis goes through several different kinds of logs (currently syslog, wtmp, and sulog), over some period (defaults to yesterday). It strips out the date and PID, and throws away certain entries. Then it tries each entry against a list of perl regular expressions. Each perl regular expression is associated with a category name and a rule for extracting data. When there's a match, the data-extracting rule is applied, and filed under the category. If a log entry is unknown, it's filed under a special category for unknowns. Identical entries for a given category are sorted and counted. There's an option to mail the output, so you can just run it out of cron. You can also save a local copy of the output. If you prefer to PGP-mail yourself the output, you can do this, too. The whole thing is designed to be easily extended, complete with an easy plug-in interface.
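
Editor's note: the categorise, count and flag-the-unknowns loop described above, and the "print what matches no known pattern" behaviour of Woodchuck listed earlier in this digest, come down to the same few lines of awk. The script below is an added example written for this digest, not code from either project: it strips the timestamp and PID so repeats collapse, matches each entry against a rules file of "category regex" pairs, counts identical entries per category, files non-matching entries under UNKNOWN, and can print just those unknowns. The per-category data-extraction rules of Log_analysis are left out; the rule format, file names and sample log are this example's own.

```shell
#!/bin/sh
# Added example for the Log_analysis entry (and the Woodchuck entry earlier in
# this digest); not code from either project.

# Strip the syslog timestamp and any "[pid]" so identical events compare equal.
normalise() {
    sed -e 's/^[A-Z][a-z][a-z] *[0-9][0-9]* [0-9:]* //' -e 's/\[[0-9]*\]//'
}

# categorise RULES LOG -> "count<TAB>category|entry" lines, sorted.
# RULES lines are "category regex": the first word is the category, the rest
# an awk extended regular expression. The first matching rule wins; entries
# that match no rule are filed under UNKNOWN.
categorise() {         # categorise RULES LOG
    tmp=$(mktemp)
    normalise < "$2" > "$tmp"
    awk 'NR == FNR { n++; cat[n] = $1; re[n] = substr($0, length($1) + 2); next }
         { hit = "UNKNOWN"
           for (i = 1; i <= n; i++) if ($0 ~ re[i]) { hit = cat[i]; break }
           count[hit "|" $0]++ }
         END { for (k in count) print count[k] "\t" k }' "$1" "$tmp" | LC_ALL=C sort
    rm -f "$tmp"
}

# Woodchuck behaviour: only the (unique) entries that fit no known pattern.
unknown_lines() {      # unknown_lines RULES LOG
    categorise "$1" "$2" | awk 'sub(/^[0-9]+\tUNKNOWN\|/, "")'
}

# Constructed rules and log (host, users and addresses are made up).
setup_samples() {      # setup_samples DIR
    mkdir -p "$1"
    cat > "$1/rules" <<'EOF'
ssh-failed Failed password for
ssh-accepted Accepted password for
su-root su: .* to root
EOF
    cat > "$1/messages" <<'EOF'
Nov  9 10:01:02 host sshd[123]: Failed password for alice from 10.0.0.5 port 4000 ssh2
Nov  9 10:01:05 host sshd[125]: Failed password for alice from 10.0.0.5 port 4000 ssh2
Nov  9 10:02:00 host sshd[124]: Accepted password for alice from 10.0.0.6 port 4002 ssh2
Nov  9 10:03:00 host su: bob to root on /dev/pts/1
Nov  9 10:04:00 host kernel: eth0: link up
EOF
}

# Usage: d=$(mktemp -d); setup_samples "$d"; categorise "$d/rules" "$d/messages"
```

On the sample log the two sshd failures collapse into one entry with a count of 2 because the differing PIDs have been stripped, and the kernel link-up line is the only entry reported as UNKNOWN. Order the rules file from most specific to most general, since the first match wins.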

 

SILC (Secure Internet Live Conferencing) 20001108
Pekka Riikonen
http://silc.pspt.fi

SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services on the Internet over insecure channels. SILC superficially resembles IRC, although the two are very different internally. Strong cryptographic methods are used to secure all traffic. SILC has been coded and tested under Linux but has not been tested on other Unix platforms.
• Changes: this new version contains a lot of changes and includes new features. More information: http://silc.pspt.fi/changes.txt

 

Crypto++ 4.0
Wei Dai
http://www.eskimo.com/~weidai/cryptlib.html

Crypto++ is a free C++ class library of cryptographic schemes, some of which are other people's code repackaged into classes. It works on Linux, Solaris and other UNIX systems.

 

Tcpreplay 1.0.1
Matt Undy, Anzen Computing
http://www.anzen.com/research/nidsbench

Many NIDSs fare poorly when looking for attacks on heavily-loaded networks. Tcpreplay replays traffic captured from a real network so that a NIDS can be tested under realistic load.

 

Multiscan 0.8.5
Karl Söderström
http://sourceforge.net/projects/multiscan

Multiscan is a simple portscanner written in C and running under Linux, which allows you to scan a range of IP addresses.


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 09 November, 2000