By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html
To receive this digest via Email:
http://securityportal.com/subscribe.html
This is a summary of changes to free security tools over the last week.
Updates to General free tools this week include: Mindterm, GnuPG, SSHD for NT, BIND9.
Auditing and Intrusion Monitoring tools include Snort and 7 other tools.
Firewalls for UNIX/Linux/BSD & Cross-platform include IPchains and 6 other tools.
Tools for Linux/Unix/Cross Platform: 9 tools this week.
Tools for Windows include the Random Number Generator Pro.
SSH
- Mindterm 1.99pre2
Mats Andersson
http://www.mindbright.se/mindterm
Mindterm is a complete SSH client in pure Java. It can be used either as a standalone Java application or as a Java applet. Three packages of importance are provided (terminal, SSH, and security). The terminal package is a rather complete VT102/xterm terminal, and the SSH package contains the SSH protocol and also "drop-in" socket replacements to use SSH tunnels transparently from a Java application/applet. It also contains the functionality to realize an SSH server. Finally, the security package contains RSA and the DES, 3DES, Blowfish, IDEA and RC4 ciphers.
Changes: Fixed bug in http proxy code (parsed "sloppy" response header incorrectly). Fixed bug in terminal "select all" after drag-select "backwards" (wasn't cleared when deselected). Fixed X11 channels in ssh2 code. Fixed bug in ssh2 kex method diffie-hellman-group-exchange-sha1, which didn't request the correct group order (thanks to Niels Provos for pointing this out). Fixed code in ssh1 that triggered a funny bug in MS's JVM jview (causing ArrayIndexOutOfBoundsException in the Blowfish and 3DES ciphers). Fixed bug when connecting through the "Settings Dialog": settings couldn't be saved (thanks to Jade Cravy for pointing this out). Fixed bug: didn't send correct CHANNEL_OPEN_FAILURE to draft-incompatible servers.
Note: the available versions are currently only demos. Sources and old code will be available soon, as the web pages are being restructured. The license for the ssh2 package has not yet been decided but will be before the end of this year.
- Another SSHD for NT v1.02
http://marvin.criadvantage.com/caspian/Software/SSHD-NT/default.php
Last week we reported on and quickly tested an SSHD for NT. A reader wrote in to tell us of a second one which works for him. We took it for a quick test drive:
- It is the UNIX SSH 1.2.26 ported using the Cygnus libraries.
- The setup.bat script installs sshd, ssh-keygen, sshd_config in %systemroot% (C:\winnt), generates an SSH host key and starts SSHD as a proper service.
- Advantages
- NT account authentication is used rather than separate passwords.
- The default configuration in sshd_config is quite tight.
- The NT Application event log is used.
- Disadvantages
- Source code not available.
- More documentation of the exact sources used and modifications would be welcome.
- No scp or ssh client is included.
- No deinstallation script.
- Tests
- Using putty's command-line SSH client plink, an SSH login to localhost didn't want to work; it hung at the prompt:
plink -v joe_bloggs@localhost
- Using putty's command-line SCP client pscp, the file "c:\cmd.exe" was downloaded successfully. Note that the root directory seems to be drive C by default:
pscp -v joe_bloggs@localhost:/cmd.exe .
- Further extensive tests with access control, trusts, RSA authentication etc. are really required.
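As an added example (it is not part of the original digest, nor code from either SSHD product), a small Python script that does the first check one would make on a new SSH daemon before the client tests above: read the server's identification line and report which protocol versions it offers. Per the SSH protocol drafts (later RFC 4253, section 5.1) the line has the form SSH-protoversion-softwareversion, where 1.99 means the server speaks both protocol 1 and protocol 2. A protocol-1-only daemon such as a port of ssh 1.2.26 is assumed here to identify as SSH-1.5-..., and all sample strings are constructed.

```python
import re
import socket

# SSH identification line (SSH protocol drafts, later RFC 4253 section 5.1):
#   SSH-protoversion-softwareversion [SP comments] CR LF
# A server advertising protoversion 1.99 speaks both protocol 1 and protocol 2.
_IDENT_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<soft>\S+)(?: (?P<comment>.*))?$")

# Constructed sample banners, not captured from any real server.
SAMPLE_BANNERS = [
    "SSH-1.5-1.2.26\n",                    # assumed form for a protocol-1-only 1.2.26 port
    "SSH-1.99-OpenSSH_2.3.0p1\r\n",        # both protocols offered
    "SSH-2.0-ExampleServer_1.0 beta\r\n",  # protocol 2 only, with a comment field
    "220 ftp.example.org FTP server ready\r\n",  # not an SSH server at all
]


def parse_ssh_banner(line):
    """Return a dict describing the identification line, or None if it is not one."""
    m = _IDENT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    proto = m.group("proto")
    if proto == "1.99":
        supports = ("1", "2")
    elif proto.startswith("1."):
        supports = ("1",)
    elif proto.startswith("2."):
        supports = ("2",)
    else:
        supports = ()
    return {"proto": proto, "software": m.group("soft"),
            "comment": m.group("comment") or "", "supports": supports}


def classify(banner):
    """Human-readable verdict for one banner."""
    info = parse_ssh_banner(banner)
    if info is None:
        return "not an SSH server"
    if info["supports"] == ("1",):
        return "protocol 1 only (%s)" % info["software"]
    if info["supports"] == ("1", "2"):
        return "protocol 1 and 2 (%s)" % info["software"]
    return "protocol %s (%s)" % (info["proto"], info["software"])


def grab_ssh_banner(host, port=22, timeout=5.0):
    """Connect and read the server's line; the server sends it before anything else.
    Network helper only; everything else here works on the constructed samples."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = s.recv(1)
            if not chunk:
                break
            data += chunk
    return parse_ssh_banner(data.decode("ascii", "replace"))


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(repr(b.strip()), "->", classify(b))
```

Running classify() over a list of hosts (via grab_ssh_banner) is a quick way to find daemons that only speak protocol 1, which is worth knowing before deciding which client options to test with.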
PGP
- GnuPG: patch for 1.0.4
Free Software Foundation
http://www.gnupg.org
Changes: GnuPG security patch released for GnuPG 1.0.4. This patch fixes a serious bug which could lead to false positives (a bad signature reported as good) when checking detached signatures.
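As an added example (not GnuPG's own code), a Python routine showing how a script that checks detached signatures should consume GnuPG's machine-readable status lines (--status-fd) rather than trusting the exit code or parsing the human-readable output, and should pin the signing key's fingerprint. The keywords are those documented in doc/DETAILS of the GnuPG distribution (a few, such as EXPKEYSIG, only appeared in later versions); the sample output, key ID and fingerprint are constructed. Note the caveat: a verification bug like the one patched above makes gpg itself emit GOODSIG for a bad signature, so a careful status parser complements the upgrade, it does not replace it.

```python
import subprocess

# Status keywords GnuPG writes to the descriptor given by --status-fd, as documented
# in doc/DETAILS of the GnuPG sources. Unlike gpg's normal messages they are stable
# and machine-readable.
#
# Constructed sample of what `gpg --batch --status-fd 1 --verify pkg.sig pkg` might
# print on stdout; the key ID and fingerprint are made-up values, not a real key.
SAMPLE_GOOD = """\
[GNUPG:] SIG_ID 0sl3sSDQ1ReXaMpLeSiGiD 2000-12-07 976183200
[GNUPG:] GOODSIG 0123456789ABCDEF Example Release Key <release@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2000-12-07 976183200
[GNUPG:] TRUST_ULTIMATE
"""
SAMPLE_BAD = """\
[GNUPG:] BADSIG 0123456789ABCDEF Example Release Key <release@example.org>
"""
SAMPLE_GOODSIG_ONLY = """\
[GNUPG:] GOODSIG 0123456789ABCDEF Example Release Key <release@example.org>
"""

# Fingerprint(s) of the key(s) allowed to sign this artifact (assumed value).
TRUSTED_FPRS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Any of these means the verification must be treated as failed, whatever else appears.
BAD_KEYWORDS = {"BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def verify_status(status_text, trusted_fprs=TRUSTED_FPRS):
    """Decide from the status lines alone. Accept only if there is exactly one
    GOODSIG, exactly one VALIDSIG whose full fingerprint is trusted, and no
    failure keyword at all. Returns (ok, reason)."""
    good = 0
    valid_fprs = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                      # human-readable output, ignore it
        fields = line.split()
        if len(fields) < 2:
            continue
        keyword = fields[1]
        if keyword in BAD_KEYWORDS:
            return False, "failure status %s present" % keyword
        if keyword == "GOODSIG":
            good += 1
        elif keyword == "VALIDSIG" and len(fields) > 2:
            valid_fprs.append(fields[2].upper())   # full fingerprint, not the short key ID
    if good != 1 or len(valid_fprs) != 1:
        return False, "expected exactly one good signature, saw GOODSIG=%d VALIDSIG=%d" % (
            good, len(valid_fprs))
    if valid_fprs[0] not in trusted_fprs:
        return False, "signed by untrusted key %s" % valid_fprs[0]
    return True, "good signature from trusted key %s" % valid_fprs[0]


def gpg_verify(sig_path, data_path, gpg="gpg"):
    """Run gpg on a detached signature and apply verify_status to its status stream.
    Needs a gpg binary; --status-fd 1 sends status lines to stdout."""
    proc = subprocess.run([gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True)
    return verify_status(proc.stdout)


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD), ("goodsig only", SAMPLE_GOODSIG_ONLY)):
        print(name, "->", verify_status(sample))
```

Requiring the VALIDSIG fingerprint, rather than the short key ID printed by GOODSIG, is deliberate: short key IDs are not unique, and a release process should know exactly which key it trusts.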
BIND 9.1.0b1
Internet Software Consortium
http://www.isc.org/products/BIND/bind9-beta.html
Comment: Although the famous DNS server is not a security tool, we will inform you of updates, as it is a critical element of TCP/IP networks and several security extensions are included in the new BIND9.
BIND 9.1.0b1 is the first beta release of BIND 9.1.0. It includes a number of new features:
- Many BIND 8 features previously unimplemented in BIND 9, including domain-specific forwarding, the $GENERATE master file directive, and the "blackhole", "dialup", and "sortlist" options
- Forwarding of dynamic update requests; this is enabled by the "allow-update-forwarding" option
- A new, simplified database interface and a number of sample drivers based on it; see doc/dev/sdb for details
- Support for building single-threaded servers for environments that do not supply POSIX threads
- New configuration options: "min-refresh-time", "max-refresh-time", "min-retry-time", "max-retry-time", "additional-from-auth", "additional-from-cache", "notify explicit"
- Faster lookups, particularly in large zones.
- Experimental implementations of a number of DNS protocol extensions still under development in the IETF. These include transparent processing of unknown RR types and use of the EDNS "DNSSEC OK" bit to explicitly enable DNSSEC processing in responses.
- Cryptographic operations are now based on the OpenSSL library instead of DNSsafe.
- Numerous bugs have been fixed.
There are a few known bugs:
- On some systems, IPv6 and IPv4 sockets interact in unexpected ways. For details, see doc/misc/ipv6. To reduce the impact of these problems, the server no longer listens for requests on IPv6 addresses by default. If you need to accept DNS queries over IPv6, you must specify "listen-on-v6 { any; };" in the named.conf options statement.
- There are known problems with thread signal handling under Solaris 2.6.
- On FreeBSD systems, the server logs error messages like "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device". This is due to a bug in the FreeBSD /dev/random device. The bug has been reported to the FreeBSD maintainers. Versions of OpenBSD prior to 2.8 have a similar problem.
- --with-libtool does not work on AIX.
Snort
http://www.snort.org
- New Ruleset Released: I've updated the ruleset today with all older 'beta' code as well as some updates. The new rules file will be snortfull.conf - This file will be updated on an ongoing basis. New beta rules have also been released. You can get both of them at http://www.snort.org/snort-files.htm#Rules. The database and downloads section have both been fixed. Please let me know of any other errors you may find.
- Snort 1.6 Win32
Michael Davis, original code by Martin Roesch
http://www.datanerds.net/~mike/snort.html
Windows version of the lightweight network intrusion detection system.
Changes: new beta release: snort-1.6.3-patch2-win32, including the following enhancements: updated WIN32 port to the new 1.6.3 code base. Added the -s bug handling patch into rules.c. Snort actually starts Winsock now, because it does a getprotobynumber() lookup, which needs Winsock to be started; only Winsock 1.1 is started, which should satisfy the masses. Decided to add service code for the -D option in the next version. Possibly fixed the problem reported on Windows Advanced Server in which it was not possible to specify the adapter to bind to; further tests are necessary.
X-SARte 1.0
Ralf Wiegand and Todd Fraser
http://www.x-sarte.com
X-SARte, or Systems Activity Reporter and Traffic Examiner, gathers system statistics and displays them on easy-to-read graphs. By using X-SARte's easy-to-use Web front end, these graphs can be quickly accessed with any Web browser that supports PNG images. Possible uses for X-SARte include diagnosing system performance issues, keeping track of system and network load, detecting possible cracking attempts, performance tuning of your systems, finding rogue programs, finding peak and low points of system usage, finding possible problems with network configuration or hardware, and checking to see when upgrades are needed.
Remark: version 1.0 is free and is a modified version of the Open Source utility SARGE by Ed Finch. Version 2.0 costs $29.95 but can be tested for a 60-day trial period.
Uptime Client 4.14 - Devel: 4.16
Alex de Haas
http://uptimes.atomicvoid.net
Uptime Client is a little program that keeps track of your uptime and sends it to a server where you can compare it with many other hosts and browse through various statistical information.
PACT 0.9c
Garry Glendown
http://pact.insider.org
PACT is a software package to do complete port accounting for SNMP-manageable devices like routers, hubs, and switches. Administration is done using an HTML interface with dynamic data fed through PHP and a MySQL database backend.
Adwids 0.8b2
Defense Worx
http://www.defenseworx.com
The Defense Worx Network Intrusion Detection System is a Linux-based IDS which performs TCP/IP traffic analysis to detect unauthorized traffic in near real time. It includes a Java-based console to display alerts remotely and several open-source attack signatures.
Changes: the version 0.8b2 includes bug fixes in the sensor and speed improvements. The Java GUI has been changed.
Netwatch 0.9h
Gordon MacKay
http://www.slctech.org/~mackay/netwatch.html
Netwatch allows monitoring of an Ethernet segment or PPP line and examines activity on the network, highlighting hostnames in colors to indicate activity on the bus network over time. The monitor includes packet statistics and a TOP mode which gives a sorted list of hosts based on IP usage. All info is updated on a per-second basis.
Changes: New features include configuration files for logging and colors, a passive mode for logging, a Netbus and Back Orifice packet watch, Mac-Ethernet Address watch, HTTP and FTP server types.
Spoofaudit 0.1.3
Ghede
http://spoofaudit.op.nu
SpoofAudit is a Perl tool which helps you determine what basic spoofing filters are present between two test points on two networks, and what anti-spoofing filters are missing. It is designed to work between endpoints that would not normally have any filtering between them except for anti-spoofing filters. Spoofaudit requires the Net-RawIP Perl module.
Qaudit.pl
Vade79
http://www.fakehalo.org
Qaudit.pl is a script for quickly auditing .c and .cc source files for stack and heap overflows, format bugs, exec calls, environment variables, and misc functions which often have security issues.
Knetfilter 2.0.1
Luigi Genoni
http://expansa.sns.it/knetfilter
Knetfilter is a KDE front-end to IPtables, used with Linux kernels 2.4.0 and up to manage the netfilter functions. It is possible to perform all standard and most "exceptional" system management of a complex firewall within the program.
Changes: new version 2.0.1 released, stable version for KDE2. Knetfilter 1.2.X for KDE1 will still be maintained, but just for bug fixes, no more features will be added to 1.2.X versions, the latest stable version for KDE1 is version 1.2.3.
Smoothwall 0.9.6
http://sourceforge.net/projects/smoothwall
SmoothWall is a popular Linux distro cut down to a complete minimal automated installation, providing out-of-the-box security and functionality as a router and firewall managed by platform-independent web browsers. No prior Linux experience is required.
Changes: Included for the first time in a SmoothWall release are the following: 1) SSH for remote access managed by SmoothWeb interface. 2) Increased management logging of all processes and services. 3) Support for up to 5 ISP dial in accounts (as requested by many) 4) New look front end with new color scheme 5) Menu bar for ease of navigation 6) DHCP modifications 7) Inclusion of Rawrite and RawWrite for Win for those unable to use DD 8) Modification and bug fixes in the calendar engine
EasyChains 0.9.3 Release 2 (devel)
Dejavo
http://dejavo.homepage.com/djvlinux.html
EasyChains is a very easy-to-use GUI for the console firewall script. It makes it easy to build a custom firewall using the script generator, or you can add custom rules and remove rules from a numbered list.
Some features: EasyChains lets you add and remove rules easily. It can generate rules by asking simple questions during the process about the ports, who to open them for, etc. It includes a monitoring script for the console that logs all connections (IP, time, port and status) to a logged port.
IPchains-firewall 1.7.3
Ian Hall-Beyer
http://firewall.langistix.com
IPchains-firewall is an easily-configurable shell script to establish masquerading and firewalling rules using IPchains. The script self-configures out of the box for IP addresses, netmasks, and interfaces. All that is needed is a command-line specification of external and internal interface names. It automatically determines the type of firewall to set up (standalone, routing, or masquerading) based on interface IP addresses. The distribution also includes a copy of midentd, to enable identd over the masqueraded network.
Changes: added blocks for LDAP, Kerberos and CIFS
Seattle Firewall 3.2.4
Tom Eastep
http://seawall.sourceforge.net
The Seattle Firewall is an IPchains firewall that supports IP masquerading and can be used on a standalone system, on a dedicated firewall system, or on a multi-use gateway/server. It supports VPN via IP tunnels, IPSec, and PPTP. It is easily configurable by editing configuration files, and can be extended without modifying the base product. It also includes real-time monitoring with an audible alarm that sounds when suspect packets are detected.
Changes: version 3.2.4 is a bug-fix release of Seattle Firewall and corrects the following known problems in version 3.2.2: version 3.2.2 (and LRP version 3.2.3) failed to start on systems that have a DMZ configured and that have IP installed. The installation of Coyote LRP failed. Seattle Firewall failed to start on systems with pptpserver set. Seattle Firewall was incompatible with the version of "grep" released with Coyote (Seattle Firewall assumes that grep searches for regular expressions, while Coyote's grep only searches for strings). It broke dial-up. Restarting the firewall when masquerading an IPSec tunnel resulted in the message "IOCADDRT: File exists". A "seawall stop" command caused subsequent attempts to obtain an IP address via DHCP to fail. More information about these bug fixes is at http://seawall.sourceforge.net/errata.html.
IPchains Firewalling Module for Webmin 0.83.1
Tim Niemueller
http://www.niemueller.de/webmin/modules/ipchains
The IPchains Firewalling Module, part of the RockSolid Linux Distribution, allows you to easily maintain a firewall based on IPchains with the Webmin look and feel. It has three modes: Newbie (select one of five security levels), Template (define, from a table of protocols and directions, what should be allowed to pass your firewall), and Expert (have the real IPchains experience with every parameter under control, by editing a script file which holds all IPchains rules). Nearly all of the IPchains options are supported.
Gibraltar Firewall 0.91a
Rene Mayrhofer
http://www.gibraltar.at
Gibraltar is a Debian-based router/firewall distribution, fully workable from a bootable live CD-ROM. Log files can be stored on a hard disk, and configuration data is stored on a floppy disk and kept on a RAM disk at run time. It runs directly from the CD-ROM. The official ISO images of Gibraltar can be used freely, but commercial distribution is restricted.
Firewall Log Daemon 1.1
Ian Jones
http://www.speakeasy.org/~roux/dmn
Firewall Log Daemon provides two programs, chaindaemon and tabledaemon, that you can choose between depending on your firewall type (IPchains or IPtables/netfilter). The program starts a small daemon process that parses and resolves firewall logs in real time by reading a FIFO that syslog writes to. It queues a batch of alerts and mails them to you. It features hostname, port, protocol, and ICMP type/code lookup, with formatted output for easy reading.
Changes: bug fixes and code cleanup.
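As an added example (not the Firewall Log Daemon's code), a Python sketch of the same pipeline: parse ipchains "Packet log:" lines as they arrive, decode protocol, service and ICMP type/code, and collect the alerts into batches ready for mailing. The line layout follows the ipchains-HOWTO; the trailing "(#rule)" field and the convention that the two port fields carry the ICMP type and code for PROTO=1 are taken from it and are assumptions here. The service table is a small offline stand-in for /etc/services and the log lines are constructed.

```python
import re
import socket

# Layout of an ipchains kernel log line (ipchains-HOWTO, "Packet log" section):
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#               L=<len> S=<tos> I=<id> F=<frag> T=<ttl> [SYN] (#<rule>)
# For PROTO=1 (ICMP) the two "port" fields carry the ICMP type and code.
# The trailing "(#rule)" and the ICMP convention are assumed from the HOWTO.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<id>\d+) F=(?P<frag>0x[0-9A-Fa-f]+) "
    r"T=(?P<ttl>\d+)(?P<rest>.*)$")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}
SERVICES = {22: "ssh", 23: "telnet", 53: "domain", 111: "sunrpc"}   # offline stand-in for /etc/services

# Constructed syslog lines using RFC 5737 documentation addresses, not from a real firewall.
SAMPLE_LINES = [
    "Dec  7 10:15:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:3391 192.0.2.10:23 "
    "L=60 S=0x00 I=51234 F=0x4000 T=51 SYN (#12)",
    "Dec  7 10:15:02 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:1025 192.0.2.10:111 "
    "L=84 S=0x00 I=9 F=0x0000 T=51 (#12)",
    "Dec  7 10:15:03 fw kernel: Packet log: input DENY eth0 PROTO=1 203.0.113.9:8 192.0.2.10:0 "
    "L=84 S=0x00 I=10 F=0x0000 T=51 (#12)",
    "Dec  7 10:15:04 fw kernel: eth0: link up",          # unrelated kernel message
]


def parse_line(line):
    """Return a dict for an ipchains log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[k] = int(rec[k])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], "proto%d" % rec["proto"])
    rec["syn"] = " SYN" in rec["rest"]
    rm = re.search(r"\(#(\d+)\)", rec["rest"])
    rec["rule"] = int(rm.group(1)) if rm else None
    if rec["proto"] == 1:                       # ICMP: "ports" are type and code
        rec["icmp_type"], rec["icmp_code"] = rec["sport"], rec["dport"]
    return rec


def describe(rec, resolve=False):
    """One formatted alert line. Reverse DNS is optional so this runs offline."""
    src = rec["src"]
    if resolve:
        try:
            src = "%s (%s)" % (socket.gethostbyaddr(rec["src"])[0], rec["src"])
        except OSError:
            pass                                # no PTR record, keep the address
    if rec["proto"] == 1:
        what = "icmp %s/%d" % (ICMP_TYPES.get(rec["icmp_type"], "type%d" % rec["icmp_type"]),
                               rec["icmp_code"])
    else:
        what = "%s port %s%s" % (rec["proto_name"], SERVICES.get(rec["dport"], str(rec["dport"])),
                                 " SYN" if rec["syn"] else "")
    return "%s %s %s %s -> %s %s rule#%s" % (rec["chain"], rec["target"], rec["iface"],
                                            src, rec["dst"], what, rec["rule"])


def batch_alerts(lines, batch_size):
    """Group parsed alerts into mail bodies of at most batch_size entries each."""
    bodies, cur = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cur.append(describe(rec))
        if len(cur) == batch_size:
            bodies.append("\n".join(cur))
            cur = []
    if cur:
        bodies.append("\n".join(cur))
    return bodies


def follow_fifo(path):
    """Yield lines from a named pipe that syslogd writes to (blocks while waiting)."""
    with open(path) as fifo:
        for line in fifo:
            yield line.rstrip("\n")


if __name__ == "__main__":
    for body in batch_alerts(SAMPLE_LINES, 2):
        print(body, "\n---")
```

In production the lines would come from follow_fifo() on a pipe that syslogd has been pointed at (sysklogd accepts a "|/path/to/fifo" destination), and each body from batch_alerts() would be handed to the local mailer.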
TrustedBSD
http://www.trustedbsd.org
Version 0.5 of the ACL patches provides improvements on the 0.4 release, including better handling of directories and fixes for chmod() interaction bugs involving the updated -CURRENT VADMIN changes. Further work is still required on the POSIX.2c utility set; this revision requires a FreeBSD 5.0-CURRENT source tree from 12/1/2000.
Exiscan v0.9
Tom Kistner
http://duncanthrax.net/exiscan
Exiscan is an email virus scanner which works together with the Exim MTA (http://www.exim.org). It is written in Perl and designed to be as subtle and lightweight as possible. Exiscan relies on McAfee's uvscan or Trend Micro's vscan to do the actual scanning work.
Changes: AVP Scanner support (thanks to Marcus Klein) and Sophos Sweep support (thanks to Chris Beauchamp).
OpenCA
Massimiliano Pala
http://www.openca.org
The OpenCA project is a collaborative effort to develop a full-featured interface structure, on top of currently available security-related and administrative toolkits, for managing the common operations on X.509 digital certificates (i.e. admission, verification, revocation, suspension, etc.). The project will therefore cover various aspects of administrative solutions for managing digital certificates and will use many different pieces of software available today in the Open Source community.
Changes: a new series of updated OpenCA PERL modules are available for download. Don't update to the new versions if you are not a very skilled developer (especially the DB module), as they are meant for the new upcoming release and should be used only for testing; they are not fully compatible with current releases or SNAPs. The new modules can be downloaded at http://www.openca.org/docs/download.shtml
Trustix Secure Linux 1.2
The Trustix Team
http://www.trustix.net
Trustix Secure Linux is a project to make a hardened Linux distribution for servers. It features FreeS/WAN, OpenSSL, OpenSSH, Apache with SSL and PHP, Postfix, POP3 and IMAP with SSL support, ProFTP, ftpd-BSD, and PostgreSQL.
Antiroute 1.0
Neven Lovric
http://www.lovric.net/software/antiroute
Antiroute prevents and logs UDP-based route tracking. Programs like traceroute use the IP `Time to live' field to elicit an ICMP TIME_EXCEEDED response from each gateway along the path to a host, or an ICMP PORT_UNREACH from the host itself. The latter is impossible if the target ports are open, since a listening port produces no PORT_UNREACH. Antiroute listens on the ports used in UDP-based route tracking and determines the IP address, source port, and distance (in hops) of the host from which the trace is being performed.
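As an added example (not Antiroute's code), a Python detector showing how a host can recognise an incoming UDP traceroute from the probes alone and estimate the tracer's distance. It assumes the classic port layout of the Linux traceroute (base port 33434, destination port incremented for every probe, three probes per TTL), so that a probe's destination port reveals the TTL it was sent with; since every router decrements TTL, the difference between the sent and the arriving TTL is the number of routers crossed. The packets are constructed and use documentation addresses. A BSD-style traceroute that numbers ports from base+1 would shift the estimate by one hop, which is why the code only reports a distance when all probes agree.

```python
from collections import defaultdict

# Classic UDP traceroute: probes go to high UDP ports starting at 33434, the
# destination port is bumped for every probe, the TTL starts at 1 and grows.
# Port layout assumed here (Linux traceroute, 3 probes per hop):
#   dport = BASE_PORT + (sent_ttl - 1) * NPROBES + probe_index
# so a probe's dport reveals the TTL it was sent with. BSD traceroute numbers
# ports from BASE_PORT + 1, which would shift the estimate by one hop.
BASE_PORT = 33434
NPROBES = 3
PROBE_PORTS = range(BASE_PORT, BASE_PORT + 30 * NPROBES)   # hops 1..30

# Constructed packets as seen at the target host (RFC 5737 documentation
# addresses). The tracing host 198.51.100.7 sits behind 4 routers, so its
# TTL-5 probes are the first to arrive, with one hop of TTL left.
SAMPLE_PACKETS = [
    {"proto": "udp", "src": "198.51.100.7", "sport": 38741,
     "dport": BASE_PORT + 12 + i, "ttl": 1 + i // 3}
    for i in range(9)                      # sent TTL 5, 6, 7: three probes each
] + [
    {"proto": "udp", "src": "203.0.113.5", "sport": 53, "dport": 1025, "ttl": 60},    # DNS reply
    {"proto": "tcp", "src": "203.0.113.6", "sport": 4021, "dport": 33450, "ttl": 60}, # TCP, not a probe
]


def is_traceroute_probe(pkt):
    return pkt["proto"] == "udp" and pkt["dport"] in PROBE_PORTS


def sent_ttl(dport):
    """TTL the tracer used for this probe, derived from the assumed port layout."""
    return (dport - BASE_PORT) // NPROBES + 1


def hop_distance(dport, arriving_ttl):
    """Hops from the tracer to us: routers crossed + 1.
    Each router decrements TTL, so routers = sent_ttl - arriving_ttl."""
    return sent_ttl(dport) - arriving_ttl + 1


def analyse(packets):
    """Group probes by source and report the tracer's source port(s) and distance.
    The distance is reported only if every probe agrees; disagreement means the
    port-layout assumption does not hold for that tracer."""
    by_src = defaultdict(list)
    for p in packets:
        if is_traceroute_probe(p):
            by_src[p["src"]].append(p)
    report = {}
    for src, probes in by_src.items():
        if len(probes) < NPROBES:
            continue                       # too few to call it a trace
        distances = {hop_distance(p["dport"], p["ttl"]) for p in probes}
        report[src] = {
            "probes": len(probes),
            "source_ports": sorted({p["sport"] for p in probes}),
            "distance": distances.pop() if len(distances) == 1 else None,
        }
    return report


if __name__ == "__main__":
    for src, info in analyse(SAMPLE_PACKETS).items():
        print(src, info)
```

The source port is worth logging as well: classic traceroute keeps it fixed for the whole run, so it ties the probes together and is what a reply would have to target.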
Freeswan 1.8
Linux FreeS/WAN Team
http://www.freeswan.org
Linux FreeS/WAN provides IPSec (IP Security, which is both encryption and authentication) kernel extensions and an IKE (Internet Key Exchange, keying and encrypted routing) daemon, allowing you to build secure tunnels through untrusted networks. It is compatible with other IPSec and IKE systems already deployed by other vendors such as OpenBSD.
Changes: this release features mostly stabilization changes due to the large amount of new code since the 1.5 release.
LibMix 120
Mixter
http://mixter.void.ru
LibMix is a library that provides an API for various useful functions, including an AES encryption interface, various network front-ends and low-level datagram functions, as well as functions for string manipulation and other miscellaneous utility functions. It also includes functions to transmit encrypted data via stateless spoofed datagrams (tfntransmit/tfnread).
Changes: added exclude database function, to add and match classless ranges of IP addresses (for network scanners, access control, etc.), added new packet headers, updated man pages.
Fpf
Fusys and Cyrax
http://www.pkcrew.org
FPF is an LKM for Linux which changes the TCP/IP stack in order to emulate another OS's TCP fingerprint. The package contains the LKM and a parser for the Nmap fingerprint file that lets you choose directly the OS you want to emulate.
HttpTunnel 3.0.5
Lars Brinhoff
http://www.nocrew.org/software/httptunnel.html
HttpTunnel creates a bidirectional data channel through an HTTP proxy, from your isolated computer behind a restrictive firewall, to a system on the Internet you have access to.
Changes: bug fixes.
FormatGuard 1.0
Immunix
http://www.immunix.org/download2.html
FormatGuard is designed to provide a rapid, general solution to the large number of unknown format bugs expected to emerge in the next year. FormatGuard works by employing CPP's ability to distinguish macros with identical names but a different number of arguments.
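As an added example serving both the Qaudit.pl entry above and this one (it is code from neither project), a Python script that audits C source the way such tools do: it flags the classic overflow, exec and environment functions, and for printf-family calls it performs statically the check FormatGuard enforces at compile time, comparing the number of % conversions in a literal format string with the number of arguments actually supplied, and flagging a non-literal format string outright. The function lists, the argument-index table and the sample C file are constructed for the example.

```python
import re

# Functions a Qaudit-style pass flags, grouped by issue class (constructed lists).
RISKY = {
    "overflow":    {"strcpy", "strcat", "sprintf", "vsprintf", "gets", "scanf", "sscanf"},
    "exec":        {"system", "popen", "execl", "execlp", "execle", "execv", "execvp", "execve"},
    "environment": {"getenv", "putenv", "setenv"},
}
# printf-family functions and the index of their format-string argument.
FORMAT_FUNCS = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1,
                "vprintf": 0, "vfprintf": 1, "vsprintf": 1, "vsnprintf": 2}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
# One printf conversion: flags, width, precision, length modifier, conversion char.
CONV_RE = re.compile(r"%[-+ #0]*(\*|\d+)?(?:\.(\*|\d+))?(?:hh|h|ll|l|L|q|j|z|t)?([diouxXeEfFgGaAcspn%])")


def strip_comments(src):
    """Drop /* */ and // comments; newlines are kept so line numbers stay valid."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def split_args(src, start):
    """src[start] is '('. Return (list of argument strings, index past the matching ')'),
    honouring nested parentheses and string/char literals."""
    depth, quote, args, cur = 0, None, [], []
    i = start
    while i < len(src):
        c = src[i]
        if quote:
            cur.append(c)
            if c == "\\" and i + 1 < len(src):
                cur.append(src[i + 1])
                i += 1
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
            cur.append(c)
        elif c == "(":
            depth += 1
            if depth > 1:
                cur.append(c)
        elif c == ")":
            depth -= 1
            if depth == 0:
                text = "".join(cur).strip()
                if text:
                    args.append(text)
                return args, i + 1
            cur.append(c)
        elif c == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    return args, i


def count_conversions(fmt_literal):
    """Arguments a C format string literal consumes; '*' width/precision eat one each."""
    n = 0
    for width, prec, conv in CONV_RE.findall(fmt_literal):
        if conv == "%":
            continue
        n += 1 + (width == "*") + (prec == "*")
    return n


def audit(src):
    """Return a list of {line, func, issue} findings for a C source text."""
    src = strip_comments(src)
    findings = []
    for m in CALL_RE.finditer(src):
        name = m.group(1)
        line = src.count("\n", 0, m.start()) + 1
        args, _ = split_args(src, m.end() - 1)
        for issue, funcs in RISKY.items():
            if name in funcs:
                findings.append({"line": line, "func": name, "issue": issue})
        idx = FORMAT_FUNCS.get(name)
        if idx is not None and idx < len(args):
            fmt = args[idx]
            if not fmt.startswith('"'):          # format string not a literal: user may control it
                findings.append({"line": line, "func": name, "issue": "non-constant format string"})
                continue
            if any(conv == "n" for _, _, conv in CONV_RE.findall(fmt)):
                findings.append({"line": line, "func": name, "issue": "%n conversion"})
            if not name.startswith("v"):         # v* functions take a va_list, count unknown
                want, have = count_conversions(fmt), len(args) - idx - 1
                if want != have:
                    findings.append({"line": line, "func": name,
                                     "issue": "format/argument mismatch (%d vs %d)" % (want, have)})
    return findings


# Constructed sample, not from any real program.
SAMPLE_C = r"""#include <stdio.h>
#include <string.h>
void log_msg(char *user) {
    char buf[64];
    strcpy(buf, user);                        /* 5: unbounded copy */
    printf(buf);                              /* 6: user-controlled format string */
    printf("%s logged in as %d\n", user);     /* 7: one argument short */
    fprintf(stderr, "%s\n", user);            /* 8: fine */
    syslog(LOG_INFO, "%5.*f%%\n", 3, 1.0);    /* 9: fine, '*' consumes an argument */
    system(getenv("PAGER"));                  /* 10: exec of an environment value */
}
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_C):
        print("line %(line)d: %(func)s: %(issue)s" % f)
```

The argument-count comparison is exactly the property FormatGuard checks (it counts the macro's arguments at compile time and compares them with the % directives at run time); a static pass like this catches the literal-format cases early, while the non-literal case is the one an attacker cares about and is flagged regardless of count.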
Random Number Generator Pro 1.23
Segobit Software
http://www.segobit.com/rng.zip
Random Number Generator is a Windows-based application designed to generate random numbers. The program lets users choose lower and upper limits and increments of the numbers. Limits can be positive or negative values. Users can exclude digits from generated random numbers. Random numbers can be edited and copied to the clipboard for pasting into other applications. Random Number Generator can print all random numbers or save them to a file. Random Number Generator will generate up to 9999 numbers at a time. It runs under Windows 2000, Windows 95/98 and Windows NT.
Note: tools announced on forums like SecurityFocus are not necessarily updates, new, or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 07 December, 2000