By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html
To receive this digest via Email:
http://securityportal.com/subscribe.html
This is a summary of changes to free security tools over the last week.
Updates to General free tools this week include Nifty Telnet SSH, BIND, TrustedBSD and Linux kernel.
Auditing and Intrusion Monitoring tools include Snort and Snort tools, SAINT, SARA, SAStk, BigBrother and 3 other tools.
Firewalls for UNIX/Linux/BSD & Cross-platform include FwLogWatch, Ferm, IPtables, GshieldConf and 5 other tools.
Tools for Linux/Unix/Cross Platform include Bastille Linux, Zebedee, Openwall Linux kernel patch, Lomac, StegFS, SILC and 3 other tools.
Tools for Windows include Tiny Personal Firewall and Crack Whore.
SSH
- NiftyTelnet 1.1 SSH r3
Jonas Wallden
http://www.lysator.liu.se/~jonasw/freeware/niftyssh
NiftyTelnet 1.1 SSH r3 is an enhanced version of Chris Newman's NiftyTelnet 1.1 application which adds support for encrypted terminal sessions using the SSH (Secure Shell) protocol.
Changes: release 3 adds SCP (Secure Copy), RSA authentication, printing and a number of other new features along with the usual bug fixes.
BIND 9.1.1rc2
Internet Software Consortium
http://www.isc.org/products/BIND
BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols and provides an openly re-distributable reference implementation of the major components of the Domain Name System, including: a Domain Name System server (named), a Domain Name System resolver library and tools for verifying the proper operation of the DNS server.
Changes: the latest version of BIND 8 is still version 8.2.3. New version 9.1.1rc2. BIND 9.1.1rc2 is a release candidate for BIND 9.1.1. It contains fixes for a small number of bugs in BIND 9.1.1rc1 but no new features.
TrustedBSD Project
Robert Watson & Ilmar S. Habibulin
http://www.trustedbsd.org/downloads
TrustedBSD provides a set of trusted operating system extensions to the FreeBSD operating system, targeting the Common Criteria for Information Technology Security Evaluation (CC). The targeted features include: an extensible and audited authorization framework for integrating third-party authorization modules, including general-purpose subject and object labeling and centralized policy management. Fine-grained capabilities for system functions so as to implement least-privilege and reduce the risks of compromise. Mandatory access control for privacy and integrity, allowing FreeBSD to be used in environments hosting mutually suspicious parties and multi-level security models. Access control lists for the file system and other kernel resources allowing fine-grained and manageable discretionary access control. Event auditing support, and a single-host modular IDS system to monitor security events and notify administrators in the event of irregularities.
Changes: the version 0.5.2 of the ACL patches has been released. This version provides a completed setfacl utility, a minor bug fix to return EPERM instead of EACCES for certain access control check operations, a man page for the getfacl utility. This patch requires FreeBSD 5.0-CURRENT from February 11, 2001. Pre-release for revised MAC implementation, including label enforcement for file system operations on UFS/FFS, and inter-process signaling, visibility, and debugging. This is highly experimental; it requires a FreeBSD 5.0-CURRENT checkout from December 17, 2000. A substantial rewrite is in progress and will be released in mid-February.
Linux-2.4.2 pre2 and Linux-2.2.19 pre9
http://www.kernel.org
New version 2.4.2 pre2 of the Linux 2.4 kernel as well as a new version of the Linux 2.2 kernel.
Changes for 2.2.19 pre9: merged all the pending NFS server fixes, updated to aic7xxx 5.1.32, fixed cs89x0 media selection, tidy APM stuff, make buggy bios selector tighter, fixed i2o config typo, network updates, fixed possible classifier hang, SPARC updates (NFS compat, syscalls), SPARC watchdog driver, removed experimental tag on QoS code, moved dumpable extra logic into binfmt avoiding, other changes to arch code, backed out old stuff, fixed sysctl miscasting from signed/unsigned, Alpha OSF syscall remove error printk, and don't trust IRQ routing on the ruffian ARC.
Changes for 2.4.2 pre2: new architecture (cris), arm and mips updates, major IDE driver fixes, elevator fixes, and fixes to raw IO mode.
Snort 1.7
Martin Roesch & many others
http://www.snort.org
Changes: new site mirror in Korea! http://sos.sogang.ac.kr/snort
- snort-1.7-win32-static
Michael Davis
http://www.datanerds.net/~mike
This is a working port of Snort to Windows NT/2000/9x.
Changes: Snort 1.7-win32 for Windows is now available. This version includes the following changes: fixed a bug in which you could not specify the full path for a portscan log to be stored. Fixed a "Too many open handles to EventLog" problem. Complete rewrite of the snort port. "-s" now sends alerts/logs to a remote syslog server. "-E" is for EventLog. "-W" lists available interfaces. Please note: "-E" sends alerts to the EventLog. "-s" sends alerts to a remote syslog server. Also, this release is not 1.7 exactly, but is a CVS from 2 days ago. This means it includes the Spade fixes and any other bug fixes that were in the CVS version.
- GIRR - Guardian IP-Chains Rules Remover
Mahendra
http://www.snort.org/Files/girr.dat
GIRR is a script which can be used along with Guardian and snort. When Guardian is run along with snort, it starts blocking IP Addresses using IPchains. This is good when the sysadmin is not near the server or when he is away and no one else knows what to do. The IPchains rules list may become huge and unmanageable. This script helps sysadmins to remove the IPchains rules. Removing the rules should not be a problem, since if the hacker tries the same attack again he gets blocked again.
- WinSnort2HTML
Chris Koutras
http://home.earthlink.net/~ckoutras
WinSnort2Html takes the alert log files and parses them into an HTML page. Since it is written in Visual Basic, the program requires VB 5.0 or later runtime libraries. The program runs on Windows 95/98/NT4/2000. WinSnort2Html can be downloaded including the VB5 runtime libraries or without the runtime libraries.
SAINT 3.1.5
World Wide Digital Security, Inc.
http://www.wwdsi.com/saint
SAINT is a security scanning tool based on Satan.
Changes: new vulnerability checks with this version: BIND, Secure Shell, LPRng, improved detection of Cold Fusion vulnerabilities, new variation on JRun //WEB-INF vulnerability, new variations on web folder traversal vulnerabilities, Tinyproxy and PlanetIntra (/cgi-bin/pi).
SARA 3.3.4
Advanced Research Corporation
http://www-arc.com/sara
Security Auditor's Research Assistant (SARA) is a security analysis tool based on Satan. It checks for common old holes, backdoors, trust relationships, default CGI, common logins, open shares, and much more.
Changes: rewrote cim.sara to detect new CIM vulnerabilities, tests for new DNS vulnerabilities, fixed an induced error in reconfig, corrected problem and added filter to CSV reporting, fixed code associated with CSV, added tutorial for MS Terminal Server.
BigBrother 1.6e1 UNIX, 1.07d NT WS, 2.2 NT SRV
Sean McGuire
http://bb4.com/index.html
BigBrother is a system and network monitor. It uses web-based monitoring, notification and reporting. Big Brother uses a client-server architecture combined with methods which both push and pull data. Network testing is done by polling all monitored services from a single machine, and reporting these results to a central location (the BBDISPLAY). If you want local system information, you can install a BB client on the local machine, which will send CPU, process, disk space, and logfile status reports in periodically. Each report is timestamped with an expiration date (like milk). This lets us know when a report is no longer valid, which is usually an indication of a more serious problem.
Changes: BigBrother is now also available for VAX OpenVMS client.
Slackware Administrators Security Toolkit 0.1.2.0
John Jenkins
http://sourceforge.net/projects/sastk
SAStk (Slackware Administrators Security tool kit) aims to provide a set of tools and utilities to install and maintain a reasonable level of security for the Slackware GNU/Linux distribution. At the same time, it should ease administration with a new centralized initialization setup and background information on what the daemons do.
Changes: permissions of 0750 for in.identd caused trouble with auth; fixed by changing back to the original 0755. Moved src files to /root/SAStk/ to enable upgradepkg functionality. A small version conflict with grep that prevented password aging from being set on Slackware-7.0 systems was fixed by modifying the regex string. Added suauth section to sastk.sh. Added sastk.info install-info section to install.sh.
Syslogd+Mysql 1.0
Eran R.
http://thegod.bsd.org.il/files/syslogd+mysql.tgz
Syslogd+Mysql is a modified version of the syslogd code from FreeBSD's syslogd. This version supports logging into a Mysql table.
Note: first time in the Tools Digest.
Monitord 3.5beta
Ricardo Galli & Guillem Cantallops Ramis
http://sourceforge.net/projects/monitord
The Network Security Monitor Daemon is a lightweight network security monitor for TCP/IP LANs which will capture certain network events and record them in a relational database. The recorded data is then made available for analysis via a CGI-based interface.
Note: first time in the Tools Digest.
ScanSSH 1.3a
Provos
http://www.monkey.org/~provos/scanssh
ScanSSH scans a list of addresses and networks for running SSH servers and their version numbers. ScanSSH supports random selection of IP addresses from large network ranges and is useful for gathering statistics on the deployment of SSH servers in a company or the Internet as a whole.
Note: first time in the Tools Digest.
FwLogWatch-0.2
Boris Wesslowski
http://www.kyb.uni-stuttgart.de/boris/software.shtml
FwLogWatch analyzes the IPchains packet filter logfiles and generates text and HTML summaries. It features real-time anomaly response capability and has an interactive report generator. FwLogWatch has the following modes: log summary mode, interactive report mode and real-time response mode.
Changes: this release features support for the IPfilter log format, host and port selection/exclusion, and parser selection. A real-time response mode is now available in non-IPchains and non-root environments too.
Ferm 0.0.16 (Devel)
Auke Kok
http://www.geo.vu.nl/~koka/ferm
Ferm compiles ready-to-go firewall rules from a structured rule-setup. These rules will be executed by the preferred kernel interface, such as IPchains and IPtables. Ferm also aids in modularizing firewalls, because it creates the possibility to split up the firewall into several different files, which can be loaded at will, so you can dynamically adjust your rules.
Changes: fixed default IPchains option, removed the default kernel interface program. Fixed 5 IPtables/IPchains copy-paste typos.
Knetfilter 2.0.4
Luigi Genoni
http://expansa.sns.it/knetfilter
Knetfilter is a KDE 1.X front-end to IPtables, used with Linux kernels 2.4.0 and up to manage the NetFilter functions. It is possible to perform all standard and most "exceptional" system management of a complex firewall within the program.
Changes: added stop button to Tcpdump and Nmap interfaces (very useful), starting to plan mark based chain rules, some additional procfs tuning to maximize performances and security.
MonMotha's IPtables Masquerading Firewall 2.3.1
MonMotha and Steff
http://t245.dyndns.org/~monmotha/firewall
MonMotha's IPtables firewall is a shell script that implements masquerading and basic security using IPtables. It is easily configurable by modifying the options near the beginning and does not need to be rerun every time your IP address changes, making it perfect for users with dialup connections. Many features, such as SSH rulesets and limited flood protection, are available. There are three branches: the default branch (actual version is 2.3.1), the IPtables-insecure branch (actual version is 2.0.1) and the IPtables 2.2 branch (actual version is 2.2.0).
Changes: new default branch version 2.3.1. This release is currently not stable: added option to deny specific ports from specific hosts. Added limiting to logging chains to prevent log DoS. Spiffed up comments. Changed the "AUTH_ALLOW" and "DNS" options to be more generic and flexible. Updated comments for new kernel version. Removed double drop setting. Updated for IPtables-1.2. Began a kernel option list.
GshieldConf 0.33
Davinci
http://members.home.com/vhodges/gshieldconf.html
GshieldConf is a simple tool to edit GShield configuration files. It can be extended when changes are made to the configuration file format and preserves settings which it does not know about.
Changes: this release adds support for GShield 2.x and is current with GShield 2.0.3.
EasyChains 0.9.3-4
Dejavo
http://dejavo.virtualave.net/djvlinux.html
EasyChains is a very easy-to-use GUI for the console firewall script. It makes it easy to create a custom firewall using the firewall generator, or you can add and remove custom rules from a numbered list. You can generate a monitor for the console and for X.
Changes: this release includes various firewall fixes, and better rule viewing.
RChains 200102081254
Curt Rebelein, Junior
http://rchains.rebby.com
RChains is a highly detailed firewall script which implements many features including per host bandwidth monitoring with MRTG.
Changes: new stable version including the following changes: rewrote several functions to make configuration easier. Improved the scalability of the script. Implemented the ability to include a list of hosts for the variable configuration rather than using DNS (much more secure).
Astaro Security Linux 1.790
Astaro AG
http://www.astaro.com/products/index.html
Astaro Security Linux is a new firewall solution. It does stateful inspection, packet filtering, content filtering, virus scanning, VPN with IPsec, and much more. With its Web-based management tool and the ability to pull updates over the Internet, it is pretty easy to manage. It is based on a special hardened Linux 2.4 distribution where most daemons are running in change-roots and are protected by kernel capabilities. See also the discussion board on http://www.astaro.org
Changes: this release includes a new portscan detection module, a SOCKS5 proxy service, support for proxy user authentication against RADIUS and SMB servers, and enhanced connection tracking.
Fwup 20010214
Raf
http://fwup.org
Firewall is a set of scripts (firewall, fwup, and fwdown) that implement an IPchains firewall and various forms of network address and port translation. All you have to do is read the policy file and edit it to reflect your topology and filtering policy. It supports many different types of network topology (single host, traditional forwarding, masquerading, port forwarding, alias port forwarding and NAT), up to 10 untrusted interfaces each with their own policy, and over 50 network applications.
Bastille Linux v1.1.1
Jay Beale
http://www.bastille-linux.org
The Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system. It currently supports Red Hat and Mandrake systems. We attempt to provide the most secure, yet usable, system possible.
Changes: development continues with the first RPM, made for MandrakeSoft 7.x-8.x, which might be compatible with Red Hat. It incorporates lots of bug fixes, near RH7.0/MDK8.0 support, and a new X based GUI.
SILC 20010211 (Devel)
Pekka Riikonen
http://silc.pspt.fi
SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services in the Internet over insecure channels. SILC superficially resembles IRC, although they are very different internally. The purpose of SILC is to provide secure conferencing services. Strong cryptographic methods are used to secure all traffic.
Changes: auditing code for obvious mistakes, bugs and errors. Also, removing any code that is obsolete: lib/silcutil/silcbuffer.c (the buffer interface is entirely inline in the file lib/silcutil/silcbuffer.h) and lib/silcutil/silcbufutil.c (the header has inline versions). Changed code to fix possible error conditions. Please refer to http://silc.pspt.fi/changes.txt for more details.
Zebedee 2.2.1
Neil Winton
http://www.winton.org.uk/zebedee
Zebedee is a simple program to establish an encrypted, compressed tunnel for TCP/IP or UDP data transfer between two systems. This allows traffic such as telnet, ftp and X to be protected from snooping as well as potentially gaining performance over low-bandwidth networks from compression.
Changes: fix bug handling client access using IP address rather than host name.
StegFS 1.1.4
Andrew McDonald
http://ban.joh.cam.ac.uk/~adm36/StegFS
StegFS is a steganographic file system for Linux. It offers security beyond that afforded by a regular cryptographic file system, since it not only encrypts data, but also provides a plausible deniability mechanism by securely hiding the data. It is designed to give the user a very high level of protection against being compelled to disclose its contents. StegFS extends the standard Linux file system (ext2fs), allowing normal and several levels of hidden files to coexist. This allows some data to remain hidden even if some of the keys are compromised.
Changes: added the other AES finalist algorithms; StegFS now fully supports AES (Rijndael), Serpent, Twofish and MARS. RC6 has been removed due to patent restrictions (see README). Changed default cipher to AES, added support for digestapi/SHA-1 from the kernel crypto patch, fixed bug when using btab file on non-ext2 filesystem (llseek problem), modified stegfs module so that it can be compiled separately from the kernel, lots of makefile rewriting, fixed oops on closing a non-open level, restricted permissions on opening/closing levels, fixed a couple of other minor bugs.
Restricted DNS 0.5
Eran R.
http://thegod.bsd.org.il/projects.php
Rdns allows you to control access to the query services of a specific name server. Rdns can be used to specify access lists for the name server's records. It uses a configuration file to define how to act when a specific record (or class of records) is being requested by a specific IP (or IP range).
Note: first time in the Tools Digest.
Password Management System 0.91a
Eisbaer82
http://easy.soft-ware.de
The Password Management System is a simple password manager for the console which uses Blowfish for encryption, and CDK for the interface.
Note: first time in the Tools Digest.
Lomac 1.0.4
Network Associates, Inc.
http://www.pgp.com/research/nailabs/secure-execution/lomac.asp
Lomac (Low Water-Mark Integrity Protection for Linux) is a security enhancement for Linux that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users, and compromised root daemons. Lomac is implemented as a loadable kernel module - no kernel recompilations or changes to existing applications are required. Although not all the planned features are currently implemented, it presently provides sufficient protection to thwart script-kiddies, and is stable enough for everyday use.
Changes: version 1.0.3 and 1.0.4 have been released during this week. Version 1.0.3 fixes a Unix-domain socket labeling bug on socket pair and abstract-name space bindings. Version 1.0.4 greatly improves performance of utility scripts.
Openwall Linux kernel patch 2.0.29-ow2
Solar Designer
http://www.openwall.com/linux
The Secure-Linux patch adds a few security features to the kernel which, while not a complete method of protection, will stop most of the 'cookbook' buffer overflow exploits cold. It also adds the option of restricting the use of symlinks and named pipes in +t (temp) directories which fixes most tmp-race exploits as well. It can also add a little bit more privacy to the system by restricting access to parts of /proc to root so that users may not see who else is logged on or what they're doing. It also tightens down file descriptors 0, 1, and 2, implements process limits and shared memory destruction, and privileged IP aliases for kernel 2.0.
Changes: a fix for the recently announced execve(2)/ptrace(2) race condition vulnerability in the Linux kernel.
Rident 0.9.0b
Rob J. Meijer
http://www.xs4all.nl/~rmeijer/rident.html
Ridentd is a stand-alone replacement for identd that uses a random selection from a spell dictionary as fake ident responses. This server application is meant for the totally paranoid that need access to servers that require ident and don't want to give any information about local users to the remote server or its other users.
Note: first time in the Tools Digest.
Tiny Personal Firewall build 10
Tiny Software, Inc.
http://www.tinysoftware.com/pwall_news.php
Tiny Personal Firewall represents smart, easy-to-use personal security technology that fully protects personal computers against hackers. Built on ICSA-certified security technology, it is also an integral part of The Tiny Software Centrally Managed Desktop Security (CMDS) system selected by the US Air Force for its approximately 500,000 desktop computers. Note: Tiny Personal Firewall is intended for users that are NOT running either WinRoute Pro or WinRoute Lite.
Changes: NetBIOS dialog now persists into user's desktop during boot process. Port "0" problem with rule generation is resolved.
Crack Whore 2.2
SubReality
http://www.subreality.net
This application will test your website's security in a similar way that hackers will, efficiently and quickly. It has some extra features, such as a random proxy selector, an exploit vulnerability scanner and an FTP root crack utility.
Note: first time in the Tools Digest.
Note: tools announced on forums are not necessarily updates, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2001, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 16 February, 2001