Weekly Security Tools Digest
2001/02/09 to 2001/02/15

By Seán Boran (sean at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to general free tools this week include NiftyTelnet SSH, BIND, TrustedBSD and the Linux kernel.

Auditing and Intrusion Monitoring tools include Snort and Snort tools, SAINT, SARA, SAStk, BigBrother and 3 other tools.

Firewalls for UNIX/Linux/BSD & Cross-platform include FwLogWatch, Ferm, IPtables, GshieldConf and 5 other tools.

Tools for Linux/Unix/Cross Platform include Bastille Linux, Zebedee, Openwall Linux kernel patch, Lomac, StegFS, SILC and 3 other tools.

Tools for Windows include Tiny Personal Firewall and Crack Whore.


General Tools

SSH

NiftyTelnet 1.1 SSH r3 is an enhanced version of Chris Newman's NiftyTelnet 1.1 application which adds support for encrypted terminal sessions using the SSH (Secure Shell) protocol.

Changes: release 3 adds SCP (Secure Copy), RSA authentication, printing and a number of other new features along with the usual bug fixes.

 

BIND 9.1.1rc2
Internet Software Consortium
http://www.isc.org/products/BIND

BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols and provides an openly re-distributable reference implementation of the major components of the Domain Name System, including: a Domain Name System server (named), a Domain Name System resolver library and tools for verifying the proper operation of the DNS server.

Changes: the latest version of BIND 8 is still 8.2.3. BIND 9.1.1rc2 is a new release candidate for BIND 9.1.1; it contains fixes for a small number of bugs in BIND 9.1.1rc1 but no new features.

 

TrustedBSD Project
Robert Watson & Ilmar S. Habibulin
http://www.trustedbsd.org/downloads

TrustedBSD provides a set of trusted operating system extensions to the FreeBSD operating system, targeting the Common Criteria for Information Technology Security Evaluation (CC). The targeted features include: an extensible and audited authorization framework for integrating third-party authorization modules, including general-purpose subject and object labeling and centralized policy management; fine-grained capabilities for system functions, so as to implement least privilege and reduce the risk of compromise; mandatory access control for privacy and integrity, allowing FreeBSD to be used in environments hosting mutually suspicious parties and multi-level security models; access control lists for the file system and other kernel resources, allowing fine-grained and manageable discretionary access control; and event auditing support with a single-host modular IDS to monitor security events and notify administrators of irregularities.

Changes: version 0.5.2 of the ACL patches has been released. This version provides a completed setfacl utility, a minor bug fix to return EPERM instead of EACCES for certain access control check operations, and a man page for the getfacl utility. This patch requires FreeBSD 5.0-CURRENT from February 11, 2001. A pre-release of the revised MAC implementation is also available, including label enforcement for file system operations on UFS/FFS and for inter-process signaling, visibility and debugging. This is highly experimental; it requires a FreeBSD 5.0-CURRENT checkout from December 17, 2000. A substantial rewrite is in progress and will be released in mid-February.

 

Linux-2.4.2 pre2 and Linux-2.2.19 pre9
http://www.kernel.org

New version 2.4.2 pre2 of the Linux 2.4 kernel, as well as a new version (2.2.19 pre9) of the Linux 2.2 kernel.

Changes for 2.2.19 pre9: merged all the pending NFS server fixes, updated to aic7xxx 5.1.32, fixed cs89x0 media selection, tidy APM stuff, make buggy bios selector tighter, fixed i2o config typo, network updates, fixed possible classifier hang, SPARC updates (NFS compat, syscalls), SPARC watchdog driver, removed experimental tag on QoS code, moved dumpable extra logic into binfmt avoiding, other changes to arch code, backed out old stuff, fixed sysctl miscasting from signed/unsigned, Alpha OSF syscall remove error printk, and don't trust IRQ routing on the ruffian ARC.

Changes for 2.4.2 pre2: new architecture (cris), arm and mips updates, major IDE driver fixes, elevator fixes, and fixes to raw IO mode.


Auditing and Intrusion Monitoring Tools

Snort 1.7
Martin Roesch & many others
http://www.snort.org

Changes: new site mirror in Korea! http://sos.sogang.ac.kr/snort

Snort-win32 is a working port of Snort to Windows NT/2000/9x.

Changes: Snort 1.7-win32 for Windows is now available. This version includes the following changes: fixed a bug in which you could not specify the full path where a portscan log is stored; fixed a "Too many open handles to EventLog" problem; complete rewrite of the Snort port. "-s" now sends alerts/logs to a remote syslog server, "-E" sends alerts to the EventLog, and "-W" lists the available interfaces. Also, this release is not exactly 1.7 but a CVS snapshot from two days ago, so it includes the Spade fixes and any other bug fixes that were in the CVS version.

WinSnort2Html takes the alert log files and parses them into an HTML page. Since it is written in Visual Basic, the program requires the VB 5.0 or later runtime libraries. The program runs on Windows 95/98/NT4/2000. WinSnort2Html can be downloaded with or without the VB5 runtime libraries.

 

SAINT 3.1.5
World Wide Digital Security, Inc.
http://www.wwdsi.com/saint

SAINT is a security scanning tool based on SATAN.

Changes: new vulnerability checks in this version cover BIND, Secure Shell and LPRng; improved detection of Cold Fusion vulnerabilities; a new variation on the JRun //WEB-INF vulnerability; new variations on web folder traversal vulnerabilities; Tinyproxy; and PlanetIntra (/cgi-bin/pi).

 

SARA 3.3.4
Advanced Research Corporation
http://www-arc.com/sara

Security Auditor's Research Assistant (SARA) is a security analysis tool based on SATAN. It checks for common old holes, backdoors, trust relationships, default CGI, common logins, open shares, and much more.

Changes: rewrote cim.sara to detect new CIM vulnerabilities, added tests for new DNS vulnerabilities, fixed an induced error in reconfig, corrected a problem with and added a filter to CSV reporting, fixed code associated with CSV, and added a tutorial for MS Terminal Server.

 

BigBrother 1.6e1 UNIX, 1.07d NT WS, 2.2 NT SRV
Sean McGuire
http://bb4.com/index.html

BigBrother is a system and network monitor with web-based monitoring, notification and reporting. Big Brother uses a client-server architecture combined with methods that both push and pull data. Network testing is done by polling all monitored services from a single machine and reporting the results to a central location (the BBDISPLAY). If you want local system information, you can install a BB client on the local machine, which will periodically send in CPU, process, disk space and logfile status reports. Each report is timestamped with an expiration date (like milk). This lets us know when a report is no longer valid, which is usually an indication of a more serious problem.

Changes: a BigBrother client is now also available for VAX OpenVMS.

 

FreshMeat

Slackware Administrators Security Toolkit 0.1.2.0
John Jenkins
http://sourceforge.net/projects/sastk

SAStk (Slackware Administrators Security tool kit) aims to provide a set of tools and utilities to install and maintain a reasonable level of security for the Slackware GNU/Linux distribution. At the same time, it should ease administration with a new centralized initialization setup and background information on what the daemons do.

Changes: permissions of 0750 on in.identd caused trouble with auth; this was fixed by changing back to the original 0755. Moved source files to /root/SAStk/ to enable upgradepkg functionality. A small version conflict with grep meant password aging was not being set on Slackware 7.0 systems; fixed by modifying the regex string. Added an suauth section to sastk.sh. Added an install-info section for sastk.info to install.sh.

 

Syslogd+Mysql 1.0
Eran R.
http://thegod.bsd.org.il/files/syslogd+mysql.tgz

Syslogd+Mysql is a modified version of FreeBSD's syslogd that supports logging into a MySQL table.

Note: first time in the Tools Digest.

 

PacketStorm

Monitord 3.5beta
Ricardo Galli & Guillem Cantallops Ramis
http://sourceforge.net/projects/monitord

The Network Security Monitor Daemon is a lightweight network security monitor for TCP/IP LANs which will capture certain network events and record them in a relational database. The recorded data is then made available for analysis via a CGI-based interface.

Note: first time in the Tools Digest.

 

ScanSSH 1.3a
Provos
http://www.monkey.org/~provos/scanssh

ScanSSH scans a list of addresses and networks for running SSH servers and their version numbers. ScanSSH supports random selection of IP addresses from large network ranges and is useful for gathering statistics on the deployment of SSH servers in a company or on the Internet as a whole.

Note: first time in the Tools Digest.


Firewalls for UNIX/Linux/BSD & Cross-platform

FwLogWatch-0.2
Boris Wesslowski
http://www.kyb.uni-stuttgart.de/boris/software.shtml

FwLogWatch analyzes IPchains packet filter logfiles and generates text and HTML summaries. It features a real-time anomaly response capability and an interactive report generator. FwLogWatch has three modes: log summary mode, interactive report mode and real-time response mode.

Changes: this release features support for the IPfilter log format, host and port selection/exclusion, and parser selection. A real-time response mode is now available in non-IPchains and non-root environments too.

 

Ferm 0.0.16 (Devel)
Auke Kok
http://www.geo.vu.nl/~koka/ferm

Ferm compiles ready-to-go firewall rules from a structured rule setup. These rules are then executed by the preferred kernel interface, such as IPchains or IPtables. Ferm also helps modularize firewalls, since it lets you split the firewall into several files that can be loaded at will, so you can dynamically adjust your rules.

Changes: fixed the default IPchains option (removed the default kernel interface program). Fixed five IPtables/IPchains copy-and-paste typos.

 

Knetfilter 2.0.4
Luigi Genoni
http://expansa.sns.it/knetfilter

Knetfilter is a KDE 1.X front-end to IPtables, used with Linux kernels 2.4.0 and up to manage the NetFilter functions. It is possible to perform all standard and most "exceptional" system management of a complex firewall within the program.

Changes: added a stop button to the Tcpdump and Nmap interfaces (very useful), started planning mark-based chain rules, and added some procfs tuning to maximize performance and security.

 

FreshMeat

MonMotha's IPtables Masquerading Firewall 2.3.1
MonMotha and Steff
http://t245.dyndns.org/~monmotha/firewall

MonMotha's IPtables firewall is a shell script that implements masquerading and basic security using IPtables. It is easily configurable by modifying the options near the beginning and does not need to be rerun every time your IP address changes, making it well suited to users with dialup connections. Many features, such as SSH rulesets and limited flood protection, are available. There are three branches: the default branch (current version 2.3.1), the IPtables-insecure branch (current version 2.0.1) and the IPtables 2.2 branch (current version 2.2.0).

Changes: new default branch version 2.3.1. This release is currently not stable. Added an option to deny specific ports from specific hosts. Added rate limiting to the logging chains to prevent log DoS. Spiffed up comments. Changed the "AUTH_ALLOW" and "DNS" options to be more generic and flexible. Updated comments for the new kernel version. Removed the double drop setting. Updated for IPtables-1.2. Began a kernel option list.

 

GshieldConf 0.33
Davinci
http://members.home.com/vhodges/gshieldconf.html

GshieldConf is a simple tool to edit GShield configuration files. It can be extended when changes are made to the configuration file format and preserves settings which it does not know about.

Changes: this release adds support for GShield 2.x and is current with GShield 2.0.3.

 

EasyChains 0.9.3-4
Dejavo
http://dejavo.virtualave.net/djvlinux.html

EasyChains is a very easy-to-use GUI for the console firewall script. It makes it easy to create a custom firewall using the firewall generator, or you can add and remove custom rules from a numbered list. You can generate a monitor for the console and for X.

Changes: this release includes various firewall fixes, and better rule viewing.

 

RChains 200102081254
Curt Rebelein, Junior
http://rchains.rebby.com

RChains is a highly detailed firewall script which implements many features, including per-host bandwidth monitoring with MRTG.

Changes: new stable version including the following changes: rewrote several functions to make configuration easier. Improved the scalability of the script. Implemented the ability to include a list of hosts for the variable configuration rather than using DNS (much more secure).

 

Astaro Security Linux 1.790
Astaro AG
http://www.astaro.com/products/index.html

Astaro Security Linux is a new firewall solution. It does stateful inspection, packet filtering, content filtering, virus scanning, VPN with IPsec, and much more. With its web-based management tool and the ability to pull updates over the Internet, it is pretty easy to manage. It is based on a specially hardened Linux 2.4 distribution in which most daemons run in chroot jails and are protected by kernel capabilities. See also the discussion board on http://www.astaro.org

Changes: this release includes a new portscan detection module, a SOCKS5 proxy service, support for proxy user authentication against RADIUS and SMB servers, and enhanced connection tracking.

 

Fwup 20010214
Raf
http://fwup.org

Firewall is a set of scripts (firewall, fwup, and fwdown) that implement an IPchains firewall and various forms of network address and port translation. All you have to do is read the policy file and edit it to reflect your topology and filtering policy. It supports many different types of network topology (single host, traditional forwarding, masquerading, port forwarding, alias port forwarding and NAT), up to 10 untrusted interfaces each with their own policy, and over 50 network applications.


Tools for UNIX/Linux/BSD & Cross-platform

Bastille Linux v1.1.1
Jay Beale
http://www.bastille-linux.org

The Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system. It currently supports Red Hat and Mandrake systems. We attempt to provide the most secure, yet usable, system possible.

Changes: development continues with the first RPM, made for MandrakeSoft 7.x-8.x, which might be compatible with Red Hat. It incorporates lots of bug fixes, near RH7.0/MDK8.0 support, and a new X based GUI.

 

SILC 20010211 (Devel)
Pekka Riikonen
http://silc.pspt.fi

SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services on the Internet over insecure channels. SILC superficially resembles IRC, although the two are very different internally. Strong cryptographic methods are used to secure all traffic.

Changes: auditing the code for obvious mistakes, bugs and errors. Also, removing obsolete code: lib/silcutil/silcbuffer.c (the buffer interface is entirely inline in lib/silcutil/silcbuffer.h) and lib/silcutil/silcbufutil.c (the header has inline versions). Changed code to fix possible error conditions. Please refer to http://silc.pspt.fi/changes.txt for more details.

 

FreshMeat

Zebedee 2.2.1
Neil Winton
http://www.winton.org.uk/zebedee

Zebedee is a simple program to establish an encrypted, compressed “tunnel” for TCP/IP or UDP data transfer between two systems. This allows traffic such as telnet, ftp and X to be protected from snooping as well as potentially gaining performance over low-bandwidth networks from compression.

Changes: fixed a bug in handling client access by IP address rather than host name.

 

StegFS 1.1.4
Andrew McDonald
http://ban.joh.cam.ac.uk/~adm36/StegFS

StegFS is a steganographic file system for Linux. It offers security beyond that afforded by a regular cryptographic file system, since it not only encrypts data, but also provides a plausible deniability mechanism by securely hiding the data. It is designed to give the user a very high level of protection against being compelled to disclose its contents. StegFS extends the standard Linux file system (ext2fs), allowing normal and several levels of hidden files to coexist. This allows some data to remain hidden even if some of the keys are compromised.

Changes: added the other AES finalist algorithms; StegFS now fully supports AES (Rijndael), Serpent, Twofish and MARS. RC6 has been removed due to patent restrictions (see README). Changed the default cipher to AES, added support for the digest API/SHA-1 from the kernel crypto patch, fixed a bug when using the btab file on a non-ext2 filesystem (llseek problem), modified the stegfs module so that it can be compiled separately from the kernel, lots of makefile rewriting, fixed an oops on closing a non-open level, restricted permissions on opening/closing levels, and fixed a couple of other minor bugs.

 

Restricted DNS 0.5
Eran R.
http://thegod.bsd.org.il/projects.php

Rdns allows you to control access to the query services of a specific name server. Rdns can be used to specify access lists for the name server's records. It uses a configuration file to define how to act when a specific record (or class of records) is being requested by a specific IP (or IP range).

Note: first time in the Tools Digest.

 

Password Management System 0.91a
Eisbaer82
http://easy.soft-ware.de

The Password Management System is a simple password manager for the console which uses Blowfish for encryption and CDK for the interface.

Note: first time in the Tools Digest.

   

PacketStorm

Lomac 1.0.4
Network Associates, Inc.
http://www.pgp.com/research/nailabs/secure-execution/lomac.asp

Lomac (Low Water-Mark Integrity Protection for Linux) is a security enhancement for Linux that uses Low Water-Mark Mandatory Access Control to protect the integrity of processes and data from viruses, Trojan horses, malicious remote users, and compromised root daemons. Lomac is implemented as a loadable kernel module - no kernel recompilations or changes to existing applications are required. Although not all the planned features are currently implemented, it presently provides sufficient protection to thwart script-kiddies, and is stable enough for everyday use.

Changes: versions 1.0.3 and 1.0.4 were released this week. Version 1.0.3 fixes a Unix-domain socket labeling bug affecting socket pairs and abstract-namespace bindings. Version 1.0.4 greatly improves the performance of the utility scripts.

 

Openwall Linux kernel patch 2.0.29-ow2
Solar Designer
http://www.openwall.com/linux

The Secure-Linux patch adds a few security features to the kernel which, while not a complete method of protection, will stop most of the 'cookbook' buffer overflow exploits cold. It also adds the option of restricting the use of symlinks and named pipes in +t (temp) directories which fixes most tmp-race exploits as well. It can also add a little bit more privacy to the system by restricting access to parts of /proc to root so that users may not see who else is logged on or what they're doing. Also tightens down file descriptors 0, 1, and 2, implements process limits and shared memory destruction, and privileged IP aliases for kernel 2.0.

Changes: a fix for the recently announced execve(2)/ptrace(2) race condition vulnerability in the Linux kernel.

 

Rident 0.9.0b
Rob J. Meijer
http://www.xs4all.nl/~rmeijer/rident.html

Ridentd is a stand-alone replacement for identd that returns words randomly selected from a spelling dictionary as fake ident responses. This server application is meant for the totally paranoid who need access to servers that require ident but don't want to give any information about local users to the remote server or its other users.

Note: first time in the Tools Digest.


Tools for Windows

Tiny Personal Firewall build 10
Tiny Software, Inc.
http://www.tinysoftware.com/pwall_news.php

Tiny Personal Firewall represents smart, easy-to-use personal security technology that fully protects personal computers against hackers. Built on ICSA-certified security technology, it is also an integral part of The Tiny Software Centrally Managed Desktop Security (CMDS) system selected by the US Air Force for its approximately 500,000 desktop computers. Note: Tiny Personal Firewall is intended for users that are NOT running either WinRoute Pro or WinRoute Lite.

Changes: NetBIOS dialog now persists into user's desktop during boot process. Port "0" problem with rule generation is resolved.

 

SecurityFocus

Crack Whore 2.2
SubReality
http://www.subreality.net

This application will test your website's security in a similar way that hackers will, efficiently and quickly. It has some extra features, such as a random proxy selector, an exploit vulnerability scanner and an FTP root crack utility.

Note: first time in the Tools Digest.


Note: tools announced on forums are not necessarily updated, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2001, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 16 February, 2001