Weekly Security Tools Digest
2001/02/16 to 2001/02/22

By Seán Boran (sean at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include TTSSH, OpenSSH and GnuPG.

Auditing and Intrusion Monitoring tools include Snort and a Snort tool, NetSaint, PIKT, Integrit, ScanSSH, OpenNMS and Sysmon.

Firewalls for UNIX/Linux/BSD & Cross-platform include Ferm, Dante, IPtables, IPtables Linux Firewall, Firestarter, RChains and 2 other tools.

Tools for Linux/Unix/Cross Platform include Bastille Linux, APG, SILC and 8 other tools.

Tools for Windows include CryptIM and Twwwscan.


General Tools

SSH

TTSSH is a free SSH client for Windows. It is implemented as an extension DLL for Teraterm Pro. Teraterm Pro is a superb free terminal emulator/telnet client for Windows, and its source is available. TTSSH has been developed entirely in Australia, and can be exported from here to anywhere in the world. The current version of TTSSH (1.5.3) includes the following features: compatible with SSH protocol version 1.5, ciphers: 3DES, Blowfish, DES (RC4 and IDEA are also included but must not be used), server authentication using the ssh_known_hosts database (including the option of adding a server's key to the database), authentication using password, RSA, rhosts, rhosts+RSA, TIS challenge/response, compression support and connection forwarding, including full support for X connection forwarding.

Changes: the source and binary code for TTSSH 1.5.3 have been released. This version is identical to 1.5.2 and 1.5.1 except that it completely disables the RC4 and IDEA algorithms because of security problems with those algorithms as used in SSH1.

Portable OpenSSH is a Unix/Linux port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups. OpenSSH also features an independent implementation of the SSH2 protocol.

Changes: supports both the SSH1 and SSH2 protocols. Adds support for RSA public keys, agent forwarding, remote forwarding and SFTP.


PGP

GnuPG is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application.

Changes: the graphical version of GnuPG for Windows is available. The package includes GnuPG and GPA, as well as an automatic installation in French.

GnuPG::Interface is a Perl module for interacting with GnuPG. It implements a rich set of file handle communication with GnuPG and includes a key object structure built from information gathered via GnuPG's --with-colons option.

Note: first time in the Tools Digest.


Auditing and Intrusion Monitoring Tools

Snort 1.7
Martin Roesch & many others
http://www.snort.org

Changes: update on the rule database cleanup. Nearly 500 rules have now been removed from the rule database, and the result is being tested. Note: the current on-line database is NOT this cleaned-up version. There is no ETA for the updated ruleset/database going live, but it is in the works.


NetSaint Network Monitor 0.0.7 beta1
Ethan Galstad
http://www.netsaint.org

NetSaint is a program that will monitor hosts and services on your network. It has the ability to email or page you when a problem arises and when it gets resolved. NetSaint is written in C and is designed to run under Linux, although it should work under most other Unix variants. It can run either as a normal process or as a daemon, intermittently running checks on various services that you specify. The actual service checks are performed by external "plugins" which return service information to NetSaint. Several CGI programs are included with NetSaint in order to allow you to view the current service status, history, etc. via a web browser.

Changes: beta 1 of the 0.0.7 release is now available for public consumption. New features include: a tactical overview CGI, an availability reporting CGI, a WAP interface CGI, an embedded Perl interpreter, forced service checks, acknowledgements without notifications, the ability to schedule downtime for hosts and services, flap detection, custom intervals for notification escalations, auto-save of retention data, extended service information, service notification and execution dependencies, aggregated status data updates, an external command file now implemented as a FIFO, statusmap and statuswrl CGIs rewritten to use user-supplied coordinates for drawing, and database support for status, comment, extended and retention data.


PIKT - Problem Informant/Killer Tool 1.12.1 - Devel: 1.13.0pre3
Robert Osterlund
http://pikt.uchicago.edu/pikt

PIKT is a cross-platform (AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS), multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.

Changes: this is the third pre-release (beta) of the 1.13.0 series. Highlights of this dev release are: during the preprocessor syntax check, a parse error used to abort the entire piktc process; now, we just report the error for the current host, and move on to the next. Strengthened the safeguards against running multiple concurrent piktc, piktd, and piktc_svc processes. Fixed a bug where, under certain circumstances, a piktc fetch/diff file operation ('piktc -f') might dump core.


FreshMeat

Integrit 1.06.06-stable
Ed L. Cashin
http://integrit.sourceforge.net

Integrit is an alternative to file integrity verification programs like Tripwire and AIDE. It helps you determine whether an intruder has modified a computer system. Integrit's major advantages are a small memory footprint and simplicity. It works by creating a database that is a snapshot of the most essential parts of your computer system. You put the database somewhere safe, and you can then use it to make sure that no one has made any illicit modifications to the computer system. In the case of a break-in, you know exactly which files have been modified, added, or removed.

Changes: added RPM support; the permissions of symlinks are now reported as "sym" instead of "777"; short reads in cdb_seq_get and cdb_seq_getkey are now treated as errors. File stat and checksum information for missing files has been added to the human-readable output, split onto two lines to be consistent with the rest of the output and to keep the output less wide. Big bugfix: byte order issues were making the cdb_seq routines fail on big-endian architectures (SPARC was the one tested). By using cdb's uint32_unpack when reading numbers from the cdb file, the byte order is now handled correctly.


ScanSSH 1.4
Provos
http://www.monkey.org/~provos/scanssh

ScanSSH scans a list of addresses and networks for running SSH servers and their version numbers. ScanSSH supports random selection of IP addresses from large network ranges and is useful for gathering statistics on the deployment of SSH servers in a company or on the Internet as a whole.

Changes: no information regarding the changes.


OpenNMS 0.6 - Devel 0.7
Shaneo
http://www.opennms.org

OpenNMS is an effort to build a fully distributed network management platform providing both enterprise and element management capabilities, using Java 2, C/C++, XML/XSL and other open source projects/tools such as RRDTool, Tomcat and Postgres. The following features are planned for version 1.0: automatic location and identification of TCP/IP-addressable devices; consolidation of events from various managed devices and management platforms into a single store; a distributed architecture (poll locally and preserve your WAN bandwidth); service polling (HTTP, SMTP, DNS, FTP, with easily extensible polling for service availability, and ICMP polling for interface availability); secure policy-based partitioning of the network into subsets of devices relevant to different administrators, managers and customers; real-time presentation; reporting, both ad hoc and scheduled, in your choice of formats, including Adobe Acrobat and web presentation; management of only the devices you want to manage; and rule-based configuration that lets you configure the platform once, with no need to maintain lists of managed devices or external databases.

Note: first time in the Tools Digest.


SecurityFocus

Sysmon 0.90.12
Jared Mauch
http://www.sysmon.org

Sysmon is a network monitoring tool designed to provide high-performance and accurate network monitoring. Currently supported protocols include SMTP, IMAP, HTTP, TCP, UDP, NNTP, and PING tests. It provides better performance and checking capabilities than other tools such as Rover, Nocmon, Whatsup and Big Brother.

Note: first time in the Tools Digest.


Firewalls for UNIX/Linux/BSD & Cross-platform

Ferm 0.0.17 (Devel)
Auke Kok
http://www.geo.vu.nl/~koka/ferm

Ferm compiles ready-to-go firewall rules from a structured rule setup. These rules are then executed by the preferred kernel interface, such as IPchains or IPtables. Ferm also helps modularize firewalls: the rule set can be split into several files that can be loaded at will, so you can adjust your rules dynamically.

Changes: added better handling of literal strings enclosed in quotes. Added a "module" parameter for IPtables. Added the "LOG" target for IPtables; the "log" option still works the old way, so "proto tcp log ACCEPT;" works fine. Fixed the table parameter in clearing/policy/creation of chains. Added a special IPtables example. Added support for the "! syn" and "! fragment" syntax. Fixed a fragment parameter bug.


Dante Socks V1.1.8
Inferno Nettverk A/S
http://www.inet.no/dante

Dante is a circuit-level firewall/proxy that can be used to provide convenient and secure network connectivity to a wide range of hosts while requiring only the server Dante runs on to have external network connectivity.

Changes: two versions were released this week. Version 1.1.7: support for giving interface names as the internal/external address. A contrib/ directory was added, including contrib/sockd-stat.awk, which provides statistics based on sockd logfiles. If gethostbyname() fails, the client now treats it as if the resolve protocol were set to "fake", in the hope that the socks server will be able to resolve the name; this should make certain DNS configurations work better for the client. Version 1.1.8 corrects an omission in 1.1.7: the contrib directory is now actually included in the distributed archive.


FreshMeat

MonMotha's IPtables Masquerading Firewall 2.3.2
MonMotha and Steff
http://t245.dyndns.org/~monmotha/firewall

MonMotha's IPtables firewall is a shell script that implements masquerading and basic security using IPtables. It is easily configurable by modifying the options near the beginning and does not need to be rerun every time your IP address changes, making it well suited to users with dialup connections. Many features, such as SSH rulesets and limited flood protection, are available. There are three branches: the default branch (current version 2.3.2), the IPtables-insecure branch (current version 2.0.1) and the IPtables 2.2 branch (current version 2.2.0).

Changes: new default branch version 2.3.2. This release is currently not stable. There is no information about the modifications in this new version.


IPtables Linux Firewall 4.3f - Devel: 4.4a-7
Patrik Hildingsson
http://www.kurd.nu

IPtables Linux Firewall is a firewall that uses NetFilter in Linux 2.4. It features easy configuration and a DMZ option, logs portscans (limited so they won't flood the logfile), and has stateful inspection, masquerading, and general NAT support.

Changes: new stable version 4.3f: the FTP_PORT bug is now gone. New development version 4.4a-7: fixes the FTP_PORT bug and now tracks multiple ports. CHECK_MAC now applies to NAT too. Created new chains, CHECK_MAC and NetBIOS. If IRC="y", ports 6667:7000 are opened for masquerading/SNAT by default. Fixed a bug in the MAC match. Added BLOCK for outgoing packets. Stay tuned for more info.


Firestarter 0.6
Tomas Junnonen
http://firestarter.sourceforge.net

Firestarter is a firewall tool for Linux, and uses GNOME. You can use the wizard to create a basic firewall, then streamline it further using the dynamic rules. You can open and close ports with a few clicks, or stealth your services giving access only to a select few. It features a real-time hit monitor which you can watch as attackers probe your machine for open ports.

Changes: this new version brings several improvements that make the program both easier and more powerful to use. Firestarter is now an official GNOME 1.4 package. Enhancements in this version: a much improved firewall wizard, better Linux 2.4 NetFilter support, Type of Service configuration, and a "halt all network traffic" option. Bug fixes: SSH freezing problems, Linux 2.4 NAT problems, a crash under extreme loads, and lots of small things.


RChains 200102191558
Curt Rebelein, Junior
http://rchains.rebby.com

RChains is a highly detailed firewall script which implements many features, including per-host bandwidth monitoring with MRTG.

Changes: minor code revision.


rTables Linux Firewall 1.02.21.2 (Devel)
Rebby
http://rtables.rebby.com

rTables is a detailed, custom, IPtables firewall for Linux 2.4.x, easily implemented on boxes with one to three network interfaces. It is currently set up to handle a single external LAN, single internal LAN, and a single internal DMZ with support for multiple LANs/DMZs to follow.

Note: first time in the Tools Digest.


Firewall Server Small Business 1.16
LinkX GmbH
http://www.securepoint.cc/download.htm

The Securepoint Firewall Server is a high-performance, commercial-grade application designed to offer full protection for network assets. Securepoint is a complete software system that ships with its own operating system, based on a secure Linux. The firewall runs on a standard PC with two or three network cards and is easy to install and administer. The "Small Business" solution is freeware; a commercial "Professional" version is also available.

Note: first time in the Tools Digest.


PacketStorm

HAP Kernel Patches 2.2.18-hap-4
Digital Outlets, Inc.
http://www.doutlets.com/downloadables/hap.phtml

HAP-Linux is a collection of security-related patches that are floating around, plus a few non-security (but required) patches to the 2.x.x Linux kernels.

Changes: minor security fixes (ioctl protections under chroot) and other bug fixes.


Tools for UNIX/Linux/BSD & Cross-platform

Bastille Linux v1.1.1 - Devel: 1.2.0.pre9
Jay Beale
http://www.bastille-linux.org

The Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system. It currently supports Red Hat and Mandrake systems. We attempt to provide the most secure, yet usable, system possible.

Changes: new development release 1.2.0.pre9. No information regarding the changes.


APG - Automated Password Generator 1.2.11
Adel I. Mirzazhanov
http://www.adel.nursat.kz/apg

APG is a tool set for random password generation. There is a standalone version that generates random words of the required type and prints them to standard output, and a network version consisting of an APG server and an APG client. When a client request arrives, the server generates random words of a predefined type and sends them to the client over the network (according to RFC 972). APG uses two password generation algorithms: the pronounceable password generation algorithm (according to NIST FIPS 181) and the random character password generation algorithm with 19 configurable modes of operation. The password length parameters are configurable, as is the number of generated passwords. It supports /dev/random. The password generation service can be used from any type of networked box (Mac, WinXX, etc.), and remote users can be forced to use only the allowed types of password generation.

Changes: versions 1.2.1 and 1.2.11 were released this week: added the mode modifier -R for shell-script password generation. Added the -y option, which provides additional encrypted password output. Added support for IRIX. Added a new-style password generation mode specification. Changed the default owner of apg and apgd (now root). Some cosmetic changes.


Certificate Management Library Announce 1.9
Getronics Government Solutions
http://www.getronicsgov.com/hot/cml_home.htm

The Certificate Management Library (CML) implements the 2000 X.509 certification path processing rules and SDN.706. It meets the majority of the IETF PKIX RFC 2459 Certificate/CRL Profile requirements. The accompanying Storage and Retrieval Library (SRL) (optionally) provides local certificate and CRL storage management functions. The SRL (optionally) provides remote directory retrieval capabilities using the Lightweight Directory Access Protocol (LDAP). It uses the v1.2 Certificate Path Development Library (CPDL) developed by CygnaCom Solutions, an Entrust Technologies company, to provide robust certification path building capabilities such as using cross certificates. The CML is designed for use in conjunction with the Getronics-developed, freeware Access Control Library (ACL) and SFL, but can be used independently.

Note: first time in the Tools Digest.


FreshMeat

SILC 20010222 (Devel)
Pekka Riikonen
http://silc.pspt.fi

SILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services on the Internet over insecure channels. SILC superficially resembles IRC, although the two are very different internally. The purpose of SILC is to provide secure conferencing services; strong cryptographic methods are used to secure all traffic.

Changes: quite a lot of changes with this new version. Please consult http://silc.pspt.fi/changes.txt for more information. This version includes major feature enhancements and major bugfixes.


Password Management System 0.92
Eisbaer82
http://easy.soft-ware.de

The Password Management System is a simple password manager for the console which uses Blowfish for encryption and CDK for the interface.

Changes: added comments for hosts. Added pms_passwd for changing the database password and for converting the database to the new format with comments for hosts. Removed the dots from the input boxes. Bug fixes (see BUGS).


Passwdd 0.11
Alexander Feldman
http://sourceforge.net/projects/passwdd

Passwdd is a client/server package which allows basic synchronization of password files among different machines. A server and console clients are available for Linux and Solaris. With Visual C/C++, you can compile the Windows version of the clients. Perl CGIs are included as well.

Note: first time in the Tools Digest.


Passwords On Card 1.0
Henning Koester
http://poc.crackinghacking.de

With Passwords On Card you can manage passwords on smartcards. The passwords are stored encrypted on the card.

Note: first time in the Tools Digest.


Motion 2.5.0
Jeroen
http://motion.technolust.cx

Motion uses a video4linux device for detecting movement. It takes snapshots of the movement, which can later be converted to MPEG movies, making it usable as an observation or security system. It can send out email and SMS messages when it detects motion.

Note: first time in the Tools Digest.


PacketStorm

Ramenfind 0.4
William Stearns
http://www.sans.org/y2k/ramen.htm

Ramenfind v0.4 is a local Ramen worm detection and removal tool. Final release unless problems are found. Ramenfind now handles a new Ramen variant, which creates /usr/sbin/update.

Note: first time in the Tools Digest.


Rootjail 0.1
Luciano Rocha
http://strange.nsk.yi.org/rj

Rootjail is a small program designed to help run dangerous or unreliable services more securely. It works like init in that it spawns processes and watches them, respawning them upon death. If a child misbehaves by dying repeatedly, it is disabled. In addition, it uses chroot to prevent the service from accessing files outside its directory.

Note: first time in the Tools Digest.


Tools for Windows

CryptIM 1.2.0
P. Parson
http://pparson58.tripod.com/CryptIM.html

CryptIM is an instant messaging application for Windows. It provides easy encryption for your conversations: all you have to do is type and hit SEND. CryptIM uses 3 different algorithms (one of which is Rijndael, the Advanced Encryption Standard) to protect the privacy of your communication. Multi-user chats have just been added. The program still has a few rough edges, but many more features will be implemented in the future. CryptIM is freeware for private noncommercial use. A "For Sale" version may be available if any parties are interested.

Note: first time in the Tools Digest.


PacketStorm

Twwwscan 1.2
Pilot
http://search.iland.co.kr/twwwscan

Twwwscan is a Windows-based web vulnerability scanner which checks for 400 www/cgi vulnerabilities. It displays the HTTP header and server information and aims for accurate results. It now features anti-IDS URL encoding and a passive mode scan. Tested on Win95 OSR2, Win98, Win98se, WinNT, Win2000 and WinMe.

Changes: major update: added virtual host scanning, the GET method, HTTP request injection and Blowfish support, plus bug fixes.


Note: tools announced on forums are not necessarily updated, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2001, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 22 February 2001