By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal
Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html
To receive this digest via Email:
http://securityportal.com/subscribe.html
This is a summary of changes to free security tools over the last week.
Updates to General free tools this week include GnuPG, GnuPG::Interface, OpenSSH and Linux Kernel.
Auditing and Intrusion Monitoring tools include NetSaint, SARA, PIKT, BigBrother, John the Ripper, Port Scan Attack Detector, TcpSpy and 3 other tools.
Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, PCX Firewall, Firewall Monitor, Firestarter, Ferm, Firewall Builder and 2 other tools.
Tools for Linux/Unix/Cross Platform include Bastille Linux, Ngrep, SILC, Srm, Grsecurity, Libmcrypt and 5 other tools.
Tools for Windows includes Tiny Personal Firewall, Random Number Generator Pro, ICEWatch and NTLM Authorization Proxy Server.
PGP
- GnuPG 1.0.5
Free Software Foundation
http://www.gnupg.orgGnuPG is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application.
Changes: the semantics of --verify have changed. Corrected hash calculation for input data larger than 512M. Large File Support is now working. A bunch of new options and commands. Keyserver support for the W32 version. Better handling of key expiration and subkeys. Estonian and Turkish translation. The usual fixes and other enhancements.
- GnuPG::Interface 0.3
Frank J. Tobin
http://GnuPG-Interface.sourceforge.net
GnuPG::Interface is a Perl module interface to interacting with GnuPG. It implements a rich set of file handle communication with GnuPG and includes a key object organization structure with information gathered from GnuPG's with-colons option.
Changes: version 0.2 and 0.3 were released during this week. Changes for version 0.2: fixes for running under Perl 5.6.0 (stdin, stdout, stderr file handling changed). Fix testing so that it works with GnuPG 1.0.4h. Move a lot of testing code from inside the code to outside, so that it doesn't need to be loaded along with normal usage. This might help speed. License is now the same terms as Perl itself. Don't ship with Class::MethodMaker. Changes for version 0.3: re-worked inheritance tree so that GnuPG::SecretKey and GnuPG::PublicKey are sub-classes of newly-added GnuPG::PrimaryKey. Tested with GnuPG 1.0.5. GnuPG::Fingerprint deprecate hex_data(), in favor of as_hex_string(). GnuPG::UserId deprecates user_id_string(), in favor of as_string().
SSH
- OpenSSH 2.9p1
Damien Miller
http://www.openssh.com/portable.htmlThis is a Unix/Linux port of OpenBSD's excellent OpenSSH. OpenSSH is based on the last free version of Tatu Ylonen's SSH with all patent-encumbered algorithms removed, all known security bugs fixed, new features reintroduced, and many other clean-ups. OpenSSH also features an independent implementation of the SSH2 protocol.
Changes: a lot of change since the last official release 2.5.2p1 (2001/03/20). For information about the changes, consult directly the changelog included in the TAR file.
Linux 2.4.4 and Linux 2.2.19
http://www.kernel.orgChanges: new version 2.4.4 of Linux Kernel. Refer to http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.4 for more information about the changes.
NetSaint Network Monitor 0.0.7 beta4
Ethan Galstad
http://www.netsaint.orgNetSaint is a program that will monitor hosts and services on your network. It has the ability to email or page you when a problem arises and when it gets resolved. NetSaint is written in C and is designed to run under Linux, although it should work under most other Unix variants. It can run either as a normal process or as a daemon, intermittently running checks on various services that you specify. The actual service checks are performed by external "plugins" which return service information to NetSaint. Several CGI programs are included with NetSaint in order to allow you to view the current service status, history, etc. via a web browser.
Changes: beta 4 of the 0.0.7 release is now available. It fixes a notification logic bug found in beta 3.
SARA 3.4.1
Advanced Research Corporation
http://www-arc.com/saraSecurity Auditor's Research Assistant (SARA) is a security analysis tool based on Satan. Checks for common old holes, backdoors, trust relationships, default CGI, common logins, open shares, and much more.
Changes: added plugin facility for proprietary testing and reporting. Released US Government only Adore worm detector to public domain. Improved tests for rsh, rlogin, netstat, and systat. Upgraded Sendmail tests. Upgraded DNS tests to check for zone transfers. Added tests for doubtful RPC services. Added test for poor pre-login banners for Telnet. Added facility to modify SARA menu subsystem (perl/menu.pl). Added JavaScript to menu subsystem. Provided additional documentation for report correction and fact drop. Removed port scans that caused Oracle listener to terminate. Minimized Windows (all versions) false alarms to backdoors.
PIKT - Problem Informant/Killer Tool 1.12.1 - Devel: 1.13.0pre10
Robert Osterlund
http://pikt.uchicago.edu/piktPIKT is a cross-platform (AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS), multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.
Changes: tenth pre-release (beta) of the 1.13.0 series: introduced the #include|#verbatim <file> [<proc>] variants, for including process output (not just file content) into config files. Added the '-I' piktc option, which--together with #include|#verbatim <file> [<proc>] can auto-update your configuration files. Introduced a new, "official" PIKT utility, piktx - piktx does remote command execution with PIKT-style macros and command-line (+H and -H) host lists; moreover, piktx allows concurrent operation from any PIKT host, not just the piktmaster. PIKT scripts may now be stand-alone (exist outside of .alt files) and directly executable (much like scripts in other languages). Client-side PIKT scripts may now contain #-style comments. Introduced a new alerts.cfg keyword, execcmd, for registering crontab-like, one-liner command entries in piktd.conf. Introduced several new piktc options. Added the #setdef and '!' variant define preprocessor directives. Added #verbatim support within systems.cfg. During the preprocessor syntax check, a parse error used to abort the entire piktc process. Now, we just report the error for the current host, and move on to the next. Resolved most AIX problems. Fixed lots of bugs.
BigBrother 1.7b4 for UNIX, 1.07f for NT and Win2k WS, 2.2e for NT and Win2k SRV
Sean McGuire
http://bb4.com/index.htmlBigBrother is a system and network monitor. It use a web-based monitoring notification & reporting. Big Brother uses a client-server architecture combined with methods which both push and pull data. Network testing is done by polling all monitored services from a single machine, and reporting these results to a central location (the BBDISPLAY). If you want local system information, you can install a BB client on the local machine, which will send CPU, process, disk space, and logfile status reports in periodically. Each report is timestamped with an expiration date (like milk). This lets us know when a report is no longer valid, which is usually an indication of a more serious problem.
Changes: new version 2.2e for Windows NT Server and Windows 2000 Server. No information about the changes.
John the Ripper 1.6 - Devel: 1.6.25
Openwall Project
http://www.openwall.com/johnJohn the Ripper is a password cracker, currently available for UNIX, DOS, Win32. Its primary purpose is to detect weak UNIX passwords.
Changes: no information about the changes.
Port Scan Attack Detector 0.8.7
Michael Rash
http://www.cipherdyne.com/psadPort Scan Attack Detector (psad) is a program written in Perl that is designed to work with Linux firewalling code (IPtables in the 2.4.x kernels, and IPchains in the 2.2.x kernels) to detect port scans. It features a set of highly configurable danger thresholds (with sensible defaults provided), verbose alert messages that include the source, destination, scanned port range, begin and end times, TCP flags and corresponding Nmap options (Linux 2.4.x kernels only), email alerting, and automatic blocking of offending IP addresses via dynamic configuration of IPchains/IPtables firewall rulesets. In addition, for the 2.4.x kernels psad incorporates many of the TCP signatures included in Snort to detect highly suspect scans for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (syn, fin, Xmas) which are easily leveraged against a machine via Nmap.
Changes: no information about the changes.
Modular syslog 1.03
Core SDI S.A.
http://www.core-sdi.com/english/freesoft.htmlThe modular syslog allows for an easy implementation of input and output modules. The modules that maintain compatibility with its precursor are included in the standard distribution along with four modules: om_peo (an implementation of PEO-1 and L-PEO, two algorithmic protocols for integrity checking), om_mysql and om_pgsql (modules that sends output to a Mysql and PostgreSQL database, respectively) and om_regex (a module that allows output redirection using regular expressions).
Note: first time in the Tools Digest.
TcpSpy 1.6
Tim J. Robbins
http://box3n.gumbynet.org/~fyre/softwareTcpSpy is a Linux administrator's tool that logs information about incoming and outgoing TCP/IP connections: local address, remote address and, probably the most useful feature, the user name. The current version allows you to include and exclude certain users from logging - this may be useful if you suspect one of the users on your system is up to no good but do not want to violate the privacy of the other users.
Changes: rules can now be read from a file. Also includes code cleanup and optimizations.
Trojans First Aid Kit 5.0
SnakeByte
http://www.kryptocrew.de/snakebyteTFAK (Trojans First Aid Kit) is a client for 22 remote access trojans, and detects 736 remote access trojans and 9 file joiners. This is the first trojan scanner which is able to find new, unknown trojans.
Note: first time in the Tools Digest.
Shoki 0.9.2
Shoki
http://www.meshuggeneh.net/shokiShoki is a collection of IDS tools, scripts, and so forth. All the bits together can collect data from sensors, schlep it to a central location for storage, run signature-based and statistical analysis on the data, and load the data into a SQL database.
Note: first time in the Tools Digest.
GShield 2.5
R. Gregory
http://muse.linuxmafia.org/gshield.htmlGShield is an aggressive, modular firewall script for IPtables which features easy configuration through a BSD-style configuration file, optional NAT support, TCP-wrapper-like functionality for service access, port forwarding, routable protection, DMZ support, and more.
Changes: added configuration kernel options for icmp_echo_ignore_broadcasts. Added configuration kernel options for tcp_timestamps. Syncookies are now disabled by default. Bugfix for run-time client-add option. Miscellaneous documentation additions.
PCX Firewall 2.2
James A. Pattie
http://pcxfirewall.sourceforge.netPCX Firewall is an IPtables firewalling solution that uses Perl to generate static shell scripts based upon the user's configuration settings. This allows the firewall to startup quickly, as it does not have to parse config files every time it starts.
Changes: updated bootp rule in Rules.pm. Added Template.pm file and updated documentation. Updated generator to accept the "Rules" file to work with.
Firewall Monitor 1.0.6
Gianni Tedesco
http://www.sourceforge.net/projects/firestorm-idsFwmon is a firewall monitor for Linux. It integrates with IPchains to give you real-time notification of firewall events. It has fairly customizable output, allowing you to display a packet summary, hex, and ASCII data dumps to stdout, a logfile, or Tcpdump-style capture files. It also boasts some simple security features such as the ability to chroot itself, and operate in a non-root environment.
Changes: added syslog logging facility. Logfiles are now opened AFTER dropping privileges and chrooting. This allows a chrooted Fwmon process to be HUPed when its logs are rotating. Added a README.chroot to help people setup Fwmon in a chroot environment. Updated RPM spec so that it installs files in the same place as the Makefile.
Firestarter 0.7
Tomas Junnonen
http://firestarter.sourceforge.netFirestarter is a firewall tool for Linux, and uses GNOME. You can use the wizard to create a basic firewall, then streamline it further using the dynamic rules. You can open and close ports with a few clicks, or stealth your services giving access only to a select few. It features a real-time hit monitor which you can watch as attackers probe your machine for open ports.
Changes: port forwarding configuration interface. Protection against trojans: all known trojans are identified, outbound port filtering for all known trojans. Blocks Trinity V3 and DDoS attacks. Localization updates and small enhancements all around.
Ferm 1.0
Auke Kok
http://www.geo.vu.nl/~koka/fermFerm compiles ready-to-go firewall rules from a structured rule-setup. These rules will be executed by the preferred kernel interface, such as IPchains and IPtables. Ferm will also add in modularizing firewalls, because it creates the possibility to split up the firewall into several different files, which can be loaded at will, so you can dynamically adjust your rules.
Changes: fixed IPtables addr/port combination errors (IPtables lacks IPchains shorthand method for this). Removed 'reverse' for IPtables (misses capability). Added filter and NAT cleaning for 'clearall' option. Major update on chain-administration in IPtables.
Firewall Builder 0.9.0
Lord Vkurland
http://www.crocodile.org/~vadim/fwbuilderFirewall Builder consists of a GUI and set of policy compilers for various firewall platforms. It helps users maintain a database of objects and allows policy editing using simple drag-and-drop operations. The GUI and policy compilers are completely independent, and support for a new firewall platform can be added to the GUI without any changes to the program (only a new policy compiler is needed). This provides for a consistent abstract model and the same GUI for different firewall platforms. It currently supports IPchains, IPtables, and IPfilter.
Changes: this release includes new XML DTD data file format, lots of improvements in GUI and policy compilers, policy printing capability and bug-buddy support. Consult http://sourceforge.net/project/shownotes.php?release_id=33351 for more detailed information.
IPtrap 0.1
Frank Denis
http://www.jedi.claranet.frIPtrap listens to several TCP ports to simulate fake services (X11, NetBIOS, DNS, etc) . When a remote client connects to one of these ports, his IP address gets immediately firewalled and an alert is logged. It runs with IPtables and IPchains, but any external script can also be launched. IPv6 is supported.
Note: first time in the Tools Digest.
Check_Chains 0.1
Raffaello Di Martino
http://konus.homeip.netCheck_Chains checks the integrity of /proc/net/ip_fwchains file of a remote firewall with a master file stored in a management server where Check_Chains runs.
Note: first time in the Tools Digest.
Bastille Linux v1.1.1 - Devel: 1.2.0.rc6
Jay Beale
http://www.bastille-linux.orgThe Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system. It currently supports Red Hat and Mandrake systems. We attempt to provide the most secure, yet usable, system possible.
Changes: no information about the changes.
Ngrep 1.39.2
Jordan Ritter
http://ngrep.sourceforge.netNgrep strives to provide most of GNU grep's common features, applying them to the network layer. Ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as Tcpdump and snoop.
Changes: minor bugfix/feature-add release.
SILC 0.2
Pekka Riikonen
http://silc.pspt.fiSILC (Secure Internet Live Conferencing) is a protocol which provides secure conferencing services in the Internet over insecure channels. SILC superficially resembles IRC, although they are very different internally. The purpose of SILC is to provide secure conferencing services. Strong cryptographic methods are used to secure all traffic.
Changes: implemented the [DenyConnection] config section in the server: added silc_server_config_denied_conn to check whether incoming connection is denied, modification made in the file silcd/serverconfig. Do not check the ports when checking the incoming configuration data if the port is 0, meaning any, modification made in the file silcd/serverconfig.c.
Srm 1.2.4
Matthew Gauthier
http://srm.sourceforge.netSecure rm (Srm) is a command-line compatible rm(1) which completely destroys file contents before unlinking. The goal is to provide drop in security for users who wish to prevent command line recovery of deleted information, even if the machine is compromised.
Changes: this is a maintenance release to fix difficult builds on some platforms. There are no bug fixes or changes. The RPM is now built on Redhat 7.1, not 7.0. Build cleanly on Solaris and Tru64.
Grsecurity 0.9b
Spender
http://www.getrewted.netGrsecurity consists of security patches based on code from hap-linux and Openwall which have been ported to the 2.4 kernel. It features a no-syscall stack, /proc restrictions, chroot restrictions, linking and FIFO restrictions, exec and set*id logging, secure file descriptors, stealth networking enhancements, signal logging, failed fork logging, time change logging, and others. Read the help file while compiling the kernel for more information.
Changes: the 2.4.4 kernel was released. The new patch has an updated non-executable stack patch, and socket restrictions. LIDS has been removed from the new patch, along with the NetFilter modules, as per request from some users.
Libmcrypt 2.4.11
Nikos Mavroyanopoulos
http://mcrypt.hellug.grLibmcrypt is a library which provides a uniform interface to several symmetric encryption algorithms. It is intended to have a simple interface to access encryption algorithms in OFB, CBC, CFB, and ECB modes. The algorithms it supports are DES, 3DES, RIJNDAEL, Twofish, IDEA, GOST, CAST-256, ARCFOUR, SERPENT, SAFER+, and more. The algorithms and modes are also modular so you can add and remove them on the fly without recompiling the library.
Changes: corrected memory leaks in mcrypt_module_close().
Mcrypt 2.5.6
Nikos Mavroyanopoulos
http://mcrypt.hellug.grMcrypt is a program for encrypting files or streams. It is intended to be a replacement for the old UNIX crypt. It uses well-known and well-tested algorithms like DES, BLOWFISH, TWOFISH, ARCFOUR, CAST-128, and more in several modes (CBC, CFB, etc.). It also has a compatibility mode with the old UNIX crypt and Solaris DES.
Note: first time in the Tools Digest.
OtpCalc 0.9
Anthonyu
http://original.killa.net/infosec/otpCalcOtpCalc generates one time passwords for responding to S/Key (RFC1760) and OTP (RFC2289) challenges. It supports MD4, MD5, and SHA1 message digests.
Note: first time in the Tools Digest.
TCFS 3.0b2
TCFS Group - University of Salerno
http://www.tcfs.itTCFS is a Transparent Cryptographic File System that is a suitable solution to the problem of privacy for distributed file system. By a deeper integration between the encryption service and the file system, it results in a complete transparency of use to the user applications. Files are stored in encrypted form and are decrypted before they are read. The encryption/decryption process takes place on the client machine and thus the encryption/decryption key never travels on the network.
Note: first time in the Tools Digest.
MaraDNS 0.6.02
Sam Trenholme
http://www.maradns.orgMaraDNS is a DNS server that strives to be secure and fully open-sourced.
Note: first time in the Tools Digest.
Xinetd 2.1.8.8
Panagiotis Tsirigotis
http://www.securityfocus.com/tools/89Xinetd is a replacement for inetd, the internet services daemon. It supports access control based on the address of the remote host and the time of access. It also provide extensive logging capabilities, including server start time, remote host address, remote username, server run time, and actions requested. It runs under Linux, Solaris and UNIX.
Note: first time in the Tools Digest.
Tiny Personal Firewall build 13
Tiny Software, Inc.
http://www.tinysoftware.com/pwall_news.phpTiny Personal Firewall represents smart, easy-to-use personal security technology that fully protects personal computers against hackers. Built on ICSA-certified security technology, it is also an integral part of The Tiny Software Centrally Managed Desktop Security (CMDS) system selected by the US Air Force for its approximately 500,000 desktop computers. Note: Tiny Personal Firewall is intended for users that are NOT running either WinRoute Pro or WinRoute Lite.
Changes: Token Ring is now supported. All TDI related errors should be resolved. Added application icons to filter rules. Remote Administration dialog more user friendly. Added clear screen function for log and statistics windows. DNS name resolution now available in statistics window. Improved connection alert dialog.
Random Number Generator Pro 1.25
Segobit Software
http://www.segobit.com/rng.zipRandom Number Generator is a Windows based application designed to generate random numbers. Program allow users choose lower and upper limits and increments of the numbers. Limits can be positive or negative values. User can exclude digits from generated random numbers. Random numbers can be edit and copied to the clipboard for pasting into other applications. Random Number Generator can print all random numbers or save numbers as file. Random Number Generator will generate to 9999 numbers at the time. It runs under Windows 2000, Windows 95/98 and Windows NT.
Changes: no information about the changes.
ICEWatch 2.20
Robin Keir
http://keir.net/software.htmlThis is a program that monitors a given file for changes in size. It is very efficient; a small program that uses almost no CPU time. This handy program monitors all "hack" attempts coming in from the Internet and it creates a log file with many details of the attempted access. Although the program alerts you to an incoming intrusion attempt it only does so by flashing an icon in the system tray. It runs under Windows 2000, Windows 95/98 and Windows NT. ICEWatch is also know as FileWatch.
Note: first time in the Tools Digest.
NTLM Authorization Proxy Server 0.8.8
Dmitry
http://www.geocities.com/rozmanov/ntlmNTLM Authorization Proxy Server is a proxy software that allows you to authenticate via an MS Proxy Server using the proprietary NTLM protocol. It can change arbitrary values in your client's request header so that those requests will look like they were created by MS IE. It is written in Python v1.5.2 language. It runs under Windows 95/98 and Windows NT.
Note: first time in the Tools Digest.
Note: tools announced on forums are not necessarily updates or new or free, it's just that someone posted an announcement. We try out best to only notify you only of new or updated free tools.
© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved, Last Update: 02 mai, 2001 |