Weekly Security Tools Digest
2001/06/29 to 2001/07/05

By Pascal Etienne (pascal.etienne at boran.com) for SecurityPortal


Weekly Security Tools Digest Archive
http://securityportal.com/research/research.wst.html

To receive this digest via Email:
http://securityportal.com/subscribe.html

This is a summary of changes to free security tools over the last week.


The Rundown

Updates to General free tools this week include OpenSSH SRP, SFTP and BIND.

Auditing and Intrusion Monitoring tools include ACID, RazorBack, SAINT, PIKT, LIDS, Samhain and 2 other tools.

Firewalls for UNIX/Linux/BSD & Cross-platform include GShield, IP Filter, Securepoint Firewall Server SB and 4 other tools.

Tools for Linux/Unix/Cross Platform include Hypersec Linux Kernel Patch, Mcrypt, LibMcrypt, HardEncrypt and OtpCalc.

Tools for Windows include Without A Trace and BackOfficer Friendly.


General Tools

SSH

OpenSSH SRP patch-srp9 - Dr. Tom
http://members.tripod.com/professor_tom/archives

This patch adds Secure Remote Password (SRP) support to OpenSSH. The Stanford SRP distribution is not required, although this is compatible with that (it will use your existing SRP configuration files, if they exist).

Changes: This patch contains a couple of purely cosmetic changes as well to clean up compiler warnings.


SFTP 0.9.8 - Brian Wellington
http://www.xbill.org/sftp

SFTP is an FTP replacement that runs over an SSH tunnel. Two programs are included: sftp and sftpserv. When sftp is running and a host is connected to, an SSH connection is initiated to the remote host, and sftpserv is run. So, sftpserv must be in your path on the remote host. Note that since sftpserv is run from SSH, no root privileges are necessary. From within SFTP, all of the normal FTP commands are present. SFTP should work with ssh1, ssh2 and rsh (if rsftp is used), with all known forms of authentication. SFTP does not support anonymous logins, a user account is required on the remote host. SFTP is not compatible with the program of the same name included in ssh2 or any similar programs (F-Secure, SecureFX, etc.).

Changes: This new version fixes the fact that upload was broken in 0.9.7. This is just a maintenance release.


BIND 9.1.3 - Internet Software Consortium
http://www.isc.org/products/BIND

BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols and provides an openly re-distributable reference implementation of the major components of the Domain Name System, including: a Domain Name System server (named), a Domain Name System resolver library and tools for verifying the proper operation of the DNS server.

Changes: New version 9.1.3. This is a maintenance release containing fixes for a number of bugs in 9.1.2 but no new features. BIND version 8 is still in wide usage, the latest release of BIND 8 is version 8.2.5.


Auditing and Intrusion Monitoring Tools

Snort 1.7 - Martin Roesch
http://www.snort.org

ACID 0.9.5 - Devel. 0.9.6b11 - Roman Danyliw
http://acidlab.sourceforge.net

ACID stands for Analysis Console for Intrusion Databases and is a PHP-based analysis engine to search and process a database of security incidents generated by the NIDS Snort. The features currently include: a search interface for finding alerts matching practically any criteria, including arrival time, signature time, source/destination address/port, flags, payload, etc.; these queries can be made arbitrarily complex to satisfy almost any parameters. Alert Groups allow for a logical grouping of alerts on which analysis can be done; this is a quick way to combine multiple searches or to associate a comment with an alert or group of alerts. Alert purging removes false positives. Statistics: snapshot statistics to assess the current network state, aggregate statistics on a per sensor, IP, or alert basis, and graphing of alert arrival over time. All analysis is done in real-time.

Changes: New development version 0.9.6b11 that includes query speed optimizations and partial schema v103 support.


RazorBack 1.0.1 - InterSect Alliance
http://www.intersectalliance.com/projects

RazorBack is a log analysis program that interfaces with the Snort open source Intrusion Detection System to provide real-time visual notification when an intrusion signature has been detected on the network. Snort should be configured to send data to syslog for RazorBack to display the data. RazorBack is designed to work within the GNOME framework on Unix platforms.

Changes: RazorBack is now out of beta cycle. Removed the automatic column resize. Minor memory leak removed. RazorBack now works with Snort 1.8.


SAINT 3.2.1 - World Wide Digital Security, Inc.
http://www.wwdsi.com/saint

SAINT is a security scanning tool based on SATAN. The latest versions of SAINT are now released only to SAINTwriter and SAINTexpress customers. The latest SAINT version is 3.3.4 (03/July/01). Older versions of SAINT are still released to all users.

Changes: Version 3.2.1 has been released to all users (07/July/01). This new release includes checks for FTP filename globbing vulnerability, for the Adore worm, for NTP servers and for Alcatel ADSL modems. The documentation has been updated for these new features.


PIKT - Problem Informant/Killer Tool 1.13.1 - Devel: 1.14.0pre6 - Robert Osterlund
http://pikt.uchicago.edu/pikt

PIKT is a cross-platform (AIX, FreeBSD, HP-UX, IRIX, Linux, Solaris, SunOS), multi-functional toolkit for monitoring systems, reporting and fixing problems, and managing system configurations. It consists of an embedded scripting language with unique, labor-saving features, a script and system config file preprocessor, a scheduler, an installer, and other tools.

Changes: Release of the sixth pre-release (beta) of the 1.14.0 series: fixed several more minor parser bugs.


LIDS 0.9.1 - Devel: 0.10.0 (2.2.19 kernel) / 1.0.10 (2.4.5 kernel) - Huagang Xie
http://www.lids.org

The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it's in effect, many system administration operations can be made impossible even for root. You can turn the security protection "on" or "off" on the fly and you can hide sensitive processes and prevent anyone from using ptrace or any other capability on your system. LIDS can also provide raw device and I/O access protection.

Changes: New development version 1.0.10 for the 2.4.5 kernel. This version adds a new feature, time restrictions for ACLs, and merges a patch from David Spreen to make lidsadm compatible with GCC 3.0. With the new time restriction feature, you can define the time scale for ACLs.


Samhain 1.2.4 - Samhain Labs
http://la-samhna.de/samhain

Samhain is a file system integrity checker that can optionally be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, tamper-resistant log file, and syslog) are available. Samhain has been tested on Linux, AIX 4.1, HP-UX 10.20, UnixWare 7.1.0, and Solaris 2.6.

Changes: Bugfix for the reading stealth option, and fix for RFC 2822 compliance of the built-in mailer. On request, when watching login/logout events, the IP address is logged in addition to the DNS host name (if supported by the OS).


Viperdb 0.9.8 - Peter Surda
http://panorama.sth.ac.at/viperdb

Viperdb is a file checker. It is meant to be run from cron on a regular basis in order to monitor strange activity on a system. It supports checking of size, mtime, privileges, UID/GID, added/deleted files, and MD5 checksums. Data isn't stored in a single archive as in Tripwire, but is split among all the monitored directories. This Viperdb is in fact a fork of the original, as the original authors seem unreachable.

Changes: This new version includes an option parsing bugfix and a locking bugfix.


John the Ripper 1.6 - Devel: 1.6.29 - Openwall Project
http://www.openwall.com/john

John the Ripper is a password cracker, currently available for UNIX, DOS, Win32. Its primary purpose is to detect weak UNIX passwords.

Changes: No information about the changes.


Firewalls for UNIX/Linux/BSD & Cross-platform

GShield 2.6.9 - R. Gregory
http://muse.linuxmafia.org/gshield.html

GShield is an aggressive, modular firewall script for IPtables which features easy configuration through a BSD-style configuration file, optional NAT support, TCP-wrapper-like functionality for service access, port forwarding, routable protection, DMZ support, and more.

Changes: Added option for QUEUE target. Unclean toggle. Adjusted domain service to handle brain-dead service listings.


IP Filter 3.4.19 - Darren Reed
http://coombs.anu.edu.au/~avalon

IPfilter is a TCP/IP packet filter suitable for use in a firewall environment. To use, it can either be run as a loadable kernel module (recommended) or incorporated into your kernel. Scripts are provided to install and patch system files as required. IP Filter also supports transparent proxying via packet forwarding, including round-robin forwarding to achieve load-balanced proxy.

Changes: Fix to support suspend/resume on Solaris 8 as well as IPv6. Include group/group-head in match of filter rules. Fix endian problem reading snoop files. Make all license comments point to one place. Fix FTP proxy to only advance state if a reply is received in response to a recognized command.


Securepoint Firewall Server SB 1.1 - Client 1.16 - Lutz Hausmann
http://www.securepoint.cc

The Securepoint Firewall Server is a high-performance, commercial-grade application designed to offer full protection for network assets. Securepoint is a complete software system, including its own operating system, based on a hardened Linux. The firewall runs on a standard PC with two or three network cards and is easy to install and administer.

Changes: New Securepoint patch: update disk 1.1X. The feature disk enables the direct installation and configuration of the Trend Micro virus scanner for all Securepoint Firewall Server versions 1.1X. With this disk the user doesn't have to create special firewall rules for the Trend Micro virus scanner. The integrated web server is automatically enabled in secure mode. After installing the patch, the user has to create a CD-ROM from the Trend Micro Viruswall ISO image, copy the file (ive_lx.tar) to the /usr/src directory and follow the installation instructions from Trend Micro, using the install file in the linux6 directory.


FreshMeat

Astaro Security Linux 1.820 - Devel: 1.920 - Astaro AG
http://www.astaro.com/products/index.html

Astaro Security Linux is a new firewall solution. It does stateful inspection, packet filtering, content filtering, virus scanning, VPN with IPsec, and much more. With its Web-based management tool and the ability to pull updates over the Internet, it is pretty easy to manage. It is based on a special hardened Linux 2.4 distribution where most daemons run in chroot jails and are protected by kernel capabilities.

Changes: The new development version 1.920 (2.0 BETA2) is available for download.


Firewall Builder 0.9.2 - Lord Vkurland
http://www.crocodile.org/~vadim/fwbuilder

Firewall Builder consists of a GUI and a set of policy compilers for various firewall platforms. It helps users to maintain a database of objects and allows policy editing using simple drag-and-drop operations. The GUI and policy compilers are completely independent, so support for a new firewall platform can be added without any changes to the GUI (only a new policy compiler is needed). This provides a consistent abstract model and the same GUI for different firewall platforms. It currently supports IPchains, IPtables and IPfilter.

Changes: This release includes fixes for problems found during tests of version 0.9.1, several new features and GUI enhancements. The "bulk import" (object discovery) feature simplifies the creation of multiple objects from an /etc/hosts file or DNS. This release also fixes many problems in the IPtables compiler.


EchoWall Firewall - Sbest
http://leaf.sourceforge.net

EchoWall is a firewall configuration package for creating an IPchains-based Linux firewall. It is optimized for the Linux Router Project (LRP), but was originally created for a Debian platform. EchoWall's aim is simplicity for entry-level users. It presumes the user is running a Linux box as a masquerading firewall/router for a single Class-C address range. It manages services in an interesting way: instead of indicating the IP addresses of the machines you want to act as servers, you specify them by their MAC address. When run, the EchoWall script automatically detects the current IP address associated with that MAC address. This allows you to connect a service to a machine whose IP address is dynamically assigned.

Note: First time in the Tools Digest.


SecurityFocus

Sentry Firewall CD-ROM 1.0.7 - Sentry Network Security
http://www.SentryFirewall.com

Sentry Firewall CD-ROM is a Linux-based bootable CD-ROM, suitable for use as an inexpensive and easy to maintain firewall or IDS (Intrusion Detection System) node. The system is designed to be immediately configurable for a variety of different operating environments via a configuration file located on a floppy disk or a local hard drive.

Changes: This new version fixes several bugs, includes a cron directive to replace a user's crontab file, and adds the ability to merge the shadow, passwd and group files rather than just replacing them. Other changes: added a 'hostname' directive to replace /etc/HOSTNAME, added a FAQ, upgraded to e2fsprogs-1.22, increased ramdisk size to ~16M, removed the SCSI-SMP and IDE-SMP kernels (the GENERIC kernels work just as well), added hot-swap and PCMCIA support to the default kernels, added 2.2.x support to the cd-config and mkrootdsk.sh scripts, added a new 2.2.19 kernel (generic 2.2.19 kernel with the Openwall patch) and added the XFS toolkit.


Tools for UNIX/Linux/BSD & Cross-platform

Hypersec Linux Kernel Patch - Kaladis
http://www.maganation.com/~kaladix/hypersec.html

Hypersec Linux is a compilation of security-related patches for the Linux kernel. It provides extreme security on the kernel level. It integrates cryptography, support for encrypting loopback devices (partitions), random PIDs and random TCP Sequence Numbers to prevent TCP/IP Session Hijacking, Mandatory Access Control with Access Control Lists, non-exec heap and stack areas to prevent overflow techniques, restricted access to /proc and /tmp, protection against OS fingerprinting, other network protections, and several other security-related enhancements.

Changes: The Hypersec Kernel is now available for the 2.4 branch of the kernel. It is mainly based on Grsecurity and RSBAC (Rule Set Based Access Control) and has mostly the same features as the Hypersec Kernel for the 2.2 branch, plus bugfixes for ReiserFS and quota support for ReiserFS.


Mcrypt 2.5.7 - Nikos Mavroyanopoulos
http://mcrypt.hellug.gr

Mcrypt is a program for encrypting files or streams. It is intended to be a replacement for the old UNIX crypt. It uses well-known and well-tested algorithms like DES, BLOWFISH, TWOFISH, ARCFOUR, CAST-128, and more in several modes (CBC, CFB, etc.). It also has a compatibility mode with the old UNIX crypt and Solaris des.

Changes: A lot of changes since last release. Refer to the changelog file for more information.


LibMcrypt 2.4.15 - Nikos Mavroyanopoulos
http://mcrypt.hellug.gr

Libmcrypt is a library which provides a uniform interface to several symmetric encryption algorithms. It is intended to have a simple interface to access encryption algorithms in OFB, CBC, CFB, and ECB modes. The algorithms it supports are DES, 3DES, RIJNDAEL, Twofish, IDEA, GOST, CAST-256, ARCFOUR, SERPENT, SAFER+, and more. The algorithms and modes are also modular so you can add and remove them on the fly without recompiling the library.

Changes: A lot of changes since last release. Refer to the changelog file for more information.


HardEncrypt 1.1 - HardenedCriminal Software
http://hcsoftware.sourceforge.net/HardEncrypt/HardEncrypt.html

The HardEncrypt package contains three pieces of software: GenKeyFile, which generates a series of key files from a user-provided seed file; HardEncrypt, which encrypts any kind of file; and HardDecrypt, which decrypts a file encrypted by HardEncrypt. This package uses an utterly simple one-time pad encryption scheme. As simple as it may be, a symmetric one-time pad scheme is theoretically the best encryption scheme. This scheme has been avoided in many popular Internet encryption packages because it is not as convenient as a public-key encryption scheme. However, when you really want to ensure that no third party is able to read an intercepted message, convenience is not the main issue. This package offers everyone a completely secure encryption alternative. No special hardware is required, though a sound card is recommended for generating key seed files. All three programs are written in C++ using only ANSI standard library calls. This means that the package is completely portable and can be compiled and used on virtually every platform. These tools run in a console interface and don't require a windowing environment.

Note: First time in the Tools Digest.


FreshMeat

OtpCalc 0.96 - Anthonyu
http://original.killa.net/infosec/otpCalc

OtpCalc generates one time passwords for responding to S/Key (RFC1760) and OTP (RFC2289) challenges. It supports MD4, MD5, and SHA1 message digests.

Changes: Autoconf: changed the @$$ reference. Auto paste challenge upon focus.


Tools for Windows

Without A Trace 3.2 - Karmadrome Software
http://www.karmadromesoft.com/software/download.html

Without A Trace (WAT) is a file deletion utility that erases files without using the recycle bin. This makes recovering a file after deletion very difficult, even if file recovery programs are in use. WAT deletes files and directories, wipes drive free space at a button click and empties the recycle bin from within WAT. It runs under Windows 95/98 and Windows NT.

Note: First time in the Tools Digest.


BackOfficer Friendly - NFR Security
http://www.nfr.com/products/bof

NFR BackOfficer Friendly is a useful little burglar alarm - simple, unobtrusive, and easy to install - which rings when someone rattles your doorknob. It identifies attacks from Back Orifice as well as other sorts of scans. BackOfficer Friendly is a spoofing server application that runs on your Windows system, and actively notifies you whenever someone attempts to remotely control your system using Back Orifice. Basically, it pretends to be a Back Orifice server: BackOfficer Friendly gives the attacker false answers that look like they came from Back Orifice, while logging the attacker's IP address and the operations they attempted to perform. It also contains routines that allow it to selectively emulate a variety of other services, such as FTP, HTTP and SMTP. BackOfficer Friendly is freely available for personal use.

Note: First time in the Tools Digest.


Note: tools announced on forums are not necessarily updated, new or free; it's just that someone posted an announcement. We try our best to notify you only of new or updated free tools.

© Copyright 2001, SecurityPortal Inc. & Pascal Etienne, All Rights Reserved, Last Update: 04 July 2001