SATAN is here! The Security Administrator Tool for Analyzing Networks was scheduled for release on April 5, and unless a last-minute change of mind has caused a delay, it will be out and available at the time this issue of Sys Admin hits the newsstands.
SATAN, unlike any other UNIX tool, has had substantial both the technical trade press and the public press. No doubt the name of the tool is part of the reason for this: if it had been named something like SIMON, it would probably have gotten much less publicity. However, another reason is that, over the last six months, public has become increasingly aware of the Internet. It is interesting to see this change in public awareness, but it makes me wonder what the Internet will be like five years from now.
SATAN has been the source of a lot of worry for network everywhere. While it is meant to be a tool to help network find weak spots in site security, SATAN can equally well be used by the black hats to find the same weaknesses and exploit in all the talk, there has not been much information about what SATAN actually could and would do.
Creating a software package like SATAN is actually an old dream of Dan Farmer's. Many of the concepts were laid out in a paper published in December, 1993 on the firewall mailing list (also anonymous ftp from ftp.win.tue.nl:/pub/security/admin-guide-to-cracking.101.Z). Most of the security holes that SATAN will recognize in that paper, and they are all old problems, described over and over again. However, with SATAN, it has suddenly easier for administrators and crooks alike to find such
main security areas which SATAN tests are: writeable anonymous ftp home directory
The first release to the public is scheduled for April 5, 16:00 MET. If you have not already gotten a copy to test the security site, you had better do so very soon, lest intruders may beat you to it. It is worth noting that even if you are not directly to the Internet, you should still be very concerned for your internal security. In fact, a well-designed firewall that uses is probably SATAN-proof. The big problem for many security is the internal hosts, where common sense about security been ignored for the sake of convenience. Where such are left unsecured, SATAN can provide information about can be cracked in many different ways.
For each type of problem found, SATAN offers a tutorial the problem and what its impact could be. The tutorial what can be done about the problem: correct an error in a configuration file, install a bugfix from the vendor, use other means access, or simply disable service.
At the time of the publication of this column, SATAN be available by anonymous ftp from ftp.win.tue.nl:/pub/security/SATAN.tar.Z. It has not been ported to very many platforms, and is quite a resource hog. It will run under SunOS 4.1.3_U1 or SunOS 5.3 on either a SPARCstation 4/75 or a SPARCstation 5 and under Irix 5.3 on an Indigo 2. It may require a great deal of memory to run. The program itself approximately 2 Mb of disk space, but it also requires or netscape and perl5, which may use an additional 10 to 15 Mb of
As stated above, a well-constructed firewall will probably safe from SATAN. However, firewall administrators would no doubt like to know if their firewalls were under attack from this a program already exists to do this job; it is available ftp from ciac.llnl.gov:/pub/ciac/sectools/unix/courtney.tar.Z. This program, written in perl5, uses tcpdump to count number of new services a machine originates within a window. If one machine connects to numerous services within that time window, courtney identifies that machine as a potential host. If a hostile act is detected, it will be logged via the syslog utility at the "ALERT" logging level.
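The heuristic courtney applies, as an added example written for this column and not courtney's own perl5 code: count the distinct services each source host opens within a sliding time window and raise an alert when the count passes a threshold. The input format, hosts, window and threshold are constructed assumptions (a simplified one-SYN-per-line rendering of tcpdump output), and Python's CRITICAL log level stands in for syslog's ALERT.

```python
import logging
import re
from collections import defaultdict, deque
LOG = logging.getLogger("courtney")
# Simplified tcpdump-style record (constructed format): "HH:MM:SS src.port > dst.port: S"
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+)\.(\d+) > (\S+)\.(\d+): S$")

# Constructed sample: .7 sweeps seven services in six seconds (SATAN-like),
# .8 touches six services but 30 s apart, .9 is ordinary mail and web traffic.
SAMPLE_LOG = (
    ["10:05:%02d 192.0.2.7.4000%d > 198.51.100.5.%d: S" % (i, i, p)
     for i, p in enumerate([21, 23, 25, 79, 111, 513, 514])]
    + ["10:%02d:%02d 192.0.2.8.41000 > 198.51.100.5.%d: S" % (i // 2, 30 * (i % 2), p)
       for i, p in enumerate([21, 23, 25, 79, 111, 513])]
    + ["10:07:%02d 192.0.2.9.42000 > 198.51.100.5.%d: S" % (i, p)
       for i, p in enumerate([25, 25, 80, 25])]
)

def parse_line(line):
    """Return (seconds since midnight, src host, (dst host, dst port)) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, src, _sport, dst, dport = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), src, (dst, int(dport))

def detect_scans(lines, window=60, threshold=5):
    """Flag each source that opens more than `threshold` distinct services
    within any `window`-second span; returns {src: peak service count}."""
    recent = defaultdict(deque)   # src -> deque of (time, service), oldest first
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:           # skip non-SYN or malformed lines
            continue
        t, src, service = rec
        q = recent[src]
        q.append((t, service))
        while t - q[0][0] > window:   # expire records outside the window
            q.popleft()
        n = len({svc for _, svc in q})
        if n > threshold and n > alerts.get(src, 0):
            alerts[src] = n
            # courtney logs via syslog at ALERT; CRITICAL is the stand-in here.
            LOG.critical("possible SATAN probe from %s: %d services in %ds", src, n, window)
    return alerts

if __name__ == "__main__":
    logging.basicConfig(level=logging.CRITICAL)
    print(detect_scans(SAMPLE_LOG))   # {'192.0.2.7': 7}
```

The .8 host shows why the window matters: its six probes are real, but spaced 30 seconds apart they never exceed the threshold inside one 60-second window.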
Speaking of security, recent problems with sendmail Eric Allman to issue several releases of the sendmail code: the current release is sendmail 8.6.12. If you a version older than 8.6.10, you should plan to make the upgrade a major priority. Also, if you are running very old versions (older than version 8), you will probably need to rewrite file, as version 8 is not backwards compatible with version 6.
Upcoming
There are two upcoming conferences of interest to UNIX Of more general interest is the 5th USENIX UNIX Security June 5-7, 1995, at the Salt Lake City Marriott Hotel, in Salt Lake City, Utah. This conference is sponsored by the USENIX the UNIX and Advanced Computing Systems Professional Association, in cooperation with The Computer Emergency (CERT), IFIP WG 11.4, and Uniforum. For detailed program information, contact the USENIX Conference Office at Street, Suite 613, Lake Forest, CA 92630, (714) 588-8649; 588-9706; email: firstname.lastname@example.org.
The second conference is more specialized: it is the 95, July 6-8, Royal York Hotel, Toronto, Ontario, Canada. is sponsored by Unisys Inc. and the USENIX Association. is limited to 150 active Tcl/Tk users. Potential attendees to submit a half-page description of their reason for workshop. Registration requests may be submitted via email to: email@example.com; via mail to: Tcl/Tk Workshop 95, c/o Unisys Canada Inc, Rd, Scarborough, Ontario, M1S 5A9, Canada; or via fax to (416) 297-2520.
March saw two of the biggest trade shows in the UNIX and Interop+NetWorld. UniForum, which took place in 13 to 17, was calmer and more centered than in previous far fewer gimmicks from the exhibitors and more people on the show floor who understood the technical details of their products. some speculation as to whether UniForum might be in trouble in the competition with InterOp, which followed just two weeks InterOp+Networld has grown bigger than ever. In contrast to this year's UniForum, InterOp was heavy on circus-like entertainment, or no information of value. The main focus of the show seemed to be ATM solutions for all parts of the network. However, I am far from certain that ATM is ready for prime time. The marketing to obscure rather than clarify what the product really
Of most interest to me were the various commercial firewall Between UniForum and InterOp, I was able to talk with all the major vendors, and so got a fairly good idea of what is available. of the vendors are reluctant to talk about the underlying which makes it difficult to evaluate the real capabilities products. What became very clear is that there is strong in a small market. In spite of all the discussions in the media, it appears that commercial firewall products have not yet themselves in the marketplace. All the firewall vendors to have an installed base of fewer than one thousand the technology continues to change rapidly in this area, none of the big players has yet shown a real commitment, it will take some time for this market to mature, and only when it does will we know which are here to stay.
And now to this month's questions:
We are currently using routed to maintain our routing information, but are not very satisfied with Are there any products, commercial or otherwise, that can be used to maintain routing information more effectively?
You should take a look at some software called gated, which is available by anonymous ftp from gated.cornell.edu:/pub/gated. While gated is far from trivial to use, it will give better control and flexibility than routed.
I need to install a firewall for our site. There are several packages available via anonymous ftp. Which
The first thing you need to do, if you have not already done so, is to go out and get Cheswick & Bellovin's and Internet Security (Addison-Wesley). The reason is cannot build a reasonably safe firewall without understanding you need to protect against. Once you've understood this you can evaluate the available packages. The two most common packages are both available by anonymous ftp. One is SOCKS, which is available from the other is the Firewall Toolkit, which is available security/firewall/fwtk. [Editor's Note: For more on see Matt Ganis's article, "Implementing SOCKS," in this issue.]
The Firewall Toolkit is probably the more secure of the two, but it is also very intrusive for users because none of the as ftp, telnet, or mosaic will work as expected from the inside. SOCKS, on the other hand, provides a firewall more or less inside users, but at the cost of replacing all the inside Which of the two packages will work best for you depends on your security requirements, your user base, and other site-specific
For the sake of completeness, I'll mention the other One of these is Screend, which makes the UNIX host behave in a router-like manner. You can use this to implement an inexpensive, if not very fast, router. However, attempting to base a firewall only on routers would be asking for trouble.
Do you know of a product that would run under PC DOS but would give the capabilities of the UNIX sed editor. believe I read somewhere about a Canadian company that made a software package that ran under PC DOS and mimicked UNIX commands. be aware of such a product?
The Canadian company TMK has a software package which gives you the touch and feel of UNIX on a PC. I believe sed, as well as vi, make, and other common
After seeing how much is on the Internet, we decided to join and set up a dial-up connection to our service problem is that although I can set up the SLIP connection, know how to set up the mail system. Messages not destined addresses don't get sent.
You need to make a small change to your sendmail.cf file, so that e-mail that cannot be delivered locally will be forwarded to your Internet gateway. If you are running a recent version of sendmail, you can do this by adding the following macro somewhere near the top (the comment line and the DS line are two separate lines in sendmail.cf):

    # "Smart" relay host (may be null)
    DSsmtp:gateway.domain

You will, of course, need to change gateway to the name of your gateway, and domain to the name of On the machines at /sys/admin, inc. the lines look like

    # "Smart" relay host (may be null)
    DSsmtp:heimdal.sysadmin.com
Could you direct me to an ftp site that would have the sources listed in your fine magazine?
The staff of Sys Admin does a fine job of collecting all these pieces, and placing them for anonymous on ftp.uu.net at /published/sysadmin. Beginning the first of May, when the System Administration Archive you will find this and much more available by anonymous
I am trying to set up a simple network, using either PPP or SLIP, but have problems, as both seem to work only with modems.
I have yet to try to use PPP over fixed serial lines, but there is nothing in the PPP configuration that suggests that it will only work with modem lines. SLIP certainly does not require dial-up modems -- the early implementations did not dial-up capability at all.
The first thing you need to do, if you have not already done so, is ensure that you are able to log into the remote system, using a utility such as tip or cu. When you have established that this is working, you can go on to the next step, making or PPP work.
When the serial lines are working, you can add the following to your /etc/rc.local file (or wherever you keep the (three separate commands: bring up the SLIP interface, set hardware flow control on the serial port, then attach the line):

    ifconfig sl0 localhost remotehost up
    stty -f /dev/tty01 cts_oflow rts_iflow
    slattach

Depending on the SLIP version and OS you use, you might need to make some slight changes to the above.
All this said and done, however, I suggest that you some inexpensive ethernet boards for your systems. This provide you with much higher bandwidth, and many fewer
About the Author
Bjorn Satdeva is the president of /sys/admin, inc., firm which specializes in large installation system Bjorn is also co-founder and former president of Bay-LISA, a San Francisco Bay Area users' group for system administrators of large can be contacted at /sys/admin, inc., 2787 Moorpark Ave., San Jose, CA 95128; electronically at firstname.lastname@example.org; or by at (408) 241-3111.