Cover V04, I03


Questions and Answers

Bjorn Satdeva

SATAN is here! The Security Administrator Tool for Analyzing Networks was scheduled for release on April 5, and unless a last minute change of mind has caused a delay, it will be out and available at the time this issue of Sys Admin hits the newsstands.

SATAN, unlike any other UNIX tool, has had substantial coverage in both the technical trade press and the public press. No doubt the name of the tool is part of the reason for this: if it had been named something like SIMON, it would probably have gotten much less publicity. However, another reason is that, over the last six months, the general public has become increasingly aware of the Internet. It is interesting to see this change in public awareness, but it makes me wonder what the Internet will be like five years from now.

SATAN has been the source of a lot of worry for network adminstrators everywhere. While it is meant to be a tool to help network administrators find weak spots in site security, SATAN can equally well be used by the black hats to find the same weaknesses and exploit them. However, in all the talk, there has not been much information about what SATAN actually could and would do.

Creating a software package like SATAN is actually an old dream of Dan Farmer's. Many of the concepts were laid out in a paper published in December, 1993 on the firewall mailing list (also available by anonymous ftp from Most of the security holes that SATAN will recognize are described in that paper, and they are all old problems, described and discussed over and over again. However, with SATAN, it has suddenly become much easier for administrators and crooks alike to find such holes. The main security areas which SATAN tests are

  • NFS filesystems exported to arbitrary hosts

  • NFS filesystems exported to unprivileged programs

  • NFS filesystems exported via the portmapper

  • NIS password file access from arbitrary hosts

  • Old (i.e., before 8.6.10) sendmail versions

  • REXD access from arbitrary hosts

  • X server access control disabled

  • arbitrary files accessible via TFTP

  • remote shell access from arbitrary hosts

  • writeable anonymous ftp home directory

    The first release to the public is scheduled for April 5, 16:00 MET. If you have not already gotten a copy to test the security of your site, you had better do so very soon, lest intruders may beat you to it. It is worth noting that even if you are not directly connected to the Internet, you should still be very concerned for your internal security. In fact, a well-designed firewall that uses recent software is probably SATAN-proof. The big problem for many security administrators is the internal hosts, where common sense about security has often been ignored for the sake of convenience. Where such environments are left unsecured, SATAN can provide information about how hosts can be cracked in many different ways.

    For each type of problem found, SATAN offers a tutorial that explains the problem and what its impact could be. The tutorial also explains what can be done about the problem: correct an error in a configuration file, install a bugfix from the vendor, use other means to restrict access, or simply disable service.

    At the time of the publication of this column, SATAN should be available by anonymous ftp from It has not been ported to very many platforms, and is quite a resource hog. It will run under SunOS 4.1.3_U1 or SunOS 5.3 on either a SPARCstation 4/75 or a SPARCstation 5 and under Irix 5.3 on an Indigo 2. It may require a great deal of memory to run. The program itself occupies approximately 2 Mb of disk space, but it also requires either Mosaic or netscape and perl5, which may use an additional 10 to 15 Mb of disk space.

    As stated above, a well-constructed firewall will probably be fairly safe from SATAN. However, firewall administrators would no doubt like to know if their firewalls were under attack from this program. Luckily, a program already exists to do this job; it is available by anonymous ftp from This program, written in perl5, uses tcpdump to count the number of new services a machine originates within a certain time window. If one machine connects to numerous services within that time window, courtney identifies that machine as a potential SATAN host. If a hostile act is detected, it will be logged via the syslog utility at the "ALERT" logging level.

    sendmail Alert

    Speaking of security, recent problems with sendmail have caused Eric Allman to issue several releases of the sendmail source code: the current relase is sendmail 8.6.12. If you are running a version older than 8.6.10, you should plan to make the upgrade a major priority. Also, if you are running very old versions of sendmail (older than version 8), you will probably need to rewrite the file, as version 8 is not backwards compatible with version 6. Upcoming Conferences

    Upcoming Conferences

    There are two upcoming conferences of interest to UNIX system administrators. Of more general interest is the 5th USENIX UNIX Security Symposium, June 5-7, 1995, at the Salt Lake City Marriott Hotel, in Salt Lake City, Utah. This conference is sponsored by the USENIX Association, the UNIX and Advanced Computing Systems Professional and Technical Association, in cooperation with The Computer Emergency Response Team (CERT), IFIP WG 11.4, and Uniforum. For detailed program and registration information, contact the USENIX Conference Office at 22672 Lambert Street, Suite 613, Lake Forest, CA 92630, (714) 588-8649; fax (714) 588-9706; email:

    The second conference is more specialized: it is the Tcl/Tk Workshop 95, July 6-8, Royal York Hotel, Toronto, Ontario, Canada. This conference is sponsored by Unisys Inc. and the USENIX Association. Attendance is limited to 150 active Tcl/Tk users. Potential attendees are asked to submit a half-page description of their reason for attending the workshop. Registration requests may be submitted via email to:; via mail to: Tcl/Tk Workshop 95, c/o Unisys Canada Inc, 61 Middlefield Rd, Scarborough, Ontario, M1S 5A9, Canada; or via fax to (416) 297-2520.

    Trade Shows

    March saw two of the biggest trade shows in the UNIX universe, UniForum and Interop+NetWorld. UniForum, which took place in Dallas, March 13 to 17, was calmer and more centered than in previous years, with far fewer gimicks from the exibitors and more people on the show floor who understood the technical details of their products. There was some speculation as to whether UniForum might be in trouble in the competition with InterOp, which followed just two weeks later.

    InterOp+Networld has grown bigger than ever. In contrast to this year's UniForum, InterOp was heavy on circus-like entertainment, with little or no information of value. The main focus of the show seemed to be ATM solutions for all parts of the network. However, I am far from certain that ATM is ready for prime time. The marketing hype tends to obscure rather than clarify what the product really can do.

    Of most interest to me were the various commercial firewall products. Between UniForum and InterOp, I was able to talk with all the major vendors, and so got a fairly good idea of what is available. Many of the vendors are reluctant to talk about the underlying technology, which makes it difficult to evaluate the real capabilities of the products. What became very clear is that there is strong competition in a small market. In spite of all the discussions in the media, it appears that commercial firewall products have not yet established themselves in the marketplace. All the firewall vendors combined appear to have an installed base of fewer than one thousand systems. Since the technology continues to change rapidly in this area, and since none of the big players has yet shown a real commitment, it will take some time for this market to mature, and only when it does will we know which are here to stay.

    And now to this month's questions:

     Q We are currently using routed to maintain our routing information, but are not very satisfied with its functionality. Are there any products, commercial or otherwise, that can be used to maintain routing information more effectively?

     A You should take a look at some software called gated, which is available by anonymous ftp from While gated is far from trivial to use, it will give you much better control and flexibility than routed.

     Q I need to install a firewall for our site. There are several packages available via anonymous ftp. Which one should I use?

     A The first thing you need to do, if you have not already done so, is to go out and get Cheswick & Bellovin's Firewalls and Internet Security (Addison-Wesley). The reason is that you cannot build a reasonably safe firewall without understanding what you need to protect against. Once you've understood this you can evaluate the available packages. The two most common packages are both available by anonymous ftp. One is SOCKS, which is available from; the other is the Firewall Toolkit, which is available from security/firewall/fwtk. [Editor's Note: For more on SOCKS, see Matt Ganis's article, "Implementing SOCKS," in this issue.]

    The Firewall Toolkit is probably the more secure of the two, but it is also very intrusive for users because none of the utilities, such as ftp, telnet, or mosaic will work as expected from the inside. SOCKS, on the other hand, provides a firewall more or less transparent to inside users, but at the cost of replacing all the inside client programs. Which of the two packages will work best for you depends on your security requirements, your user base, and other site-specific questions.

    For the sake of completeness, I'll mention the other packages available. One of these is Screend, which makes the UNIX host behave in a router-like manner. You can use this to implement an inexpensive, if not very fast, router. However, attempting to base a firewall only on routers would be asking for trouble.

     Q Do you know of a product that would run under PC DOS but would give the capabilities of the UNIX sed editor. I believe I read somewhere about a Canadian company that made a software package that ran under PC DOS and mimicked UNIX commands. Would you be aware of such a product?

     A The Canadian company TMK has a software package which gives you the touch and feel of UNIX on a PC. I believe it includes sed, as well as vi, make, and other common UNIX commands.

     Q After seeing how much is on the Internet, we decided to join and set up a dial-up connection to our service provider. The problem is that although I can set up the SLIP connection, I don't know how to set up the mail system. Messages not destined for local addresses don't get sent.

     A You need to make a small change to your file, so that e-mail that cannot be delivered locally will be forwarded to your Internet gateway. If you are running a recent version of sendmail, you can do this by adding the following macro somewhere near the top:

    # "Smart" relay host (may be null) DSsmtp:gateway.domain

    You will, of course, need to change gateway to the name of your gateway, and domain to the name of your domain. On the machines at /sys/admin, inc. the lines look like this:

    # "Smart" relay host (may be null)

     Q Could you direct me to an ftp site that would have the sources listed in your fine magazine?

     A The staff of Sys Admin does a fine job of collecting all these pieces, and placing them for anonymous ftp on at /published/sysadmin. Beginning the first of May, when the System Administration Archive goes online, you will find this and much more available by anonymous ftp from

     Q I am trying to set up a simple network, using either PPP or SLIP, but have problems, as both seem to work only with modems.

     A I have yet to try to use PPP over fixed serial lines, but there is nothing in the PPP configuration that suggests to me that it will only work with modem lines. SLIP certainly does not require dial-up modems -- the early implementations did not provide the dial-up capability at all.

    The first thing you need to do, if you not already have done so, is ensure that you are able to log into the remote system, using a utility such as tip or cu. When you have established that this is working, you can go on to the next step, making either SLIP or PPP work.

    When the serial lines are working, you can add the following lines to your /etc/rc.local file (or wherever you keep the network configuration files):

    ifconfig sl0 localhost remotehost up stty -f
    /dev/tty01 cts_oflow rts_iflow slattach
    /dev/tty01 57600

    Depending on the SLIP version and OS you use, you might need to make some slight changes to the above.

    All this said and done, however, I suggest that you consider purchasing some inexpensive ethernet boards for your systems. This will generally provide you with much higher bandwith, and many fewer problems.

    About the Author

    Bjorn Satdeva is the president of /sys/admin, inc., a consulting firm which specializes in large installation system administration. Bjorn is also co-founder and former president of Bay-LISA, a San Francisco Bay Area user's group for system administrators of large sites. Bjorn can be contacted at /sys/admin, inc., 2787 Moorpark Ave., San Jose, CA 95128; electronically at; or by phone at (408) 241-3111.