Cover V04, I02

Sidebar: Publicly Available Tools

The number of publicly available tools is large, and the network administrator who is prepared to spend time investigating each of them is wise. Listed here are some of the more popular tools.

As is always the case with publicly available software, the authors of the software make no claims as to its usefulness (nor do I). As the system administrator, you are responsible for verifying the usefulness and risks associated with the software you choose for your system.

TCPwrapper

This is probably one of the best-known tools for adding logging and filtering to most standard services. The tcpwrapper program supports only services that are invoked through inetd; the kit's portmapper replacement covers RPC services that are invoked through the standard portmapper. The tool was written by a consultant at Eindhoven University in The Netherlands to help determine the source of some cracking activity directed at the University. The collection of programs that make up the TCPwrapper kit can be found by anonymous ftp on FTP.WIN.TUE.NL in the /pub/security directory.

With this package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services. It supports both 4.3 BSD-style sockets and System V.4-style TLI.

The package provides tiny daemon wrapper programs that can be installed without any changes to existing software or to existing configuration files. The wrappers report the name of the remote host and of the requested service. The wrappers do not exchange information with the remote client process, and impose no overhead on the actual communication between the client and server applications.

Optional features are: access control, to restrict the systems that can connect to your network daemons; remote user name lookups, with the RFC 931 protocol; additional protection against a host pretending to have someone else's host name; and additional protection against a host pretending to have someone else's host address.

Early versions of the programs were tested with Ultrix >= 2.2, SunOS >= 3.4, and ISC 2.2. Later versions have been installed on a wide variety of platforms, including SunOS 4.x and 5.x, Ultrix 3.x and 4.x, DEC OSF/1 T1.2-2, HP-UX 8.x, AIX 3.1.5 up to 3.2, Apollo SR10.3.5, Sony, NeXT, SCO UNIX, DG/UX, Cray, Dynix, and an unknown number of others.

Requirements are that the network daemons be spawned by a super-server such as inetd; a 4.3 BSD-style socket programming interface and/or System V.4-style TLI programming interface; and the availability of a syslog(3) library and of a syslogd(8) daemon. The wrappers should run without modification on any system that satisfies these requirements. Workarounds have been implemented for several common bugs in systems software.
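The "protection against a host pretending to have someone else's host name" mentioned above is, in the wrappers, a double-reverse lookup: the client address is mapped to a name, the name is mapped back to addresses, and the name is trusted only if the original address is among them. The following is an added illustration of that check, not code from the TCPwrapper kit; the resolver tables, hostnames, addresses and the access_allowed rule format are constructed for the example.

```python
# Constructed resolver data (hypothetical names and addresses).
# In real use, reverse() would be socket.gethostbyaddr and forward()
# socket.gethostbyname_ex; here they are dictionaries so this runs offline.
REVERSE = {
    "192.0.2.10": "trusted.example.org",
    "192.0.2.66": "trusted.example.org",   # PTR record claims a name it does not own
}
FORWARD = {"trusted.example.org": ["192.0.2.10"]}


def verify_client_name(addr, reverse=REVERSE.get, forward=FORWARD.get):
    """Double-reverse lookup in the style of the tcpd hostname check.

    Returns the hostname only when the name the address maps to maps back
    to that same address; otherwise returns None, so an access rule written
    against a hostname cannot be satisfied by a forged reverse mapping.
    """
    name = reverse(addr)
    if name is None:
        return None
    addrs = forward(name) or []
    return name if addr in addrs else None


def access_allowed(service, addr, allow_rules, verify=verify_client_name):
    """allow_rules maps a daemon name to the set of hostnames or addresses
    permitted to reach it (a constructed stand-in for the kit's rule files).
    An address entry matches directly; a hostname entry matches only through
    the verified name, never through the unverified reverse lookup alone."""
    clients = allow_rules.get(service, set())
    if addr in clients:
        return True
    name = verify(addr)
    return name is not None and name in clients


if __name__ == "__main__":
    rules = {"in.telnetd": {"trusted.example.org"}}
    for addr in ("192.0.2.10", "192.0.2.66"):
        print(addr, "->", verify_client_name(addr),
              "allowed" if access_allowed("in.telnetd", addr, rules) else "refused")
```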

The Swatch Logfile Monitor

Swatch is a tool (written in perl) that lets you associate actions with logfile entries. When logfile entries are found, the administrator can arrange for a command such as mail, finger, etc. to be executed. For example, swatch can be used to read through the contents of the system syslog file to filter and report only on information that is of interest. Figure 10 shows a sample configuration file to restrict information from a syslog file.

The configuration file shown in Figure 10 consists of patterns in the same style as perl, each paired with an action to be performed. In most of these examples, the actions are echo or ignore. Echo actions print the lines; ignore is self-explanatory. When the swatch program uses this configuration file to examine the syslog file, the output is similar to that shown in Figure 11.

The configuration possibilities using swatch are extensive, and it is a good tool for sorting through the contents of a syslog file. The swatch programs can be found on sierra.stanford.edu in /pub/sources.
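To make the pattern/action model concrete, here is an added example (not swatch itself, and not the page's Figure 10) that applies an ordered list of Perl-style patterns with echo or ignore actions to syslog lines, first match deciding; the rules and the sample log lines are constructed for the example.

```python
import re

# Constructed swatch-style configuration: ordered (pattern, action) pairs.
# Patterns are Perl-style regular expressions, which Python's re accepts.
# The first rule that matches a line decides its fate; unmatched lines drop.
SWATCH_CONFIG = [
    (r"sendmail\[\d+\]:.*stat=Sent", "ignore"),      # routine delivery noise
    (r"login:.*REPEATED LOGIN FAILURES", "echo"),    # brute-force sign
    (r"su: .* failed", "echo"),                      # failed privilege escalation
    (r"tcpd\[\d+\]: refused connect", "echo"),       # wrapper denials
    (r"sendmail\[\d+\]:", "ignore"),                 # everything else from sendmail
]


def swatch_filter(lines, config=SWATCH_CONFIG):
    """Return the lines selected by an 'echo' rule, in input order."""
    rules = [(re.compile(pattern), action) for pattern, action in config]
    selected = []
    for line in lines:
        for regex, action in rules:
            if regex.search(line):
                if action == "echo":
                    selected.append(line)
                break  # first match wins, whatever its action
    return selected


# Constructed sample syslog lines (hostname, pids and users are invented).
SAMPLE_SYSLOG = """\
Mar  3 08:12:01 gw sendmail[211]: AA00211: from=root, size=412, class=0
Mar  3 08:12:02 gw sendmail[212]: AA00211: to=admin, stat=Sent
Mar  3 08:13:45 gw login: REPEATED LOGIN FAILURES ON ttyp2, bob
Mar  3 08:14:10 gw tcpd[230]: refused connect from 10.0.0.9
Mar  3 08:15:00 gw su: bob to root failed on /dev/ttyp2
Mar  3 08:16:30 gw cron[240]: (root) CMD (/usr/lib/atrun)
""".splitlines()

if __name__ == "__main__":
    for line in swatch_filter(SAMPLE_SYSLOG):
        print(line)
```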

tcpdump

tcpdump is the best tool available on the Internet for monitoring the traffic on a network. tcpdump prints out the headers of packets on a network interface that match a Boolean expression. In order to build tcpdump, you must also have the libpcap library from the same ftp site. Sample output of the tcpdump command is shown in Figure 12.

The source code for tcpdump can be found on FTP.EE.LBL.GOV in /tcpdump-3.0 (as of November 5, 1994).

TAMU

The TAMU (Texas A&M University) system is a collection of tools that you can use to build a firewall, or detect attack signatures. The collection includes a set of scripts that can be used to assess the security of the machines in your network. The tools include drawbridge, an advanced internet filter bridge; tiger scripts, extremely powerful but easy-to-use programs for securing individual hosts; and xvefc (XView Etherfind Client), a powerful distributed network monitor. Be warned that the anonymous ftp server at NET.TAMU.EDU tightly restricts the number of anonymous ftp users. The directory /pub/security/TAMU contains the scripts.

COPS

COPS, another popular system auditing package, runs a set of programs, each of which checks a different aspect of security on a UNIX system. If potential security holes do exist, the results are either mailed or saved to a report file. COPS provides extensive capabilities; Figure 13 shows a sample report from the COPS tools.

The COPS system can be retrieved from FTP.CERT.ORG, in the directory /pub/tools/cops.

Crack

In Sys Admin vol. 1, no. 1, I presented an article entitled "How UNIX Password Controls Work." In this article I discussed the validity of using the password cracking program as a system administration tool. While I am loath to condone their use, I also feel that if we as system administrators don't use the tools at hand to validate the state of our system's security, someone else will use those tools to break that security. A real firewall alleviates the possibility of external attack, but it does not solve the problem of potential threats from internal users.

crack is one of the best-known password cracking programs, and it can be customized to use your own dictionaries. crack can be found on ftp.cert.org in /pub/tools/crack. A good set of alternate dictionaries can be found on black.ox.ac.uk in /ordlists.

Firewall and Security Mailing Lists

A number of mailing lists and forums are available on the topic of firewalls, and on security in general. Some are distributed via electronic mail, while others are part of the USENET News System.

There are two major mailing lists for firewalls. One is hosted by greatcircle.com, and the other is hosted by tis.com. To subscribe to the Great Circle mailing list, send a message to majordomo@greatcircle.com, with the body of the message reading

subscribe firewalls your-email-address

You can subscribe to the tis.com firewall list, which focuses primarily on using the TIS firewall toolkit, by sending a message to fwall-user-request@tis.com, with the body of your message reading

subscribe fwall-users your-email-address

In both cases, the messages will start flowing to your mailbox within a day or two.

There are other forums available for the discussion of security in general. These forums are typically part of the USENET News system, and include the news groups comp.security.announce, comp.security.misc, comp.security.unix, and alt.security.