D.4 Software Resources
This section describes some of the tools
and packages available on the Internet that you might find useful in
maintaining security at your site. Many of these tools are mentioned
in this book. Although this software is freely available, some of it
is restricted in various ways by the authors (e.g., it may not be
permitted to be used for commercial purposes or be included on a
CD-ROM, etc.) or by the U.S. government (e.g., if it contains
cryptography, there may be constraints on export or use in certain
locales). Carefully read the documentation files that are distributed
with the packages. If you have any doubt about appropriate use
restrictions, contact the author(s) directly.
Although we have used most of the software listed here, we
can't take responsibility for ensuring that the copy
you get will work properly and won't cause any
damage to your system. As with any software, test it before you use
Some software distributions carry an external PGP signature. This signature helps
you verify that the distribution you receive is the one packaged by
the author. It does not provide any guarantee
about the safety or correctness of the software, however.
Because of the additional confidence that a digital signature can add
to software distributed over the Internet, we strongly encourage
authors to take the additional step of including a standalone
signature. We also encourage users who download software to check
several other sources if they download a package
without a signature.
And we remind you: even if a tool is signed, it does not mean that it
is correct, nor does it mean that the author intended it to be
benign. Be careful!
The chrootuid daemon, by Wietse Venema, simplifies the
task of running a network service at a low privilege level and with
restricted filesystem access. The program can be used to run web and
other network daemons in a minimal environment: the daemons have
access only to their own directory tree and run with an unprivileged
user ID. This arrangement greatly reduces the impact of possible
security problems in daemon software.
You can get chrootuid from:
D.4.2 COPS (Computer Oracle and Password System)
The COPS package is a collection of short shell files and C programs
that perform checks of your system to determine whether certain
weaknesses are present. Included are checks for bad permissions on
various files and directories, and malformed configuration files. The
system has been designed to be simple and easy to verify by reading
the code, and simple to modify for special local circumstances.
The original COPS paper was presented at the summer 1990 USENIX
Conference in Anaheim, CA. It was entitled "The COPS
Security Checker System" and was written by Dan
Farmer and Eugene H. Spafford.
Copies of the COPS tool can be obtained from:
In addition, any of the public Usenix repositories for
comp.sources.unix will have COPS in Volume 22.
D.4.3 ISS (Internet Security Scanner)
ISS, written by Christopher William Klaus, is the Internet Security
Scanner. When ISS is run from another system and directed at your
system, it probes your system for software bugs and configuration
errors commonly exploited by attackers. You can get the freeware
version of ISS from:
There is a commercial version of ISS that is not available on the
Net. It has many more features than the freeware
version. The freeware version has not been updated in nearly a
is a secure network authentication system that is based on private
key cryptography. The Kerberos source code and papers are available
from the Massachusetts Institute of Technology. Contact:
- MIT Software Center
- 20 Carlton Street
- Cambridge, MA 02139
- (617) 253-7686
You can use anonymous FTP to transfer files over the Internet from:
nmap is the port scanner of choice for both
attackers and defenders. It can perform a wide variety of TCP, UDP,
and ICMP scans (including various "stealth
scans" that attackers might use to disguise their
activities), and has a sophisticated ability to
"fingerprint" operating systems and
determine their vendor and version remotely.
You can get nmap from:
Nessus is a first-rate vulnerability scanner, better than many
commercial products. You can get it from:
OpenSSH is a free software implementation of the Secure Shell
protocol (Versions 1 and 2) for cryptographically secured remote
terminal emulation, command execution, and file transfer. It is
developed and maintained by the OpenBSD project, but the
"portable" version compiles and
runs on most Unix systems (as well as several other operating
systems). Disable the telnet daemon before you
connect your Unix system to a network; install OpenSSH (or another
SSH server) if you need to be able to connect to your system over the
You can get OpenSSH from:
OpenSSL is a free software implementation of the Secure Sockets Layer
(Versions 2 and 3) and Transport Layer Security (Version 1)
protocols. It provides libraries for these protocols that are
commonly required by other server software (such as web servers). It
also provides a command-line tool for generating cryptographic
certificate requests, certificates, signatures, and random numbers.
You can get OpenSSL from:
The portmap daemon, written by Wietse Venema, is a
replacement program for Sun Microsystems'
portmapper program. Venema's
portmap daemon offers access control and logging
features that are not found in Sun's version of the
program. It also comes with the source code, allowing you to inspect
the code for problems or modify it with your own additional features,
You can get portmap from:
The portsentry program is a proactive defense
against port scans that may precede an attack.
portsentry listens on unused TCP/IP ports and
takes action when outsiders attempt to establish connections to one
or more monitored ports. Actions can include adding the scanning host
to /etc/hosts.deny, adding the scanning host to
a packet-filtering firewall, or running other arbitrary commands.
You can get portsentry from:
SATAN, by Wietse Venema and Dan Farmer, is
the Security Administrator Tool for Analyzing Networks. Despite the
authors' strong credentials in the network security
community (Venema was from Eindhoven University in the Netherlands
and is the author of the tcpwrapper package and
several other network security tools; Farmer is the author of COPS),
SATAN was a somewhat controversial tool when it was released. Why?
Unlike COPS, Tiger, and other tools that work from within a system,
SATAN was really the first generally available tool that probed the
system from the outside, as an attacker would. The unfortunate
consequence of this approach is that someone (such as an attacker)
could run SATAN against any system, not only those that she already
had access to. According to the authors (c. 1995):
SATAN was written because we realized that computer systems are
becoming more and more dependent on the network, and at the same time
becoming more and more vulnerable to attack via that same network.
SATAN is a tool to help systems administrators. It recognizes several
common networking-related security problems, and reports the problems
without actually exploiting them.
For each type or problem found, SATAN offers a tutorial that explains
the problem and what its impact could be. The tutorial also explains
what can be done about the problem: correct an error in a
configuration file, install a bugfix from the vendor, use other means
to restrict access, or simply disable service.
SATAN collects information that is available to everyone with access
to the network. With a properly-configured firewall in place, that
should be near-zero information for outsiders.
The controversy over SATAN's release was largely
overblown. SATAN scans were usually easy to spot, and the package is
not easy to install and run.
From a design point of view, SATAN was interesting in that the
program used a web browser as its presentation system. The source may
be obtained from:
Source, documentation, and pointers to defenses may be found at:
Tools developed and released commercially and by the computer
underground since the time of SATAN are much more complex and use
similar interfaces. SATAN is thus mostly of interest from a
historical point of view.
Snort is a
powerful open source packet sniffer and network intrusion detection
system. Its IDS ruleset is regularly updated, enabling it to parse
the TCP/IP packets that it monitors in real time and to report
You can get Snort from:
Todd Atkins of Stanford University, is the Simple Watcher. It
monitors log files created by syslog, and allows
an administrator to take specific actions (such as sending an email
warning, paging someone, etc.) in response to logged events and
patterns of events.
You can get Swatch from:
D.4.14 TCP Wrappers
TCP Wrappers is a system written by
Wietse Venema that allows you to monitor and filter incoming requests
for servers started by inetd. You can use it to
selectively deny access to your sites from other hosts on the
Internet or, alternatively, to selectively allow access.
You can get TCP Wrappers from:
by Doug Schales of Texas A&M University, is a set of scripts that
scan a Unix system looking for security problems in a manner similar
to that of COPS. Tiger was originally developed to provide a check of
the Unix systems on the A&M campus that users wanted to be able
to access off-campus. Before the packet filtering in the firewall
would be modified to allow off-campus access to the system, the
system had to pass the Tiger checks.
You can get Tiger from:
trimlog is designed to help you manage log files.
It reads a configuration file to determine which files to trim, how
to trim them, how much they should be trimmed, and so on. The program
helps keep your logs from growing until they consume all available
You can get trimlog from:
written by Gene H. Kim and Gene Spafford of Purdue University, is a
file integrity checker, a utility that compares a designated set of
files and directories against information stored in a previously
generated database. Added or deleted files are flagged and reported,
as are any files that have changed from their previously recorded
state in the database. Run Tripwire against system files on a regular
basis. If you do so, the program will spot any file changes when it
next runs, giving system administrators information to enact
damage-control measures immediately.
You can get the freeware version of Tripwire from:
There is a commercial suite of Tripwire products, including Tripwire
for Apache web servers and for network
devices. The commercial version also has a console to manage Tripwire
in an enterprise. Trial versions of this software can also be
downloaded from that site.
D.4.18 wuarchive ftpd
wuarchive FTP daemon from Washington University
offers many features and security enhancements, such as per-directory
message files shown to any user who enters the directory, limits on
the number of simultaneous users, and improved logging and access
control. These enhancements are specifically designed to support
You can get the daemon from: