UNIX
Tool | Description |
Authentication |
anlpasswd | The anlpasswd program (formerly perl-passwd) from Argonne National Laboratory. A proactive password checker that refuses to let users choose "bad" passwords. |
Crack | The Crack program by Alex Muffett. A password-cracking program with a configuration language, allowing the user to program the types of guesses attempted. |
cracklib | The cracklib distribution by Alex Muffett. A library of functions that can be called from passwd-like programs to try to prevent users from choosing passwords that Crack would be able to guess. |
Kerberos | Kerberos is a network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder. It allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides data stream integrity (detection of modification) and secrecy (prevention of unauthorized reading) using cryptographic systems such as DES. |
npasswd | The npasswd program by Clyde Hoover. A plug-compatible replacement for passwd that refuses to accept "bad" passwords. Includes support for System V Release 3 password aging and Sun's Network Information Service (NIS). |
passwd+ | The passwd+ program by Matt Bishop. A proactive password checker driven by a configuration file that determines what types of passwords are and are not allowed. The configuration file allows the use of regular expressions, the comparison of passwords against the contents of files (e.g., dictionaries), and the calling of external programs to examine the password. |
pidentd | The pidentd daemon by Peter Eriksson. Implements an RFC 1413 identification server that can be used to query a remote host for the identity of the user making a TCP connection request. |
sra | Part of the TAMU tool set. sra provides secure RPC authentication for FTP and TELNET. |
Cryptographic Checksums |
MD2 | The source code and specification for the MD2 message digest function. |
MD4 | The source code and specification for the MD4 message digest function. |
MD5 | The source code and specification for the MD5 message digest function. |
Snefru | The source code and documentation for the Snefru message digest function (Xerox's Secure Hash Function). |
Firewalls |
tcpr | Tcpr is a set of perl scripts that enable you to run ftp and telnet commands across a firewall. Forwarding takes place at the application level, so it is easy to control. Tcpr consists of an inetd-type server that interprets commands, a relay program, and a client that talks to the server. |
udprelay | The udprelay package by Tom Fitzgerald. A daemon process that runs on a firewall host and forwards UDP packets into and out of the firewalled network, as directed by a configuration file. |
Network Monitoring |
Netlog version 2.1 | Netlog is a C library that can be linked into an existing network application to provide some instrumentation of network performance. It replaces standard Unix socket calls with its own wrappers, which log the call. Output goes either to a local file or via a socket to a client such as Viznet. |
NETMAN | The NETMAN package of network monitoring and visualization tools from Curtin University. The etherman program is an X Window System tool that displays a representation of real-time Ethernet communications. The interman program focuses on IP connectivity within a single segment. The packetman tool is a retrospective Ethernet packet analyzer. |
NOCOL | The NOCOL (Network Operations Center On-Line) package from JVNC-Net. Can monitor various network variables such as ICMP or RPC reachability, host performance, SNMP traps, modem line usage, AppleTalk and Novell routes and services, BGP peers, etc. The software is extensible and new monitors can be added easily. |
Network Security |
ipacl | The ipacl package from Siemens. Forces all TCP and UDP packets to pass through an access control list facility. The configuration file allows packets to be accepted, rejected, conditionally accepted, and conditionally rejected based on characteristics such as source address, destination address, source port number, and destination port number. Should be portable to any system that uses System V STREAMS for its network code. |
logdaemon | The logdaemon package by Wietse Venema. Provides modified versions of rshd, rlogind, ftpd, rexecd, login, and telnetd that log significantly more information than the standard vendor versions, enabling better auditing of problems via the logfiles. Also includes support for the S/Key one-time password package. |
portmap | The portmap program by Wietse Venema. A replacement for the standard portmap program that attempts to close all known holes in portmap. This includes prevention of NIS password file theft, prevention of unauthorized ypset commands, and prevention of NFS file handle theft. |
rpcbind | The rpcbind program by Wietse Venema. A replacement for the Sun rpcbind program that offers access control and copious logging. Allows host access control based on network addresses. |
Sara | The Security Auditor's Research Assistant (SARA) is a third-generation Unix-based security analysis tool that is based on the SATAN model. |
SATAN | SATAN, the System Administrator Tool for Analyzing Networks, is a network security analyzer designed by Dan Farmer and Wietse Venema. SATAN scans systems connected to the network, noting the existence of well-known, often exploited vulnerabilities. For each type of problem found, SATAN offers a tutorial that explains the problem and what can be done. For additional information see: CIAC Notes 95-07, CIAC Notes 95-08. |
Scanssh | Scanssh scans networks for SSH servers and returns the connection string provided by the server. From the connection string you can determine what version of SSHD is running, which SSH protocol (1 or 2) is implemented, and whether SSH protocol 2 servers can drop back to protocol 1 in the event that an SSH client cannot handle protocol 2. Scanssh was developed by Niels Provos at the University of Michigan. The code is multithreaded and scans subnets very fast. CIAC has done a source code review and has used the tool. Built and tested on OpenBSD and Linux, but it should also run on other UNIX-like operating systems. Vulnerable versions include: SSH Communications Security SSH 2.x and 3.x (only if configured with version 1 fallback enabled); SSH Communications Security SSH 1.2.23-1.2.31; F-Secure SSH versions prior to 1.3.11-2; OpenSSH versions prior to 2.3.0 (only if configured with version 1 fallback enabled). |
screend | The screend package by Jeff Mogul. Provides a daemon and kernel modifications to allow all packets to be filtered based on source address, destination address, or any other byte or set of bytes in the packet. Should work on most systems that use Berkeley-style networking in the kernel, but requires kernel modifications (i.e., kernel source code). |
securelib | The securelib package by William LeFebvre. Provides a replacement shared library for SunOS 4.1.x systems that offers new versions of the accept, recvfrom, and recvmsg networking system calls. These calls are compatible with the originals, except that they check the address of the machine initiating the connection to make sure it is allowed to connect, based on the contents of the configuration file. The advantage of this approach is that it can be installed without recompiling any software. |
TCP Wrappers | The tcp_wrapper package by Wietse Venema. Formerly called log_tcp. Allows monitoring and control over who connects to a host's TFTP, EXEC, FTP, RSH, TELNET, RLOGIN, FINGER, and SYSTAT ports. Also includes a library so that other programs can be controlled and monitored in the same fashion. |
xinetd | xinetd is a replacement for inetd, the internet services daemon. It supports access control based on the address of the remote host and the time of access. It also provides extensive logging capabilities, including server start time, remote host address, remote username, server run time, and actions requested. |
System Monitoring |
COPS | The Computer Oracle and Password System (COPS) package from Purdue University. Examines a system for a number of known weaknesses and alerts the system administrator to them; in some cases it can automatically correct these problems. |
Check Promiscuous Mode (cpm) | The cpm program from Carnegie Mellon University. Checks a system for any network interfaces in promiscuous mode; this may indicate that an attacker has broken in and started a packet snooping program. |
ifstatus | The ifstatus program by Dave Curry. Checks a system for any network interfaces in promiscuous mode; this may indicate that an attacker has broken in and started a packet snooping program. Designed to be run out of cron. |
Internet Security Scanner (ISS) | The iss program by Christopher Klaus. A multi-level security scanner that checks a UNIX system for a number of known security holes such as problems with sendmail, improperly configured NFS file sharing, etc. |
RIACS Intelligent Auditing and Categorizing System | The RIACS Intelligent Auditing and Categorizing System, from the Research Institute for Advanced Computer Science. A file system auditing program that compares current contents against previously generated listings, and reports differences. |
Swatch | The Swatch package by Stephen Hansen and Todd Atkins. A system for monitoring events on a large number of systems. Modifies certain programs to enhance their logging capabilities, and provides software to then monitor the system logs for "important" messages. |
Tiger | The tiger package of system monitoring scripts. Similar to COPS in what they do, but significantly more up to date, and easier to configure and use. |
Tripwire | The Tripwire package from Purdue University. Scans file systems and computes digital signatures for the files therein, which can be used later to check those files for any changes. |
Watcher | The Watcher package by Kenneth Ingham. A configurable and extensible system monitoring tool that issues a number of user-specified commands, parses the output, checks for items of significance, and reports them to the system administrator. |
General Tools |
SCRUB 1.5 Disk Sanitization Tool | This disk sanitization tool was developed by Jim Garlick at the Lawrence Livermore National Laboratory. The SCRUB utility is a program for sanitizing UNIX files or disk drives. It has been tested on Linux, Solaris, and AIX. The utility can overwrite a single file, all unused space on a disk, or a whole disk drive with six different patterns to make it highly unlikely that anyone could retrieve the original data from the disk. Scrub is available as an archive of the source code (scrub-1.5-1.tgz) and as Linux rpm files of the source code (scrub-1.5-1.src.rpm) and the executable (scrub-1.5-1.i386.rpm). Check the Livermore Computing Scrub page for newer versions of Scrub. |
Dig | The dig utility by Steve Hotz and Paul Mockapetris. This is a command-line tool for querying Domain Name System servers. It is much easier to use than nslookup, and is well suited for use within shell scripts. |
Fremont | The fremont utility from the University of Colorado. A research prototype for discovering key network characteristics such as hosts, gateways, and topology. Stores this information in a database, and can then notify the administrator of anomalies detected. |
host | The host program by Eric Wassenaar. A program for obtaining information from the Domain Name System. Much more flexible than nslookup, and well suited for use in shell scripts. |
IRTS Incident Response Ticket System | The IRTS is a tool for tracking incidents, requests for help, and contact information. It was designed and implemented by CIAC for managing the day-to-day responsibilities of its team members. |
lsof | The lsof program by Vic Abell. A descendant of ofiles and fstat, lsof is used to list all open files (and network connections, pipes, streams, etc.) on a system. Can find out which processes have a given file open, which files a specific process has open, and so forth. Useful for tracing network connections to the processes using them, as well. |
nfswatch | The nfswatch program by Dave Curry and Jeff Mogul. Monitors the local network for NFS packets, and decodes them by client and server name, procedure name, and so forth. Can be used to determine how much traffic each client is sending to a server, what users are accessing the server, and several other modes. |
rdist | The rdist program from the University of Southern California. This is a replacement for the rdist software distribution utility that originated in Berkeley UNIX and is now shipped with most vendors' releases. In addition to a number of new features and improvements, this version has had all known rdist security holes fixed. This version does not need to run set-user-id "root," unlike the standard version. |
SCRUB | SCRUB version 1.3 is a UNIX disk sanitization tool that was developed at the Lawrence Livermore National Laboratory. It has been tested on Linux, Solaris, and AIX. The utility can overwrite a single file, all unused space on a disk, or a whole disk drive with six different patterns to make it highly unlikely that anyone could retrieve the original data from the disk. |
sendmail | The sendmail program by Eric Allman. This version is a successor to the version described in the sendmail book from O'Reilly and Associates, and is much newer than the versions shipped by most UNIX vendors. In addition to a number of improvements and bug fixes, this version has all known sendmail security holes fixed. It is likely that this version of sendmail is more secure than the versions shipped by any UNIX vendor. |
tcpdump | The tcpdump program by Van Jacobson. This program is similar to Sun's etherfind, but somewhat more powerful and slightly easier to use. It captures packets from an Ethernet in promiscuous mode, and displays their contents. Numerous options exist to filter the output down to only those packets of interest. This version runs on a number of different UNIX platforms. |
traceroute | The traceroute program by Van Jacobson. A utility to trace the route that IP packets from the current system take in getting to some destination system. |
Washington University ftpd | The ftpd program from Washington University. This version is designed for use by large FTP sites, and provides a number of features not found in vendor versions, including increased security. This is the ftpd used by most major FTP sites, including wuarchive.wustl.edu, ftp.uu.net, and oak.oakland.edu. NOTE: Releases of wu-ftpd prior to version 2.4 have a serious security hole in them, and should be replaced as soon as possible with the latest version. |