This appendix describes some of the tools and packages available on the Internet that you might find useful in maintaining security at your site. Many of these tools are mentioned in this book. Although this software is freely available, some of it is restricted in various ways by the authors (e.g., it may not be permitted to be used for commercial purposes or be included on a CD-ROM, etc.) or by the U.S. government (e.g., if it contains cryptography, it can"t ordinarily be exported outside the United States). Carefully read the documentation files that are distributed with the packages. If you have any doubt about appropriate use restrictions, contact the author(s) directly.
Although we have used most of the software listed here, we can"t take responsibility for ensuring that the copy you get will work properly and won"t cause any damage to your system. As with any software, test it before you use it!
NOTE: Some software distributions carry an external PGP signature (see Chapter 6, Cryptography). This signature helps you verify that the distribution you receive is the one packaged by the author. It does not provide any guarantee about the safety or correctness of the software, however.
Because of the additional confidence that a digital signature can add to software distributed over the Internet, we strongly encourage authors to take the additional step of including a stand-alone signature. We also encourage users who download software to check several other sources if they download a package without a signature.
CERN is the European Laboratory for Particle Physics, in Switzerland, and is "the birthplace of the World Wide Web." The CERN HTTP daemon is one of several common HTTP Servers on the Internet. What makes it particularly interesting is its proxying and caching capabilities, which make it especially well-suited to firewall applications.
You can get the CERN HTTP daemon from:
The chrootuid daemon, by Wietse Venema, makes the task of running a network service at a low privilege level and with restricted filesystem access easy. The program can be used to run Gopher, HTTP, WAIS, and other network daemons in a minimal environment: the daemons have access only to their own directory tree and run with an unprivileged user ID. This arrangement greatly reduces the impact of possible security problems in daemon software.
You can get chrootuid from:
The COPS package is a collection of short shell files and C programs that perform checks of your system to determine whether certain weaknesses are present. Included are checks for bad permissions on various files and directories, and malformed configuration files. The system has been designed to be simple and easy to verify by reading the code, and simple to modify for special local circumstances.
The original COPS paper was presented at the summer 1990 USENIX Conference in Anaheim, CA. It was entitled "The COPS Security Checker System," by Dan Farmer and Eugene H. Spafford.
Copies of the paper can be obtained as a Purdue technical report by requesting a copy of technical report CSD-TR-993 from:
Department of Computer Sciences
West Lafayette, IN 47907-1398
COPS can be obtained from:
In addition, any of the public USENIX repositories for comp.sources.unix will have COPS in Volume 22.
ISS, written by Christopher William Klaus, is the Internet Security Scanner. When ISS is run from another system and directed at your system, it probes your system for software bugs and configuration errors commonly exploited by crackers. Like SATAN, it is a controversial tool; however, ISS is less controversial than SATAN in that it is older and less capable than SATAN, and it was written by someone who (at the time it was released) was relatively unknown in the network security community. Informal conversation with personnel at various response teams indicates that they find ISS involved in a significant number of intrusions - far more than they find associated with SATAN.
You can get the freeware version of ISS from:
There is a commercial version of ISS that is not available on the net. It is supposed to have many more features than the freeware version. Neither of the authors has had any experience with the commercial version of ISS.
Kerberos is a secure network authentication system that is based upon private key cryptography. The Kerberos source code and papers are available from the Massachusetts Institute of Technology. Contact:
MIT Software Center
20 Carlton Street
Cambridge, MA 02139
You can use anonymous FTP to transfer files over the Internet from:
The portmap daemon, written by Wietse Venema, is a replacement program for Sun Microsystem's portmapper program. Venema's portmap daemon offers access control and logging features that are not found in Sun's version of the program. It also comes with the source code, allowing you to inspect the code for problems or modify it with your own additional features, if necessary.
You can get portmap from:
SATAN, by Wietse Venema and Dan Farmer, is the Security Administrator Tool for Analyzing Networks. Despite the authors' strong credentials in the network security community (Venema is from Eindhoven University in the Netherlands and is the author of the tcpwrapper package and several other network security tools; Farmer is the author of COPS), SATAN was a somewhat controversial tool when it was released. Why? Unlike COPS, Tiger, and other tools that work from within a system, SATAN probes the system from the outside, as an attacker would. The unfortunate consequence of this approach is that someone (such as an attacker) can run SATAN against any system, not only those that he already has access to. According to the authors:
 If you don"t like the name SATAN, it comes with a script named repent that changes all references from SATAN to SANTA: Security Administrator Network Tool for Analysis.
SATAN was written because we realized that computer systems are becoming more and more dependent on the network, and at the same time becoming more and more vulnerable to attack via that same network.
SATAN is a tool to help systems administrators. It recognizes several common networking-related security problems, and reports the problems without actually exploiting them.
For each type or problem found, SATAN offers a tutorial that explains the problem and what its impact could be. The tutorial also explains what can be done about the problem: correct an error in a configuration file, install a bugfix from the vendor, use other means to restrict access, or simply disable service.
SATAN collects information that is available to everyone on with access to the network. With a properly-configured firewall in place, that should be near-zero information for outsiders.
The controversy over SATAN's release was largely overblown. SATAN scans are usually easy to spot, and the package is not easy to install and run. Most response teams seem to have more trouble with people running ISS scans against their networks.
From a design point of view, SATAN is interesting in that the program uses a Web browser as its presentation system. The source may be obtained from:
Source, documentation, and pointers to defenses may be found at:
SOCKS, originally written by David Koblas and Michelle Koblas and now maintained by Ying-Da Lee, is a proxy-building toolkit that allows you to convert standard TCP client programs to proxied versions of those same programs. There are two parts to SOCKS: client libraries and a generic server. Client libraries are available for most UNIX platforms, as well as for Macintosh and Windows systems. The generic server runs on most UNIX platforms and can be used by any of the client libraries, regardless of the platform.
You can get SOCKS from:
Swatch, by Todd Atkins of Stanford University, is the Simple Watcher. It monitors log files created by syslog, and allows an administrator to take specific actions (such as sending an email warning, paging someone, etc.) in response to logged events and patterns of events.
You can get Swatch from:
The tcpwrapper is a system written by Wietse Venema that allows you to monitor and filter incoming requests for servers started by inetd. You can use it to selectively deny access to your sites from other hosts on the Internet, or, alternatively, to selectively allow access.
You can get tcpwrapper from:
Tiger, written by Doug Schales of Texas A&M University (TAMU), is a set of scripts that scans a UNIX system looking for security problems, in a manner similar to that of Dan Farmer"s COPS. Tiger was originally developed to provide a check of the UNIX systems on the A&M campus that users wanted to be able to access off-campus. Before the packet filtering in the firewall would be modified to allow off-campus access to the system, the system had to pass the Tiger checks.
You can get Tiger from:
The TIS Internet Firewall Toolkit (FWTK), from Trusted Information Systems, Inc., is a useful, well designed, and well written set of programs for controlling access to Internet servers from the Internet. FWTK includes:
Authentication server that provides several mechanisms for supporting nonreusable passwords
Access control program (wrapper for inetd-started services), netac
Proxy servers for a variety of protocols (FTP, HTTP, Gopher, rlogin, Telnet, and X11)
Generic proxy server for simple TCP-based protocols using one-to-one or many-to-one connections, such as NNTP
Wrapper (the smap package) for SMTP servers such as Sendmail to protect them from SMTP-based attacks.
The toolkit is designed so that you can pick and choose only the pieces you need; you don"t have to install the whole thing. The pieces you do install share a common configuration file, however, which makes managing configuration changes somewhat easier.
Some parts of the toolkit (the server for the nonreusable password system, for example) require a Data Encryption Standard (DES) library in some configurations. If your system doesn't have the library (look for a file named libdes.a in any of your system directories in which code libraries are kept), you can get one from:
TIS maintains a mailing list for discussions of improvements, bugs, fixes, and so on among people using the toolkit; Send email to [email protected] to subscribe to this list.
You can get the toolkit from:
David Curry's trimlog is designed to help you to manage log files. It reads a configuration file to determine which files to trim, how to trim them, how much they should be trimmed, and so on. The program helps keep your logs from growing until they consume all available disk space.
You can get trimlog from:
Tripwire, written by Gene H. Kim and Gene Spafford of the COAST project at Purdue University, is a file integrity checker, a utility that compares a designated set of files and directories against information stored in a previously generated database. Added or deleted files are flagged and reported, as are any files that have changed from their previously recorded state in the database. Run Tripwire against system files on a regular basis. If you do so, the program will spot any file changes when it next runs, giving system administrators information to enact damage-control measures immediately.
You can get Tripwire from:
Several technical reports on Tripwire design and operation are also present in the distribution as PostScript files.
You can get this proxy system from:
The wuarchive FTP daemon offers many features and security enhancements, such as per-directory message files shown to any user who enters the directory, limits on number of simultaneous users, and improved logging and access control. These enhancements are specifically designed to support anonymous FTP.
You can get the daemon from:
An updated version of the server, with enhancements by several people, is available from: