-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
October 2, 1997
Version 1.2
ftp://info.cert.org/pub/tech_tips/security_tools
CERT(*) Coordination Center
List of Security Tools
This document describes tools that can be used to help secure a system and
deter break-ins.
In addition to the information in this document, we provide three companion
documents that may help you:
ftp://info.cert.org/pub/tech_tips/UNIX_configuration_guidelines
- contains suggestions for avoiding common UNIX system
configuration problems that have been exploited
ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist
- contains suggestions for determining if your system has been
compromised
ftp://info.cert.org/pub/tech_tips/root_compromise
- contains suggested steps for recovering from a root compromise on
a UNIX system
Also, please see our CERT advisory 01-README file and CERT vendor-initiated
bulletin 01-README file, which contain brief descriptions of all past CERT
advisories and vendor-initiated bulletins. These files are available from
ftp://info.cert.org/pub/cert_advisories/01-README
ftp://info.cert.org/pub/cert_bulletins/01-README
We encourage you to get all advisories that pertain to your system(s),
and to install the patches or workarounds described in the advisories.
We also encourage you to check with your vendor(s) regularly for any
updates or new patches that relate to your systems.
- -------------------------------------------------------------------------------
NOTES - When installing and using any security tool, read and follow all
available directions. Ensure that use of the tool conforms to
your organization's policies and procedures. Keep sensitive files,
such as MD5 checksum databases and log files, off-line or on read-only
media.
*****************************************************************************
* The CERT Coordination Center does not formally review, evaluate, or *
* endorse the tools and techniques described. The decision to use the *
* tools and techniques described is the responsibility of each user or *
* organization, and we encourage each organization to thoroughly evaluate *
* new tools and techniques before installing or using them.                 *
*****************************************************************************
Network Monitoring Tools
1. Argus
Argus is a network monitoring tool that uses a client-server model to
capture data and associate it into "transactions." The tool provides
network-level auditing; it can verify compliance with a router
configuration file, and its output can be easily adapted to protocol
analysis, intrusion detection, and other security needs. Argus is
available from many sites, including
ftp://ftp.net.cmu.edu/pub/argus-1.5/
2. swatch
Swatch, the Simple WATCHer program, is an easily configurable log file
filter/monitor. Swatch monitors log files and acts to filter out
unwanted data and take one or more user-specified actions based on
patterns in the log. Swatch is available from
ftp://ftp.stanford.edu/general/security-tools/swatch/
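The following is an added example of the swatch idea described above (it is not swatch's own code): each rule pairs a regular expression with a threshold, every log line is run through the rules, and an action fires when a rule's count for the same key reaches its threshold. The log lines, the rule names and the follow() helper are constructed for this illustration.

```python
"""Swatch-style log filter: regex rules with per-key thresholds.
Added example, not swatch's own code. Sample log lines are constructed."""
import re
import time
from collections import Counter
from typing import Iterator, List, Tuple

# Constructed syslog-style lines (not real log data).
SAMPLE_LOG = """\
Oct  2 03:14:07 host sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 50210 ssh2
Oct  2 03:14:09 host sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 50211 ssh2
Oct  2 03:14:12 host sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 50212 ssh2
Oct  2 03:20:41 host su: alice to root on /dev/pts/1
Oct  2 03:21:02 host cron[900]: (root) CMD (/usr/local/etc/ifstatus)
Oct  2 03:25:55 host sshd[813]: Accepted publickey for alice from 192.0.2.10 port 40012 ssh2
"""

# Each rule: (name, pattern with a "key" group, threshold).  The action fires
# once, on the Nth line whose key matches, so a burst of failed logins from
# one address produces a single alert instead of N.
RULES = [
    ("repeated_failed_login",
     re.compile(r"Failed password for (?:invalid user )?(?P<key>\S+ from \S+)"), 3),
    ("su_to_root", re.compile(r"su: (?P<key>\S+) to root on"), 1),
]

Alert = Tuple[str, str]  # (rule name, message)


def scan(text: str, rules=RULES) -> List[Alert]:
    """Run every rule over every line; return the alerts that fired."""
    counts: Counter = Counter()
    alerts: List[Alert] = []
    for line in text.splitlines():
        for name, pattern, threshold in rules:
            match = pattern.search(line)
            if not match:
                continue
            key = (name, match.group("key"))
            counts[key] += 1
            if counts[key] == threshold:
                suffix = f" ({threshold}x)" if threshold > 1 else ""
                alerts.append((name, match.group("key") + suffix))
    return alerts


def follow(path: str, interval: float = 1.0) -> Iterator[str]:
    """Yield lines appended to a file, like 'tail -f' (runs until interrupted)."""
    with open(path) as f:
        f.seek(0, 2)  # start at end of file: only new lines are watched
        while True:
            line = f.readline()
            if line:
                yield line
            else:
                time.sleep(interval)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a live watch,
    # iterate over follow("/var/log/auth.log") and call scan() per line.
    for rule, message in scan(SAMPLE_LOG):
        print(f"ALERT {rule}: {message}")
```

The action here is only a printed line; swatch can also ring the bell, send mail or run a command, and in production you would replace the print with whichever of those your policy calls for.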
Authentication/Password Tools
3. Crack
Crack is a freely available program designed to identify, by standard
guessing techniques, UNIX DES encrypted passwords that can be found in
widely available dictionaries. The guessing techniques are outlined in
the Crack documentation.
Many system administrators run Crack as a regular system
administration procedure and notify account owners who have
"crackable" passwords. Crack is available from
ftp://info.cert.org/pub/tools/crack/
4. Shadow passwords
If your UNIX system has a shadow password capability, you should use
it. Under a shadow password system, the /etc/passwd file does not
have encrypted passwords in the password field. Instead, the
encrypted passwords are held in a shadow file that is not world
readable. Consult your system manuals to determine whether a shadow
password capability is available on your system and to get details of
how to set up and manage it.
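As an added illustration of what "shadowed" means in practice (this script is not CERT's or any vendor's code), the following audits a passwd-format file and reports accounts whose hash still sits in the world-readable file, accounts with an empty password field, and UID 0 accounts other than root. It assumes the classic seven-field /etc/passwd layout and treats "x", "*", "!" and "!!" in the password field as "hash held elsewhere or login disabled"; the sample entries are constructed.

```python
"""Audit a passwd-format file for accounts that are not shadowed.
Added example; assumes the seven-field /etc/passwd layout. Sample data is constructed."""
import sys
from typing import List, Tuple

# Constructed sample: one shadowed root, one shadowed user, one user whose
# hash is still in passwd, one with no password, and a second UID 0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$ThisIsNotARealHashValue:1002:1002:Bob:/home/bob:/bin/sh
guest::1003:1003:Guest:/home/guest:/bin/sh
sysadm:x:0:0:Second root:/:/bin/sh
"""

# Values that mean "the real hash lives in the shadow file" or "login disabled".
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (account, problem) pairs for every suspicious passwd entry."""
    findings: List[Tuple[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        if password == "":
            findings.append((name, "empty password field (no password required)"))
        elif password not in SHADOW_MARKERS:
            findings.append((name, "password hash stored in world-readable passwd"))
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
    return findings


if __name__ == "__main__":
    # Audit the file named on the command line, or /etc/passwd by default.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open(path) as f:
        for account, problem in audit_passwd(f.read()):
            print(f"{account}: {problem}")
```

Run against the real /etc/passwd; any line reported as "hash stored in world-readable passwd" means the shadow mechanism is not in effect for that account and the hash is available to every local user for offline guessing.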
Service-Filtering Tools
5. TCP/IP wrapper program
The TCP/IP wrapper program provides additional network logging
information and gives a system administrator the ability to deny or
allow access from certain systems or domains to the host on which the
program is installed. Installation of this software does not require
any modification to existing network software. This program is
available from
ftp://info.cert.org/pub/tools/tcp_wrappers/
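To make the wrapper's allow/deny logic concrete, here is an added example (not tcp_wrappers' own code) that evaluates its access decision for a connection: a request is granted if the (daemon, client) pair matches an entry in hosts.allow, otherwise refused if it matches hosts.deny, otherwise granted. It implements the common client pattern forms (ALL, exact host or address, a ".domain" suffix, a "1.2.3." prefix, and net/mask) and omits EXCEPT, LOCAL and shell commands; the rule files and hosts are constructed.

```python
"""TCP wrapper access decision for a (daemon, client) pair.
Added example, simplified subset of the hosts_access(5) pattern language.
Sample rule files and hosts are constructed."""
import ipaddress
from typing import List, Tuple

Rule = Tuple[List[str], List[str]]  # (daemon list, client list)

# Constructed sample files.
HOSTS_ALLOW = """\
# allow FTP from the local net and from our own domain
in.ftpd: 192.168.1.0/255.255.255.0, .example.com
ALL: 127.0.0.1
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: shell_command]' lines."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        parts = line.split(":")
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern: str, host: str, ip: str) -> bool:
    """Does one client pattern match the connecting host name / address?"""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # ".example.com" matches hostname suffix
        return host.endswith(pattern)
    if pattern.endswith("."):            # "192.168.1." matches address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                   # "net/mask" matches addresses in the net
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern in (host, ip)         # exact host name or address


def rules_match(rules: List[Rule], daemon: str, host: str, ip: str) -> bool:
    return any(
        ("ALL" in daemons or daemon in daemons)
        and any(client_matches(p, host, ip) for p in clients)
        for daemons, clients in rules
    )


def decide(allow_text: str, deny_text: str, daemon: str, host: str, ip: str) -> str:
    """hosts.allow wins, then hosts.deny; with no match at all access is granted."""
    if rules_match(parse_rules(allow_text), daemon, host, ip):
        return "allow"
    if rules_match(parse_rules(deny_text), daemon, host, ip):
        return "deny"
    return "allow"  # the wrapper's default when neither file matches


if __name__ == "__main__":
    for daemon, host, ip in [("in.ftpd", "pc1.example.com", "198.51.100.4"),
                             ("in.telnetd", "unknown", "203.0.113.9")]:
        print(daemon, host, ip, "->", decide(HOSTS_ALLOW, HOSTS_DENY, daemon, host, ip))
```

The last test case in the test block is the point to take away: with an empty hosts.deny everything not explicitly listed is permitted, so an "ALL: ALL" entry in hosts.deny is what turns the wrapper into a default-deny filter.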
Tools to Scan Hosts for Known Vulnerabilities
6. ISS (Internet Security Scanner)
ISS is a program that will interrogate all computers within a specified
IP address range, determining the security posture of each with respect
to several common system vulnerabilities. ISS is available from many
sites, including
ftp://info.cert.org/pub/tools/iss/
For further information about ISS, see
ftp://info.cert.org/pub/cert_advisories/CA-93:14.Internet.Security.Scanner
7. SATAN (Security Administrator Tool for Analyzing Networks)
SATAN is a testing and reporting tool that collects a variety of
information about networked hosts. SATAN is available from many sites,
including
ftp://ftp.win.tue.nl/pub/security/satan-1.1.1.tar.Z
For further information about SATAN, see
ftp://info.cert.org/pub/cert_advisories/CA-95:06.satan
ftp://info.cert.org/pub/cert_advisories/CA-95:07a.REVISED.satan.vul
Multi-Purpose Tools
8. COPS (Computer Oracle and Password System)
COPS is a publicly available collection of programs that attempt to
identify security problems in a UNIX system. COPS does not attempt to
correct any discrepancies found; it simply produces a report of its
findings. COPS is available from
ftp://info.cert.org/pub/tools/cops/
and by uucp from uunet.uu.net.
Integrity-Checking Tools
9. MD5
MD5 is a cryptographic checksum program. MD5 takes as input a message
of arbitrary length and produces as output a 128-bit "fingerprint" or
"message digest" of the input. It is thought to be computationally
infeasible to produce two messages having the same message digest or
to produce any message having a given pre-specified target message
digest. MD5 is found in RFC 1321. See
ftp://info.cert.org/pub/tools/md5/
10. Tripwire
Tripwire checks file and directory integrity; it is a utility that
compares a designated set of files and directories to information
stored in a previously generated database. Any differences are
flagged and logged, including added or deleted entries. When run
against system files on a regular basis, Tripwire enables you to spot
changes in critical system files and to immediately take appropriate
damage control measures. Tripwire is available from many sites,
including
ftp://info.cert.org/pub/tools/tripwire/
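The MD5 and Tripwire entries above describe two halves of one procedure: compute a digest for each file, store it with the file's metadata, and later compare. The following added example (not Tripwire's code or database format, and not the md5 program) does exactly that for a directory tree. It uses MD5 to match this document; MD5 is no longer collision resistant, so pass algo="sha256" for a current deployment. The files written by demo() are constructed for the illustration.

```python
"""Minimal file-integrity baseline: digest + metadata per file, then diff.
Added example, not Tripwire's code or format. Demo files are constructed."""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Entry = Dict[str, object]


def digest_bytes(data: bytes, algo: str = "md5") -> str:
    return hashlib.new(algo, data).hexdigest()


def file_digest(path: str, algo: str = "md5") -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str, algo: str = "md5") -> Dict[str, Entry]:
    """Record digest, size, mode, owner and mtime for every regular file."""
    db: Dict[str, Entry] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, devices, etc.
                continue
            db[os.path.relpath(path, root)] = {
                "digest": file_digest(path, algo), "size": st.st_size,
                "mode": oct(st.st_mode), "uid": st.st_uid, "mtime": int(st.st_mtime),
            }
    return db


def compare(old: Dict[str, Entry], new: Dict[str, Entry]) -> Dict[str, list]:
    """Report added, deleted and changed entries (with the fields that differ)."""
    changed: List[Tuple[str, List[str]]] = []
    for rel in sorted(set(old) & set(new)):
        diffs = [k for k in old[rel] if old[rel][k] != new[rel][k]]
        if diffs:
            changed.append((rel, diffs))
    return {"added": sorted(set(new) - set(old)),
            "deleted": sorted(set(old) - set(new)),
            "changed": changed}


def save(db: Dict[str, Entry], path: str) -> None:
    # The baseline is only as trustworthy as its storage: keep this file on
    # read-only or off-line media, as the notes at the top of this document advise.
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load(path: str) -> Dict[str, Entry]:
    with open(path) as f:
        return json.load(f)


def demo() -> Dict[str, list]:
    """Build a baseline, then modify / delete / add files and diff against it."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        write("a.txt", b"alpha\n")
        write("b.txt", b"hello\n")
        write("bin/c", b"\x7fELF-not-really")
        before = build_baseline(root)
        write("b.txt", b"jello\n")            # same size: only the digest reveals it
        os.remove(os.path.join(root, "a.txt"))
        write("d.txt", b"new file\n")
        return compare(before, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Because "b.txt" keeps its size in the demo, the report shows why a digest is needed on top of size and timestamps, and why the reference database itself must be kept where an intruder cannot rewrite it.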
Other Tools
11. lsof
lsof lists open files and what UNIX processes have them open. lsof is
available from
ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/
12. ifstatus
The ifstatus program can be run on UNIX systems to identify network
interfaces that are in debug or promiscuous mode. Network interfaces
in these modes may be a sign that an intruder is monitoring the network
to steal passwords and other traffic (see CERT advisory CA-94:01).
The program prints nothing (unless -v is given) except when it finds
interfaces in "bad" modes, so it is easy to run ifstatus from cron once
an hour or so. If you have a modern cron that mails the output of cron
jobs to their owner, use a line like this:
00 * * * * /usr/local/etc/ifstatus
If you have a version of cron that doesn't do this, use the
"run-ifstatus" shell script instead (edit the script to use the right
path to the command):
00 * * * * /usr/local/etc/run-ifstatus
ifstatus is available from many sites, including
ftp://info.cert.org/pub/tools/ifstatus/ifstatus.tar.Z
ftp://coast.cs.purdue.edu/pub/tools/unix/ifstatus/ifstatus.tar.Z
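As an added example of the same check on a Linux host (this is not the ifstatus program, which predates Linux sysfs), the script below reads each interface's flag word from /sys/class/net/<iface>/flags, tests the IFF_DEBUG and IFF_PROMISC bits from <linux/if.h>, and like ifstatus prints nothing and exits 0 unless a "bad" mode is found, so it fits the same cron line. The sysfs tree built by demo() is constructed.

```python
"""Report Linux interfaces in debug or promiscuous mode, ifstatus-style.
Added example, not the ifstatus program. The demo sysfs tree is constructed."""
import os
import sys
import tempfile
from typing import Dict, List

# Flag bits from <linux/if.h>.
IFF_DEBUG = 0x4
IFF_PROMISC = 0x100
BAD_MODES = {IFF_DEBUG: "DEBUG", IFF_PROMISC: "PROMISC"}


def bad_modes(flags: int) -> List[str]:
    """Names of the 'bad' modes set in an interface flag word."""
    return [name for bit, name in BAD_MODES.items() if flags & bit]


def scan(sysfs_root: str = "/sys/class/net") -> Dict[str, List[str]]:
    """Map interface name -> bad modes, for interfaces that have any."""
    found: Dict[str, List[str]] = {}
    for iface in sorted(os.listdir(sysfs_root)):
        flags_path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(flags_path) as f:
                flags = int(f.read().strip(), 16)   # file holds e.g. "0x1003"
        except (OSError, ValueError):
            continue                                # not a netdev entry; skip
        modes = bad_modes(flags)
        if modes:
            found[iface] = modes
    return found


def demo() -> Dict[str, List[str]]:
    """Build a fake sysfs tree: lo up, eth0 up+promiscuous, eth1 up only."""
    with tempfile.TemporaryDirectory() as root:
        for iface, value in {"lo": "0x9", "eth0": "0x1103", "eth1": "0x1003"}.items():
            os.makedirs(os.path.join(root, iface))
            with open(os.path.join(root, iface, "flags"), "w") as f:
                f.write(value + "\n")
        return scan(root)


if __name__ == "__main__":
    verbose = "-v" in sys.argv[1:]
    found = scan()
    for iface, modes in found.items():
        print(f"WARNING: {iface} is in {' and '.join(modes)} mode")
    if verbose and not found:
        print("no interfaces in debug or promiscuous mode")
    sys.exit(1 if found else 0)
```

One caveat for this platform: the sysfs flag word (and "ip link") shows IFF_PROMISC only when promiscuity was requested through the interface flags (ifconfig, ip link set ... promisc on). A capture that enables promiscuous mode through a packet socket raises the kernel's promiscuity counter instead; that shows up as "promiscuity 1" in "ip -d link show" and as a "device eth0 entered promiscuous mode" message in the kernel log, so a thorough check should look at those too.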
13. smrsh
With all versions of sendmail, we recommend that you use the sendmail
restricted shell program, smrsh, by Eric Allman (the original author of
sendmail). When configured correctly, the smrsh program can help protect
against a vulnerability that can allow unauthorized remote or local
users to execute programs as any system user other than root. For
example, smrsh can prevent an intruder from using pipes (|) to execute
arbitrary commands on your system.
We encourage you to use smrsh regardless of whether you use the vendor's
supplied sendmail or install sendmail yourself, and regardless of
patches that have been installed.
Beginning with sendmail version 8.7.1, smrsh is included in the
sendmail distribution, in the subdirectory smrsh. See the
RELEASE_NOTES file for a description of how to integrate smrsh into
your sendmail configuration file.
smrsh is also available from many sites, including
ftp://info.cert.org/pub/tools/smrsh/
ftp://ftp.uu.net/pub/security/smrsh/
Warning: If you are running such an old version of sendmail that you
must install smrsh separately, intruders will continue to be
able to exploit vulnerabilities that were fixed in later
versions of sendmail. We urge you to upgrade to the current
version of sendmail and then use the tools that are included
with that distribution.
Refer to the following files for further information about smrsh:
ftp://info.cert.org/pub/cert_advisories/CA-93:16.sendmail.vulnerability
ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul
14. mail.local
Some versions of /bin/mail based on BSD 4.3 UNIX are vulnerable
because of timing windows in the way /bin/mail uses publicly writable
directories. If you cannot install a patch from your vendor, replace
/bin/mail with mail.local.
Beginning with sendmail version 8.7.1, mail.local is included in the
sendmail distribution, in the subdirectory mail.local. The program is
also available from many sites, including
ftp://info.cert.org/pub/tools/mail.local/
For further information about mail.local, see
ftp://info.cert.org/pub/cert_advisories/CA-95:02.binmail.vulnerabilities
Other Reading About Security Tools
For a list of additional security tools, see Appendix B of the "UNIX
Computer Security Checklist" developed by the Australian Computer
Emergency Response Team (AUSCERT). A copy of the AUSCERT checklist can
be found in
ftp://info.cert.org/pub/tech_tips/AUSCERT_checklist1.1
The CERT Coordination Center maintains a directory of information that has
come to our attention concerning the most current releases of software,
releases that contain security improvements. The directory is by no means
complete, but it does contain pointers to the latest versions of some
security tools. The location is
ftp://info.cert.org/pub/latest_sw_versions
- ------------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.
CERT is registered in the U.S. Patent and Trademark Office.
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQA/AwUBOBTCMlr9kb5qlZHQEQKa2ACgyjMuJ9nycHoeTnDEUWlz8by+nVYAoOb+
JtFsibQA5MRfoRtIYwpsct/q
=0F8t
-----END PGP SIGNATURE-----