A listing of network security tools and sites where they can be obtained. If you have any comments or updates, please send email to the address below.
This script checks for people logged on to a local machine from insecure X servers. It is intended for system administrators to check up on whether users are exposing the system to unacceptable risks. Like many commands, such as finger(1), checkXusers could potentially be used for less honorable purposes. checkXusers should be run from an ordinary user account, not root. It uses kill, which is pretty dangerous for a superuser. It assumes that the netstat command is somewhere in the PATH.
Title: chkacct v1.1
Authors: Shabbir Safdar
File size: 127934 bytes
Abstract:
chkacct was designed to complement tools like COPS and Tiger. Instead of checking for configuration problems in the entire system, it is designed to check the settings and security of the current user's account. It then prints explanatory messages to the user about how to fix the problems. It may be preferable to have a security administrator ask problem users to run chkacct rather than directly alter files in their home directories.
Title: COPS (Computer Oracle and Password System)
Author: Dan Farmer
Abstract:
Examines a system for a number of known weaknesses and alerts the system administrator to them; in some cases it can automatically correct these problems.
The purpose of the crashme program is to cause instruction faults that would otherwise be only rarely seen in the normal operation of a system. Normal includes conditions of user programs with bugs in them and also includes executable code corruption due to memory, disk, and network problems.
Doc is a program that diagnoses misbehaving domains by sending queries to the appropriate DNS nameservers and performing simple analysis on the responses. Doc verifies that a domain is properly configured and functioning correctly. The only required parameter is the valid domain name of a domain. Important: Doc requires version 2.0 of the DNS query tool `dig` (domain internet groper).
Tiger-like program for the IRIX operating system on SGIs. See tiger later in this section.
A multi-level security scanner that checks a UNIX system for a number of known security holes such as problems with sendmail, improperly configured NFS file sharing, etc.
This is a perl version of Dan's version of Bob Baldwin's Kuang program, which was originally written as shell scripts and C programs. Features include: caches passwd/group file entries in an associative array for faster lookups, which is particularly helpful on insecure systems using YP where password and group lookups are slow and frequent; the user can specify a target (uid or gid) on the command line; the -l option generates a PAT for a goal; the -f option preloads file owner, group and mode info, which is helpful in terms of speed and avoiding file system 'shadows'.
This program checks for 14 common SunOS configuration security loopholes. It has been tested only on SunOS 4.0.3 on Sun4, Sun3, and Sun386i machines. Each test reports its findings and offers to fix any discovered problems. The program must be run as root to fix any of the problems, but it can be run from any account by replying 'n' to any fix requests.
SPI provides a suite of security inspections for most Unix systems at the touch of a button. The SPI software product is available free of charge to all DOE and DoD organizations. Sponsoring agencies may define redistribution policies within their own respective user communities.
The tiger package of system monitoring scripts. Similar to COPS in what they do, but significantly more up to date, and easier to configure and use.
Trojan.pl is a trojan horse checking program. It examines the search path and looks at all of the executables in the search path for people who can create a trojan horse that root can execute.
A hacked copy of the BSD 4.3-tahoe tftpd program.
This is a new, more functional version of fingerd. This version offers logging, access control lists for restricting finger requests to certain hosts and certain users, and a message of the day file.
Introduction to the fix-kits archive. Residing in this archive are patches to various popular packages in common use around the Internet. These patches are designed to increase security and robustness. This archive was brought into existence due to a desire to set up server machines, plug them into the Internet, and have them be reasonably secure on their own without hiding behind firewalls. In some cases these servers would be part of a firewall system.
A network routing daemon that understands the BGP, EGP, RIP, RIP II, OSPF, and HELLO protocols. This version of gated is more configurable than the routed program that comes with most UNIX systems and can be useful when constructing firewalls.
This mountd for Solaris 2.3 does reserved port checking. As an added feature, it also logs denied mount requests.
The file msystem.c contains a version of system(3), popen(3), and pclose(3) that provide considerably more security than the standard C functions. They are named msystem, mpopen, and mpclose, respectively. While the author does not guarantee them to be PERFECTLY secure, they do constrain the environment of the child quite tightly, or at least enough to close the obvious holes.
The Operator Shell (Osh) is a setuid root, security enhanced, restricted shell for providing fine-grain distribution of system privileges for a wide range of usages and requirements.
Official fixes from Sun Microsystems. These are mirrored from a Sun site. These patches should be checked first.
This is the 3rd enhanced portmapper release. The code compiles fine with SunOS 4.1.x, Ultrix 4.x and ESIX System V release 4.0, but it will work with many other UNIX flavors. Tested with SunOS 4.1.1; an earlier version was also tested with Ultrix 3.0. SysV.4 uses a different program than the portmapper, however; rpcbind is the name, and it can do much more than the old portmapper. This is a portmapper replacement with access control in the style of the tcp wrapper (log_tcp) package. It provides a simple mechanism to discourage access to the NIS (YP), NFS, and other services registered with the portmapper. In some cases, better or equivalent alternatives are available. The SunOS portmap that is provided with patch id 100482-02 should close the same security holes. In addition, it provides NIS daemons with their own access control lists. This is better than just portmapper access control. The "securelib" shared library (eecs.nwu.edu:/pub/securelib.tar) implements access control for all kinds of (RPC) services, not just the portmapper. Reportedly, Irix 4.0.x already has a secured portmapper. However, many vendors still ship portmap implementations that allow anyone to read or modify its tables and that will happily forward any request so that it appears to come from the local system.
This is a rpcbind replacement with access control in the style of the tcp/ip daemon wrapper (log_tcp) package. It provides a simple mechanism to discourage remote access to the NIS (YP), NFS, and other rpc services. It also has host access control on IP addresses. Note that the local host is considered authorized, and host access control requires the libwrap.a library that comes with recent tcp/ip daemon wrapper (log_tcp) implementations. Requests that are forwarded by the rpcbind process are forwarded through an unprivileged port. In addition, the rpcbind process refuses to forward requests to rpc daemons that do, or should, verify the origin of the request; at present, the list includes most of the calls to the NFS mountd/nfsd daemons and the NIS daemons.
Provides a replacement shared library for SunOS 4.1.x systems that offers new versions of the accept, recvfrom, and recvmsg networking system calls. These calls are compatible with the originals, except that they check the address of the machine initiating the connection to make sure it is allowed to connect, based on the contents of a configuration file. Can be installed without recompiling any software.
This version is a successor to the version from O'Reilly and Associates, and is much newer than the version shipped by most UNIX vendors. This version of sendmail has bug and security hole fixes.
sfingerd is a secure replacement for the standard unix finger daemon. The goal is to have the smallest and safest code.
This package provides drop-in replacements for telnet and ftp client and server programs, which use Secure RPC code to provide encrypted authentication across the network, so that plaintext passwords are not used. These programs require no external keyserver or ticket server and work equally well for local or internet-wide connections.
This version of tftpd is hacked from the 4.3 Reno tftpd. The author modified the original source code since all of the versions that did a chroot() were unable to then syslog who got what file, because of a rather obnoxious subtlety in the way 4.3 syslog works. This version has several improvements: 1.) chroot() to a restricted subdirectory; 2.) syslog() logs all accesses (and failures), including the accessor, the file, and the access type; 3.) likely to have the ability to control which files or subdirectories of the tftp directory are accessible to which clients based on the incoming IP address.
Designed for use by large FTP sites, and provides a number of features not found in vendor versions, including increased security.
A replacement for inetd, the internet services daemon. It supports access control based on the address of the remote host and the time of access. It also provides extensive logging capabilities including server start time, remote host address, remote username, server run time, and actions requested.
A modified version of Larry Wall's Perl password program that, in an NIS environment, allows for gecos changes and also checks a sorted list of all the "bad passwords".
Chalace is an intercept-proof password authentication system which can be used over normal communications channels. Chalace is very, very portable, being for the most part pure ANSI C. However, it will not run on a terminal or calculator alone. You must have secure access to a LOCAL machine in order to run the response client. In an ideal world, everyone would be running something like kerberos; however, kerberos is not very portable or exportable and runs only over TCP/IP style connections. Chalace is useful under many circumstances and not at all useful under others. Chalace is useful for connecting from a local or considered-secure machine to a remote machine over a possibly insecure communications line, without giving any intercepting agents access to your account authentication information (password) and thus your account itself. Chalace is not useful for protecting the data that is actually transferred from the remote machine, or for connection from a dumb terminal, etc., where no computer is nearby to run the Chalace client.
CrackLib is a pro-active password sanity library. CrackLib is a library containing C functions which may be used in a "passwd"-like program. The idea is simple: try to prevent users from choosing passwords that could be guessed by "Crack" by filtering them out, at the source. CrackLib is an offshoot of the version 5 "Crack" software and contains a considerable number of ideas nicked from the new software.
Replacement for the existing password program that eliminates the choosing of poor passwords. Includes support for System V Release 3 password aging and Sun's Network Information Service (NIS).
This function depends upon a subtle property of English. Less than one-third of the possible triples (sequences of three letters) are used in English words. This property makes it possible to distinguish random letter strings from strings that look like English words. The idea is to reject passwords that look like English words.
A proactive password checker that is driven by a configuration file to determine what types of passwords are and are not allowed. The configuration file allows the use of regular expressions, the comparison of passwords against the contents of files (e.g., dictionaries), and the calling of external programs to examine the password.
This package consists of two parts: a server-based passwd/chsh/chfn replacement and a server-based /etc/group editor which gives each and every user the ability to privately manage one group on his own.
Pwdiff takes multiple password files and compares them in an intelligent way. For instance, it will report on different names with the same uid, but let pass the same name with the same uid.
Shadow is a replacement for login and passwd that can enable any system to use shadow password files. Shadow is concerned with keeping its user data, as well as the integrity of the network, private and secure. As with all forms of security, this is done with the loss of some convenience. Incoming telnet from hosts on the Internet is blocked, barring presence of the host in an access control file. Incoming ftp to real accounts is blocked as well. This is done because Shadow does not have physical control over all of the routers on the Internet, and thus cannot guarantee the security of incoming connections. It is for this reason that services which require the transmittal of a cleartext password are not normally allowed, since the password can be sniffed with a packet sniffer.
Yppapasswd is designed to do proactive password checking based upon the passwd program given in the O'Reilly book on perl (ISBN 0-937175-64-1). This program has a subroutine called 'goodenough' that can easily be extended to perform any type of password checks that aren't already being done. Yppapasswd extends this program to be used with the Network Information System (NIS). To accomplish this there is a daemon, yppapasswdd, that runs on the NIS master in place of yppasswdd. Yppapasswd supports -f and -s options that change finger and shell information. This also works across the NIS domain, so that changes do not have to be made on the NIS master server to change passwd info.
The Code Breaker's Workbench - break crypt(1) encrypted files.
High speed, dictionary-based password cracking tool with a configuration language, allowing the user to program the types of guesses used.
This is a password checking program that the author wrote after the infamous Internet Worm. He used the password cracking algorithm the worm used in order to check the obviousness of a password.
This crypt implementation is plug-in compatible with crypt(3)/fcrypt and is extremely high-performance when used for password cracking. It is portable to most 32-bit machines. Startup time and mixed-salt performance are not critical, but it is 25-45 times faster than crypt(3) when invoked repeatedly with the same salt and varying passwords. With alternating salts, performance is only about 4 times that of crypt(3). Tested on 68000, 386, SPARC, MIPS, HP-PA and RS/6000 systems; it requires 280 kb for tables.
This package provides a network login service with more secure authentication than telnet or rlogin. Also, all data transmitted to and from the remote host is encrypted using DES. Thus, this package allows you to use a remote host across untrusted networks without fear of network snooping. This package is not available on our archive due to ITAR restrictions. See the file /pub/tools/unix/deslogin/DESLOGIN.README for details.
The drawbridge-1.1.tar.Z package is the Drawbridge base package without DES support. The drawbridge-1.1-des.tar.Z package is a supplemental package that contains the DES support. This package is installed in addition to the drawbridge-1.1.tar.Z package. Simply extract it on top of the regular package. This will add a few source files and new makefiles to the filter and fm directories. Note that the DES package is not required to operate drawbridge; it only allows drawbridge management in a secure manner.
Kerberos is a network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder. It allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data stream integrity by detection of modification, and secrecy by preventing unauthorized reading, using cryptography systems such as DES.
MD5 (Message Digest 5) is a new message-digest algorithm.
In a basic BSD environment only three utilities let people onto a machine: login, rshd, and ftpd. These three programs are modified to check a YP map called 'permissions' which determines whether a person is allowed to login. Control over login is given based on four parameters: hostname, ttyname, login, and groups.
The S/KEY one-time password system provides authentication over networks that are subject to eavesdropping/replay attacks.
This is an implementation of Snefru. Snefru is a one-way hash function that provides authentication. It does not provide secrecy.
Authd is an implementation of RFC 931, the Authentication Server, under BSD. RFC 931 provides the name of the user owning a TCP connection. This helps network security: unless TCP itself is compromised, it is impossible to forge mail or news between computers supporting RFC 931. With Authd it also becomes much easier to trace attackers than in the current, largely anonymous, network. Authd requires no changes to the current code. Every connect() and accept() is authenticated automatically, with no loss of efficiency.
Under most versions of Unix, there is a "lastlog" file that records the time and sometimes the terminal of the last login for each user. This is then printed as part of the next login as information. Some systems also include information on the number of invalid attempts on the account since the last valid login. This Perl program dumps the file for SunOS/Solaris systems, as it works on both. If your lastlog format is different, simply modify the logging format. One may need to adjust the path to the lastlog file.
Provides modified versions of rshd, rlogind, ftpd, rexecd, login, and telnetd that log significantly more information than the standard vendor versions. This enables better auditing of problems via the logfiles.
This finger daemon is written in perl to do additional logging into a file called /var/log/trap/fingerd. It contains additional information like who is at the other end of the connection (via rfc931: read authuser), whom s/he fingers, and any other information which is sent through the finger port. It is programmed to deny chain fingering and stop immediately if it detects special symbols like "|<>..." in the input stream. It can easily be modified to filter out information, deny fingering of a certain person, deny fingering from certain hosts, filter finger information, etc., without the trouble of recompilation since it is written in perl.
A small program that tails the wtmp file and reports all logins to the syslogd.
Constitutes a TCP/UDP traffic logging system, usable for locating suspicious network traffic.
The spar program is used for showing process accounting records. Much more flexible and powerful than the standard UNIX utilities such as lastcomm.
For systems that have no syslog library. This version logs directly to a file (default usr/spool/mqueue/syslog). The fake syslog that comes with nntp seems to be OK, too.
chklastlog checks the file /var/adm/lastlog and the file /var/adm/wtmp for inconsistencies. The 'zap' utility deletes the last entry for a given username from the /var/adm/wtmp file and the entry in the lastlog file. If there are other entries in the wtmp file, this tool will find the missing entry in the lastlog file.
chkwtmp checks the file /var/adm/wtmp for entries that were overwritten with zeros. If such an entry is found, the entries above and following the entry are printed to indicate the time range wherein the deletion has been made.
Trimlog is used to trim system log files to keep them from growing without bound. When invoked, it reads commands from a file which tell it which files to trim, how to trim them, and by how much they should be trimmed.
L5 simply walks down Unix or DOS file systems, sort of like "ls -R" or "find" would, generating listings of anything it finds there. It tells you everything it can about a file's status, and adds on an MD5 hash of it. Its output is rather "numeric", but it is a very simple format and is designed to be post-processed by scripts that call L5.
traceroute traces the route IP packets take from the current system to some destination system.
A package that allows you to analyze any form of Audit Trail by customizing the format description of your trail. Analyzing substantial amounts of data and extracting relevant information out of huge sequential files has always been a nightmare, unless you use ASAX (FUNDP). Using highly sophisticated and powerful algorithms, ASAX tremendously simplifies the intelligent analysis of sequential files. Of course, the data should fit the analyzer. Therefore, ASAX has defined a normalized audit file format (NADF) with built-in flexibility to guarantee a simple and straightforward translation of any stream of native data into the normalized sequential files ASAX understands. But ASAX's real power is unleashed by deploying its embedded, easy to use rule-based language RUSSEL. This tailor-made analysis tool solves very intricate queries on any sequential data.
A generic IP network transaction auditing tool that has allowed Carnegie Mellon University's Software Engineering Institute to perform a number of powerful network management tasks that are currently not possible using commercial network management tools. Requires the libpcap and tcp_wrappers packages.
arpmon does a popen() to tcpdump and collects data. It writes its pid by default to /home/arpmon/arpmon.pid and dumps its data to /home/arpmon/addrs. Doing a kill -HUP `cat arpmon.pid` creates or updates the addrs file. A kill -QUIT `cat arpmon.pid` updates the addrs file and instructs the arpmon process to die. You can change these path names by editing paths.pl. ipreport will write a formatted report of the addrs files to stdout. Do an ipreport -h for the other options.
This directory contains source code for arpwatch, a tool that monitors ethernet activity and keeps a database of ethernet/ip address pairings. It also reports certain changes via email. Arpwatch uses libpcap, a system-independent interface for user-level packet capture. Before tcpdump is built, retrieve and build libpcap, also from LBL, in: ftp://ftp.ee.lbl.gov/libpcap-*.tar.Z.
Monitors the network and identifies the source machines of SATAN probes/attacks.
A SATAN detector similar to Courtney. Available for Sun platforms, it is written entirely in C and comes pre-built.
Hobgoblin checks file system consistency against a description. Hobgoblin is a language and an interpreter. The language describes properties of a set of hierarchically organized files. The interpreter checks the description for conformity between the described and actual file properties. The description constitutes a model for this set of files. Consistency checking verifies that the real state of these files corresponds to the model, flagging any exceptions. Hobgoblin can verify conformity of system files on a large number of systems to a uniform model. Relying on this verification, system managers can deal with a small number of conceptual models of systems, instead of a large number of unique systems. Also, checking for conformity to an appropriate model can enhance system reliability and security by detecting incorrect access permissions or non-conforming program and configuration files.
Checks to see if existing binary files match their appropriate cryptographic signatures.
Network monitoring and visualization tools from Curtin University. The etherman program is an X Window System tool that displays a representation of real-time Ethernet communications. The interman program focuses on IP connectivity within a single segment. The packetman tool is a retrospective Ethernet packet analyzer.
Monitors the local network for NFS packets and decodes them by client and server name, procedure name, and so forth. Can be used to determine how much traffic each client is sending to a server and determine what users are accessing the server, etc.
Provides a suite of security tools that detects and analyzes network intrusion. NID provides detection and analysis of intrusion from individuals not authorized to use a particular computer and from individuals allowed to use a particular computer, but who perform either unauthorized activities or activities of a suspicious nature on it.
Monitors various network variables such as ICMP or RPC reachability, host performance, SNMP traps, modem line usage, AppleTalk and Novell routes and services, BGP peers, etc. The software is extensible and new monitors can be added easily.
This program is designed to provide the system administrator with additional information about who is logging into disabled accounts. Traditionally, accounts have been disabled by changing the shell field of the password entry to "/bin/sync" or some other benign program. Noshell provides an informative alternative to this method by specifying the noshell program as the login shell in the password entry for any account which has been disabled.
raudit is a Perl script which audits each user's .rhosts file and reports on various findings. Without arguments, raudit will report on the total number of rhosts entries, the total number of non-operations entries (for which the host is listed in the /etc/hosts.equiv file), and the total number of remote entries (for which the host is a non-NAS host). raudit will also report on any entries which may be illegal. An entry is considered illegal if the username does not match the username from the password file or if the entry contains a "+" or a "-". Raudit is normally run on a weekly basis via a cron job which runs rhosts.audit. The output is mailed to the NAS security analyst(s).
A file system auditing program that compares current contents against previously-generated listings and reports differences.
A system for monitoring events on a large number of systems. Modifies certain programs to enhance their logging capabilities and provides software to then monitor the system logs for ``important'' messages.
swIPe is a network-layer security protocol for the IP protocol suite. swIPe provides confidentiality, integrity, and authentication of network traffic and can be used to provide both end-to-end and intermediate-hop security. swIPe is concerned only with security mechanisms; policy and key management are handled outside the protocol.
Invoke it without arguments in the same directory that has the TAMU Security distribution. It will automagically validate the files in the distribution to make sure that they have not been tampered with.
Scans file systems and computes digital signatures for the files therein, which can be used later to check those files for any changes. Tripwire also checks all inode information on a user-selectable basis, and monitors for missing or added files.
A configurable and extensible system monitoring tool that issues a number of user-specified commands, parses the output, checks for items of significance, and reports them to the system administrator.
This program monitors X connections. It uses RFC931 to display usernames, when the client host supports RFC931. It allows the user to freeze and unfreeze connections, or kill them, independent of the client, and very importantly independent of the server. The KillClient request can be used to forcibly disconnect a client from the server, but only if the client has created a resource, which for example neither xkey nor crowbar does. It monitors the connection, and if it sees certain dubious requests, currently configurable only by hacking on the source, it pops up a little menu with which the user can allow the request, have it replaced with a NoOperation request, or kill the connection. The dubious requests are, at present, requests to change the host access list, requests to enable or disable access control, and Change Window Attributes requests operating on non-root windows not created by the same client.
A root-compromised system that supports a promiscuous network interface is being used by intruders to collect host and user authentication information visible on the network. There are network monitoring tools that use the promiscuous mode of a specific network interface to capture host and user authentication information on all newly opened FTP, TFTP, TELNET, and RLOGIN sessions. CPM checks for network interfaces in promiscuous mode and reports the results to the users for corrections.
This is a command-line tool for querying DNS servers. It is easier to use than nslookup and is well-suited for use within shell scripts.
A research prototype for discovering key network characteristics such as hosts, gateways, and topology. Fremont stores this information in a database and can then notify the administrator of anomalies detected.
icmpinfo is a tool for looking at the icmp messages received on the running host. The source code is written by Laurent Demailly and comes from a heavily modified BSD ping source. Icmpinfo comes without warranty.
Program for obtaining information from the DNS. More flexible than nslookup.
The ident package contains the following: identify - a small program that can be used to log "ident" info in conjunction with the "inetd" daemon. idlookup - a small tool that can be used to look up the identifier associated with a particular TCP/IP connection if the remote site is running an Ident server. tcplist - makes a list of tcp connections to and from the local machine, displaying the user name associated with the local end, and makes use of rfc931 services if available to determine the "user" at the other end. tcplocate - identifies the process(es) that have sockets that are either connected to a remote TCP port or are bound to a given local TCP port.
Checks a system for any network interfaces in promiscuous mode. This may indicate that an attacker has broken in and started a packet snooping program.
Lsof version 3 lists open files for running UNIX processes. It is a descendant of ofiles, fstat, lsof version 1, and lsof version 2.
Strobe is a network tool that locates and describes all listening tcp ports on a remote host or on many hosts in a network.ToC
A TCP port probing program is fairly self-explanatory. It is known to work on Unix workstations but the C code is fairly portable.ToC
Displays a list of all TCP connections and the corresponding user name along with the process identifier associated with each connection.ToC
"tpage" or "Tom's Pager System" is a set of programs that let you send messages to alpha- numeric pagers using the "IXO" protocol. It supports a dialing directory, a "who's on duty now" schedule, and can do special tricks with RFC822-format email. The system has several features. Tpage sends pages to any pager system that supports the IXO protocol and additional protocols can be added. Tpage can parse email messages and extract the interesting info from them resulting in shorter messages. Tpage can also copy its input to stdout and therefore can be used as a "tee". It also maintains a directory of people's phone numbers/PINs and can page "the person on duty" by searching a schedule. Schedule can have slots that are empty, but find someone anyway if the message is marked "urgent". With programs like procmail, tpage permits you to send certain email messages to your pager. And lastly, a list of modems can be given to the daemon.ToC
PGP is a program that gives electronic mail something that it otherwise doesn't have: privacy. It does this by encrypting your mail so that nobody but the intended person can read it. When encrypted, the message looks like a meaningless jumble of random characters.
This distribution makes available a nearly public-domain public key encryption system. Included are functions implementing the algorithm, functions implementing related capabilities including a DES implementation for recipients in the USA, and a program, rpem, that implements a simple Privacy Enhanced Mail system. The principal applications provided are: rpem - a program to encrypt a file into an encapsulated postscript file suitable for inclusion in a mail message. The program is somewhat compatible with RFC 1113. makerkey - a program to create public keys, both public and private components, for use with rpem. Some miscellaneous applications are also included with RPEM.
If you have a multihomed Sun server/workstation (2 or more Ethernet interfaces) which performs routing, and have a problem with IP headers being forged with no router on the system to assist, then this package will allow you to set up packet filters for each interface, much like those which can be set up in Ciscos and others. Packets going in or out can be filtered. They can be logged, blocked, or passed. You can filter on any combination of TCP flags, the various ICMP types, as well as the standard variations on IP source-destination address pairs (with variable netmasks) and source-destination ports for TCP and UDP. Packets with non-standard IP header lengths, such as those with source routing information inside, can be selected apart from standard packets. There is no need to worry about fragments, as only complete IP packets are examined.
Forces all TCP and UDP packets to pass through an access control list facility for screening.
Provides a daemon and kernel modifications to allow all packets to be filtered based on source address, destination address, or any other byte or set of bytes in the packet.
The TCP/Wrappers program monitors and filters incoming requests for network services such as TFTP, EXEC, FTP, RSH, TELNET, RLOGIN, FINGER, and SYSTAT. This package provides tiny daemon wrapper programs that can be installed without any changes to existing software or existing configuration files. The wrappers report the name of the remote host and of the requested service; the wrappers do not exchange information with the remote process and impose no overhead on the actual communication between the client and server. Optional features are: access control to restrict what systems can connect to network daemons, remote user name lookups with the RFC 931 protocol, and additional protection against hosts that pretend to have someone else's host name or address.
tcpdump is similar to Sun's etherfind. It captures packets from an Ethernet in promiscuous mode and displays their content. Numerous options exist to filter the output down to only those packets of interest.
access_list_examples is a series of Perl scripts that allow one to quickly and easily configure ACL entries for firewall routers.
fwtk is a software kit for building and maintaining internetwork firewalls. It is distributed in source code form with all modules written in the C programming language. fwtk runs on many BSD UNIX derived platforms.
gau currently supports access to the Internet through the use of a firewall system. All internal systems are hidden behind a firewall or gateway from the Internet. These utilities allow users from inside the network to get to archives and services on the Internet without requiring that they have an account on the gateway system.
SOCKS is a package that allows hosts behind a firewall to gain full access to the Internet without requiring direct IP reachability. It works by redirecting requests to talk to Internet sites to a server that authorizes the connection.
Tcpr is a set of Perl scripts that enable ftp and telnet commands to be run across a firewall. Forwarding takes place at the application level for easy control.
Used for relaying X Window System connections across network firewalls.
This package consists of 2 components. udprelay is a daemon process which runs on a bastion system and forwards UDP packets in and out of a firewalled network as directed by a configuration file. Rsendto.c provides the routines Rsendto and Rrecvfrom, which allow tunneling through the bastion to arbitrary outside hosts. Rsendto and Rrecvfrom communicate with udprelay using UDP packets encapsulated in a wrapper that includes the address of the remote host/port to transfer traffic to.
When you want to lock the door after all kosher modloads and kmem writes have happened, attempt to open the device (for example, add "sh -c '
This program is intended to cause an intruder who does not know the system to trip alarms, so that the rightful system administrators will notice and respond.
fake_rshd echoes the specified arguments to the remote system after satisfying a minimal subset of the rshd protocol. It works with the TCP Wrapper to send an arbitrary message back to someone trying to make an rsh/rlogin connection.
Rsucker is a Perl script that acts as a fake r* daemon and logs the attempt to syslog. It is a byte sucker for r* commands.
This program uses the DES algorithm to read and write encrypted data. If no file name is given on the command line, des uses standard input or output. The key string is transformed by a one-way function into an 8-byte key, which is then used by the algorithm. If no key is given on the command line, des asks for one with getpass(3). Des encrypts when given a flag and decrypts with a given flag. With the flag, des encrypts normally, but it doesn't produce encrypted output; instead it prints an 8-byte cryptographic checksum of the input data.
Descore is a package containing just the core DES functionality: specifying keys, encryption and decryption. It is for those who want to implement such things as DES filters rather than UNIX password crackers.
This kit builds a DES encryption library and a DES encryption program. It supports ecb, cbc, ofb, cfb, triple ecb, triple cbc and MIT's pcbc encryption modes and also has a fast implementation of crypt(3). It contains support routines to read keys from a terminal, generate a random key, generate a key from an arbitrary length string, and read/write encrypted data from/to a file descriptor. The implementation was written so as to conform with the manual entry for the des_crypt(3) library routines from MIT's Project Athena.
Snuffle is a pair of generic hash-based encryption and decryption programs. Snuffle and unsnuffle turn any good one-way hash function, such as Merkle's Snefru, into a reasonably fast private-key encryption method. You must have Snefru or something providing the same Hash512() interface for snuffle and unsnuffle to work. Snuffle is rather portable provided the Hash512() interface is present.
ACMAINT, which stands for An Account Creation and Maintenance System for Distributed UNIX Systems, is a network-based, centralized database system used to manage account creation and maintenance, similar to NIS/YP.
Chrootuid makes it easy to run a network service at a low privilege level and with restricted file system access. At Eindhoven University they use this program to run the gopher and www (world-wide web) network daemons in a minimal environment. The daemons have access only to their own directory tree and run under a low-privileged userid. The arrangement greatly reduces the impact of possible loopholes in daemon software.
Op is a tool designed to allow customizable super-user access. A user can do anything from emulating a super-user shell with no password at all, to allowing only one or two users access via login names or special passwords that are neither root's nor their own. As an added bonus, for those commands that you would like users to be able to run but whose arguments need to be restricted, you can configure that as well (e.g., if you want your users to be able to mount NFS file systems).
Replacement for the rdist software distribution utility that originated in Berkeley UNIX and is now shipped with most vendors' releases. In addition to a number of new features and improvements, this version has had all known rdist security holes fixed. This version does not need to run set-user-id "root", unlike the standard version.
Sudo is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow people to get their work done. The purpose of sudo is to make super-user access easier, self-documenting, and controlled. The sudo control file is called /usr/local/adm/sudoers. You were given 'all' permissions which means you have unlimited super-user access. You may have already been given a lecture at some point as to the moral and social etiquette that you should observe as a super-user. With super-user permissions, it is possible to do great damage by accident. With super-user permissions you may look at any file you wish. Resist all temptation to look in other people's personal files.
ypx is a utility to transfer a NIS map from any host running a ypserv daemon. ypx is similar to ypcat, with some additions. To be able to transfer a map, a domain name must be specified. Unfortunately there is no way to ask the remote host about its domain name, so it must already be known or guessed to transfer a map successfully. If none is specified, the hostname of the remote host is used as the domain name. ypx is able to guess the remote domain name by trying parts of the hostname, but only if guessing is enabled with the -g option. If the -s option is used, ypx will connect to the sendmail daemon, read the hostname, and parse that too, to be used as additional guesses. Finally, any additional strings on the command line will be added to the list of domain name guesses.
dnswalk is a DNS debugger. It performs zone transfers of specified domains and checks the database in numerous ways for internal consistency as well as accuracy. dnswalk requires perl and dig.
This was developed for sun4c machines under SunOS 4.1.2. The author believes it should work for any 4.1.x system, possibly with minor tweaks. It treats tcp_iss as a CRC accumulator into which it hashes every IP output packet. This is perhaps not as strong as it might be, but it is better than what was used before, and if the machine is at all busy on the network the attacker faces essentially random sequence numbers. It does cost some CPU cycles for each output packet.
This is a decompiled C version of the infamous Internet Worm released in November 1988. It is not very readable!
Merlin is an HTTP front-end system that allows point-and-click internal vulnerability scanning. Merlin runs in conjunction with the Netscape browser and any security package, such as COPS, Crack, TAMU-tiger, etc. Simply download the desired security packages and then run Merlin. Merlin makes system scanning easy with its innovative HTTP interface. Merlin is a useful tool for system administrators who have little time to perform the necessary security scans.
A network security analyzer that scans systems connected to the network, noting the existence of well-known, often exploited vulnerabilities.
STREAMS is a pushable-module/driver tap. The driver is a kernel-loadable module, meaning no reboot is required. STREAMS is a combination of a STREAMS module and a STREAMS driver. The pushed tap module passes all downstream M_DATA messages coming from above to the tapc0 driver, upstream on the read side, and all upstream M_DATA messages coming from below to the tapc1 driver, upstream on the read side. All messages coming downstream from the tapc? drivers are discarded.
This program will fill the wtmp and utmp entries corresponding to the entered username. It also zeros out the last-login data for that user, so that fingering the user will show 'Never Logged In'.