Computer Protection Program Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory
PROCEDURES FOR SECURING SYSTEMS
Unix Security Tool Kit

Achieving a suitable level of security in Unix systems is possible, but it is quite a challenge. The most important thing you can do to secure your Unix systems is to ensure they are properly configured. See CERT Tech Tips for an excellent checklist of the things to do to correctly configure Unix systems for security.

Once you have configured your Unix systems correctly, you may have special security needs that cannot be met by your systems’ built-in functionality. In this case, you may want to deploy one or more of the many Unix security tools (most of which are in the public domain) that are available.

anlpasswd (http://www.lbl.gov/ITSD/CIS/UNIX/Software/modules/anlpasswd.html)

anlpasswd is a password filter. A password filter weeds out bad (easy to guess) passwords each time a user tries to change a password, forcing the user to enter another password until an acceptable one is entered. It replaces passwd and (if NIS is run) yppasswd, comparing candidate passwords against a comprehensive dictionary using password cracker rule sets.

bind patch (ftp://ftp.vix.com/pub/bind)

Various versions of the bind program have numerous security vulnerabilities that can be easily exploited by attackers. bind patch is a patched version of bind in which these vulnerabilities are fixed, and it is therefore much more secure.

crack (http://www.packetstormsecurity.org)

Crack is a password cracking tool that uses a dictionary of precomputed candidate passwords to break passwords. Crack can be used to discover weak passwords chosen by users. If you choose the -mail option in connection with the crack command, it can also send mail to users whose passwords have been cracked. Note: Crack should be run only by the system administrator(s) or people whom the system administrator authorizes in writing.

fix_modes (ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/fix-modes/)

Default modes, especially on critical system configuration files and binaries, are often bad (e.g., world-writable) from a security perspective. fix_modes will reset bad modes to better values.

ifstatus (ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/ifstatus/)

ifstatus displays the status of network interfaces. Most importantly, it determines whether interfaces are in promiscuous (sniffing) mode. Attackers will often reset a network interface on a victim system to promiscuous mode to sniff passwords and other critical information, so checking the status of all interfaces is critical for security.

John the Ripper (http://www.packetstormsecurity.org/)

This, like Crack, is a password cracking tool. This tool should be run only by the system administrator(s) or people whom the system administrator authorizes in writing.

logdaemon (http://wuarchive.wustl.edu/packages/security/logdaemon/)

This very handy tool allows you to install special rsh and rlogin daemons that log the remote username and enforce special access controls. It also provides ftpd and login software that supports the SecureNet card, and it provides S/KEY (one-time password) authentication for use when it is impossible to replace the /bin/login program.

NFSBug (ftp://ftp.cs.vu.nl/pub/leendert/nfsbug.shar)

NFSBug tests Unix hosts for well-known NFS problems and bugs. It finds world-exportable file systems, tests whether the export list really works, determines whether someone can mount file systems through the portmapper, attempts to guess file handles, and attempts to exploit the mknod bug and uid masking bugs.

NFSWatch (ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/nfswatch/)

NFS traffic does not show up in mainstream logs such as utmp, wtmp, pacct, and others. NFSWatch monitors all incoming network traffic to an NFS file server and sorts it into several categories.

noshell (ftp://ftp.cerias.purdue.edu/pub/tools/unix)

This program is a replacement shell for disabled accounts. When someone uses login, rlogin, telnet, rsh, rcp, or ftp to attempt to access any of these accounts, noshell sends a message to a specified account. This message specifies the remote host attempting access as well as the remote user (if user information is available).

npasswd (ftp://ftp.cc.utexas.edu/pub/npasswd)

This is another password filter program that prevents users from selecting easy-to-guess passwords. It is designed to replace passwd, chfn, and chsh.

passwd+ (ftp://ftp.dartmouth.edu/pub/security)

passwd+ is still another password filter program. It replaces the passwd program and also lets users change other account attributes, such as the login shell and the GECOS information, for each login account.

portmapper (http://www.ja.net/CERT/Software/portmapper/)

This is a replacement for the built-in portmap program, which is riddled with security holes. It incorporates access control capabilities for RPC-based services such as NFS and NIS.

rpcbind (ftp://ftp.win.tue.nl/pub/security)

This is a replacement for the hole-ridden rpcbind program. It limits remote access to NIS, NFS, and other RPC-based services using a TCP wrapper type of mechanism.

rscan (ftp://ftp.vis.colostate.edu/pub)

rscan is a facility that enables system administrators to run scanner scripts on one or more IRIX or HP-UX hosts and produce nicely formatted reports.

Solaris migration toolkit (http://www.sun.com/smcc/solaris-migration)

This toolkit supports secure migration from legacy versions of Sun operating systems to more recent ones.

sudo (ftp://ftp.cerias.purdue.edu/pub/tools/unix)

sudo enables system administrators to assign to particular users (or groups) the ability to execute a certain command or set of commands as root. It allows the administrator to give restricted root access.

swatch (ftp://ftp.cerias.purdue.edu/pub/tools/unix)

swatch monitors messages as syslog writes them to a log file.

tcp wrapper tool (ftp://ftp.cerias.purdue.edu/pub/tools/unix)

This tool monitors and selectively filters incoming requests for network services such as systat, finger, ftp, telnet, rlogin, rsh, exec, tftp, talk, and others.

Tiger (ftp://ftp.cerias.purdue.edu/pub/tools/unix)

Tiger is a set of scripts that find security weaknesses in hosts. It is similar to COPS, but is more complete (in that it looks for a greater number of weaknesses) and more up-to-date.

Titan (http://www.fish.com/titan/)

This tool improves the security of Solaris systems by blocking entry points into a host, resisting various types of denial of service attacks, enabling or elevating the level of logging and auditing features, enhancing host- and network-based security mechanisms, and helping in defining and enforcing a system security policy.

Tripwire (ftp://ftp.cerias.purdue.edu/pub/tools/unix)

Unix attackers often replace system binaries, change configuration files, and make other changes to systems to which they gain unauthorized access. Tripwire uses a variety of cryptographic and hashing algorithms to detect changes in directories and files. It thus serves both as an intrusion detection tool and as a means of checking system integrity.

xinetd (http://www.xinetd.org/ OR ftp://quclab.scn.rain.com/pub/security)

This is a more secure implementation of inetd.