BOFH Software Information
This page is here to provide a list of software that you should
consider installing on your network to secure both your network
and any individual machines you have on it.
Each package has a URL and a brief description.
-
sendmail
"What?!?!", you say. "How can you suggest sendmail?" The answer is easy.
I simply suggest the latest version of sendmail, and it is available here.
Most of the recent releases of sendmail have been security bug fixes
and if you don't upgrade to the most recent version, you're asking for
trouble.
One of the best things about sendmail is the author. Eric Allman
normally takes security very seriously. The reason that there are
so many problems with sendmail is two-fold:
- When Eric first wrote it he wrote it with functionality in mind
and not security. (Who ever could have guessed how prevalent the
Internet would become 10 years ago?)
- It's huge. For anyone who has ever had to engage in mortal combat
with the configuration file, you realize the code just to parse that
is as far from trivial as is imaginable.
Occasionally you'll hear people suggest using one of the other mailers
(smail for instance) but for the most part these people also believe
that security through obscurity is a great idea.
Update: I've heard good things about qmail recently, but
haven't looked at it myself. However, it can't be as bad as some
of the others.
Update: Ok, I finally got around to grabbing qmail and at
least looking at it. If you can get past the sermons, it appears to
be well written code. The qmail source is about 15,000 lines of C, this
is in comparison to roughly 75,000 lines for sendmail. Bernstein has
done a good job of creating subroutines to make sure that he's doing bounds
checking and return code checking all through the code. This isn't good,
it's great.
-
perl
Perl is really a requirement for any system as a general rule. Additionally,
it is mandatory for some software packages, such as SATAN.
However, perhaps more important is the fact that Perl is security aware.
Unlike any other programming language (that I know) Perl has an idea
of how to deal with untrusted user input in a trusted environment. Any
WWW programmer that doesn't use Perl programs with the -T
option for taint checking is setting themselves up for the kill. One
of the reasons taint checking is good is that it understands what
Tom Christiansen has called "the associative property of security".
This means that not only does it understand about receiving input
from users, it worries about potentially bad input from other "trusted"
programs.
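
As an added illustration (not part of the original page), the script below shows taint mode treating both direct user input and the output of another program as untrusted until it has been validated. The sample values and the helper names `untaint_username` and `try_command` are constructed for this example.

```perl
#!/usr/bin/perl -T
# Added example, not from the original page. Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

$| = 1;
# Taint mode refuses to start external commands until the environment is cleaned.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Zero-length tainted string; appending it marks a constructed sample as
# tainted, the way a real CGI parameter would arrive.
my $TAINT = substr($^X, 0, 0);

# Validate against a strict pattern; only a regex capture clears the taint flag.
sub untaint_username {
    my ($raw) = @_;
    return $raw =~ /\A([a-z][a-z0-9_]{0,31})\z/ ? $1 : undef;
}

# Try to hand a value to a shell command and report whether Perl allowed it.
sub try_command {
    my ($label, $value) = @_;
    my $ran = eval { system("echo lookup for $value"); 1 };
    (my $why = $@ // '') =~ s/ at .*//s;
    printf "%-16s tainted=%d %s\n", $label, tainted($value) ? 1 : 0,
        $ran ? 'allowed' : "blocked: $why";
}

# 1. Direct user input (constructed sample containing a shell metacharacter).
my $from_user = 'alice;echo injected' . $TAINT;

# 2. Output of another, "trusted" program: looks harmless, is still tainted.
chomp(my $from_helper = `echo alice`);

# 3. Data derived from tainted data inherits the flag.
my $derived = "user_$from_helper";

try_command('user input',    $from_user);
try_command('helper output', $from_helper);
try_command('derived value', $derived);

for my $raw ($from_user, $from_helper) {
    my $clean = untaint_username($raw);
    if (defined $clean) { try_command('validated', $clean) }
    else                { print "rejected by validation: $raw\n" }
}
```

The first three calls die with an "Insecure dependency" error before any command runs; only the value that passed through the validating capture reaches `system`.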
-
COPS
This is the precursor to SATAN.
It does basic integrity checks of your
local machine.
This is a good thing. Among other components, check out kuang.pl,
which is an actual example of how "the associative property of
security" is evaluated.
-
Crack
This is the most complete password guesser available. All administrators
should run it on their own password files periodically so that you
can be one step ahead if your system does get broken into. A small
useless fact to help you understand the need is that I have never
run Crack on an unchecked system and gotten less than 25% of the
user passwords (typically the number is closer to 40%).
Additionally, you can get
a whole bunch of dictionaries in order to guarantee that your
Crack job will probably never finish and your users will hate you.
Update: I've recently run Crack version 5.0, and I'll
tell you right now, it's downright scary. It guesses a lot of
passwords that I consider pretty damn good. The fact that it
guesses them now means that the standard for a good password has been
raised.
-
TCP Wrappers
This is an excellent package that allows you to control access to
various network services on a per-host or per-network basis. This is a
must.
-
Tripwire
This is a package that is used to see what has changed on your system, and
to create cryptographically secure signatures for all of your files.
In practice it is hard to use correctly, simply because it should be first
run on a system immediately after install, and before it is on the network.
Failure to do so reduces your confidence of security.
-
smrsh
SendMail Restricted SHell (smrsh). This is a shell wrapper for sendmail
that severely limits the number of things that can be executed by sendmail.
This is also a very good thing, although purportedly it is of limited
value with the newest versions of sendmail. Still, the idea of a
small amount of code processing the initial SMTP session instead of
sendmail is truly tantalizing.
-
SATAN
(or SANTA for the meek among you)
This is the much ballyhoo-d product for basically doing
COPS over the network.
(This is not particularly surprising since
Dan Farmer had his hand in both.)
In spite of all of the press, it is a useful product. The problem descriptions
are exceptional in their readability and detail.
-
SARA
This is an updated and upgraded version of SATAN.
It has a nice interface and appears to do a credible job. I'm going
to test this more soon, hopefully. (written 7/3/2001)
Other Useful Information
-
Data Comm Magazine Firewall Tests
-
Firewall Product Overview (thanks to
Carlos Eduardo Souza Lopes for
the pointer.)
-
Data Fellows World Wide Web Server
(A good source of information on computer viruses)
-
Internet Firewalls Frequently Asked Questions
-
Security Programs
Things that are NOT security problems
-
Good Times Virus
I'm so sick and tired of seeing this I could heave. It seems
that about every 3 months I get someone sending me frantic
mail telling me how horrific this is. The only thing that
makes this a virus is the fact that I can't stop these people
from sending me email about it.
-
PKUNZIP Virus
This is not a virus, it's a Trojan Horse. Basically, someone
took a version of PKUNZIP, made it malicious and then "released"
it and claimed it was the new version, 3.0. The latest version
of PKUNZIP is 2.4 something. Anything that claims to be more
recent than that should be investigated very carefully.
-
Unix/VMS/Multi-user OS of your choice viruses
There are several reasons that this isn't a problem.
- Source code distribution. Most of the free software that
people get from the net is source code, not executable. This means
that anyone can look at the code (and you'd be surprised how many
people do) to see the malicious code.
- Different privilege levels. Under DOS/Windows/MacOS there is
really only one user, and that user has access to everything. However,
in multi-user systems there is generally one user that has access to
everything, and ideally this person knows better than to run
arbitrary code. This being said, there have been some experiments
to see how long it takes for a malicious unprivileged program
to become fully privileged, and the results aren't encouraging. On
a highly loaded user system, the times were typically less than
an hour.
However, these operating systems can experience "Typhoid Mary Syndrome".
This is named after the 19th century woman who worked in a restaurant
and was a carrier of typhoid, but was not affected by it herself. As
a result, she infected a large number of people unwittingly. This
means, for instance, that a SCO Unix box serving Windows 3.1 applications
to other machines can infect those machines without the Unix system
ever being adversely affected.