In addition to the custom scripts which have been written for specific
tasks at the University and the software specifically mentioned below,
several security tool archives are listed on the links page.
These scripts were written by MIS staff or other College of Engineering
sysadmins in order to monitor their systems and are shared here for
your benefit.
These are useful tools you can use to scan your system(s)
for known security holes and configuration vulnerabilities. NERDC
also offers a service of doing this scan for you. (If you want
this scan done, send email to security@eng.ufl.edu.)
A Unix shell which does not give a command line. Use this
for accounts which will only be used for POP or IMAP email.
By using this shell you ensure that if an intruder cracks
the password of such an account, they will still not be able to
log in interactively or run commands on your system.
Crack is a freeware program which is used to identify
easily guessable passwords. Many system administrators run
Crack as a regular procedure and notify account owners who
have crackable passwords. It is available through
CERT at: ftp://info.cert.org/pub/tools/crack
A replacement for the system passwd command
which does not accept poor passwords.
Shadow Passwords
If your operating system has shadow password capability,
you should use it. Under a shadow password system, the /etc/passwd file
does not contain the encrypted passwords. Instead, the encrypted
passwords are kept in a separate system file which is not world readable.
SSH implements secure terminal logins to your system(s),
replacing telnet and rlogin. All communication using SSH
is encrypted; thus, passwords are not transmitted as plaintext
across the network and cannot be sniffed.
The TCP/IP wrapper program provides additional network
logging information and gives system administrators the ability
to deny or allow access from certain systems or domains to
the host on which the service is installed.
MD5 is a cryptographic checksum program which you can use
to verify the integrity of system binaries. Using this program
you can produce MD5 checksums for all essential system binaries.
You can regularly produce these checksums again and compare them
against the originals to determine whether system binaries have
been altered or replaced.
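As an added example (not code from this page), a small POSIX shell script implementing the baseline-and-compare procedure just described: one function records a checksum manifest, the other re-checks it and prints only the files that differ. It assumes GNU md5sum; the demo files and paths are constructed stand-ins for real system binaries.

```shell
#!/bin/sh
# Added example: record MD5 checksums of a set of binaries once, then
# re-check them on a schedule. Assumes GNU md5sum (coreutils).
# Keep the manifest somewhere an intruder cannot rewrite (read-only media
# or another host); a checksum list stored beside the binaries can be
# edited along with them. md5sum itself is a binary worth baselining.

# make_baseline DIR MANIFEST
# Writes "md5  path" for every regular file under DIR, sorted by path.
make_baseline() {
    find "$1" -type f | sort | while read -r f; do md5sum "$f"; done > "$2"
}

# check_baseline MANIFEST
# Prints a CHANGED or MISSING line for each file that no longer matches.
# Returns 0 if everything matches, 1 otherwise. Nothing is printed when
# clean, so a cron job that mails its output stays silent until a file
# has been altered, replaced or removed.
check_baseline() {
    rc=0
    while read -r recorded path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$(md5sum "$path" | cut -d' ' -f1)" != "$recorded" ]; then
            echo "CHANGED  $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# Demo on constructed files standing in for /bin, /usr/bin and friends.
demo_dir=$(mktemp -d)
printf 'original login binary\n' > "$demo_dir/login"
printf 'original ls binary\n'    > "$demo_dir/ls"
make_baseline "$demo_dir" "$demo_dir.md5"
printf 'replaced login binary\n' > "$demo_dir/login"   # simulate a swapped binary
check_baseline "$demo_dir.md5" || echo "integrity check failed"
rm -rf "$demo_dir" "$demo_dir.md5"
```

Run make_baseline once from a known-good state, then put check_baseline in cron alongside the other hourly checks.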
ifstatus is a utility to identify network interfaces
which have been placed into debug or promiscuous mode. This mode
usually indicates the presence of a network sniffer.
This program produces no output unless it finds such an interface;
thus it is ideal to run frequently (once an hour) as a cron job.
If you have a modern cron which mails the output of cron jobs to the
owner, use a line like this:
00 * * * * /usr/local/etc/ifstatus
If you have a version of cron that doesn't do this, use the run-ifstatus shell
script instead (be sure to edit the script to include the proper
path to the command).
00 * * * * /usr/local/etc/run-ifstatus
Syslog monitoring tools
A number of tools have been created to help monitor your
syslogs for suspicious activity. Some of these include: LogScanner, Logcheck, Swatch, Logsurfer
Internet Security Scanner (ISS) is a program that will interrogate all
computers within a specified IP address range, determining the
security posture of each with respect to several common system
vulnerabilities. This software is available from Internet
Security Systems.
Security Administrator Tool for Analyzing Networks (SATAN) is a
testing and reporting tool which searches for known vulnerabilities.
Unfortunately it has not been updated in quite some time.
For further information about SATAN, see