|
Unix Tools
|
|
|
Network Security Tools
-
-
ipacl
-
- logdaemon
-
- portmap
-
- rpcbind
-
-
- SATAN
-
- screend
-
- securelib
-
- TCP Wrappers
-
- xinetd
The ipacl package from Siemens. Forces all TCP and UDP packets to
pass through an access control list facility. The configuration
file allows packets to be accepted, rejected, conditionally accepted,
and conditionally rejected based on characteristics such as source
address, destination address, source port number, and destination
port number. Should be portable to any system that uses System V
STREAMS for its network code.
![[Information]](/file/34401/Supernet21.iso/offline/w32/images/z0000103.GIF)
![[Download]](/file/34401/Supernet21.iso/offline/w32/images/z0000087.GIF)
The logdaemon package by Wietse Venema. Provides modified versions of
rshd, rlogind, ftpd, rexecd,
login, and telnetd that log significantly more
information than the standard vendor versions, enabling better auditing
of problems via the logfiles. Also includes support for the S/Key one-time
password package.
The portmap program by Wietse Venema. A replacement for the
standard portmap program that attempts to close all known holes
in portmap. This includes prevention of NIS password file
theft, prevention of unauthorized ypset commands, and
prevention of NFS file handle theft.
The rpcbind program by Wietse Venema. A replacement for
the Sun rpcbind program that offers access control and
copious logging. Allows host access control based on network
addresses.
SATAN, the System Administrator Tool for Analyzing Networks, is a network
security analyzer designed by
Dan Farmer and Wietse Venema. SATAN scans systems connected to the
network noting the existence of well known, often exploited
vulnerabilities. For each type of problem found, SATAN offers a tutorial
that explains the problem and what can be done.
For additional information, see:
Documentation
SATAN
The screend package by Jeff Mogul. Provides a daemon and
kernel modifications to allow all packets to be filtered based on
source address, destination address, or any other byte or set of bytes
in the packet. Should work on most systems that use Berkeley-style
networking in the kernel, but requires kernel modifications (i.e.,
kernel source code).
The securelib package by William LeFebvre. Provides a replacement
shared library from SunOS 4.1.x systems that offers new versions of the
accept, recvfrom, and recvmsg networking
system calls. These calls are compatible with the originals, except that
they check the address of the machine initiating the connection to make
sure it is allowed to connect, based on the contents of the configuration
file. The advantage of this approach is that it can be installed without
recompiling any software.
The tcp_wrapper package by Wietse Venema. Formerly called
log_tcp. Allows monitoring and control over who connects
to a hosts TFTP, EXEC, FTP, RSH, TELNET, RLOGIN, FINGER, and SYSTAT
ports. Also includes a library so that other programs can be controlled
and monitored in the same fashion.
xinetd is a replacement for inetd, the internet services daemon. It
supports access control based on the address of the remote host and the
time of access. It also provide extensive logging capabilities, including
server start time, remote host address, remote username, server run time,
and actions requested.
[CIAC Home Page]
[Disclaimer]
Last modified: Friday, 18-Oct-96 17:14:01 PDT
CIAC / webmaster@ciac.llnl.gov
SATAN