If you administer a physically secure system and/or network, with trustworthy users and no external connections, you may be able to ignore security issues. Unless, of course, someone's finger slips while typing an rm command.

Most systems are not as isolated as this, in any case, and their administrators must not only worry about, but actually work to prevent security problems. This column is a flying look at some freeware to help administrators maintain a semblance of security on their systems.

Your first stop should be the Computer Emergency Response Team (CERT) FTP archive, available on cert.org. The /pub directory has sub-directories for ftp://cert.org/cert_advisories/ ftp://cert.org/cert_advisories/ clippings, papers, tech_tips, tools, vendors, etc. The tools directory contains a number of utilities, including cops, cpm, crack, lsof, md5, smrsh, tcp_wrappers, tripwire, and virus_scan.

COPS (Computer Oracle and Password System) is a particularly worthwhile tool. It checks the security status of your computer, giving you a report of suspected problems and recommended fixes. It includes a tool for ordinary users (Chkacct), which allows them to check their home directories for security problems.

Crack attempts to find "weak" passwords in your /etc/passwd file. This is a useful way to use up idle CPU cycles, but it could put you into a race with a cracker with a faster machine. A better solution is to keep users from setting weak passwords and/or keep the encrypted passwords invisible (see below).

CERT also publishes advisories related to security problems. These aren't always up to date, but they are authoritative. Keeping up with CERT's advisories may help you to foil at least some amateur crackers, and it will also give you an idea of your operating system's basic level of security. Send email to cert@cert.org for more information.

Password Security

If an intruder can find a valid password for your system, s/he is well on the way toward gaining root privileges. The first thing to do to avoid this is to educate your users. Passwords shouldn't be guessable, shared with friends, etc. Naive and/or lazy users can subvert any attempts at security.

You can cut down on the number of poor passwords by using a cracker, as mentioned above, or by checking all passwords as they are set. The Passwd+ distribution, written by Matt Bishop, does exactly this. It can be found in ftp://dartmouth.edu/pub/security, along with some other interesting tools and papers.

The open nature of the file /etc/passwd provides another weak spot. Despite the fact that UNIX passwords are encrypted, you may wish to hide them from outside surveillance. The shadow suite of password utilities takes care of this. You can find the suite in any comp.sources.misc archive (for example, ftp://ftp.uu.net/usenet/comp.sources.misc/.

Finally, if you have users that log in over the Internet, you should consider setting Kerberos. This is a computer-to-computer protocol that avoids sending the clear text of passwords through intervening (and possibly compromised) sites. Kerberos is available on ftp://athena-dist.mit.edu/pub/ATHENA/kerberos/.

TCP Security

If your machine is on the Internet, you should consider restricting some of the TCP services it offers. Do you, for instance, really want to allow outside attempts at NFS? The TCP Wrapper tool (see CERT, above) provides one way to control this. It provides both logging and control of TCP sessions.

The SOCKS package (available in ftp://s1.gov/pub/firewalls/ allows you to centralize all externally available services. It requires the initiating user to use a modified client, however, which can be a bit of a nuisance.

If your daemons have been modified to log problems to syslog, you can take advantage of Simple WATCHER (SWATCH). It monitors the log in real time, taking action when pre-set triggers are activated. SWATCH is available in ftp://sierra.stanford.edu/pub/sources/.

Other Resources

There are several Usenet groups that concern themselves with security. Try comp.risks, comp.security.* and perhaps alt.security. There are also some useful mailing lists, such as CERT's cert-advisory-request@cert.org and cert-tools-request@cert.org

Brent Chapman brent@GreatCircle.com maintains a mailing list on Firewalls Firewalls-Request@GreatCircle.com, and an FTP archive on ftp://ftp.greatcircle.com. The ftp://ftp.greatcircle.com/pub/firewalls/ directory contains a FAQ, archived papers, vendor information, etc.

Brent's Firewall tutorial Tutorial-Info@GreatCircle.com; +1 415 962 0841) was very helpful as a resource for this article. In particular, I am grateful to Robert Reinhardt breinhar@tomahawk.welch.jhu.edu for the useful pointers and package descriptions I obtained from his paper ("An Architectural Overview of UNIX Network Security").