Security Utilities

Overview
There are a number of important security functions that firewalls do not fulfill, such as vulnerability
analysis and disk encryption. This chapter covers the software utilities that we've found to be
especially useful and a good value in our security practice.
You have to be cautious when using multiple small-scale tools to provide security; they are not
integrated, they are usually not robust, and they invariably rely upon the strength of the operating
system's TCP/IP stack, which could be vulnerable to denial-of-service attacks and other problems.
The lack of integration among numerous security utilities causes the "Swiss cheese" effect, where a
combination of separated tools leaves holes through your bastion host. Multiple tools can't prevent
problems that integrated solutions can. For example, using a separate NAT and proxy is an either/or
solution: you can either proxy a protocol or you can use NAT to pass it to the Internet. Good
firewalls can both proxy and perform Network Address Translation on connections flowing through,
thus providing stronger security.
Some security is always better than no security (as long as you aren't lulled into complacency by
thinking your solution is stronger than it is). Given the budget realities in many small organizations,
we think it's better to do what you can within the limits of your resources.
Note The security tools presented in this chapter are not replacements for firewalls, and they
should not be used instead of firewalls.
This chapter presents security utilities for Windows or Unix; they hold by far the most market share
among bastion hosts. This chapter should not be considered an exhaustive review of small security
utilities—rather, it's a mixed tool bag of software we know works well over the long term.
Software You Already Have
You should be aware of what the operating system utilities you already have can do for you.
Windows and Unix come with a wide range of security-related tools that you can use to monitor
your network. Other operating systems like NetWare and the Macintosh OS are considerably more
limited in this respect.
Unix/Linux Utilities
The first step to securing your Unix or Linux computer is to know what's going on inside it. Most
Unix services are quite happy to tell you everything you'd like to know about their operation in the
syslog, which you can either check by hand or scan automatically if you like. Top will show you
whether there's something unusual running and eating up your system resources, netstat will identify
which ports are open and who's connecting to them, find and grep are your automated file searching
tools, and diff will show you differences between files.
syslog
There is a file to which Unix services append status messages (using the syslog daemon) when
they start up, when they fail, and when they have denied access to a user due to a security
violation. This file is /var/log/messages in later versions of Linux; other versions of Unix may give it
another name, but it serves the same purpose—and it does no good if you don't review it. An
example snippet of a syslog follows, in which you can determine that someone is attempting and
failing to use the SMTP service (which has been configured to use password authentication to foil
spammers using it as an open relay), and someone else has successfully used the FTP service.
Oct 19 09:31:04 blahtech smtp(pam_unix)[4878]: check pass; user unknown
Oct 19 09:31:04 blahtech smtp(pam_unix)[4878]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Oct 19 09:31:06 blahtech server cx29073-a.zone3.townsville.home.com [24.0.99.202] cmd read[4878]: NOQUEUE: cx29073-a.zone3.townsville.home.com [24.0.99.202] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 19 09:31:12 blahtech smtp(pam_unix)[4879]: check pass; user unknown
Oct 19 09:31:12 blahtech smtp(pam_unix)[4879]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Oct 19 09:31:14 blahtech server cx29073-a.zone3.townsville.home.com [24.0.99.202] cmd read[4879]: NOQUEUE: cx29073-a.zone3.townsville.home.com [24.0.99.202] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct 19 10:50:16 blahtech ftpd[5041]: FTP LOGIN FROM associatedproducts.com [11.221.232.90], phillip
Oct 19 10:51:28 blahtech ftpd[5041]: FTP session closed
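As an added example (not from the chapter), a small Python scanner that does the automatic check the text mentions, run over a constructed copy of the excerpt above: it counts PAM authentication failures per service and pulls out successful FTP logins with their source address.

```python
import re
from collections import Counter

# Constructed sample in the shape of the syslog excerpt above (the chapter's
# illustrative host names and addresses, trimmed to the lines that matter).
SAMPLE_LOG = """\
Oct 19 09:31:04 blahtech smtp(pam_unix)[4878]: check pass; user unknown
Oct 19 09:31:04 blahtech smtp(pam_unix)[4878]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Oct 19 09:31:12 blahtech smtp(pam_unix)[4879]: check pass; user unknown
Oct 19 09:31:12 blahtech smtp(pam_unix)[4879]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Oct 19 10:50:16 blahtech ftpd[5041]: FTP LOGIN FROM associatedproducts.com [11.221.232.90], phillip
Oct 19 10:51:28 blahtech ftpd[5041]: FTP session closed
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FTP_LOGIN_RE = re.compile(
    r"FTP LOGIN FROM (?P<src>\S+) \[(?P<ip>[\d.]+)\], (?P<user>\S+)"
)


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not fit the layout."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(text):
    """Count PAM authentication failures per program and collect successful FTP logins.

    A run of failures against the SMTP service is the pattern the chapter describes
    (someone trying to authenticate to the relay); a successful FTP login from an
    unfamiliar address is the kind of event you want to account for by hand.
    """
    auth_failures = Counter()
    ftp_logins = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate lines in another format rather than abort the scan
        if "authentication failure" in rec["msg"]:
            auth_failures[rec["prog"]] += 1
        m = FTP_LOGIN_RE.search(rec["msg"])
        if m:
            ftp_logins.append((m["user"], m["ip"]))
    return {"auth_failures": dict(auth_failures), "ftp_logins": ftp_logins}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```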
top
When your Unix mail server slows down, are you being hacked or is the machine merely processing
a lot of requests? You can find out by using the top command, which can show you the most
resource-intensive processes running in the computer, sorted by percentage of CPU used or
percentage of memory used.
  8:05am  up 22 days, 21:44,  5 users,  load average: 0.00, 0.00, 0.00
68 processes: 67 sleeping, 1 running, 0 zombie, 0 stopped
CPU states:  0.5% user,  0.1% system,  0.0% nice, 99.2% idle
Mem:   384408K av,  373068K used,   11340K free,       0K shrd,   49524K buff
Swap: 1052344K av,       0K used, 1052344K free                  157720K cached

  PID USER     PRI  NI  SIZE  RSS SHARE STAT %CPU %MEM   TIME COMMAND
16581 root      16   0  1056 1056   836 R     0.3  0.2   0:00 top
    1 root       8   0   544  544   472 S     0.0  0.1   0:04 init
    2 root       8   0     0    0     0 SW    0.0  0.0   0:00 keventd
    3 root       9   0     0    0     0 SW    0.0  0.0   0:00 kapm-idled
    4 root       9   0     0    0     0 SW    0.0  0.0   0:00 kswapd
    5 root       9   0     0    0     0 SW    0.0  0.0   0:00 kreclaimd
    6 root       9   0     0    0     0 SW    0.0  0.0   0:00 bdflush
    7 root       9   0     0    0     0 SW    0.0  0.0   0:00 kupdated
    8 root      -1 -20     0    0     0 SW<   0.0  0.0   0:00 mdrecoveryd
   73 root       9   0     0    0     0 SW    0.0  0.0   0:00 khubd
  601 root       9   0   600  600   500 S     0.0  0.1   0:27 syslogd
  606 root       9   0  1104 1104   456 S     0.0  0.2   0:00 klogd
  620 rpc        9   0   596  596   504 S     0.0  0.1   0:00 portmap
  635 rpcuser    9   0   772  772   668 S     0.0  0.2   0:00 rpc.statd
  759 root       8   0   532  532   464 S     0.0  0.1   0:00 apmd
  810 root       9   0   648  648   544 S     0.0  0.1   0:00 automount
  822 daemon     9   0   584  584   508 S     0.0  0.1   0:00 atd
netstat
Which ports are currently open on your Unix server? You could use a port scan package to find out,
but the operating system itself will tell you and also inform you of the active connections to those
ports. Netstat is the command to show open and active ports in most versions of Unix. An example
output of netstat -l follows:
[root@anonymous /root]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:exec                  *:*                     LISTEN
tcp        0      0 *:32768                 *:*                     LISTEN
tcp        0      0 *:5801                  *:*                     LISTEN
tcp        0      0 *:5802                  *:*                     LISTEN
tcp        0      0 *:5901                  *:*                     LISTEN
tcp        0      0 *:5902                  *:*                     LISTEN
tcp        0      0 *:pop3                  *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:webcache              *:*                     LISTEN
tcp        0      0 *:x11                   *:*                     LISTEN
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      0 *:6001                  *:*                     LISTEN
tcp        0      0 *:6002                  *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:https                 *:*                     LISTEN
tcp        0      0 *:3389                  *:*                     LISTEN
udp        0      0 *:32768                 *:*
udp        0      0 *:811                   *:*
udp        0      0 *:sunrpc                *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     1197   /dev/gpmctl
unix  2      [ ACC ]     STREAM     LISTENING     3380   /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     8390   /tmp/.X11-unix/X1
unix  2      [ ACC ]     STREAM     LISTENING     39835  /tmp/.X11-unix/X2
unix  2      [ ACC ]     STREAM     LISTENING     1237   /tmp/.font-unix/fs7100
When examining the open ports on your servers, you should look for anomalous behavior that could
be indicative of a back door or Trojan horse. Why, for example, would the Linux server in the above
example be listening on port 3389, which is the Windows Terminal Services port? Since Linux does
not provide Terminal Services support, that open port is suspicious and requires further
investigation.
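An added example, not part of the chapter, of the baseline comparison just described: it parses a constructed netstat -l listing in the layout shown above and reports every listener that is not in an assumed list of services this host is supposed to offer (the expected set and the subset of sockets are assumptions for illustration).

```python
# Constructed excerpt in the layout of the netstat -l listing above (a subset of
# its sockets; "netstat -n" would print numeric ports instead of service names).
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:pop3                  *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      0 *:3389                  *:*                     LISTEN
tcp        0      0 *:6001                  *:*                     LISTEN
udp        0      0 *:sunrpc                *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     1197   /dev/gpmctl
"""

# Service names netstat substitutes for well-known ports (a subset of /etc/services).
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "smtp": 25, "http": 80, "pop3": 110,
                 "sunrpc": 111, "https": 443, "x11": 6000, "webcache": 8080}

# What this bastion host is supposed to offer: an assumed baseline. In practice you
# record it from a known-good state and keep it under change control.
EXPECTED = {("tcp", 22), ("tcp", 25), ("tcp", 80), ("tcp", 110), ("udp", 111)}


def listening_sockets(text):
    """Return (proto, local_addr, port_label, port_number) for each TCP/UDP listener."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        # Only Internet-socket rows start with tcp/udp; headers and UNIX sockets are skipped.
        if len(parts) < 4 or parts[0] not in ("tcp", "udp"):
            continue
        addr, label = parts[3].rsplit(":", 1)
        number = int(label) if label.isdigit() else SERVICE_PORTS.get(label)
        socks.append((parts[0], addr, label, number))
    return socks


def unexpected_listeners(text, expected=EXPECTED):
    """Listeners whose (proto, port) is not in the baseline; here the 3389 and 6001 rows."""
    return [s for s in listening_sockets(text)
            if (s[0], s[3]) not in expected]


if __name__ == "__main__":
    for proto, addr, label, number in unexpected_listeners(NETSTAT_OUTPUT):
        print("unexpected listener: %s %s:%s (port %s)" % (proto, addr, label, number))
```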
IPChains/ipf
When you set up a firewall with Linux and IPChains (or BSD and ipf), you instruct the computer on
which packets to allow through and which ones to drop. To keep your network secure you need
more than that—you also need to know when your network is under attack and when those rules
are being violated. You can configure IPChains to log whenever a rule is activated (such as denying
ICMP packets) to the syslog. You can then browse the log for entries such as:
Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254
The various fields are broken down as follows:
1. The input chain originated the log message.
2. DENY indicates that the packet was denied.
3. The packet came in on eth0.
4. PROTO=17 announces that this was a UDP packet.
5. 192.168.2.1:53 shows the source IP and port numbers (or ICMP type) of the packet.
6. 192.168.1.1:1025 is the packet's destination IP and port numbers (or ICMP type).
7. L=34 shows the length of the packet to be 34 bytes.
8. The Type of Service field S=0x00 indicates that no TOS bits were set.
9. I=18 is the IP Identifier.
10. F=0x0000 indicates that this is not a fragment.
11. The Time To Live field T=254 is decremented at every router hop for the packet.
To log a rule's activations in IPChains, include the -l flag in the specific rule you want to log.
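An added example, not the chapter's own code, that parses an IPChains log entry into the eleven fields just listed. The sample line is a constructed copy of the entry shown above; the fragment test goes slightly beyond the text in that it also recognizes the Don't Fragment bit as not making the packet a fragment.

```python
import re

# Constructed copy of the log entry shown above.
SAMPLE = ("Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 "
          "L=34 S=0x00 I=18 F=0x0000 T=254")

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Field order as the chapter breaks it down: chain, action, interface, PROTO, src:port,
# dst:port, L (length), S (TOS), I (IP id), F (fragment field), T (TTL).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)


def parse_ipchains(line):
    """Turn one IPChains syslog entry into typed fields; None if the line is something else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    frag = int(d["frag"], 16)
    return {
        "chain": d["chain"], "action": d["action"], "iface": d["iface"],
        "proto": proto, "proto_name": PROTO_NAMES.get(proto, "other"),
        # For ICMP the two port slots carry the message type, as the list above notes.
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["length"]), "tos": int(d["tos"], 16), "ipid": int(d["ipid"]),
        # F= is the raw 16-bit fragment field: 0x4000 is Don't Fragment, 0x2000 is More
        # Fragments, the low 13 bits are the offset. A packet is a fragment when MF is set
        # or the offset is non-zero; DF alone (F=0x4000) is still a whole datagram.
        "fragment_field": frag,
        "is_fragment": bool(frag & 0x2000) or bool(frag & 0x1FFF),
        "ttl": int(d["ttl"]),
    }


def describe(rec):
    """Render a parsed entry in the same terms as the field breakdown above."""
    return ("{chain} chain: {action} on {iface}, {proto_name} {src}:{sport} -> {dst}:{dport}, "
            "{length} bytes, TOS 0x{tos:02x}, IP id {ipid}, {fragtext}, TTL {ttl}").format(
        fragtext="fragment" if rec["is_fragment"] else "not a fragment", **rec)


if __name__ == "__main__":
    print(describe(parse_ipchains(SAMPLE)))
```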
Windows Utilities
Like Unix, Windows comes with a number of small tools to assist you in security administration. The
Windows built-in tools aren't quite as comprehensive as the set that comes with Unix, so you'll
probably wind up supplementing them with third-party utilities.
Windows Event Viewer
The Windows Event Viewer utility displays system logs and allows you to filter the display to show
certain types of events. The security log includes security violations, such as account lockouts. Any
auditing you turn on with the User Manager's Audit Policy dialog box also causes events to be
written to these logs. You have to enable security logging in the User Manager for anything to
happen, since all auditing is disabled by default.
Event Viewer is located in the Administrative Tools menu under the Start menu. When you first run
the Event Viewer utility, a list of events in the system log is displayed. An icon indicating its
significance precedes each entry. Figure 13.1 shows the Windows Event Viewer.
Figure 13.1: The Windows Event Viewer showing the security log

Windows Network Monitor
The Windows Network Monitor allows you to capture network packets and display information about
them in extremely detailed form and with the protocols clarified. This can be a useful tool for
monitoring the usage of the network, as well as searching for specific packets to track down security
problems.
Before Network Monitor can be used, you must install the Network Monitor Agent on one or more
computers and the Network Monitor Tools and Agent service on the computer from which you will
do the monitoring.
To install these services under Windows NT, open the Network Control Panel. Select the Services
tab, then click Add to add a service. Select the appropriate service (either Network Monitor Agent or
Network Monitor Tools and Agent) and click OK. You must then restart the computer. Figure 13.2
shows the Windows Network Monitor performing a packet analysis.
Figure 13.2: The Windows Network Monitor
The version of Network Monitor included with Windows can only capture packets coming from and
going to the current workstation, which limits its use as a packet sniffer. This should be sufficient for
a bastion host because all Internet traffic must go through the machine. The version included with
Microsoft SMS (Systems Management Server) can capture all packets. This version may be more
useful to perform diagnostics or just get an idea of the type of information a hacker could obtain by
packet sniffing.
Performance Monitor
The Performance Monitor utility is one of the most useful Windows utilities for optimizing and
monitoring performance and also has a few uses relating to security. To run this utility, select
Performance Monitor from the Administrative Tools menu.
Performance Monitor deals with individual parameters, called counters, that relate to the system.
You can use the View menu to switch between four methods of monitoring these counters:
• Chart Displays a running graph of selected counters.
• Alert Allows you to set minimum and maximum values for one or more parameters. You are
alerted when a counter crosses one of these values.
• Log Creates a log of specified counters to a disk file.
• Report Allows you to create a customized report based on counter information.
There are a wide variety of counter categories available in Performance Monitor, each of which
includes several counters. The Server category includes several counters dealing with security:
• Errors Access Permissions The number of times users have attempted to access files
without proper access. A high number might indicate that a hacker is searching for
accessible files.
• Errors Logon The number of invalid logon attempts. A dramatic increase in this counter
may indicate that a hacker is attempting to guess a password, or running a program to try
passwords in succession.
• Logon/sec The number of logons per second. A change in this value may indicate that an
intruder is repeatedly logging in and out, perhaps trying different default accounts.
Depending on your needs, other counters may be useful. For example, you can monitor network
use and errors for the TCP/IP protocol using the TCP counter. Figure 13.3 shows the IP counter
being examined for the number of datagrams received per second. Unfortunately, to use and alert
on events using the Performance Monitor, you must be logged in, so it's typically most useful for
investigating suspected hacking activity.
Figure 13.3: The Performance Monitor
CACLS
CACLS (Command-line Access Control Lists) is a Windows command-line utility that provides fine
control over the assignment of permissions to files and directories. Since CACLS is a
command-line utility, you can use it in batch files to perform mass changes to the permission
structure of your drives.
Warning Be careful of the order in which you perform permission changes so that you don't deny
yourself access before you can grant it! Always add new access permissions first, then
delete inappropriate permissions.
When you type in CACLS with no command-line parameters, you'll see the instructions on how to
use it, as shown in Figure 13.4.
Figure 13.4: The CACLS Permissions Tool

Most of the functionality of CACLS is described by the above commands, but there are a few things
you should be aware of that are not immediately apparent:
• If you type CACLS with the name of a file or directory, the permissions for that file or
directory are displayed. This is useful for showing exactly who has permission to what before
you change anything. You can also save this information as a text file and later use a
command interpreter like qbasic.exe to rebuild permissions.
• If you don't include the /E (edit) switch, the access control list is completely replaced. The
access control list for an object is then created anew. You should usually include the /E
switch.
• Accounts (user or group) with spaces in their identifiers (like "Domain Users") must be
preceded by a single (") character, as shown here. Accounts without spaces do not require a
quote.
CACLS . /E /R "NETROPOLIS\Domain Users
• You can use a period to specify the current directory. Wildcards will show all files in the
current directory.
• Use the /T operator to show or change permissions from the current location and in all
subdirectories thereafter. The command below will record permissions for every file on your
hard disk to a text file:
CACLS C:\*.* /T >C:\PERMIT.TXT
You can use batch files to control the functionality of CACLS; otherwise, there is little advantage to
using it instead of the desktop explorer to change permissions on an NTFS volume.
Cross Platform Tools
Let's take a look at some tools that work with various platforms.
NSLOOKUP
NSLOOKUP (Name Server Lookup) is used to resolve Internet names to IP addresses. When you
type in NSLOOKUP with no command-line parameters, and then type "?" at the greater-than
prompt, you'll see instructions on how to use the command (this is true for most versions).
Typically, you'd use NSLOOKUP to resolve an IP address given a name, as in:
C:\>Nslookup www.ibm.com

This command will return the IP address of IBM's web server. Unlike most command-line utilities,
NSLOOKUP has two modes of operation. If you type NSLOOKUP [name] and press return,
NSLOOKUP will resolve the address using your default name server, return the results, and exit
back to the command prompt. If you provide no parameters when you launch NSLOOKUP, it will
run as a Unix-style command-line program, complete with its own prompt and list of commands.
You can then use these various commands to perform all sorts of name server–related functions,
such as changing your default name server. The use of most of these commands is esoteric and
usually not necessary except for troubleshooting purposes.
PING
Ping is used to send ICMP echo messages (pings) to a remote host to determine if the host is
available for further TCP/IP traffic. Ping is so often used to test for the existence of hosts and for the
proper operation of network clients that it is commonly used as a verb among TCP/IP network
integrators, as in "Did you ping the server?"
Ping is especially useful as a remote link status monitor. Using the continuous ping option (-t in
Windows, -l in Linux (the default), and -s in most commercial Unix implementations), you can open
a command shell and use the text output as a running second-by-second indicator of the
connection status between the monitoring host and the monitored host. In Windows and
X-Windows, you can open as many command shells as you want in order to monitor numerous
hosts constantly. You can also use a scripting language to e-mail or page you when the link status
changes.
You can control the various ICMP message parameters of the generated ping packet using the
available parameters. Most of these options are used only during esoteric troubleshooting sessions.
Tip The success of a simple ping request can be used to determine exactly how a malfunctioning
client is operating. If a ping to another computer succeeds, you know that the Physical layer,
Data Link layer, and Network layer are all functioning correctly and that any communications
problems you may be experiencing must be occurring in higher layers.
Hackers also use ping for various detrimental purposes. For instance, you can generate a Ping of
Death from Windows 95 machines by typing the following:
C:\>Ping 10.1.1.1 -l 65510 -n 1000
The Ping of Death generates exceptionally large (>64K) and malformed ICMP echo requests that
are transmitted to hosts with delicate TCP/IP stacks. Many TCP/IP implementations will crash when
they can't decipher an ICMP message correctly, so these Ping-of-Death attacks can be used to
crash some TCP/IP servers remotely. Windows NT was susceptible to various Ping-of-Death
attacks prior to Service Pack 3, and may remain susceptible to some undiscovered attacks.
Note Microsoft eliminated the ability to generate a Ping of Death in versions of Windows later than
95. This limitation doesn't affect other operating systems like Linux.
Telnet
Telnet is used to establish console user sessions with multi-user computers. Windows NT does not
support multiple simultaneous users interactively, so it does not have a Telnet server. Windows
2000 does support Telnet for administrative services and allows two simultaneous users. The Telnet