Host Security

The host security directory contains software which can assist a system administrator in increasing and maintaining the level of security on their systems. (A number of the host intrusion detection software packages are also listed here in host security.)

o ACUA (& RADACUA)
  ACUA is a software package designed to facilitate the administration of user accounts and the enforcement of access restrictions on a Linux system. ACUA is most often used on systems that host modem pools such as ISPs, BBSs, school dial-ups and business dial-ups. RADACUA is a version of ACUA designed to operate with RADIUS servers.

o Cain & Abel
  Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary and brute-force attacks, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

o checkinstall
  Installs a compiled program from the program's source directory using "make install" or any other command supplied on checkinstall's command line. checkinstall will create a Slackware, RPM or Debian compatible package and install it using your distribution's standard package administration utilities.

o chkrootkit
  chkrootkit is a shell script that checks system binaries for rootkit modification. It checks a number of things inside a number of system binaries, checks if any network interfaces are in promiscuous mode, checks for lastlog deletions, checks for wtmp deletions, checks for wtmpx deletions (Solaris only), and checks for signs of LKM trojans.

o chrootuid
  chrootuid runs a command in a restricted environment. Uses include running network services at a low privilege level and with restricted filesystem access. Now available under a BSD-style license.

o Forensics
  # Autopsy
    The Autopsy Forensic Browser is a graphical interface to the command line digital forensic analysis tools in The Sleuth Kit. Together, The Sleuth Kit and Autopsy provide many of the same features as commercial digital forensics tools for the analysis of Windows and UNIX file systems (NTFS, FAT, FFS, EXT2FS, and EXT3FS). The Sleuth Kit and Autopsy are both Open Source and run on UNIX platforms. As Autopsy is HTML-based, the investigator can connect to the Autopsy server from any platform using an HTML browser. Autopsy provides a "File Manager"-like interface and shows details about deleted data and file system structures.
  # FLAG
    FLAG was designed to simplify the process of log file analysis and forensic investigations. Often, when investigating a large case, a great deal of data needs to be analysed and correlated. FLAG uses a database as a backend to assist in managing the large volumes of data. This allows FLAG to remain responsive and expedites data manipulation operations. Since FLAG is web based, it can be deployed on a central server and shared with a number of users at the same time.
  # The Sleuth Kit
    The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file system forensic tools that allow an investigator to examine NTFS, FAT, FFS, EXT2FS, and EXT3FS file systems of a suspect computer in a non-intrusive fashion. The tools have a layer-based design and can extract data from internal file system structures. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown.
  # The Coroner's Toolkit
    The Coroner's Toolkit (TCT) is a collection of tools designed to assist in a forensic examination of a computer. It is primarily designed for Unix systems, but it can do a small amount of data collection and analysis from non-Unix disks/media.
  # TCTUTILS
    TCTUTILS uses functions and structures from The Coroner's Toolkit (TCT) and provides further functionality. The biggest new addition is the utility 'fls', which processes a directory inode. It allows deleted file names to be displayed and allows the file structure of a drive image to be examined.

o imp
  Imp is a NetWare password cracking utility with a GUI (Win95/NT). It loads account information directly from NDS or Bindery files and allows the user to attempt to compromise the account passwords with various attack methods.

o John The Ripper
  John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, and BeOS. Its primary purpose is to detect weak Unix passwords, but a number of other hash types are supported as well.

o lsof
  Lsof is a UNIX-specific tool. Its name stands for LiSt Open Files, and it does just that. It lists information about files that are open by the processes running on a UNIX system.

o mdcrack
  mdcrack is an md5/md4/NTLM1 hash brute forcer. It takes a number of arguments, including minimum password size and leading and/or trailing partial strings, and brute-forces from this information to discover what input and/or what collisions will match the user-supplied hash.

o OS Hardening
  # Bastille Linux
    The Bastille Hardening System attempts to "harden" or "tighten" Unix operating systems. It currently supports Red Hat, Debian, Mandrake and even HP-UX systems, with support on the way for SuSE and TurboLinux.
  # harden_suse
    harden_suse is a system security script for SuSE Linux only. It makes several changes to the system configuration to make the operating system very secure and therefore very resistant to local as well as remote attacks.
  # Titan
    Titan is a collection of programs, each of which either fixes or tightens one or more potential security problems with a particular aspect in the setup or configuration of a Unix system. Conceived and created by Brad Powell, it was written in Bourne shell, and its simple modular design makes it trivial for anyone who can write a shell script or program to add to it, as well as to completely understand the internal workings of the system.

o pam_passwdqc
  pam_passwdqc is a simple password strength checking module for PAM-aware password changing programs, such as passwd(1). In addition to checking regular passwords, it offers support for passphrases and can provide randomly generated passwords. All features are optional and can be (re-)configured without rebuilding.

o Secure Deletion
  # fwipe
    fwipe is a secure file deletion/overwrite utility for Unix, written in C. fwipe is immune to filenames containing spaces, carriage returns, dashes, or any other special characters. You can use it in place of rm in cron jobs, together with "find ... -print0". The output of fwipe is specially designed to be parsed easily by machine, so it can be embedded in other applications which need secure file erasure.
  # ncrypt
    A file encryptor/decryptor/wiper used for data encryption of files, built from the ground up with security and privacy in mind, especially on shared systems.
  # overwrite
    Overwrite is a UNIX utility that tries to make data recovery harder. What overwrite does is overwrite files using random patterns and deterministic patterns, as suggested in Peter Gutmann's paper "Secure Deletion of Data from Magnetic and Solid-State Memory".
  # srm
    srm is a secure replacement for rm(1). Unlike the standard rm, it overwrites the data in the target files before unlinking them. This prevents command-line recovery of the data by examining the raw block device. It may also help frustrate physical examination of the disk, although it's unlikely that it can completely prevent that type of recovery. It is, essentially, a paper shredder for sensitive files.
  # (THC) Secure Delete
    THC's Secure Delete toolkit provides 4 programs: srm, for secure deletion; sfill, for secure overwriting and cleaning of unused disk space; sswap, for secure overwriting and cleaning of the swap filesystem (must be unmounted; tested only on Linux); and smem, for secure overwriting and cleaning of RAM (memory).
  # wipe
    Wipe is a secure file wiping utility for Unix. For wipe to be effective, a number of filesystem and drive caching considerations must be made. Therefore, we strongly recommend that users read about and understand the methods used for file wiping and the assumptions on which their security is based.

o shadow
  shadow is a shadow password suite for Linux. Most Linux users will know this package as "shadow utils". We are mirroring the source code of the package here.

o slocate
  Secure locate provides a secure way to index and quickly search for files on your system. It uses incremental encoding just like GNU locate to compress its database to make searching faster, but it will also check file permissions and ownership so that users will not see files they do not have access to.

o syslog-ng
  syslog-ng, as the name shows, is a syslogd replacement, but with new functionality for the new generation. The original syslogd allows messages only to be sorted based on priority/facility pairs; syslog-ng adds the possibility to filter based on message contents using regular expressions. Forwarding logs over TCP and remembering all forwarding hops makes it ideal for firewalled environments.

o whowatch
  whowatch is an interactive who-like program that displays information about the users currently logged on to the machine, in real time. Besides standard information (login name, tty, host, user's process), the type of the connection (i.e. telnet or ssh) is shown. You can toggle the display between users' command or idle time. You can watch the process tree, navigate in it and send INT and KILL signals.

(Note: This list of software and information available at Wiretapped is not exhaustive. Users are encouraged to browse and search the archive and read any available "-README.txt" files.)