Wietse's tools and papers

Some files have a (separate) PGP signature to protect you against trojanized versions.

This is my PGP public key. You can reach me personally as wietse@porcupine.org

Disclaimer

Table of Contents

• Wietse's Tools

• Wietse's Papers

The Coroner's Toolkit (TCT)

The Coroner's Toolkit is yet another result from the long-lasting collaboration between security researchers Dan Farmer (Earthlink) and Wietse Venema (IBM).

TCT is a collection of programs that can be used for a post-mortem analysis of a UNIX system after break-in. The software was presented first during a free Computer Forensics Analysis class in August 1999.

Postfix

Postfix is Wietse Venema's attempt to provide an alternative to the widely-used Sendmail program.

Postfix attempts to be fast, easy to administer, and secure, while at the same time being sendmail compatible enough to not upset existing users. Thus, the outside has a sendmail-ish flavor, but the inside is completely different.

This software was formerly known as VMailer. It was released by the end of 1998 as the IBM Secure Mailer. From then on it has lived on as Postfix.

SATAN (satan-1.1.1.tar.Z) | README file | PGP signature

For more than one year, the most famous piece of Internet vaporware. SATAN closes much of the knowledge gap between intruders and system administrators, by proposing how to fix problems. CERT-UU wrote a nice overview of the program, of vendor bulletins, and of alternative archive sites. Additional information can be found on this really slow site. This unusual program is the result of an even more unusual cooperation between unusual people: Wietse Venema and Dan Farmer.

port-scan (port-scan.tar.gz) | README file | PGP signature

Wietse Venema's UDP and TCP portscanners from the SATAN program. After all these years, people still seem to find these useful. I make this software available as a separate package so you don't have to deal with the rest of SATAN.

TCP Wrapper (tcp_wrappers_7.6.tar.gz) | BLURB file | PGP signature | Updated License

IPV6 version by Casper Dik (tcp_wrappers_7.6-ipv6.4.tar.gz) | PGP signature

Wietse Venema's network logger, also known as TCPD or LOG_TCP. These programs log the client host name of incoming telnet, ftp, rsh, rlogin, finger etc. requests. Security options are: access control per host, domain and/or service; detection of host name spoofing or host address spoofing; booby traps to implement an early-warning system. The current version supports the System V.4 TLI network programming interface (Solaris, DG/UX) in addition to the traditional BSD sockets.

See hints-and-tips.html if you have trouble compiling or configuring the software.

Chrootuid (chrootuid1.3.tar.gz) | README file | PGP signature | Updated License

Chrootuid makes it easy to run a network service at low privilege level and with restricted file system access. At Eindhoven University we use this program to run the gopher and www (world-wide web) network daemons in a minimal environment: the daemons have access only to their own directory tree, and run under a low-privileged userid. The arrangement greatly reduces the impact of possible loopholes in daemon software.

Apache shell (sh-apache.tar.gz) | README file | PGP signature | License

A minimal shell program for use with Apache web servers running inside a chroot jail. This shell program drops privileges when run as root, and does not support any shell metacharacters.

Portmap (portmap_4.tar.gz) | BLURB file | PGP signature

Replacement portmapper with access control. Makes it somewhat harder to attack your RPC daemons, for example to steal YP password maps or NFS file handles. Must be linked against a library produced with a recent tcp wrapper release (see above). Tested with SunOS 4.1.x. Also supports HP-UX 9.0, AIX 3.x (bsdcc compiler with -D_SUN), AIX 4.x and Digital UNIX (OSF/1). If you run SunOS 4, the securelib library (see above) is better because it can also cope with direct attacks on your RPC daemons (i.e. attacks without assistance from portmap).

Rpcbind (rpcbind_2.1.tar.gz) | README file | PGP signature

Replacement rpcbind program (the System V.4 portmapper) that prevents intruders from bypassing your NFS export restrictions. Derived from a legal copy of the SunOS 5.3 rpcbind source code. This version refuses requests sent by remote clients to TCP or UDP ports other than 111.

Logdaemon (logdaemon-5.13.tar.gz) | README file | PGP signature | Updated License

• Rlogin and rsh daemons that log the remote user name as well as the remote host name, with tcp_wrapper access control. These daemons are believed to be drop-in replacements for SunOS 4.x, Ultrix 4.x and SunOS 5.x (Solaris 2.x).

• Login replacement supporting S/Key one-time passwords, SecureNet keycard one-time passwords, per-user/host/terminal access control, and with fascist login failure logging (tested with SunOS 4.x and 5.x). Probably works with HP-UX 9.x, IRIX 5.3, Digital UNIX.

• Ftp daemon that supports S/Key one-time passwords, SecureNet keycard one-time passwords, fascist login failure logging, and logging of anonymous FTP xfers (tested with SunOS 4.x and 5.x). Probably works with Ultrix 4.x, HP-UX 9.x, IRIX 5.3, Digital UNIX.

• Rexec daemon that supports S/Key one-time passwords, fascist login failure logging, and that blocks access to the root account (tested with SunOS 4.x and 5.x). Probably works with Ultrix 4.x, HP-UX 9.x, IRIX 5.3, Digital UNIX.

Unproto (unproto5.shar.Z)

A wrapper program that upgrades your traditional C compiler to something that understands a very large subset of ANSI C, including stdarg-style variadic functions. The program is a wrapper around the C preprocessor that on the fly translates ANSI C to traditional C. It comes with a set of ANSI-compatible include files.

Yapasswd (yapasswd.tar.Z) | PGP signature

Yet another password command for SunOS 4.x and 5.x. No shadow support, uses insecure NIS, but we depend on it anyway.

Agetty (agetty.shar.Z)

A flexible getty (portmon) replacement for System V Release 2, SunOS 4.x, and SunOS 5.x. Automagically adapts to parity settings, erase characters etcetera. This is another program that my sanity depends on when I hook up modems or terminals to my own machines.

murphy.ps.gz (postscript)

murphy.txt.gz (ascii)

"Murphy's law and computer security", a paper presented at the Sixth USENIX Security Symposium (San Jose, July 1996). The title should have been "Lessons learned from errors in my own software and from those by other people", but that did not sound as sexy.

admin-guide-to-cracking.101.Z (ascii)

Slightly updated version of an article that was posted to Usenet on December 2, 1993, titled: "Improving the security of your site by breaking into it." by Dan Farmer and Wietse Venema. The paper explains to the administrator what crackers have known for a long time.

The paper also announces a piece of security software called SATAN (Security Administrator Tool for Analyzing Networks). It took the authors more than a year to fulfill their promise.

SATAN demo release (satan_doc.tar.Z) | README file | PGP signature

Updated version of the SATAN documentation release on March 15, 1995. This archive contains a sample database that illustrates a lot of the problems that SATAN can find for you.

tcp_wrapper.ps.Z (postscript)

tcp_wrapper.txt.Z (ascii)

Presented at the 3rd UNIX Security Symposium (Baltimore, September 1992). Describes the development of the TCP Wrapper tool (aka the log_tcp package) to trace a malicious Dutch computer cracker (see also: An evening with Berferd by Bill Cheswick).

tcp_wrapper.dutch.ps.Z (postscript)

tcp_wrapper.dutch.txt.Z (ascii)

Text (in Dutch!) of a presentation given at the 23 april 1992 security meeting of the NLUUG (Dutch UNIX users group) and SURF (network provider for the Dutch universities).