Archive
Posts in Security
Logging connections to inetd services
When a Solaris server is configured to support network services, it is valuable to know which clients are connecting to those services. If the network service is controlled by inetd(1m), each connection can be logged by setting ENABLE_CONNECTION_LOGGING to "YES" in the /etc/default/inetd configuration file: If you are using Solaris 10, you can also use the new inetadm(1m) utility's "-M" (change the values of the specified inetd default properties) option to enable connection logging: This enables connection logging for all inetd-based services, and is identical to setting "ENABLE_CONNECTION_LOGGING=YES" in the /etc/default/inetd configuration file. If you are using Solaris 10, you can verify that connection logging is enabled by checking for "tcp_trace=TRUE" in the output of inetadm(1m) "-p" (lists all default inet service property values provided by inetd in the form of name=value pairs): Once connection logging is enabled, a system logfile entry similar to the following will be created for each new connection: This lists the client's IP address, the TCP source port, and the service (imaps in this example) the client tried to connect to…
Nifty OpenSSH 4.0 feature
I was reading through O'Reilly's OnLamp today, and came across their interview with the OpenBSD developers. In the interview, Dave Miller discussed the new features in OpenSSH 4.X, and described the following awesome new feature: "Added the ability to store hostnames added to ~/.ssh/known_hosts in a hashed format. This is a privacy feature that prevents a local attacker from learning other hosts that a user has accounts on from their known_hosts file." So instead of hostnames being stored in plain text like: yourhost.example.com ssh-rsa AAAB3NzaC1yc2EAAAABIwAAAIEAp832eeMwYH... they are hashed first, so they don't reveal the hostname…
Visualizing IP Filter and PF state tables
IP Filter is a stateful packet inspecting firewall that ships with FreeBSD and Solaris 10. Stateful packet inspecting firewalls use a state table to track established connections, which allows packets to traverse the firewall if they belong to an existing established connection. IP Filter comes with the ipfstat(1m) utility, which can be used to print connection statistics, rule definitions, and active connections. When ipfstat(1m) is invoked with the "-t" (Show the state table in a way similar to the way the Unix utility, top, shows the process table) option, a text-based graphical representation of the firewall's state table is continuously displayed: To adjust the refresh interval, an integer value can be passed to ipfstat's "-T" (Specifies how often the state top display should be updated) option: If you are using the PF firewall, you can use pftop(8) to get a text-based graphical representation of the PF state table: To adjust pftop(8)'s refresh interval, an integer value can be passed to pftop(8)'s "-s" (Set the delay between display updates to time seconds) option: I find myself frequently using these utilities, and find them super useful!
Managing PF logfiles with Hatchet!
I came across Hatchet while reading through my daily news. Hatchet is a program that summarizes PF logfiles, and it looks like an extremely useful piece of software!
SNORT Logfile Analysis
While perusing the SNORT website, I came across snortalog. This super useful program can be used to analyze snort and firewall logfiles, and produces vulnerability reports in ASCII TXT, HTML and PDF format. The folks who wrote snortalog did a killer job, and their software will definitely give the other vulnerability reporting tools a run for their money.