[198] in linux-security and linux-alert archive
SATAN information
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Sat Apr 8 07:54:32 1995
From: okir@monad.swb.de (Olaf Kirch)
To: linux-security@tarsier.cv.nrao.edu
Date: Sat, 8 Apr 1995 02:35:22 +0200 (MET DST)
Cc: alex@bach.cis.temple.edu, juphoff@tarsier.cv.nrao.edu (Jeff Uphoff)
[mod: This is a draft for general information about SATAN vs. Linux.
Right now, I'm posting this only to linux-security in case people have
something to add. I'd like to make this more widely available later if
necessary. --okir]
    "SATAN is like a gun, and this is handing a gun to a 12-year old."
                      -- LA Times, according to the SATAN docs
What is SATAN?
--------------
The acronym stands for Security Analysis Tools for Auditing Networks. The
core of SATAN is a set of scripts that can run various security checks on
one or more remote hosts and display the output with an HTML viewer.
On one hand, this lets relatively inexperienced system administrators check
their system for security holes; on the other hand, it lets the average
wannabe-cracker find out about them too. BUT: this does not mean SATAN
actually helps people break into your system. It shows where the weak spots
are and tells you what the problem is, but it never actually breaks into a
system. And unless you really know what you're doing, the tools in SATAN
won't even help you a lot in cracking someone else's system.
To understand some of the information presented by SATAN, it may be useful
to know that one of the central concepts in SATAN is trust. In this
context, the term describes the ability of processes on a remote host to
access services on the machine in question. Letting users from host
foobar.com log in without a password is one special form of trust; but
SATAN considers letting them log in *at all* an act of trust, too.
For more information, please refer to the online documentation that comes
with SATAN.
What problems does SATAN probe for?
-----------------------------------
Here's a list of things SATAN probes for:
  * Scan UDP and TCP ports for interesting services.
  * Scan the portmapper for interesting services.
  * Availability of the rex RPC service.
  * World-exported NFS volumes.
  * Ability to mount NFS volumes either directly from mountd
    or through a portmapper proxy call.
  * Ability to access files in /etc through TFTP.
  * Writable FTP home directory.
  * X servers allowing unauthenticated access.
  * Wildcard hostname in /etc/hosts.equiv.
  * Probing host's name in /etc/hosts.equiv.
  * sendmail prior to version 8.6.10.
Please note that this list is incomplete. There are a few other things
SATAN checks for that I either found not interesting enough to mention
or I was too stupid to notice.
All in all, these checks are by no means a gun in the hands of a minor.
Fixes to problems reported by SATAN
-----------------------------------
Here are fixes to various problems SATAN may complain about when probing
a Linux box.
rex:    I'm not aware of any rex implementation for Linux. If you have
        one, disable it. (Note: the RPC-based rex service is *not* the same
        as rexec, which is based on plain TCP.)

NFS:    * World-exported NFS volumes: usually not what you want. If you
          need to export a directory to a large number of hosts, use
          the wildcard feature of Linux nfsd. To avoid IP address
          spoofing, either set `nospoof on' in /etc/host.conf or
          get the latest nfsd.
        * Mounting NFS volumes through the portmapper: get portmap_3.
          You can compile portmap_3 both with tcp-wrapper access control
          and without. In the former case, you'll also need libwrap.a
          from the tcp_wrapper package.

TFTP:   If you don't need tftp, disable it in inetd.conf. If you do need
        it, make sure to specify on the command line only those
        directories you actually wish to provide access to.

FTP:    Unlike much older documentation claimed, ftp's home directory
        should not be owned by ftp itself. Better chown it to root,
        ftpadmin, or whoever. If you run wu-ftpd, you may also want
        to consult the manpage about restricting specific operations
        such as MKDIR and CHMOD.

X11:    When using host-based access, never run `xhost +'. If possible,
        use user-based authentication such as MIT-MAGIC-COOKIE. This is
        the default when logging in via xdm. With xinit, this requires
        some tweaking (see Volume 8 of O'Reilly's X series).

hosts.equiv:
        * Wildcard hostnames are evil. Don't use them.
        * Normal trust is OK, I guess. SATAN will still complain
          about this under some circumstances, but this is often due to
          having things like `localhost' in hosts.equiv.

sendmail:
        Run sendmail 8.6.10 or later.
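The following script is an added example, not part of Olaf's post and not
part of SATAN: it checks a Linux box locally for the hosts.equiv, NFS,
host.conf, TFTP and FTP conditions the fixes above describe, so you can
confirm a fix took effect without running SATAN against yourself. It
assumes the classic file formats: a "+" entry as the hosts.equiv wildcard,
the /etc/exports syntax of the old Linux nfsd (path, optional client,
optional parenthesised options), and the inetd.conf field layout
"service type proto wait user server argv0 args...". The default paths and
the sample file contents in the usage note are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from Olaf's post or SATAN): local audit for the
# settings the fixes section tells you to change. Every check takes an
# optional file or directory path so it can be pointed at a copy, and
# returns 0 when the problem is PRESENT and 1 when it is absent or the
# file does not exist.

# hosts.equiv: a line that is just "+" (optionally followed by a user
# field) is the wildcard that trusts every host on the network.
hosts_equiv_has_wildcard() {
    f="${1:-/etc/hosts.equiv}"
    [ -r "$f" ] || return 1
    grep -E '^[[:space:]]*[+]([[:space:]]|$)' "$f" >/dev/null
}

# /etc/exports (old Linux nfsd format, assumed): an entry with no client
# ("/dir"), with options only ("/dir (rw)") or with a "*" client is
# exported to the whole world.
exports_world_exported() {
    f="${1:-/etc/exports}"
    [ -r "$f" ] || return 1
    sed -e 's/#.*//' "$f" | awk 'NF == 1 || $2 ~ /^[(*]/ { found = 1 }
                                 END { exit !found }'
}

# /etc/host.conf: "nospoof on" makes the resolver cross-check reverse and
# forward lookups; its absence is the spoofing exposure the post mentions.
host_conf_lacks_nospoof() {
    f="${1:-/etc/host.conf}"
    [ -r "$f" ] || return 1
    ! grep -E '^[[:space:]]*nospoof[[:space:]]+on' "$f" >/dev/null
}

# inetd.conf layout assumed: service type proto wait user server argv0
# [dirs...], so directory arguments to in.tftpd start at field 8. An
# active tftp line with fewer than 8 fields serves the whole filesystem
# (which is how /etc becomes readable through TFTP).
tftp_unrestricted() {
    f="${1:-/etc/inetd.conf}"
    [ -r "$f" ] || return 1
    awk '$1 == "tftp" && NF < 8 { found = 1 } END { exit !found }' "$f"
}

# The FTP home directory should not be owned by the ftp account itself.
# $1 is the directory, $2 the account name to compare the owner against.
ftp_home_owned_by() {
    dir="${1:-/home/ftp}"
    owner="${2:-ftp}"
    [ -d "$dir" ] || return 1
    [ "$(ls -ld "$dir" | awk '{ print $3 }')" = "$owner" ]
}

# Run every check against the default system paths, print one line per
# finding and return the number of findings.
run_audit() {
    n=0
    if hosts_equiv_has_wildcard; then
        echo "hosts.equiv: wildcard entry trusts every host"; n=$((n + 1)); fi
    if exports_world_exported; then
        echo "exports: at least one volume is exported to the world"; n=$((n + 1)); fi
    if host_conf_lacks_nospoof; then
        echo "host.conf: 'nospoof on' is not set"; n=$((n + 1)); fi
    if tftp_unrestricted; then
        echo "inetd.conf: tftp is enabled without a directory restriction"; n=$((n + 1)); fi
    if ftp_home_owned_by; then
        echo "ftp: home directory is owned by the ftp account"; n=$((n + 1)); fi
    return $n
}

run_audit
echo "findings: $?"
```

Run it as root so the files are readable, or call the individual functions
with explicit paths, e.g. `exports_world_exported /tmp/exports.new`, to
vet a configuration before installing it. Each check is deliberately
conservative about what counts as a finding (a "+@netgroup" entry in
hosts.equiv, for instance, is not flagged as a wildcard), so a clean run
here does not replace reading the files yourself.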
Linux and SATAN
---------------
To run SATAN on your Linux machine, you need to modify the source
slightly. You can get patches for this from linux.nrao.edu:/pub/security
or from fb0433.mathematik.th-darmstadt.de/pub/linux. Note: these patches
are ugly, because I just hacked the linux IP header files until the field
names agreed with what SATAN was expecting. They work for me, but they may
not work for you.
--Olaf
PS: For European users: I've also uploaded the latest version of nfsd to
fb0433. If you have problems reaching NRAO, try to get it from there.
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax