Wietse's software, technical hints and tips


Satan

If you have trouble using the SATAN program, please send your query to satan@fish2.com. Common questions will be answered by a robot.

However, the software is dead. For an open source scanner, have a look at http://www.nessus.org/

Portmap & Rpcbind

No bugs needed fixing recently.

To compile portmap on AIX version 5, you need to uncomment the line in the Makefile with SA_LEN = -DHAS_SA_LEN.

Logdaemon

CA-2001-34 does not apply. Logdaemon login doesn't use a static buffer for environment information. Moreover, logdaemon login accepts no environment information from standard input; logdaemon telnetd and rlogind accept no environment information from the network other than the remote terminal type.

SOLARIS 8: replace tcp6 by tcp for the logdaemon-ized services.

TCP Wrapper

On SOLARIS 8+ and AIX 4.3+ use the IPV6-enabled version by Casper Dik at ftp://ftp.porcupine.org/pub/security/index.html. Be sure to specify HAVE_IPV6 in the Makefile (see comments in that file for instructions).

If you run an IP version 6 enabled version of TCP Wrapper and still see connections from 0.0.0.0, you forgot to specify HAVE_IPV6 in the Makefile. or you forgot to specify tcp6 in the inetd.conf file.

If tcpd shell commands fail with a "bad option name" error message, have a look at the first paragraph of the hosts_options.5 document.

If tcpd access rules do not work as expected, run "tcpdchk -v" and see if its output matches your expectation. If that does not clear things up, please use the "tcpdmatch" command, report what it says, and also report what result you expected to get. Both commands come with the tcp wrapper source code. See tcpdchk.8 and tcpdmatch.8 for documentation (`nroff -man' format).

Otherwise, if you see connections from 0.0.0.0, someone may be portscanning your machine, by making brief connections that end before tcpd has a chance to run. If this happens a lot you might want to consider running a sniffer program such as tcpdump.

If tcpd banners and other features in hosts_options.5 do not work, please read the first paragraph of the hosts_options.5 manual page.

SOLARIS 7: the try-from command produces garbled output when run from, for example, rsh. In order to fix, remove the #ifdef TLI code in try-from.c.

SOLARIS: if you have trouble building TCP Wrapper, please look carefully at the error messages.

SOLARIS: if the build fails with with: "/usr/ucb/cc: language optional software package not installed" you must either spend $$ on the SUN C compiler, or you download and install GCC. See the SOLARIS FAQ at http://www.science.uva.nl/pub/solaris/solaris2.html

SOLARIS: if you have trouble building TCP Wrapper with GCC after upgrading the SOLARIS software, you are probably still using the include files from the PREVIOUS SOLARIS release (look at the exact error message). Fix: run the fixincludes command that comes with GCC, re-install GCC from scratch, or install GCC 2.8.

HP-UX: if you have trouble building TCP Wrapper, and the compilation fails with: "/usr/ccs/bin/ld: Unsatisfied symbols: yp_get_default_domain (code)", edit the Makefile and add -DUSE_GETDOMAIN to the definition of the BUGS macro.

LINUX: if you have trouble building TCP Wrapper version 7.5 get, the current version ftp://ftp.porcupine.org/pub/security/

LINUX: if the compilation fails with: "percent_m.c:17: conflicting types for `sys_errlist'", edit the "linux" entry in the Makefile, and add a -DSYS_ERRLIST_DEFINED directive like this:

linux:
	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o NETGROUP= \
	TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER -DSYS_ERRLIST_DEFINED" all