"The bad reputation Unix has gotten is totally undeserved, laid on by
people who don't understand, who have not gotten in there and tried anything."
Jim Joyce, owner of Jim Joyce's Unix Bookstore
Dennis M. Ritchie: On the Security of Unix.
Possibly the first paper on Unix security, written by one of the system's
designers. Ritchie discusses some of the most basic aspects of system security:
the setuid and setgid bits, internal denial of service, and so on.
Walter Belgers: UNIX Password Security.
This article analyses how much of the whole system's security rests on the
choice of an acceptable password; it also describes the Unix password hashing
mechanism (crypt), and how an attacker can "discover" a password.
Robert Morris, Ken Thompson: Password Security: A
Morris and Thompson (two of the most important names in Unix history) describe
here the design of the password crypt() mechanism, its first faults, its
David Feldmeier, Philip Karn: UNIX Password
Security: Ten Years Later.
Ten years after the previous paper (which dates from 1979), the authors
re-examine the vulnerabilities of the authentication mechanism shared by every
Unix system. Times have changed, and with newer hardware much faster attacks
are possible, so they present some solutions to these vulnerabilities.
Barton P. Miller, Lars Fredriksen, Bryan So: An
Empirical Study of the Reliability of Unix Utilities.
A study of the reliability and stability of common Unix tools when fed random
input. The authors reach a surprising conclusion: about a third of the tools
tested failed (crashed or hung). Fortunately, much has changed since then
(1989), and nowadays most Unices can be
Barton P. Miller, David Koski, Cjin Pheow Lee, Vivekananda Maganty, Ravi
Murthy, Ajitkumar Natarajan, Jeff Steidl: Fuzz
Revisited: A Re-examination of the Reliability of Unix Utilities and Services
In 1995 Barton P. Miller, one of the authors of the previous paper, re-examined
the reliability of Unix tools together with another group of researchers. There
had been a large improvement, but the most striking result is this: the most
reliable Unix system was Linux (Slackware), a free Unix clone that runs on
several platforms (i386 and SPARC among them) and is developed by programmers
from all over the world, with no big company behind them and with Linus
Torvalds as their leader.
Nathan P. Smith: Stack Smashing Vulnerabilities in
the Unix Operating System.
This paper presents and analyses the vulnerabilities of Unix systems that stem
from the ability to execute code placed on the stack (on Intel x86 and
compatibles). This is one of the most serious classes of Unix security flaws:
a single unchecked buffer copy in the source code of a process running with
root privileges turns into the possibility of privileged access for whoever
controls the input.
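As an added illustration of the flaw the paper describes (example code written for this page, not taken from Smith's paper): a fixed-size stack buffer filled with strcpy(), beside the bounded copy a privileged program should use instead. Function and buffer names are invented for the example; the vulnerable function is kept only for comparison and is never called with real input.

```c
/* Added example (not from Smith's paper): a fixed-size stack buffer filled
 * with strcpy() beside the bounded copy a setuid program should use. */
#include <stdio.h>
#include <string.h>

#define NAMELEN 16

/* Vulnerable: strcpy() copies until the NUL byte, so an argument longer than
 * NAMELEN-1 bytes overwrites whatever follows 'name' on the stack (saved
 * registers, the return address). Kept here for comparison only; never
 * call it with untrusted input. */
void greet_unsafe(const char *arg)
{
    char name[NAMELEN];
    strcpy(name, arg);             /* no length check: classic stack smash */
    printf("hello, %s\n", name);
}

/* Hardened: reject anything that does not fit, instead of overflowing or
 * truncating silently. Returns 0 on success, -1 when the input is too long. */
int copy_name_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen)
        return -1;                 /* would overflow, or leave no room for NUL */
    memcpy(dst, src, n + 1);       /* copies the terminating NUL too */
    return 0;
}

/* Same greeting, but an oversized argument is refused with an error. */
int greet_safe(const char *arg)
{
    char name[NAMELEN];
    if (copy_name_checked(name, sizeof name, arg) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", NAMELEN - 1);
        return -1;
    }
    printf("hello, %s\n", name);
    return 0;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "world";
    return greet_safe(arg) == 0 ? 0 : 1;
}
```

The check belongs on the length, not on the copy routine alone: strncpy() with the buffer size would stop the overflow but can leave the buffer without a terminating NUL, which turns the next printf() into an over-read.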
Matt Bishop: Race Conditions, Files and Security Flaws;
or the Tortoise and the Hare Redux.
In this paper Matt Bishop studies another of the most common Unix attacks: race
conditions between a check on a file and the use of that file. The study is
based on real examples (passwd, binmail...), and finally some solutions are
proposed.
Matt Bishop, Michael Dilger: Checking for Race
Conditions in File Accesses.
Continuing with race-condition attacks on Unix, this paper studies mechanisms
that allow these flaws to be detected when accessing
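An added example (not code from Bishop's papers) of the check-then-use pattern the two papers analyse: a symlink planted in a shared directory stands in for an attacker who has won the race, and the atomic open() that closes the window is shown beside it. Function and path names are this example's own; it assumes a POSIX system with O_NOFOLLOW (Linux or a BSD) and a writable /tmp. In a real attack the link target would be a file such as /etc/passwd that the victim process, running as root, can create or truncate.

```c
/* Added example (not from Bishop's papers): the access()/open() pattern the
 * papers analyse, beside an open() that cannot be redirected by a symlink
 * planted in a world-writable directory. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: check, then act. Between access() and open() an attacker
 * can replace 'path' with a symlink; here the link is already in place, which
 * is exactly what a won race looks like. O_CREAT without O_EXCL follows the
 * link and creates its target. Returns a descriptor or -1. */
int create_tmpfile_racy(const char *path)
{
    if (access(path, F_OK) == 0) {        /* "already exists": refuse */
        errno = EEXIST;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Safe version: one atomic call. O_EXCL makes open() fail if anything (a
 * symlink included) already occupies the name, and O_NOFOLLOW refuses to
 * follow a symlink as the last component. There is no separate check, so
 * there is no window to race. Returns a descriptor or -1 (EEXIST/ELOOP). */
int create_tmpfile_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Does 'path' exist as a regular file? lstat() so links are not followed. */
int is_regular_file(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Constructed layout under a private temp directory:
 *   <dir>/link -> <dir>/victim   (dangling link planted by the "attacker")
 * Returns 0 when the racy version created 'victim' through the link and the
 * safe version refused; -1 otherwise. Cleans up after itself. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/racedemo.XXXXXX";
    char linkpath[256], victim[256];
    int fd, ok = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(linkpath, sizeof linkpath, "%s/link", dir);

    if (symlink(victim, linkpath) == 0) {
        /* racy: access() says "does not exist" (the link dangles), then
         * open() follows the link and creates the victim file. */
        fd = create_tmpfile_racy(linkpath);
        int racy_created_victim = (fd >= 0) && is_regular_file(victim);
        if (fd >= 0) close(fd);
        unlink(victim);

        /* safe: O_EXCL|O_NOFOLLOW fails on the planted link, victim untouched. */
        fd = create_tmpfile_safe(linkpath);
        int safe_refused = (fd < 0) && !is_regular_file(victim);
        if (fd >= 0) close(fd);

        ok = (racy_created_victim && safe_refused) ? 0 : -1;
    }
    unlink(victim);
    unlink(linkpath);
    rmdir(dir);
    return ok;
}

int main(void)
{
    int r = demo_symlink_attack();
    printf("%s\n", r == 0 ? "racy open followed the symlink; safe open refused"
                          : "demo failed");
    return r == 0 ? 0 : 1;
}
```

The same reasoning applies to every check on a pathname (stat(), access(), lstat()) followed by a separate operation on that pathname: check the descriptor you already hold (fstat()) rather than the name, or make the operation itself fail when the name has changed, as O_EXCL does.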
Eugen Mate Bacic: UNIX & Security.
This paper discusses the usual Unix security measures: passwords, DAC
(Discretionary Access Control), auditing tools... It also covers the
classification of some Unix systems under the Orange Book (from the US DoD)
and the characteristics of those systems.
Robert T. Morris: A Weakness in the 4.2BSD Unix
Possibly the first paper in which the now well-known IP spoofing attack is
described. It explains the mechanism (guessing the TCP initial sequence number)
that allows an untrusted host to appear as a trusted one, and in this way gain
access to certain restricted services.
Matt Bishop: How to write a SetUID program.
In this paper Matt Bishop analyses the problems that arise from the existence
of setuid programs in Unix systems. He shows the potential attacks against
these programs, and also the basic rules for writing them safely.
David A. Curry: Improving the Security of your Unix
One of the classic articles on Unix security. The author makes an exhaustive
analysis of the threats to the system, the protection mechanisms Unix offers,
the rules to follow when offering network services, etc.
Geoff Morrison: UNIX Security Tools.
The author analyses the most common Unix security tools and classifies them
into three groups: system tools (to prevent internal attacks), network tools
(to prevent external ones) and, finally, a group of other tools.
Robert B. Reinhardt: An Architectural Overview of
Unix Network Security.
In this article the author presents a model of Unix security architecture
based on the network layering model (the ISO/OSI layer structure).
Bill Cheswick: An Evening with Berferd, in which a
Cracker is Lured, Endured and Studied.
In this classic by Bill Cheswick (a revised version appears in Firewalls
and Internet Security, by Cheswick and Bellovin), the author describes
the true story of a cracker knocking at the AT&T gateway in 1991. He analyses
the cracker's activities, methods and failures when trying to access the
Matt Bishop: A Taxonomy of Unix System and Network
Matt Bishop describes here some Unix weaknesses, how to detect them on our
machines to keep crackers out and, of course, how to eradicate those flaws
from the system. He analyses, among others, Thompson's trojan for the
login program, some race conditions, flaws in network daemons, IP
Landwehr, Bull, McDermott, Choi: A Taxonomy of
Computer Program Security Flaws, with Examples.
One of the best (and most complete) papers among those that try to establish
a taxonomy of system vulnerabilities. In the appendix they present, grouped by
system, examples of real flaws and their place in the taxonomy. The Unix
section is excellent.
Steven M. Bellovin: There Be Dragons.
This article, a true classic, describes the attacks on the AT&T gateway by
crackers from all around the world: the tools used to attack, the attacks
detected, the tools used to defend the system...
Matt Blaze, John Ioannidis: The Architecture and
Implementation of Network-Layer Security under Unix.
In this paper the authors present the design, philosophy and functionality of
swIPe, an IP-layer security protocol. swIPe is fully compatible with the
existing protocol, but it adds authentication, integrity and confidentiality
for IP datagrams.
Fuat Baran, Howard Kaye, Margarita Suarez:
Security Breaches: Five Recent Incidents at Columbia University.
In 1990, Columbia University (USA) suffered several attacks on its Unix
machines. This paper describes them (some were aimed at the password files of
certain machines), as well as the security measures taken afterwards.
Dan Farmer, Wietse Venema: Improving the Security
of your site by breaking into it.
In this Unix security classic, Dan Farmer and Wietse Venema show the
potential activities of an intruder on our Unix systems. This is where the
term uebercracker, so widely used since, first appeared.
Matt Bishop: Proactive Password Checking.
In this chapter the author analyses the problem of choosing suitable Unix
passwords, and some possible solutions using programs like npasswd or passwd+.
Both of them (see the Software section) are
analysed and compared to see how they address the weak-password problem.
Steven M. Bellovin, Michael Merritt: Limitations of
the Kerberos Authentication System.
Here Bellovin and Merritt analyse, and propose fixes for, some weaknesses found
in the Kerberos authentication system (MIT, Project Athena).
Steve Simmons: Life Without Root.
In this article the author studies the problem of carrying out certain
administration tasks as root. Administrator access to the system has to be
reduced for security reasons, and the article describes how to carry out some
tasks without full privileges, using dedicated system users instead.
Bob Vickers: Guide to Safe X.
The Unix graphical system, X Window, has typically been considered insecure.
This paper studies that insecurity, as well as how to prevent it by using
access controls on the X server side.
Dave Wreski: Linux Security Administrator's Guide.
A very good handbook for improving the security of a Linux system. Dave Wreski
explains the filesystem security mechanisms, passwords, cryptography...
Eugene Spafford: Unix and Security: The influence of History.
Although Unix has usually been considered an insecure OS, or at least a very
difficult one to protect, Spafford shows here that this is not the case,
drawing ideas for increasing the system's security from the mistakes made over
the history of Unix and its development.
Daniel V. Klein: "Foiling the cracker": A survey
of, and improvements to, password security.
This classic paper shows the dictionary attack against password files (hashing
every candidate word and its common permutations and comparing), and how a
single weak password can compromise the entire system. As a solution, the use
of a proactive password checker is proposed.
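An added example (not Bishop's or Klein's code, nor npasswd's or passwd+'s) of the checks a proactive password checker applies when a user picks a new password: length, the "joe" and reversed-login cases, and dictionary words with the digits and punctuation users add to them, which Klein's survey found so common. The function names, the minimum length and the six-word dictionary are this example's own constructions; a real checker loads the same large word lists Crack uses.

```c
/* Added example, not code from the papers or from npasswd/passwd+: a proactive
 * password checker. check_password() returns NULL if the password is
 * acceptable, or a string explaining why it was rejected. The dictionary is a
 * constructed six-word list; a real checker loads Crack-style word lists. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MIN_LEN 8          /* assumption: site policy minimum */
#define MAX_PW  128

static const char *dictionary[] = {
    "password", "secret", "welcome", "letmein", "dragon", "qwerty", NULL
};

/* Lower-case copy of src into dst (dst has room for MAX_PW bytes). */
static void lower_copy(char *dst, const char *src)
{
    size_t i;
    for (i = 0; src[i] != '\0' && i < MAX_PW - 1; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Reverse of src into dst. */
static void reverse_copy(char *dst, const char *src)
{
    size_t n = strlen(src), i;
    for (i = 0; i < n; i++)
        dst[i] = src[n - 1 - i];
    dst[n] = '\0';
}

/* Copy src into dst without leading/trailing non-letters: "secret1!" -> "secret".
 * The cheapest of Klein's permutations; it catches most "word plus digit". */
static void strip_ends(char *dst, const char *src)
{
    size_t b = 0, e = strlen(src);
    while (b < e && !isalpha((unsigned char)src[b])) b++;
    while (e > b && !isalpha((unsigned char)src[e - 1])) e--;
    memcpy(dst, src + b, e - b);
    dst[e - b] = '\0';
}

static int in_dictionary(const char *word)
{
    for (const char **w = dictionary; *w != NULL; w++)
        if (strcmp(*w, word) == 0)
            return 1;
    return 0;
}

const char *check_password(const char *user, const char *pw)
{
    char lp[MAX_PW], lu[MAX_PW], tmp[MAX_PW], rev[MAX_PW];
    size_t len = strlen(pw), i;
    int lower = 0, upper = 0, digit = 0, other = 0;

    if (len >= MAX_PW) return "too long";
    if (len < MIN_LEN) return "too short";

    lower_copy(lp, pw);
    lower_copy(lu, user);
    reverse_copy(rev, lu);
    if (strcmp(lp, lu) == 0) return "password is the login name (a 'joe')";
    if (strcmp(lp, rev) == 0) return "password is the login name reversed";
    if (strlen(lu) >= 3 && strstr(lp, lu) != NULL) return "contains the login name";

    /* Dictionary checks: as typed (case-folded), with digits/punctuation
     * stripped from the ends, and reversed. */
    if (in_dictionary(lp)) return "dictionary word";
    strip_ends(tmp, lp);
    if (in_dictionary(tmp)) return "dictionary word with digits or punctuation added";
    reverse_copy(rev, tmp);
    if (in_dictionary(rev)) return "dictionary word reversed";

    /* Require characters from at least two classes. */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (islower(c)) lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else other = 1;
    }
    if (lower + upper + digit + other < 2)
        return "needs characters from at least two classes";
    return NULL;
}

int main(int argc, char **argv)
{
    const char *user = argc > 2 ? argv[1] : "alice";
    const char *pw   = argc > 2 ? argv[2] : "Secret1!";
    const char *why  = check_password(user, pw);
    printf("%s\n", why ? why : "acceptable");
    return why ? 1 : 0;
}
```

The point of doing this at password-change time rather than running Crack afterwards is that the weak password never reaches the password file; the checks are the same ones a cracker's dictionary run would apply, so a password that passes them has nothing obvious for Crack to find.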
SOFTWARE AND TOOLS
[NOTE]: Most of the links given here for the software mentioned point
directly to the main distribution server or to a mirror, not to our server.
In this way we try to guarantee that the version you get is always the
latest one (apart from saving space on our hard disks :-)).
Without any doubt this is the most widely used Unix security tool. TCP Wrapper
lets us monitor and filter connections to the network services started by
inetd (such as telnet, ssh, ftp or sendmail), so that we can deny access to
certain addresses, or to machines that don't match a specific
This is a tool very similar to the previous one, but for the services
registered with the portmapper (such as NFS or Yellow Pages/NIS). It also
provides access control, like TCP Wrappers, but its use is less common because
it has been displaced by the standard Unix portmappers, which now include more
security measures than this tool does.
Crack is one of the tools whose release generated the most controversy in the
Unix security world. It is a powerful password-guessing program that lets any
administrator verify that his or her users' passwords are good, by taking the
hashes from the /etc/passwd file of a Unix system and using dictionaries as a
guide to break poor passwords (click here to get some dictionaries).
lsof (List Open Files)
lsof is a program that lets us improve the security of our system by looking
at open file descriptors; in this way we can locate listening sockets,
processes writing to a file, the files opened by a process (very important when
trying to detect sniffers, which keep a raw socket or the packet-capture device
open), etc.
TCFS (Transparent Cryptographic
TCFS is a file system with built-in data encryption. In a way very similar to
NFS, it allows encrypted files to be kept on a volume, and it also increases
the security of the network communication between clients and the file server:
all data travels encrypted, which makes TCFS very advisable for distributed
systems. TCFS works at kernel level, so it is expected to be more secure and
faster than Matt Blaze's CFS, presented next:
CFS (Cryptographic File System)
CFS is an encrypted file system that works in user space. It works as an
interface on top of many standard Unix file systems, including NFS (data NEVER
travels over the network or is stored on disk in clear text).
SANTA (Secure Analysis Network
Tool for Administrators)
SANTA is a security scanner for networked Unix systems that builds databases
of the flaws it finds. Although it may be a bit outdated nowadays, depending on
the version and the Unix flavour we manage it can still be useful. This is
another of the tools whose publication caused a big stir among the people who
still defend the "security through obscurity" philosophy, which was shown to be
useless many years ago but still has a lot of fans.
Tripwire is an integrity checker for files and directories, very useful for
detecting trojaned executables on our system. It records a cryptographic
checksum of every file (usually with the MD5 and Snefru hash functions) in a
database and reports any file whose checksum has changed. If we run Tripwire,
it is VERY advisable to keep the executable and the database it generates on a
read-only file system, to prevent either of them from being modified (otherwise
ALL the reports Tripwire generates become worthless).
This program is a port scanner that works on most Unix systems. It can be
very useful for checking which network services we have listening and accepting
connections on our system, so that we can reduce their number to the minimum
SSH (Secure Shell)
SSH is an application that lets us log in to a remote host, execute commands
remotely, or transfer files between systems, all over an encrypted channel
with cryptographic authentication. It can run either as a standalone daemon or
from inetd through tcpd, so that requests to its port can be filtered with
TCP Wrappers.
COPS (Computer Oracle and
COPS is a large collection of Unix security tools (perhaps a bit outdated, but
sometimes useful) that automates tasks usually done by hand (checking for
acceptable passwords, restricting NFS exports, looking for "+" in
/etc/hosts.equiv...). Potential weaknesses of our systems are logged to disk
or e-mailed, but NEVER corrected: that is not COPS' goal, but the job of other
programs that every system administrator has to know.
TCPdump is a tool for analysing our network's traffic. It prints the headers
of the packets that pass through a network interface and match a given filter
expression (a protocol, packets to a certain address or port...).
This is a tool made up of several programs that let us audit the security of
our system (mainly the flaws that can compromise root, such as a vulnerable
daemon). It also uses checksums to detect unauthorised modification of binary
files.
Sniffit & TOD
Sniffit is a network monitoring tool and sniffer that runs on several Unix
systems. It gives the system administrator detailed information about all the
traffic passing through the machine, and also the ability to stop that traffic
with TOD (Touch of Death), that is, to close the connections that pass through
the machine.
SSL (Secure Socket Layer)
SSL is a cryptographic library that lets us add encryption (DES, IDEA, RC4...)
to standard network applications such as telnet, ftp or http. In this way we
increase the security of our systems and communications, preventing an attacker
from monitoring them. From this link you can access both the libraries and
some applications that include SSL.
This is a tool that logs the ICMP packets received by our system, so that we
can record attacks (or attempts) based on certain types of ICMP packet, such as
ICMP_ECHO_REQUEST or ICMP_REDIRECT. We have to be careful with very verbose
modes: apart from producing a long log file, the system load will rise quickly
because of the logging work.
ARPWatch is a tool that keeps track of the pairing between IP addresses and
hardware (MAC) addresses. Whenever a pairing changes (that is, a different one
is seen on our machine's network interface), ARPWatch sends mail to root
reporting the fact. It also reports the appearance of new stations, or ARP
activity from stations that had been powered down for a long time; in this way
we can use it to detect some kinds of attack, such as ARP spoofing and the IP
spoofing it enables on the local network.
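An added example (not ARPWatch's code) of the core of what the tool does, run over a constructed list of ARP replies rather than a live interface. It keeps an IP-to-MAC table and classifies each observation as a new station, a repeat, a changed pairing, or a flip-flop (the pairing reverting to a MAC seen before, the usual symptom of ARP spoofing or of an IP address being hijacked). All names and the sample addresses are invented for the example.

```c
/* Added example, not ARPWatch's code: an IP -> MAC table fed with ARP
 * observations, classifying each one the way ARPWatch's reports do. The
 * observations in demo_arpwatch() are constructed, not a real capture. */
#include <stdio.h>
#include <string.h>

#define MAX_STATIONS 64

enum arp_event {
    ARP_TABLE_FULL  = 0,   /* nothing recorded */
    ARP_NEW_STATION = 1,   /* first time this IP is seen */
    ARP_UNCHANGED   = 2,   /* same pairing as before */
    ARP_CHANGED     = 3,   /* IP now answers from a MAC never seen for it */
    ARP_FLIP_FLOP   = 4    /* IP went back to its previous MAC: two hosts fighting for it */
};

struct station {
    char ip[16];       /* dotted quad */
    char mac[18];      /* current hardware address, "aa:bb:cc:dd:ee:ff" */
    char prev_mac[18]; /* previous one, empty until a change happens */
};

struct arp_table {
    struct station s[MAX_STATIONS];
    int n;
};

/* Record one ARP observation and say what it means. */
enum arp_event arp_observe(struct arp_table *t, const char *ip, const char *mac)
{
    for (int i = 0; i < t->n; i++) {
        struct station *st = &t->s[i];
        if (strcmp(st->ip, ip) != 0)
            continue;
        if (strcmp(st->mac, mac) == 0)
            return ARP_UNCHANGED;
        /* The pairing moved. A move back to the MAC seen before is the
         * flip-flop pattern of ARP spoofing (attacker and real owner both
         * answering); a move to a brand-new MAC may be a legitimate card swap
         * or a hijack, and is reported either way. */
        enum arp_event ev = strcmp(st->prev_mac, mac) == 0 ? ARP_FLIP_FLOP
                                                            : ARP_CHANGED;
        snprintf(st->prev_mac, sizeof st->prev_mac, "%s", st->mac);
        snprintf(st->mac, sizeof st->mac, "%s", mac);
        return ev;
    }
    if (t->n >= MAX_STATIONS)
        return ARP_TABLE_FULL;
    struct station *st = &t->s[t->n++];
    snprintf(st->ip, sizeof st->ip, "%s", ip);
    snprintf(st->mac, sizeof st->mac, "%s", mac);
    st->prev_mac[0] = '\0';
    return ARP_NEW_STATION;
}

/* Constructed sequence: the gateway is seen, then a second MAC claims its IP,
 * then the real gateway answers again. Returns the number of events ARPWatch
 * would mail to root (everything except ARP_UNCHANGED). */
int demo_arpwatch(void)
{
    static const char *obs[][2] = {
        { "10.0.0.1",  "00:11:22:33:44:01" },   /* gateway, first seen */
        { "10.0.0.20", "00:11:22:33:44:20" },   /* a workstation */
        { "10.0.0.1",  "00:11:22:33:44:01" },   /* gateway again, nothing new */
        { "10.0.0.1",  "de:ad:be:ef:00:01" },   /* someone else claims the gateway IP */
        { "10.0.0.1",  "00:11:22:33:44:01" },   /* real gateway answers: flip-flop */
    };
    static const char *names[] = { "table full", "new station", "unchanged",
                                   "changed ethernet address", "flip flop" };
    struct arp_table t = { .n = 0 };
    int alerts = 0;

    for (size_t i = 0; i < sizeof obs / sizeof obs[0]; i++) {
        enum arp_event ev = arp_observe(&t, obs[i][0], obs[i][1]);
        printf("%-10s %s  -> %s\n", obs[i][0], obs[i][1], names[ev]);
        if (ev != ARP_UNCHANGED)
            alerts++;
    }
    return alerts;   /* two new stations, one change, one flip-flop */
}

int main(void)
{
    return demo_arpwatch() == 4 ? 0 : 1;
}
```

The table is what gives the tool its value: a single ARP reply with the wrong MAC looks like any other, and only a remembered history of who owned the address turns it into an alert.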
This package is a collection of patches that improve the security of the Linux
kernel. It is very useful for blocking common attacks such as buffer overflow
exploits, or certain race conditions based on file creation in /tmp. Note that
such patches mitigate the exploitation of these bugs rather than remove the
bugs themselves. An updated version, for 2.0.x kernels, can be found here:
Argus is a network analyser specially designed for networks with heavy packet
traffic. Its powerful history (the saved records) lets us detect network
problems, new services, traffic blocked by a router, scans from a potential
attacker... quickly and effectively.
This is a tool for filtering packets on Unix stations working as routers (a
kind of firewall). It can filter incoming or outgoing packets according to
their protocol, destination or source address, etc.
Npasswd is a replacement for the passwd command of a standard Unix system. It
is advisable for our systems because it forces users to pick good passwords
(no dictionary words, no "joes" (password equal to the login name) or "eojs"
(the login name reversed), no very short passwords...). Npasswd can work
together with NIS or with C2 security level
Passwd+ is a tool very similar to the previous one. Its main goal (although it
has many others; see the manuals) is to stop users from picking poor
passwords. It does not work with NIS or on C2 systems.
ISS (Internet Security Scanner)
ISS is a system for scanning computer networks, looking for various
vulnerabilities in the hosts (which may be outdated today). Given an IP range,
the program looks for security flaws such as default passwords in different
OSes, NFS exports with public access, the typical sendmail problems, etc.
Trinux is a Linux distribution on two floppy disks that runs entirely from
RAM. It includes all the tools needed to analyse network traffic and detect
many problems, so it is very useful and advisable in some situations.
This program analyses the NFS packets on our subnet. It is useful for
determining the kind of NFS traffic, which machines are trying to reach a
server, which users are accessing the file system, etc.
S/Key is a mechanism that implements one-time passwords (the most extreme case
of password aging, where a password can be used only once): each password is
one step of a hash chain, and the server only keeps the value it last
accepted. This avoids the dangers of a password being captured by a cracker,
since a captured value cannot be replayed.
Netlog is a TCP and UDP traffic analyser, very useful for monitoring our
network's usage (in real time, with NetWatch, or generating log files, with
Deception ToolKit is a powerful tool that listens for requests to our network
services and answers them with false information, so that a potential intruder
thinks our system is full of holes. In this way, and with the help of DTK's
monitoring and logging, we can gather a lot of information about our
attackers, as well as gain time if we want to trace the attack.
Linux Audit Daemon
This software extends the standard Linux auditing, which does not record some
important data. It consists mainly of a kernel patch and a daemon
(/sbin/auditd) that writes all the data to be kept to log files. HIGHLY
NMAP is a port scanner that lets us check which systems are up on our network
and which services they offer. It also does remote OS detection by TCP/IP stack
fingerprinting (as software like CheckOS or QueSO does), stealth scanning,
parallel scanning, and a large number of features that other scanners lack.
Especially advisable if you manage a subnet, to check some aspects of your
hosts' security remotely.
A great collection of programs to harden our Unix systems (currently only
SunOS or Solaris, but we hope to be able to use Titan on other Unices soon),
written by well-known security experts (Muffett, Dik, Venema and Safford).
Titan consists of small shell scripts that fix generic security problems, such
as the lp account having a valid shell. The authors stress that Titan does not
replace any security software: it only fixes those generic problems and makes
the installation and configuration of Unix systems easier for administrators.
This daemon, written by Wietse Venema, runs some network services (http,
gopher...) at the lowest privilege level, and with restricted access to the
filesystem (using chroot()). This is essential to reduce the impact of a
potential compromise of those services.
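An added example (not Bishop's, Simmons' or Venema's code) that serves the setuid-programming paper, "Life Without Root" and the chroot daemon just described: the order of operations a setuid program or a privileged daemon should follow to confine itself with chroot() and give up root permanently in favour of a dedicated unprivileged user, verifying afterwards that root cannot be regained. Function names and the default user "nobody" are the example's own; when run without root it only re-asserts the current ids, so the checks can be exercised unprivileged.

```c
/* Added example, not code from the papers or from Venema's daemon: confine a
 * privileged program to a directory and drop to a dedicated unprivileged user,
 * in the order that makes the drop permanent. Names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* chroot() to root_dir (NULL = no confinement), then drop to uid/gid.
 * Order matters:
 *   1. chroot while still root, then chdir("/") so no open directory outside
 *      the jail survives (chroot() does not change the cwd by itself);
 *   2. supplementary groups and gid before uid: once the uid is unprivileged,
 *      setgroups()/setgid() fail and the process keeps root's groups;
 *   3. setuid(), not seteuid(): the saved uid must change too, or the program
 *      can regain root with a later setuid(0).
 * Returns 0, or -1 with errno set. Safe to call unprivileged with the current
 * ids, which is how it can be exercised without root. */
int confine_and_drop(const char *root_dir, uid_t uid, gid_t gid)
{
    if (root_dir != NULL) {
        if (geteuid() != 0) { errno = EPERM; return -1; }
        if (chdir(root_dir) != 0 || chroot(root_dir) != 0 || chdir("/") != 0)
            return -1;
    }
    if (geteuid() == 0 && setgroups(1, &gid) != 0)   /* only root may do this */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify: all ids changed, and root cannot be regained. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) {
        errno = EPERM;   /* saved uid was still 0: the drop was not permanent */
        return -1;
    }
    return 0;
}

/* Resolve a dedicated account by name ("nobody" is an assumption; use a
 * per-service user in practice). Returns 0 and fills uid/gid, or -1. */
int lookup_service_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : NULL;   /* e.g. /var/empty */
    const char *user = argc > 2 ? argv[2] : "nobody";
    uid_t uid; gid_t gid;

    if (lookup_service_user(user, &uid, &gid) != 0) {
        fprintf(stderr, "no such user: %s\n", user);
        return 1;
    }
    if (confine_and_drop(jail, uid, gid) != 0) {
        fprintf(stderr, "confine_and_drop: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid=%d gid=%d%s%s\n", (int)getuid(), (int)getgid(),
           jail ? " in " : "", jail ? jail : "");
    /* ... the service code runs here with reduced privileges ... */
    return 0;
}
```

Anything the service needs from outside the jail (log sockets, configuration, a privileged port) must be opened before this call; after it the process can neither read outside root_dir nor get root back, which is the whole point.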
This is a useful program for monitoring our system logs and taking action
(such as mailing the administrator) when suspicious activity is detected.
Unix Security Software, from CIAC (Computer Incident Advisory Capability
Unix Security Tools
An excellent collection of Unix security tools, classified by application
area, from NIST (National Institute of Standards and Technology).
Another large collection of Unix security software.
Software, papers, handbooks... about Unix security.
FIRST's papers about computer security.
Without any doubt, COAST (Computer Operations, Audit and Security Technology)
is the best reference point when looking for any paper on computer security,
or for any tool we need to make our systems more secure.
Some of the most important people in the computer security world created
Digicrime Inc., a "company" that sells, always tongue in cheek, security
services for Unix systems and networks. It's the best place to have a good
time and see how they ridicule the script kiddies.
Usenix main page, an international organisation of system managers,
programmers, engineers, computer scientists... related in one way or another
to Unix (or, better said, to OSes, languages... in general). On these pages we
can find papers, publications and information about conferences related to
computer and Unix security, such as the USENIX Security Symposium or the
USENIX Workshop on Intrusion Detection and Network Monitoring.
Unix Reference Desk
Pages on Unix in general (and, of course, on its security). Here we can find
everything from software to books, and even things like text processing with
TeX.
COAST links page, covering every area of computer security (of course, a large
number of those links relate to Unix). Here we can find everything from very
interesting software to WinNT security (?) handbooks, apart from firewalls or
University of Queensland
On these excellent pages from the University of Queensland, dedicated to Unix
security, we can find everything from links to software to a useful
classification of vulnerabilities by the Unix flavour affected.
RootShell may be the page every administrator has to check daily to stay
informed about potential problems with his or her software or hardware. An
excellent reference for finding the exploits that may work against our
systems, sometimes BEFORE they are discussed on BUGTRAQ (see Mailing Lists).
Linux Security Home Page
Pages dedicated to the security of Linux systems, with tools, documentation, software
NIH page on Unix
Pages dedicated to Unix security, from USA NIH (National Institute of
Pages about computer security in general, with an introduction to Unix
security. Other topics include viruses, cryptography, and the security of
other OSes.
A very good page fully dedicated to Unix system security. Very interesting,
with a large number of papers, tools, handbooks...
An interesting collection of papers about computer security, not only Unix.
A good bibliography of general Unix books (not only on system security).
For most of them there is a link to
www.amazon.com, perhaps the Internet's largest
online bookshop, where we can buy almost every title we can't find in
a normal bookshop.
Without any doubt, the best mailing list on Unix and general computer
security. System problems, their fixes, their exploitation, etc. are discussed
there. Mandatory for every Unix system administrator interested in keeping his
or her systems minimally secure. To subscribe, send an e-mail to
with subscribe bugtraq in the message body.
A list very similar to the previous one, but oriented to the Win* operating
systems. Yes, it's not Unix, but sometimes it is advisable to keep informed
about Win* problems that can also affect Unix. To subscribe, send a
with subscribe ntbugtraq in the message body.
A list through which the latest CERT (Computer Emergency Response Team)
advisories are mailed. Maybe a bit slow, since they cover problems discussed
much earlier on BUGTRAQ (sometimes months earlier!). Apart from that, all CERT
advisories are re-posted to BUGTRAQ, so perhaps the only positive thing about
this list is its low traffic :-). Send an e-mail to
with subscribe in the message subject.
A list about Linux security. It doesn't have much traffic, but it is advisable
if we manage any Linux system. To subscribe, send an e-mail to
with subscribe in the message subject.
This list carries Linux OS alerts. It doesn't have much traffic, because
almost all Linux problems go to BUGTRAQ or to Linux Security. To
subscribe, send a mail to
with subscribe in the message subject.
A list on computer security topics, in Castilian Spanish. Although the
signal-to-noise ratio is sometimes very low (in our opinion, of course), some
messages can be useful. To subscribe, send a mail to
with subscribe seg-l in the message body.
Arnold: Unix Security: A Practical Tutorial.
Bryant: Unix Security for the Organization.
Curry: Improving the Security of your Unix
SRI International, 1990.
Curry: Unix System Security: A Guide for Users
and System Administrators.
Addison Wesley, 1992.
Farrow: Unix System Security: How to protect your
data and prevent intruders.
Ferbrache, Shearer: Unix installation Security
Practical Unix Security.
O'Reilly & Associates, 1991.
[NOTE]: This is one of the best books (maybe the best?) on Unix security.
Only surpassed by its second edition, 1996: Practical Unix &
Kochan, Wood: Unix System Security.
Kochan, Wood: Unix Networking.
O'Shea: Security in Computer Operating
Ribagorda, Calvo, Gallardo: Seguridad en Unix:
Internet y Sistemas Abiertos.
Sandler, Badgett, Lefkowitz: VAX Security:
Protecting the System and the Data.
John Wiley & Sons, 1990.
[NOTE]: It isn't about Unix but VMS, but it's still useful, especially chapter 4.
Stoll: The Cuckoo's Egg: Tracking a Spy through the Maze of Computer Espionage
Pocket Books - Simon and Schuster, 1990.
Wheeler: Secure Programming for Linux and Unix HOWTO
Linux Documentation Project. You can download it here.
X/Open Company: X/Open Security Guide.
Prentice Hall, 1988.