UNIX contains numerous tools and methods for auditing and securing your host. However, as your network of UNIX boxes expands, it becomes difficult to scale the host-based tools to perform the necessary auditing and verification. This is where toolkits such as Expect become handy. In this article, I will demonstrate the power of Expect as a rich development toolkit for automated auditing of the UNIX hosts on your network.
However, these e-mail services (SMTP, POP, and IMAP) are also some of the most easily exploited services on any network. Quite often they are "open" to the Internet, which allows easy connectivity for remote users. It also allows easy connectivity for the miscreants who seek illegal access to your hosts.
To verify that hosts comply with policy and that the daemons are at the proper software release levels, we can use Expect to probe the network automatically for SMTP, POP, and IMAP servers. For SMTP, mtaprobe.exp determines the following for each host:
1. The type and version of the SMTP daemon on TCP port 25, if any.
2. Whether the daemon honours the EXPN (expand) command.
3. Whether the daemon is configured to relay all e-mail, thus opening up the host to serving as a SPAM relay.
Once the type and version of the SMTP daemon are acquired, the auditor can cross-reference this information with the various vendor alerts, CERT advisories, and vendor patch documents. This helps ensure that the SMTP daemon is protected against the latest known vulnerabilities.
Allowing the EXPN (expand) function to be performed can assist miscreants who are attempting to obtain account information or e-mail addresses. For example, many common e-mail aliases such as administrators, sales, info, and the like contain the actual e-mail addresses (which often correspond to login IDs) of employees. Allowing someone to peruse these IDs may be a bit more information than you care to share.
A wide-open, Internet-connected e-mail relay is simply trouble brewing. The SPAMmers will find it, eventually, and use it to issue thousands of pieces of unsolicited e-mail. Such abuse may cause the mail relay to stop providing legitimate e-mail messaging. Worse, the SPAMmers may be forwarding e-mail with illicit content, causing quite a bit of public embarrassment. All of this may result in the site being added to a blackhole list, effectively blocking all e-mail from the site from reaching other, popular Internet addresses.
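As an added example (not the article's mtaprobe.exp, whose source is not reproduced on this page), the following Expect script performs the three SMTP checks described above against a single host and prints a one-line audit result. The host name audit.example.com and the example.org/example.net addresses are placeholders that you must adapt to your own environment.

```expect
#!/usr/bin/expect -f
# Added audit example, not the article's mtaprobe.exp: connect to one host's
# SMTP port, record the greeting banner, test whether EXPN is honoured, and
# test whether RCPT TO for a foreign domain is accepted (third-party relay).
# No message is ever submitted: DATA is never sent, and RSET precedes QUIT.
# Host names and addresses below are placeholders; adapt them to your site.
# Usage: smtpcheck.exp <host-or-ip> [from-address] [rcpt-address]
set timeout 10
log_user 0
if {[llength $argv] < 1} {
    send_user "usage: smtpcheck.exp host \[from\] \[rcpt\]\n"
    exit 1
}
set host [lindex $argv 0]
# Sender and recipient live in domains the audited host should not serve,
# so a 250 reply to RCPT TO shows the daemon will relay for outsiders.
set from [expr {[llength $argv] > 1 ? [lindex $argv 1] : "audit@example.org"}]
set rcpt [expr {[llength $argv] > 2 ? [lindex $argv 2] : "audit@example.net"}]
# Send one command and return the three-digit code of the final reply line
# ("" on timeout or disconnect). Continuation lines use "NNN-", the last
# line of a reply uses "NNN ", so the pattern stops at the right line.
proc smtpcmd {cmd} {
    send "$cmd\r\n"
    expect {
        -re {(^|\n)(\d{3}) [^\r\n]*\r\n} { return $expect_out(2,string) }
        timeout { return "" }
        eof     { return "" }
    }
}
if {[catch {socket $host 25} sock]} {
    send_user "$host: no SMTP listener on port 25 ($sock)\n"
    exit 0
}
spawn -noecho -open $sock
# Greeting banner: the daemon type and version to cross-reference with advisories.
expect {
    -re {(^|\n)220[ -]([^\r\n]*)\r\n} { set banner $expect_out(2,string) }
    timeout { send_user "$host: no SMTP greeting within $timeout s\n"; exit 0 }
    eof     { send_user "$host: connection closed before greeting\n"; exit 0 }
}
smtpcmd "HELO audit.example.com"
set expn [expr {[smtpcmd "EXPN postmaster"] eq "250" ? "allowed" : "refused"}]
set relay "no"
if {[smtpcmd "MAIL FROM:<$from>"] eq "250" && [smtpcmd "RCPT TO:<$rcpt>"] eq "250"} {
    set relay "yes"
}
smtpcmd "RSET"
smtpcmd "QUIT"
send_user "$host | banner: $banner | EXPN: $expn | relays for foreign domains: $relay\n"
```

Run it once per host from the same address list mtaprobe.exp consumes; a "relays for foreign domains: yes" line is the finding to fix first.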
The script requires one modification prior to execution. You must replace
the \
The script requires a list of IP addresses or host names, and such a list can be easily generated from /etc/hosts or DNS with the help of Perl or awk.
Here is the source code for mtaprobe.exp.
As with mtaprobe.exp, poptart.exp requires a list of IP addresses or host names. Here is the source code for poptart.exp.
If you found these tools of use, please peruse my other creations, which can be found here.
POP and IMAP auditing with poptart.exp
The poptart.exp tool sweeps a list of IP addresses or host names to determine whether each host has POP and/or IMAP services running and, for each service found, reports the version number the server announces.
Conclusion
As you can see, creating auditing tools in Expect is quite a simple task. These scripts could easily be modified to probe other TCP-based services, such as FTP. While auditing and securing a network of UNIX machines may be one of the most thankless tasks, it can be automated with Expect. Further, Expect can be used to automate many routine system administration tasks. After downloading and installing Expect, you will likely be crafting your own set of tools in short order.