Hello fellow Slackers

It is obtainable from here: http://slackbuilds.org/repository/14.1/system/hntool/

Just wondering if anyone has used this HnTool to check for security vulnerabilities on their Slackware system(s)?

I am running Slackware 14.1

I started trying to configure/fix the "HIGH", "MEDIUM", "LOW" and "INFO" issues, beginning in editing the vsftpd.conf in the /etc directory. I changed it from:

to this:

Seems logical "no" meaning no ascii upload or ascii download.
running the hntool command again , the "HIGH" risk changed to "OK" changing from "ASCII mode data transfers is allowed" to: "ASCII mode data transfers is not allowed". Seems valid, if HnTools is reliable?

So my questions are, before I may do any more damage

(1). How reliable is the HnTool ouput for Slackware, or any other unix/linux distribution for that matter? I can not find much information on this tool, and have had no responses from its Slackbuilds maintainer Binh Nguyen.

(2). Is this ASCII configuration change I have made o.k.? I don't use ASCII mode, and do not really know enough to comment about it, but I changed this obviously because of the HnTool Ouput being "HIGH" risk.

Any opinions/advice from people who have utilized this tool and have experience with it would be really appreciated.

Appreciate your time and efforts.

Thanks.

Here we go again. Keep the whole thing bumping along the bottom. That's what it's all about, isn't it?

Are you running a proftpd or vsftpd server? Do you know what a FTP server is?

Are you running an apache web server? With php? Do you know what a web server is?

Are you running a postgresql server? Do you know what a database server is?

Are you running a ssh server on your machine? Do you know what a ssh server is?

If the answer to these questions is yes, then you're a competent user, and you should be able to configure the security of these services you have exposed to the public without this tool. You hardly need to ask us how to use this tool and what its reports mean.

If on the other hand you are not running these services, why on earth would you need to secure them using this 3rd-party package? Do you think a FTP or web or database server is vulnerable if it's not running?

If you're not running any of these services you can safely ignore this tool. It provides you with nothing whatsoever you couldn't pick up if you had the basic intelligence to understand what you are using your system for. I presume you do have that intelligence, given you were able to install Slackware and configure the services you wanted running on your machine.

You can mark this thread solved now. If you're running any of these services you're obviously intelligent enough to configure them and the security risks associated with them. If you're not running these services this tool is irrelevant to you. I hope this answers your question.

You have not really explained why this tool is irrelevant, why its output is irrelevant when it clearly showed vulnerabilities, and how that compares to editing particular config files in question and why. All you have really stated is that if you don't use these services this HnTool is not needed and if you have brains you should know this. So is it safe to say that If you are not using these services and you use this tool, this tool is showing false-positives, and should be reported to Slackbuilds?


gezley I appreciate some of the time and effort you have taken into responding. Thank you.

Thanks for not being condescending or sarcastic with intimidating me with your ego in how superior your knowledge is pertaining to Slackware, compared to mine. I wouldn't want you or anyone to feel uncomfortable in making someone else feel like an idiot just to satisfy ones mental stability, because that would only make one feel special. I am sure you knew everything, every tiny little thing about your whole entire system and related computer systems when being only introduced to it/them in a short time. And if you didn't then I know how you feel! I hope someone didn't make you feel like an idiot, and if they did, then I am incredibly sorry for that, but lets break the cycle ehhh.

It is more appropriate to respond in a full helpful way and excluding derogatory/condescending tone in comments gezley, the time and effort(s) you put forward in responding this way because you see opportunity to criticize one such as myself who knows far less than you, obviously, could be put to better use, in being more positive in responses, being more understanding, and complementary. And if we met in person I highly doubt you would speak to me in such a tone!
I highly suggest that your responses in future are not like this towards newbies such as myself.

I am sure it's obvious to everyone else that Slackware is the easiest system to use, that it's documentation is all up to date and easy friendly to use ... ohh no wait but no it's not. Everything could be explained a hell of a lot healthier. And I guess that is the challenge and a process that is currently underway and will take time ... I assume most users of Slackware struggled with learning everything about it's internals and how it relates to other systems at some point in their lifetime.


Obviously on my part I was expecting a response that was, lets say, more empathetic and helpful towards the HnTool in relation to Slackware, their experience(s) with it and how I may or may not need to worry about what vulnerabilities it spits out. In one way or another, gezley you kind of get this across.

When you first installed slackware did you turn these services on? If you not sure check out this link..http://docs.slackware.com/slackware:faq.

Nope, I did not turn them on ... I just did a random check with the HnTools and it showed vulnerabilities with certain files. Thanks for the link by the way.
The HnTool just showed for an example that ASCII was a vulnerability and to make it not a vulnerability, I needed to edit the vsftpd.conf file. So I did, and doing another scan, Hntool output then showed it was no longer a vulnerability. It is interesting, if it's not in use (the service considered vulnerable), and the HnTool shows it's a vulnerability, then? I think my concerns are centered around this HnTool, and it's output ... if it is used to check for vulnerabilities and it finds some, even if certain services are not in use, are they a vulnerability? Maybe some are and maybe some aren't? Only way to know I am guessing is if someone has experience with this tool can explain, I am assuming?

If the services aren't running there is no "vulnerability". If I were you I would do some more reading before messing with the configuration files. IMHO I wouldn't bother using HnTools.

My guess is that hntool just looks at configuration files for possible issues, but does not check whether any services using those files are running. If you're really worried about locking your computer down, you'd be better off by scanning your computer remotely. This is typically done with port scanners and there's a lot of tools out there. This will notify you what ports are open on the computer. Once you find that out, you can google the port number to find out what service typically uses that port. Any unneeded services should be stopped.

To me, it seems this tool isn't very smart. It didn't catch that the lines in the configuration file it wanted changed were commented out (that's what the "#" signifies). You changing it from #ascii_upload_enable=YES to ascii_upload_enable=no didn't do anything, since the program was ignoring it anyway. Include the fact that vsftp doesn't run by default, and likely wasn't running on your system, it seems that hntool isn't a great tool for actually finding security vulnerabilities.

It's been said before, Pat and team have gone through great efforts to provide us with a good, secure base install. There's a lot of things you can do to make that less secure, so before you start enabling things like a webserver, make sure you do some research to find what security issues could arise from that and ways to handle those issues.

1 members found this post helpful.

Hey bassmadrigal, great post, thank you.

There is a plethora of information out there to wade through. And are these resources actually definitive enough, do they have the KISS philosophy, are they explained well, does the information seem quite arbitrary at times? I have found often in trying to find something out related to Slackware, one has to stretch far beyond what Slackware resources are available, a problem that has likely and often motivated people in creating their own websites to better convey Slackware related information. This is similar to problems with other distributions of Linux as well. And this is what has likely motivated people such as "Alan Hicks" and others to revamp the Slackware Book. Manual pages can be sometimes helpful, sometimes not. And maybe the manual pages need revamping too. Something could be said about time management wasted for consumers, and the efficiency in the way information is conveyed, and organized to the public concerning not just Linux distributions but other operating systems such as with Windows and Apple.

As resources I currently use:

http://slackbook.org/

http://docs.slackware.com/start

I do read. And do search. To better learn, can you recommend what you consider the best resources specific to Slackware (apart from the Slackware Essentials and mentioned URL's and LQ's)?

Thanks

Nobody made me feel like an idiot. I was able to use man pages, and if they didn't solve the issues I had, I was able to use search engines, and if they didn't solve the issues, I was able to formulate brief and to-the-point questions here and in other technical forums. Lately there has been a clear drive on the part of somebody or somebodies to dumb down the Linux and BSD forums and to keep them dumbed down. Call it paranoia, call it what you like, the trend is obvious. We have members here whose only contribution is to make a steady stream of snide remarks about Slackware from the comfort of their high horse; we have others whose only contribution is a steady stream of argumentative posts. The main idea is to keep technical content out and constant arguments going. Needless to say nobody knows whether or not I am correct, and it is a racing certainty that nobody will ever know who is behind it.

Perhaps I misinterpreted your questions, perhaps not. You were able to edit the vsftpd.conf file but not willing or able to find out first what vsftpd is? And your excuse is that there's nothing about it in the manual? I have just searched Google for "slackware vsftpd" and the first hits tell me what vsftpd is and what it's for. I didn't even have to open any of those hits on the first page to know I don't need a FTP server.

Did you try that? No. Instead you *scanned* the man pages and the entire Slackware manual. How anyone can be concerned about the security of their system without doing the basic research necessary is beyond me. How anyone can proceed to edit system files without having the first clue about what they're doing is also beyond me.

Please make more of an effort next time. Then you will find I am not the unfriendly and cantankerous ogre you think I am.

I think you should read my response(s) again. It was an assumption that I made, that it is often a common trend that those who have been abused carry on the same cycle of abuse, no matter what the abuse, in this case it's in how people talk to other people. Just like your assumption of inferences about peoples intelligence regarding Slackware, to which you speak of so freely when really you have no grounding to even mention at all or in these threads. We all come from different backgrounds, we are all learning, and we are all going to die. Why make things harder? KISS is a brilliant philosophy. Maybe hard to always put to practical use? It is obvious in your response with how you come across, I did not find it practical or helpful, it's quite immature, and it was only a suggestion that you could work on. I can tell you this much, I do respond well, and can and would respond far better than that, people don't deserve condescending remarks period, regardless of discipline context or how ridiculous you think you find a post to be.

Excuse me, but I use the man pages, and it's just an opinion, they need revamped! And if someone paid me I'd revamp them, or I'd do if for free if I had time. My point is one should not have to rely so much on search engines. The consistency of information to be centralized, organized and immensely efficient for Slackware is lacking, needs updated and that is obvious. If there was a volume of books for Slackware I would buy it, even if it cost a considerable amount of money. But there isn't. And maybe Slackware's founder Patrick Volkerding and his associates could investigate that, and maybe they have?

A popular philosophy would be to not make people chase their tails. With any project, it's a very practical and intelligent way to be very organized. I'm talking about peoples "life-time" and a project's information not being properly organized waste's peoples time! "Everything" should be available with the distribution, in a clear, concise, and practical way so even a 10 year old can comprehend. There should not be a need to go look for anything related to the distribution using outside sources period. Slackware as a distribution Is excellent, people boast about it's excellence, I feel it's excellent. I enjoy a challenge, I enjoy trying to learn everything about it. However, it's not hard to find people who bag Slackware, I've read a large amount of complaints about it as well as other distros in other forums.

Was my post impolite, and unclear? So, are you saying it is o.k. to be rude to people if you find their posts ridiculous, well that isn't very mature is it. So you're saying it comes down to intelligence to post on LQ's then? That is a highly judgmental and discriminatory view m8, you might want to recalculate that one. How do we measure the practicality of a question on a forum based on people you come from different ethnic social contexts, educations, and human conditioning, and experience with a unix/linux distribution who need questions answered? There questions obviously reflect their experience don't they? Often people who can't get their head around this have a problem expecting others to think along the same lines as they do. That's not a reality and it's impractical. The answer, I am assuming is to provide the public, whatever their background or intelligence, a forum that has categories in preference to their interests so that they can ask questions and/or discuss problems, current/past events, and whatever else. This is what LQ's is. So many people visit it. It works, it's practical, useful and does have a wealth of information. I don't think LQ's built for ego building and thrashing. it's not a place to join to boast/impress upon other people just how proud they are about how intelligent they are with a specific distribution and related systems, by ridiculing people in a condescending way who come here to ask questions.
Isn't and shouldn't it be about healthy, practical, polite and respectful responses from those with knowledge sort by others regardless of their mental stability, color and creed? Well I think so and follow this line thinking. Are you doing this? No your justifying being a bully.

We'll I am new, and I am trying to learn. It's not hard for anyone to see that bad threads, posts and comments just waste time, even if those responding do see the content of questions being asked completely retarded! And even though I view all snide remarks completely stupid, immature and completely irrational ... it likely has a lot to say about personality deficiencies of the intimidator! Well I guess I will ignore the high horse(s) from now on. I'm willing to contribute, but only in a healthy way, even if for some reason I find what someone posts ridiculous. If you can't understand that, then there is a problem. No ones going to change my mind on that philosophy. I don't know if I will be brilliant at it, but I'll give it a go, and explain way better than some, and that is worthwhile.

From what I have read (that is from anywhere and everywhere) there seems to be a large consciousness with the philosophy to make it hard to completely understand everything about a distribution, which justifies my point that, well, shouldn't there be a very large book all about Slackware? I see some have tried to tackle this problem. I know a lot of information is obtainable within the man pages, within the Slackware Essential manual, and Websites dedicated to Slackware, and from other outside sources. I know I am not alone, people find Slackware difficult to use and I have read this quoted on some websites by people who could easily be considered masters of Slackware. I know some of these people are LQ members. But at some level I do like that Slackware is hard. I don't know enough to really comment about the dumbing down, the paranoia, ... the conspiracy ... But I am sure that personalities will clash no matter what the forum. That's life.

For research, a common process seems to be, look up the man pages, ... nope not in there, ... look up the Slackware Essentials manual ... nope not in there ... look up Linux Questions ... nope not in there ... do I create a thread on LQ's ... or ... and/or use search engines ????? It's completely impractical and it halts on one's learning. I often find the information I need in the most random places, nothing related to Slackware at all!! That speaks volumes to me.


Regarding vsftpd. I found it in the man pages, it was not hard, but I don't think I ever said that I didn't find it in the man pages, I'm sure I said that I did not find anything on apache in the man pages, and this was all relating to the HnTool output.
And I don't think it really matters gezley, seriously m8 you came across quite rude and obnoxious. Or an Ogre as you say. To me 'bully'. There is no justification for it, at all. It's that simple period. You can't change my mind. I don't think it matters if I was able to edit the vsftpd.conf file or not, that is not that hard. What was hard is knowing whether that edit is actually justifiable, and I expect that really only someone who knows the ins and outs of the HnTool, and why its output spat those vulnerabilities out to a standard installation of Slackware knows. I was seeking guidance pertaining to that perspective specifically. And m8, being able to edit a .conf file simply does not constitute as a justifiable excuse in judging ones intelligence on a Linux distribution so that you can speak rudely to them! It also clearly speaks volumes as to why each tool is not tested for Slackware in a way that also shows if you run this type of system, or that type of system ... you will get these issues with standard installations or with these configurations. Seems like there are plenty of jobs available but there is likely going to be no wages/salary!

The thread was simply to ask about the "HnTool" and its output, and you simply gave me a hell of a lot of flack for that!
I don't think you misinterpreted my questions, I just think you chose the wrong way to respond. That you, and like many people that you mentioned could do better. I know I will. Can you try that gezley?

Well, as I said, people come from different backgrounds, and have different intelligences, and not everyone will think like you do. So gezley, if you are still struggling with why I ran the HnTool, it is because of what it does, I have not tried it so I did, are you going to scrutinize everyone who does that? Write to Slackbuilds. As you say I *scanned* the HnTool output, found things I could not entirely understand, *scanned* the man pages on the HnTool to understand the HnTool output, then *scanned* the the "High" risk vulnerabilities in the man pages and found some information. I edited one file and the HnTool output said it was no longer vulnerable. And I am supposed to be an expert on everything, it seems so. It seems you expect a lot! I tell you one thing bud, if Slackbulds has this tool on their and its no good, then what the hell is it doing on there? Isn't that questionable. Doesn't that speak volumes about the organization of this project. Well I got to tell ya, it's not up to me to bloody take care of it, and if it was it would be way more organized.

Essentially its beyond me how it's beyond you, you might need to rescan the start of this thread, and my response(s). I think this is the first thread relating to this tool, not a very good one. It will probably only have one outcome, don't use the HnTool, that'll be a loss if its a good tool, nobody has posted yet that seems to have any experience with it. But if people read between the lines, they may not assume so much about the tool, and also learn that responding badly to people does not have a great outcome, and should not be allowed on LQ's. Just an assumption, that is generally a life rule? Treat people how you would like to be treated. There's no justification for it period! Take it somewhere else man, seek help, And gezley you should always make an effort to empathize with whatever fellow linux user who need's help, even if you think you find their post not to your expectations, with it's format or whatever your criticisms, be polite regardless, you are a linux user too!

I don't think you are an Ogre, I think a lot though, I just think you need to focus on better people skills and make sure you know what you are talking about, and convey that in a better way when you think you are trying to help people, period. People deserve the best from you not the worst, period. I am sure I would not find it that hard to be "cantankerous", that is so easy, anyone can do that, jeez! I think you have taken what I did clearly out of context. It was about the output, and the tool, not about your excited mental encapsulation from a judgement you made about the contents of my question to justify you to make analytical opinions that question my experience and intelligence. And what has that really got to do with you anyway? Very rude m8, and ridiculous, give a healthy response, or don't respond at all. How hard is that?
*It shows in this thread from my professional opinion that you are overestimating your assumptions too, I do make an effort m8! I am just not you.