From owner-freebsd-questions@FreeBSD.ORG Thu May 21 11:50:57 2015 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B3926DDD for ; Thu, 21 May 2015 11:50:57 +0000 (UTC) Received: from mx01.qsc.de (mx01.qsc.de [213.148.129.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 763401FEF for ; Thu, 21 May 2015 11:50:57 +0000 (UTC) Received: from r56.edvax.de (port-92-195-181-19.dynamic.qsc.de [92.195.181.19]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx01.qsc.de (Postfix) with ESMTPS id 53A533CEAB; Thu, 21 May 2015 13:50:55 +0200 (CEST) Received: from r56.edvax.de (localhost [127.0.0.1]) by r56.edvax.de (8.14.5/8.14.5) with SMTP id t4LBosx5003035; Thu, 21 May 2015 13:50:55 +0200 (CEST) (envelope-from freebsd@edvax.de) Date: Thu, 21 May 2015 13:50:54 +0200 From: Polytropon To: Matthias Apitz Cc: freebsd-questions@freebsd.org Subject: Re: looking for software to harden TCP/IP client-server application Message-Id: <20150521135054.87c97a4e.freebsd@edvax.de> In-Reply-To: <20150521060204.GA2203@c720-r276659> References: <20150521060204.GA2203@c720-r276659> Reply-To: Polytropon Organization: EDVAX X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 May 2015 11:50:57 -0000 On Thu, 21 May 2015 08:02:04 +0200, Matthias Apitz wrote: > > Hello, > > I'm working for a company which develops since "ages" a client-server > application: Windows/UNIX Java or Perl written clients are connecting to > defined TCP ports where C/C++ written servers are doing LISTEN and serving the > connecting clients. The designed protocol is human readable and an > example is in clear text (normally SSL is used to protect the > data against network sniffing) here: http://www.unixarea.de/slnp.txt > > What I'm looking for is some (hopefully FreeBSD) software to harden the > server side against attacks of all kind of buffer overflow, SQL injection, > etc. > > Any ideas? Fuzzing tools are the first things I would think of. Because this is _not_ a web application, tools designed to harden web-based systems probably don't work here (Burp Suite, for example). The ports collection has security/fuzz, security/fuzzdb, and security/honggfuzz. AFL is also worth lookin at - try if it compiles on FreeBSD (it's a Linux program). Here's the source: http://lcamtuf.coredump.cx/afl/ -- Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ...