Date: Wed, 1 Dec 1999 22:52:43 -0500 (EST)
From: Barrett Richardson <barrett@aye.net>
To: Jason Hudgins <thanatos@incantations.net>
Cc: security@freebsd.org
Subject: Re: logging a telnet session
Message-ID: <Pine.BSF.4.01.9912012230150.4022-100000@phoenix.aye.net>
In-Reply-To: <Pine.BSF.4.10.9912011334310.27776-100000@eddie.incantations.net>
On Wed, 1 Dec 1999, Jason Hudgins wrote:

> I've had an intruder visiting my box recently, and I tried to
> set up a system for logging his telnet session. I was using the
> tcpd wrapper in inetd.conf, and having it set off a trigger in
> hosts.allow.
>
> The trigger calls a script that runs watch -c session on whatever
> ttypX he logs into. The problem is that tcpd calls the trigger and
> hands control back over to telnetd without ever knowing what ttypX
> the remote user will be using.
>
> I've done some creative workarounds, but they only work about half
> of the time (having the script that calls watch sleep for a little bit,
> and then parse who output and try to figure out the remote user's
> ttypX, and then starting up watch).
>
> Does anyone have a good solution for this? I'm sure there is a better
> way.

Have you considered turning on process accounting and having it logged in a stashed away place? A hard link to the history files in a stashed away place may give up a few of his secrets too (it's always interesting to find one where the link count is one -- invariably has something like 'rm .bash_history' in it). Neither should cause anything that would seem unusual to an intruder. You may be able to pull script into the loop unnoticed also.

- Barrett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
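The hard-link trick Barrett describes, written out as an added example that is not part of the thread: a small POSIX sh script that hard-links a user's shell history file into a stash directory and then reports any stashed copy whose link count has dropped to one, which is exactly the "rm .bash_history" case he mentions. The stash path `/var/stash/history` and the `USER.hist` naming are assumptions for illustration; the stash must live on the same filesystem as the history file, because hard links cannot cross filesystems.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread).
# Keep hard-linked copies of shell history files in a stash directory and
# report the ones whose link count has fallen to 1, meaning the original
# name was unlinked (for instance by 'rm .bash_history').

# Assumed stash location; override with STASH=... in the environment.
# It must be on the same filesystem as the history files being linked.
STASH="${STASH:-/var/stash/history}"

# stash_history USER HISTFILE
# Hard-link HISTFILE into the stash as USER.hist. A hard link shares the
# inode, so the shell's later appends are visible through the stashed name,
# and removing the original only drops one name, not the data.
stash_history() {
    user=$1
    hist=$2
    mkdir -p "$STASH" || return 1
    [ -f "$hist" ] || return 1
    ln -f "$hist" "$STASH/$user.hist"
}

# link_count FILE
# Print FILE's hard link count; the second column of 'ls -ld' is portable
# across FreeBSD and Linux, unlike the differing stat(1) flag syntaxes.
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

# orphaned_histories
# Print each stashed copy whose link count is 1: the user's own history
# file is gone, so the stashed copy is now the only record of it.
orphaned_histories() {
    for f in "$STASH"/*.hist; do
        [ -f "$f" ] || continue
        if [ "$(link_count "$f")" -eq 1 ]; then
            echo "$f"
        fi
    done
    return 0
}
```

Run `stash_history alice /home/alice/.bash_history` once per account of interest (as root), then call `orphaned_histories` from cron to flag histories that have been deleted out from under the stash. For the process-accounting half of the suggestion, `accton(8)` and `lastcomm(1)` on FreeBSD cover enabling and reading the accounting log.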