From owner-freebsd-security Wed Dec 1 19:54:39 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix.aye.net (phoenix.aye.net [198.7.192.5]) by hub.freebsd.org (Postfix) with SMTP id DD36A14D5B for ; Wed, 1 Dec 1999 19:54:34 -0800 (PST) (envelope-from barrett@aye.net)
Received: (qmail 12951 invoked by uid 1000); 2 Dec 1999 03:52:43 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 2 Dec 1999 03:52:43 -0000
Date: Wed, 1 Dec 1999 22:52:43 -0500 (EST)
From: Barrett Richardson
To: Jason Hudgins
Cc: security@freebsd.org
Subject: Re: logging a telnet session
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 1 Dec 1999, Jason Hudgins wrote:

> I've had an intruder visiting my box recently, and I tried to
> set up a system for logging his telnet session. I was using the
> tcpd wrapper in inetd.conf, and having it set off a trigger in
> hosts.allow.
>
> The trigger calls a script that runs watch -c session on whatever
> ttypX he logs into. The problem is that tcpd calls the trigger and
> hands control back over to telnetd without ever knowing what ttypX
> the remote user will be using.
>
> I've done some creative workarounds, but they only work about half
> of the time (having the script that calls watch sleep for a little bit,
> and then parse who output and try to figure out the remote user's
> ttypX and then start up watch).
>
> Does anyone have a good solution for this? I'm sure there is a better
> way.
>

Have you considered turning on process accounting and having it logged in a
stashed away place? A hard link to the history files in a stashed away place
may give up a few of his secrets too (it's always interesting to find one
where the link count is one -- invariably it has something like
'rm .bash_history' in it). Neither should cause anything that would seem
unusual to an intruder.

You may be able to pull script into the loop unnoticed also.

- Barrett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
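One way to set up the hard-link trick Barrett describes, as an added example that is not part of the original thread: stash a hard link to each shell history file, then look for stashed links whose link count has dropped to 1, which means the user's copy was unlinked while the stashed inode still holds the content. The history file names, the stash directory and the assumption that it sits on the same filesystem as the home directory are mine; process accounting (accton, root-only) is not exercised here.

```sh
#!/bin/sh
# Added example, not code from the mailing-list thread. POSIX sh.

# stash_history HOME STASH
# Hard-link the shell history files found under HOME into STASH.
# STASH is assumed to be on the same filesystem as HOME, since hard
# links cannot cross filesystems. An existing stash link is left alone
# so that the inode we already hold is never replaced by a newer file.
stash_history() {
    home="$1"; stash="$2"
    mkdir -p "$stash" || return 1
    for f in "$home"/.bash_history "$home"/.history "$home"/.sh_history; do
        [ -f "$f" ] || continue
        dst="$stash/$(basename "$home")$(basename "$f")"   # e.g. alice.bash_history
        if [ -e "$dst" ]; then
            continue
        fi
        ln "$f" "$dst" || return 1
    done
}

# orphaned_history STASH
# Print, one per line, the stashed files whose link count is 1: the
# only remaining name for that inode is ours, so the original was
# removed (typically by 'rm .bash_history'), and the stashed copy still
# contains everything that was written to it before the removal.
orphaned_history() {
    find "$1" -type f -links 1 2>/dev/null
}
```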