Date:      Wed, 01 Dec 1999 22:12:57 -0800
From:      Peter Benjamin <bvirtual@westworld.com>
To:        security@FreeBSD.ORG
Subject:   Re: logging a telnet session
Message-ID:  <4.1.19991201132855.0180f760@mail.wgn.net>
In-Reply-To: <Pine.BSF.4.10.9912011334310.27776-100000@eddie.incantations.net>


I sure would like to know of an application, perhaps a port,
that does this already.

It's not clear what you wish to log about the telnet session.
The fact it was done, where it came from, or the commands
used, which must follow any login, su, or other commands
that might change the "identity" of the intruder on your system.
I guess that is why you wish to monitor the ttypX session.

So here are some methods I have heard about.

Telnet sessions will run the dot file for that shell type.
.cshrc, .login, and .profile are the three primary dot files.
There are two levels of these.  One for all users, and then
any in the users home directory.

To log telnet sessions, simply add lines to the all user dot files
that echo out whatever values you care to a log file.  And email
them just in case the user likes/knows to clean up after themselves.

Of course, this is not as high level as inetd intercept of the telnet
session.

To log the commands issued by users there are a few ways.
ssh has a single flag to turn this on.

Install a telnet that does.

Convert to ssh and disable telnet. (Best solution - telnet is not secure).

Most shells support history, so that is one way, but the user can set history
off, and some systems allow the root user to force history on, and write
2000 or even 10000 commands to the file, and have the file read only
to the actual user.

Do one of the above for all users.

Lots of other ways of course, as you have indicated in your original
post.  You do not state how many users you have, what shells are used,
or even if you are sure the intruder used telnet (mail is possible, or
tcp stack overflow to get root access, etc).

One way is to use root access to monitor all the keyboard entries of all
users and record them to a file (plus email or other transmission to
remote computer).

Hope this helps.

Pete

BTW, a root access cron entry would be better than a sleeping script, IMHO.


At 11:40 AM 12/1/99 , Jason Hudgins wrote:
>I've had an intruder visiting my box recently, and I tried to 
>set up a system for logging his telnet session.  I was using the
>tcpd wrapper in inetd.conf, and having it set off a trigger in
>hosts.allow.
>
>The trigger calls a script that runs watch -c session on whatever
>ttypX he logs into.  The problem is that tcpd calls the trigger and
>hands control back over to telnetd without ever knowing what ttypX
>the remote user will be using.
>
>I've done some creative workarounds, but they only work about half
>of the time (having the script that calls watch sleep for a little bit,
>and then parse who output and try to figure out the remote user's
>ttypX and then starting up watch)
> 
>does anyone have a good solution for this, I'm sure there is a better
>way.
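Added example for this thread (written here, not code from either poster), in Bourne shell, pulling together two of the approaches discussed above: a system-wide login hook that appends user, tty and remote host to a log file the user does not own, and a helper that resolves a remote host to its ttyp by parsing `who` output, which is what the original poster's workaround does before starting watch. The function names, the log line format and the sample `who` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: hypothetical helpers for logging
# telnet logins from a system-wide dot file and for finding the pty a
# remote host landed on.

# Constructed sample of `who` output (user, tty, date/time, optional "(host)").
SAMPLE_WHO='root     ttyv0    Dec  1 10:02
jason    ttyp0    Dec  1 11:38 (10.0.0.5)
guest    ttyp1    Dec  1 11:40 (203.0.113.9)
guest    ttyp2    Dec  1 11:41 (203.0.113.9)'

# tty_for_host HOST [WHO_OUTPUT]
# Print the tty of every login whose remote host field is exactly "(HOST)",
# one per line.  Uses live `who` output when no second argument is given.
# Lines with no host (console logins) have a time as their last field and
# can never match.
tty_for_host() {
    host=$1
    who_out=${2:-$(who)}
    printf '%s\n' "$who_out" | awk -v h="($host)" '$NF == h { print $2 }'
}

# log_login USER TTY HOST LOGFILE
# Append one timestamped record to LOGFILE.  Meant to be called from
# /etc/profile or /etc/csh.login (the "all users" dot files), so the
# user cannot simply remove it from files in their own home directory.
log_login() {
    printf '%s user=%s tty=%s from=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "$1" "$2" "$3" >> "$4"
}

# login_hook LOGFILE
# Gather the live values and record them.  This is the line that would go
# in the system-wide dot file.  The remote host is taken from the last
# field of `who am i`, with the parentheses stripped.
login_hook() {
    remote=$(who am i 2>/dev/null | awk '{ print $NF }' | tr -d '()')
    log_login "$(id -un)" "$(tty 2>/dev/null || echo notty)" \
        "${remote:-local}" "$1"
    # To keep a copy off the box, as suggested above, pipe the same line
    # to mail(1) here, e.g. tail -1 "$1" | mail -s "login $(hostname)" admin@example.org
}

# Demonstration on the constructed sample.
tty_for_host 203.0.113.9 "$SAMPLE_WHO"
```

Two caveats worth keeping in mind with either approach. A login only appears in `who` after login(1) has finished, so a tcpd trigger fired at connect time has to poll for the tty rather than read it once; and a user who starts a different shell, or whose intruder already has root, can skip the dot files or edit the log in place, which is why mailing the records to another machine matters more than the format of the file. On FreeBSD a history or log file can additionally be made append-only with `chflags sappnd`, which stops truncation even by root once the securelevel is raised.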
