From owner-freebsd-security Wed Dec 1 12:13:18 1999 Delivered-To: freebsd-security@freebsd.org Received: from kerouac.deepwell.com (deepwell.com [209.63.174.12]) by hub.freebsd.org (Postfix) with SMTP id 1447D150CB for ; Wed, 1 Dec 1999 12:13:16 -0800 (PST) (envelope-from freebsd@deepwell.com) Received: (qmail 22664 invoked from network); 1 Dec 1999 21:04:28 -0000 Received: from proxy.dcomm.net (HELO terry) (209.63.175.10) by deepwell.com with SMTP; 1 Dec 1999 21:04:28 -0000 Message-Id: <4.2.0.58.19991201120611.0165fb10@mail1.dcomm.net> X-Sender: freebsd@mail.deepwell.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 Date: Wed, 01 Dec 1999 12:13:04 -0800 To: Jason Hudgins , freebsd-security@freebsd.org From: Deepwell Internet Subject: Re: logging a telnet session In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org If you're looking to make this transparent then you should rethink running services on the box he is on. If he is any good then he will see this. If he's not good then why even bother watching him? I'd set up a second box and sniff the traffic. You may be able to have the compromised box send a trigger to the sniffer when he comes in. There were two independent threads on freebsd-security and freebsd-isp a while back that talked about getting an AUI ethernet card and clipping pins in the AUI to 10-base-T converter to stop the sniffer from sending outbound packets. Throw a modem on it, or place a second NIC in the sniffer connected to a "secure" segment and you could do all sorts of analysis of his sessions. At 01:40 PM 12/1/99 -0600, you wrote: >I've had an intruder visiting my box recently, and I tried to >setup a system for logging his telnet session. I was using the >tcpd wrraper in inetd.conf, and having it set off a trigger in >hosts.allow. > >The trigger calls a script that runs watch -c session on whatever >ttypX he logs into. The problem is that tcpd calls the trigger and >hands control back over to telnetd without ever knowing what ttypX >the remote user will be using. > >I've done some creative work arounds, but they only work about half >of the time (having they script that calls watch sleep for a little bit, >and then parses who output and tries to figure out the remote users >ttypX and then starting up watch) > >does anyone have a good solution for this, I'm sure there is a better >way. > >Jason Hudgins >http://www.incantations.net/~thanatos > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message