Date: Wed, 1 Dec 1999 14:50:43 -0600 (CST)
From: Jason Hudgins <thanatos@incantations.net>
Cc: freebsd-security@freebsd.org
Subject: Re: logging a telnet session
Message-ID: <Pine.BSF.4.10.9912011445290.8128-100000@eddie.incantations.net>
In-Reply-To: <4.2.0.58.19991201120611.0165fb10@mail1.dcomm.net>
Setting up a second box to run a sniffer is a little extreme. Just creating a modified ps would be easier. I'm not really wanting to do either of those, however; I just wanted something quick that I could throw together using already developed apps. I haven't found a packet sniffer that I really like yet. I tried sniff, but it wasn't very useful; tcpdump is a little too raw. Does anyone know of a clean & configurable packet sniffer?

> If you're looking to make this transparent then you should rethink running
> services on the box he is on. If he is any good then he will see this. If
> he's not good then why even bother watching him? I'd set up a second box
> and sniff the traffic. You may be able to have the compromised box send a
> trigger to the sniffer when he comes in.
>
> There were two independent threads on freebsd-security and freebsd-isp a
> while back that talked about getting an AUI ethernet card and clipping pins
> in the AUI to 10-base-T converter to stop the sniffer from sending outbound
> packets. Throw a modem on it, or place a second NIC in the sniffer
> connected to a "secure" segment and you could do all sorts of analysis of
> his sessions.
>
> At 01:40 PM 12/1/99 -0600, you wrote:
> >I've had an intruder visiting my box recently, and I tried to
> >set up a system for logging his telnet session. I was using the
> >tcpd wrapper in inetd.conf, and having it set off a trigger in
> >hosts.allow.
> >
> >The trigger calls a script that runs watch -c session on whatever
> >ttypX he logs into. The problem is that tcpd calls the trigger and
> >hands control back over to telnetd without ever knowing what ttypX
> >the remote user will be using.
> >
> >I've done some creative workarounds, but they only work about half
> >of the time (having the script that calls watch sleep for a little bit,
> >and then parse the who output and try to figure out the remote user's
> >ttypX, and then start up watch).
> >
> >Does anyone have a good solution for this? I'm sure there is a better
> >way.
> >
> >Jason Hudgins
> >http://www.incantations.net/~thanatos
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
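The workaround the original poster describes (a hosts.allow spawn trigger that sleeps, parses who output, and then starts watch on the intruder's ttypX) as a worked example. This is an added illustration, not code from the thread; the hosts.allow line, the script path /usr/local/sbin/watch-trigger, the polling limits and the sample who output are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find the pty a remote telnet login
# lands on, so a hosts.allow spawn trigger can start watch on it.
# Assumed hosts.allow entry (tcpd expands %a to the client address):
#   telnetd : ALL : spawn (/usr/local/sbin/watch-trigger %a &) : allow
# Note: who(1) prints whatever telnetd wrote to utmp; if that is a
# hostname rather than an address, pass %h instead of %a.

# tty_for_host HOST  < who-output
# Prints the tty whose login came from HOST (exact match on the
# parenthesised host column); if several match, the last listed wins.
tty_for_host() {
    awk -v host="$1" '
        $NF == "(" host ")" { tty = $2 }
        END { if (tty != "") print tty }
    '
}

# wait_for_tty HOST [TRIES] [DELAY]
# Polls who(1) because tcpd runs the trigger before telnetd has
# allocated the pty; returns 1 if no session shows up in time.
wait_for_tty() {
    host=$1; tries=${2:-30}; delay=${3:-1}
    while [ "$tries" -gt 0 ]; do
        tty=$(who | tty_for_host "$host")
        if [ -n "$tty" ]; then
            echo "$tty"
            return 0
        fi
        tries=$((tries - 1))
        sleep "$delay"
    done
    return 1
}

main() {
    if tty=$(wait_for_tty "$1"); then
        logger -t watch-trigger "login from $1 on $tty, starting watch"
        exec watch -c "$tty"   # watch(8) on the pty, as in the thread
    fi
    logger -t watch-trigger "no session from $1 seen, giving up"
    exit 1
}

# Only act when invoked with a host argument (as the spawn trigger does).
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Constructed who(1) lines in the test below stand in for a live system; on the real box the remaining race (the user logging in faster or slower than the poll window) is why the poll loop has a bounded retry count.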