From owner-freebsd-security Wed Dec 1 11:41: 3 1999
Delivered-To: freebsd-security@freebsd.org
Received: from eddie.incantations.net (adsl-208-189-80-58.dsl.rcsntx.swbell.net [208.189.80.58]) by hub.freebsd.org (Postfix) with ESMTP id 3A00815B9B for ; Wed, 1 Dec 1999 11:40:53 -0800 (PST) (envelope-from thanatos@incantations.net)
Received: from eddie.incantations.net (thanatos@eddie.incantations.net [208.189.80.58]) by eddie.incantations.net (8.8.8/8.8.8) with ESMTP id NAA08119 for ; Wed, 1 Dec 1999 13:40:53 -0600 (CST) (envelope-from thanatos@incantations.net)
Date: Wed, 1 Dec 1999 13:40:53 -0600 (CST)
From: Jason Hudgins
To: security@freebsd.org
Subject: logging a telnet session
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've had an intruder visiting my box recently, and I tried to set up a system for logging his telnet session. I was using the tcpd wrapper in inetd.conf, and having it set off a trigger in hosts.allow. The trigger calls a script that runs watch -c session on whatever ttypX he logs into.

The problem is that tcpd calls the trigger and hands control back over to telnetd without ever knowing what ttypX the remote user will be using. I've done some creative workarounds, but they only work about half of the time (having the script that calls watch sleep for a little bit, then parse who output and try to figure out the remote user's ttypX, and then starting up watch).

Does anyone have a good solution for this? I'm sure there is a better way.

Jason Hudgins
http://www.incantations.net/~thanatos

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
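The workaround described in the post (let the hosts.allow trigger fire, then parse `who` to find the tty the remote host ended up on) fails when the script reads `who` before login(1) has registered the session. The script below is an added example, not code from the post or from FreeBSD: it makes that same approach deterministic by polling `who` for a bounded number of seconds instead of sleeping once. It assumes a hosts.allow rule of the form `telnetd : ALL : spawn (/path/to/snoop-telnet %a &)` so that the client address arrives as `$1`, and it assumes the classic BSD `who` layout (`user tty date time (host)`); the `who` output embedded here is constructed sample data. The command name, host addresses and user names are illustrative.

```shell
#!/bin/sh
# snoop-telnet HOST [TRIES]  (hypothetical script name)
# Added example: wait until `who` shows a pseudo-tty for HOST, then attach
# watch(8) to it. Intended to be spawned from hosts.allow with %a as HOST.

# Constructed sample `who` output used for offline testing; a real run
# leaves WHO_CMD at its default of `who`.
SAMPLE_WHO='root     ttyv0    Dec  1 10:02
jason    ttyp0    Dec  1 13:40 (192.0.2.10)
guest    ttyp1    Dec  1 13:41 (198.51.100.7)'

WHO_CMD=${WHO_CMD:-who}

# ttys_for_host HOST [WHO_OUTPUT]
# Print every ttyp* entry whose last field is "(HOST)". If WHO_OUTPUT is
# omitted, run $WHO_CMD. Note `who` prints the hostname when reverse DNS
# resolves, so pass %a from hosts.allow only if name lookups are off, or
# pass %h and accept either form.
ttys_for_host() {
    host=$1
    who_out=${2:-$($WHO_CMD)}
    printf '%s\n' "$who_out" |
        awk -v h="($host)" '$NF == h && $2 ~ /^ttyp/ { print $2 }'
}

# wait_for_tty HOST [TRIES]
# Poll `who` once per second, up to TRIES times (default 10), and print the
# first matching tty. Returns 1 if the session never shows up, which is
# what happens when the connection is dropped at the login prompt.
wait_for_tty() {
    host=$1
    tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        tty=$(ttys_for_host "$host" | head -n 1)
        if [ -n "$tty" ]; then
            printf '%s\n' "$tty"
            return 0
        fi
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] && sleep 1
    done
    return 1
}

# Entry point when spawned by tcpd: attach watch(8) to the located tty and
# keep a transcript. Skipped when sourced without arguments.
if [ -n "${1:-}" ]; then
    if tty=$(wait_for_tty "$1" "${2:-10}"); then
        # Requires the snp(4) device; -c reattaches if the tty is closed
        # and reopened. Log goes to a file the intruder cannot write.
        exec watch -c "$tty" >> "/var/log/telnet-$tty-$(date +%s).log" 2>&1
    else
        logger -t snoop-telnet "no ttyp for $1 within ${2:-10}s"
        exit 1
    fi
fi
```

Two limits remain even with polling: `who` cannot distinguish two simultaneous sessions from the same address, so the script picks the first one, and anything the intruder types before login(1) writes its utmp entry (the banner and the login prompt itself) is never captured. Run the script as root in the background from hosts.allow so that tcpd can hand the connection to telnetd without waiting on it.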