From owner-freebsd-security Wed Dec 1 12:51:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from eddie.incantations.net (adsl-208-189-80-58.dsl.rcsntx.swbell.net [208.189.80.58]) by hub.freebsd.org (Postfix) with ESMTP id 2F43215142 for ; Wed, 1 Dec 1999 12:51:07 -0800 (PST) (envelope-from thanatos@incantations.net)
Received: from eddie.incantations.net (thanatos@eddie.incantations.net [208.189.80.58]) by eddie.incantations.net (8.8.8/8.8.8) with ESMTP id OAA14937 for ; Wed, 1 Dec 1999 14:50:43 -0600 (CST) (envelope-from thanatos@incantations.net)
Date: Wed, 1 Dec 1999 14:50:43 -0600 (CST)
From: Jason Hudgins
Cc: freebsd-security@freebsd.org
Subject: Re: logging a telnet session
In-Reply-To: <4.2.0.58.19991201120611.0165fb10@mail1.dcomm.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Setting up a second box to run a sniffer is a little extreme. Just creating
a modified ps would be easier. I'm not really wanting to do either of those,
however; I just wanted something quick that I could throw together using
already developed apps.

I haven't found a packet sniffer that I really like yet. I tried sniff, but
it wasn't very useful; tcpdump is a little too raw. Does anyone know of a
clean & configurable packet sniffer?

> If you're looking to make this transparent then you should rethink running
> services on the box he is on. If he is any good then he will see this. If
> he's not good then why even bother watching him? I'd set up a second box
> and sniff the traffic. You may be able to have the compromised box send a
> trigger to the sniffer when he comes in.
>
> There were two independent threads on freebsd-security and freebsd-isp a
> while back that talked about getting an AUI ethernet card and clipping pins
> in the AUI to 10-base-T converter to stop the sniffer from sending outbound
> packets. Throw a modem on it, or place a second NIC in the sniffer
> connected to a "secure" segment and you could do all sorts of analysis of
> his sessions.
>
> At 01:40 PM 12/1/99 -0600, you wrote:
> >I've had an intruder visiting my box recently, and I tried to
> >set up a system for logging his telnet session. I was using the
> >tcpd wrapper in inetd.conf, and having it set off a trigger in
> >hosts.allow.
> >
> >The trigger calls a script that runs watch -c session on whatever
> >ttypX he logs into. The problem is that tcpd calls the trigger and
> >hands control back over to telnetd without ever knowing what ttypX
> >the remote user will be using.
> >
> >I've done some creative workarounds, but they only work about half
> >of the time (having the script that calls watch sleep for a little bit,
> >and then parse who output and try to figure out the remote user's
> >ttypX, and then starting up watch).
> >
> >Does anyone have a good solution for this? I'm sure there is a better
> >way.
> >
> >Jason Hudgins
> >http://www.incantations.net/~thanatos

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
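One way to close the gap the quoted post describes (tcpd fires the trigger before telnetd/login has created the tty and utmp entry), as an added example that is not code from this thread: a trigger script that polls who(1) for the client host tcpd substitutes via %h, then attaches watch(8) to that tty. The hosts.allow line, the script path and the log path are assumptions; the sample who output is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: hosts.allow trigger that locates the
# tty of the login tcpd just admitted and starts watch(8) on it.
# Hypothetical hosts.allow line (tcpd expands %h to the client name/address):
#   telnetd : ALL : spawn (/usr/local/sbin/watch-login %h) &

# Given who(1) output on stdin, print the tty of the first login whose
# origin field is exactly "(host)". Assumes the FreeBSD who(1) layout:
#   user  tty  mon day time  (host)
# Local logins carry no "(host)" field and are skipped.
tty_for_host() {
    awk -v h="($1)" '$NF == h { print $2; exit }'
}

# Poll who(1) until the remote login appears (the utmp entry is written by
# login after tcpd has already returned), then start watch -c on that tty in
# the background so the trigger never holds up telnetd. Returns 1 on timeout.
watch_login() {
    host="$1"; tries="${2:-15}"; log="${3:-/var/log/session-watch}"  # assumed paths
    while [ "$tries" -gt 0 ]; do
        tty=$(who | tty_for_host "$host")
        if [ -n "$tty" ]; then
            # watch(8) needs root and the snp device; output goes to a per-tty log
            watch -c "$tty" >>"$log.$tty" 2>&1 &
            printf '%s\n' "$tty"
            return 0
        fi
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

# Constructed who(1) output for an offline check of the parser.
SAMPLE_WHO='root     ttyv0    Dec  1 12:00
jason    ttyp0    Dec  1 14:50 (192.0.2.44)
guest    ttyp1    Dec  1 14:52 (198.51.100.9)'

demo_lookup() {
    printf '%s\n' "$SAMPLE_WHO" | tty_for_host "$1"
}

# With an argument, act as the hosts.allow trigger; without one, run the demo.
if [ "$#" -gt 0 ]; then
    watch_login "$1" || { echo "no login from $1 seen" >&2; exit 1; }
else
    demo_lookup 198.51.100.9    # prints ttyp1
fi
```

Because who(1) prints whatever login recorded in utmp (the resolved name, or the address when lookup fails), pass %h rather than %a so the string compared matches.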