[832] in linux-security and linux-alert archive
Re: [linux-security] suspicious users
daemon@ATHENA.MIT.EDU (Suicide Object)
Fri Jun 21 12:02:23 1996
Date: Mon, 17 Jun 1996 23:07:21 +0200 (MET DST)
From: Suicide Object <wvdputte@reptile.rug.ac.be>
To: Peter Orbaek <poe@theory.lcs.mit.edu>
cc: linux-security@tarsier.cv.nrao.edu, delznic@axess.net
In-Reply-To: <199606132115.AA22055@ostrich.lcs.mit.edu>
On Thu, 13 Jun 1996, Peter Orbaek wrote:
>
> >I am becoming suspicious of some users on my system. I am wondering what is
> >the best way to watch what they do or have done.
> >What have you (the members of list) done to "babysit" these users.
> - Hack their shell to log certain users' commands via syslog() or
> to a special hidden file. It's actually quite useful to have
> such shells installed all the time and be able to turn on
> snooping for certain users in some config file.
Good idea. But what if he execs new_shell_safe's ???
> - Use telnetsnoopd if they are coming in over telnet, this will allow
> logging of their entire session. I've sometimes heard of problems
> with telnetsnoopd: that it may sit around burning CPU time to no
> good use, so be careful.
Well, telnet snooping is nice for IRC sessions, but who has the time to
sit around and look at what he is doing?
Better use a packet sniffer and log...
> - Use tcpdump or snoop (Solaris) to dump eg. all telnet packets
> going from/to a certain host. This can generate a LOT of data.
Not if you use it wisely. Log all he types on port 23 for starters; 513,
21, ....
Some packet sniffers even allow you to get a real-time view of his screen
(I've seen tcpdump do it, and I use sniffit for it frequently. By the way,
sniffit is a packet sniffer written for Linux, available at
http://reptile.rug.ac.be/~coder/sniffit/sniffit.html).
The major advantage of packet sniffing is that you can do it
1. centralised (one host for an entire segment)
2. unnoticed: no way a user can notice it (or know he *isn't*)
Disadvantages: it only logs the medium you have access to (so no console
logins, or PPP connections if on another host).
Secure shell is also a nice game-breaker :-) (well, that's why *I* use it)
> With linux you could also hack the kernel to log output to certain
> tty's somewhere, maybe this is already possible? Add a couple
> of ioctl calls to the tty driver to set dumping conditions and
> where to dump the stuff.
>
> Does Linux support process logging these days?
Isn't there a standard acct for this?
(I never tried it on Linux; the man page doesn't look too inviting anyway :-)
> Of course, all of this should be done only by people wearing white
> hats! Your users will hate you if you do this without proper
> cause.
>
> If you're a commercial access provider, it would be advisable to tell your
> users up front that you can and will eavesdrop on them if you suspect
> foul play.
A nice login disclaimer:
Note: This system is for the use of authorized users only.
Individuals using this computer without authority,
or in excess of their authority, are subject to having
all of their activities on this system monitored and
recorded by system personnel.
Tracing you is currently sponsored by Glock 17L (tm)
Wim Vandeputte, Tunnel Vision and the scars to prove it
"Is it time to shut down and lay to rest the Bomb
that Servant Suicide Object worshipped like a God"
-- NIVEK OGRE
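The "use it wisely" point in the reply above (keep only what the user types towards ports 23, 513 and 21 instead of dumping every telnet packet) is worth seeing as code. The following is an added example, not code from this post, from sniffit or from tcpdump: it parses raw IPv4/TCP packets (assumed to have the link-layer header already stripped), keeps only client-to-server segments that carry data to a watched port, and reassembles each session's keystrokes by TCP sequence number, dropping retransmits. The capture it runs on is constructed inline; `build_packet` exists only to fabricate that sample.

```python
import struct
from collections import defaultdict

# Service ports the post suggests watching: telnet (23), rlogin (513), ftp control (21).
WATCH_PORTS = {23, 513, 21}


def parse_ipv4_tcp(frame):
    """Parse a raw IPv4 packet carrying TCP (no link-layer header).

    Returns a dict with addresses, ports, sequence number and payload, or
    None if the packet is not IPv4/TCP or is truncated.  IP options, checksums
    and fragmentation are ignored: enough for a log filter, not a full stack.
    """
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 6 or len(frame) < ihl + 20:          # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", frame[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4                    # TCP header length incl. options
    payload = frame[ihl + data_off:total_len]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "payload": payload}


def is_keystroke_segment(pkt):
    """Keep only client -> server segments that carry data to a watched port.

    Server echoes (source port 23 etc.), bare ACKs and unrelated services are
    dropped; this is what turns "a LOT of data" into a few bytes per session.
    """
    return pkt is not None and pkt["dport"] in WATCH_PORTS and len(pkt["payload"]) > 0


def reassemble_sessions(frames):
    """Group keystroke segments per session, order them by TCP sequence number
    and drop retransmits (same seq seen twice).  32-bit sequence wrap is not
    handled.  Returns {(client_ip, client_port, server_ip, server_port): bytes}.
    """
    segments = defaultdict(dict)
    for frame in frames:
        pkt = parse_ipv4_tcp(frame)
        if not is_keystroke_segment(pkt):
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        segments[key].setdefault(pkt["seq"], pkt["payload"])   # first copy wins
    return {key: b"".join(segs[s] for s in sorted(segs)) for key, segs in segments.items()}


def build_packet(src, dst, sport, dport, seq, payload):
    """Construct a minimal IPv4+TCP packet for the demo only (checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


# Constructed sample capture: a telnet session delivered out of order with a
# retransmit and a bare ACK, the server's echo, an FTP login, and unrelated HTTP.
SAMPLE_FRAMES = [
    build_packet("10.0.0.5", "10.0.0.1", 1025, 23, 1002, b"\r\n"),      # arrives first
    build_packet("10.0.0.1", "10.0.0.5", 23, 1025, 5000, b"ls\r\n"),    # server echo, dropped
    build_packet("10.0.0.5", "10.0.0.1", 1025, 23, 1000, b"ls"),
    build_packet("10.0.0.5", "10.0.0.1", 1025, 23, 1000, b"ls"),        # retransmit, dropped
    build_packet("10.0.0.5", "10.0.0.1", 1025, 23, 1004, b""),          # bare ACK, dropped
    build_packet("10.0.0.5", "10.0.0.1", 1026, 21, 7000, b"USER bob\r\n"),
    build_packet("10.0.0.5", "10.0.0.1", 1027, 80, 9000, b"GET / HTTP/1.0\r\n"),  # not watched
]

if __name__ == "__main__":
    for session, data in reassemble_sessions(SAMPLE_FRAMES).items():
        print(session, data)
```

Two things the filter deliberately leaves out: telnet option negotiation (IAC sequences) arrives on the same stream and would need stripping before the log is readable, and the direction test relies on the service port being the destination, so a capture point that only sees one side of a segment (the "disadvantage" noted above) yields nothing for that session.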