[846] in linux-security and linux-alert archive
Re: [linux-security] suspicious users
daemon@ATHENA.MIT.EDU (Suicide Object)
Tue Jun 25 10:22:59 1996
Date: Mon, 24 Jun 1996 20:21:59 +0200 (MET DST)
From: Suicide Object <wvdputte@reptile.rug.ac.be>
To: "/* (c) 1996 dMv */" <dmv@cybercom.net>
cc: Peter Orbaek <poe@theory.lcs.mit.edu>, linux-security@tarsier.cv.nrao.edu,
delznic@axess.net
In-Reply-To: <Pine.BSD/.3.91.960622005823.11918A-100000@shell1.cybercom.net>
On Sat, 22 Jun 1996, /* (c) 1996 dMv */ wrote:
> But the same thing stands for telnetsnoop. If used unwisely, it can be
> unuseful, and generate a lot of data. However, if you log the data to a
> file, and have it search for certain things, based on what you want to
> know. It has the advantage that not everyone has their privacy needlessly
> violated.
telnetsnoop is a very restricted way of monitoring: only port 23?
gee... gives a good idea of what is going on on your machine, doesn't it?
Doesn't log ftp (well, /var/adm/messages does this rather well), rlogin,
rpc, people's own telnetd running on port 20666.
As for most systems, access is not done on console but via networking so
what better way to monitor access than to keep an eye on your packets
traveling in and out.
> Really think hard about this: what gives you the right to monitor the
> user. If your answer is 'because I'm paid to' or 'because it is my
> system', then feel free (post a warning like the one in the previous post
> or something). But if the system is something general, like an ISP
> machine, then you really must be justified in potentially tapping and
> violating users' rights.
>
> Basically, how would you feel in a similar situation, reversed?
this is a bit off topic, more on this 'legal thing':
Basically: my machine is my ass. If someone abuses my machine *I*'m the
one who is going to take the responsibility. Same should go for any ISP:
if you let people party in your house, they should behave. If they start
doing weird stuff, you should be able to look into it.
I don't say you should log all their connections nor read all their mail,
just if something suspicious is in the air or complaints start to roll
in, you should take action. Not just kick the abuser off, but also check
what and how he is doing.
{Having the sad honour of doing it a while ago :-(}
Wim Vandeputte, Tunnel Vision and the scars to prove it
"Is it time to shut down and lay to rest the Bomb
that Servant Suicide Object worshipped like a God"
-- NIVEK OGRE