
Re: Kinda OT: Dealing with cracker attempts...



In /etc/hosts.deny I have something that looks like:

ALL: ALL: twist /usr/local/sbin/spyboink %d %h 2>>/var/log/netabuse.err

which is a catch-all if hosts.allow doesn't let a valid host connect
and other hosts.deny rules aren't activated.  The spyboink script
displays a happy little message (from the Guide :) and then does a
portscan, queso, traceroute, and finger, sending the results to root
and logging to auth.emerg, which will alert anybody currently logged
into the machine (if unsuspecting legitimate users may be logged in
you may want to change it to something like auth.warn).

(Note: the sleep 5 and backgrounding of the portscan are to make things a
little nicer if you're on a dial-up connection.)

-aaron

----------------------------[spyboink]---------------------------------

#!/bin/sh
# spyboink: tcp_wrappers "twist" handler, invoked from hosts.deny as
#   twist /usr/local/sbin/spyboink %d %h
# so $1 is the daemon name (%d) and $2 the client host (%h).
# Anything written to stdout goes back over the connection to the client.

cat <<EOF
-----------------------------------------------------------------------
WARNING: All activity from $2 is being monitored.
-----------------------------------------------------------------------
Greetings to you ...

This is a recorded announcement as I'm afraid we're all out at the
moment. The commercial council of Magrathea thanks you for your
esteemed visit ...

... but regrets that the entire planet is temporarily closed for
business. Thank you. If you would care to leave your name and the
address of a planet where you can be contacted, kindly speak when you
hear the tone.

<bzzzt>

<pause>

We would like to assure you that as soon as our business is resumed
announcements will be made in all fashionable magazines and colour
supplements, when our clients will once again be able to select from
all that's best in contemporary geography. Meanwhile we thank our
clients for their kind interest and would ask them to leave. Now.

<pause>

It is most gratifying that your enthusiasm for our planet continues
unabated, and so we would like to assure you that the guided missiles
currently converging with your ship are part of a special service we
extend to all of our most enthusiastic clients, and the fully armed
nuclear warheads are of course merely a courtesy detail. We look
forward to your custom in future lives ... thank you.

EOF
#'

LOGDIR=/var/log
LOGFILE=$LOGDIR/netabuse.log	# one line per host already investigated
ERRFILE=$LOGDIR/netabuse.err	# output of the tools, kept off the connection

if [ ! -e "$LOGFILE" ]; then
	touch "$LOGFILE"
fi

# First log a warning (auth.emerg reaches every logged-in user; use
# auth.warn if that is unwelcome)
/usr/bin/logger -t "SECURITY ALERT" -p auth.emerg "$1 - $2"

# Only investigate a host the first time it is seen.  -F matches the host
# literally (the dots in an address are not regex wildcards), -x matches
# whole lines only, -q keeps grep's output off the connection.
if ! /bin/grep -Fxq -- "$2" "$LOGFILE"; then
  echo "$2" >> "$LOGFILE"
  # Redirect order matters: ">> file 2>&1" sends both streams to the file,
  # whereas "2>&1 > file" would send stderr down the connection to the client.
  /usr/sbin/traceroute -q 1 "$2" 2>&1 | /usr/bin/mail -s "[SECURITY ALERT] $2: traceroute" root >> "$ERRFILE" 2>&1
  /usr/sbin/queso "$2" 2>&1 | /usr/bin/mail -s "[SECURITY ALERT] $2: queso" root >> "$ERRFILE" 2>&1
  # sleep, then run the portscan in the background so the connection is not
  # held open while it runs (kinder on a dial-up link)
  (sleep 5; /usr/local/sbin/portscan "$2" 2>&1 | /usr/bin/mail -s "[SECURITY ALERT] $2: portscan" root >> "$ERRFILE" 2>&1) &
fi

/usr/sbin/safe_finger -l "@$2" 2>&1 | /usr/bin/mail -s "[SECURITY ALERT] $2 - $1: finger" root >> "$ERRFILE" 2>&1

exit 0
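As an added example, not the posted spyboink script and not from anyone in this thread: the record-keeping core of such a twist handler written in POSIX sh, with the matching, quoting and redirection problems of the posted script addressed and each piece in a function so it can be exercised on its own. The handler name twist-handler, the SEEN_FILE and ERR_FILE variables, and the use of auth.warn in the main body are assumptions for illustration. hosts_access(5) documents that characters which could confuse the shell are replaced by underscores in % expansions, but a handler that may also be run by hand should not rely on that alone, so the host argument is checked again here.

```shell
#!/bin/sh
# Added example: core of a tcp_wrappers "twist" handler (not the posted
# spyboink script).  Assumed hosts.deny line:
#   ALL: ALL: twist /usr/local/sbin/twist-handler %d %h 2>>/var/log/netabuse.err
# so $1 is the daemon name (%d) and $2 the client host (%h).
# Under twist, stdout is the socket to the remote host.

# Accept only characters that can appear in a hostname or an IPv4/IPv6
# address.  Returns 0 if $1 is acceptable, 1 otherwise.
valid_host() {
    case "$1" in
        ''|*[!A-Za-z0-9.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Append host $2 to the "seen hosts" file $1 unless it is already listed.
# Returns 0 for a host seen for the first time, 1 for a repeat.
# -F matches the host literally (a dot is not a regex wildcard), -x matches
# whole lines, -q keeps grep's output off the connection.
record_first_seen() {
    _seen=$1 _host=$2
    [ -e "$_seen" ] || : >"$_seen"
    if grep -Fxq -- "$_host" "$_seen"; then
        return 1
    fi
    printf '%s\n' "$_host" >>"$_seen"
    return 0
}

# Run a command with both stdout and stderr appended to file $1.
# ">> file 2>&1" is the right order: stderr is duplicated onto the file.
# "2>&1 >> file" duplicates stderr onto the *current* stdout first, which
# under twist is the remote host's socket, so tool errors and local paths
# would go straight to the scanner.
run_logged() {
    _logf=$1; shift
    "$@" >>"$_logf" 2>&1
}

# Compose the syslog text for daemon $1 and host $2; printed on stdout so
# the caller picks the priority (auth.emerg alerts every logged-in user,
# auth.warn does not).
alert_message() {
    printf 'SECURITY ALERT: %s connection attempt from %s' "$1" "$2"
}

# Main body, only when executed as the installed handler (assumed name).
if [ "${0##*/}" = "twist-handler" ]; then
    daemon=$1 host=$2
    seen=${SEEN_FILE:-/var/log/netabuse.log}
    errf=${ERR_FILE:-/var/log/netabuse.err}
    if ! valid_host "$host"; then
        logger -t "SECURITY ALERT" -p auth.warn "rejected host argument for $daemon"
        exit 1
    fi
    logger -t "SECURITY ALERT" -p auth.warn "$(alert_message "$daemon" "$host")"
    if record_first_seen "$seen" "$host"; then
        # First contact: trace the route in the background so the connection
        # is closed promptly; the host is passed as a positional parameter,
        # never interpolated into the command string.
        ( run_logged "$errf" sh -c \
            '/usr/sbin/traceroute -n -q 1 "$1" | /usr/bin/mail -s "[SECURITY ALERT] $1: traceroute" root' \
            sh "$host" ) &
    fi
fi
```

The main body is guarded by the script's own basename, so the functions can be sourced and tested without touching syslog or the network; the split between first-contact work (backgrounded) and the per-connection log line follows the posted script's structure.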

