From mboxrd@z Thu Jan 1 00:00:00 1970
From: Saint Neon
Subject: Re: critical server commands logging
Date: Sat, 11 Jan 2003 21:29:02 -0800 (PST)
Sender: linux-admin-owner@vger.kernel.org
Message-ID: <20030112052902.40492.qmail@web40812.mail.yahoo.com>
References: <15904.33994.285524.349582@cerise.nosuchdomain.co.uk>
Mime-Version: 1.0
Return-path:
In-Reply-To: <15904.33994.285524.349582@cerise.nosuchdomain.co.uk>
List-Id:
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: Glynn Clements
Cc: linux-admin@vger.kernel.org

This is somewhat unconventional, but it works. You could run sniffer
programs on your server without too many worries about load. sniffit is
a good program. You can find it here:

http://reptile.rug.ac.be/~coder/sniffit/sniffit.html

You can specify the host connections that you want to log. The
configuration file packs lots of punch and power into it.

Neon.

--- Glynn Clements wrote:
>
> urgrue wrote:
>
> > there was some kind of "virtual tty" program, it might even have been a
> > kernel patch.
> > if I remember correctly it allows you to capture every keystroke and even
> > screen output.
> > I'm sorry I don't remember the name, maybe someone else does.
>
> Probably ttysnoop and/or telnetsnoopd (a "snooping" version of
> telnetd).
>
> However, this will only get you so far. Someone who is actively trying
> to do something malicious without getting caught can find a way around
> almost any logging mechanism which you install.
>
> E.g. logging the telnet/ssh connection can be circumvented by the
> following method:
>
> 1. Log in.
> 2. Generate a PGP key-pair.
> 3. Display the public key (i.e. send it back to the client).
> 4. Send a script which has been encrypted with the public key.
> 5. Decrypt the script.
> 6. Execute the script.
> 7. Delete the PGP key-pair.
>
> As the private key is never sent over the connection, you have no way
> of seeing what's in the script.
>
> If you think that the above would look suspicious, bear in mind that
> there are a great many ways in which the process can be obfuscated.
>
> Consider the situation where the user creates a text file (e.g. a
> script) by using a text editor (e.g. vi) interactively; deducing the
> exact contents of the file by examining the keystrokes which are
> logged is far from trivial.
>
> --
> Glynn Clements
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
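The seven-step exchange Glynn describes above, replayed end to end as an added example (this is not code from the thread or from sniffit/ttysnoop). It assumes a toy textbook RSA key pair and an HMAC-SHA256 counter-mode keystream standing in for PGP, purely so the script runs with the Python standard library; the `WireLog` class, `run_session` and the sample script are constructed for the demonstration. The log records exactly what a connection sniffer or ttysnoop-style logger could capture on the wire, and the check at the end shows the server recovers the script intact while neither the script nor the private key ever appears in the log.

```python
import hashlib
import hmac
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test, adequate for a demo key pair."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Toy textbook RSA standing in for the PGP key pair (step 2). Not secure:
    no padding and a 512-bit modulus; it only illustrates the asymmetry."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p == q or phi % e == 0:
            continue
        return (p * q, e), (p * q, pow(e, -1, phi))


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric layer: HMAC-SHA256 in counter mode, XORed over the data."""
    stream = b"".join(
        hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


class WireLog:
    """Everything a connection sniffer (or ttysnoop) could record."""

    def __init__(self):
        self.records = []

    def send(self, direction: str, payload: bytes) -> bytes:
        self.records.append((direction, payload))
        return payload

    def contains(self, needle: bytes) -> bool:
        return any(needle in payload for _, payload in self.records)


def run_session(script: bytes, bits: int = 512):
    """Replay steps 2-7; return (what the server decrypted, the wire log)."""
    wire = WireLog()
    public, private = generate_keypair(bits)   # step 2: key pair lives only on the server
    n, e = public
    klen = (n.bit_length() + 7) // 8

    # step 3: the public key is displayed, so it crosses the wire in the clear
    wire.send("server->client", f"{n:x}:{e:x}".encode())

    # step 4: the client rebuilds the key from exactly what the logger saw,
    # wraps a fresh session key with it and sends the encrypted script
    n_c, e_c = (int(x, 16) for x in wire.records[-1][1].decode().split(":"))
    session_key = secrets.token_bytes(32)
    wrapped = pow(int.from_bytes(session_key, "big"), e_c, n_c)
    wire.send("client->server", wrapped.to_bytes(klen, "big") + keystream_xor(session_key, script))

    # step 5: the server unwraps the session key with the private half and decrypts
    blob = wire.records[-1][1]
    recovered = pow(int.from_bytes(blob[:klen], "big"), private[1], n).to_bytes(32, "big")
    plaintext = keystream_xor(recovered, blob[klen:])

    del private                                 # step 7: key pair deleted (step 6, execution, omitted)
    return plaintext, wire


# Constructed sample: the kind of script a command logger exists to catch.
SAMPLE_SCRIPT = b"#!/bin/sh\nrm -rf /var/log/*\n"

if __name__ == "__main__":
    decrypted, log = run_session(SAMPLE_SCRIPT)
    print("server decrypted the script intact:", decrypted == SAMPLE_SCRIPT)
    print("script text visible in the wire log:", log.contains(b"rm -rf"))
```

The point of the replay is the asymmetry of what each party holds: the logger has every byte of both directions, the client has only the public key it was shown, and still only the server can turn the second message back into the script. Anything that inspects the connection (a sniffer such as sniffit, a snooping telnetd, a PTY recorder) is on the wrong side of that line, which is why the thread concludes that host-side controls, not connection logging, are what limit a determined user.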