[rescue] A perverse thought (SGI security division)
Sheldon T. Hall
shel at cmhcsys.com
Thu Mar 11 14:57:54 CST 2004
OK, I have the latest, most secure SSHD peeking out at the world from my
Challenge L running IRIX 6.5.20, and it's sure to get scanned again, and,
probably, eventually attacked.
So, I had this thought....
IRIX lets you interpose a program between the syslog daemon and the syslog
file. I think this is cool, since my program can look at every syslog entry
as it's being made. I have it set to send alerts to my cellphone (as text
mesasages) when it sees certain key words or phrases in the syslog entries
that go by.
So far so good.
How about using this for a more active defense against attackers? If the
filter detects an unauthorized probing of the ssh port, say, it could
kill the sshd
connect the chargen port to the ssh port
killall -HUP inetd
wait a few minutes
reverse the changes
Of course, it would have to be sure an authorized user wasn't already
connected, or at least only kill the instance of the sshd the attacker was
using, or something, but the results might be amusing. You can see some
pimply-faced script-kiddie sitting at his machine ...
<PFSK's machine> scan ... scan ... scan ... DING!
<PFSK> <clickety-clickety> ssh 123.145.167.189
<my machine> <pukes out oodles of characters>
<PFSK's machine's ssh> WTF?
<PFSK> WTF?
<PFSK's machine> coredump (if we're lucky)
So, what'd'ya think?
-Shel
--
Sheldon T. Hall
shel at cmhc.com
206-780-7971 (CMHC)
206-842-2858 (Home)
More information about the rescue
mailing list