16.9 Paging telnet and rsh Usage

You can extend your script to page yourself whenever someone initiates a telnet session (whether or not the login succeeds) with the following addition. You do not get paged on telnet sessions from cia.com or cavu.com because you trust these systems. Note that this only handles telnet connections that are allowed by TCP Wrappers. The use of TCP Wrappers, a wonderful tool for keeping out crackers, is covered later in this chapter and in "TCP Wrappers" on page 555.

    # $x holds the current log line; $y becomes the connecting host
    # (the last word of the line, with any "user@" prefix stripped)
    set y=`echo "$x" | sed -e 's/.* //' -e 's/.*@//'`
    echo "$x" | grep -q 'telnetd\[.*: connect from '
    if ( $status == 0 ) then
        if ( "$y" == "cia.com" ) goto pasttelnet
        if ( "$y" == "cavu.com" ) goto pasttelnet
        echo "$x" \
        | sed -e "s/^... .. ..:..:.. \([^ ]*\).*: /telnet:\1:/" \
        | Mail 1234567@skytel.com bob@homesys.com bob@pentacorp.com
    endif
    pasttelnet:

This next example generates a page when there is an attempt to telnet that TCP Wrappers disallows. This would be considered a cracking attempt that has been thwarted!

    echo "$x" | grep -q 'telnetd\[.*: refused connect from '
    if ( $status == 0 ) then
        echo "$x" \
        | sed -e "s/^... .. ..:..:.. \([^ ]*\).*: refused connect from /telnet:\1:REFUSED /" \
        | Mail 1234567@skytel.com bob@homesys.com bob@pentacorp.com
    endif

The rsh program is quite popular because it allows you to issue a command to a remote system easily. It is a security hole too, because if someone cracks joe@cia.com and joe@cia.com has permission to issue rsh commands to the joe account on nsa.com (by listing cia.com in ~joe/.rhosts on nsa.com), they "own" joe@nsa.com too. The ssh command is much preferred because it is secure. As an alternative (but not as secure), you can use TCP Wrappers to limit which systems can use rsh to issue commands on your system. In any case, if you allow rsh you will want to be paged (or receive e-mail) when it is used, with the following addition to your script.

    echo "$x" | grep -q 'rshd\[.*: .*cmd='
    if ( $status == 0 ) then
        echo "$x" \
        | sed -e "s/^... .. ..:..:.. \([^ ]*\)[^:]*: /rsh:\1:/" \
        | Mail 1234567@skytel.com bob@homesys.com bob@pentacorp.com
    endif

The e-mail or page you receive will look like the following:

    rsh:cavu:root@cracker.com as root: cmd='chown root /bin/csh; chmod 4777 /bin/csh'
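The three rules above rewritten as one self-contained POSIX sh script, as an added example that is not code from the book. It keeps the book's sed expressions and alert formats (telnet:host:..., telnet:host:REFUSED ..., rsh:host:...), but applies them to a whole log on standard input and prints the alerts instead of piping them to Mail, so it can be tested offline against constructed sample lines. The trusted-host list, the assumed syslog line format ("Mon DD HH:MM:SS host daemon[pid]: message") and the sample log lines are assumptions made here; the function and variable names are this example's own.

```sh
#!/bin/sh
# Added example, not from the book: the section's three paging rules
# (telnet allowed, telnet refused by TCP Wrappers, rsh command) as POSIX sh
# functions that turn a syslog line into the alert text the book mails out.
# Assumed log format: "Mon DD HH:MM:SS host daemon[pid]: message", with the
# TCP Wrappers and rshd message texts quoted in the section.

# Hosts whose successful telnet connections are trusted and so not paged.
TRUSTED_HOSTS="cia.com cavu.com"

# is_trusted HOST: succeed if HOST is listed in TRUSTED_HOSTS.
is_trusted() {
    for h in $TRUSTED_HOSTS; do
        [ "$1" = "$h" ] && return 0
    done
    return 1
}

# classify_line LINE: print the alert text for LINE, or nothing if LINE is
# none of the three events. The "refused" test must come first because
# "refused connect from" also contains "connect from".
classify_line() {
    line=$1
    case $line in
        *'telnetd['*': refused connect from '*)
            echo "$line" | sed -e 's/^... .. ..:..:.. \([^ ]*\).*: refused connect from /telnet:\1:REFUSED /'
            ;;
        *'telnetd['*': connect from '*)
            # The last word is the peer, possibly "user@host"; keep only the host.
            peer=$(echo "$line" | sed -e 's/.* //' -e 's/.*@//')
            if ! is_trusted "$peer"; then
                echo "$line" | sed -e 's/^... .. ..:..:.. \([^ ]*\).*: /telnet:\1:/'
            fi
            ;;
        *'rshd['*': '*'cmd='*)
            echo "$line" | sed -e 's/^... .. ..:..:.. \([^ ]*\)[^:]*: /rsh:\1:/'
            ;;
    esac
}

# scan_log: read syslog lines on stdin and print one alert line per event.
# Pipe the output to Mail (as the book does) to turn the alerts into pages.
scan_log() {
    while IFS= read -r line; do
        alert=$(classify_line "$line")
        if [ -n "$alert" ]; then
            echo "$alert"
        fi
    done
}

# Constructed sample log lines (not real log data): one allowed telnet from
# an untrusted host, one from a trusted host, one refused telnet, one rsh.
SAMPLE_LOG=$(cat <<'EOF'
Jan  5 03:14:07 cavu telnetd[2345]: connect from cracker.com
Jan  5 03:15:00 cavu telnetd[2346]: connect from cia.com
Jan  5 03:16:22 cavu telnetd[2347]: refused connect from cracker.com
Jan  5 03:17:40 cavu rshd[2348]: root@cracker.com as root: cmd='ls /etc'
EOF
)

# Running this prints three alerts; the trusted cia.com connection is silent.
printf '%s\n' "$SAMPLE_LOG" | scan_log
```

To page on a live system, replace the final line with something like `tail -f /var/log/messages | scan_log | Mail ...`, or call classify_line on each line from within the book's own log-watching loop. The ordering of the case branches matters: a refused connection would otherwise be reported as an ordinary telnet session, and if the refused host happened to be in TRUSTED_HOSTS the page would be suppressed entirely.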