[rescue] A perverse thought (SGI security division)

Sheldon T. Hall shel at cmhcsys.com
Thu Mar 11 14:57:54 CST 2004

OK, I have the latest, most secure SSHD peeking out at the world from my
Challenge L running IRIX 6.5.20, and it's sure to get scanned again, and,
probably, eventually attacked.

So, I had this thought....

IRIX lets you interpose a program between the syslog daemon and the syslog
file.  I think this is cool, since my program can look at every syslog entry
as it's being made.  I have it set to send alerts to my cellphone (as text
mesasages) when it sees certain key words or phrases in the syslog entries
that go by.

So far so good.

How about using this for a more active defense against attackers?  If the
filter detects an unauthorized probing of the ssh port, say, it could

	kill the sshd
	connect the chargen port to the ssh port
	killall -HUP inetd
	wait a few minutes
	reverse the changes

Of course, it would have to be sure an authorized user wasn't already
connected, or at least only kill the instance of the sshd the attacker was
using, or something, but the results might be amusing.  You can see some
pimply-faced script-kiddie sitting at his machine ...

	<PFSK's machine> scan ... scan ... scan ... DING!
	<PFSK> <clickety-clickety> ssh
	<my machine> <pukes out oodles of characters>
	<PFSK's machine's ssh> WTF?
	<PFSK's machine> coredump (if we're lucky)

So, what'd'ya think?

Sheldon T. Hall
shel at cmhc.com
206-780-7971 (CMHC)
206-842-2858 (Home)

More information about the rescue mailing list