Well, in that case you have a definite edge.
Using the Cisco ACS along with CiscoWorks
to configure appropriate network management,
you can almost catch him in the act.

Good luck

Abdul Rahman

A. Rahman, Ph.D.
Product Engineer
Digex, Inc.


-----Original Message-----
From: M Z [mailto:[EMAIL PROTECTED]]
Sent: Saturday, June 17, 2000 5:19 AM
To: [EMAIL PROTECTED]
Subject: RE: Help me catch a Hacker


I use Cisco Secure ACS, which is great because it logs all attempts to hack 
into the router, whether successful or failed ones. You can apply it to 
Asyncs, VTY, and console ports, but be careful: do not lock yourself out of 
the router with TACACS+.


>From: "Rahman, Abdul" <[EMAIL PROTECTED]>
>Reply-To: "Rahman, Abdul" <[EMAIL PROTECTED]>
>To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>CC: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>Subject: RE: Help me catch a Hacker
>Date: Fri, 16 Jun 2000 15:13:32 -0400
>
>If you are using some SNMP trap agent
>like OpenView you can narrow the time that the
>box goes down.  Then if you are motivated you can
>assign that specific SNMP trap to attempt to run
>a set of diagnostics against the box to be able to
>determine its exact state.  That is, can you telnet?
>If so, can you log in, etc., etc.  If you are using
>OpenView on Unix, then a shell script using an 'expect'
>type of script or Perl would accomplish this in a very
>nice fashion.
>
>Also:
>
>How is he actually getting into the box?  If it is
>across a network then perhaps you can add a router between
>his subnet and the 7000.  Then you can log, I believe,
>routes from his IP address across that router; correlate
>to the down time that you get from OpenView.  Using these
>two you can get some data on "attacks" on the box.
>
>If he is using a console type connect then perhaps you need to
>think about securing the area and making sure that policies are in
>place to guard the box.
>
>Hope this helps.
>
>Best regards,
>
>A. Rahman, Ph.D.
>Product Engineer
>Digex, Inc.
>
>
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent: Friday, June 16, 2000 12:13 PM
>To: [EMAIL PROTECTED]
>Subject: Help me catch a Hacker
>
>
>Greetings,
>
>I've a 7000 router in a remote location and it seems
>the local admin is hacking in by using the power outage
>excuse.  He changes the password by rebooting the
>router and peeks around.  I'm trying to catch him in
>the act or log his activities,  any ideas?????
>
>Thanks,
>
>Nabil
>
>___________________________________
>UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
>FAQ, list archives, and subscription info: http://www.groupstudy.com
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
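Added example, not part of any message in this thread: a Python sketch of the correlation the replies suggest, matching router restart times from a trap receiver against login records from an AAA server. The CSV log layout, the user names and all sample data are constructed assumptions, not the actual export format of Cisco Secure ACS or OpenView.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data (assumption): restart times seen by a trap receiver.
RESTARTS = """\
2000-06-10 02:14:05
2000-06-14 23:40:51
"""

# Login records in an assumed CSV layout: time,user,port,result
AAA_LOG = """\
2000-06-10 02:19:44,siteadmin,con0,fail
2000-06-10 02:21:03,siteadmin,con0,pass
2000-06-14 23:47:10,siteadmin,con0,pass
2000-06-15 08:05:27,netops,vty0,pass
"""


def parse_logins(text):
    """Return (time, user, port, result) tuples from the assumed CSV layout."""
    rows = csv.reader(text.strip().splitlines())
    return [(datetime.strptime(t, FMT), u, p, r) for t, u, p, r in rows]


def logins_after_restarts(restarts_text, aaa_text, window_minutes=30):
    """Map each restart time to the logins seen within the window after it."""
    window = timedelta(minutes=window_minutes)
    logins = parse_logins(aaa_text)
    hits = {}
    for line in restarts_text.strip().splitlines():
        start = datetime.strptime(line.strip(), FMT)
        hits[start] = [r for r in logins if start <= r[0] <= start + window]
    return hits


def repeat_users(hits, min_restarts=2):
    """Users who logged in after at least min_restarts separate restarts."""
    seen = defaultdict(set)
    for start, recs in hits.items():
        for _, user, _, _ in recs:
            seen[user].add(start)
    return sorted(u for u, starts in seen.items() if len(starts) >= min_restarts)


if __name__ == "__main__":
    print(repeat_users(logins_after_restarts(RESTARTS, AAA_LOG)))
```

A user who shows up on the console shortly after several separate restarts is the pattern worth reviewing against the reported power outages.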