Greetings,
The initial trouble is that key loggers work from a console or a terminal
device (at least the ones that I have seen). When someone is attacking
your host, generally they are doing so from across the network. Since
there is no tty device, until the connection is made, the key logger has to
be spawned from the login shell or be integrated into the shell itself.
The next problem is that when your host is being attacked, it is seldom
that they break into a "normal" login shell. Instead they wind up in the
user space of the daemon that was broken. Think wu-ftp... when exploited
the attacker was left with an active blind shell. This means that commands
they typed were executed but they couldn't see what they were typing.
Your best bet (for what you requested) would be to set up some sort of
network sniffer to capture all traffic in and out of the host in
question. This will probably require a lot of disk space as well as be
unproductive. You may wind up sifting through mounds of traffic just to
find the one rogue packet... four months from now. Relying on a trigger to
start the logger will probably only capture the packets after the initial
compromising of your host.
The better bet would be to keep whatever daemons you are running at their
most current level and to implement a strong security policy which will
include a sound firewall. You can log things like attempts to connect to
services that you aren't running, malformed packets, etc. These things
should help you to be alerted of reconnaissance missions against your
host. Also, don't forget to run integrity software on your servers (e.g.
Tripwire) so that in the event of compromise, you can identify any modified
files or directories.
Just my 2 cents.
- Bennett
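The integrity-checking step recommended above (Tripwire and the like) comes down to recording a fingerprint of every file while the host is known-good and then comparing a later snapshot against that baseline. The script below is an added example, not code from this thread and not Tripwire's own code; the directory tree, its file contents and the tampering applied to it are all constructed inside a temporary directory so the script runs stand-alone.

```python
"""
Minimal file-integrity baseline/verify in the spirit of Tripwire (added
example, not the tool itself). Each regular file gets a SHA-256 digest,
size and permission bits; a later snapshot is diffed against the baseline
to report added, removed and modified paths.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def _fingerprint(path):
    """Hash file contents and record mode/size, so that a permission
    change is flagged even when the contents are unchanged."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    st = os.lstat(path)
    return {"sha256": digest.hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Walk root and fingerprint every regular file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks, devices, sockets are not fingerprinted
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = _fingerprint(full)
    return baseline


def compare(baseline, current):
    """Return which paths were added, removed or changed since the baseline."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in common if baseline[p] != current[p])}


def save_baseline(baseline, path):
    with open(path, "w") as handle:
        json.dump(baseline, handle, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as handle:
        return json.load(handle)


def demo():
    """Constructed scenario: baseline a fake /bin and /etc, tamper, re-check."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    store = root + "-baseline.json"  # keep the baseline outside the tree
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"constructed stand-in for the ls binary")
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "etc", "shadow"), "w") as f:
            f.write("root:*:10000:0:99999:7:::\n")
        os.chmod(os.path.join(root, "etc", "shadow"), 0o600)
        with open(os.path.join(root, "etc", "inetd.conf"), "w") as f:
            f.write("ftp stream tcp nowait root /usr/sbin/in.ftpd\n")

        save_baseline(build_baseline(root), store)

        # Simulated post-compromise changes: replaced binary, extra account
        # line, loosened permissions (content untouched), removed config,
        # and an unexpected new file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"constructed replacement of the ls binary")
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("extra:x:0:0::/:/bin/sh\n")
        os.chmod(os.path.join(root, "etc", "shadow"), 0o644)
        os.remove(os.path.join(root, "etc", "inetd.conf"))
        with open(os.path.join(root, "etc", "extra.conf"), "w") as f:
            f.write("unexpected file\n")

        return compare(load_baseline(store), build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        if os.path.exists(store):
            os.remove(store)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In real use the baseline file and the checking script belong on read-only or off-host media, and the check should be run from a trusted copy of the interpreter: on a compromised host the hashing tool itself is one of the first things that may have been replaced, which is exactly what the baseline is meant to reveal.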
At 17:46 10/14/99 -0400, Mr. Sharkey wrote:
>Hi,
>
>I'm running a mixed site of Linux and Solaris machines. What I'd like
>is some sort of keystroke logger that could have its output piped to
>a remote loghost (if someone does get in, I'd like to know what they
>did / how they did it).
>
>Trouble is, as much as I've searched, all I can find are utilities for
>Dos/Windows. Has anyone run across such a beast? I did find TTY-watcher
>from engarde.com, but I doubt I'll ever get it to compile.
>
>
>Any help would be appreciated.
>
>Thanks,
>
>
>M.
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]