This list is about firewalls, basically keeping the bad guys out. But what
if they get in?
To consider an analogy, building security operates on different levels.
First level is to prevent a break-in, via perimeter alarms for example.
This would be the firewalls that we are all familiar with.
But even the best efforts at prevention aren't always effective, therefore
you need detection of break-ins as well.
Most companies hire a small army of underpaid security guards to sit
around, monitor TV cameras, walk around looking for problems, etc. So why
can't companies with a lot to lose on their corporate networks do the
same? In addition, why not be as tricky with the crackers as they are with
you? Use some of their tricks to trip them up. Many computer science
college students would probably love a 'security guard' assignment. Just
let them look out for fishy activity, and have various alarms and monitors
set to warn them as well.
Hide yourself. Edit utmp and other traces of your identity so it doesn't
look like you are logged in. True, they can use ps to find you, but if
they finger or ruser you from outside (OK, for those of us that still have
these services available), they won't see you logged in. On the flip-side,
kill -9 the process that spawned your shell when you leave (e.g., telnetd)
so that you will remain in the utmp file to spook those taking a quick peek.
Plant trojans. What does a cracker do when he logs in? Run ps probably.
Make ps a trojan that examines its args. Simple ps's can pass, but if
someone is listing all the processes on the system, you may want to
send a warning to the 'security guard' on duty before letting it pass.
Hack cc in the normal search path to sound a warning if someone uses it.
Then tell your normal programmers to use the real cc somewhere else.
Hack the source to your systems' main shell program. Have it examine
commands against a list of commands that user usually uses and commands to
watch for. If a user all of a sudden starts to execute commands they never
did in the past, raise a warning flag somewhere.
Write a fake daemon shell called something like 'sysmonitor' or something
like that and just let it sit on your system doing nothing except some
gratuitous action periodically just to let the CPU time increment. It'll
drive a bad guy nuts trying to figure out what it is. Better yet, open a
tcp port to something and let it accept a connection, then report the
connection to your 'security guard' -- i.e., some idiot will telnet to it
and type a HELP command to see what it is.
Take some of those old IBM classic 5150 PCs and throw an old 3C501 enet
card into it. Install a few into your DMZ zone and make them look
interesting with host names like development or something. Then have a
PC program open up some common ports and listen, like telnet, ftp, SMTP.
No legit user should use those machines, so if it gets a connection, send an
None of these little booby-trap things are hard to defeat, but if they are
unpredictable and numerous, a cracker is bound to trip one or two. And if
they notice a system littered with booby-traps, they will not know for
sure if they've found them all and get very spooked and hopefully leave
After detection, you have to work on identification. Now this is tough, of
course, but usually you can at least trace a connection back to some host.
Try and learn all you can about your little intruder and then go about
discrediting him/her. Get an account on a public access internet site
somewhere with an alias. Use that site to conduct investigations into who
is cracking your system. If you find out an identity, even if it is not a
real one, then start doing 'get back' things like forging mail to other
crackers using this guy's identity and do things to discredit him amongst
These are just some ideas that have popped into my head at 3:30 AM when I
should be sleeping! I am far from an expert in these things,
especially since I work in a very insecure environment. I'll let the list
decide if these (probably not new) ideas have any merit.
BTW, I got a few hate mail messages when I suggested in an earlier message
about eavesdropping on IRC. Amazing. True, it is pretty unethical as I
think about it, but it makes me chuckle if these people think their
conversations are private. True nosey people don't advertise what they are
doing. I don't really know IRC very well, but last time I had to run a
packet analyzer on my backbone, I noticed those IRC message packets were
in very clear text with a complete message line per packet (no need to
assemble them), so I am sure they are snooped quite a lot...
Ken Weaverling weave @
Manager of Computer Services
Stanton/Wilmington Campuses of
Delaware Technical & Community College
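Two of the booby-traps described in the post, worked through as an added example that is not part of the original message: the 'sysmonitor' decoy that accepts a TCP connection and reports it to the on-duty guard, and the shell-side check that flags commands a user has never run before or that sit on a watch list. The `Guard` class, the `WATCH_LIST` contents, the per-user baseline dictionary and the canned `sysmonitor` reply are all constructed for this example; a real deployment would replace `Guard.raise_alert` with a pager, a syslog write to a separate host, or whatever wakes the student on duty.

```python
"""Decoy listener and per-user command baseline, in the spirit of the
post's 'sysmonitor' daemon and hacked shell. Constructed example."""
import socket
import socketserver
import threading
import time
from dataclasses import dataclass, field

@dataclass
class Alert:
    kind: str      # "decoy-connect", "watched-command" or "novel-command"
    who: str       # peer address or username
    detail: str
    when: float = field(default_factory=time.time)

class Guard:
    """Stand-in for the 'security guard' on duty: just collects alerts.
    Swap raise_alert() for a pager/syslog call in a real deployment."""
    def __init__(self):
        self.alerts = []
        self._lock = threading.Lock()

    def raise_alert(self, kind, who, detail):
        alert = Alert(kind, who, detail)
        with self._lock:
            self.alerts.append(alert)
        return alert

# --- Booby-trap 1: shell wrapper that compares commands to a baseline --------
# Constructed watch list; the post's example is the compiler (cc).
WATCH_LIST = {"cc", "gcc", "tcpdump"}

def check_command(guard, user, cmdline, baseline):
    """Return True (and alert) if cmdline is on the watch list or is a command
    this user has never used. baseline maps user -> set of usual commands."""
    parts = cmdline.split()
    name = parts[0] if parts else ""
    if name in WATCH_LIST:
        guard.raise_alert("watched-command", user, cmdline)
        return True
    if name not in baseline.get(user, set()):
        guard.raise_alert("novel-command", user, cmdline)
        return True
    return False

# --- Booby-trap 2: the 'sysmonitor' decoy port ------------------------------
class DecoyHandler(socketserver.StreamRequestHandler):
    timeout = 5  # seconds to wait for the visitor's first line

    def handle(self):
        peer = "%s:%d" % self.client_address
        try:
            first = self.rfile.readline(512).decode("ascii", "replace").strip()
        except (socket.timeout, OSError):
            first = ""
        # Report before replying, so the alert exists by the time the
        # visitor sees any response. No legitimate user should be here.
        self.server.guard.raise_alert("decoy-connect", peer,
                                      "first line: %r" % first)
        self.wfile.write(b"sysmonitor: unknown command\r\n")

class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, guard):
        super().__init__(addr, DecoyHandler)
        self.guard = guard

def start_decoy(guard, host="127.0.0.1", port=0):
    """Bind the decoy (port 0 = any free port) and serve in the background.
    The bound address is available as server.server_address."""
    server = DecoyServer((host, port), guard)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe_decoy(port, line=b"HELP\r\n", host="127.0.0.1"):
    """Play the curious visitor from the post: connect, type HELP, read reply."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(line)
        return sock.recv(256)

if __name__ == "__main__":
    guard = Guard()
    server = start_decoy(guard)
    print("decoy listening on port", server.server_address[1])
    print("visitor saw:", probe_decoy(server.server_address[1]))
    baseline = {"alice": {"ls", "vi", "make"}}   # constructed baseline
    for cmd in ("ls -l", "cc probe.c", "ftp 192.0.2.5"):
        check_command(guard, "alice", cmd, baseline)
    for a in guard.alerts:
        print(a.kind, a.who, a.detail)
    server.shutdown()
    server.server_close()
```

The decoy binds to port 0 here only so the example runs anywhere; on a real decoy host you would bind the ports the post names (telnet, ftp, SMTP) and keep the reply bland so the visitor learns nothing about what answered. The baseline check is deliberately read-only: it never adds a flagged command to the user's usual set, so a learning step (or a human review) decides what becomes normal.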