Here's a modification of the rexec source that I call klaxon. It is extremely useful for detecting portscanner attacks like those perpetrated by ISS and SATAN, among others. It also has optional IDENT (RFC931) support for finding out the remote user (where applicable).

IF YOU ENABLE IDENT SUPPORT, DO NOT PUT KLAXON ON THE IDENT PORT OR YOU WILL THRASH YOUR MACHINE IN A NETWORK LOOP AS KLAXON CONTACTS KLAXON AD INFINITUM.

Ident is a protocol sometimes also called TAP, based on RFC931. If the machine the scan attempt comes from supports this protocol (usually run out of inetd), you will get a username as well as the hostname of the attacking machine. NOTE: take this information with a grain of salt. The answer comes from the attacker's own machine, so ident is very easy to spoof. However, it can also be useful, so I have left it as an option in the source. The current timeout for determining whether the remote machine supports ident is 3 seconds. You can adjust this in the Makefile. Both the ident and ident-free versions of the executable are built from one Makefile.

Currently it compiles out of the box on Solaris 2.x, SunOS 4.1.x, Digital Unix 3.2*, Linux, HPUX, AIX, and probably others.

Copy the version of the built executable you want (with or without ident) and rename it to klaxon. Put it in the directory where you keep the rest of your custom non-OS executables. It's best to have it local to the machine rather than on an NFS-mounted partition, since it is a daemon run out of inetd. For each service that you want to trap, you put klaxon in place of the normal executable in inetd.conf.
Here are some examples (stick them in /etc/inetd.conf):

#
# Local testing counterintelligence
#
rexec   stream  tcp     nowait  root    /etc/local/klaxon   klaxon rexec
link    stream  tcp     nowait  root    /etc/local/klaxon   klaxon link
supdup  stream  tcp     nowait  root    /etc/local/klaxon   klaxon supdup
tcpmux  stream  tcp     nowait  root    /etc/local/klaxon   klaxon tcpmux
rje     stream  tcp     nowait  root    /etc/local/klaxon   klaxon rje
tftp    dgram   udp     wait    root    /etc/local/klaxon   klaxon tftp

(replace "/etc/local" with the location where you put klaxon)

Now you need to make inetd re-read its configuration. Do this by sending it a HUP signal: ps -ax (SunOS 4.x) or ps -ef (Solaris 2.x) will tell you the process id of inetd, and kill -HUP <pid> restarts it.

BUILDING: (example for SunOS)

$(OS) = 4x or 5x on Sun machines. (Look at the Makefile and modify the FLAGS for your machine if it won't build just by typing make.) Known to build correctly with gcc and the Sun SparcWorks compilers.

1) Type make
2) a) Copy klaxon.$(OS).ident to klaxon if you want ident support
   b) Copy klaxon.$(OS) to klaxon if you do not care about ident support
3) Edit your inetd.conf as described above
4) Test it out by telnetting to your machine on the tcpmux port (e.g. telnet localhost 1) and checking that the attempt shows up in your logs

NOTES:

This works in place of any tcp or udp service, but it does NOT work in place of RPC based services.

You can also build a static version by compiling with the appropriate static flag (-Bstatic or -static depending on the compiler) and linking in mine.o (gcc -c mine.c, then add it to the linking phase in the Makefile).

On Linux systems you can save about 700 bytes of executable size by doing 'export CC=gcc; export CFLAGS=-O' before doing your build.

Don't install too many klaxons. It's probably a bad idea to install klaxon on every conceivable port: every connection to a trapped port makes inetd fork a new klaxon (and, with ident enabled, each one may hold a socket open for the full 3-second timeout), so you may end up giving an attacker a convenient way to launch a denial of service attack against you. Pick a few key services that attackers are likely to probe. This will be enough to detect casual port scans and security probes.
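To make the mechanism concrete, here is an added example (my own illustration, not klaxon's source, which you should read for the real thing): a minimal inetd-launched trap that does what the install steps above set klaxon up to do. inetd accept()s the connection and hands it over on fd 0, so the program only has to recover the peer with getpeername(), optionally ask the peer's ident server (RFC 1413, TCP 113) who owns the connection under a 3-second timeout, and log the result via syslog. It assumes a POSIX sockets host (Linux or a modern Unix), an IPv4 peer, and that it is started from inetd with the service name as its argument, as in the inetd.conf lines above. The program name klaxon-example and the functions ident_parse() and ident_lookup() are my own names, not klaxon's.

```c
/* Added example, not klaxon's own source: a minimal inetd-launched trap of the
 * kind the README describes. inetd hands us the accepted connection on fd 0; we
 * log the peer via syslog and, for TCP, ask its ident server (RFC 1413, TCP 113)
 * who owns the connection, under a 3-second timeout. All names here are ours. */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <syslog.h>
#include <unistd.h>

#define IDENT_PORT        113
#define IDENT_TIMEOUT_SEC 3

/* Parse an ident reply "<p1> , <p2> : USERID : <opsys> : <id>". Returns 1 and fills
 * user only for a USERID reply whose echoed ports match what we asked; 0 for ERROR
 * replies, garbage or a port mismatch. Even a "good" answer is only a hint. */
int ident_parse(const char *reply, unsigned peer_port, unsigned local_port,
                char *user, size_t ulen)
{
    unsigned p1, p2;
    char kind[16], opsys[64], id[256];

    if (sscanf(reply, "%u , %u : %15[^ :\r\n] : %63[^ :\r\n] : %255[^\r\n]",
               &p1, &p2, kind, opsys, id) != 5)
        return 0;
    if (p1 != peer_port || p2 != local_port || strcmp(kind, "USERID") != 0)
        return 0;
    snprintf(user, ulen, "%s", id);
    return 1;
}

/* Send "<peer port>,<our port>\r\n" to the peer's port 113. A non-blocking connect()
 * bounded by select() costs us IDENT_TIMEOUT_SEC, not the kernel's connect timeout,
 * when the remote host silently drops port 113. */
static int ident_lookup(const struct sockaddr_in *peer,
                        const struct sockaddr_in *local, char *user, size_t ulen)
{
    struct sockaddr_in dst = *peer;
    struct timeval tv = { IDENT_TIMEOUT_SEC, 0 }, rto = tv;
    unsigned pp = ntohs(peer->sin_port), lp = ntohs(local->sin_port);
    char req[32], reply[512];
    int s, err = 0, ok = 0;
    socklen_t elen = sizeof err;
    fd_set wfds; ssize_t n;

    dst.sin_port = htons(IDENT_PORT);
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return 0;
    fcntl(s, F_SETFL, fcntl(s, F_GETFL, 0) | O_NONBLOCK);
    if (connect(s, (struct sockaddr *)&dst, sizeof dst) < 0 && errno != EINPROGRESS)
        goto out;
    FD_ZERO(&wfds);
    FD_SET(s, &wfds);
    if (select(s + 1, NULL, &wfds, NULL, &tv) <= 0 ||
        getsockopt(s, SOL_SOCKET, SO_ERROR, &err, &elen) < 0 || err != 0)
        goto out;                               /* refused, unreachable or timed out */
    fcntl(s, F_SETFL, fcntl(s, F_GETFL, 0) & ~O_NONBLOCK);
    setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &rto, sizeof rto);
    n = snprintf(req, sizeof req, "%u,%u\r\n", pp, lp);
    if (write(s, req, n) != n)
        goto out;
    if ((n = read(s, reply, sizeof reply - 1)) > 0) {
        reply[n] = '\0';
        ok = ident_parse(reply, pp, lp, user, ulen);
    }
out:
    close(s);
    return ok;
}

int main(int argc, char **argv)
{
    const char *service = argc > 1 ? argv[1] : "unknown"; /* inetd.conf: "klaxon rexec" */
    struct sockaddr_in peer, local;
    socklen_t plen = sizeof peer, llen = sizeof local, tlen = sizeof(int);
    char addr[INET_ADDRSTRLEN], user[256] = "", dgram[512];
    int type = 0, bad;

    openlog("klaxon-example", LOG_PID, LOG_AUTH);
    getsockopt(0, SOL_SOCKET, SO_TYPE, &type, &tlen);
    /* TCP: inetd already completed the handshake, so getpeername() works.
     * UDP ("dgram udp wait"): the socket is unconnected, and we must consume the
     * datagram, or inetd sees it again when we exit and respawns us forever. */
    bad = (type == SOCK_STREAM)
        ? getpeername(0, (struct sockaddr *)&peer, &plen) < 0
        : recvfrom(0, dgram, sizeof dgram, 0, (struct sockaddr *)&peer, &plen) < 0;
    if (bad) {
        syslog(LOG_ERR, "%s: cannot determine peer (run me from inetd): %m", service);
        return 1;
    }
    getsockname(0, (struct sockaddr *)&local, &llen);
    inet_ntop(AF_INET, &peer.sin_addr, addr, sizeof addr);
    /* Never query ident when we *are* the ident port: two traps would loop forever. */
    if (type == SOCK_STREAM && ntohs(local.sin_port) != IDENT_PORT)
        ident_lookup(&peer, &local, user, sizeof user);
    syslog(LOG_NOTICE, "%s probe from %s port %u%s%s", service, addr,
           ntohs(peer.sin_port), user[0] ? ", ident user " : "", user);
    return 0;
}
```

Wire it in exactly like klaxon (for instance "tcpmux stream tcp nowait root /etc/local/klaxon-example klaxon-example tcpmux"), HUP inetd, then "telnet localhost 1" and watch the auth facility in syslog. The two checks worth noticing are the ones the README warns about: the program refuses to do an ident lookup when it is itself sitting on port 113, and it reads (not just peeks at) the datagram for a "dgram udp wait" service such as tftp so that inetd does not respawn it on the same packet.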
It's best to install klaxon and all of your other security tools in a directory that does not have world access. Also make sure your logs are in a safe place that nobody else can get to.

If you have SunOS 4 or Solaris 2, I have a program called tocsin (probably available where you picked up this copy of klaxon) that works as a promiscuous network monitor. It will detect SYN and RST probes against ports that klaxon will not. Because klaxon is run out of inetd, inetd must have completed the TCP 3-way handshake before klaxon even gets called. If the intruder is using something like strobe, he can detect TCP/IP services without completing the handshake, and klaxon is oblivious. tocsin will detect these kinds of probes. On a regular (non-switched) Ethernet network you only need one tocsin daemon running on one machine on any given subnet.

ACKNOWLEDGEMENTS:

Wietse Venema - from whom I borrowed and modified the rfc931 support
NetBSD - from whom I borrowed the original rexec code.

PROBLEMS and COMMENTS:

email Doug.Hughes@eng.auburn.edu
I answer all email (unless it's SPAM)

A list of services to klaxon if not in use. These are common sources of probes (contributed by Paul Roberts - proberts@mimscorp.com):

- These are good for ident
  |- imap2    (Remote root exploit, and common!)
  |- pop3     (Read overflow allowing access to other people's mail)
  |- nntp     (INN exploit attempt)
  |- talk     (There is an overflow exploit for this)
  |- ntalk    (Some morons still try to 'flash' users)
  |- shell    (something only shell users could use anyway)
  |- login    (something only shell users could use anyway)
  |- systat   (Barely useful, but can't hurt)
  |- netstat  (Barely useful, but can't hurt)

- These ports should probably not have ident support on them (ident only describes TCP connections, so a lookup triggered by a UDP service tells you nothing anyway)
  |- auth     (This can cause a feedback loop and crash you and the other guy)
  |- echo     (Usually the source is spoofed anyway; pepsi attack)
  |- chargen  (Usually the source is spoofed anyway; pepsi attack)
  |- tftp     (This is a rare assault, but an ident call from this would
  |            raise suspicion)
  |- uucp     (Same reasons as tftp)
  |- ftpd     (Your choice, really)

- If you don't use RPC services and you really want to obfuscate things, port 111 might be interesting (usually rpcbind/portmap/rpc.portmapper runs on this port).