abuse@ and postmaster@ in the modern world?
Danny Staple
danny at orionrobots.co.uk
Sat Nov 18 15:23:01 GMT 2006
On Fri, 2006-11-17 at 15:09 -0600, Jonathan Rockway wrote:
> Andy Armstrong wrote:
> > On 17 Nov 2006, at 17:05, Toby Corkindale wrote:
> >> Hmm. pam_abl allows people to continue to *try* to login, albeit
> >> automatically
> >> failing them.
> >
> > Yup - I liked the idea of allowing them to waste their time :)
>
> I think it would be even more fun to give them something that looks like
> a root shell and see what they do with it:
>
> Login successful!
> This is OpenLinuxBSD-NT 1.3.37 built in The Mysterious Future!
> All activity is unmonitored, so definitely feel free to serve warez!
> # id
> root(0) groups=wheel
> # uptime
> forever!
> # cat /etc/passwd
> root:*:0:0:Enoch Root:...
> # ftp http://secretrootkit.com/rootkit.ko
> [=================>] 100% (0:08)
> # modprobe rootkit.ko
> Oops: 0000 [#1]
> Modules linked in: foo bar baz
> CPU: 0
> EIP: 0060: [<00000000>] Tainted
> ...
> #
>
> etc. Great way to see what hackers are really doing to the machines they
> compromise, and to see whether or not they try to debug the oops ;)
> Plus, the time they waste with your machine is time that they no longer
> have to waste on real machines.
>
> Regards,
> Jonathan Rockway
>
I seem to remember people building stuff like this on a DOS/Netware
based college network. It was basically screen locking software, but
gave a fake shell, and then began to get cheeky - sometimes provoking
people to profanities until they realised they were had.
This would be cool, and fun, but you would have to make damn sure it
could not be exploited. For a start running it in a totally unprivileged
account inside an otherwise useless read-only virtual machine (or is
that also overkill?). Only needs a tiny amount of virtual disk, and
virtual memory (enough for this shell). Put that on your default port
22, loads of fun. A bit of variation maybe - like the bluescreen
screensaver, give them a DOS shell sometimes, or a VMS style shell,
maybe a MUD (you were eaten by a grue!), AmigaDOS or even for a giggle
present them with the text from a classic computer bootup screen - like
the Commodore 64 one, and a ready prompt. Logging could reveal some
pretty confused kiddies...
How many ssh clients could have a return packet from the server spiked
in some way... Maybe after so long with them messing around - a slightly
malevolent payload could be sent back..
I like it.. Time to laugh maniacally yet?
In truth sounds like it could be too much effort. I use Denyhosts at the
moment, don't allow root logins (in fact even on console you must use
sudo and be in the sudoers group) and have it on a non-standard port.
Danny
More information about the london.pm
mailing list