Here's a modification of the rexec source that I call klaxon. It is
extremely useful for detecting port-scanner attacks like those performed
by ISS and SATAN, among others. It also has optional IDENT (RFC931)
support for finding out the remote user (where applicable).

Ident is a protocol, sometimes also called TAP, which is based on RFC931.
If the machine that the scan attempt comes from supports this protocol
(usually run out of inetd), you will get a username as well as the hostname
of the attacking machine. NOTE: this information should be taken with a
grain of salt, as ident is very easy to spoof: the ident server answering
you is run by the scanning host itself. However, it can also be useful, so
I have left it as an option in the source. The current timeout for
determining if the remote machine supports ident is 3 seconds. You can
adjust this

Both the ident-full and ident-free versions of the executable are built
from one Makefile. Currently, it compiles out of the box on Solaris2.X,
SunOS4.1.X, Digital Unix 3.2*, Linux, HPUX, and probably others.

Copy the version of the source (with or without ident) and rename it
to klaxon. Put it in a directory where you put the rest of your custom
non-OS executables. It's best to have it local to the machine rather than
on an NFS mounted partition, since it is a daemon run out of inetd.

For each service on which you want to place a trap, you put klaxon in
place of the normal executable. Here are some examples
(they go in /etc/inetd.conf):

# Local testing counterintelligence
rexec   stream  tcp  nowait  root  /etc/local/klaxon  klaxon  rexec
link    stream  tcp  nowait  root  /etc/local/klaxon  klaxon  link
supdup  stream  tcp  nowait  root  /etc/local/klaxon  klaxon  supdup
tcpmux  stream  tcp  nowait  root  /etc/local/klaxon  klaxon  tcpmux
rje     stream  tcp  nowait  root  /etc/local/klaxon  klaxon  rje
tftp    dgram   udp  wait    root  /etc/local/klaxon  klaxon  tftp

Now you need to restart inetd. Do this by sending it a HUP signal.
ps -ax (SunOS4.X) or ps -ef (Solaris2.X) will tell you the process id
of inetd; kill -HUP <process_id> restarts inetd (it re-reads inetd.conf).

(replace "/etc/local" with the location where you put klaxon)

This works in place of any tcp or udp service, but it does NOT work
in place of RPC based services.

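The two pieces described above, the trap that inetd hands a connection to and the optional RFC931 lookup with its 3 second timeout, as an added example in Python. This is not klaxon's own code (klaxon is C, derived from rexec); the function names parse_ident_reply, ident_lookup, trap_report, serve_from_inetd and fake_ident_server are this example's own, the sample reply lines are constructed, and it assumes a Unix host with the syslog module (alerts must go to syslog, not stderr, because under inetd descriptors 0, 1 and 2 are all the remote connection). It handles the TCP (stream) case only.

```python
import socket
import sys
import syslog
import threading

IDENT_PORT = 113        # RFC 931 ident service on the remote host
IDENT_TIMEOUT = 3.0     # klaxon's default wait for an ident answer (adjustable)


def parse_ident_reply(reply, remote_port, local_port):
    """Parse one RFC 931 reply line and return the user-id, or None.

    Success looks like:  "6191 , 23 : USERID : UNIX : stjohns"
    Failure looks like:  "6191 , 23 : ERROR : NO-USER"
    The echoed port pair must match what we asked about, otherwise the
    answer is about some other connection and is ignored.
    """
    fields = [f.strip() for f in reply.strip().split(":", 3)]
    if len(fields) < 3:
        return None                       # not even "ports : type : value"
    ports = [p.strip() for p in fields[0].split(",")]
    if ports != [str(remote_port), str(local_port)]:
        return None                       # answer for a different connection
    if fields[1].upper() != "USERID" or len(fields) != 4:
        return None                       # ERROR reply, or malformed line
    return fields[3] or None


def ident_lookup(remote_ip, remote_port, local_port,
                 ident_port=IDENT_PORT, timeout=IDENT_TIMEOUT):
    """Ask the scanning host's ident server who owns its end of the connection.

    The request is "<port on their side> , <port on our side>\r\n". Any
    connect failure, refusal or silence past the timeout yields None.
    """
    try:
        with socket.create_connection((remote_ip, ident_port), timeout=timeout) as s:
            s.sendall(f"{remote_port} , {local_port}\r\n".encode("ascii"))
            reply = b""
            while b"\n" not in reply and len(reply) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                reply += chunk
    except OSError:                       # includes socket.timeout
        return None
    return parse_ident_reply(reply.decode("ascii", "replace"), remote_port, local_port)


def trap_report(service, peer, local_port, user=None):
    """Build the one-line alert for a hit on a trapped service."""
    who = f"{user}@{peer[0]}" if user else peer[0]
    return f"klaxon: {service} attempt from {who} port {peer[1]} to port {local_port}"


def serve_from_inetd(service, use_ident=False):
    """Entry point when inetd runs us: fd 0 is the accepted TCP connection."""
    conn = socket.fromfd(0, socket.AF_INET, socket.SOCK_STREAM)
    peer = conn.getpeername()             # (attacker ip, attacker port)
    local_port = conn.getsockname()[1]    # the trapped service's port
    user = ident_lookup(peer[0], peer[1], local_port) if use_ident else None
    syslog.syslog(syslog.LOG_AUTH | syslog.LOG_NOTICE,
                  trap_report(service, peer, local_port, user))
    conn.close()                          # answer nothing, just log and exit


def fake_ident_server(reply_line):
    """Test helper (constructed): one-shot ident server on a loopback port.

    Returns the port it listens on; the first client gets reply_line back.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        c, _ = srv.accept()
        c.recv(256)                       # consume the "port , port" request
        c.sendall(reply_line.encode("ascii"))
        c.close()
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # inetd passes the service name as argv[1]; add --ident to enable lookups
    serve_from_inetd(sys.argv[1] if len(sys.argv) > 1 else "unknown",
                     use_ident="--ident" in sys.argv)
```

Wired into inetd.conf the same way as the entries above (with the script's path in place of /etc/local/klaxon), each hit produces one syslog line naming the service, the source address and, when the remote ident server answered, the claimed user; the port check in parse_ident_reply is what keeps a chatty or hostile ident server from labelling the wrong connection.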
You can also build a static version by compiling with the appropriate
static flag (-Bstatic or -static depending on compiler) by linking
in mine.o (gcc -c mine.c, and then add it to the linking phase in

$(OS) = 4x or 5x on Sun machines.
Known to build correctly with gcc and Sun SparcWorks compilers

2) a) Copy klaxon.$(OS).ident to klaxon if you want ident support
   b) Copy klaxon.$(OS) to klaxon if you do not care about ident support
3) edit your inetd.conf as described above
4) test it out by telnetting to your machine on the tcpmux port
   (e.g. telnet localhost 1)

Wietse Venema - from whom I borrowed and modified the rfc931 support
NetBSD - from whom I borrowed the original rexec code.

email Doug.Hughes@eng.auburn.edu

LINUX users: line 104 must be changed to argv[0] instead of argv[1].