> >daemon that would get the name of the guy that fingered the attacked host? > yea it is called identd, I have modified my rlogin, telnet, ftpd & popper > servers to do identd queries on all connections. Or you can just use the standard rlogind, telnetd &c. together with tcp_wrappers (I remember you need to build with the appropriate option in the makefile to force ident queries). There are important limitations. ident aware daemons will only give you useful information if the host the person is fingering from is running identd and the host hasn't been compromised (once you have root, it is easy to replace identd with something that returns whatever username amuses you - a two line perl script can replace identd very nicely and return what you want). I still think ident is useful for logging (in practice it really _is_ useful), but you can't depend on it working and you can't depend on the information it returns. Mark -- Mark Henderson, SoftQuad Inc., 108-10070 King George Hwy, Surrey, B.C. V3T 2W4 Internet: mch@sqwest.bc.ca, markh@wimsey.bc.ca Voice: +1 604 585 8394 Fax: +1 604 585 1926 RIPEM MD5OfPublicKey: F1F5F0C3984CBEAF3889ADAFA2437433 ViaCryptPGP Key fingerprint = C4 EC 2F 6C 1B ED F6 06 1D E9 08 E4 E5 F9 FA 16