Re: finger-bombing

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Julian Assange: "Re: Internet worm source code"
• Previous message: Mark C. Henderson: "Re: finger-bombing"

> >daemon that would get the name of the guy that fingered the attacked host?
> yea it is called identd, I have modified my rlogin, telnet, ftpd & popper
> servers to do identd queries on all connections.  

Or you can just use the standard rlogind, telnetd &c. together with 
tcp_wrappers (I remember you need to build with the appropriate 
option in the makefile to force ident queries). 

There are important limitations.

ident aware daemons will only give you useful information if the host 
the person is fingering from is running identd and the host hasn't 
been compromised (once you have root, it is easy to replace identd 
with something that returns whatever username amuses you - a two line
perl script can replace identd very nicely and return what you want). 

I still think ident is useful for logging (in practice it really _is_ 
useful), but you can't depend on it working and you can't depend on 
the information it returns. 

Mark

-- 
Mark Henderson, SoftQuad Inc., 108-10070 King George Hwy, Surrey, B.C. V3T 2W4
Internet: mch@sqwest.bc.ca, markh@wimsey.bc.ca          Voice: +1 604 585 8394
Fax: +1 604 585 1926    RIPEM MD5OfPublicKey: F1F5F0C3984CBEAF3889ADAFA2437433
ViaCryptPGP Key fingerprint = C4 EC 2F 6C 1B ED F6 06  1D E9 08 E4 E5 F9 FA 16 

• Next message: Julian Assange: "Re: Internet worm source code"
• Previous message: Mark C. Henderson: "Re: finger-bombing"