There are a number of tapping and monitoring tools available now, and the hackers use them to devastating effect. We have kept these tools, and they have come in handy recently. But Berferd never got interested in our sacrificial host when we did set one up.
At first, I didn't have a spare machine handy, so I took the software route. This is not the easy way, and I don't recommend it.
I consulted the local Unix gurus about the security of a chroot environment. Their conclusion:
We constructed such a chroot "Jail" (or "roach motel") and rigged up logged connections to it through our firewall machine. Accounts berferd and guest were connected to the Jail through this arrangement.
Two logs were kept per session, one each for input and output. The logs were labeled with starting and ending times.
    # setupsucker login
    SUCKERROOT=/usr/spool/hacker
    login=`echo $CDEST | cut -f4 -d!`      # extract login from service name
    home=`egrep "^$login:" $SUCKERROOT/etc/passwd | cut -d: -f6`
    PATH=/v:/bsd43:/sv; export PATH
    HOME=$home; export HOME
    USER=$login; export USER
    SHELL=/v/sh; export SHELL
    unset CSOURCE CDEST                    # hide these Datakit strings
    # get the tty and pid to set up the fake utmp
    tty=`/bin/who | /bin/grep $login | /usr/bin/cut -c15-17 | /bin/tail -1`
    /usr/adm/uttools/telnetuseron /usr/spool/hacker/etc/utmp \
        $login $tty $$ 1>/dev/null 2>/dev/null
    # give the Jail user its own tty node, as a real login would
    chown $login /usr/spool/hacker/dev/tty$tty 1>/dev/null 2>/dev/null
    chmod 622 /usr/spool/hacker/dev/tty$tty 1>/dev/null 2>/dev/null
    # drop into the Jail and run the visitor's shell there
    /etc/chroot /usr/spool/hacker /v/su -c "$login" /v/sh -c "cd $HOME; exec /v/sh /etc/profile"
    # clear the fake utmp entry when the session ends
    /usr/adm/uttools/telnetuseroff /usr/spool/hacker/etc/utmp $tty \
        >/dev/null 2>/dev/null
The Jail was hard to set up. We had to get the access times in /dev right and update utmp for Jail users. Several raw disk files were too dangerous to leave around. We removed ps, who, w, netstat, and other revealing programs. The login shell script had to simulate login in several ways.
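The two chores described above, keeping separate input and output logs per session with start and end times, and sweeping the Jail for revealing programs and raw device nodes, can be scripted on the gateway side. The following is an added example written for this page, not the setupsucker script or any other code from the paper; the function names audit_jail and logged_session, the JAIL_PATH and REVEALING lists, and the log file layout are assumptions chosen for the example. It performs no chroot itself.

```shell
#!/bin/sh
# Added example (not from the paper): defender-side helpers for a sacrificial
# chroot "Jail". Names and file layout here are assumptions for illustration.
#
#   audit_jail ROOT                  prints one line per finding in ROOT
#   logged_session ID LOGDIR CMD...  runs CMD with separate input/output logs

# Programs named in the text as revealing too much about the real host.
REVEALING="ps who w netstat"
# Directories searched inside the Jail: the Jail's PATH from setupsucker plus
# the usual binary directories.
JAIL_PATH="/v:/bsd43:/sv:/bin:/usr/bin"

# Report revealing programs and raw device nodes (block or character devices
# other than ttys, null and zero) found under the Jail root.
# Always exits 0; the output, not the exit status, is the verdict.
audit_jail() {
    root=$1
    dirs=$(printf '%s' "$JAIL_PATH" | tr ':' ' ')
    for p in $REVEALING; do
        for d in $dirs; do
            if [ -e "$root$d/$p" ]; then
                echo "REVEALING $root$d/$p"
            fi
        done
    done
    if [ -d "$root/dev" ]; then
        for f in "$root"/dev/*; do
            [ -e "$f" ] || continue           # empty /dev leaves the literal '*'
            case "$(basename "$f")" in
                tty*|null|zero) continue ;;   # needed for a believable login
            esac
            if [ -b "$f" ] || [ -c "$f" ]; then
                echo "DEVICE $f"              # raw disk or memory access: remove it
            fi
        done
    fi
    return 0
}

# Run CMD with everything the visitor types appended to LOGDIR/ID.in and
# everything CMD prints appended to LOGDIR/ID.out. Both logs are bracketed by
# start and end timestamps, as the paper describes for Jail sessions.
logged_session() {
    id=$1; logdir=$2; shift 2
    inlog="$logdir/$id.in"; outlog="$logdir/$id.out"
    stamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    printf '### session %s start %s\n' "$id" "$stamp" | tee -a "$inlog" >> "$outlog"
    # tee on each side of the command keeps typed input and produced output apart;
    # the visitor still sees the output on stdout.
    tee -a "$inlog" | "$@" | tee -a "$outlog"
    stamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    printf '### session %s end %s\n' "$id" "$stamp" | tee -a "$inlog" >> "$outlog"
}
```

audit_jail is meant to be run after every change to the Jail tree, since a helpful administrator restoring "missing" tools is the usual way ps or netstat creep back in. logged_session works as written for piped, line-oriented sessions; for a real interactive login the command should be wrapped in a pseudo-terminal (for example with script(1)) so that the visitor's shell sees a tty, which is also what the fake utmp entry above is for.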
Diana D'Angelo set up a believable file system (this is very good system administration practice) and loaded a variety of silly and tempting files. Paul Glick got the utmp stuff working.
A little later Berferd discovered the Jail and rattled around in it. He looked for a number of programs that we later learned contained his favorite security holes. To us the Jail was not very convincing, but Berferd seemed to shrug it off as part of the strangeness of our gateway.