TUCoPS :: Unix :: General :: arswrap.txt

An automated response system under Unix using TCP Wrappers

-=-=-<< An automated response system under Unix using TCP Wrappers by Vortexia

Ok... here we go :) How to make a system respond to connection attempts
you, well... don't like so much *grin*. There are a couple of ways; I am
only going to cover the simplest one (with TCP Wrappers, which is a
standard program on Linux systems and can be installed on a BSD system
from /usr/ports/security/tcp_wrapper).

Ok... first a brief explanation of how a TCP wrapper works....

Someone connects to your box... inetd spawns tcpd (the TCP wrapper
daemon) instead of the real server. tcpd checks the connecting host
against your allow and deny lists (hosts.allow first, then hosts.deny,
first match wins) and logs the connection to syslog either way. IF it
likes that host it execs the program they are connecting to (the daemon
the connecting client wants) in its own place; if it doesn't, it either
just drops the client's connection, or it runs a shell command first and
then drops the client's connection :)

Ok... so now to the actual how-the-hell-to-implement-this section...

First of all, if you want to wrap something with tcpd you have to put it
in inetd.conf.

Two sample entries from a BSD system:

This is without TCP Wrappers:

telnet stream tcp nowait root /usr/libexec/telnetd /usr/libexec/telnetd

This is with TCP Wrappers:

telnet stream tcp nowait root /usr/local/libexec/tcpd /usr/libexec/telnetd

Ok... this is pretty damn self explanatory... the first is a standard
inetd.conf entry. I won't explain all the fields, they aren't important
at this stage, except that you will notice I inserted tcpd as the server
program in the second entry and moved the real daemon into the argument
field; tcpd uses that argument to find the daemon it should hand the
connection to. Following that example will let you wrap most things.....
(back up the original /etc/inetd.conf before you modify it in case you
stuff up, and send inetd a HUP signal afterwards so it rereads the file).

Ok... then you find out where hosts.allow and hosts.deny are on your
system (if it's Linux they are probably in /etc, if it's FreeBSD with the
port probably /usr/local/etc). Then you add some rules to them... Ok, we
want to deny all by default... so we put the following in hosts.deny for
each daemon:

telnetd: ALL
popper: ALL

etc etc. The first field has to be the NAME of the actual program you
are denying, i.e. the basename of what you put in inetd.conf: if telnetd
in inetd.conf is /usr/sbin/in.telnetd then put in.telnetd, if it's
/usr/libexec/telnetd put telnetd, etc etc etc. (A single line reading
ALL: ALL denies every wrapped daemon in one go, which is the usual
deny-by-default rule; a per-daemon list only covers the daemons you
remembered to name.)

Then we want to let something in for telnetd, so in hosts.allow we put
something like:

telnetd: 34.23.42.38 235.34.129.38

This will allow those 2 IPs in for telnetd. Alternatively you can use
wildcards: a pattern with a trailing dot such as 192.168.1. matches that
whole network, and one with a leading dot such as .example.com matches
every host in that domain. Remember hosts.allow is consulted before
hosts.deny, so a match here wins over the deny rules.
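As an added example (not part of the original article), here is a small shell model of the decision tcpd makes with these two files, run over constructed sample rules. It is not tcpd's own code; it only handles the common pattern forms (ALL, exact host or address, trailing-dot network prefix, leading-dot domain suffix) and ignores EXCEPT, @netgroups and user@host clients. What it shows is the order of evaluation, and why deny rules listed per daemon leave every other daemon wide open.

```shell
#!/bin/sh
# Added example (not part of the original article): a tiny model of how
# tcpd walks hosts.allow and hosts.deny. The real tools for this job are
# tcpdmatch(8) and tcpdchk(8), which ship with tcp_wrappers.

# Constructed sample files (assumed contents, built for this example).
HOSTS_ALLOW='telnetd: 34.23.42.38 235.34.129.38
popper: .example.org
sshd: 192.168.1.'
HOSTS_DENY='telnetd: ALL
popper: ALL'

# pattern_match PATTERN NAME ADDR -> 0 if the client matches PATTERN
pattern_match() {
    pat=$1 name=$2 addr=$3
    case $pat in
        ALL) return 0 ;;
        *.)  case $addr in "$pat"*) return 0 ;; esac ;;   # net prefix
        .*)  case $name in *"$pat") return 0 ;; esac ;;   # domain suffix
        *)   [ "$pat" = "$name" ] && return 0
             [ "$pat" = "$addr" ] && return 0 ;;
    esac
    return 1
}

# list_match LIST NAME ADDR -> 0 if any whitespace-separated pattern in
# LIST matches (a daemon list is matched the same way, with NAME=ADDR)
list_match() {
    list=$1; shift
    for p in $list; do
        pattern_match "$p" "$1" "$2" && return 0
    done
    return 1
}

# rules_match RULES DAEMON NAME ADDR -> 0 on the first line whose
# "daemon_list : client_list" both match. A third field (the spawn or
# shell command) is ignored here; tcpd would run it on that match.
rules_match() {
    printf '%s\n' "$1" | {
        while IFS= read -r line; do
            case $line in ''|'#'*) continue ;; esac
            dlist=${line%%:*}
            rest=${line#*:}
            clist=${rest%%:*}
            if list_match "$dlist" "$2" "$2" &&
               list_match "$clist" "$3" "$4"; then
                exit 0
            fi
        done
        exit 1
    }
}

# hosts_access DAEMON NAME ADDR -> prints "allow" or "deny" the way tcpd
# decides: hosts.allow is searched first, then hosts.deny, and a client
# that matches neither file is let in.
hosts_access() {
    if rules_match "$HOSTS_ALLOW" "$1" "$2" "$3"; then
        echo allow
    elif rules_match "$HOSTS_DENY" "$1" "$2" "$3"; then
        echo deny
    else
        echo allow
    fi
}

# A few constructed clients (not real hosts) run through the decision.
# Note the last one: fingerd is in neither file, so it is allowed.
for client in 'telnetd 34.23.42.38 34.23.42.38' \
              'telnetd evil.example.net 10.9.8.7' \
              'popper mail.example.org 192.0.2.5' \
              'popper 10.9.8.7 10.9.8.7' \
              'sshd 192.168.1.77 192.168.1.77' \
              'fingerd 10.9.8.7 10.9.8.7'; do
    set -- $client
    printf '%-8s from %-16s -> %s\n' "$1" "$3" "$(hosts_access "$1" "$2" "$3")"
done
```

The fingerd line is the trap: nothing denies it, so the "deny by default" above is only a deny-for-the-daemons-you-listed. Put ALL: ALL in hosts.deny and name what you want in hosts.allow. On the real files, `tcpdchk -v` lints them and `tcpdmatch telnetd 10.9.8.7` tells you what tcpd would do for a given daemon and client.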

Ok, now you've got basic wrappers working, allowing and disallowing
connections. Now you want auto response, so first of all I must say
this: now is a good time to learn how to read man pages :P

man 5 hosts_access will show you section 5 of the manual for
hosts_access; man 5 hosts_options covers the extended option language
(spawn and friends) used in what follows.

Ok... let's change our hosts.deny file slightly... we want auto response
on pop3, which uses a daemon with the filename popper... so we put in
something like this....

popper: ALL: spawn (/root/security/wrapper.script %h %s %c %h) &

This says: before dropping the denied connection, run the script
/root/security/wrapper.script with the parameters %h %s %c %h. The
trailing & matters: without it tcpd waits for the command to finish
before it drops the connection, and a port scan takes a while. The
command runs under /bin/sh with stdin, stdout and stderr connected to
/dev/null, so anything you want to see has to go to a file, syslog or
mail. The spawn keyword belongs to the extended option language from
hosts_options(5); if your tcpd was built without it, the third field is
simply the shell command itself, so leave out the word spawn.

Note, you can tell it to run ANYTHING here with ANY parameters (please
don't abuse *grin*, will explain HOW to abuse later).

Ok... the parameters... first let's cover what they do. There are more
expansions than the ones covered here; basic auto response only needs
the ones I have specified, and I will cover one other one as well.

%h is the client hostname, or the IP if tcpd can't find the hostname
%s is server information: daemon@host or daemon@address, or just the
   daemon name if that is all tcpd knows
%c is client information (the person who is connecting): user@host if
   identd is running, or just the hostname again.

A further useful one is %a, which doesn't return the host, it just
returns the client's IP address (and %d gives you just the daemon name).
Use %a rather than %h for anything your script acts on: the hostname
comes from the reverse DNS of the attacker's address, so they get a say
in what %h contains, while %a is the address the connection actually came
from. tcpd replaces shell metacharacters in the expansions with
underscores before handing the command to /bin/sh, but your script
should still quote "$1" and friends.

Ok... how to write the script that it passes all this to....

Let's look at a basic bash script...

Ok, we want this to portscan the host, finger the host, then email the
results to someone so they will be aware that someone is trying to
connect...

(remember: anything other than the first line of what's below that
starts with a # is a comment)

#!/bin/bash
# Called by tcpd as: wrapper.script %h %s %c %h
# $1 = %h (connecting host, or its IP if no reverse DNS), $2 = %s (daemon@server).
# tcpd does not run us in any useful directory, so use an absolute one.
cd /root/security || exit 1
nmap -oN "$1.$2.strobe.scan" "$1"
# nmap is our portscanner (old nmap spelt this "-o file", current nmap
# uses -oN). This runs a scan against $1 (the connecting host) and writes
# it to a file named after the connecting client and the daemon they
# tried to connect to.
safe_finger -l "@$1" >"$1.$2.finger.results"
# This fingers the host and writes the output to a file. safe_finger ships
# with tcp_wrappers; use it rather than plain finger, since the finger
# daemon on the other end belongs to the attacker and can answer with
# anything (endless output, terminal escapes).
echo "Strobe results for $1" >"$1.$2.mail.output"
cat "$1.$2.strobe.scan" >>"$1.$2.mail.output"
echo "Finger results for $1" >>"$1.$2.mail.output"
cat "$1.$2.finger.results" >>"$1.$2.mail.output"
mail -s "Security Violation Report" root <"$1.$2.mail.output"

(script ends here)

Ok... the last 5 lines are pretty simple really. The first of them
creates a file called $1.$2.mail.output ($1 and $2 being the information
specified by %h and %s) with a heading line in it. The second appends the
file $1.$2.strobe.scan to the mail file. The third appends a line that
says "Finger results for $1". The fourth appends the finger results to
the mail file, and the fifth mails the entire file to the local root
account with the subject "Security Violation Report".

Simple huh? :)
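As an added example (not the script from this article), here is the same response idea written with the guards a practitioner would want before letting tcpd run it unattended: it takes %a and %d rather than %h and %s, refuses to act on anything that is not a plain IPv4 address, rate-limits per source so a flood of connections does not become a flood of scans and mail to root, logs to syslog, and backgrounds cleanly because it does no work before the checks. The state directory, the 10-minute window, the syslog tag, the use of safe_finger from the tcp_wrappers distribution and the hosts.deny line in the header are all assumptions; the command variables exist so the script can be dry-run with fake tools.

```shell
#!/bin/sh
# Added example, not the article's script: a response script meant to be
# called from hosts.deny as
#     popper: ALL: spawn (/root/security/respond.sh %a %d) &
# It only logs, scans and mails; it never attacks. Paths, window, tag and
# tool names below are assumptions and can be overridden from the
# environment.
STATE_DIR=${STATE_DIR:-/var/tmp/tcpd-response}
WINDOW=${WINDOW:-600}                  # seconds between reports per source
SCANNER=${SCANNER:-nmap}               # prints its report on stdout
FINGER=${FINGER:-safe_finger -l}       # finger client hardened for this job
MAILER=${MAILER:-mail}                 # called as: $MAILER -s subject root
LOGGER=${LOGGER:-logger -t tcpd-response}

# valid_ipv4 STRING -> 0 only for a dotted quad with four octets 0..255.
# Anything else (a hostname, a stray shell character) is rejected outright.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    n=0
    oldifs=$IFS; IFS=.
    for octet in $1; do
        n=$((n + 1))
        if [ "${#octet}" -gt 3 ] || [ "$octet" -gt 255 ]; then
            IFS=$oldifs; return 1
        fi
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# rate_limited ADDR -> 0 if ADDR was already reported within WINDOW seconds;
# otherwise writes a fresh stamp for it and returns 1.
rate_limited() {
    stamp="$STATE_DIR/$1.stamp"
    now=$(date +%s)
    if [ -f "$stamp" ] && [ $((now - $(cat "$stamp"))) -lt "$WINDOW" ]; then
        return 0
    fi
    printf '%s\n' "$now" >"$stamp"
    return 1
}

# build_report ADDR DAEMON -> writes the scan and finger output to a report
# file under STATE_DIR and prints that file's path.
build_report() {
    out="$STATE_DIR/$1.$2.report"
    {
        echo "Denied connection to $2 from $1 at $(date)"
        echo "Scan results for $1"
        $SCANNER "$1" || echo "(scanner failed)"
        echo "Finger results for $1"
        $FINGER "@$1" || echo "(finger failed)"
    } >"$out" 2>&1
    echo "$out"
}

# respond ADDR DAEMON -> 0 if a report was mailed, 2 if ADDR was not an
# address, 3 if ADDR was reported recently.
respond() {
    mkdir -p "$STATE_DIR"
    if ! valid_ipv4 "$1"; then
        $LOGGER -p auth.warning "refusing to act on non-address '$1' ($2)"
        return 2
    fi
    $LOGGER -p auth.notice "denied $2 from $1"
    if rate_limited "$1"; then
        return 3
    fi
    report=$(build_report "$1" "$2")
    $MAILER -s "Security Violation Report: $2 from $1" root <"$report"
}

# tcpd calls us with two arguments; with none (e.g. sourced for a dry
# run) do nothing.
case $# in 2) respond "$1" "$2" ;; esac
```

To dry-run it without touching the network, set SCANNER and FINGER to echo, MAILER and LOGGER to :, and STATE_DIR to a scratch directory, then call respond with an address and a daemon name twice: the second call returns 3 because of the stamp file, and a hostname instead of an address returns 2 without running anything.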

Ok... now to auto respond *evil grin*. Say you felt REALLY nasty and
wanted to smurf or nestea everyone connecting to your box... just
replace the nmap line or one of the other lines with your favourite
attack proggy :)

For example:

smurf $1 bcast.file -S 128 -n 2000

will happily smurf $1 with 2000 128k packets (don't try this on a modem
link or anything with less bandwidth than dual channel ISDN, it's just an
example *grin*). Bear in mind that the address tcpd hands your script is
only the last hop the attacker came through: anyone who connects to you
from a compromised box (or from a host whose reverse DNS they control, if
you used %h) has just picked the target of your counter-attack for you.
That is why the sensible thing to put in a spawn rule is logging and
alerting, like the mail script above, and why the classic example in the
hosts_access man page does nothing more aggressive than a safe_finger
back at the client.

Anyway :) that's how you do it.

If this article is confusing or you want more info on how to do even
more fun things with tcpd or want explanations, I hang out on #zahack on
EFnet and I'm always willing to help anyone out with what I know.

Cheers
Vortexia (vortexia@one.se)
