Installing BrerFox
==================

0. Install tcp_wrappers (tcpd), if it isn't already (it's commonly already
   installed on Linux). Read the man pages for tcpd and for hosts_access(5),
   especially the bit about booby traps.

1. Copy the BrerFox script to somewhere like /usr/local/adm or /root/adm.

2. You do not have to run BrerFox as root, and probably should not. I have
   found it useful to create a new user 'brerfox' for running this script
   without root privileges. In what follows, if you have not created that
   account, use 'root' rather than 'brerfox' whenever you name the user
   running the script.

3. Make sure you understand your /etc/syslog.conf file and where auth.*
   messages are being sent. The sample syslog.conf file is an example which
   sends them to a separate file (it's easier to monitor that way) and to
   the console (also easier to monitor if you watch your console or have a
   console window).

4. Copy or construct rules like those in the sample hosts.deny file in your
   own /etc/hosts.deny file for each of the services you wish to booby-trap.
   For each service you wish to booby-trap do the following:

   a. Make sure the service is in /etc/services. If not, add it.

   b. Add a line like the following to /etc/inetd.conf:

        tcpmux stream tcp nowait brerfox /usr/local/etc/tcpd /bogus/tcpmux

      Be sure that there isn't a real /bogus/tcpmux program (in fact it's
      best not to have a /bogus directory at all). Change 'brerfox' to
      'root' if you have not created the brerfox account.

   c. Add an entry to /etc/hosts.deny for this service which spawns BrerFox
      with the priority and action flags you want. For example:

        tcpmux: ALL: spawn ( /usr/local/adm/BrerFox -wFD %d %a %h %u %p denied ) &

      This will log any connections to tcpmux (port 1) at priority
      (severity) auth.warning, perform a reverse finger of the probing
      host, and add an entry for the probing host to the /etc/hosts.deny
      file.
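Because a hosts.deny rule keys on the basename of the program field in /etc/inetd.conf rather than on the service name, it is easy to write a trap rule that never fires. The following is an added shell script, not part of BrerFox or of this document, that lists the /bogus/ trap lines in an inetd.conf file, warns if a trap program actually exists on disk, and looks for a hosts.deny rule keyed on each program's basename. The two config files are constructed samples; the tcpd, /bogus/ and BrerFox paths follow the steps above.

```shell
#!/bin/sh
# Cross-check booby-trap entries in an inetd.conf file against hosts.deny.
# Constructed sample files; the real ones are /etc/inetd.conf and /etc/hosts.deny.
TMPD=$(mktemp -d)
cat > "$TMPD/inetd.conf" <<'EOF'
# service socket proto wait   user    server               args
tcpmux  stream tcp   nowait brerfox /usr/local/etc/tcpd  /bogus/tcpmux
pop3    stream tcp   nowait brerfox /usr/local/etc/tcpd  /bogus/popper
telnet  stream tcp   nowait root    /usr/local/etc/tcpd  /usr/sbin/in.telnetd
EOF
cat > "$TMPD/hosts.deny" <<'EOF'
tcpmux: ALL: spawn ( /usr/local/adm/BrerFox -wFD %d %a %h %u %p denied ) &
pop3: ALL: spawn ( /usr/local/adm/BrerFox -wFD %d %a %h %u %p denied ) &
EOF

# Print the program path of every tcpd-wrapped line whose program lives
# under /bogus/ (i.e. every trap), one per line. Comment lines are skipped.
trap_programs() {
    awk '$0 !~ /^#/ && $6 ~ /tcpd$/ && index($7, "/bogus/") == 1 { print $7 }' "$1"
}

# Succeed if some rule's daemon list (the text before the first colon) names $2.
has_rule() {
    awk -F: -v d="$2" '$0 !~ /^#/ { n = split($1, l, /[ ,]+/)
        for (i = 1; i <= n; i++) if (l[i] == d) found = 1 }
        END { exit !found }' "$1"
}

# Report each trap; return the number of traps that have no hosts.deny rule.
check_traps() {
    missing=0
    for prog in $(trap_programs "$1"); do
        name=${prog##*/}
        if [ -e "$prog" ]; then
            echo "WARNING $name: $prog exists on disk; a trap program must not"
        fi
        if has_rule "$2" "$name"; then
            echo "ok      $name"
        else
            echo "MISSING $name: no hosts.deny rule (service name used instead?)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# The sample hosts.deny keys the second rule on the service 'pop3' instead
# of the program 'popper', so this reports one missing rule.
check_traps "$TMPD/inetd.conf" "$TMPD/hosts.deny" || echo "$? trap(s) without a rule"
```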
Note: the first token in the line in /etc/inetd.conf is the name of the
service as listed in /etc/services, but the name listed in /etc/hosts.deny
is the name of the *program* to run for that service, taken from the *last*
token in the line. An example makes this clearer. Suppose the service is
'pop3' but it runs the program 'popper'. Then the appropriate lines in each
file are:

/etc/services:

    pop3        110/tcp    pop-3        # Post Office Protocol - Version 3

/etc/inetd.conf:

    pop3 stream tcp nowait brerfox /usr/local/etc/tcpd /bogus/popper

/etc/hosts.deny:

    popper : ALL : severity daemon.debug : rfc931 \
        : spawn ( /usr/local/adm/BrerFox -wFD %d %a %h %u %p denied ) &\
        : twist /bin/cat /etc/issue

The reason for changing the severity to daemon.debug is that I don't log at
that severity, so the messages from tcpd are not logged, while those from
BrerFox are. If you leave this out you will get syslog messages from both,
which is somewhat redundant but not a problem. This is also an example of
using twist to output a warning or banner to the attacker, but that is not
required. Be sure /etc/issue says what you want it to.

Hints:
======

If you want to use the -D option to add attacking hosts to the
/etc/hosts.deny file then make sure that /etc/hosts.deny is writeable by
`brerfox` (e.g. make it the same group and make it group writeable).

If you don't have perl installed in the place listed in the first line of
the BrerFox script then edit that first line to point to your perl
interpreter. On Linux I just make a link from /usr/local/bin/perl to
/usr/bin/perl.

Eric Myers                                High Energy Theoretical Physics
Tel: 734-763-4325                         Department of Physics
Fax: 734-763-2213                         University of Michigan, Ann Arbor
http://feynman.physics.lsa.umich.edu/~myers
---
PGP Fingerprint: BA 39 1D 46 5E C3 0D 59 C2 AC 6F CB F9 20 4D C8
PGP Key: http://feynman.physics.lsa.umich.edu/~myers/pgpkey.html