Active Counter Measures
Some administrators prefer a proactive approach to tracking down
intrusion attempts. Logs are a passive collection method. It is also
possible to set "traps" of a sort that try to determine where, and
possibly from whom, an attack is coming.
Some example traps are:
- Fake ports
- Write a small program that listens on several "unused" ports. If a
connection attempt is made to one of them, log the source address and
whatever the client sends; a backfinger (a finger of the connecting host)
or an rusers query can then be run against the machine that attempted
to open the port. Remember that the source address may be spoofed or may
belong to another compromised machine, and that probing it back is
visible to whoever is on the other end.
- Fake sendmail version
- By having sendmail announce an older version in its SMTP greeting
(in sendmail 8 this is the SmtpGreetingMessage option in sendmail.cf),
you may goad would-be attackers into trying an old sendmail exploit.
Such attempts, for example the ancient WIZ and DEBUG commands, are easily
logged and should trip an alarm.
- Fake guest account
- Create a guest account that places an attacker into a restricted
environment (a restricted shell or a chroot jail) in which you can gather
information about him and try to determine the motivation for the attack.
Make sure the restricted environment really is restricted: a guest login
that can reach the rest of the system is a way in, not a trap.
- And so on.
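The following is an added example of a fake-port trap of the kind described
above; it is not code from the original document. It listens on an otherwise
unused TCP port, greets the client with a hypothetical old sendmail banner
(the banner text is an assumption, not a real version string), records the
source address and the first command sent, and flags the old WIZ and DEBUG
commands as an alarm. It only logs; it does not finger or rusers the source
back, since that is a noisy action you would want to decide on yourself.

```python
"""Fake-port trap: log connection attempts and flag old sendmail exploit commands.

Added example, not from the original HOWTO.  The banner is a made-up
sendmail 5.x-style greeting used only to tempt an attacker into trying an
old exploit; the commands in SUSPICIOUS_COMMANDS are the historical WIZ and
DEBUG commands that only old sendmail versions accepted.
"""
import datetime
import socket
import threading

# Commands that only old, exploitable sendmail versions honoured.
SUSPICIOUS_COMMANDS = {"WIZ", "DEBUG"}

# Hypothetical old-looking greeting (assumption: not a real banner string).
BANNER = b"220 host.example.com Sendmail 5.51 ready\r\n"


def classify(line: bytes) -> str:
    """Return 'alarm' if the first word is a known old exploit command, else 'probe'."""
    cmd = line.strip().split(b" ", 1)[0].upper().decode("ascii", "replace")
    return "alarm" if cmd in SUSPICIOUS_COMMANDS else "probe"


def format_record(peer, line: bytes, verdict: str) -> str:
    """One log line: UTC timestamp, verdict, source address, raw data sent."""
    ts = datetime.datetime.now(datetime.timezone.utc).isoformat()
    return f"{ts} {verdict} src={peer[0]}:{peer[1]} data={line!r}"


def handle_client(conn, peer, records, lock):
    """Greet, read one command, record it, then send a rejection and close."""
    with conn:
        conn.settimeout(5.0)
        conn.sendall(BANNER)
        try:
            line = conn.recv(256)
        except socket.timeout:
            line = b""
        rec = format_record(peer, line, classify(line))
        with lock:                      # record is written before we reply
            records.append(rec)
        conn.sendall(b"500 Command unrecognized\r\n")


class FakePort:
    """TCP listener on an 'unused' port; port=0 lets the OS pick a free one."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.records = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        self.sock.settimeout(0.2)       # wake up periodically to check _stop
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle_client,
                             args=(conn, peer, self.records, self._lock),
                             daemon=True).start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def probe(port: int, payload: bytes) -> bytes:
    """Demo client: connect to the trap, read the banner, send payload, return banner."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        banner = c.recv(256)
        c.sendall(payload)
        c.recv(256)                     # wait for the reply so the record exists
    return banner


if __name__ == "__main__":
    trap = FakePort().start()
    print("trap listening on port", trap.port)
    probe(trap.port, b"WIZ\r\n")        # constructed attacker input
    probe(trap.port, b"HELO client\r\n")  # constructed benign input
    trap.stop()
    for r in trap.records:
        print(r)
```

In production you would bind such a listener on the real unused ports (which
needs root for ports below 1024), write the records to syslog rather than a
list, and have the alarm verdict page someone; the classification and logging
logic stays the same.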
