
Thwart a local sniffer

Tim Ryan
Advisor

Thwart a local sniffer

Hi everyone!

I've got a security team here trying to break into a few of my systems. Unfortunately, I don't have ssh or something similar loaded on these systems (yet). I know it's just a matter of time until they catch one of the several hundred usernames and passwords that fly across my network. My question is: Is there a way that I can identify the IP address of the sniffer and send it information to confuse it?

Even with secure passwords, I don't know how to hide from a packet sniffer unless I have ssh. Any ideas?

-Tim
Roger Baptiste
Honored Contributor

Re: Thwart a local sniffer


Yeah, Secure Shell seems the only way out to thwart sniffing, basically because it encrypts the data sent on the network.

Would like to hear what the experts have to say.

-raj
Take it easy.
Santosh Nair_1
Honored Contributor

Re: Thwart a local sniffer

While there are ways to detect port scanners, since sniffers work on the network and not on a particular host, I don't believe there is any way to detect a sniffer. The best policy is to secure everything being sent over the wires by using things such as SSL, ssh and stunnel. Hope this helps.

-Santosh
Life is what's happening while you're busy making other plans
Marco Paganini
Respected Contributor
Solution

Re: Thwart a local sniffer

Hello,

Yes, if security is a concern to you, you should never rely on protocols that pass the passwords in the clear (telnet, ftp, etc). However, you seem to have an urgent situation at hand.

If you want to confuse the password sniffer, I'd suggest writing a smallish perl program that sends bogus 'login: xxxxxx' and 'password: xxxxxx' attempts over the net. This will fill the sniffer's buffer with invalid info.

It may not solve the problem, but at least it will be fun to watch the confused people trying to find out the real password amidst 10,000 fake ones. :)

Regards,
Paga
Keeping alive, until I die.
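The "credential chaff" idea from the reply above, written out as an added example (Python rather than Perl, and not Paga's own script). It assumes a decoy listener on the same segment that plays the telnet `login:` / `Password:` prompts and always answers `Login incorrect`; here the decoy runs in-process on the loopback interface so the whole thing can be tried on one box. Telnet option negotiation is left out for brevity, and the usernames and passwords are random strings, not real accounts.

```python
"""Credential chaff: flood the wire with bogus telnet-style logins so that a
passive sniffer's capture fills up with invalid username/password pairs.

Added example, not from the thread. Assumes a decoy listener that mimics the
telnet login prompts; here it runs in-process on loopback (assumption), on a
real segment it would be a spare host or the real telnet port.
"""
import random
import socket
import string
import threading

ALPHABET = string.ascii_letters + string.digits


def make_fake_credentials(seed, count, length=8):
    """Return `count` (username, password) pairs from a seeded RNG (reproducible)."""
    rng = random.Random(seed)
    return [
        ("".join(rng.choice(ALPHABET) for _ in range(length)),
         "".join(rng.choice(ALPHABET) for _ in range(length)))
        for _ in range(count)
    ]


def _read_until(sock, marker):
    """Read from sock until `marker` has been seen; return everything read."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(256)
        if not chunk:
            raise ConnectionError("peer closed before %r" % marker)
        buf += chunk
    return buf


def client_exchange(sock, username, password):
    """Play one login against the prompts on an open socket; return the verdict line."""
    _read_until(sock, b"login: ")
    sock.sendall(username.encode() + b"\r\n")
    _read_until(sock, b"Password: ")
    sock.sendall(password.encode() + b"\r\n")
    return _read_until(sock, b"\r\n").strip()


def decoy_server(listener, sessions):
    """Serve `sessions` connections that look like a telnet login and always fail."""
    for _ in range(sessions):
        conn, _ = listener.accept()
        with conn:
            conn.sendall(b"login: ")
            _read_until(conn, b"\r\n")          # bogus username goes over the wire
            conn.sendall(b"Password: ")
            _read_until(conn, b"\r\n")          # bogus password goes over the wire
            conn.sendall(b"Login incorrect\r\n")


def run_chaff(count, seed=0, host="127.0.0.1"):
    """Start an in-process decoy, replay `count` bogus logins against it and
    return how many were answered with 'Login incorrect'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))                    # ephemeral port, so it runs anywhere
    listener.listen(8)
    listener.settimeout(10)
    port = listener.getsockname()[1]
    server = threading.Thread(target=decoy_server, args=(listener, count), daemon=True)
    server.start()

    rejected = 0
    for user, password in make_fake_credentials(seed, count):
        with socket.create_connection((host, port), timeout=5) as s:
            if client_exchange(s, user, password) == b"Login incorrect":
                rejected += 1
    server.join(10)
    listener.close()
    return rejected


if __name__ == "__main__":
    n = 20
    print("%d of %d chaff logins answered 'Login incorrect'" % (run_chaff(n, seed=1), n))
```

Two caveats for anyone who actually tries this: a sniffer that also records the server's reply can simply discard every exchange followed by `Login incorrect`, so the chaff only helps against a capture that keeps the client side alone; and the real passwords still cross the wire in the clear, so this buys time, not safety.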
harry d brown jr
Honored Contributor

Re: Thwart a local sniffer

You need to look into this, it describes how to "SECURE" your server!

http://people.hp.se/stevesk/bastion.html

live free or die
harry
Live Free or Die
Craig Rants
Honored Contributor

Re: Thwart a local sniffer

Tim,
I don't know that a sniffer can be "confused" by sending it information. A sniffer really just collects packets sent over the network. As far as detecting a sniffer, it depends on how the sniffer is configured to act, basically if it does not send out broadcast packets, you won't know it is there. Sure you could do some complex line tests and check latency and all that, but in reality he is just a silent observer.

I don't think you should have anything to fear about a security audit, look at it as an opportunity. Once the results come out, you should be able to use them as justification for making changes to your systems. Believe me, if you start making changes like having users use ssh over telnet, you will get all kinds of complaining.

I'll stop rambling now.

Good Luck,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Paula J Frazer-Campbell
Honored Contributor

Re: Thwart a local sniffer

Hi Tim

The fun is to beat them at their own game.

Yes, they will eventually get a login and password.

So:-

If your users have a fixed IP address, then write a small script to check that a user's login is coming from their normal IP address.

By process of elimination: IP address list, where they are on your network; even have a look at their system when they go home at night.

But a good sniffer will not have an IP address, and the TTL index in the IP packet will not be decremented as it passes through, so it is very difficult to trace and deal with.

In the event of the sniffer having an IP address then just blast it with big packet pings.

Have fun

Paula

If you can spell SysAdmin then you is one - anon
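The login-source check suggested above, as an added example rather than Paula's own script. It assumes the input is `last -i` output (user, tty, source address, then the timestamps) and that each user's normal address or subnet is known up front; the allow-list and the `last` lines below are constructed for the example.

```python
"""Flag logins whose source address is not the one a user normally logs in from.

Added example, not from the thread. Assumes `last -i` style input (third column
is the source IP) and a hand-maintained allow-list per user; both are
constructed here.
"""
import ipaddress

# Constructed allow-list: the address or network each user normally comes from.
EXPECTED_SOURCES = {
    "tim":   ["10.1.4.22"],
    "paula": ["10.1.4.0/24"],
    "root":  ["127.0.0.1"],
}

# Constructed sample of `last -i` output.
SAMPLE_LAST_OUTPUT = """\
tim      pts/2        10.1.4.22        Mon Mar  4 09:12   still logged in
paula    pts/3        10.1.4.77        Mon Mar  4 09:30 - 11:02  (01:32)
tim      pts/4        10.1.9.200       Mon Mar  4 10:05 - 10:06  (00:01)
root     pts/5        10.1.9.200       Mon Mar  4 10:07 - 10:09  (00:02)
reboot   system boot  0.0.0.0          Sun Mar  3 07:00

wtmp begins Sun Mar  3 07:00:00 2002
"""


def parse_last(text):
    """Yield (user, source_ip) for each session line; skip pseudo-users and the trailer."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] in ("reboot", "shutdown", "wtmp"):
            continue
        try:
            yield parts[0], ipaddress.ip_address(parts[2])
        except ValueError:
            continue  # third column is not an address (e.g. a hostname); ignore


def unexpected_logins(text, expected=EXPECTED_SOURCES):
    """Return [(user, ip)] for every session whose source is outside the user's
    allow-list. A user with no entry at all is reported too: an account nobody
    expected to see logging in is exactly what a stolen password looks like."""
    hits = []
    for user, ip in parse_last(text):
        allowed = [ipaddress.ip_network(n, strict=False) for n in expected.get(user, [])]
        if not any(ip in net for net in allowed):
            hits.append((user, str(ip)))
    return hits


if __name__ == "__main__":
    for user, ip in unexpected_logins(SAMPLE_LAST_OUTPUT):
        print("suspicious login: %s from %s" % (user, ip))
```

Run it against `last -i` piped in from each box (or from a copy of wtmp taken to another machine) and the addresses that show up for `tim` and `root` here, 10.1.9.200, are where you start the process of elimination. The check only catches reuse of a captured password from a different address; a login from the user's own desk still looks normal.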