Charles,

I like the exploding dye idea myself; it removes all doubt as to the culprit!

-----Original Message-----
From: Cthulu, CCIE Candidate [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 19, 2000 8:42 AM
To: '[EMAIL PROTECTED]'; Cthulu, CCIE Candidate;
[EMAIL PROTECTED]
Subject: RE: Help me catch a Hacker


Tom,

I know about the powercycle thing:  that is why I suggest hot glue "seals"
on the powercords and the power switch:  you can peel it off, but it will be
very obvious that a "power failure" did not happen.  (Y'all can stop
laffing!)  I got the idea from the olden days when those old guys would melt
wax on an envelope, and stamp it with their seal.  If the messenger opened it
during delivery, it was obvious.

The hot glue would not damage any components, and can be easily removed.  I
thought it was better than attaching one of those exploding dye canisters
that the banks use...

Just a thought...

Charles



-----Original Message-----
From: Tom Thomas [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 19, 2000 2:10 PM
To: Cthulu, CCIE Candidate; [EMAIL PROTECTED]
Subject: RE: Help me catch a Hacker


I don't think you folks understand the concept of using the config-register
to bypass the router's config at startup (commonly used for password
recovery) when you have physical access to the router's power switch. The
presence of a UPS is irrelevant since by a simple power cycle and break key
you can get to enable mode then copy the startup config into the running
config and modify anything you like. So all these ideas of ACLs, TACACS,
RADIUS, Passwords on the console are completely and utterly useless. If I so
wanted I could delete any of them once I am in via the console port or have
my own config that I paste in that activates routing so I can poke around
the network.

Please send me a URL for the $100 uninterruptible power supply, thanks.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Cthulu, CCIE Candidate
Sent: Monday, June 19, 2000 1:31 AM
To: [EMAIL PROTECTED]
Subject: re: Help me catch a Hacker


Nabil,

I did not bother to backtrack your message, and I am giving you the
benefit of the doubt;  however, your message has a distinct smell of
salmon about it.   Either that, or my paranoid sense is tingling
(apologies to Spider Man).

First:  Get an UPS!

Preferably one that you can lock.  Take some hot glue, and glue the
power cord into the router, and into the UPS (do so in such a way you
can tell if the power cord was removed).  Put a security tape (like the
"do not cross this line" tape used by the cops) over the power switch on
the router and on the UPS.

(I find it hard to believe that you would have a multi-kilo dollar
router that is not on at least a 100 buck UPS).

That will help detect him/her at the physical layer.


I assume she/he gets in through the console port.  Secure it, and
require a password only you know.

Put a modem on the AUX for yourself for OOB management.

Implement a TACACS/RADIUS, and assign this person a username/password.
Track the hell out of it:  there are more ways to do this than to choke
a cat.

ACL! ACL! ACL!  Use them!  If this person is telnetting, lock down your
telnet sessions.

And, of course, you have SNMP!    I assume that you have some type of
monitoring software?  If so, monitor the router:  whenever it goes down,
you should be paged immediately, and have a phone in that room with the
router so that you can call this person and tell them to get out of
there NOW.  You should have a second number to their boss, and tell him
about this person.  Then you should have a third number to the boss of
the boss.


Good luck catching your "hacker".


Skeptical Charles




-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Posted At: Friday, June 16, 2000 6:05 PM
Posted To: cisco
Conversation: Help me catch a Hacker
Subject: Help me catch a Hacker


Greetings,

I've a 7000 router in a remote location and it seems
the local admin is hacking in by using the power outage
excuse.  He changes the password by rebooting the
router and peeks around.  I'm trying to catch him in
the act or log his activities,  any ideas?????

Thanks,

Nabil

___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
---
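An added example, not written by anyone in this thread: a check a monitoring job could run over collected `show version` output to tell a plain power loss from a boot that skipped the startup config, which is the config-register bypass Tom describes. The sample outputs are constructed and the function name `audit_show_version` is hypothetical; the matched lines follow the usual IOS `show version` wording.

```python
import re

IGNORE_NVRAM = 0x0040  # config-register bit 6: boot without loading startup-config

REG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")
RESTART_RE = re.compile(r"System returned to ROM by (\S+)")

# Constructed samples (not captured from a real router).
SAMPLE_NORMAL = """Router uptime is 41 weeks, 2 days
System returned to ROM by reload
Configuration register is 0x2102
"""
SAMPLE_OUTAGE = """Router uptime is 3 hours, 10 minutes
System returned to ROM by power-on
Configuration register is 0x2102
"""
SAMPLE_RECOVERY = """Router uptime is 12 minutes
System returned to ROM by power-on
Configuration register is 0x2142 (will be 0x2102 at next reload)
"""

def audit_show_version(text):
    """Return a list of findings for one router's `show version` output."""
    reg = REG_RE.search(text)
    if reg is None:
        return ["no configuration register line found"]
    findings = []
    current, pending = reg.group(1), reg.group(2)
    if int(current, 16) & IGNORE_NVRAM:
        findings.append("booted with startup-config ignored (%s)" % current)
    if pending and int(pending, 16) != int(current, 16):
        # Someone changed the register after this boot, e.g. to put it back.
        findings.append("register changed since boot (%s -> %s)" % (current, pending))
    restart = RESTART_RE.search(text)
    if restart and restart.group(1) == "power-on":
        findings.append("last restart was a power cycle")
    return findings

if __name__ == "__main__":
    for name, sample in [("normal", SAMPLE_NORMAL), ("outage", SAMPLE_OUTAGE),
                         ("recovery", SAMPLE_RECOVERY)]:
        print(name, audit_show_version(sample))
```

A power cycle on its own matches the "power outage" story; the register findings are what separate it from a console password recovery, and they only survive until the next reload, so the output has to be collected soon after the router comes back.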