Here's a modification of rexec source that I call klaxon. It is
extremely useful for detecting portscanner attacks like those perpetrated
by ISS and SATAN, among others. It also has optional IDENT (RFC931)
support for finding out the remote user (where applicable).
IF YOU ENABLE IDENT SUPPORT, DO NOT PUT KLAXON ON THE IDENT PORT OR YOU
WILL THRASH YOUR MACHINE IN A NETWORK LOOP AS KLAXON CONTACTS KLAXON 
AD INFINITUM.

Ident is a protocol sometimes also called TAP which is based on RFC931.
If the machine that the scan attempt comes from supports this protocol
(usually run out of inetd) you will get a username as well as the hostname
of the attacking machine. NOTE: This information should be taken with a
grain of salt as ident can be very easy to spoof. However, it can also be
useful, so I have left it as an option in the source. The current timeout
for determining if the remote machine supports ident is 3 seconds. You can
adjust this in the Makefile.
Both ident-full and ident-free versions of the executable are built from
one Makefile. Currently, it compiles out of the box on Solaris2.X,
SunOS4.1.X, Digital Unix 3.2*, Linux, HPUX, AIX, and probably others.
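As an added illustration (this is not klaxon's own code, which is C), here is the ident exchange described above in Python: the request names the remote side's port first and ours second, the reply is parsed defensively because its content is supplied by the probing host, the lookup gives up after the README's 3 second timeout, and a lookup is refused for a trap on the ident port itself, which is exactly the klaxon-contacts-klaxon loop the warning at the top describes. The hostnames and port numbers in the test are invented.

```python
# Added example, not klaxon's own code: a minimal RFC 1413 ("ident"/TAP) client
# of the kind klaxon can optionally use to label a trapped connection with a
# remote user name. Nothing here is spoof-proof; the result is a hint, not proof.
import socket

IDENT_PORT = 113        # the auth/ident service port; never put a klaxon trap here
IDENT_TIMEOUT = 3.0     # seconds, the README's default


def build_ident_request(remote_port, local_port):
    """Request line: the port on the remote (ident server) side first, then ours."""
    return f"{remote_port} , {local_port}\r\n"


def parse_ident_reply(line, remote_port, local_port):
    """Return (userid, opsys) for a USERID reply that echoes our port pair.

    Returns None for ERROR replies, a mismatched port pair, or malformed input.
    """
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) < 4 or parts[1].upper() != "USERID":
        return None
    # The reply must echo the pair we asked about, otherwise it is not our answer.
    if parts[0].replace(" ", "") != f"{remote_port},{local_port}":
        return None
    opsys, userid = parts[2], parts[3]
    # The userid is text chosen by the probing host: keep it printable and bounded
    # so it cannot smuggle control characters or huge strings into syslog.
    userid = "".join(ch for ch in userid if 32 <= ord(ch) < 127)[:64]
    if not userid:
        return None
    return userid, opsys


def lookup_remote_user(peer_addr, peer_port, local_port, timeout=IDENT_TIMEOUT):
    """Ask the peer's ident server who owns the connection; None means unknown."""
    if local_port == IDENT_PORT:
        # A trap on port 113 answering with its own ident query would make the two
        # klaxons call each other forever (the loop the README warns about).
        raise ValueError("refusing ident lookup for a trap on the ident port")
    try:
        with socket.create_connection((peer_addr, IDENT_PORT), timeout=timeout) as s:
            s.sendall(build_ident_request(peer_port, local_port).encode("ascii"))
            reply = s.recv(1024).decode("ascii", "replace")
    except OSError:            # refused, unreachable, or timed out after 3 s
        return None
    parsed = parse_ident_reply(reply, peer_port, local_port)
    return parsed[0] if parsed else None


if __name__ == "__main__":
    # Offline demonstration of the parsing path using a constructed reply.
    print(parse_ident_reply("42657 , 1 : USERID : UNIX : alice\r\n", 42657, 1))
```

The lookup is deliberately best-effort: any socket error, including the 3 second timeout, yields "unknown" rather than delaying inetd's child any further, and the returned name should be logged as untrusted data.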

Copy the version of the source (with or without ident) and rename it
to klaxon. Put it in a directory where you put the rest of your custom
non-OS executables. It's best to have it local to the machine rather than
on an NFS mounted partition, since it is a daemon run out of inetd.

For each service on which you want to place a trap, put klaxon in
place of the normal executable in /etc/inetd.conf. Here are some examples:

#
# Local testing counterintelligence
#
rexec   stream  tcp     nowait  root    /etc/local/klaxon klaxon rexec
link    stream  tcp     nowait  root    /etc/local/klaxon klaxon link
supdup  stream  tcp     nowait  root    /etc/local/klaxon klaxon supdup
tcpmux  stream  tcp     nowait  root    /etc/local/klaxon klaxon tcpmux
rje     stream  tcp     nowait  root    /etc/local/klaxon klaxon rje
tftp    dgram   udp     wait    root    /etc/local/klaxon klaxon tftp


Now, you need to restart inetd. Do this by sending it a HUP signal.
ps -ax (SunOS4.X) or ps -ef (Solaris2.X) will tell you the process id
of inetd.  kill -HUP <process_id> to restart inetd.

(replace "/etc/local" with the location where you put klaxon)

BUILDING:  (example for SunOS)
	$(OS) = 4x or 5x on Sun machines.
	(You can look at the Makefile and modify the FLAGS for your machine
	 if it won't build just by typing make)

	Known to build correctly with gcc and Sun SparcWorks compilers

	1) Type make
	2)  a) Copy klaxon.$(OS).ident to klaxon if you want ident support
	    b) Copy klaxon.$(OS) to klaxon if you do not care about ident support
	3) edit your inetd.conf as described above
	4) test it out by telneting to your machine on the tcpmux port.
	   (e.g. telnet localhost 1)

NOTES: 
	This works in place of any tcp or udp service, but it does NOT work
	in place of RPC based services.

	You can also build a static version by compiling with the appropriate
	static flag (-Bstatic or -static depending on compiler) and linking
	in mine.o (gcc -c mine.c, and then add it to the linking phase in
	the Makefile)

	On linux systems you can save about 700 bytes of executable size by
	doing an 'export CC=gcc; export CFLAGS=-O' before doing your build.

	Don't install too many klaxons. It's probably a bad idea to install
	klaxon on every conceivable port.  You may end up giving an attacker
	a convenient way to launch a denial of service attack against you.
	Pick a few key services that attackers are likely to probe. This will
	be enough to detect casual port scans, and security probes. (more below)

	It's best to install klaxon and all of your other security tools in
	a directory that does not have world access. Also, make sure your
	logs are in a safe place that nobody can get to either.

	If you have SunOS4 or Solaris2, I have a program called tocsin (probably
	available where you picked this copy of klaxon up) that works as
	a promiscuous network monitor. It will detect SYN and RST attacks
	against ports that klaxon will not. For klaxon to detect TCP/IP probes,
	the TCP 3-way handshake must have completed (inetd accepts the
	connection) before klaxon even gets called.  If the intruder is using
	something like strobe, he can detect TCP/IP services without completing
	the handshake, and klaxon is oblivious.  tocsin will detect these kinds
	of probes. On a regular Ethernet network (non switched) you only need
	one tocsin daemon running on one machine on any given subnet.

CONTRIBUTIONS:
	Don McLachlan (don@mars.dgrc.crc.ca) contributed code to log the
	first 128 bytes of an incoming probe. This could be useful to detect
	things like buffer overflow attacks with certain well-known signatures.
	I have not tested this code. If you wish to use it, add the 
	-DLOG_DATA line to the Makefile.

ACKNOWLEDGEMENTS:
	Wietse Venema - from whom I borrowed and modified the rfc931 support
	NetBSD - from whom I borrowed the original rexec code.
	Don McLachlan - contributed LOG_DATA code


PROBLEMS and COMMENTS:
	email Doug.Hughes@eng.auburn.edu
	I answer all email (unless it's SPAM)



A list of services to klaxon if not in use. These are common sources of
probes: (contributed by Paul Roberts - proberts@mimscorp.com)

	- These are good for ident
	 |- imap2 (Remote root exploit and common!)
	 |- pop3 (Read overflow allowing access to other people's mail)
	 |- nntp (INN exploit attempt)
	 |- talk (There is an overflow exploit for this)
	 |- ntalk (Some morons still try to 'flash' users)
	 |- shell (something only shell users could use anyway)
	 |- login (something only shell users could use anyway)
	 |- systat (Barely useful, but can't hurt)
	 |- netstat (Barely useful, but can't hurt)

	- These ports one should probably not have ident support on them
	 |- auth (This can cause a feedback loop and crash you and the other guy)
	 |- echo (Usually the source is spoofed anyway; pepsi attack)
	 |- chargen (Usually the source is spoofed anyway; pepsi attack)
	 |- tftp (This is a rare assault, but an ident call from this would
	 |        raise suspicion)
	 |- uucp (Same reasons as tftp)
	 |- ftpd (Your choice, really)

	- If you don't use RPC services, and you really want to obfuscate things,
	port 111 might be interesting.  (usually rpcbind/portmap/rpc.portmapper
	run on this port)

Contributed by Piotr Klaban - makler@man.torun.pl - Jul 14 1999
	Klaxon is a very good idea, but when I encounter
	messages like "someone tries to connect to the echoudp port",
	then I also need to know what the source port of the attacker is.
	Then, if this is also echoudp, I know that this is
	a DOS attack on the echoudp port:

	Jul 14 09:23:57 oryl klaxon[11240]: ALERT: user 0@localhost:42657 accessing
	port echotcp
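Putting the two observations on this page together, the source port that the contribution above asks for and the "pick a few key services" advice in the NOTES, here is an added triage script (not part of klaxon or of the contribution) that reads klaxon ALERT lines in the syslog format shown above. It flags a source that has touched several different trap ports, which is the casual port scan klaxon is meant to catch, and separately flags a hit whose source port equals the well-known port of a reflectable service such as echo or chargen, which is the reflection/DoS pattern the contribution describes. The sample log lines, hostnames, addresses and process ids are constructed; the regular expression assumes the hostname or IPv4 form shown above and will not match an IPv6 source.

```python
# Added example, not klaxon's own code: offline triage of klaxon ALERT lines.
import re
from collections import defaultdict

# Constructed sample syslog lines in the format the README shows; the hosts,
# addresses and pids are invented. The trailing sshd line is noise to be ignored.
SAMPLE_LOG = """\
Jul 14 09:23:57 oryl klaxon[11240]: ALERT: user 0@localhost:42657 accessing port echotcp
Jul 14 09:24:01 oryl klaxon[11251]: ALERT: user 0@scanner.example.net:1034 accessing port tcpmux
Jul 14 09:24:01 oryl klaxon[11252]: ALERT: user 0@scanner.example.net:1035 accessing port supdup
Jul 14 09:24:02 oryl klaxon[11253]: ALERT: user 0@scanner.example.net:1036 accessing port rje
Jul 14 09:30:15 oryl klaxon[11301]: ALERT: user 0@192.0.2.7:7 accessing port echoudp
Jul 14 09:30:15 oryl klaxon[11302]: ALERT: user 0@192.0.2.7:7 accessing port echoudp
Jul 14 09:31:00 oryl sshd[11310]: Accepted publickey for doug from 192.0.2.9
"""

# One ALERT line: timestamp, logging host, "klaxon[pid]:", then user@src:sport and the trap name.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<logger>\S+) klaxon\[\d+\]: "
    r"ALERT: user (?P<user>[^@\s]*)@(?P<src>[^:\s]+):(?P<sport>\d+) accessing port (?P<service>\S+)$"
)

# Well-known ports of services whose traffic is commonly reflected back at a
# spoofed source (the "pepsi attack" mentioned in the service list above).
REFLECTABLE = {"echo": 7, "chargen": 19, "daytime": 13, "time": 37}


def parse_klaxon_line(line):
    """Return a dict of the ALERT fields, or None if the line is not a klaxon ALERT."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    return ev


def base_service(name):
    """inetd lines such as 'klaxon echoudp' name the trap; drop a tcp/udp suffix."""
    for suffix in ("tcp", "udp"):
        if name.endswith(suffix) and len(name) > len(suffix):
            return name[: -len(suffix)]
    return name


def triage(log_text, scan_threshold=3):
    """Summarise ALERT lines into probable scans and probable reflection hits.

    scans:      {source: [distinct trap names]} for sources hitting >= scan_threshold traps
    reflection: sorted unique (source, source_port, trap) where the source port is the
                well-known port of a reflectable service, i.e. the pattern above
    """
    traps_by_src = defaultdict(set)
    reflections = set()
    for line in log_text.splitlines():
        ev = parse_klaxon_line(line)
        if ev is None:
            continue
        traps_by_src[ev["src"]].add(ev["service"])
        well_known = REFLECTABLE.get(base_service(ev["service"]))
        if well_known is not None and ev["sport"] == well_known:
            reflections.add((ev["src"], ev["sport"], ev["service"]))
    scans = {src: sorted(traps) for src, traps in traps_by_src.items()
             if len(traps) >= scan_threshold}
    return {"scans": scans, "reflection": sorted(reflections)}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for src, traps in summary["scans"].items():
        print(f"probable scan from {src}: {', '.join(traps)}")
    for src, sport, trap in summary["reflection"]:
        print(f"reflection pattern: {src}:{sport} -> {trap}")
```

The scan threshold is per source over the whole input; on a busy host you would additionally window it by time, but with only a handful of traps installed (as the NOTES recommend) even three distinct trap hits from one source is a strong signal.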

