Date: Wed, 1 Dec 1999 13:36:21 -0800 (PST)
From: Kris Kennaway
To: Jason Hudgins
Cc: freebsd-security@freebsd.org
Subject: Re: logging a telnet session

On Wed, 1 Dec 1999, Jason Hudgins wrote:

> > The problem with using the cracked box to watch itself is kind of obvious
> > given that your intruder has the same level of privileges as you do. You
> > really want to be doing this from a safe secondary system.
>
> And why is that exactly? Pardon me if I'm simply ignorant, but what is
> the "problem", and why would a secondary system be preferable?

Because the attacker can simply disable all of your logging, and/or
replace them with false logs - you have to assume they know what you're
doing and will take steps against it (or they already have). A second
system watching the packet stream can't be subverted without also breaking
into _that_ one, which is much more difficult if you configure it
restrictively.

Kris
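
Added example, not part of the message above or of anything posted to the list: once a second system has captured the packet stream, the telnet option negotiation (RFC 854) has to be stripped before the session reads as a log. The class and function names and the sample bytes are constructed for illustration, and packet capture and TCP reassembly are assumed to have been done already.

```python
# Example code: decode one direction of a captured telnet TCP stream.
IAC, SB, SE = 255, 250, 240
NEGOTIATE = {251, 252, 253, 254}  # WILL, WONT, DO, DONT


class TelnetStreamDecoder:
    """Stateful, so a command split across TCP segments is still removed."""

    def __init__(self):
        self.state = "data"

    def feed(self, segment: bytes) -> bytes:
        out = bytearray()
        for b in segment:
            if self.state == "data":
                if b == IAC:
                    self.state = "iac"
                else:
                    out.append(b)
            elif self.state == "iac":
                if b == IAC:  # IAC IAC is an escaped literal 0xFF data byte
                    out.append(b)
                # WILL/WONT/DO/DONT take one option byte, SB opens a
                # subnegotiation, anything else is a two-byte command.
                self.state = "option" if b in NEGOTIATE else "sb" if b == SB else "data"
            elif self.state == "option":
                self.state = "data"  # skip the option byte
            elif self.state == "sb":
                if b == IAC:
                    self.state = "sb_iac"
            elif self.state == "sb_iac":
                # IAC SE closes the subnegotiation; anything else stays inside
                self.state = "data" if b == SE else "sb"
        return bytes(out)


def session_text(segments) -> str:
    decoder = TelnetStreamDecoder()
    raw = b"".join(decoder.feed(s) for s in segments)
    # Assumption of this example: CR NUL and CR LF both end a line in the log.
    return raw.replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n").decode("latin-1")


# Constructed client-to-server segments (not from a real capture).
SAMPLE = [
    bytes([255, 253, 1, 255, 251]),   # IAC DO ECHO, then IAC WILL ...
    bytes([24]) + b"ls -",            # ... TERMINAL-TYPE, then typed data
    b"la\r\x00" + bytes([255, 250, 24, 0]) + b"vt100" + bytes([255, 240]) + b"id\r\n",
]
```

Run on the monitoring host, `session_text(SAMPLE)` yields the two typed lines with the negotiation bytes removed, including the `IAC WILL` that straddles the first two segments.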