Date: Wed, 01 Dec 1999 13:40:41 -0800
From: Deepwell Internet <freebsd@deepwell.com>
To: freebsd-security@freebsd.org
Subject: Re: logging a telnet session
Message-ID: <4.2.0.58.19991201133811.014d5970@mail1.dcomm.net>
In-Reply-To: <Pine.BSF.4.21.9912011334370.26230-100000@hub.freebsd.org>
References: <Pine.BSF.4.10.9912011525590.16289-100000@eddie.incantations.net>
At 01:36 PM 12/1/99 -0800, you wrote:
>On Wed, 1 Dec 1999, Jason Hudgins wrote:
>
> > > The problem with using the cracked box to watch itself is kind of obvious
> > > given that your intruder has the same level of privileges as you do. You
> > > really want to be doing this from a safe secondary system.
> >
> > And why is that exactly? Pardon me if I'm simply ignorant, but what is
> > the "problem", and why would a secondary system be preferable?
>
>Because the attacker can simply disable all of your logging, and/or
>replace them with false logs - you have to assume they know what you're
>doing and will take steps against it (or they already have). A second
>system watching the packet stream can't be subverted without also breaking
>into _that_ one, which is much more difficult if you configure it
>restrictively.
>
>Kris

My suggestion was to go one step further and disable the machine from
sending out any packets on the ethernet. This would not only keep that
box secure from intrusion, but because it wouldn't ARP-announce itself or
send anything out, the intruder won't know it's on the segment. I assume
you don't want him knowing you're watching.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
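The "silent monitor" the message above proposes, written out as an added example; this is not part of the original thread and not something its author posted. It assumes a modern FreeBSD host with ipfw available, a monitoring interface named em0 and a capture path under /var/log (both assumptions), and it brings the interface up with no address, ARP disabled and IPv6 neighbour discovery disabled, drops any outbound IP with ipfw, and runs tcpdump with -n so the sniffer never sends reverse-DNS lookups that would reveal it. The check_silent function inspects ifconfig output so you can confirm the box is actually quiet before trusting it.

```shell
#!/bin/sh
# Added example (not from the original thread): make a FreeBSD sniffer host
# silent on the monitored segment and verify that it is.
# "em0" and the capture path are assumptions; override with IFACE/CAPTURE.

IFACE="${IFACE:-em0}"
CAPTURE="${CAPTURE:-/var/log/segment.pcap}"

# Emit the commands that make $1 a silent monitor:
#   -arp            no ARP requests/announcements (ipfw does not see ARP)
#   inet6 ifdisabled  no IPv6 DAD, router or neighbour solicitations
#   ipfw deny out   belt and braces: drop any IP the stack still tries to send
#   tcpdump -n      never resolve names, so no DNS traffic leaves the box
silent_monitor_cmds() {
    ifc="$1"
    cat <<EOF
ifconfig $ifc -arp up
ifconfig $ifc inet6 ifdisabled
ipfw add 100 deny ip from any to any out via $ifc
tcpdump -n -i $ifc -w $CAPTURE
EOF
}

# Read "ifconfig <iface>" output from stdin; succeed only if NOARP is set
# and the interface carries no inet or inet6 address.
check_silent() {
    out="$(cat)"
    echo "$out" | grep -q 'NOARP' || return 1
    if echo "$out" | grep -Eq '^[[:space:]]+inet6? '; then
        return 1
    fi
    return 0
}

# With no argument, print the commands (dry run); "apply" runs them as root.
case "${1:-show}" in
    show)  silent_monitor_cmds "$IFACE" ;;
    apply) silent_monitor_cmds "$IFACE" | sh -e ;;
esac
```

After `sh silent-monitor.sh apply`, pipe `ifconfig em0 | check_silent` to confirm NOARP is set and no address is bound. Note that ipfw filters IP, not Ethernet frames, so the `-arp` flag is what actually stops the ARP announcement the message is concerned about; the only way to be certain nothing is transmitted is to prevent it physically, with a receive-only cable or a network tap.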