From owner-freebsd-security Wed Dec 1 13:42:14 1999
Delivered-To: freebsd-security@freebsd.org
Received: from kerouac.deepwell.com (deepwell.com [209.63.174.12]) by hub.freebsd.org (Postfix) with SMTP id 78A3F14FA3 for ; Wed, 1 Dec 1999 13:42:02 -0800 (PST) (envelope-from freebsd@deepwell.com)
Received: (qmail 28093 invoked from network); 1 Dec 1999 22:32:10 -0000
Received: from proxy.dcomm.net (HELO terry) (209.63.175.10) by deepwell.com with SMTP; 1 Dec 1999 22:32:10 -0000
Message-Id: <4.2.0.58.19991201133811.014d5970@mail1.dcomm.net>
X-Sender: freebsd@mail.deepwell.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Wed, 01 Dec 1999 13:40:41 -0800
To: freebsd-security@freebsd.org
From: Deepwell Internet
Subject: Re: logging a telnet session
In-Reply-To:
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 01:36 PM 12/1/99 -0800, you wrote:
>On Wed, 1 Dec 1999, Jason Hudgins wrote:
>
> > > The problem with using the cracked box to watch itself is kind of obvious
> > > given that your intruder has the same level of privileges as you do. You
> > > really want to be doing this from a safe secondary system.
> >
> > And why is that exactly? Pardon me if I'm simply ignorant, but what is
> > the "problem", and why would a secondary system be preferable?
>
>Because the attacker can simply disable all of your logging, and/or
>replace them with false logs - you have to assume they know what you're
>doing and will take steps against it (or they already have). A second
>system watching the packet stream can't be subverted without also breaking
>into _that_ one, which is much more difficult if you configure it
>restrictively.
>
>Kris

My suggestion was to go one step further and disable the machine from sending out any packets on the ethernet. This would not only keep that box secure from intrusion, but because it wouldn't ARP announce itself or send anything out, the intruder won't know it's on the segment. I assume you don't want him knowing you're watching.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
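A check a practitioner would want for the silent-monitor setup discussed in this thread: capture from a third box on the same segment and confirm that no frame is ever sourced from the monitor's MAC address, since an ARP announcement is the classic giveaway. This is an added example, not code from the list thread; the MAC addresses, IP addresses and frames are constructed here.

```python
import struct

ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
MONITOR_MAC = "00:00:5e:00:53:01"   # assumed MAC of the silent sniffer box (constructed)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp_request(src_mac, sender_ip, target_ip):
    """Constructed Ethernet II + ARP request, i.e. what an ARP announcement looks like on the wire."""
    body = struct.pack("!HHBBH", 1, ETHERTYPE_IP, 6, 4, 1)           # hw=Ethernet, proto=IPv4, op=request
    body += mac_bytes(src_mac) + bytes(map(int, sender_ip.split(".")))
    body += bytes(6) + bytes(map(int, target_ip.split(".")))          # target MAC unknown -> zeros
    return mac_bytes(BROADCAST) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + body

def build_ip_frame(src_mac, dst_mac, payload):
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IP) + payload

def parse_frame(frame):
    """Split an Ethernet II frame into (dst, src, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), etype, frame[14:]

def describe_arp(payload):
    op = struct.unpack("!H", payload[6:8])[0]                          # opcode sits after the 6-byte fixed prefix
    kind = {1: "request", 2: "reply"}.get(op, f"op{op}")
    sender_ip = ".".join(str(b) for b in payload[14:18])               # sender IP follows the 6-byte sender MAC
    return f"ARP {kind} from {sender_ip}"

def frames_sent_by(frames, mac):
    """Every frame sourced from `mac`; a properly silent monitor yields an empty list."""
    leaks = []
    for frame in frames:
        _, src, etype, payload = parse_frame(frame)
        if src == mac:
            leaks.append(describe_arp(payload) if etype == ETHERTYPE_ARP else f"ethertype 0x{etype:04x}")
    return leaks

# Constructed capture as seen from a third host on the segment:
SAMPLE_FRAMES = [
    build_arp_request("00:00:5e:00:53:aa", "192.0.2.10", "192.0.2.1"),        # an ordinary host resolving its gateway
    build_ip_frame("00:00:5e:00:53:aa", "00:00:5e:00:53:bb", b"\x45" + bytes(19)),
    build_arp_request(MONITOR_MAC, "192.0.2.50", "192.0.2.50"),              # the monitor announcing itself: a leak
]

if __name__ == "__main__":
    print(frames_sent_by(SAMPLE_FRAMES, MONITOR_MAC) or "monitor stayed silent")
```

Run it against a real capture by replacing SAMPLE_FRAMES with the raw link-layer frames from a pcap; any hit means the monitor box is not as invisible as intended.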