Date: Wed, 6 Oct 1999 03:27:26 -0400 (EDT)
From: Mike Nowlin <mike@argos.org>
To: The Mad Scientist <madscientist@thegrid.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Syslog over serial
Message-ID: <Pine.LNX.4.05.9910060307590.15924-100000@jason.argos.org>
In-Reply-To: <4.1.19991005185332.009763d0@mail.thegrid.net>
> I figured all the normal rules of tcp/ip applied to a ptp connection over
> parallel. This means that I've created a connection across my inner
> firewall. I suppose one solution would be to run ipfw on the logging host
> and allow only udp-port-514-traffic in. Of course, I might as well be
> using ethernet. ^_^ Parallel lines add some protection from snooping
> though. Perhaps encrypted syslog is a better alternative. (I remember the
> pseudo-flame wars over secure syslog a few months ago. I'll go troll the
> archives)
> Thanks to all who replied (but don't let this email discourage you from
> putting in your thoughts about running syslog over serial lines.)
> -Dean

As a general rule, if you can ping it, the IP rules do apply...

One of the nice things about syslog is that you can have messages go to multiple places, although sometimes it takes a little creativity to make it work... All of the machines at work log to a common host using standard "*.* @1.2.3.4" notation in syslog.conf -- the common host records everything to a (really big) disk file, in addition to breaking it down depending on syslog facility into separate log files. The "/var/log/biglog" that syslog creates has a program running against it that does the equivalent of "tail -f", sent over an encrypted socket to one of the machines at my home. In addition, the common logger sends all the messages out via a serial line to a dumb terminal sitting behind my chair - quick viewability (?) to keep track of what's going on, and the attached printer lets me grab stuff if I need to. (Two keystrokes to turn the printer on/off.)

Along with all of this, the three big machines that I'm really concerned about each have a serial line connected to a serial line-buffering multiplexer, which is in turn connected to a DOS box that records everything they send out. This has been extremely beneficial in the past during break-ins, etc. where Mr. Intruder thought he'd play it safe by wiping the log files -- good luck.... :)

Serial comms play a big part in this scheme, but none of them run IP (except the serial line to the CSU/DSU to my home network). One of the key points to keep in mind when dealing with serial logging over IP is that if somebody trashes your IPFW rules or other essential info, your IP serial line suddenly goes dead, and your logging quickly stops.

--mike

P.S. - As a side idea, would IPFW rules blocking IP keep PPP from doing its every-so-often handshaking? If not, PPP would happily keep running, while the IP layer of it would block syslog entries from being transmitted..... I know SLIP would do this.........

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
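Mike describes a program that does the equivalent of "tail -f" against /var/log/biglog and ships the lines off-host, so that an intruder who wipes the local file cannot take back what has already been forwarded. The follower below is an added example for this thread, not Mike's program and not anything from the FreeBSD project; it shows the detail that matters for the log-wipe case: the follower notices when the file it is reading shrinks, or is replaced under the same name, forwards a marker line recording that fact, and then resumes reading from the start of the current file. The transport is a plain callback (the `sink` parameter) so the example runs offline; in a real deployment that callback would write to the encrypted socket Mike mentions. The class name, the `demo()` scenario and the sample log lines are all constructed for this example.

```python
import os
import shutil
import tempfile
from typing import Callable, List, Optional


class LogFollower:
    """Follow a file like `tail -f` and hand each complete line to `sink`.

    Remembers the inode and byte offset reached so far and compares them with
    a fresh stat() of the path on every poll:
      * inode changed -> file was rotated or replaced: reopen from the start
      * size < offset -> file was truncated (a log wipe): rewind to 0
    A marker line is forwarded first in both cases, so the remote copy records
    that something happened to the local file. Reading starts at the beginning
    of the file so the remote copy is complete.
    """

    MARKER = "@@ follower"  # prefix of lines the follower itself generates

    def __init__(self, path: str, sink: Callable[[str], None]) -> None:
        self.path = path
        self.sink = sink            # transport; in production, the encrypted socket
        self.fh = None
        self.inode: Optional[int] = None
        self.offset = 0             # bytes consumed from the current file
        self.partial = b""          # bytes after the last newline, not yet a line
        self.missing_reported = False

    def _open(self) -> None:
        if self.fh is not None:
            self.fh.close()
        self.fh = open(self.path, "rb")
        self.inode = os.fstat(self.fh.fileno()).st_ino
        self.offset = 0
        self.partial = b""

    def _drain(self) -> int:
        """Read everything new from the open handle and forward complete lines."""
        data = self.fh.read()
        if not data:
            return 0
        self.offset += len(data)
        pieces = (self.partial + data).split(b"\n")
        self.partial = pieces.pop()  # incomplete tail, or b"" if data ended in \n
        for raw in pieces:
            self.sink(raw.decode("utf-8", "replace"))
        return len(pieces)

    def poll(self) -> int:
        """Forward whatever is new. Returns lines handed to sink, markers included."""
        sent = 0
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            if not self.missing_reported:  # report a vanished file once
                self.sink(f"{self.MARKER}: {self.path} is missing")
                self.missing_reported = True
                sent += 1
            return sent
        self.missing_reported = False

        if self.fh is None:
            self._open()
        elif st.st_ino != self.inode:
            sent += self._drain()  # finish the old file before switching
            self.sink(f"{self.MARKER}: {self.path} replaced (inode changed); reopening")
            sent += 1
            self._open()
        elif st.st_size < self.offset:
            self.sink(f"{self.MARKER}: {self.path} shrank from {self.offset} to "
                      f"{st.st_size} bytes; possible log wipe")
            sent += 1
            self.fh.seek(0)
            self.offset = 0
            self.partial = b""
        return sent + self._drain()


def demo() -> List[str]:
    """Constructed scenario in a temp dir: append, partial line, wipe, rotate.
    Returns every line the sink received, in order."""
    received: List[str] = []
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "biglog")
    try:
        with open(path, "w") as f:
            f.write("login ok\n")              # constructed sample line
        follower = LogFollower(path, received.append)
        follower.poll()
        with open(path, "a") as f:
            f.write("second")                  # line not finished yet
        follower.poll()                        # nothing forwarded
        with open(path, "a") as f:
            f.write(" line\n")
        follower.poll()                        # "second line"
        open(path, "w").close()                # wipe in place, same inode
        follower.poll()                        # shrink marker
        with open(path, "a") as f:
            f.write("after wipe\n")
        follower.poll()
        with open(path + ".new", "w") as f:
            f.write("rotated\n")
        os.replace(path + ".new", path)        # new inode under the same name
        follower.poll()                        # rotation marker, then "rotated"
    finally:
        shutil.rmtree(workdir)
    return received


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A real follower calls `poll()` in a loop with a short sleep, and the sink is whatever writes to the remote side. The shrink check is best effort: if the file is wiped and regrows past the old offset between two polls, the follower sees nothing unusual, which is exactly why Mike's serial-line copies, which an intruder on the host cannot reach, are the stronger record.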