From owner-freebsd-security Fri Jul 31 16:01:30 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA18907 for freebsd-security-outgoing; Fri, 31 Jul 1998 16:01:30 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.ruhrgebiet.individual.net (in-ruhr.ruhr.de [141.39.224.38]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA18869 for ; Fri, 31 Jul 1998 16:01:13 -0700 (PDT) (envelope-from bs@devnull.ruhr.de)
Received: (from admin@localhost) by mail.ruhrgebiet.individual.net (8.8.5-r-beta/8.8.5) with UUCP id AAA02570; Sat, 1 Aug 1998 00:36:10 +0200 (MET DST)
Received: from [192.168.22.75] (helo=rm.devnull.ruhr.de) by devnull.ruhr.de with esmtp (Exim 1.92 #1) id 0z2MD1-0000Ov-00; Fri, 31 Jul 1998 22:55:27 +0200
Received: from bs by rm.devnull.ruhr.de with local (Exim 1.92 #1) id 0z2MCz-0000Q2-00; Fri, 31 Jul 1998 22:55:25 +0200
To: Reidar Bratsberg
Cc: security@FreeBSD.ORG
Subject: Re: Where are your logs? Methods of logging?
References: <3.0.32.19980731162500.00869ce0@trost.ravn.no>
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
From: Benedikt Stockebrand
Date: 31 Jul 1998 22:55:24 +0200
In-Reply-To: Reidar Bratsberg's message of "Fri, 31 Jul 1998 16:25:00 +0200"
Message-ID: <87k94tyc3n.fsf@devnull.ruhr.de>
Lines: 56
X-Mailer: Gnus v5.5/XEmacs 20.4 - "Emerald"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Reidar Bratsberg writes:

> Other options: Let syslog log to a serial port, and set up an
> old machine with MS-DOS (or whatever) to receive them.

There's a problem with this approach, though. If someone launches an
attack that causes more log entries to be written than can be sent over
the serial line at the same speed, you may lock up the victim host due
to full buffers. The syslog protocol uses UDP and therefore doesn't
have this problem, but may lose packages, i.e. log entries, if attacked
this way.

Anyway, if you're really serious about reliable logging you should
consider buying two 100baseTX cards and a nullhub cable.

> We've considered setting up an old matrix printer as well, but I'm not
> sure it's worth the trouble (or paper!).

A line printer is even slower than a serial line...

Another Good Thing (TM) for dealing with logs during attacks seems to
be to write a perl script or whatever to read the logs and try to
recognize unusual events. Used in conjunction with a sound card, some
pager software or whatever you prefer to issue an alarm, this can speed
up your response to an attack quite considerably.

> I haven't done it myself, but I've heard that some cut (!) the
> "send"-wires on the TP-cable to the secure machine -- making it
> impossible to reach it via the network. The syslog entries
> get through though.

That's in Cheswick & Bellovin, "Firewalls and Internet Security". They
tried to tap the network traffic from an "invisible" machine and did it
to suppress its ARP announcements. As Steinar points out, this doesn't
work with UTP.

If you try to send your logs to such a machine you've got a problem:
its MAC (Ethernet) address must be known, either through the ARP
protocol or some hardcoded /etc/ethers entries. In any case, once an
attacker broke into the box he/she/it can find out about such a log
machine.

If you're really serious about it you'll send the log entries somewhere
else and use tcpdump to sniff those log entries. But this may go way
too far...

So long,

    Ben

--
Ben(edikt)? Stockebrand                                      Un*x SA
My name and email address are not to be added to any list used for
advertising purposes. Any sender of unsolicited advertisement e-mail to
this address implicitly agrees to pay a DM 500 fee to the recipient for
proofreading services.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
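The log-watching script Ben suggests, as an added example that is not part of the original message, the FreeBSD project, or anything Ben published: a small Python (rather than perl) watcher that parses BSD-style syslog lines, keeps a sliding window per source address, and raises an alert for a burst of failed logins, a failed su, and a syslogd restart (the kind of gap a dropped-UDP or blocked-serial-line situation would leave). The sample log lines are constructed for the example, and the `alarm` callback stands in for whatever sound card or pager hook you would attach.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines for the example; not taken from any real host.
SAMPLE_LOG = """\
Jul 31 22:50:01 gw sshd[412]: Accepted password for ben from 192.168.22.75 port 1022
Jul 31 22:51:10 gw sshd[418]: Failed password for root from 10.0.0.9 port 3301
Jul 31 22:51:11 gw sshd[419]: Failed password for root from 10.0.0.9 port 3302
Jul 31 22:51:12 gw sshd[420]: Failed password for root from 10.0.0.9 port 3303
Jul 31 22:51:13 gw sshd[421]: Failed password for root from 10.0.0.9 port 3304
Jul 31 22:51:14 gw sshd[422]: Failed password for root from 10.0.0.9 port 3305
Jul 31 22:52:00 gw su: BAD SU ben to root on /dev/ttyp1
Jul 31 22:53:30 gw syslogd: restart
Jul 31 22:54:00 gw sshd[430]: Accepted password for ben from 192.168.22.75 port 1023
"""

# "Mon DD HH:MM:SS host prog[pid]: message" -- the classic BSD syslog line layout.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse_line(line, year=1998):
    """Split one syslog line into fields; return None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


class LogWatcher:
    """Feed syslog lines in order; unusual events are collected and passed to `alarm`."""

    def __init__(self, burst_threshold=5, burst_window=60, alarm=None):
        self.burst_threshold = burst_threshold
        self.window = timedelta(seconds=burst_window)
        self.alarm = alarm or (lambda text: None)  # hypothetical pager/sound hook
        self.failures = defaultdict(deque)  # source address -> recent failure times
        self.alerts = []

    def _raise(self, text):
        self.alerts.append(text)
        self.alarm(text)

    def feed(self, line):
        ev = parse_line(line)
        if ev is None:
            return
        msg = ev["msg"]
        fail = re.search(r"Failed password for (\S+) from (\S+)", msg)
        if fail:
            # Rule 1: N failed logins from one source inside the sliding window.
            src = fail.group(2)
            q = self.failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > self.window:
                q.popleft()
            if len(q) == self.burst_threshold:  # fire once, when the threshold is crossed
                self._raise(f"{ev['host']}: {len(q)} failed logins from {src} "
                            f"within {self.window.seconds}s")
        elif ev["prog"] == "su" and msg.startswith("BAD SU"):
            # Rule 2: any failed su is worth a look on its own.
            self._raise(f"{ev['host']}: failed su attempt: {msg}")
        elif ev["prog"] == "syslogd" and "restart" in msg:
            # Rule 3: a syslogd restart means entries before it may be missing.
            self._raise(f"{ev['host']}: syslogd restarted, check for gaps in the log")


def watch(text, **kwargs):
    """Run the watcher over a block of log text and return the alerts it raised."""
    w = LogWatcher(**kwargs)
    for line in text.splitlines():
        w.feed(line)
    return w.alerts


if __name__ == "__main__":
    for alert in watch(SAMPLE_LOG, alarm=lambda t: print("ALARM:", t)):
        pass
```

The sliding window is the part that matters for the attack scenario in the message: a flood of entries is exactly when a simple "grep for Failed" would drown you, while a per-source threshold fires once and stays quiet until the window empties.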