Date: Sun, 18 Feb 2001 13:40:21 -0500
From: Carroll Kong <damascus@home.com>
To: Brian Reichert <reichert@numachi.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Remote logging
Message-ID: <4.2.2.20010218133626.00c04f00@netmail.home.com>
In-Reply-To: <20010218132255.L91352@numachi.com>
References: <p04330104b6b573740812@[192.168.0.98]>
At 01:22 PM 2/18/01 -0500, you wrote:
>What? Syslog?
>
>Set up a secured box, with syslogd:
>
> loghost# syslogd -a 192.186/16
>
>Have this machine configured to write many machines' logs into
>whatever scheme you find useful for analysis.
>
>Have your other boxes have syslogd configured with something as
>simple as:
>
> *.* @loghost
>
>There are additional steps you can take to keep syslogd immune from
>DNS outages; read the manpages.
>
>Make sure all of your boxes are synchronized via NTP.
>
> Ragnar
>
>--
>Brian 'you Bastard' Reichert <reichert@numachi.com>

That is a good idea; however, what is to stop the enemy from killing syslogd as his first option? I do not think syslogd logs when it gets killed. So, despite the secure log host, he might not get the valuable info he needs. I suppose you could then start speculating a break-in if there are no more MARKs since syslogd is dead. Even that could be fabricated, I suppose. Ugh. Security sure is tough to implement fully. Not trying to say you are wrong, just that I am curious: how does one stop this possible problem? Have you found a way to avoid it?

-Carroll Kong
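One way to act on the "no more MARKs" observation from the loghost side, as an added example that is not part of this thread and not FreeBSD's own code: parse the combined log the loghost writes, record the last message seen from every host that is expected to forward `*.* @loghost`, and flag any host that has been silent longer than two MARK intervals (or that never reported at all). The log lines, host list and the fixed "now" are constructed for the example; any message from a host counts as a heartbeat, not only `-- MARK --` lines.

```python
import re
from datetime import datetime, timedelta

# Classic BSD syslog line as stored on the loghost: "Mmm dd HH:MM:SS host message".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)

# Constructed sample of the loghost's combined log (not real data).
# web1 goes quiet after 13:20:03, as it would if its syslogd were killed;
# mail1 is on the expected list but never reports at all.
SAMPLE_LOG = """\
Feb 18 13:00:03 web1 -- MARK --
Feb 18 13:00:05 db1 -- MARK --
Feb 18 13:20:03 web1 -- MARK --
Feb 18 13:20:05 db1 -- MARK --
Feb 18 13:25:11 db1 sshd[412]: Accepted publickey for ops from 10.0.0.5 port 40122 ssh2
Feb 18 13:40:05 db1 -- MARK --
Feb 18 14:00:05 db1 -- MARK --
""".splitlines()
EXPECTED_HOSTS = ["web1", "db1", "mail1"]  # hosts configured with *.* @loghost (assumed)
NOW = datetime(2001, 2, 18, 14, 5, 0)       # fixed "now" so the sample is reproducible
MAX_GAP = timedelta(minutes=40)             # two missed 20-minute MARK intervals

def parse_line(line, year):
    """Return (timestamp, host, message) or None if the line is not BSD syslog format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host"), m.group("msg")

def last_seen(lines, year):
    """Most recent timestamp per host; any message counts as a heartbeat."""
    seen = {}
    for parsed in filter(None, (parse_line(l, year) for l in lines)):
        ts, host, _ = parsed
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen

def silent_hosts(lines, expected_hosts, now, max_gap, year):
    """Expected hosts that went quiet, mapped to last-seen time (None if never seen)."""
    seen = last_seen(lines, year)
    return {h: seen.get(h) for h in expected_hosts
            if seen.get(h) is None or now - seen[h] > max_gap}

def check_sample():
    return silent_hosts(SAMPLE_LOG, EXPECTED_HOSTS, NOW, MAX_GAP, NOW.year)
```

Run from cron on the loghost against the live file with `now = datetime.now()`; a host that appears in the result is either down, unreachable, or has had its syslogd stopped, and each case deserves a look.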