From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 05:40:17 2003
Return-Path: 
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 52CEB16A4B3 for ; Tue, 16 Sep 2003 05:40:17 -0700 (PDT)
Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4147743FBD for ; Tue, 16 Sep 2003 05:40:16 -0700 (PDT) (envelope-from anderson@centtech.com)
Received: from centtech.com (neutrino.centtech.com [204.177.173.28]) by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id h8GCdl6T091906; Tue, 16 Sep 2003 07:39:53 -0500 (CDT) (envelope-from anderson@centtech.com)
Message-ID: <3F67048F.90709@centtech.com>
Date: Tue, 16 Sep 2003 07:39:43 -0500
From: Eric Anderson
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Nikolay Kanchev
References: <20030916120621.X69601-100000@gandalf.raditex.se> <01e901c37c4f$646cfa30$0d00a8c0@amkdrives.bg>
In-Reply-To: <01e901c37c4f$646cfa30$0d00a8c0@amkdrives.bg>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-security@freebsd.org
Subject: Re: boot -s - can i detect intruder
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Tue, 16 Sep 2003 12:40:17 -0000

Nikolay Kanchev wrote:
> Thanks all
>
> I know that if someone has physical access to my servers they can penetrate
> them. And this is a reason to test these guys with this fake server. Some of
> them think that they are "hackers" and try to crack passwords, install
> backdoors, etc. For now not very successfully ;-)
>
> I will try to mod the kernel; hardware keyloggers are expensive for me.
> Test complete after one week and I'm not sure that I have time to mod the
> kernel, but now I found one free security camera and will install it in the
> room with the box and capture the guys' activity, so that I will have proof :-)
>

Why not start syslogd (even in single user mode) set to log to a remote server? I doubt they unplug the network cable when going into single user mode. You'll have to force the network interface up and have it start syslogd, but that should be it.

You can also force the / partition to be mounted rw in single user mode (for catching someone it's probably ok, but I wouldn't leave it like that).

Eric

-- 
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
All generalizations are false, including this one.
------------------------------------------------------------------
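The procedure Eric outlines (remount / read-write, force the interface up, start syslogd forwarding to a remote host), written out as a script for a FreeBSD single-user shell. This is an added example, not code from the thread or from FreeBSD; the interface name, addresses, config path and the rc.conf line for the log host are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the list thread): from a FreeBSD single-user
# shell, bring up networking and a syslogd that forwards everything to a
# remote log host, so whatever the visitor does that gets logged leaves
# the box immediately.
#
# Assumptions (not from the page): interface fxp0 with 192.0.2.5/24,
# log host 192.0.2.10, config written to /etc/syslog.single.conf.

LOGHOST="${LOGHOST:-192.0.2.10}"
IFACE="${IFACE:-fxp0}"
IFADDR="${IFADDR:-192.0.2.5}"
IFMASK="${IFMASK:-255.255.255.0}"
CONF="${CONF:-/etc/syslog.single.conf}"

# syslog.conf that forwards every facility and priority to the log host.
# Selector and action are separated by a tab, as in FreeBSD's own file.
make_syslog_conf() {
    printf '*.*\t@%s\n' "$1"
}

# Arguments for the sending syslogd: -f uses an alternate config file,
# -s (single) refuses messages *from* the network but still forwards.
# Do not use -ss: that opens no network socket at all, so nothing leaves.
syslogd_args() {
    printf '%s %s %s\n' -f "$1" -s
}

# rc.conf line for the log host: FreeBSD's syslogd only accepts remote
# messages from peers named with -a (this replaces the default "-s").
loghost_rc_conf() {
    printf 'syslogd_flags="-a %s"\n' "$1"
}

# Single-user mode leaves / read-only and runs no rc scripts, so do the
# minimum by hand: writable root (syslogd needs /var/run for its socket
# and pid file), /var if it is its own filesystem, then the interface.
prepare_system() {
    mount -u -o rw /
    mount /var 2>/dev/null || :
    ifconfig "$IFACE" inet "$IFADDR" netmask "$IFMASK" up
}

start_remote_syslog() {
    prepare_system
    make_syslog_conf "$LOGHOST" > "$CONF"
    # shellcheck disable=SC2046  # word-splitting of the args is intended
    syslogd $(syslogd_args "$CONF")
    # Marker so the log host shows when the single-user session began.
    logger -t single-user "single-user mode entered on $(hostname); forwarding to $LOGHOST"
}

# Only act when asked, so the file can be sourced or inspected safely.
if [ "${1:-}" = "start" ]; then
    start_remote_syslog
fi
```

Run it as `sh /root/remote-syslog.sh start` from the single-user prompt, and put `syslogd_flags="-a 192.0.2.5"` in the log host's /etc/rc.conf so its syslogd accepts datagrams from this box. Two limits worth knowing before relying on this: nothing launches the script for you in single-user mode (init hands control straight to a shell, so the script has to be run from that shell or from whatever wrapper the box uses as its single-user shell), and syslogd only carries what programs log through syslog; commands typed at the single-user shell produce no syslog messages by themselves, and someone who notices the daemon can simply kill it.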