From owner-freebsd-security Sun Feb 18 14:30:24 2001
Delivered-To: freebsd-security@freebsd.org
From: "Brandon Hicks"
Subject: Fw: Remote logging
Date: Sun, 18 Feb 2001 16:29:13 -0600
Sender: owner-freebsd-security@FreeBSD.ORG

-----Original Message-----
From: Brandon Hicks
To: Carroll Kong
Date: Sunday, February 18, 2001 1:29 PM
Subject: Re: Remote logging

>My FreeBSD box is down, so I can't check this out.... We are moving around
>some things in the new server room. But I'm about to have 8 FreeBSD boxes
>up, plus one here in my office, with no daemon running on it and only
>to monitor the others. So, I would like this information as well. Can
>someone see if syslogd says something when killed? If not, can someone write
>a patch for it, to make it say something like "Syslogd: Killed" at
>least....
>
>Brandon Hicks
>bjh
>
>
>-----Original Message-----
>From: Carroll Kong
>To: Brian Reichert
>Cc: freebsd-security@FreeBSD.ORG
>Date: Sunday, February 18, 2001 12:42 PM
>Subject: Re: Remote logging
>
>
>>At 01:22 PM 2/18/01 -0500, you wrote:
>>>What? Syslog?
>>>
>>>Set up a secured box, with syslogd:
>>>
>>>    loghost# syslogd -a 192.186/16
>>>
>>>Have this machine configured to write many machines' logs into
>>>whatever scheme you find useful for analysis.
>>>
>>>Have your other boxes have syslogd configured with something as
>>>simple as:
>>>
>>>    *.* @loghost
>>>
>>>There are additional steps you can take to keep syslogd immune from
>>>DNS outages; read the manpages.
>>>
>>>Make sure all of your boxes are synchronized via NTP.
>>>
>>> >
>>> > Ragnar
>>>
>>>--
>>>Brian 'you Bastard' Reichert
>>
>>That is a good idea; however, what is to stop the enemy from killing
>>syslogd as his first option? I do not think syslogd logs when it gets
>>killed? So, despite the secure log host, he might not get the valuable
>>info he needs. I suppose you could then start speculating a break-in if
>>there are no more MARKs since syslogd is dead. Even that could be
>>fabricated, I suppose. Ugh. Security sure is tough to implement
>>fully. Not trying to say you are wrong, just that I am curious how
>>one stops this possible problem. Have you found a way to avoid it?
>>
>>-Carroll Kong
>>
>>
>>
>>To Unsubscribe: send mail to majordomo@FreeBSD.org
>>with "unsubscribe freebsd-security" in the body of the message
>
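The "no more MARKs" idea from the thread, worked through as an added example that is not part of the original messages: a small check run on the loghost that records the latest `-- MARK --` each host has sent and flags hosts whose MARKs have stopped. It assumes the loghost stores received lines in the classic BSD syslog layout (timestamp, sender hostname, message) and the default 20-minute MARK interval; the log lines, hostnames and times below are constructed.

```python
import re
from datetime import datetime

# Constructed sample of lines as a central loghost (syslogd -a) would store
# them. Timestamps are the BSD syslog form and come from the sending host,
# which is why the thread insists on NTP. web1 keeps sending MARKs; db1 stops.
SAMPLE_LOG = """\
Feb 18 14:00:03 web1 -- MARK --
Feb 18 14:00:05 db1 -- MARK --
Feb 18 14:05:11 web1 sshd[412]: Accepted publickey for admin from 10.0.0.5
Feb 18 14:20:03 web1 -- MARK --
Feb 18 14:20:05 db1 -- MARK --
Feb 18 14:40:03 web1 -- MARK --
Feb 18 15:00:03 web1 -- MARK --
"""

# "Mon DD HH:MM:SS host message"; syslog pads single-digit days with a space.
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

def last_marks(lines, year=2001):
    """Most recent '-- MARK --' timestamp per sending host."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3).strip() != "-- MARK --":
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        host = m.group(2)
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen

def silent_hosts(lines, now, known_hosts=(), mark_interval_min=20,
                 missed=2, year=2001):
    """Hosts whose MARKs stopped: none within `missed` intervals before `now`
    (FreeBSD syslogd sends a MARK every 20 minutes by default; see -m).
    Returns sorted [(host, minutes_silent)]; minutes_silent is None for a
    known host that never sent a MARK at all."""
    marks = last_marks(lines, year)
    limit = mark_interval_min * missed * 60
    alerts = []
    for host in sorted(set(marks) | set(known_hosts)):
        if host not in marks:
            alerts.append((host, None))
            continue
        silent = (now - marks[host]).total_seconds()
        if silent > limit:
            alerts.append((host, int(silent // 60)))
    return alerts
```

With two missed intervals the check fires roughly 40 minutes after a host's syslogd dies; as Carroll notes, a compromised host can still forge MARKs, so this is a tripwire for the killed-syslogd case, not proof that the host is intact.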