Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 16 Dec 2004 08:24:09 -0800
From:      richard childers / kg6hac <fscked@pacbell.net>
To:        freebsd-security@freebsd.org
Subject:   re: need some advice on connections logs
Message-ID:  <41C1B6A9.5020405@pacbell.net>
In-Reply-To: <20041211120120.5204216A4D0@hub.freebsd.org>
References:  <20041211120120.5204216A4D0@hub.freebsd.org>

next in thread | previous in thread | raw e-mail | index | archive | help

>Date: Fri, 10 Dec 2004 19:01:59 -0500
>From: Bob Ababurko <ababurko@adelphia.net>
>Subject: need some advice on connections logs
>
>
>Hello-
>
>What is the best way to deal with getting logs for someone attacking my 
>box?  I am not really sure, but I think it may involve tcpdump.  Is 
>there any way to implement this so that it can be running before an 
>attack happens?.....see the problem is, that I do not have physical 
>access to the box and if it is taken down(unaccessible by remote means), 
>I cannot log in to start a dump.  What can I do in this case, or what 
>are my options, if I want to have the network connections dumped somehow 
>with no intervention?....is that a tall order?
>
>Thanks,
>Bob
>

Bob,

I would recommend that, along with the excellent recommendations for 
logging syslogd(8) output to another machine, that you install a 
firewall, if this is an option.

Although a firewall may not deter the attacks, it is an excellent 
mechanism for collecting forensic data, IE, the details you need to 
prosecute the person or persons whom are attacking your system. 
Consider, for instance, the massive amount of evidence created, in 
replicate, if every one of your servers has a firewall installed, and 
someone scans your network; it's difficult for a jury to argue with that 
sort of detail.

You can configure the firewall to log every single connection, 
separately from accepting or rejecting, so that you can in theory log 
successful as well as unsuccessful connections.

And, yes, if you want to log in even greater detail, you could set up a 
tcpdump(8) session that ran and collected all network traffic, too, and 
just leave it running, or turn it into a crontab entry that restarts it 
every hour, and manages each hour of logs, separately.

Naturally, all of this translates into a lot of data, so make sure you 
have a few gigabytes of space somewhere, ahead of time, and do some 
back-of-the-envelope calculations to see exactly how much you can 
accumulate before you need to start deleting logs. For instance, if it 
turns out that you have enough room to hold 30 days worth of data, in 
worst-case scenarios involving 7x24 denial-of-service attacks intended 
to create huge logs, you might want to add another crontab entry 
cleaning out all logs over 15 days.

It's a lot of work but when you are done you will be able to rest much 
more easily.

Good luck!


Regards,

-- richard

-- 

Richard Childers / Senior Engineer
Daemonized Networking Services
945 Taraval Street, #105
San Francisco, CA 94116 USA
[011.]1.415.759.5571
http://www.daemonized.com

'A well-schooled electorate, being necessary to the security of
 a free State, the right of the people to keep and read Books,
 shall not be infringed.' -- (Attributed to J. Neil Shulman)

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.4 (FreeBSD)

mQGiBECGpfsRBACoPJJfIIrWAqjlW92TtYCtY//e7OW8alWylr/1ygtSQzjCCdvC
Ysa0fCcx01UenlWV+5YY/zC7KPsX2rQUKAs20fqs9et74dmgMGOj0vMjTzWEs29G
FyAsIRSpFioa8zzrjXEUVnU6OFaD9a9eaC+LSTCiKgXjbQySDKM5T1c+vwCg8W3Y
RZ83LRIUULGMPlY6zS4fQwUEAIIiTHDdWpbE+HeREJwH+4eDpGVf76XtNlOMXrt9
tJ3ExL+9ezLulg1nCrOYodOB7TEZqzV40R7emDZSX0hI9QEBCv6nW5aDVpw/bf+q
UEHwxrUvE2LBi35hoqR2QwqNlagOauSorWj8Qm/31luxJVeLVy1A1czp6B/mvG1T
co03A/9a5kzEAebJ5TzWXQC2/4gu/osXQnrw9B9FFpYOtLc0MNQuAFt8VLn5yO5Q
8T58w+FQvFI5FqzI5URmjQeEyWWuyIechknk4RnwIO1UPVjgRTuNgf9/TvNNfqpa
aVlbNp+AG21D6VqsFN2zJFFJeUqiYdXw6i+ESL3SZRymIhwYWrQ8UmljaGFyZCBB
IENoaWxkZXJzICh3d3cuZGFlbW9uaXplZC5jb20pIDxmc2NrZWRAcGFjYmVsbC5u
ZXQ+iF4EExECAB4FAkCGpfsCGwMGCwkIBwMCAxUCAwMWAgECHgECF4AACgkQjGqW
TlNTP66KzQCgjf0SQbiK1rgu7hRsmLPSSaGF7X8AoL7Qw/E9kTZr0fntP0XXEnk/
q6nRuQINBECGpvkQCADFzFq+kYbk+KTIhcVBTjTWDbBnjGgmuGR3LGp9hOd6W9SJ
i4GD5184ZnMbEgvDZcDEGDNgMcU+f1girwYI2v/o7QA7VQ5bpUbnfOBytzO+bvd7
uCOyJltg8AG5MFLxfhAMHofpNxGlFTEXdVp4M9xyBB+hdLHbJNJqkMGPf+iCUf1W
Q86KncU2AK4Sf9I+WYBZwkjaIhi9dQzeEX1c0Um6LxXSBtkjZprIk1M13gVaIJ6E
dDN6hrSMbXZL+7yURw38vHXCtRJAKEOyW178rI8MzJzvVNhobvC62uEWD9Idz8sH
5A06fqb2fKJYLQ1keGUpb/qpny7oTmAe0Hx9jOM7AAMGCACdTe1M4U++/7/OVGip
1gnWEtMhHeQQbS7KPh1w8/1kvs5Mml6uGYQI44lKTDP7OHJQ9hIT/+5tfKPHIPhU
M/7Mqa8y81c/AK+WUOyY9+uZ0zUxFGMqeU9z5iqJFWSi9QR/f5q/khfmqi5RFVyQ
nnVhxBMB8pY1vZHV1CoL7NLK4c/N8mpwCiZ57LTsP8pLfDMWF/OopmM2ulzlfWTr
anAdxQohenq/zTgSySX/VGZYSYvyAoXTRuU4USAVGWcUQPnVooA1N7lZP3pawjNP
QMSukx9jI1673BPsPXxyQZ1PmmPt9eHKI0G0hNJG+FCmSRLNT/R7hqTzTUmpgMWM
yyWPiEkEGBECAAkFAkCGpvkCGwwACgkQjGqWTlNTP642KACeITHq0b42P3oMX7Nj
F5U3EaqCgYoAn3HxUB7ELB6vMUugW4aSmZpBJOR6
=ZaJO
-----END PGP PUBLIC KEY BLOCK-----





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41C1B6A9.5020405>