From owner-freebsd-security@FreeBSD.ORG Thu Dec 16 16:27:09 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DEDD916A4CF for ; Thu, 16 Dec 2004 16:27:08 +0000 (GMT)
Received: from smtp814.mail.sc5.yahoo.com (smtp814.mail.sc5.yahoo.com [66.163.170.84]) by mx1.FreeBSD.org (Postfix) with SMTP id 53FD843D5F for ; Thu, 16 Dec 2004 16:27:08 +0000 (GMT) (envelope-from fscked@pacbell.net)
Received: from unknown (HELO pacbell.net) (fscked@pacbell.net@66.124.234.76 with plain) by smtp814.mail.sc5.yahoo.com with SMTP; 16 Dec 2004 16:27:08 -0000
Message-ID: <41C1B6A9.5020405@pacbell.net>
Date: Thu, 16 Dec 2004 08:24:09 -0800
From: richard childers / kg6hac
Organization: Daemonized Networking Services - http://www.daemonized.com
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
References: <20041211120120.5204216A4D0@hub.freebsd.org>
In-Reply-To: <20041211120120.5204216A4D0@hub.freebsd.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: re: need some advice on connections logs
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: fscked@pacbell.net
List-Id: Security issues [members-only posting]
X-List-Received-Date: Thu, 16 Dec 2004 16:27:09 -0000

>Date: Fri, 10 Dec 2004 19:01:59 -0500
>From: Bob Ababurko
>Subject: need some advice on connections logs
>
>
>Hello-
>
>What is the best way to deal with getting logs for someone attacking my
>box? I am not really sure, but I think it may involve tcpdump.
>Is there any way to implement this so that it can be running before an
>attack happens? ...see, the problem is that I do not have physical
>access to the box, and if it is taken down (inaccessible by remote means),
>I cannot log in to start a dump. What can I do in this case, or what
>are my options, if I want to have the network connections dumped somehow
>with no intervention? ...is that a tall order?
>
>Thanks,
>Bob
>

Bob,

I would recommend that, along with the excellent recommendations for logging syslogd(8) output to another machine, you install a firewall, if this is an option.

Although a firewall may not deter the attacks, it is an excellent mechanism for collecting forensic data, i.e., the details you need to prosecute the person or persons who are attacking your system. Consider, for instance, the massive amount of evidence created, in replicate, if every one of your servers has a firewall installed and someone scans your network; it's difficult for a jury to argue with that sort of detail.

You can configure the firewall to log every single connection, separately from accepting or rejecting it, so that you can in theory log successful as well as unsuccessful connections.

And, yes, if you want to log in even greater detail, you could set up a tcpdump(8) session that ran and collected all network traffic, too, and just leave it running, or turn it into a crontab entry that restarts it every hour and manages each hour of logs separately.

Naturally, all of this translates into a lot of data, so make sure you have a few gigabytes of space somewhere, ahead of time, and do some back-of-the-envelope calculations to see exactly how much you can accumulate before you need to start deleting logs. For instance, if it turns out that you have enough room to hold 30 days' worth of data, in worst-case scenarios involving 7x24 denial-of-service attacks intended to create huge logs, you might want to add another crontab entry cleaning out all logs over 15 days old.
It's a lot of work, but when you are done you will be able to rest much more easily.

Good luck!

Regards,

-- richard

--
Richard Childers / Senior Engineer
Daemonized Networking Services
945 Taraval Street, #105
San Francisco, CA 94116 USA
[011.]1.415.759.5571
http://www.daemonized.com

'A well-schooled electorate, being necessary to the security of a free State, the right of the people to keep and read Books, shall not be infringed.' -- (Attributed to J. Neil Shulman)
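The hourly tcpdump rotation, the 15-day clean-out and the "how many days fit on disk" calculation from the reply above, written out as an added example script that is not part of the original mail. The interface name em0, the capture directory, the pid-file path and the crontab line are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): hourly tcpdump rotation driven
# from cron plus a retention sweep, as the reply describes.
# Assumed crontab entry (runs at the top of every hour):
#   0 * * * * /usr/local/sbin/capture.sh rotate em0 /var/log/pcap 15
set -eu

PIDFILE=/var/run/capture-tcpdump.pid   # assumed location of the pid file

# Capture file for one hour: <dir>/cap-YYYYmmddHH.pcap (layout is assumed).
capture_path() {
    printf '%s/cap-%s.pcap\n' "$1" "$2"
}

# Stop the previous hour's tcpdump (if still running) and start a fresh one
# writing to this hour's file. Needs root and a real interface, so the test
# below does not call it.
rotate_capture() {
    iface=$1; dir=$2
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        kill "$(cat "$PIDFILE")"
    fi
    file=$(capture_path "$dir" "$(date +%Y%m%d%H)")
    # -n: no DNS lookups; -s 0: whole packets; -w: raw pcap for later analysis
    tcpdump -n -i "$iface" -s 0 -w "$file" &
    echo $! > "$PIDFILE"
}

# Delete capture files whose mtime is older than $2 days (the mail suggests
# keeping 15 days when the disk could hold 30).
prune_captures() {
    find "$1" -name 'cap-*.pcap' -type f -mtime +"$2" -print -delete
}

# Back-of-the-envelope retention: whole days of capture that fit into
# free_mb when a worst-case hour costs mb_per_hour.
days_of_retention() {
    mb_per_hour=$1; free_mb=$2
    echo $(( free_mb / (mb_per_hour * 24) ))
}

case "${1:-}" in
    rotate) rotate_capture "$2" "$3"; prune_captures "$3" "${4:-15}" ;;
    *) : ;;
esac
```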