From owner-freebsd-security Sat Mar 25 10:33:50 2000
Delivered-To: freebsd-security@freebsd.org
From: "John Fitzgibbon"
Subject: Publishing Firewall Logs
Date: Sat, 25 Mar 2000 10:31:10 -0800

I decided to start publishing my firewall logs on the web:

http://63.194.217.126/logs/

My thinking is that to identify the root (excuse the pun) source of distributed attacks, administrators need access to a broad set of logs. If you can identify IP addresses that were banging on a lot of doors (or banging on a particular door) prior to an attack, you should be able to narrow the search.

My firewall box doesn't have anything much running on it and I don't use it to store anything sensitive, so I thought, "why not make the logs available?".

I'm aware of the obvious counter-argument that any information you make available creates a risk. This is basically what I'm looking for feedback on -- Is this information useful? Is this a dumb idea? What specific vulnerabilities am I creating?

John Fitzgibbon.
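One way to act on the idea in the post (find sources that were banging on a lot of doors, and doors that many sources knocked on) once such logs are published, as an added example that is not part of the post: it parses constructed lines written in the style of FreeBSD ipfw syslog output (the exact format, the host name and the addresses are assumptions) and ranks sources by the number of distinct (protocol, port) doors they were refused at.

```python
import re
from collections import defaultdict
# Constructed sample in the style of FreeBSD ipfw syslog lines (format assumed,
# addresses from the documentation ranges; none of this is from the post).
SAMPLE_LOG = """\
Mar 25 09:12:01 fw /kernel: ipfw: 300 Deny TCP 192.0.2.10:1034 198.51.100.1:21 in via ed0
Mar 25 09:12:02 fw /kernel: ipfw: 300 Deny TCP 192.0.2.10:1035 198.51.100.1:23 in via ed0
Mar 25 09:12:03 fw /kernel: ipfw: 300 Deny TCP 192.0.2.10:1036 198.51.100.1:111 in via ed0
Mar 25 09:12:04 fw /kernel: ipfw: 300 Deny TCP 192.0.2.10:1037 198.51.100.1:25 in via ed0
Mar 25 09:40:11 fw /kernel: ipfw: 300 Deny TCP 192.0.2.77:2201 198.51.100.1:111 in via ed0
Mar 25 09:41:12 fw /kernel: ipfw: 300 Deny TCP 192.0.2.77:2202 198.51.100.1:111 in via ed0
Mar 25 10:02:45 fw /kernel: ipfw: 300 Deny UDP 192.0.2.200:53 198.51.100.1:111 in via ed0
Mar 25 10:05:00 fw /kernel: ipfw: 100 Accept TCP 192.0.2.9:3333 198.51.100.1:22 in via ed0
"""

LINE_RE = re.compile(r"ipfw: \d+ (?P<action>\w+) (?P<proto>\w+) "
                     r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_denies(text):
    """Yield (src_ip, proto, dst_port) for each Deny line; accepts and noise are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("action") == "Deny":
            yield m.group("src"), m.group("proto"), int(m.group("dport"))

def summarize(text):
    """Return (doors_per_source, sources_per_door): which (proto, port) 'doors'
    each source was refused at, and which sources knocked on each door."""
    doors, sources = defaultdict(set), defaultdict(set)
    for src, proto, dport in parse_denies(text):
        doors[src].add((proto, dport))
        sources[(proto, dport)].add(src)
    return doors, sources

def ranked_scanners(text, min_doors=3):
    """Sources that hit at least min_doors distinct doors, widest scanner first."""
    doors, _ = summarize(text)
    hits = [(src, len(d)) for src, d in doors.items() if len(d) >= min_doors]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

def popular_doors(text, min_sources=2):
    """Doors probed by at least min_sources distinct sources, most-probed first."""
    _, sources = summarize(text)
    hits = [(door, sorted(s)) for door, s in sources.items() if len(s) >= min_sources]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))

if __name__ == "__main__":
    print(ranked_scanners(SAMPLE_LOG))   # [('192.0.2.10', 4)]
    print(popular_doors(SAMPLE_LOG))     # [(('TCP', 111), ['192.0.2.10', '192.0.2.77'])]
```

Feeding several sites' published logs through the same functions is what turns one box's noise into the cross-site view the post is after; the thresholds are the knobs to tune against your own baseline.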