Date:      31 Jul 1998 22:55:24 +0200
From:      Benedikt Stockebrand <benedikt@devnull.ruhr.de>
To:        Reidar Bratsberg <reidar@ravn.no>
Cc:        security@FreeBSD.ORG
Subject:   Re: Where are your logs? Methods of logging?
Message-ID:  <87k94tyc3n.fsf@devnull.ruhr.de>
In-Reply-To: Reidar Bratsberg's message of "Fri, 31 Jul 1998 16:25:00 +0200"
References:  <3.0.32.19980731162500.00869ce0@trost.ravn.no>

Reidar Bratsberg <reidar@ravn.no> writes:

> Other options: Let syslog log to a serial port, and set up an
> old machine with MS-DOS (or whatever) to receive them.

There's a problem with this approach, though.  If someone launches an
attack that causes more log entries to be written than can be sent
over the serial line at the same speed you may lock up the victim
host due to full buffers.

The syslog protocol uses UDP and therefore doesn't have this problem
but may lose packages, i.e. log entries, if attacked this way.
Anyway, if you're really serious about reliable logging you should
consider buying two 100baseTX cards and a nullhub cable.

> We've considered setting up an old matrix printer as well, but I'm not
> sure it's worth the trouble (or paper!).

A line printer is even slower than a serial line...


Another Good Thing (TM) when dealing with logs during attacks seems to
be to write a perl script or whatever to read the logs and try to
recognize unusual events.  Used in conjunction with a sound card, some
pager software or whatever you prefer to issue an alarm, this can speed
up your response to an attack quite considerably.


> I haven't done it myself, but I've heard that some cut (!) the 
> "send"-wires on the TP-cable to the secure machine -- making it 
> impossible to reach it via the network. The syslog entries 
> get through though. 

That's in Cheswick & Bellovin, "Firewalls and Internet Security".
They tried to tap the network traffic from an "invisible" machine and
did it to suppress its ARP announcements.  As Steinar points out this
doesn't work with UTP.

If you try to send your logs to such a machine you've got a problem:
Its MAC (Ethernet) address must be known, either through the ARP
protocol or some hardcoded /etc/ethers entries.  In any case, once an
attacker broke into the box he/she/it can find out about such a log
machine.  If you're really serious about it you'll send the log
entries somewhere else and use tcpdump to sniff those log entries.
But this may go way too far...


So long,

    Ben

-- 
Ben(edikt)? Stockebrand    Un*x SA
My name and email address are not to be added to any list used for advertising
purposes.  Any sender of unsolicited advertisement e-mail to this address im-
plicitly agrees to pay a DM 500 fee to the recipient for proofreading services.
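The log-watching script Ben describes, as an added example that is not code from this thread (Python rather than Perl, since the post says "or whatever"). It reads classic BSD syslog lines, keeps sliding windows, and raises an alarm on three kinds of unusual event: repeated failed logins from one source, a failed su to root, and a burst of log lines of the kind that would swamp a serial link. The thresholds, the sample log lines, the `scan`/`LogWatcher` names and the `alert` hook are all assumptions made for this example.

```python
"""Tiny syslog watcher that raises alarms on unusual events.
Added example, not from the original post; sample lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Classic BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
BADSU_RE = re.compile(r"BAD SU (?P<user>\S+) to (?P<target>\S+)")

# Thresholds are assumptions; tune them to the site's normal traffic.
FAIL_LIMIT, FAIL_WINDOW = 4, timedelta(seconds=60)
BURST_LIMIT, BURST_WINDOW = 20, timedelta(seconds=10)


def parse_line(line, year=1998):
    """Return (timestamp, host, prog, msg), or None for a line we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["prog"], m["msg"]


class LogWatcher:
    def __init__(self, alert=print):
        self.alert = alert                    # hook: pager, sound card, whatever
        self.failures = defaultdict(deque)    # src -> timestamps of failed logins
        self.recent = deque()                 # timestamps of every line seen
        self.flagged = set()                  # sources already reported once
        self.in_burst = False

    @staticmethod
    def _expire(q, now, window):
        """Drop timestamps that have fallen out of the sliding window."""
        while q and now - q[0] > window:
            q.popleft()

    def feed(self, line):
        ev = parse_line(line)
        if ev is None:
            return
        ts, host, prog, msg = ev
        # Rule 1: repeated failed logins from one source inside the window.
        m = FAIL_RE.search(msg)
        if m:
            q = self.failures[m["src"]]
            q.append(ts)
            self._expire(q, ts, FAIL_WINDOW)
            if len(q) >= FAIL_LIMIT and m["src"] not in self.flagged:
                self.flagged.add(m["src"])
                self.alert(("brute-force", host, m["src"]))
        # Rule 2: a failed su to root is always worth a look.
        m = BADSU_RE.search(msg)
        if m and m["target"] == "root":
            self.alert(("bad-su", host, m["user"]))
        # Rule 3: a burst of log lines, the flood that would choke a serial link.
        self.recent.append(ts)
        self._expire(self.recent, ts, BURST_WINDOW)
        if len(self.recent) >= BURST_LIMIT:
            if not self.in_burst:             # report once per burst, not per line
                self.in_burst = True
                self.alert(("log-burst", host, prog))
        else:
            self.in_burst = False


def scan(text):
    """Feed every line of text through a watcher and return the alerts raised."""
    alerts = []
    watcher = LogWatcher(alert=alerts.append)
    for line in text.splitlines():
        watcher.feed(line)
    return alerts


# Constructed sample log; the addresses are documentation ranges.
SAMPLE_LOG = """\
Jul 31 22:50:01 gw sshd[812]: Failed password for root from 192.0.2.10 port 40112 ssh2
Jul 31 22:50:02 gw sshd[813]: Failed password for root from 192.0.2.10 port 40113 ssh2
Jul 31 22:50:03 gw sshd[814]: Failed password for admin from 192.0.2.10 port 40114 ssh2
Jul 31 22:50:04 gw sshd[815]: Failed password for root from 192.0.2.10 port 40115 ssh2
Jul 31 22:50:05 gw sshd[816]: Failed password for root from 192.0.2.10 port 40116 ssh2
Jul 31 22:50:09 gw sshd[820]: Accepted publickey for ben from 198.51.100.7 port 51000 ssh2
Jul 31 22:51:00 gw su: BAD SU guest to root on /dev/ttyp1
Jul 31 22:52:00 gw cron[900]: (root) CMD (/usr/libexec/atrun)
"""
# Constructed flood: 30 lines inside ten seconds.
FLOOD = "\n".join(
    f"Jul 31 22:55:{i // 3:02d} gw kernel: constructed flood line {i}" for i in range(30)
)

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG + FLOOD):
        print(a)
```

In production the watcher would tail the syslog file (or read from the UDP socket of a dedicated log host) instead of a string, and `alert` would be the pager or sound-card call; keeping the rules as sliding windows over timestamps, rather than raw counters, is what lets it tell a brute-force run or a log flood apart from normal daytime noise.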

