 Doctored Logs
I've read that to make your system's log files secure from being tampered
with, one should set up a separate dedicated machine that's got all services
disabled and does nothing but store log files.  Here's where I read that
from:
http://www.**-**.com/ ~lspitz/enemy2.html

What I'm curious about is, how exactly do I set up this system (let's call
it system B) so that even if a hacker gains root to my web server (let's
call this system A) he isn't able to hack into B as well?  And how's system
A supposed to transfer the log files?



 Fri, 02 Aug 2002 03:00:00 GMT   
 Doctored Logs

Use a serial line and a null modem.  Have system B) read from its serial
port, and system A) write its syslog to its serial port.  Probably
something as simple as "tailf /var/log/messages >> /dev/ttyS0" on system
A and "cat /dev/ttyS0 >> logfile" on system B would work.  This is a
pretty good way to use some old 386 just sitting around, you can even do
this with an old DOS comm program like Telix or Procomm if you don't
want to set up Linux on system B.

--
Phil DeBecker

"Give me a lever long enough, and a place to stand, and I'll break the
lever."



 Fri, 02 Aug 2002 03:00:00 GMT   
 Doctored Logs
Be aware that it is possible for a hacker to flood the logging machine
(especially over a serial connect)...s/he could theoretically DoS the
logging box and then have at the main one...I wish I could find the
link to a good paper on this topic, it's actually been carefully
examined...You definitely are better off though, and Phil's suggestion
keeps it as simple as it could be...

- Dardo

On Mon, 14 Feb 2000 16:57:09 -0500, Phil DeBecker



 Sat, 03 Aug 2002 03:00:00 GMT   
 Doctored Logs
I suppose another option might be to output it all to a printer, just make sure
you buy stock in the company you buy your paper from first..  :)
...then again - if they flood the printer till it runs out of paper that wouldn't
do any good either..


 Sat, 03 Aug 2002 03:00:00 GMT   
 Doctored Logs

Run ONLY syslog service on system B. If there is nothing else running it
will be next to impossible to hack system B because there's nothing to
attack, (unless there is a vulnerability in the syslogd running on B). I
guess the hacker could also try to fill /var on the syslog server but
even so you would probably still have the info you needed...

It doesn't copy whole files, it writes the logs in realtime to a remote
machine.

You set up system A to log remotely to system B by modifying the
syslog.conf on A, and you set up system B to listen for network syslog by
modifying /etc/rc.d/init.d/syslogd.

E.g. on A, in syslog.conf you have:
*.info;mail.none;authpriv.none     /var/log/messages

you could add
*.info;mail.none;authpriv.none     @loghost.domain.com

so that the same info that is written to the messages file on the local
machine is also written to loghost. (See man syslog.conf)

On B you would add -r to /etc/rc.d/init.d/syslogd (and perhaps other
options - see man syslogd). If you need help modifying this script let
me know.

BTW - this remote logging is very cool shit for tracking lamer break-in
attempts. Cisco routers also remote syslog - let me know if you want
more info on that. After you have this set up, look at swatch or a
similar syslog watcher so you can have loghost mail/page you, traceroute
to the remote host or whatever, when evil things occur.

Adam



 Sun, 04 Aug 2002 03:00:00 GMT   
 Doctored Logs

If you're really paranoid, you don't even have to put the logging
machine on your network.  Connect it via null-modem serial cable.  Have
system A write its logs to a serial port.  System B merely copies
everything from that port to a file.

Since the flow of data is unidirectional and no network protocol stacks
are involved, the log machine is effectively off-line as far as the
network is concerned.

But this is more paranoid than most people would consider necessary.

It also doesn't scale well, since the logging machine needs a separate
serial port for each computer it's receiving logs from.

-- David



 Sun, 04 Aug 2002 03:00:00 GMT   
 Doctored Logs
On Wed, 16 Feb 2000 23:21:13 GMT, Adam <Adam.Carter@diespa_m.tip.csiro.au>
wrote:

I JUST was reading about the in Practical UNIX and Internet Security.  Sounds
good.  One question that comes up, though.

If I write a program (script, whatever) to do something like (I don't know
syntax, sue me)
cat /dev/random >> @loghost.domain.com
won't that do lots of {*filter*} things to those logs?  Not to mention depleting
all that entropy, etc, etc.

Bill "Houdini" Weiss
---
Sig not here until I get backups.



 Mon, 05 Aug 2002 03:00:00 GMT   
 Doctored Logs
"Bill \"Houdini\" Weiss" <bill_we...@att.net> wrote:

: If I write a program (script, whatever) to do something like (I don't know
: syntax, sue me)
: cat /dev/random >> @loghost.domain.com
: won't that do lots of {*filter*} things to those logs?  Not to mention depleting
: all that entropy, etc, etc.

You can set up the loghost (ipchains, whatever) so it only accepts connects from the
machines that it's monitoring. So it would ignore junk from elsewhere.
Sure, if someone breaks into a monitored machine they could fill the log with junk.
They could kill syslogd, change the config, etc. etc. They can tinker with the system clock
and tinker with the local syslog, but they can't get at the remote loghost. I suspect that
modern systems have enough disk space to deal with most junk - though if the intruder knew
enough about the monitoring scripts to cause a mail/pager flood it could be interesting !!.
(Q. does syslogd have a throttle ?)

--
Andrew Daviel      
http://www.**-**.com/



 Tue, 13 Aug 2002 03:00:00 GMT   
 Doctored Logs
On Fri, 25 Feb 2000 09:04:42 GMT, Mara allowed and...@daviel.org to write:

I think that it can only accept so much info at one time.  So, if I could
flood it with enough bad information, it would either {*filter*}out or stop logging
the good stuff.  Just a thought.

Bill "Houdini" Weiss
---
Sig not here until I get backups.



 Tue, 13 Aug 2002 03:00:00 GMT   
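A loghost-side receiver for the remote-syslog setup Adam describes, with the source allow-list Andrew mentions and a per-source throttle for the flooding Bill asks about. This is an added example, not code from anyone in the thread; the allowed address, the lines-per-second ceiling, the port and the output path are assumptions.

```python
import re
import socket
import time
from collections import defaultdict
ALLOWED_SOURCES = {"192.0.2.10"}   # constructed: system A's address (RFC 5737 range)
MAX_LINES_PER_SEC = 200            # assumed per-source ceiling; size to disk/pager budget
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
def parse_pri(payload):
    """(facility, severity, text) from a BSD-syslog datagram, or None if no valid <PRI>."""
    m = PRI_RE.match(payload.decode("ascii", "replace"))
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2).rstrip("\r\n")

class LogReceiver:
    """Ignore unlisted senders, cap lines per source per second, and stamp each
    accepted line with the loghost's own clock (a tinkered sender clock cannot backdate)."""
    def __init__(self, allowed, max_per_sec):
        self.allowed = set(allowed)
        self.max_per_sec = max_per_sec
        self.window = defaultdict(lambda: [0, 0.0])   # src -> [count, window_start]
        self.dropped = defaultdict(int)              # src -> lines dropped by throttle

    def accept(self, src, payload, now):
        if src not in self.allowed:
            return None                              # junk from elsewhere: ignored
        count, start = self.window[src]
        if now - start >= 1.0:                       # start a new one-second window
            count, start = 0, now
        if count >= self.max_per_sec:                # flood: drop, but keep a tally
            self.dropped[src] += 1
            return None
        self.window[src] = [count + 1, start]
        parsed = parse_pri(payload)
        if parsed is None:
            return None
        fac, sev, text = parsed
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
        return f"{stamp} {src} fac={fac} sev={sev} {text}"

def serve(path, bind=("0.0.0.0", 514)):
    rx = LogReceiver(ALLOWED_SOURCES, MAX_LINES_PER_SEC)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s, open(path, "a", 1) as out:
        s.bind(bind)                                 # UDP/514 needs root; pick a high port otherwise
        while True:
            data, (src, _) = s.recvfrom(2048)
            line = rx.accept(src, data, time.time())
            if line:
                out.write(line + "\n")               # line-buffered, so each record hits disk
```

The dropped tally is itself worth logging or alerting on: a burst of drops from a monitored host is exactly the flood-then-attack pattern Dardo warns about.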