stimits at idcomm.com
Tue Jul 31 11:54:59 MDT 2001
Ferdinand Schmid wrote:
> "D. Stimits" wrote:
> > Just a sample of separation. Not a good sample. But would you suggest
> > that an exact copy of the cracked firewall is a good place to hold logs,
> > when the cracked machine has a direct interface to it? I'm not talking
> > about script kiddies, I'm talking about real crackers. FYI, I agree that
> > there are a lot of holes in a lot of alternate schemes, and that
> > complexity makes it easier for something to go wrong. But I'm equally
> > convinced that a well secured RH 7.1 firewall, when compromised, can't
> > log to another RH 7.1 firewall safely.
> How about running BSD on the log recipient? Or just a significantly
> different distro of Linux? That should make you feel better!
Yes, this sort of difference would be helpful. If the only purpose is
for monitoring and notification, I'd probably use the NSA linux version.
> I see a much greater problem in reading the logs and interpreting them
> regularly than it is to keep them in a safe place. Remote logging is
> only a compliment to checking logs frequently, snort, tripwire, ...
> Otherwise you have a detailed log of what happened 6 months ago when
> your machine was first compromised.
I'm a bit strange, in that whenever my modem is connected, I have a
tail -f going on /var/log/messages at all times. But you're right, it is hard
to monitor, especially on a machine with a static connection. Running a
diff between the remote and local logs would be interesting as an alarm.
As for post-mortem, the logs might still be good to have, as an
indication of the original source or means of break-in.
D. Stimits, stimits at idcomm.com
> Ferdinand Schmid
> 303-444-4149 x231
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
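The diff-as-alarm idea discussed above, as an added example that is not part of the original thread: it treats the remote loghost's copy as authoritative and flags anything the local file no longer contains. The two log excerpts are constructed for the example; the function names are mine.

```python
import difflib
from typing import Dict, List

# Constructed sample: what the remote loghost received versus what is left
# on the firewall. Locally, three lines covering the break-in are gone and
# one line was written after the remote feed stopped.
REMOTE_LOG = """\
Jul 31 11:50:01 fw sshd[812]: Accepted publickey for admin from 10.0.0.5 port 4411
Jul 31 11:51:17 fw sshd[820]: Failed password for root from 203.0.113.9 port 5022
Jul 31 11:51:19 fw sshd[820]: Failed password for root from 203.0.113.9 port 5022
Jul 31 11:52:03 fw sshd[833]: Accepted password for root from 203.0.113.9 port 5030
Jul 31 11:52:10 fw su: root on pts/1
"""

LOCAL_LOG = """\
Jul 31 11:50:01 fw sshd[812]: Accepted publickey for admin from 10.0.0.5 port 4411
Jul 31 11:52:10 fw su: root on pts/1
Jul 31 11:53:40 fw syslogd: restart
"""


def compare_logs(remote: str, local: str) -> Dict[str, List[str]]:
    """Line-oriented diff with the remote copy as the reference.

    'missing_locally' are lines the loghost saw that the local file lacks
    (possible deletion); 'local_only' are lines only the local file has
    (written after the remote feed stopped, or injected).
    """
    r = remote.splitlines()
    l = local.splitlines()
    missing: List[str] = []
    local_only: List[str] = []
    sm = difflib.SequenceMatcher(a=r, b=l, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag in ("delete", "replace"):
            missing.extend(r[i1:i2])
        if tag in ("insert", "replace"):
            local_only.extend(l[j1:j2])
    return {"missing_locally": missing, "local_only": local_only}


def alarm(remote: str, local: str) -> bool:
    """True when the local log lacks anything the remote loghost recorded."""
    return bool(compare_logs(remote, local)["missing_locally"])
```

Run periodically against a copy pulled from the loghost; a non-empty `missing_locally` is the alarm, while `local_only` alone usually means the remote link dropped.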