Firewall Wizards mailing list archives
More Syslog Questions
From: "Nathaniel Hall" <halln () otc edu>
Date: Mon, 19 Jul 2004 08:10:46 -0500
The only problem I have with chattr +a is that if an intruder gains access to the root account, they can change the attributes, change the log files, and the replace the append only attribute, making it appear that nothing was done to the log file. Since I started this post, I believe we came up with another solution, but I would still like your opinion. Here it goes... Server 1 is connected to the main network. Server 2 is connected to Server 1 using a cross over cable. Server 2 listens in promiscuous mode. Physically the servers are secure and the only way to access Server 2 is through KVM over IP. Server 1 receives all syslog messages and (using IPTables with DNAT) sends the messages to any IP address since Server 2 is listening in promiscuous mode it should pick up all of the messages. This does not allow anybody to compromise Server 1 and gain access to Server 2. How does that sound? ~~~~~~~~~~~~~~~~~~~~~~~~~~ Nathaniel Hall Intrusion Detection and Firewall Technician Ozarks Technical Community College -- Office of Computer Networking 417-799-0552 -----Original Message----- From: Tichomir Kotek [mailto:tichomir.kotek () lynx sk] Sent: Monday, July 19, 2004 4:54 AM To: Nathaniel Hall Subject: Re: [fw-wiz] More Syslog Questions Nathaniel Hall wrote:
Since someone asked a question about syslog, I thought I would add a couple of my own. I am in the process of setting up a centralized syslog server running RedHat AS3. Currently, I am using syslog as our daemon, but have heard there are other, better solutions. What do you suggest?
syslog-ng can sort messages to various files by regexp, and/or hostname/IP of originating device, etc.
In an effort to make the log server as secure as possible, I would like to find a way to use an append only file system. Unfortunately, if this is done, logs cannot be rotated using logrotate so the server must be taken down to single user mode to rotate the logs, causing the loss of many log entries. Does anybody know of a good append only file system or another solution to achieve the same results?
IMHO, chatr -a file works on ext2 in any runlevel, the only thing you have to do is put some prerotate/postrotate lines to logrotate configuration file it's not bulletproof but it makes smaller gap fo intruder to alter logfiles hope it helps tk -- Tichomír Kotek IT Security Senior Consultant LYNX, spol. s r.o. Masarykova 10 040 01 Kosice Tel: 055/633 55 11 Fax: 055/633 55 20 E-mail:tichomir.kotek () lynx sk http://www.lynx.sk ---------------------------Doverne--------------------------------- Tato elektronicka sprava je prisne doverna a urcena vyhradne adresatovi. Sprava moze obsahovat informacie z pravneho, profesionalneho alebo ineho dovodu vyhradene. Pokial nie ste urcenym adresatom, ziadame Vas, aby ste neprezradili, nezverejnili, nekopirovali a nepodnikali ziadne kroky suvisiace s touto spravou. Pokial Vam tato sprava bola dorucena omylom, informujte nas, prosim, o tom a ihned vymazte prijate udaje. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- More Syslog Questions Nathaniel Hall (Jul 15)
- Re: More Syslog Questions Frank Knobbe (Jul 19)
- Re: More Syslog Questions Devdas Bhagat (Jul 19)
- Re: More Syslog Questions Marcus J. Ranum (Jul 19)
- Re: More Syslog Questions Brian Hatch (Jul 19)
- Re: More Syslog Questions Henning Brauer (Jul 20)
- Re: More Syslog Questions Marcus J. Ranum (Jul 19)
- <Possible follow-ups>
- Re: More Syslog Questions Marcus J. Ranum (Jul 19)
- More Syslog Questions Nathaniel Hall (Jul 19)
- Re: More Syslog Questions The Anarcat (Jul 19)
- Re: More Syslog Questions Bruce Smith (Jul 19)
- Re: More Syslog Questions Marcus J. Ranum (Jul 19)
- Re: More Syslog Questions Chuck Swiger (Jul 19)
- Re: More Syslog Questions Devdas Bhagat (Jul 19)
- Re: More Syslog Questions The Anarcat (Jul 19)
- Re: More Syslog Questions iarenaza (Jul 19)