[fw-wiz] More Syslog Questions

From: Nathaniel Hall (halln_at_otc.edu)
Date: 07/19/04

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 19 Jul 2004 08:10:46 -0500

    The only problem I have with chattr +a is that if an intruder gains access
    to the root account, they can change the attributes, change the log files,
    and then replace the append-only attribute, making it appear that nothing was
    done to the log file.

    Since I started this post, I believe we came up with another solution, but I
    would still like your opinion. Here it goes...

    Server 1 is connected to the main network. Server 2 is connected to Server
    1 using a cross over cable. Server 2 listens in promiscuous mode.
    Physically the servers are secure and the only way to access Server 2 is
    through KVM over IP.

    Server 1 receives all syslog messages and (using IPTables with DNAT) sends
    the messages to any IP address; since Server 2 is listening in promiscuous
    mode, it should pick up all of the messages. This does not allow anybody to
    compromise Server 1 and gain access to Server 2.

    How does that sound?

    ~~~~~~~~~~~~~~~~~~~~~~~~~~
    Nathaniel Hall
    Intrusion Detection and Firewall Technician

    Ozarks Technical Community College -- Office of Computer Networking
    417-799-0552

    -----Original Message-----
    From: Tichomir Kotek [mailto:tichomir.kotek@lynx.sk]
    Sent: Monday, July 19, 2004 4:54 AM
    To: Nathaniel Hall
    Subject: Re: [fw-wiz] More Syslog Questions

    Nathaniel Hall wrote:
    > Since someone asked a question about syslog, I thought I would add a
    > couple of my own.
    >
    > I am in the process of setting up a centralized syslog server running
    > RedHat AS3. Currently, I am using syslog as our daemon, but have heard
    > there are other, better solutions. What do you suggest?

    syslog-ng can sort messages to various files by regexp, and/or hostname/IP
    of originating device, etc.

    > In an effort to make the log server as secure as possible, I would like
    > to find a way to use an append only file system. Unfortunately, if this
    > is done, logs cannot be rotated using logrotate so the server must be
    > taken down to single user mode to rotate the logs, causing the loss of
    > many log entries.
    >
    > Does anybody know of a good append only file system or another solution
    > to achieve the same results?
    >

    IMHO, chattr -a file works on ext2 in any runlevel; the only thing you have
    to do is put some prerotate/postrotate lines in the logrotate configuration file.
    It's not bulletproof, but it makes a smaller gap for an intruder to alter logfiles.

    hope it helps

    tk

    -- 
    Tichomír Kotek
    IT Security Senior Consultant
    LYNX, spol. s r.o.
    Masarykova 10
    040 01 Kosice
    Tel:  055/633 55 11
    Fax: 055/633 55 20
    E-mail:tichomir.kotek@lynx.sk
    http://www.lynx.sk
    ---------------------------Confidential---------------------------------
    This electronic message is strictly confidential and intended
    solely for the addressee. The message may contain information
    that is privileged for legal, professional or other reasons.
    If you are not the intended addressee, we ask that you do not
    disclose, publish, copy or take any action in connection
    with this message. If this message was delivered to you by
    mistake, please inform us and immediately delete the
    received data.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
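
The prerotate/postrotate arrangement tk mentions, as an added example that is not part of the thread and not either author's own configuration. It assumes a RedHat-style sysklogd that keeps its pid in /var/run/syslogd.pid, /var/log on an ext2/ext3 filesystem that supports file attributes, and the log and config paths shown; all of those are assumptions, and the chattr calls themselves need root.

```shell
#!/bin/sh
# Added example, not code from the thread. Rotates an append-only syslog file
# the way tk describes: clear the 'a' attribute in prerotate, let logrotate
# rename and create, then restore 'a' in postrotate and HUP syslogd.
# Assumptions (change for your host): the log path, the config path, and that
# syslogd keeps its pid in /var/run/syslogd.pid as on RedHat-style systems.

LOGFILE="${LOGFILE:-/var/log/messages}"                                  # assumed path
LOGROTATE_CONF="${LOGROTATE_CONF:-/etc/logrotate.d/syslog-appendonly}"   # assumed path

# Print a logrotate stanza for the append-only file given as $1.
# An append-only file cannot be renamed, and the rotated copies get 'a' too,
# so prerotate clears the attribute on all of them before logrotate renames.
# 'nocompress' keeps the names plain so the globs below match.
logrotate_stanza() {
    cat <<EOF
$1 {
    daily
    rotate 14
    missingok
    nocompress
    create 0600 root root
    prerotate
        /usr/bin/chattr -a $1
        for f in $1.[0-9]*; do
            [ -e "\$f" ] && /usr/bin/chattr -a "\$f"
        done
        true
    endscript
    postrotate
        for f in $1 $1.[0-9]*; do
            [ -e "\$f" ] && /usr/bin/chattr +a "\$f"
        done
        /bin/kill -HUP \$(cat /var/run/syslogd.pid 2>/dev/null) 2>/dev/null || true
    endscript
}
EOF
}

# Return 0 if an lsattr output line shows the append-only flag.  lsattr prints
# the flag field first, e.g. "-----a-------------- /var/log/messages"; the
# lowercase 'a' in that field is the append-only attribute ('A' is noatime).
is_append_only_line() {
    flags="${1%% *}"
    case "$flags" in
        *a*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Check a real file; fails (returns 1) where lsattr is unsupported.
check_append_only() {
    is_append_only_line "$(lsattr "$1" 2>/dev/null)"
}

# Running as root with INSTALL=1 writes the stanza into place and marks the
# live file append-only; otherwise the stanza is printed for review.
if [ "$(id -u)" -eq 0 ] && [ "${INSTALL:-0}" = 1 ]; then
    logrotate_stanza "$LOGFILE" > "$LOGROTATE_CONF"
    /usr/bin/chattr +a "$LOGFILE"
    check_append_only "$LOGFILE" && echo "$LOGFILE is append-only"
else
    logrotate_stanza "$LOGFILE"
fi
```

As both messages note, this only narrows the window rather than closing it: whoever holds root (on Linux, strictly the CAP_LINUX_IMMUTABLE capability) can clear the attribute again, which is why the thread moves on to keeping a second copy of the logs on a host that the first one cannot reach.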
    