Re: [fw-wiz] More Syslog Questions

From: The Anarcat (anarcat_at_anarcat.ath.cx)
Date: 07/19/04

  • Next message: Paul D. Robertson: "Re: [fw-wiz] iso 17799"
    To: Nathaniel Hall <halln@otc.edu>
    Date: Mon, 19 Jul 2004 15:55:43 -0400
    
    

    Nathaniel Hall wrote:
    > The only problem I have with chattr +a is that if an intruder gains access
    > to the root account, they can change the attributes, change the log files,
    > and the replace the append only attribute, making it appear that nothing was
    > done to the log file.

    Not quite. Under FreeBSD, if you have a sufficiently high securelevel,
    those attributes cannot be changed.

    > Since I started this post, I believe we came up with another solution, but I
    > would still like your opinion. Here it goes...
    >
    > Server 1 is connected to the main network. Server 2 is connected to Server
    > 1 using a cross over cable. Server 2 listens in promiscuous mode.
    > Physically the servers are secure and the only way to access Server 2 is
    > through KVM over IP.
    >
    > Server 1 receives all syslog messages and (using iptables with DNAT) sends
    > the messages to any IP address; since Server 2 is listening in promiscuous
    > mode, it should pick up all of the messages. This does not allow anybody to
    > compromise Server 1 and gain access to Server 2.
    >
    > How does that sound?

    I like the serial port idea better. :)

    There's also a way to make a "listen-only" RJ-45 cable, iirc.

    A.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
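A minimal listen-only sink for the "Server 2" role, as an added example that is not code from the thread or from either poster. It receives syslog datagrams on an ordinary UDP socket, falls back to facility 1 / severity 5 for a missing or out-of-range PRI as RFC 3164 tells a receiver to, replaces embedded control characters so a single datagram cannot forge extra log lines, and writes with O_APPEND so the process never seeks back into the file. Assumptions: the collector owns the address the DNAT points at (a bound socket rather than the promiscuous sniffer the post describes), /var/log/collector.log and port 514 are placeholders, and locking the file down (chflags sappnd plus a raised securelevel on FreeBSD, chattr +a on Linux) is done outside the script.

```python
"""Receive-only syslog collector: nothing here ever sends a packet."""
import os
import re
import socket
import time

# RFC 3164 datagram: "<PRI>" then free text. PRI = facility * 8 + severity.
_PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.S)
# Control characters (including \n) are replaced so one datagram yields one line.
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_datagram(data: bytes):
    """Return (facility, severity, message). A missing or invalid PRI
    (> 191) gets facility 1 (user) / severity 5 (notice) per RFC 3164,
    and the raw text is kept so nothing is silently dropped."""
    m = _PRI_RE.match(data)
    if m:
        pri = int(m.group(1))
        if pri <= 191:
            return pri // 8, pri % 8, m.group(2).decode("utf-8", "replace")
    return 1, 5, data.decode("utf-8", "replace")


def format_record(src: str, data: bytes, now=None) -> str:
    """One sink line per datagram; now=None means the current time."""
    fac, sev, msg = parse_datagram(data)
    msg = _CTRL_RE.sub("?", msg).rstrip()
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    return f"{ts} {src} fac={fac} sev={SEVERITIES[sev]} {msg}\n"


def open_sink(path: str) -> int:
    """O_APPEND: every write lands at the end of the file, whatever the
    offset, so the collector itself can never overwrite earlier records."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)


def append_record(fd: int, record: str) -> int:
    written = os.write(fd, record.encode())
    os.fsync(fd)  # the record is the evidence; do not leave it in page cache
    return written


def collect(path: str, datagrams, now=None) -> int:
    """Feed (source, datagram) pairs into the sink; returns records written."""
    fd = open_sink(path)
    try:
        n = 0
        for src, data in datagrams:
            append_record(fd, format_record(src, data, now))
            n += 1
    finally:
        os.close(fd)
    return n


def read_sink(path: str) -> str:
    with open(path, encoding="utf-8") as f:
        return f.read()


def serve(path="/var/log/collector.log", bind=("0.0.0.0", 514)):
    """Listen-only loop. The socket is only ever read from, so the
    collector answers nothing and cannot be talked to through this port."""
    fd = open_sink(path)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)  # placeholder address/port; adjust for the real setup
    while True:
        data, (host, _port) = sock.recvfrom(65535)
        append_record(fd, format_record(host, data))


if __name__ == "__main__":
    serve()
```

The collect() helper exists so the parsing and append path can be exercised on constructed datagrams without opening a socket; serve() is the same code path fed from the wire.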
