RE: Syslog over Internet

From: matt willson (mwillson_at_sbcglobal.net)
Date: 08/20/03

  • Next message: N30: "snort configuration tools" 
    To: "'Damian Menscher'" <menscher@uiuc.edu>, "'Vineet Mehta'" <vineet@linux.com.kw>
Date: Tue, 19 Aug 2003 18:27:46 -0700

    Altoh I do see the dreamy logic behind the plan, there are too many cons
    to even attempt to such a deal. From end to end, espicially from a
    country to the next, your personal data logs would probably go thru 20+
    routers, and networks.

    Home
    What if someone gets into your machine?
    They could find the syslog server easily, and quite possibly, get into
    it the same method as yours, if not another.
    If they were good. And I mean good. They could send a couple of packets
    and wipe/shutdown the log(s) and server out on the otherside.

    Freeway
    What if someone discovers the routing to the log server, and aims at a
    router somehwere inbetween you and them? Wham, bam thank you mam. Simple
    sniffer would pick it up in a heart beat, not to mention be able to
    poison the logs on their way to the server.

    Bank
    Ok, so your logs have made it this far, they're almost home free! Except
    that a guy with a ski mask is waiting behind a tree(or process list) and
    waiting to net your ass once in. You'll be broke as a joke, with no
    hope, when you realize your logs have all been edited.

    In that regards, I would strongly suggest against it. Research satellite
    signals, and communications, bwahaha if you really want to do somethin
    like that.

    Best of luck

    -----Original Message-----
    From: Damian Menscher [mailto:menscher@uiuc.edu]
    Sent: Monday, August 18, 2003 10:01 AM
    To: Vineet Mehta
    Cc: security-basics@securityfocus.com
    Subject: Re: Syslog over Internet

    On Mon, 18 Aug 2003, Vineet Mehta wrote:

    > I have hired a server located in a different country. I heard that its
    > better to log all your syslog messages on a different machine. As i
    dont
    > have access to any other machine on that network except in my own
    > country.
    >
    > My question is how safe and efficient it is to log Syslogd messages
    from
    > my server in other country to my server in this country?
    >
    > Is it really safe? is it adviced to do so, of not then why?

    The reason to do it is so an intruder can't remove evidence of their
    attack, since the evidence will be stored elsewhere. Normally, this is
    a good thing to do, if you want to be able to trace suspected
    intrusions.

    In your case, however, I don't recommend doing it in the default
    configuration. The problem is that syslog messages are typically sent
    in plaintext (over port 514/udp). And it's possible for logs to contain
    sensitive information. For example, what if you accidentally type your
    password at a login prompt? It will log a failed login attempt from
    unauthorized user <password>. Therefore your password will be sent
    across the internet in plaintext!

    It is possible to pipe syslog messages through a program (often used for
    advanced log filtering). In your case, you might consider piping them
    through a program that encrypts them before sending them over the wire.
    Be advised that the encryption algorithm should be secure against
    known-, chosen-, or repeated-plaintext attacks, since all log messages
    begin the same way, and an attacker can induce certain error messages to
    appear.

    Damian Menscher 

    -- 
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
------------------------------------------------------------------------
---
------------------------------------------------------------------------
----
---------------------------------------------------------------------------
----------------------------------------------------------------------------
  • Next message: N30: "snort configuration tools"