[lug] logs

[D. Stimits]

Sean Reifschneider wrote:
> 
> On Mon, Jul 30, 2001 at 01:47:47AM -0600, D. Stimits wrote:
> >out in the first place. Sending logs via email to a machine that is
> >completely isolated from the breached machine is a way to do that
> >(separate machines with no direct interface).
> 
> Sendmail has had more exploits than syslogd.  I don't see why moving to a
> more complex setup that's using software with a history of more exploits
> against it would make it more secure.
> 
> Sean
> --
>  Give me immortality or give me death!
> Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
> tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

It doesn't have to be sendmail. And the beauty is that the attacker
would have to disable the email sent to some ISP elsewhere the faster
than the email could be sent. The attacker would have to know to disable
this feature as the very first command run. And the machine doing the
final receive (e.g.,
firewall->ISP->log_machine_firewalled_from_firewall) can be totally
blocked from direct access by the firewall. One could even conceive of
receiving an encrypted email from the firewall that causes the inner
machines to throw up their own DENY rules against the firewall (yes,
potential DoS, but that is one of the points of the email being
encrypted to say "MayDay! I'm in trouble! Deleting my PGP key, you're on
your own!"). Sendmail is irrelevant here as the particular means of
communications. The point is that your log machine should not be easier
to break into than the firewall, while simultaneously being directly
attached to the firewall. There is very little security (and some danger
should the attacker figure it out) in logging to another machine that is
more vulnerable than the first. The logging machine would be screwed in
that case.

D. Stimits, stimits at idcomm.com