[lug] logs

D. Stimits stimits at idcomm.com
Tue Jul 31 00:47:54 MDT 2001


Sean Reifschneider wrote:
> 
> On Mon, Jul 30, 2001 at 04:47:40PM -0600, D. Stimits wrote:
> >used as a stepping stone to get to. The idea of logging through a direct
> >net connection to a less protected machine doesn't look good to me. I
> 
> This is what I don't understand.  You seem to be implying that simply
> because the logging machine is accepting UDP packets to syslog from the
> other machine, that it's less protected.  Presumably your firewall won't be
> compromised via a remote syslog attack, since it's syslogd won't be
> accepting packets on the syslogd port.
> 
> So, it's unlikely that the attack on a box that's acting as a logging
> server only would be the same as the one used to compromise the box where
> syslog isn't accepting incoming syslogd packets...
> 
> Sean
> --
>  Passionate hatred can give meaning and purpose to an empty life.
>                  -- Eric Hoffer
> Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
> tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

My assumption is that the machine doing the logging was probably inside
the firewall, and one of the machines probably being protected. If not,
then I assume that it is the same software as the firewall, and
vulnerable in the same way as the firewall was. It doesn't matter to me
that syslogd port is open at all, what matters (to me) is that it
appears that a moderately good firewall was broken by someone more than
a script kiddie breaking out of date software. My assumption is that
unless the machine being logged to is both sufficiently different from
the firewall, and also of firewall quality, then the UDP logging will be
an invitation to crack the logging machine as well. I consider it very
unlikely that the firewall had its syslogd port open to the outside, and
I suspect that someone that good at cracking won't be stopped by a log
on a machine configured the same way. As soon as it is said that the
logging is via UDP, then it sounds like this is on a direct connection
through an internal network (else you wouldn't be using UDP) card. But
the whole thing is about nothing more than saying that if someone broke
a secure machine, don't expect a similar machine holding logs to be
secure also. A lot of assumptions go in to that, none of which I claim
are any absolute, but I have faith in Murphy's laws.

D. Stimits, stimits at idcomm.com



More information about the LUG mailing list