[lug] logs
Tim Klein
teece at silverklein.net
Tue Jul 31 00:55:00 MDT 2001
On Monday 30 July 2001 12:38 am, Sean Reifschneider wrote:
>
> You can set up syslog to log via UDP packets to another host.
> You'll first have to set up the other host's syslogd to accept
> remote packets and your firewall to allow those in from your
> server. Then on your server you list the destination as
> "@host" and messages will be forwarded to that host. If you
> still want the log entries stored locally, just have two lines
> for the class listing local and remote.
Another interesting log protection idea that I read, I think it
was in Practical Unix & Internet Security from O'Reilly, was
this:
Compile your syslog from source, but before you do so, modify it
so that the config file is in a very non-standard place (I
dunno, how about /usr/local/share/doc/hello). It will read the
syslog control file from there. To avoid making an intruder
suspicious, put a fake copy of the config file in its standard
/etc place. In the real file, in /usr/local/share/doc/hello/,
make it log to both the standard locations (/var/log) AND a
remote log machine, and perhaps even somewhere else on your file
system, like in /usr/local/share/doc/hello. The fake file in
/etc only shows your system logging to the standard place,
/var/log.
This way, you may trick an intruder into thinking that when they
modify your logs in /var/log/, they are covering their tracks.
Unless they are really paying attention, they might miss the real
config file and extra logging entirely.
I haven't ever done this, but I am planning on it for the near
future.
Tim
--
==============================================
== Timothy Klein || teece at silverklein.net ==
== ---------------------------------------- ==
== "Hello, World" 17 Errors, 31 Warnings... ==
==============================================
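The layout both posts describe (local files, a remote "@host" destination, and a third copy under the non-standard directory), written out as an added example of what the two syslog.conf files would contain. This is not from the original post or from any syslog distribution; the host name "loghost" and the file names "messages" and "secure" are assumptions, and the /usr/local/share/doc/hello path is the one the post uses.

```conf
# ---- /usr/local/share/doc/hello/syslog.conf ----------------------
# The real control file, read by the rebuilt syslogd.  Note that
# older sysklogd releases only accept a TAB between the selector and
# the action, so keep tabs if your build is that old.

# 1. The usual local destinations, so /var/log looks normal.
*.info;mail.none;authpriv.none	/var/log/messages
authpriv.*	/var/log/secure

# 2. The same selectors forwarded over UDP/514 to the log host
#    ("loghost" is an assumed name).  That host's syslogd must be
#    started so that it accepts network messages (sysklogd: "syslogd -r"),
#    and its firewall must allow UDP 514 in from this server.
#    Plain syslog UDP is unauthenticated and can be dropped silently,
#    so the remote copy is the one to compare against, not to trust blindly.
*.info;mail.none;authpriv.none	@loghost
authpriv.*	@loghost

# 3. A third copy in the non-standard location itself.
*.info;mail.none;authpriv.none	/usr/local/share/doc/hello/messages
authpriv.*	/usr/local/share/doc/hello/secure


# ---- /etc/syslog.conf ---------------------------------------------
# The decoy in the standard place.  syslogd never reads it; it just
# shows the ordinary local-only setup, with no "@loghost" line and no
# mention of /usr/local/share/doc/hello.
*.info;mail.none;authpriv.none	/var/log/messages
authpriv.*	/var/log/secure
```

After a HUP to syslogd, a quick check is that a test message (for example via logger(1)) shows up in all three places; if it only reaches /var/log, the daemon is still reading the /etc copy and the rebuild did not take.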