Re: [Leaf-devel] [Leaf-user] Testing help needed

2001-12-02 Thread David Douthitt

On 12/1/01 at 3:12 PM, Jack Coates [EMAIL PROTECTED] wrote:

 On Sat, 1 Dec 2001, Tony wrote:

  If so, wouldn't it be easier/safer/more secure to
  forward them to an internal syslog server?

 syslog-ng is supposed to fix a lot of these problems, but I've never
 gotten around to taking a look at it.

syslog-ng is very nice; it's set up to act as our central UNIX log
server for the corporation.

It has a unique ability in that it can use TCP instead of UDP -
allowing it to be tunneled via ssh to an external server where it can
then receive log messages from a syslog-ng located on that side.

This allows you to receive messages through a firewall that blocks UDP
syslog traffic (as it ought to).
--
David Douthitt
UNIX Systems Administrator
HP-UX, Unixware, Linux
[EMAIL PROTECTED]

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-devel] [Leaf-user] Testing help needed

2001-12-01 Thread Jack Coates

On Sat, 1 Dec 2001, Tony wrote:


 I guess I don't completely understand why you need a JFFS for
 something that under normal circumstances, isn't written to
  physically.  If you have a crash/powerdown situation, with resumption
 of service, you just reload your image and continue to
 firewall/route.  Would the JFFS be in play to preserve the logs?
 If so, wouldn't it be easier/safer/more secure to forward them to an
 internal syslog server?


I like doing this, but there are concerns with doing it in anything less
than a perfectly trusted environment: If your log host is unavailable,
you're not logging; if malicious listeners are on the LAN, they can see
everything you log (could be quite useful when scanning or rooting a
server); if malicious users are on the LAN, they can flood the listening
syslog server and prevent real logs from getting through.

syslog-ng is supposed to fix a lot of these problems, but I've never
gotten around to taking a look at it.

-- 
Jack Coates
Monkeynoodle: A Scientific Venture...


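An added example, not from any of the posters, of the arrangement David describes and of two of the concerns Jack raises above (logs readable by listeners on the LAN, and a log host that is unreachable): syslog-ng carried over TCP through an ssh tunnel that the internal log host opens outbound, with a local file copy kept on the firewall. The firewall name, the tunnel account, interface eth0 and port 5140 are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: syslog-ng over TCP through an ssh tunnel.
# Placeholders: the firewall's name, the tunnel account and the tunnel port.
TUNNEL_PORT=5140                 # loopback TCP port used at both tunnel ends
FW_HOST="fw.example.invalid"     # the LEAF/LRP firewall (assumed name)
TUNNEL_USER="logtunnel"          # unprivileged account on the firewall (assumed)

# syslog-ng.conf for the firewall: forward to the tunnel's local end only
# (nothing leaves in the clear) and keep a local copy so messages survive
# a period when the log host or the tunnel is down.
firewall_conf() {
  cat <<EOF
options { keep_hostname(yes); };
source s_local { unix-stream("/dev/log"); internal(); };
destination d_tunnel { tcp("127.0.0.1" port($TUNNEL_PORT)); };
destination d_file   { file("/var/log/messages"); };
log { source(s_local); destination(d_tunnel); destination(d_file); };
EOF
}

# syslog-ng.conf for the internal log host: listen on loopback only, so the
# tunnel is the sole way in, and write one file per sending host.
loghost_conf() {
  cat <<EOF
source s_tunnel { tcp(ip("127.0.0.1") port($TUNNEL_PORT) max-connections(10)); };
destination d_remote { file("/var/log/remote/\$HOST.log" create_dirs(yes)); };
log { source(s_tunnel); destination(d_remote); };
EOF
}

# The log host dials OUT to the firewall and remote-forwards the port back to
# itself, so the LAN accepts no inbound connection; keepalives let ssh
# notice a dead link so the loop below can re-establish it.
tunnel_cmd() {
  printf 'ssh -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:127.0.0.1:%s %s@%s' \
    "$TUNNEL_PORT" "$TUNNEL_PORT" "$TUNNEL_USER" "$FW_HOST"
}

# Border rule matching the thread's point that the firewall should block
# plain UDP syslog arriving from outside (eth0 assumed to be the outside).
block_udp_syslog() {
  printf 'iptables -A INPUT -i eth0 -p udp --dport 514 -j DROP'
}

# On the log host: "sh this.sh run" keeps the tunnel up, reconnecting after 5 s.
if [ "${1:-}" = "run" ]; then
  while :; do $(tunnel_cmd); sleep 5; done
fi
```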



Re: [Leaf-devel] [Leaf-user] Testing help needed

2001-12-01 Thread Charles Steinkuehler

 I like doing this, but there are concerns with doing it in anything less
 than a perfectly trusted environment: If your log host is unavailable,
 you're not logging; if malicious listeners are on the LAN, they can see
 everything you log (could be quite useful when scanning or rooting a
 server); if malicious users are on the LAN, they can flood the listening
 syslog server and prevent real logs from getting through.

 syslog-ng is supposed to fix a lot of these problems, but I've never
 gotten around to taking a look at it.

Or just grab a bunch of multi-port serial cards from eBay, and set up a
log-host using serial links.  You can keep the log host disconnected from
the net entirely (or more likely, keep its interface un-configured, and
bring it up/down manually if you ever need to network).

I've got a bunch of serial cards I picked up for about $5 each, just no time
to make it go :(

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






Re: [Leaf-devel] [Leaf-user] Testing help needed

2001-12-01 Thread Jack Coates

On Sat, 1 Dec 2001, Charles Steinkuehler wrote:

  I like doing this, but there are concerns with doing it in anything less
  than a perfectly trusted environment: If your log host is unavailable,
  you're not logging; if malicious listeners are on the LAN, they can see
  everything you log (could be quite useful when scanning or rooting a
  server); if malicious users are on the LAN, they can flood the listening
  syslog server and prevent real logs from getting through.
 
  syslog-ng is supposed to fix a lot of these problems, but I've never
  gotten around to taking a look at it.

 Or just grab a bunch of multi-port serial cards from eBay, and set up a
 log-host using serial links.  You can keep the log host disconnected from
 the net entirely (or more likely, keep its interface un-configured, and
 bring it up/down manually if you ever need to network).


I saw this suggested in one of my paranoiac books (maybe Network
Intrusion Detection Analyst's Handbook?) -- but they went one better by
suggesting that you then copy everything to lp on the loghost. Hook up
an old dot matrix printer with a Costco-sized case of paper, and you've
got court-admissible documentation of everything that happens on your
network.

-- 
Jack Coates
Monkeynoodle: A Scientific Venture...

