
Re: Secure remote syslogging?



On Wed, Apr 23, 2003 at 07:43:36PM +0200, Stefan Neufeind wrote:
> Hi,
> 
> what is the best way to remotely syslog? In
> "RE: HELP, my Debian Server was hacked!" by James Duncan he wrote to 
> use "syslog to log locally AND remotely". This is a good idea. But I 
> wonder how to make it safe. Let's say I have two servers. Each could 
> keep a second, separate log as "backup-log" of the server. But how do 
> I make it secure that there can't exist any log-entries somebody 
> "faked" into our remote-syslog-file?

I don't know much about security issues for this one, but you might want
to take a look at syslog-ng...
As far as I understand, syslog(-ng) just collects the kernel-messages
and writes them (more exactly: appends them) to a specified file.
If you log into another server you have another instance of syslog
running on that one which is collecting the messages that were given
to it.
An attacker needs to gain access to that file to remove treacherous
messages which were collected while he tried to break in. So when these
messages were passed to another machine, the attacker will have to crack
the other box as well.



Best regards
Horst.

-- 
Have you noticed the way people's intelligence capabilities decline
sharply the minute they start waving guns around?
                -- Dr. Who


