On Sat, 17 May 2003 at 03:25:58PM +1000, Mark Devin wrote:

> I need to come up with some solutions for remotely monitoring the
> security of a server which is off-site. There is no direct connection
> from the main office to this box except using the internet backbone.
>
> I see two immediate issues:
>
> 1. I need to set up some method for receiving system logs from the
> server. I can set up syslog to send logs to one of our office computers.
> However, I am concerned that the logs should be encrypted. Maybe
> setting up ipsec, or using stunnel? Although I thought stunnel was
> only for TCP connections and syslog uses UDP?

Syslog-ng over ipsec (FreeS/WAN) works wonderfully. If you use iptables
correctly it will prevent falsified logs from being inserted by a spoofed
host on the net...

> 2. Also, I need to set up some intrusion detection system like AIDE or
> Tripwire. I don't have physical access to the machine, so how can I be
> sure that the AIDE program has not itself been compromised and is thus
> giving me a false sense of security? I can't, for example, burn it to
> CDROM and run it from CD. Everything has to be done remotely. Should I
> look at LIDS instead? Can ipsec help me with this too? How can I run
> the AIDE executable from a trusted source and ensure its database
> remains trusted? Maybe an encrypted filesystem can be used to store the
> AIDE binary and database, but if so, does anyone have any pointers?

Also, consider snort for an IDS. Just don't use the snort in stable :)

Take care,

-- 
Phillip Hofmeister
Network Administrator/Systems Engineer
IP3 Inc.
http://www.ip3security.com
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #171: Change your language to Finnish.
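The "use iptables correctly" part of the reply, worked out as an added example that is not from the thread: a rule set for the office log collector that accepts UDP/514 syslog only after it has come out of the FreeS/WAN tunnel (its `ipsec0` virtual interface) from the off-site server, and logs and drops any cleartext syslog on the public interface, including packets that spoof the server's address. The address 203.0.113.7, the interface name eth0 and the function name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: iptables rules for the office
# log collector so that UDP/514 syslog is accepted only when it has arrived
# through the FreeS/WAN tunnel from the off-site server. Cleartext syslog on
# the public interface, including packets spoofing the server's address, is
# logged and dropped. Addresses and interface names are constructed.
#
# By default the rules are printed; set APPLY=1 to execute them (needs root).

REMOTE_SERVER=${REMOTE_SERVER:-203.0.113.7}   # constructed: the off-site box
PUBLIC_IFACE=${PUBLIC_IFACE:-eth0}            # constructed: internet-facing NIC
IPSEC_IFACE=${IPSEC_IFACE:-ipsec0}            # FreeS/WAN's virtual interface

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# syslog_collector_rules <remote-ip> [public-iface] [ipsec-iface]
syslog_collector_rules() {
    remote=${1:?remote server IP required}
    pub=${2:-$PUBLIC_IFACE}
    sec=${3:-$IPSEC_IFACE}

    # 1. Let the tunnel itself come up: IKE (UDP/500) and ESP (protocol 50),
    #    but only from the known peer.
    run iptables -A INPUT -i "$pub" -s "$remote" -p udp --dport 500 -j ACCEPT
    run iptables -A INPUT -i "$pub" -s "$remote" -p 50 -j ACCEPT

    # 2. Decrypted packets surface on the ipsec interface carrying the peer's
    #    address; that is the only path on which syslog is accepted.
    run iptables -A INPUT -i "$sec" -s "$remote" -p udp --dport 514 -j ACCEPT
    run iptables -A INPUT -i "$sec" -p udp --dport 514 -j DROP

    # 3. Syslog on the public interface is cleartext and cannot be trusted,
    #    whoever it claims to be from. Log it so spoofing attempts are visible.
    run iptables -A INPUT -i "$pub" -p udp --dport 514 -j LOG --log-prefix syslog-spoof:
    run iptables -A INPUT -i "$pub" -p udp --dport 514 -j DROP
}

syslog_collector_rules "$REMOTE_SERVER"
```

The remote server's own ruleset is the mirror image: allow IKE and ESP to the collector, and let syslog-ng's udp() destination send only via the tunnel interface.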