
Re: Logauswertung (log evaluation) (translation)



Hi Andreas, hello all@list,

> I'm at a company and would like to set up a Debian router/firewall.

Yeah, that's what I am also planning at the moment.

The firewall itself won't be my problem, but I haven't installed Debian for
seven years, as I updated the distribution from the net. I hope the
netinstaller works at the company in case I get a job.

> Debian is minimally installed and I've chosen Shorewall as the firewall.

Did you read the tutorial by Oskar Andreasson?

> I would additionally like to send the logs over Syslog-ng to a log
> server. 

I strongly recommend not doing this. We had a CCC (Chaos Computer Club)
meeting where someone brought the logfile from his mail server along to
the meeting.

By looking at the logfile, even without error messages, it was quite easy
to get a picture of the employees and their key qualifications.

By seeing logfiles unencrypted it's possible to see what's running on
your server, so I strongly recommend not doing this.

Use logcheck locally on your server and log in over ssh, which is quite
secure. (There has been just one vulnerability in the past years.)

I use a simple Perl script, fwlog, to check the logfiles.

> My problem is what tool do I use to evaluate the logs for attacks and
> for mail notifications?

Don't forget to install aide, prelude and snort or nagios in case it's a
production server system. (Nagios: there was a bug in nagios, but you can
update; yes, monitoring tools are not the best decision, but there's no
workaround for this available.)

As a workaround you should use an encrypted logfile transfer to your
client (maybe something like netcat). You have to code a little bit
around it; I don't know if you have the time at your company.

AFAIK there are no encryption tools available to handle logfile reading
from the server to the client.

I found an open source project to overcome this.

Hope it helps. I wouldn't do what you're trying to do, for security
reasons.

-- 
Best Regards,

Mark
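
One way to do the log evaluation Andreas asks about, as an added example that is not Mark's fwlog script and not part of Shorewall or logcheck: a short Python script that parses Shorewall's kernel log lines (default log prefix `Shorewall:<chain>:<disposition>:` followed by the netfilter LOG target's key=value fields) out of the syslog file, aggregates them per source address and flags two simple patterns (many distinct destination ports from one source, repeated hits on one port) in a plain-text report meant for a notification mail. The sample log lines, the thresholds and the alert heuristics are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: Shorewall log lines as they arrive in /var/log/messages
# (syslog header, then "Shorewall:<chain>:<disposition>:" and netfilter fields).
# Addresses are documentation ranges; the "link up" line and the line with a
# printk timestamp are there to show what the parser has to skip or tolerate.
SAMPLE_LOG = """\
Mar  3 10:01:11 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:12 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:12 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:13 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:13 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40005 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:02:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:02:31 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:03:00 fw kernel: eth0: link up
Mar  3 10:03:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:03:10 fw kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=34000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:03:20 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.200 DST=203.0.113.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 10:03:25 fw kernel: [ 1234.567890] Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=203.0.113.2 DST=198.51.100.50 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33000 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog header, optional printk timestamp, then Shorewall's default prefix
_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s*"
    r"(?:\[\s*[\d.]+\]\s*)?"
    r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)$"
)
_FIELD = re.compile(r"(\w+)=(\S*)")  # bare flags like DF or SYN have no "=" and are skipped

def parse_line(line):
    """Return a dict for a Shorewall log line, or None for any other line."""
    m = _PREFIX.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "chain", "disposition")}
    rec.update(_FIELD.findall(m.group("fields")))  # IN, OUT, SRC, DST, PROTO, DPT, ...
    return rec

def summarize(lines):
    """Aggregate parsed lines per source address."""
    per_src = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or "SRC" not in rec:
            continue
        s = per_src.setdefault(rec["SRC"], {
            "hits": 0,
            "ports": defaultdict(int),         # (PROTO, DPT) -> hit count
            "dispositions": defaultdict(int),  # DROP / REJECT / ACCEPT -> count
            "first": rec["ts"], "last": rec["ts"],
        })
        s["hits"] += 1
        s["ports"][(rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
        s["dispositions"][rec["disposition"]] += 1
        s["last"] = rec["ts"]
    return per_src

def find_alerts(per_src, scan_ports=5, repeat_hits=3):
    """Flag sources whose dropped/rejected traffic looks like a port scan or
    repeated hits on one port. Thresholds are assumptions; tune to your traffic."""
    alerts = []
    for src, s in sorted(per_src.items()):
        blocked = sum(n for d, n in s["dispositions"].items() if d != "ACCEPT")
        if blocked == 0:
            continue  # only accepted traffic from this source; nothing to report
        if len(s["ports"]) >= scan_ports:
            alerts.append((src, "possible port scan", "%d distinct ports" % len(s["ports"])))
        for (proto, dport), n in sorted(s["ports"].items()):
            if n >= repeat_hits:
                alerts.append((src, "repeated hits", "%d x %s/%s" % (n, proto, dport)))
    return alerts

def format_report(per_src, alerts):
    """Plain-text report, suitable as the body of a notification mail."""
    out = ["Firewall log report", "===================", ""]
    for src, s in sorted(per_src.items(), key=lambda kv: -kv[1]["hits"]):
        disp = ", ".join("%s=%d" % kv for kv in sorted(s["dispositions"].items()))
        out.append("%-16s %4d hits  %s  (%s .. %s)" % (src, s["hits"], disp, s["first"], s["last"]))
    out.append("")
    out.append("Alerts:" if alerts else "Alerts: none")
    for src, kind, detail in alerts:
        out.append("  %-16s %s: %s" % (src, kind, detail))
    return "\n".join(out)

def evaluate(log_text, scan_ports=5, repeat_hits=3):
    """Parse a whole log file's text and return (per-source summary, alerts)."""
    per_src = summarize(log_text.splitlines())
    return per_src, find_alerts(per_src, scan_ports, repeat_hits)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(format_report(*evaluate(text)))
```

Run it from cron on the firewall itself against /var/log/messages (or the file Shorewall logs to on your box) and pipe the output to `mail -s`, which keeps the raw logs on the machine as Mark advises while still giving a mail notification. Because the `MAC=` field is parsed like any other key=value pair and the report is built from the parsed records, the same script also serves as a quick way to check what an unencrypted copy of the log would reveal about the hosts behind the firewall.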


