Bootable CD w/OS for firewall
miah
jjohnson at sunrise-linux.com
Wed Sep 15 11:16:00 EDT 2004
On Wed, Sep 15, 2004 at 11:10:50AM -0400, Jeff Kinz wrote:
> On Wed, Sep 15, 2004 at 10:54:45AM -0400, Don Levey wrote:
> DM:
> > > A potentially better solution is to log remotely to a different
> > > machine connected to your side of the firewall. Then if the machine
> > > is compromised, it''s much less likely (if you've taken apropriate
> > > measures) that the system's logs will be modified at the time of the
> > > compromise. They'll be on a different machine entirely, which may
> > > (should) not have easy attack vectors from the firewall box.
> >
> > Good points, both. I'd need to have the machine up so that I can figure out
> > what I need to fix, so hopefully after a reboot I'd have at least a little
> > time. How would I go about logging remotely? It's not as if I could
> > NFS-mount another drive, that'd be subject to the same problem.
> > -Don
>
> Example line - used in /etc/syslog.conf:
>
> *.emerg????@my.central.logserver.com
>
> This sends all emergency messages to the machine with the hostname
> my.central.logserver.com. Important note about this: Using the remote
> logging feature opens up a possible problem - if the /var/ directory is
> part of the root (/) filesystem, it would be easy to flood the logging
> server and possible bring it to a halt! One way to circumvent this is to
> have a seperate partition for /var (if you're logging to /var that is),
> or to use logrotation.
>
> logrotation is already set up on many distro's
>
Don't forget to enable log compression as well =).
-miah
More information about the Discuss
mailing list