On 30/10/02 18:52 +0100, Paul Gillingwater wrote:
> Nice to see syslog getting some attention. For those who are
> paranoiac (which should be most of us), I have four recommendations:
>
> 1) Send your security-related syslog stuff to a well-protected
> dedicated syslog host, preferably with no external ports exposed.
> Do all syslog processing locally on that box at the console, so
> it's effectively write-only from the outside.

This reminds me of an old post here (or some other secfocus list).
Send the logs to a non-existent remote server. Run a box without an IP
sniffing all the syslog traffic and writing it to file. That way, an
attacker will try to break into a non-existent system, but the logs are
actually being recorded on a totally different system. This will, at
the very least, buy you time to respond to an incident.

Devdas Bhagat

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
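The decoy-destination setup described in the post, as an added example in Python (not code from the post, from its authors or from SecurityFocus): senders forward syslog to a decoy address that no host answers, and a listening box with no IP address of its own reads the frames off the wire, keeps only the UDP/514 datagrams addressed to the decoy, decodes the RFC 3164 PRI field and appends the records to a local file. The decoy address 192.0.2.10, the sample frames, the hosts and the log lines in SAMPLE_FRAMES are constructed for this example; sniff() is the live capture loop for the listening box and is not exercised by the sample.

```python
"""Passive collector for syslog sent to a decoy address (added example)."""
import socket
import struct
from dataclasses import dataclass

# Assumed decoy destination (RFC 5737 documentation range), constructed for this example.
DECOY_IP = "192.0.2.10"
SYSLOG_PORT = 514

# RFC 3164 facility and severity codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
             + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class SyslogRecord:
    src: str        # sending host, taken from the IP header rather than the message text
    facility: str
    severity: str
    message: str


def parse_frame(frame: bytes):
    """Decode an Ethernet/IPv4/UDP frame; return (src, dst, dport, payload) or None."""
    if len(frame) < 14 + 20 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17 or len(ip) < total_len or total_len < ihl + 8:
        return None
    src = socket.inet_ntoa(ip[12:16])
    dst = socket.inet_ntoa(ip[16:20])
    udp = ip[ihl:total_len]
    _sport, dport, ulen, _cksum = struct.unpack("!HHHH", udp[:8])
    return src, dst, dport, udp[8:ulen]


def parse_syslog(payload: bytes):
    """Split a BSD syslog datagram into (facility, severity, message).
    A datagram without a valid <PRI> gets PRI 13 (user.notice), as RFC 3164 tells a relay to assume."""
    text = payload.decode("utf-8", errors="replace")
    pri = 13
    if text.startswith("<"):
        end = text.find(">", 1, 5)
        if end > 1 and text[1:end].isdigit() and int(text[1:end]) <= 191:
            pri = int(text[1:end])
            text = text[end + 1:]
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], text.rstrip("\n")


def collect(frames, decoy_ip=DECOY_IP, port=SYSLOG_PORT):
    """Keep only the syslog datagrams addressed to the decoy and decode them."""
    records = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, dport, payload = parsed
        if dst != decoy_ip or dport != port:
            continue
        facility, severity, message = parse_syslog(payload)
        records.append(SyslogRecord(src, facility, severity, message))
    return records


def format_record(rec: SyslogRecord) -> str:
    return f"{rec.src} {rec.facility}.{rec.severity}: {rec.message}"


def sniff(interface: str, sink_path: str, decoy_ip=DECOY_IP, port=SYSLOG_PORT):
    """Capture loop for the listening box (Linux AF_PACKET, needs CAP_NET_RAW).
    The interface carries no IP address, so the box is not addressable; it only reads frames for the decoy."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003)) as sock:
        sock.bind((interface, 0))
        with open(sink_path, "ab") as sink:
            while True:
                for rec in collect([sock.recv(65535)], decoy_ip, port):
                    sink.write((format_record(rec) + "\n").encode())
                    sink.flush()


def _build_frame(src_ip: str, dst_ip: str, dport: int, payload: bytes) -> bytes:
    """Constructed test frame: Ethernet + IPv4 + UDP, checksums left at zero."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + ip_hdr + udp


# Constructed sample traffic: two messages for the decoy, one for another host,
# and an ARP frame that the decoder must ignore.
SAMPLE_FRAMES = [
    _build_frame("10.0.0.5", DECOY_IP, SYSLOG_PORT,
                 b"<38>Oct 30 18:52:01 srv1 sshd[4242]: Accepted publickey for ops from 10.0.0.9"),
    _build_frame("10.0.0.7", "10.0.0.1", SYSLOG_PORT, b"<38>not for the decoy"),
    _build_frame("10.0.0.6", DECOY_IP, SYSLOG_PORT, b"cron[77]: (root) CMD (logrotate)"),
    b"\xff" * 6 + b"\x02" * 6 + b"\x08\x06" + b"\x00" * 28,
]

if __name__ == "__main__":
    for rec in collect(SAMPLE_FRAMES):
        print(format_record(rec))
```

The senders need nothing beyond an ordinary remote-logging entry pointing at the decoy (for example `*.* @192.0.2.10` in a BSD-style syslog.conf). One operational detail the post leaves out: if the decoy address is on the senders' own subnet, nobody answers the ARP request for it and the sender's IP stack never puts the datagram on the wire, so each sender needs a static ARP entry for the decoy (any unused MAC will do); the listener above filters on the decoy IP, so the MAC chosen does not matter to it.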
This archive was generated by hypermail 2b30 : Wed Nov 06 2002 - 05:14:34 PST