[1048] in linux-security and linux-alert archive
Re: System log practicalities (was Re: [linux-security] qmail,wu.ftpd,deslogind, in.telnetsnoopd ?)
daemon@ATHENA.MIT.EDU (Sam Quigley)
Thu Aug 22 07:12:14 1996
Date: Wed, 21 Aug 1996 14:28:53 -0700 (PDT)
From: Sam Quigley <poodge@econ.Berkeley.EDU>
To: Louis Mandelstam <louis@sacc.org.za>
cc: "Paul D. Robertson" <proberts@clark.net>,
Jonathan Larmour <JLarmour@origin-at.co.uk>,
Frank Parato <fparato@gti.net>, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.94.960820162538.280K-100000@lh1.sacc.org.za>
On Tue, 20 Aug 1996, Louis Mandelstam wrote:
> I don't know - apart from remote connections (which we can limit to some
> extent) what practical ways would there be for an attacker to really flood
> syslog?
>
> [REW: Trivial. Find anything that gets logged and repeat that.]
But surely a clever syslog would respond to this sort of repeated log by
saying something like:
Syslog: Last message repeats x times.
Each syslog entry needs to be unique, and there need to be a whole lot of
them. I don't immediately see how an attacker could flood syslog with
unique messages without leaving evidence of how those messages were sent.
(I am willing to concede that it's possible -- I'm just curious as to
how. In any case, a clever syslog like this isn't a great solution:
there needs to be some way to prevent this kind of attack altogether.)
[REW: Just make sure that there are two different messages that you
alternate. (for example by alternating telnet and rsh requests.) Or
find a daemon that logs two different lines. (e.g. rsh as root, which
gives you a tcpd line and a rsh line). Or find a daemon that puts a
unique identifier (pid) in the log (e.g. sendmail). ]
-sq
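The "last message repeated x times" suppression discussed above, and the two ways the moderator's note defeats it (alternate two distinct messages, or use a daemon that logs a per-connection pid), modelled as an added example. This is not code from the thread or from any real syslogd: the comparison rule (strip the timestamp, compare the rest of the line with the previous one) is an assumption modelled on classic sysklogd behaviour, and the hostnames, pids and log lines are constructed, with formats that only approximate tcpd and sendmail output.

```python
"""Model of syslogd-style repeat suppression and why it does not stop a flood.

Added example. The comparison rule is an assumption modelled on classic
sysklogd (only the text after the timestamp decides "identical"); all log
lines below are constructed and merely approximate real daemon output.
"""

from typing import Dict, Iterable, List


def suppress_repeats(lines: Iterable[str]) -> List[str]:
    """Collapse consecutive identical messages into 'last message repeated N times'.

    Input lines are assumed to look like 'Mon DD HH:MM:SS host tag[pid]: msg'.
    The first three whitespace-separated fields (the timestamp) are dropped
    before comparing, so a flood with ticking timestamps still collapses.
    """
    out: List[str] = []
    last_body = None
    repeats = 0
    for line in lines:
        parts = line.split(None, 3)
        body = parts[3] if len(parts) == 4 else line
        if body == last_body:
            repeats += 1          # identical body: count it, write nothing
            continue
        if repeats:
            out.append(f"last message repeated {repeats} times")
        repeats = 0
        last_body = body
        out.append(line)
    if repeats:                   # flush a trailing run of repeats
        out.append(f"last message repeated {repeats} times")
    return out


def flood_same(n: int) -> List[str]:
    """Constructed naive flood: the same tcpd-style refusal n times.

    The seconds field ticks so the timestamps differ; only the body repeats.
    """
    return [
        f"Aug 21 14:28:{i % 60:02d} lh1 in.telnetd[231]: refused connect from 10.0.0.7"
        for i in range(n)
    ]


def flood_alternating(n: int) -> List[str]:
    """Constructed bypass 1: alternate telnet and rsh so no two neighbours match."""
    lines = []
    for i in range(n):
        svc = "in.telnetd" if i % 2 == 0 else "in.rshd"
        lines.append(f"Aug 21 14:28:00 lh1 {svc}[231]: refused connect from 10.0.0.7")
    return lines


def flood_unique_pid(n: int) -> List[str]:
    """Constructed bypass 2: a forking daemon logs a fresh pid per connection."""
    return [
        f"Aug 21 14:28:00 lh1 sendmail[{1000 + i}]: connect from 10.0.0.7"
        for i in range(n)
    ]


def lines_written(n: int) -> Dict[str, int]:
    """How many lines actually reach the log file for each flood of n messages."""
    return {
        "same": len(suppress_repeats(flood_same(n))),
        "alternating": len(suppress_repeats(flood_alternating(n))),
        "unique_pid": len(suppress_repeats(flood_unique_pid(n))),
    }


if __name__ == "__main__":
    for name, count in lines_written(1000).items():
        print(f"{name:12s} -> {count} lines written for 1000 messages")
```

Running it shows the suppression only helps against the naive flood: 1000 identical messages become 2 lines, while the alternating and pid-varying floods write all 1000, which is why the thread concludes that the clever syslog is not a fix on its own.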