[421] in Intrusion Detection Systems
Re: your mail
daemon@ATHENA.MIT.EDU (John-David Childs)
Tue Nov 21 15:14:24 1995
Date: Mon, 20 Nov 1995 11:37:00 -0700 (MST)
From: John-David Childs <jdc@ism.net>
To: ids@uow.edu.au
In-Reply-To: <9511171643.AA05955@utopia.texmicro.com>
Reply-To: ids@uow.edu.au
On Fri, 17 Nov 1995, Max Heffler wrote:
> > When joining the list I ask you to briefly introduce yourself,
>
> I never did this when I joined the list many months ago.
Neither did I.
For many years, I built a reputation (whether 'tis good or bad remains to be
seen :-) "cracking" into systems which I shouldn't have had access to (the
machines were in work environments and/or were cracked by permission with
results given to responsible parties).
Now, I am the System Administrator for Internet Services Montana in
Missoula, MT. Despite running various free "attack checkers" posted by
members of this and other lists as well as using my previous cracking
experience, we were recently bitten by what I believe to be the
syslog bug (we were hit before my vendor came out with a patch...and I
don't have source code...and I missed one of the programs which uses
syslog...and I was very grumpy!)
As far as I can tell, the attackers left nothing more than a calling card
in my logfile (for which I was grateful...I wouldn't have known it
otherwise). I still reinstalled everything from the original CD and
restored user files after checking for insecurities.
The users on my system will tell you that I'm nothing short of rabid
about security...logging just about everything that's legal to log.
Unfortunately, I haven't developed a good system of analyzing these log
files except through scripts to check for certain key words and/or
egregious discrepancies in the network (e.g. the number of ICMP redirects
jumps by more than X%). It seems that a majority of freeware/shareware
log analyzers are written for SunOS/SVR4 (and also a predominant number
of known security bugs :-( ), but I don't have one (I'm using a BSD 4.4
variant). Anyone with any suggestions for a good log analyzer?
There isn't a lot of "stuff" on our system which would attract
crackers/hackers, thus I see no real need for things like Secure-ID or
system-wide encryption. I have a packet-level firewall in place. However,
I am considering employing Kerberos authentication.
My question to the group is this: if my customer travels to a remote
location which doesn't use Kerberos, what happens? Can they still get in
using alternate methods? I want to secure my system, but not make it
incredibly inconvenient.
--
John-David Childs http://www.ism.net/~jdc
Information Systems Tech University of Montana-Missoula (406)243-2321
System Administrator Internet Services Montana (406)542-0838
"I used up all my sick days... so I'm calling in dead"
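An added example, not code from the original message, of the kind of log-analysis script described above: it flags lines containing watched key words and reports any hour in which the number of ICMP redirect messages rose by more than X% over the previous hour. The syslog-style line format, the key words, the sample lines and the threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed syslog-style sample lines (not from the original message).
def _redirects(hour, n):
    return [f"Nov 20 {hour:02d}:{i:02d}:00 gw kernel: icmp redirect from "
            f"10.0.0.1 to host 10.0.0.{7 + i % 3}" for i in range(n)]

SAMPLE_LINES = (
    _redirects(10, 4)
    + ["Nov 20 10:02:11 gw login: REPEATED LOGIN FAILURES ON ttyp1 FROM 192.0.2.9"]
    + _redirects(11, 10)
    + ["Nov 20 11:05:40 gw su: BAD SU jdc to root on /dev/ttyp0"]
    + _redirects(12, 5)
)

KEYWORDS = ("login failures", "bad su", "panic")          # assumed watch list
TIMESTAMP = re.compile(r"^(\w{3}\s+\d{1,2}) (\d{2}):\d{2}:\d{2} ")

def keyword_hits(lines, keywords=KEYWORDS):
    """Return (line_number, line) for every line containing a watched phrase."""
    return [(n, ln) for n, ln in enumerate(lines, 1)
            if any(k in ln.lower() for k in keywords)]

def redirects_per_hour(lines):
    """Count 'icmp redirect' messages bucketed by (day, hour); assumes one month."""
    counts = Counter()
    for ln in lines:
        m = TIMESTAMP.match(ln)
        if m and "icmp redirect" in ln:
            counts[(m.group(1), int(m.group(2)))] += 1
    return counts

def jump_alerts(counts, threshold_pct):
    """Flag each hour whose count rose by more than threshold_pct over the previous hour."""
    alerts, keys = [], sorted(counts)
    for prev, cur in zip(keys, keys[1:]):
        before, now = counts[prev], counts[cur]
        pct = (now - before) * 100.0 / before if before else float("inf")
        if pct > threshold_pct:
            alerts.append((cur, before, now, pct))
    return alerts

if __name__ == "__main__":
    for n, ln in keyword_hits(SAMPLE_LINES):
        print(f"keyword hit at line {n}: {ln}")
    for hour, before, now, pct in jump_alerts(redirects_per_hour(SAMPLE_LINES), 100):
        print(f"ICMP redirects in {hour}: {before} -> {now} (+{pct:.0f}%)")
```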