[829] in Intrusion Detection Systems


RE: Signs of an Intruder

daemon@ATHENA.MIT.EDU (Dan Stromberg)
Thu Jan 2 13:06:48 1997

Date: Fri, 27 Dec 1996 20:26:38 -0800 (PST)
From: Dan Stromberg <strombrg@nis.acs.uci.edu>
To: ids@uow.edu.au
In-Reply-To: <009ACFB1.91A5DA2C.337@samba.cnb.uam.es>
Reply-To: ids@uow.edu.au


Small variation:

Rather than a "PC", I tend to favor an old workstation with modern
software (with the syslog hole patched anyway), or a 386 running linux.

Leave syslogd running, but empty out inetd.conf, and turn off rpcbind (or
portmap), sendmail/smail/qmail/exim, &c.  strip down /etc/passwd (and
/etc/shadow, as applicable).  Basically, shut stuff down until "strobe"
finds nothing but syslog.

Then consider starting up a tcp-wrappered steld, sshd or whatever, to
allow remote access to the data from a small number of hosts, and
for specific users.

The advantage?  The convenient, secure remote access, mostly.

Such a machine could also nicely double as a "conserver" to handle the
consoles of N other machines, given a multiserial board - which allows not
just logging of syslog data, but everything on the consoles of those
machines, along with remote access to their consoles for authorized
individuals (which means you can sometimes reboot a system from home at
times that you couldn't otherwise).

BTW, I've fiddled with conserver until it compiles under linux, but
haven't had a chance to try the executables.  We've used conserver for
some time under SunOS 4.1.x with great results, but it bothers me that...
it's such a holey old OS.

On Tue, 17 Dec 1996, J.R.Valverde (jr) wrote:

>         Paper is OK, but HD is candy-dandy. Paper has many problems, besides

>         The solution is simple: instead of a printer or a console, connect a
> personal computer with a big HD or a removable HD system, using a serial line
> as much as you would with the console, and a kermit-like program that logs
> everything to disk. There's no way anyone can access remotely your hard disk,
> it won't jam, it won't run slowly in a message storm, you can make as many
> backup copies as needed, take them home, to trial, to a fire-safe, etc... and
> you can process the data with automated tools. Moreover, you can have your
> program save the logs in encrypted form if you want to feel paranoic about
> co-workers. And you can always use it as a console at the same time (and BTW
> keep a log of your changes).
> 
>         The encryption bit is important: that ensures that no one with physical
> access to the logger can modify the logs. Someone may run with part of your
> paper, or throw a cartridge of toner/ink "accidentally" over your printout,
> but they can't selectively modify your encrypted log. They can turn the computer
> off, or type in a delete command, but there are hardware solutions to prevent
> that.
> 
>         It can fail, but not more than a printer, and has all the advantages.
> The only reason I can see for paper is if a judge could refuse anything not
> in paper during a trial, but you can still print your listings.
> 
>         So, please, help save the rainforest and use less paper.
> 
>                                 jr
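The procedure in the message above (strip a loghost until a port scanner finds nothing but syslog, then allow a wrapped sshd for a few hosts) is a check that can be repeated from the host's own socket table. The following is an added example, not code from either post: it parses `netstat -an` style output against an allow-list of what a dedicated loghost should expose. The netstat text, the allow-list and the service labels are constructed for this example; on a real host you would feed it live `netstat -an` (or `ss -lntu`) output and adjust the allow-list to match what you actually decided to leave running.

```python
"""Audit a loghost's listening sockets against an allow-list.

Added example; the sample netstat output, LOG_KEY-free allow-list and
service labels are constructed here and are not from the original posts.
"""
import re

# Constructed sample of `netstat -an` on a partially stripped-down host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address    (state)
tcp        0      0 *.22               *.*                LISTEN
tcp        0      0 *.25               *.*                LISTEN
tcp        0      0 *.111              *.*                LISTEN
tcp        0      0 10.0.0.5.22        10.0.0.9.40211     ESTABLISHED
udp        0      0 *.514              *.*
udp        0      0 *.111              *.*
"""

# What a dedicated loghost should expose: syslog (udp/514) plus a
# tcp-wrapped sshd for the small number of hosts the post mentions.
ALLOWED = {("udp", 514), ("tcp", 22)}

# Labels for services the post names explicitly, to make findings readable.
KNOWN = {
    ("tcp", 25): "sendmail/smail/qmail/exim",
    ("tcp", 111): "rpcbind/portmap",
    ("udp", 111): "rpcbind/portmap",
}


def parse_listeners(netstat_text):
    """Return a sorted list of (proto, port) for listening sockets.

    TCP sockets count only in LISTEN state; every bound UDP socket counts,
    since UDP has no listen state.
    """
    listeners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        proto, local = fields[0], fields[3]
        # The port is the last '.'- or ':'-separated component of the address.
        m = re.search(r"[.:](\d+)$", local)
        if not m:
            continue
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue
        listeners.add((proto, int(m.group(1))))
    return sorted(listeners)


def unexpected_listeners(netstat_text, allowed=ALLOWED):
    """Listeners not on the allow-list, as (proto, port, label) findings."""
    findings = []
    for proto, port in parse_listeners(netstat_text):
        if (proto, port) not in allowed:
            findings.append((proto, port, KNOWN.get((proto, port), "unknown")))
    return findings


if __name__ == "__main__":
    for proto, port, label in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"{proto}/{port} still listening: {label}")
```

Run against the constructed sample it reports tcp/25, tcp/111 and udp/111 as still open, which is exactly the sendmail and rpcbind/portmap cleanup the post describes; an empty result is the state the post calls "strobe finds nothing but syslog" (plus the deliberately allowed sshd).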
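The quoted reply wants a disk-based logger whose records nobody with access to the machine can selectively modify. One way to get that property is to chain the records with a keyed hash (HMAC), so that editing or deleting any record invalidates every record after it and a separately kept chain head exposes truncation of the tail. The block below is an added example, not code from either post; the key, the console lines and the `ChainedLog` class are constructed for it. Encrypting the stored file for confidentiality is a separate, compatible step that is not shown here.

```python
"""Tamper-evident append-only log using an HMAC chain.

Added example; LOG_KEY, CONSOLE_LINES and the class are constructed here
and are not from the original posts.
"""
import hashlib
import hmac

# Constructed key; on a real logger it lives only on the logging machine.
LOG_KEY = b"example-logger-key-not-for-real-use"
GENESIS = "0" * 64  # chain head before the first record


def _mac(key, seq, prev_mac, message):
    """HMAC over sequence number, previous record's MAC and the message."""
    data = f"{seq}\x1f{prev_mac}\x1f{message}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only list of (seq, prev_mac, message, mac) records."""

    def __init__(self, key=LOG_KEY):
        self.key = key
        self.records = []
        self.head = GENESIS  # MAC of the most recent record

    def append(self, message):
        seq = len(self.records)
        mac = _mac(self.key, seq, self.head, message)
        self.records.append((seq, self.head, message, mac))
        self.head = mac
        return mac

    def verify(self, expected_head=None):
        """Return (ok, first_bad_seq); first_bad_seq is None when ok.

        Passing the chain head kept off-logger also detects a truncated tail.
        """
        prev = GENESIS
        for seq, (rec_seq, rec_prev, message, mac) in enumerate(self.records):
            if rec_seq != seq or rec_prev != prev:
                return False, seq
            if not hmac.compare_digest(mac, _mac(self.key, seq, prev, message)):
                return False, seq
            prev = mac
        if expected_head is not None and prev != expected_head:
            return False, len(self.records)  # tail truncated or head mismatch
        return True, None


# Constructed sample of lines a serial console logger might capture.
CONSOLE_LINES = [
    "Dec 27 20:26:38 gw login: ROOT LOGIN REFUSED ON ttyp0 FROM 10.0.0.9",
    "Dec 27 20:26:41 gw sshd[211]: connection from 10.0.0.9",
    "Dec 27 20:27:02 gw syslogd: restart",
]


def demo():
    """Show that a selective edit and a deleted tail are both detected."""
    log = ChainedLog()
    for line in CONSOLE_LINES:
        log.append(line)
    head = log.head  # value that would be copied off the logger

    # Selectively edit record 1 in place: detected at sequence 1.
    seq, prev, msg, mac = log.records[1]
    log.records[1] = (seq, prev, msg.replace("10.0.0.9", "10.0.0.1"), mac)
    edited = log.verify(head)
    log.records[1] = (seq, prev, msg, mac)

    # Delete the last record: internally consistent, but the head no longer matches.
    log.records.pop()
    truncated = log.verify(head)
    return edited, truncated


if __name__ == "__main__":
    print(demo())
```

The verifier is what a reviewer (or a judge's expert) would run over the stored file together with the chain head; without the key, a record cannot be rewritten and re-MACed, and without the head, a truncated tail would go unnoticed, which is why the head is the one value worth copying off the logger regularly.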
