[Dshield] Syslog Server Software

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Wed Mar 15 19:42:52 GMT 2006


On Wed, 15 Mar 2006 12:02:04 EST, "Jon R. Kibler" said:

> If you are running a central logging server, I always recommend that you go
> out and buy a cheap 132 column dot matrix printer with variable font size and set
> the font to the smallest size you can easily read. Connect it to the central
> logging server. Then, put an entry in the central logging server's /etc/
> syslog.conf file to direct all 'interesting' output to the printer. For
> example:

> kern.warning,daemon.err,auth.info,local7.info,*.crit	/dev/lp0

Note that failure to keep the "interesting" list small enough so that a dot
matrix printer can keep up can be bad news - although an attacker can't send
white-out down the wire, he *can* flood the logs with meaningless messages and
then insert his nefarious activity in the section that gets dropped on the
floor.

What happens if the attacker does:

for i in `seq 1 10000`; do logger -d -p local7.info "Yo! D00dz!"; done;
<command that generates log messages he'd rather not have seen>

Also, the fact the printer keeps up during normal operations doesn't mean
it will keep up during a crisis - you get a dozen 0wned machines launching an
ssh brute-force attack on you, that 'auth.info' is going to get very chatty....
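The flood-then-hide scenario described in the message above, as an added simulation that is not part of the original post or of any syslog implementation: a slow sink with a bounded queue (the capacity and drain rate are made-up parameters, not measurements of a real printer) is fed a burst of identical junk lines followed by one line worth seeing. It is run once as-is, and once with the consecutive-repeat suppression that classic syslogd applies ("last message repeated N times") in front of the sink, and the sink prints an explicit marker whenever it had to drop input so that the loss itself is visible in the output. All log lines are constructed.

```python
"""Simulation of a slow log sink (think: a dot matrix printer on /dev/lp0) that is
flooded with junk so that a later, interesting line is lost.  Hypothetical model
written for this note; capacity and rate are invented parameters."""
from collections import deque


class SlowSink:
    """Accepts at most `capacity` queued lines and prints `rate` lines per tick.

    A burst is modelled as arriving faster than the sink can print a single
    line, so no draining happens during submission.  Lines arriving while the
    queue is full are counted as dropped, and the next tick prints one marker
    line stating how many were lost before continuing with the queue."""

    def __init__(self, capacity: int, rate: int):
        self.queue = deque()
        self.capacity = capacity
        self.rate = rate
        self.dropped = 0
        self.printed = []

    def submit(self, line: str) -> None:
        if len(self.queue) >= self.capacity:
            self.dropped += 1          # lost: nowhere to put it
            return
        self.queue.append(line)

    def tick(self) -> None:
        if self.dropped:
            self.printed.append(
                f"*** {self.dropped} messages dropped (sink overloaded) ***")
            self.dropped = 0
        for _ in range(min(self.rate, len(self.queue))):
            self.printed.append(self.queue.popleft())

    def drain(self) -> list:
        """Keep ticking until nothing is queued; return everything printed."""
        while self.queue or self.dropped:
            self.tick()
        return self.printed


def suppress_repeats(lines) -> list:
    """Collapse runs of identical consecutive lines into the line itself plus a
    'last message repeated N times' line, the way classic syslogd does.
    Only identical consecutive lines are collapsed; anything that varies the
    text passes through untouched."""
    out, last, count = [], None, 0
    for line in lines:
        if line == last:
            count += 1
            continue
        if count:
            out.append(f"last message repeated {count} times")
        out.append(line)
        last, count = line, 0
    if count:
        out.append(f"last message repeated {count} times")
    return out


# Constructed input: the 10000-line junk flood from the message, then one line
# the operator would actually want to see on paper.
FLOOD = ["local7.info logger: Yo! D00dz!"] * 10000
INTERESTING = "auth.info sshd[4242]: Accepted password for root from 192.0.2.10 port 51234"


def run(lines, capacity: int = 200, rate: int = 50, suppress: bool = False) -> list:
    """Feed `lines` to a SlowSink (optionally through repeat suppression) and
    return the lines that made it onto paper, drop markers included."""
    if suppress:
        lines = suppress_repeats(lines)
    sink = SlowSink(capacity, rate)
    for line in lines:
        sink.submit(line)
    return sink.drain()


def interesting_survives(printed, needle: str = INTERESTING) -> bool:
    return needle in printed


if __name__ == "__main__":
    plain = run(FLOOD + [INTERESTING])
    print(f"plain sink: {len(plain)} lines printed, "
          f"interesting line present: {interesting_survives(plain)}")
    print(plain[0])                     # the drop marker
    collapsed = run(FLOOD + [INTERESTING], suppress=True)
    print(f"with repeat suppression: {len(collapsed)} lines printed, "
          f"interesting line present: {interesting_survives(collapsed)}")
    for line in collapsed:
        print("  " + line)
```

Two things to take from the run: without suppression the sink prints its 200 queued junk lines and a marker saying 9801 messages were dropped, so at least the operator can tell the paper is not the whole story; with suppression the flood collapses to two lines and the interesting line is printed. Repeat suppression only helps against a flood of identical text, so it is a cheap improvement for the printer sink, not a replacement for a sink that can keep up and for keeping the complete log somewhere the paper is not the only copy.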