On Mon, May 08, 2000 at 11:44:55PM +0200, Simon Richter wrote:
> On Mon, 8 May 2000 allbery@kf8nh.apk.net wrote:
> > | No one can escape a 9-dot printer on /dev/lp0.
> > Sure I can: cause it to syslog a lot of garbage so it runs out of
> > paper.
> Yes, but your login has already been recorded. Oh, I need to disable the
> reverse linefeed function... :-)
Fundamental problem... You can't do "grep" on greenbar.
And you can "flood" the syslog process before attacking. And
you can also overflow the bandwidth of the channel to the printer, and
you can do all sorts of other things which reduce the efficacy of the
lp logger to gibberish.
I personally like the idea of simply retargeting the syslog
to both local storage AND a remote logging server (along with using
a secure tamper-evident log server). Except the remote logging server
is NOT what it seems. The remote logging server is a dummy. The REAL
log server is a stealth server sniffing the net for syslog traffic and
logging it. That is still potentially vulnerable to overflow attacks
and flooding attacks depending on how it processes the data, but it does
not give itself away by any data on the sending host. On top of that,
a simple IDS watching for any anomalous traffic directed toward the
"sacrificial" syslog server makes for an effective early warning
system that something has been compromised. Beats the hell out of a
box of green-bar...
> Simon
Mike
--
  Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
   (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
   NIC whois:  MHW9      |  An optimist believes we live in the best of all
  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
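The arrangement described in the message above (a dummy syslog target, a stealth collector that sniffs the syslog traffic off the wire, and an early-warning check on anything else directed at the dummy), as an added example that is not part of the thread. It works on constructed IPv4 packets; the decoy address, the UDP syslog port and the flood threshold are assumed values, and `ipv4_packet`, `udp`, `tcp_syn`, `decode`, `collect` and `demo` are hypothetical names.

```python
import struct
from collections import defaultdict

DECOY = "10.0.0.20"      # assumed: address of the sacrificial (dummy) syslog server
SYSLOG_PORT = 514        # UDP syslog
FLOOD_PER_SEC = 100      # assumed: per-source rate above which we call it a flood

def ipv4_packet(src, dst, proto, payload):
    """Constructed IPv4 packet (checksum left zero) standing in for a captured one."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload
def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
def tcp_syn(sport, dport):  # 20-byte TCP header with only SYN set
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def decode(pkt):
    """Return (src, dst, proto, sport, dport, payload) from a raw IPv4 packet."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, proto, sport, dport, (pkt[ihl + 8:] if proto == 17 else b"")

def collect(packets):
    """Stealth collector: keep every syslog datagram heading for the decoy and
    alert on floods or on any non-syslog traffic aimed at it (early warning)."""
    logs, alerts, per_second = [], [], defaultdict(int)
    for ts, pkt in packets:
        src, dst, proto, sport, dport, payload = decode(pkt)
        if dst != DECOY:
            continue                      # the sniffer only watches the decoy
        if proto == 17 and dport == SYSLOG_PORT:
            logs.append((ts, src, payload.decode("ascii", "replace")))
            per_second[(src, int(ts))] += 1
            if per_second[(src, int(ts))] == FLOOD_PER_SEC + 1:
                alerts.append(f"flood: {src} sent >{FLOOD_PER_SEC} syslog msgs/s at t={int(ts)}")
        else:
            alerts.append(f"non-syslog traffic to decoy: {src}:{sport} -> proto {proto}/{dport}")
    return logs, alerts

def demo():
    """Constructed traffic: a login record, a datagram for another host (ignored), a SYN at the decoy, a 101-message flood."""
    pkts = [(1.0, ipv4_packet("10.0.0.5", DECOY, 17, udp(40000, 514,
             b"<34>May  8 23:44:55 host login[12]: LOGIN ON tty1 BY mike")))]
    pkts.append((1.5, ipv4_packet("10.0.0.5", "10.0.0.9", 17, udp(40000, 514, b"<34>elsewhere"))))
    pkts.append((2.0, ipv4_packet("192.0.2.7", DECOY, 6, tcp_syn(5555, 22))))
    pkts += [(3.0 + i / 1000, ipv4_packet("192.0.2.7", DECOY, 17, udp(1, 514, b"<0>junk")))
             for i in range(FLOOD_PER_SEC + 1)]
    return collect(pkts)
```

Because the collector never answers anything, nothing on the logging host points at it; the one thing it cannot hide from is a flood that outruns its own parsing, which is why the rate check sits in the same loop.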
This archive was generated by hypermail 2b29 : Mon May 15 2000 - 21:00:12 EST