Of all the days, it was on Sat, Apr 14, 2001 at 02:32:20PM -0400 that Jacob Kuntz quoth:
> from the secret journal of Andy Bastien ([EMAIL PROTECTED]):
> >
> > Another technique is to use a separate logging server which has the
> > transmit leads on its ethernet connection snipped. It's capable of
> > receiving (via UDP only, since it can't ACK!) log entries, but it's
> > virtually impossible to start an interactive session remotely to shut
> > it down or otherwise interfere with it. It's possible to attack the
>
> It also can't arp. You'll need to prime the arp cache from a file for every
> host that needs immutable logs. Have you tried this? I wonder if you'll even
> get a link light.
>
> A syslog that strips formfeeds and line feeds attached to a printer is a
> little better, but I haven't found an efficient way to egrep with my eyes.
>
I have to admit I've never done this myself, but I know people who do. If you have a hub that won't send packets to the link because the transmit leads don't make a circuit, the leads can be looped back, or some hubs will let you disable link detection. Here's a page that discusses how to make a receive-only cable (scroll down to 3.6):

http://www.robertgraham.com/pubs/sniffing-faq.html

This is from a mailing list discussion about some problems that people have had with cutting the transmit wires. Be aware that the guy who starts the thread clipped the wrong wires:

http://www.securityportal.com/list-archive/firewall-wizards/1998/Aug/0167.html

Of course, you can use a standard cable with a dedicated logging network segment and disable all network services on the logging server except for syslog. Different networks find that different solutions work best for them. I also don't want to claim that there is anything wrong with logging to a printer, and some people might want to log to a printer and a remote server.
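A receive-only UDP syslog collector in the spirit of the setup discussed in this thread, added here as an example and not code from the thread or any listed page; it assumes Python 3, a constructed log path and port, and that the collector host never needs to answer anyone (no ACKs, no replies), which is what a snipped transmit pair enforces in hardware.

```python
import re
import socket
from datetime import datetime, timezone

# RFC 3164-style datagram: "<PRI>TIMESTAMP HOSTNAME MSG", PRI = facility*8 + severity.
_PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(datagram: bytes) -> dict:
    """Split a raw datagram into facility, severity and message.
    A missing or out-of-range PRI is not a reason to drop the entry: keep it
    verbatim with facility/severity None so the record stays complete."""
    m = _PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:          # 191 = facility 23, severity 7
        return {"facility": None, "severity": None,
                "message": datagram.decode("utf-8", "replace")}
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": SEVERITIES[pri % 8],
            "message": m.group(2).decode("utf-8", "replace")}


def format_record(source_ip: str, datagram: bytes) -> str:
    """One line per datagram: receive time, sender, severity, message.
    Newlines, form feeds and other control characters are escaped so a forged
    entry cannot inject extra lines (the printer setup in the thread strips
    form feeds and line feeds for the same reason)."""
    rec = parse_syslog(datagram)
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sev = rec["severity"] or "unknown"
    msg = rec["message"].encode("unicode_escape").decode("ascii")
    return f"{stamp} {source_ip} {sev} {msg}"


def serve(logfile: str = "/var/log/remote.log", bind=("0.0.0.0", 514)) -> None:
    """Receive-only loop: the socket is bound and read, never written to, so
    this code produces no outbound traffic. Paths and port are assumptions;
    binding 514 needs the appropriate privilege."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    with open(logfile, "a", buffering=1) as out:       # line-buffered append
        while True:
            data, (ip, _port) = sock.recvfrom(4096)
            out.write(format_record(ip, data) + "\n")
```

Pair it with a dedicated segment, a primed static ARP table and no other listening services, as the thread suggests, and the log file only ever grows by lines this process appends.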

