begin quoting [EMAIL PROTECTED] as of Sun, Aug 13, 2006 at 04:06:28PM -0700:
> I've been procrastinating doing a remote syslog-ng log server
> for a while.
>
> Now I'm wondering if it is worth it.
>
> It seems the main idea is you can see logs of a break-in
> AFTER you've been hacked. (Yay! Let's put them in jail!)
>
> That sounds cool, but prosecution of hackers is unlikely
> and also doesn't undo the fact you've been hacked.
>
> So *how* exactly will a remote duplicate syslog-ng
> log server make you more safe and secure?
If your local network is perverted, you have a much better chance of determining where, and how, the intruders got in.

Let's say I'm a Bad Guy. I compromise one of your machines, and decide to pervert your local network... so I find the logs, erase the evidence of how I got in, and instead plant some misdirecting evidence. I then install keyloggers and such, and eventually pervert your whole internal network, rewriting all the logs as necessary, and replacing often-used tools with trojans and traps.

Now that I own your network, I can do what I want with your computing resources. If you don't have some other way of monitoring my activities (say, with an intrusion detection system), you're toast. You don't know what I've done, how I did it, or how long I've owned your network.

-- 
_ |\_ \|
-- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
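The scenario in the reply above is the practical case for a remote log server: once the intruder has edited the local file, the copy that syslog-ng already forwarded to a host they do not control is the only record of what was removed or planted. The following is an added example, not code from the list posting or from syslog-ng; it diffs a host's local log against the remote copy, reports the erased and planted entries, and pulls the login source addresses out of what was erased. The host name, user names, addresses and log lines are constructed for the example.

```python
"""Compare a host's local syslog with the copy a remote syslog-ng server kept
of the same stream, and report what was erased or planted locally.

Added example; every log line, host, user and address below is constructed.
"""
import difflib
import re

# Constructed: what the remote log server received.  From the compromised
# host's point of view that copy is write-only, so it still has the whole story.
REMOTE_LOG = """\
Aug 13 15:58:01 web1 sshd[2112]: Accepted password for bob from 192.0.2.7 port 40212 ssh2
Aug 13 15:58:30 web1 sshd[2140]: Accepted password for root from 198.51.100.9 port 51003 ssh2
Aug 13 15:59:02 web1 sudo:     bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls
Aug 13 16:01:14 web1 kernel: module rootkit_helper loaded
Aug 13 16:02:00 web1 cron[2200]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed: the same file on web1 after the intruder edited it.  The root
# login from 198.51.100.9 and the module load are gone, and a fake failed login
# from an unrelated address has been planted to send the admin after the wrong host.
LOCAL_LOG = """\
Aug 13 15:58:01 web1 sshd[2112]: Accepted password for bob from 192.0.2.7 port 40212 ssh2
Aug 13 15:59:02 web1 sudo:     bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls
Aug 13 16:00:30 web1 sshd[2160]: Failed password for root from 203.0.113.44 port 3322 ssh2
Aug 13 16:02:00 web1 cron[2200]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Matches the source address of a successful sshd login line.
_ACCEPTED_RE = re.compile(r"Accepted \S+ for \S+ from (\d+(?:\.\d+){3})")


def compare_logs(remote: str, local: str):
    """Return (erased, planted).

    erased:  lines present in the remote copy but missing locally
    planted: lines present locally that the remote server never received
    Both keep the order of their source file.  A sequence diff is used rather
    than a set difference so that duplicate lines (repeated cron entries, say)
    are counted correctly.
    """
    remote_lines = remote.splitlines()
    local_lines = local.splitlines()
    erased, planted = [], []
    matcher = difflib.SequenceMatcher(a=remote_lines, b=local_lines, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            erased.extend(remote_lines[i1:i2])
        if tag in ("insert", "replace"):
            planted.extend(local_lines[j1:j2])
    return erased, planted


def intruder_sources(erased):
    """Source addresses of successful logins the intruder chose to erase:
    the addresses they most wanted you not to see."""
    found = set()
    for line in erased:
        match = _ACCEPTED_RE.search(line)
        if match:
            found.add(match.group(1))
    return sorted(found)


if __name__ == "__main__":
    erased, planted = compare_logs(REMOTE_LOG, LOCAL_LOG)
    print("erased locally (only the remote copy has them):")
    for line in erased:
        print("  -", line)
    print("planted locally (the remote server never saw them):")
    for line in planted:
        print("  +", line)
    print("login sources hidden by the intruder:", intruder_sources(erased))
```

In practice `REMOTE_LOG` is the per-host file the syslog-ng server wrote and `LOCAL_LOG` is the file pulled off the suspect host, and the comparison only means anything if the log server accepts syslog from that host but offers it no other access, so the intruder cannot edit the second copy too.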
