On Fri, 17 Nov 1995, Max Heffler wrote:

> > When joining the list I ask you to briefly introduce yourself,
>
> I never did this when I joined the list many months ago.

Neither did I. For many years, I built a reputation (whether 'tis good or bad remains to be seen :-) "cracking" into systems which I shouldn't have had access to (the machines were in work environments and/or were cracked by permission with results given to responsible parties). Now, I am the System Administrator for Internet Services Montana in Missoula, MT.

Despite running various free "attack checkers" posted by members of this and other lists, as well as using my previous cracking experience, we were recently bitten by what I believe to be the syslog bug (we were hit before my vendor came out with a patch... and I don't have source code... and I missed one of the programs which uses syslog... and I was very grumpy!). As far as I can tell, the attackers left nothing more than a calling card in my logfile (for which I was grateful... I wouldn't have known it otherwise). I still reinstalled everything from the original CD and restored user files after checking for insecurities.

The users on my system will tell you that I'm nothing short of rabid about security... logging just about everything that's legal to log. Unfortunately, I haven't developed a good system of analyzing these log files except through scripts to check for certain key words and/or egregious discrepancies in the network (e.g. the number of ICMP redirects jumps by more than X%). It seems that a majority of freeware/shareware log analyzers are written for SunOS/SVR4 (and also a predominant number of known security bugs :-( ), but I don't have one (I'm using a BSD 4.4 variant). Anyone with any suggestions for a good log analyzer?

There isn't a lot of "stuff" on our system which would attract crackers/hackers, thus I see no real need for things like Secure-ID or system-wide encryption. I have a packet-level firewall in place.
However, I am considering employing Kerberos authentication. My question to the group is this: if my customer travels to a remote location which doesn't use Kerberos, what happens? Can they still get in using alternate methods? I want to secure my system, but not make it incredibly inconvenient.

-- 
John-David Childs                http://www.ism.net/~jdc
Information Systems Tech         University of Montana-Missoula   (406)243-2321
System Administrator             Internet Services Montana        (406)542-0838
"I used up all my sick days... so I'm calling in dead"
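The two checks the post describes (keyword matching over syslog, and flagging a window in which a counted event such as ICMP redirects jumps by more than X% over the previous window) fit in a short script. The example below is added here to illustrate that approach; it is not code from the original post, from the list, or from any vendor tool. The log lines are constructed in BSD syslog layout, the keyword list and the "icmp redirect" message text are assumptions about what such a host would log, and the 100% threshold and three-event minimum are illustrative parameters.

```python
"""Toy syslog analyzer: keyword hits plus per-minute rate-jump detection.

Added example, not from the original post. SAMPLE_LOG below is constructed;
KEYWORDS and the 'icmp redirect' message pattern are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: "Mon DD HH:MM:SS host prog[pid]: message" (BSD syslog layout).
SAMPLE_LOG = """\
Nov 17 09:00:05 ism kernel: icmp redirect from 10.1.1.1: to 10.1.1.2 on 10.1.1.3
Nov 17 09:00:40 ism kernel: icmp redirect from 10.1.1.1: to 10.1.1.2 on 10.1.1.3
Nov 17 09:01:10 ism sendmail[212]: connection from mail.example.net
Nov 17 09:01:30 ism kernel: icmp redirect from 10.1.1.1: to 10.1.1.2 on 10.1.1.3
Nov 17 09:02:02 ism kernel: icmp redirect from 192.0.2.9: to 10.1.1.2 on 10.1.1.3
Nov 17 09:02:05 ism kernel: icmp redirect from 192.0.2.9: to 10.1.1.2 on 10.1.1.3
Nov 17 09:02:07 ism kernel: icmp redirect from 192.0.2.9: to 10.1.1.2 on 10.1.1.3
Nov 17 09:02:09 ism kernel: icmp redirect from 192.0.2.9: to 10.1.1.2 on 10.1.1.3
Nov 17 09:02:11 ism kernel: icmp redirect from 192.0.2.9: to 10.1.1.2 on 10.1.1.3
Nov 17 09:02:20 ism login: ROOT LOGIN REFUSED FROM 192.0.2.9
Nov 17 09:02:45 ism syslogd: restart
Nov 17 09:03:01 ism su: BAD SU jdc to root on /dev/ttyp1
"""

# Assumed keyword list; a real one would be tuned to the host's own daemons.
KEYWORDS = ["refused", "bad su", "repeated login failures"]

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_line(line):
    """Parse one BSD syslog line into a dict, or return None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog lines carry no year. strptime would default to 1900, which is not a
    # leap year and makes "Feb 29" fail, so pin a leap year purely for ordering.
    rec["ts"] = datetime.strptime(
        f"2000 {rec['mon']} {rec['day']} {rec['time']}", "%Y %b %d %H:%M:%S")
    return rec


def keyword_hits(lines, keywords):
    """Return (line_number, line) for each line containing any keyword, case-insensitively."""
    lowered = [k.lower() for k in keywords]
    return [(n, line) for n, line in enumerate(lines, 1)
            if any(k in line.lower() for k in lowered)]


def counts_per_minute(records, msg_pattern):
    """Count records whose message matches msg_pattern, bucketed per minute.

    Every minute between the first and last record is emitted, zeros included,
    so a quiet minute is compared against its neighbours rather than skipped."""
    pat = re.compile(msg_pattern, re.IGNORECASE)
    stamps = [r["ts"].replace(second=0) for r in records]
    matched = Counter(r["ts"].replace(second=0) for r in records if pat.search(r["msg"]))
    if not stamps:
        return []
    buckets, t, last = [], min(stamps), max(stamps)
    while t <= last:
        buckets.append((t, matched[t]))
        t += timedelta(minutes=1)
    return buckets


def rate_jumps(buckets, pct, min_count):
    """Flag windows whose count rose by more than pct percent over the previous window.

    A window is only flagged when it holds at least min_count events, so a
    0 -> 1 step is not reported as an infinite jump."""
    alerts = []
    for (_, prev_n), (cur_t, cur_n) in zip(buckets, buckets[1:]):
        if cur_n < min_count:
            continue
        change = float("inf") if prev_n == 0 else (cur_n - prev_n) * 100.0 / prev_n
        if change > pct:
            alerts.append((cur_t.strftime("%b %d %H:%M"), prev_n, cur_n, change))
    return alerts


def analyze(text, pct=100.0, min_count=3):
    """Run both checks over a log text and return a report dict."""
    lines = [l for l in text.splitlines() if l.strip()]
    records = [r for r in (parse_line(l) for l in lines) if r]
    buckets = counts_per_minute(records, r"icmp redirect")
    return {
        "unparsed": len(lines) - len(records),  # lines the regex did not understand
        "keyword_hits": keyword_hits(lines, KEYWORDS),
        "redirects_per_minute": [(t.strftime("%H:%M"), n) for t, n in buckets],
        "redirect_jumps": rate_jumps(buckets, pct, min_count),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for n, line in report["keyword_hits"]:
        print(f"keyword hit at line {n}: {line}")
    for when, prev_n, cur_n, change in report["redirect_jumps"]:
        print(f"{when}: icmp redirects {prev_n} -> {cur_n} (+{change:.0f}%)")
    print(f"{report['unparsed']} unparsed line(s)")
```

The minimum-count guard is the part worth keeping whatever thresholds you choose: a pure percentage test fires on every 0-to-1 transition, which on a quiet host is most minutes. The "unparsed" count is also worth watching, since a daemon whose lines do not match the regex is a daemon whose events are silently excluded from both checks.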