Howdy,

Just a couple comments. I agree paper logging is very safe, as dictated in "The Cuckoo's Egg," but I also remember reading in that book that Cliff ran into some paper jam problems, so that's one thing to keep in mind: physical reliability of your logs. Another one is cost: how much paper would it take for a major ISP to log all connections? What if I knew they were logging to paper, so I intentionally created connection after connection, possibly legitimate connections, in order to use up their finite amount of paper before attacking for real? Now that ISP gets a call from another one letting them know they'd been attacked from a particular site. Who's the unlucky soul who manually "greps" all connections, attempted or made, from that site, or sites similar? My point is that paper logging sounds cool but is often unrealistic. If it is realistic in your scenario, more power to you.

As for the caveman attacking my site, I guess I should ignore him/her and only try to stop the high-tech folks that keep up with the latest bugs. Is there a mailing list that tells me when a security hole is considered old so I can quit checking on it? Personally I think it's a good idea to stick to the "paranoid" theme and check for *all* known problems. Maybe somebody has a program that goes through hundreds of known holes/bugs and tries to exploit them all. If that were the case, the "wiz" "debug" attempts may come first and give me an early warning people are attacking.

See ya,
Al

P.S. What are the actual odds on those "chances" you refer to? Maybe we can all make some money in Vegas on this. :-)

On Thu, 5 Dec 1996, BlackHeart wrote:

> It would seem to me the most logical thing to do is to have a print log of
> all port connections, including the site it is coming from. Sure, it is
> definitely possible that logs may be altered, but it's pretty hard to roll
> back the paper...
>
> Another interesting point that I've seen in this discussion is looking for
> attempted commands like "wiz" and "debug"... chances are, if someone is
> attempting these commands, they have either lived in a cave for the past
> decade or have no idea what they are doing... what version of sendmail
> actually contained the "wizard" backdoor? I know that it was fixed on most
> systems as early as 1988, when the infamous worm used it as a method of
> security breach... but anyways, I digress... later.
>
> -blak