On Thu, 5 Dec 1996, "BlackHeart" wrote:

> It would seem to me the most logical thing to do is to have a print log of
> all port connections, including the site it is coming from. Sure, it is
> definitely possible that logs may be altered, but it's pretty hard to roll
> back the paper...

The only problem with this is that you're going to get data overkill. And without computer readable media, there's no way to condense and process that information in a reasonable amount of time. Of course, if you're only interested in logging events, that's probably a good solution for you.

> Another interesting point that I've seen in this discussion is looking for
> attempted commands like "wiz" and "debug"... chances are, if someone is
> attempting these commands, they have either lived in a cave for the past
> decade or have no idea what they are doing... what version of sendmail
> actually contained the "wizard" backdoor? I know that it was fixed on most
> systems as early as 1988, when the infamous worm used it as a method of
> security breach... but anyways, I digress... later.

Actually, it's much more likely that if those commands are used, someone is running some sort of automated security scanner on your site. It's a good way to catch the unskilled tool-using attackers. Such an attack occurred at our site a few months ago.

---
Mike Kienenberger
Arctic Region Supercomputing Center
Systems Analyst
(907) 474-6842
mkienenb@arsc.edu
http://www.arsc.edu

"Yes, in 6.3 we finally gave in to the security demands of some of our customers. It is a major pain in the neck"
--Martin Knoblauch of Silicon Graphics GmbH referring to the change requiring that xhost access be explicitly enabled.
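As an added illustration of the two points in the exchange above (machine-readable logs can be condensed, and WIZ/DEBUG attempts are a cheap scanner signal), here is a small Python log scanner; it is example code, not part of the original mail. The sendmail-style session log format, hostnames and addresses are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a sendmail-style SMTP session log. Each line is
# "timestamp src_host command". The format is an assumption for this
# example, not real sendmail output.
SAMPLE_LOG = """\
Dec 05 10:01:12 10.0.0.7 HELO scanner.example
Dec 05 10:01:12 10.0.0.7 WIZ
Dec 05 10:01:13 10.0.0.7 DEBUG
Dec 05 10:01:13 10.0.0.7 QUIT
Dec 05 10:02:40 192.0.2.9 HELO mail.example
Dec 05 10:02:41 192.0.2.9 MAIL FROM:<a@example>
Dec 05 10:02:41 192.0.2.9 RCPT TO:<b@example>
Dec 05 10:02:42 192.0.2.9 DATA
Dec 05 10:02:45 192.0.2.9 QUIT
Dec 05 10:03:01 10.0.0.7 HELO scanner.example
Dec 05 10:03:01 10.0.0.7 wiz
Dec 05 10:03:02 10.0.0.7 QUIT
"""

# Verbs no legitimate mail client sends; a session that issues them is
# almost certainly an automated scanner probing for the old sendmail holes.
PROBE_COMMANDS = {"WIZ", "DEBUG"}

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<src>\S+) (?P<cmd>\S+)")


def summarize_probes(log_text):
    """Return {src_host: Counter of probe verbs} for sources that issued any.

    Only the condensed per-source summary is kept, so a day of connections
    becomes a few lines instead of a stack of printed paper.
    """
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the whole run
        cmd = m.group("cmd").upper()  # SMTP verbs are case-insensitive
        if cmd in PROBE_COMMANDS:
            hits[m.group("src")][cmd] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, counts in sorted(summarize_probes(SAMPLE_LOG).items()):
        print(src, dict(counts))
```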