Bootable CD w/OS for firewall

[lug at the-leveys.us (Don Levey)]

Jeff wrote:
> On Wed, Sep 15, 2004 at 10:54:45AM -0400, Don Levey wrote:
> 	DM:
>>> A potentially better solution is to log remotely to a different
>>> machine connected to your side of the firewall.  Then if the machine
>>> is compromised, it''s much less likely (if you've taken apropriate
>>> measures) that the system's logs will be modified at the time of the
>>> compromise.  They'll be on a different machine entirely, which may
>>> (should) not have easy attack vectors from the firewall box.
>>
>> Good points, both.  I'd need to have the machine up so that I can
>> figure out what I need to fix, so hopefully after a reboot I'd have
>> at least a little time.  How would I go about logging remotely?
>> It's not as if I could NFS-mount another drive, that'd be subject to
>>  the same problem. -Don
>
> Example line - used in /etc/syslog.conf:
>
>     *.emerg????@my.central.logserver.com
>
> This sends all emergency messages to the machine with the hostname
> my.central.logserver.com. Important note about this: Using the remote
> logging feature opens up a possible problem - if the /var/ directory
> is part of the root (/) filesystem, it would be easy to flood the
> logging server and possible bring it to a halt! One way to circumvent
> this is to have a seperate partition for /var (if you're logging to
> /var that is), or to use logrotation.
>
> logrotation is already set up on many distro's

I run logrotate, which gives me four backups (log, log.1, log.2... log.4).
I think I've got this set for once a week.  When I can, I try to keep /var
on another system for this reason, and to enable me to swap out for a larger
drive if I need to.  Thanks for the tips!
 -Don