Stealth Logservers

Lance Spitzner of the Honeynet Project (www.honeynet.org) suggests a trick that's useful for honey (decoy) nets and maybe even for production DMZs: stealth logging. This trick allows a host connected to a hub or other shared medium to send its log files to a non-IP-addressed system that sees and captures the log messages but can't be accessed directly over the network, making it much harder for an intruder on your network to tamper with log files.

The idea is simple: suppose you specify a bogus IP address in a syslog.conf action, i.e., an IP address legitimate for your host's LAN but that isn't actually used by any host running syslogd. Since syslog messages are sent using the connectionless (one-way) UDP protocol, the sending host doesn't expect any reply when it sends a log message.

Furthermore, assuming your DMZ hosts are connected to a shared medium such as a hub, any syslog messages sent over the network will be broadcast on the local LAN. Therefore, it isn't necessary for a central logserver on that LAN to have an IP address; the logserver passively can sniff the log messages via snort or some other packet sniffer (but not tcpdump, which looks at packet headers, not data payloads).

Obviously, since an IP-addressless stealth logger won't be accessible via your usual IP-based remote administration tools, you'll need console access to that host to view your logs (unless, of course, it prints its logs to a line printer).

In addition, to configure each DMZ host's syslog.conf file to log to the bogus IP, you'll also need a bogus ARP entry on each sending host. If you don't, each system will try in vain to learn the Ethernet address of the host with that IP, and it won't send any log packets.

For example, if you want a given host to pretend to send packets to the bogus IP 192.168.192.168, then in addition to specifying @192.168.192.168 as the action on one or more lines in /etc/syslog.conf, you'll also need to enter this command from a shell prompt:

arp -s 192.168.192.168 03:03:03:31:33:77

This is not necessary if you send log packets to a normal log host, that is, if 192.168.192.168 is the IP address of a host running syslogd with the -r flag.