Скачать или смотреть DEF CON 11 - Mick Bauer - Self-Abuse For Smarter Log Monitoring

Mick Bauer - Self-Abuse For Smarter Log Monitoring
Self-Abuse For Smarter Log Monitoring

Your Unix-based webserver has logs, and you know you should be keeping an eye on them. But what should you be looking for? Would you recognize an attack even if you saw one? What sort of automated log-watchers are available, and what if you need to tell those what to look for?

Attacking your own system while scanning its logs is a quick way to learn what anamolous log activity looks like. Plus, it's a fun excuse to run Nessus, nmap, and whisker against someone who won't call the cops on you (i.e., yourself). In my presentation I'll demonstrate this sort of productive self-abuse, using the aforemention tools plus less-glamorous but equally useful commands like telnet and wget. My groovy two-laptop demos will show both attacks and logged messages simultaneously, adding to the overall excitement.

In addition to all that, I'll discuss how to fine-tune the mechanisms that control logging, and how to use automated log-watchers such as swatch (which needs to be told what to look for) and logwatch (which doesn't necessarily).

The presentation will culminate in a challenging game of "You Be the K1d10t," in which Def Con attendees will be welcomed to take their best shot at my wireless-connected laptop, while the audience & I watch the log messages that result (or don't). Anybody who roots my box, or causes a really entertaining log message, will receive a piece of the donated junk arrayed on the stage for that purpose. (But if my box gets DoSed beyond salvage, I'll just ask some trivia questions and call it a day, so please play nice!)

This will be a fairly technical presentation. Attendees should have a
working knowledge of the Unix variant of their choice (my demo systems both run Linux), but my presentation should be comprehensible to most Unix newbies, while still being useful to intermediate and maybe even advanced users (hey, everybody knows different stuff).

Michael D. Bauer, CISSP, is Security Editor for Linux Journal, lead author of its monthly "Paranoid Penguin" security column, and an Information Security Consultant for Upstream Solutions in Minneapolis, MN. Mick's first book, "Building Secure Servers With Linux" was published by O'Reilly & Associates last October.