LinuxQuestions.org
Linux - General This Linux forum is for general Linux questions and discussion.
Old 08-09-2004, 06:12 AM   #1
chibi
Member
 
Registered: Aug 2004
Location: Canada
Distribution: Archlabs
Posts: 65

Rep: Reputation: 15
howto recompile syslogd ?


Hi hi,

I have recently been compromised, having the sucKIT rootkit installed after only using Linux for two weeks. So now I am on a big security binge (I even bought a SNORT guide).

I was reading the "know your enemy" series provided at http://www.linuxvoodoo.com/resources/security/ and in the section noted as "tracking a blackhats moves" where it talks about securing your log information, it talked about recompiling the syslogd in order to spoof the true logfile location. This is what it says:

"For those of you who like to get sneaky, something I like to do is recompile syslogd to read a different configuration file, such as /var/tmp/.conf. This way the black-hat does not realize where the real configuration file is. This is simply done by changing the entry "/etc/syslog.conf" in the source code to whatever file you want. We then setup our new configuration file to log both locally and to the remote log server. Make sure you maintain a standard copy of the configuration file, /etc/syslog.conf, which points to all local logging. Even though this configuration file is now useless, this will throw off the black-hat from realizing the true destination of our remote logging."

Sounds like a great idea but the problem is... I have no idea how to recompile my syslog. I am not sure if that also involves recompiling the kernel, which I have done before - but unfortunately it was using a script that came with my distribution to specifically replace APM with ACPI... so my experience is lacking a bit, although I am generally able to understand what it is I am doing.

I am not really afraid to get messy with the system. I've actually set this up as a test box atm to fiddle with all this security stuff before implementing it on my real machine. I am pretty much set on making a permanent switch to Linux, so I will do what I have to do and I am not too bad at getting around...

If it helps, I am running Libranet 2.8.1, which is a Debian-based distro with a kernel version of 2.4.21.

I would appreciate any help, whether pointing me to a webpage with a guide on this (Google turned up nothing, and I found nothing on tldp.org) or explaining the process (which might be lengthy, so I am very grateful).

Thanks so much! ^^

-Jeff

Last edited by chibi; 08-09-2004 at 06:21 AM.
 
Old 08-09-2004, 07:07 AM   #2
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 55
Get the source code of sysklogd from: http://www.infodrom.org/projects/sysklogd/

The address is taken from the LFS book, where the way to compile it is also described - you would just have to make those changes suggested in the security guide...

A better way may be to get the source from Debian - and compile it with their tools to make .deb packages from source - making the changes you want to incorporate... It is not difficult to do in Debian - provided that you have the necessary tools installed to create .deb packages from source.

If you look for the package on the Debian website - there is at the bottom of each page (where the packages and their dependencies are described) a link to the source files these .deb packages were made from - you would download these...
...there are always 3 files which you need:
one is named name.orig.tar.gz
one is named name.dsc
and one is named name.diff or name.diff.gz
 
Old 08-09-2004, 07:20 AM   #3
chibi
Member
 
Registered: Aug 2004
Location: Canada
Distribution: Archlabs
Posts: 65

Original Poster
Rep: Reputation: 15
Ah, I was a bit confused at first because the name was a bit different, but I downloaded it and read the information and see that is because it has two daemons.

Thank you!

I am curious though, what is this LFS book you mentioned?

I am somewhat interested in making my own .deb files, so that is something I will definitely look into.

Thanks again for your response, it means a lot.

-Jeff
 
Old 08-09-2004, 08:01 AM   #4
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 55
There is a forum on LQ which deals with issues relating to LFS...also links to info on it, I suppose

I have downloaded the books and don't know from where exactly - can only give you the primary address from where you will have to find your way to those books and anything you might be interested in...

here it is: http://www.linuxfromscratch.org/
 
Old 08-09-2004, 08:45 AM   #5
chibi
Member
 
Registered: Aug 2004
Location: Canada
Distribution: Archlabs
Posts: 65

Original Poster
Rep: Reputation: 15
Will do! I have examined the source and know what I am changing. Hopefully it will all work out, because I do not know if I need to re-add syslogd to init or remove the one I have already first, and even how to do that.

And thank you for the link; I will look at it later on, I am going to go to sleep now... I haven't yet. My syslog source won't compile, generates a lot of undeclared this, syntax error that, incomplete types... so I guess I will be just leaving it for now, I don't know enough to continue.

Thanks so much!

-Jeff

Last edited by chibi; 08-09-2004 at 09:09 AM.
 
Old 08-09-2004, 11:34 AM   #6
jomen
Senior Member
 
Registered: May 2004
Location: Leipzig/Germany
Distribution: Arch
Posts: 1,687

Rep: Reputation: 55
That is why I told you about the Debian way.
If you compile the package their way - using their tools - you will end up with an installable .deb package - just like the one you have installed right now.
You could install it via apt or dselect - which is just another frontend to apt - without having to worry about where you have to put things.
If you compile from the "normal" source - you will need to take care that everything gets to the place it was before - else you will get problems, because the package management system will not know how to deal with things installed without using it to install software (it will not even know that you did install anything and will therefore make problems, for instance not letting you remove the original package, because sysklogd is a pretty basic one).
I think the package name for the tools needed is "dpkg-source..." and maybe some dependent packages...
BTW: You can use the source from Debian also to do a "normal" compile - it is the original source - the other two files are there to enable the Debian tools to compile it - so it will be a .deb package.
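Putting replies #2 and #6 together, here is an added shell example of the "Debian way" for the change the first post quotes; it is not code from the posters, from the sysklogd project or from Debian. It assumes the default configuration path sits in syslogd.c as `#define _PATH_LOGCONF "/etc/syslog.conf"` (an assumption about the source layout), that the three source files (.dsc, .orig.tar.gz, .diff.gz) have been downloaded into one directory, and that dpkg-dev and fakeroot are installed. The permission check is added as the sanity step a practitioner would want before trusting a relocated config file.

```shell
#!/bin/sh
# Added example for this thread; not code from the posters, sysklogd or Debian.
# Assumption: syslogd.c carries  #define _PATH_LOGCONF "/etc/syslog.conf"
# and dpkg-dev + fakeroot are installed for the .deb build.

# Print the configuration path currently compiled into a syslogd.c file.
conf_path_in_source() {
    sed -n 's/^#define[[:space:]]*_PATH_LOGCONF[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Replace the default "/etc/syslog.conf" string in a source file with a new path.
# $1 = source file, $2 = new path (must not contain '|' or '&', which sed treats specially).
patch_conf_path() {
    src=$1; newpath=$2
    sed "s|\"/etc/syslog.conf\"|\"$newpath\"|" "$src" > "$src.tmp" && mv "$src.tmp" "$src"
}

# Sanity check on the relocated configuration file before relying on it:
# it must be a regular file, not group/other writable, and its directory must
# not be world-writable without the sticky bit (otherwise any user could swap it).
check_conf_file() {
    f=$1
    [ -f "$f" ] || { echo "missing or not a regular file: $f" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)           # e.g. -rw-r--r--
    case "$mode" in                             # char 6 = group write, char 9 = other write
        ?????w*|????????w?) echo "group/other writable: $f ($mode)" >&2; return 1 ;;
    esac
    dir=$(dirname "$f")
    dmode=$(ls -ld "$dir" | cut -c1-10)         # sticky bit shows as t/T in char 10
    case "$dmode" in
        ????????w[-x]) echo "world-writable, non-sticky directory: $dir ($dmode)" >&2; return 1 ;;
    esac
    return 0
}

# The Debian way from the replies: unpack the three source files with
# dpkg-source, edit, and rebuild an installable .deb. Runs in a subshell so the
# caller's working directory is untouched. $1 = path to the .dsc (the
# .orig.tar.gz and .diff.gz must sit beside it), $2 = new configuration path.
build_sysklogd_deb() (
    dsc=$1; newpath=$2
    dpkg-source -x "$dsc"
    cd sysklogd-*/ || exit 1
    patch_conf_path syslogd.c "$newpath"
    [ "$(conf_path_in_source syslogd.c)" = "$newpath" ] || exit 1
    dpkg-buildpackage -rfakeroot -us -uc       # unsigned local build
    # result: ../sysklogd_<version>_<arch>.deb, installed with: dpkg -i ../sysklogd_*.deb
)

# Only build when invoked as: sh thisfile.sh sysklogd_<version>.dsc /var/tmp/.conf
if [ "$#" -eq 2 ]; then
    build_sysklogd_deb "$1" "$2"
fi
```

Two things worth keeping in mind with the path the quoted guide suggests: /var/tmp is world-writable (with the sticky bit), so the file there must be created by root before anyone else can, and `check_conf_file` refuses a file that group or other can write or that sits in a world-writable directory without the sticky bit. Rebuilding through dpkg-buildpackage keeps dpkg aware of the replaced binary, which is the point reply #6 makes about not installing over a packaged sysklogd by hand.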
 
Old 08-09-2004, 10:17 PM   #7
chibi
Member
 
Registered: Aug 2004
Location: Canada
Distribution: Archlabs
Posts: 65

Original Poster
Rep: Reputation: 15
Yeh sorry for the late reply. I slept for about 15 hours then had to go to work. So I am going to give making a .deb a try and see how it turns out.

Linux is so fun ^^

-Jeff
 