Hi hi,
I have recently been compromised, having the sucKIT rootkit installed after only using Linux for two weeks. So now I am on a big security binge (I even bought a SNORT guide).
I was reading the "know your enemy" series provided at
http://www.linuxvoodoo.com/resources/security/ and in the section noted as "tracking a blackhat's moves", where it talks about securing your log information, it talked about recompiling syslogd in order to spoof the true logfile location. This is what it says:
"For those of you who like to get sneaky, something I like to do is recompile syslogd to read a different configuration file, such as /var/tmp/.conf. This way the black-hat does not realize where the real configuration file is. This is simply done by changing the entry "/etc/syslog.conf" in the source code to whatever file you want. We then set up our new configuration file to log both locally and to the remote log server. Make sure you maintain a standard copy of the configuration file, /etc/syslog.conf, which points to all local logging. Even though this configuration file is now useless, this will throw off the black-hat from realizing the true destination of our remote logging."
Sounds like a great idea, but the problem is... I have no idea how to recompile my syslog. I am not sure if that also involves recompiling the kernel, which I have done before - but unfortunately it was using a script that came with my distribution to specifically replace APM with ACPI, so my experience is lacking a bit, although I am generally able to understand what it is I am doing.
I am not really afraid to get messy with the system. I've actually set this up as a test box atm to fiddle with all this security stuff before implementing it on my real machine. I am pretty much set on making a permanent switch to Linux, so I will do what I have to do, and I am not too bad at getting around.
If it helps, I am running Libranet 2.8.1, which is a Debian-based distro with a kernel version of 2.4.21.
I would appreciate any help, whether pointing me to a webpage with a guide on this (Google turned up nothing, and I found nothing on tldp.org) or explaining the process (which might be lengthy, so I am very grateful).
Thanks so much! ^^
-Jeff
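The two edits the quoted Honeynet paragraph describes (point the source at a hidden config path, then write a real config that logs locally and to the remote host while /etc/syslog.conf stays a local-only decoy), as an added shell example that is not from the original post or the paper. The hidden path /var/tmp/.conf comes from the quote; the log host name, file names and the sample source line the script is run against are constructed here. On Debian the real source would be fetched with "apt-get source sysklogd" and rebuilt with "dpkg-buildpackage -rfakeroot -uc -b" after the same edit.

```shell
#!/bin/sh
# Added example: helpers for the "hidden syslog.conf" technique.
# They only touch files they are given, so they can be exercised
# on a constructed copy of the source before doing it for real.

# Replace every "/etc/syslog.conf" literal in a source file with the
# hidden path. Prints how many lines matched so the caller can tell a
# real edit from a silent no-op (a no-op would leave the rebuilt
# syslogd reading the decoy file, defeating the whole point).
patch_conf_path() {
    src="$1"; hidden="$2"
    before=$(grep -c '"/etc/syslog.conf"' "$src" || true)
    sed "s|\"/etc/syslog.conf\"|\"$hidden\"|g" "$src" > "$src.tmp" \
        && mv "$src.tmp" "$src"
    echo "$before"
}

# Write the real configuration: normal local files plus a copy of
# everything to the remote log host ("@host" is sysklogd's remote
# action; sysklogd accepts spaces as well as tabs between fields).
write_hidden_conf() {
    conf="$1"; loghost="$2"
    cat > "$conf" <<EOF
# real syslog configuration, read by the rebuilt syslogd
*.*              /var/log/messages
auth,authpriv.*  /var/log/auth.log
*.*              @$loghost
EOF
}

# Sanity check after the swap: the decoy must not mention the remote
# host and the hidden file must. Returns 0 only when both hold.
check_split() {
    decoy="$1"; hidden="$2"; loghost="$3"
    grep -q "@$loghost" "$hidden" && ! grep -q "@$loghost" "$decoy"
}

# Usage on a real tree, roughly:
#   n=$(patch_conf_path sysklogd-*/syslogd.c /var/tmp/.conf); [ "$n" -gt 0 ]
#   write_hidden_conf /var/tmp/.conf loghost.example
#   check_split /etc/syslog.conf /var/tmp/.conf loghost.example
```

Remember that the remote host must also accept UDP syslog (sysklogd's syslogd -r on the collector) or the "@loghost" line silently logs nothing.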