Defenses for Log and Accounting File Attacks
• Activate logging on your critical systems
• Set proper permissions on the log files, utmp, wtmp, lastlog, and users' shell history files
• Set up a separate logging server
  – Add the line "syslog  514/udp" to /etc/services on the logging server
  – Modify /etc/syslog.conf on the critical server to redirect the desired message types to the logging server
  – Add the hostname and IP address of the logging server to /etc/hosts on the critical server, so that forwarding does not depend on DNS and cannot be redirected by a DNS attack
  – In Windows NT/2000, replace the EventLog service with an NT-compatible version of syslog to centralize logging
    • Kiwi syslog for NT: http://www.kiwi-enterprises.com
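The Unix steps above (registering the syslog port, pinning the log host, forwarding via syslog.conf, and locking down the log and history files) as an added example script, not part of the original slides. It works relative to a root directory passed as an argument so it can be rehearsed in a scratch directory; the hostname "loghost" and the address 192.0.2.10 are placeholders.

```shell
#!/bin/sh
# Added example (not from the slides): applies the logging-server steps and the
# permission hardening to files under a chosen root directory.
LOGHOST="${LOGHOST:-loghost}"
LOGHOST_IP="${LOGHOST_IP:-192.0.2.10}"   # placeholder (TEST-NET-1), not a real log server

# Append a line only if that exact line is absent, so re-running is safe.
ensure_line() {
    file="$1"; line="$2"
    mkdir -p "$(dirname "$file")"
    touch "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Logging server: register the syslog UDP port in /etc/services.
configure_log_server() {
    ensure_line "$1/etc/services" "syslog    514/udp"
}

# Critical server: pin the log host in /etc/hosts so forwarding cannot be redirected
# by a DNS attack, then forward selected facilities with classic syslog.conf syntax.
configure_critical_server() {
    ensure_line "$1/etc/hosts" "$LOGHOST_IP    $LOGHOST"
    ensure_line "$1/etc/syslog.conf" "auth,authpriv.*;kern.*    @$LOGHOST"
    ensure_line "$1/etc/syslog.conf" "*.emerg;*.alert    @$LOGHOST"
}

# Files an intruder edits to cover tracks: message logs and shell histories become
# root-only; wtmp and lastlog stay world-readable because last/lastlog read them.
harden_log_permissions() {
    root="$1"
    for f in messages secure auth.log; do
        [ -f "$root/var/log/$f" ] && chmod 0600 "$root/var/log/$f"
    done
    for f in wtmp lastlog; do
        [ -f "$root/var/log/$f" ] && chmod 0644 "$root/var/log/$f"
    done
    for h in "$root"/home/*/.*_history; do
        [ -f "$h" ] && chmod 0600 "$h"
    done
    return 0
}

# Rehearsal against a scratch root (use "/" only once the output has been reviewed):
# ROOT=$(mktemp -d); configure_log_server "$ROOT"; configure_critical_server "$ROOT"
```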