The next thing a sensible attacker would do is turn off logging or minimize the information going into the logs. He would also turn off or corrupt log timestamps and eliminate the terminal command history. On an IOS router, the cracker would enter clear logging and clear logging xml (in case the XML logging buffer is present). Then he would go to configuration mode, where a variety of options are available. The quickest and dirtiest one is to turn all logging off with the no logging on command. A more delicate attacker would turn off only the specific forms of logging that he considers threatening. In particular, this applies to no logging host <IP address>, since the attacker has no control over the remote syslog server unless he hacks into the centralized logging host. An even more considerate cracker would change the logging level to the minimum without turning logging off, with commands like these:
- logging trap emergencies
- logging console emergencies
- logging buffered emergencies
- logging history emergencies
- logging monitor emergencies
Of course, it makes perfect sense to view the running device configuration with a command such as show running-config (or show config on CatOS), see which options are turned on that could make attack detection possible, and start switching them off one by one, starting with the most threatening ones, such as logging to a remote host.
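From the defender's side, the centralized syslog host the attacker cannot reach is exactly where this activity becomes visible, including the commands that are not logged themselves (clear logging leaves no message behind; the router simply falls silent). The following Python script is an added example and not code from the original text: it runs a few rules over constructed collector lines (the hostnames, addresses, times and the management-station allowlist are invented; the message bodies follow the IOS %SYS mnemonics) and flags a configuration session from an unlisted source, a router reporting that it stopped sending to a syslog host, a clock moved backwards, and a router that goes quiet while its peers keep reporting.

```python
import re
from datetime import datetime, timedelta

# Hypothetical allowlist of management stations permitted to enter configuration mode.
TRUSTED_MGMT = {"10.0.0.7"}
SILENCE_THRESHOLD = timedelta(minutes=5)
COLLECTOR_YEAR = 2025  # BSD syslog headers carry no year; pinned for the constructed sample

# Constructed sample of lines as a central syslog host stores them (hostnames,
# addresses and times are invented; the bodies follow IOS %SYS message formats).
SAMPLE_LOG = """\
Mar 10 09:14:02 rtr-edge-1 101: *Mar 10 09:14:01.991: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Mar 10 09:14:05 rtr-edge-1 102: *Mar 10 09:14:04.120: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.9 port 514 stopped - CLI initiated
Mar 10 09:14:40 rtr-edge-1 103: *Mar 10 09:14:39.500: %SYS-6-CLOCKUPDATE: System clock has been updated from 09:14:39 UTC Mon Mar 10 2025 to 02:00:00 UTC Tue Jan 1 2019, configured from console by admin on vty0 (10.0.0.5).
Mar 10 09:20:00 rtr-core-2 57: *Mar 10 09:20:00.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
"""

HEADER_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
MNEMONIC_RE = re.compile(r"%([A-Z0-9_]+-\d-[A-Z0-9_]+): (.*)$")
ORIGIN_RE = re.compile(r"by (\S+) on (\S+?)(?: \(([^)\s]+)\))?\.?$")
CLOCK_RE = re.compile(r"updated from (.+?) to (.+?), configured")
IOS_TIME_FMT = "%H:%M:%S UTC %a %b %d %Y"


def _parse_ios_time(text):
    """Parse the clock format used in %SYS-6-CLOCKUPDATE; None if it does not fit."""
    try:
        return datetime.strptime(text, IOS_TIME_FMT)
    except ValueError:
        return None


def analyze(log_text, trusted=TRUSTED_MGMT, silence=SILENCE_THRESHOLD):
    """Return (host, rule, detail) tuples for anti-forensics indicators in a batch of lines."""
    alerts, last_seen = [], {}
    for raw in log_text.splitlines():
        head = HEADER_RE.match(raw)
        if not head:
            continue
        stamp = datetime.strptime(f"{COLLECTOR_YEAR} {head.group(1)}", "%Y %b %d %H:%M:%S")
        host, body = head.group(2), head.group(3)
        last_seen[host] = max(stamp, last_seen.get(host, stamp))
        m = MNEMONIC_RE.search(body)
        if not m:
            continue
        mnemonic, msg = m.groups()
        if mnemonic == "SYS-5-CONFIG_I":
            # Someone entered configuration mode: check where the session came from.
            o = ORIGIN_RE.search(msg)
            origin = (o.group(3) or o.group(2)) if o else "unknown"
            if origin not in trusted:
                alerts.append((host, "config-change-untrusted-source", origin))
        elif mnemonic == "SYS-6-LOGGINGHOST_STARTSTOP" and "stopped" in msg:
            # The router itself announces that it stopped sending to a syslog host.
            alerts.append((host, "remote-logging-stopped", msg))
        elif mnemonic == "SYS-6-CLOCKUPDATE":
            t = CLOCK_RE.search(msg)
            old, new = (_parse_ios_time(t.group(1)), _parse_ios_time(t.group(2))) if t else (None, None)
            if old and new and new < old:
                alerts.append((host, "clock-set-backwards", str(old - new)))
    # Absence is evidence too: a router that stops talking while the others continue.
    if last_seen:
        batch_end = max(last_seen.values())
        for host, seen in sorted(last_seen.items()):
            gap = batch_end - seen
            if gap > silence:
                alerts.append((host, "device-silent", f"no messages for {gap}"))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in analyze(SAMPLE_LOG):
        print(host, rule, detail)
```

The silence check here is relative to the newest event in the batch; a live collector would compare each device's last-seen time against the wall clock instead. The clock rule keys on the router's own before/after values in the CLOCKUPDATE message, so it still works after the attacker has set the time, because the message is generated before the new time takes effect on the collector side.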
If SNMP information collection is in use, it also makes sense to switch off SNMP traps and informs using the no snmp-server enable traps and no snmp-server enable informs commands. Then the attacker can turn off the log timestamps with no service timestamps log datetime msec.
Alternatively, it is possible to alter the router's time without removing the log timestamps, to confuse future investigators and make the logs practically useless. If the Network Time Protocol (NTP) client is operational, it can be turned off with the no ntp server command. Then the cracker would exit to EXEC mode and set an incorrect time with clock set hh:mm:ss. Finally, terminal history would be switched off using terminal history size 0, also in EXEC mode.