[opensuse] Loggin internet activites
Hi list, - as I'm going to use OpenSuSE for this one, so it's not completely off topic. I think. - In Denmark a new law is being enforced by the 15th. of September this year. It states that all internet activity must be logged, if you run a hotel or similar. I do. - this means I have to have a router/switch that gives out fixed IP-adresses to fixed rooms. I can do that, we're not wireless but give guests access through cables. - I now need to log all internet access per IP-adress/room onto a central server - somewhere in the chain. - All in the name of anti-terrorism. Yes, I know, it's all in vain, it will not keep any taleban or criminal from doing what they do. But that's not up to me. I just have to log...however stupid this is. - has anyone any ideas as to how with what? -- ------------------------------------------------------------------------- Med venlig hilsen/Best regards Verner Kjærsgaard -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Verner Kjærsgaard wrote:
Hi list,
- as I'm going to use OpenSuSE for this one, so it's not completely off topic. I think.
- In Denmark a new law is being enforced by the 15th. of September this year. It states that all internet activity must be logged, if you run a hotel or similar. I do.
- this means I have to have a router/switch that gives out fixed IP-adresses to fixed rooms. I can do that, we're not wireless but give guests access through cables.
- I now need to log all internet access per IP-adress/room onto a central server - somewhere in the chain.
- All in the name of anti-terrorism. Yes, I know, it's all in vain, it will not keep any taleban or criminal from doing what they do. But that's not up to me. I just have to log...however stupid this is.
- has anyone any ideas as to how with what?
For Web and FTP Squid as proxy server... Use external firewall to lock external web access to machine hosting proxy server... Either set up an automatic proxy... or just give notes. With E-Mail one can setup a similar config with local server acting as relay for outgoing mail. Local cache DNS with appropriate logging Set up DHCP to deliver DNS settings, You can run all of the above on the same box... Static IP on network point managed by router is at best iffy for this, the kit can be expensive and for your situation probably very high maintenance. I would suggest a machine registration setup based on MAC of guests machine or more manageably a certificate, If you dont register you dont get access, I suspect most Hotel Front office procedures can be easily adapted to manage this... Charge for above :-) Logs can be backed to CD/DVD so can be as detailed as your law requires. I think the network equipment sector is in for some good time in Denmark. I will refrain from quotes from Hamlet :-) - -- ============================================================================== I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup ============================================================================== -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFGxVQoasN0sSnLmgIRAj18AKCSQEqvB8wPyCU8l/+3I/bJVYn/fACbBxfi KUdS49hBRzF0vEAdjskgwsY= =jhJw -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
I assume everything goes through a central firewall system. Modify the firewall rules so that all NEW IP sessions are logged. Sessions that are established can be handled as currently handled. You will have to 'logrotate' fairly often but it is about the only place you can be assured of catching everything. You could exclude DNS or select just HTTP, FTP, SSH or whatever protocals of interest by splitting out to several rules. I would assume also that only OUTPUT activity would need to be logged unless you are looking for secret incoming messages with no outgoing activity associated.... Just a thought....Orwell would be proud of big brother :) Richard Verner Kjærsgaard wrote:
Hi list,
- as I'm going to use OpenSuSE for this one, so it's not completely off topic. I think.
- In Denmark a new law is being enforced by the 15th. of September this year. It states that all internet activity must be logged, if you run a hotel or similar. I do.
- this means I have to have a router/switch that gives out fixed IP-adresses to fixed rooms. I can do that, we're not wireless but give guests access through cables.
- I now need to log all internet access per IP-adress/room onto a central server - somewhere in the chain.
- All in the name of anti-terrorism. Yes, I know, it's all in vain, it will not keep any taleban or criminal from doing what they do. But that's not up to me. I just have to log...however stupid this is.
- has anyone any ideas as to how with what? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Verner Kjærsgaard wrote:
Hi list,
- as I'm going to use OpenSuSE for this one, so it's not completely off topic. I think.
- In Denmark a new law is being enforced by the 15th. of September this year. It states that all internet activity must be logged, if you run a hotel or similar. I do.
Do you also have data privacy laws in Denmark? If so, I would think you need to be quite careful with guarding access to these logs. If you have professional societies in Denmark (Dansk Dataforening or Dansk Selskab for Datalogi perhaps?) they may have guidance on how to comply with the law. Cheers, Dave -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Fredag 17 august 2007 12:27 skrev Dave Howorth:
Verner Kjærsgaard wrote:
Hi list,
- as I'm going to use OpenSuSE for this one, so it's not completely off topic. I think.
- In Denmark a new law is being enforced by the 15th. of September this year. It states that all internet activity must be logged, if you run a hotel or similar. I do.
Do you also have data privacy laws in Denmark? If so, I would think you need to be quite careful with guarding access to these logs. If you have professional societies in Denmark (Dansk Dataforening or Dansk Selskab for Datalogi perhaps?) they may have guidance on how to comply with the law.
Cheers, Dave
All technical aspects aside, I do agree. A law like this is terribly problematic. It opens up for who knows what. It does require a court order for the police to get to the records. But still... It's the same with your mobile cell phone. The telephone companies are recording of your whereabouts (roaming), records of which have been used in trivial cases (not just murder or something equally serious) in dahish courts. It is problematic, also because the department of justice and the majority of politicians don't know anything about what they are doing technically. I bet you could get certain politicians to catch the idea of taking a backup of the internet overnight... -- ------------------------------------------------------------------------- Med venlig hilsen/Best regards Verner Kjærsgaard -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Verner Kjærsgaard wrote:
Fredag 17 august 2007 12:27 skrev Dave Howorth:
Verner Kjærsgaard wrote:
Hi list,
- as I'm going to use OpenSuSE for this one, so it's not completely off topic. I think.
- In Denmark a new law is being enforced by the 15th. of September this year. It states that all internet activity must be logged, if you run a hotel or similar. I do. Do you also have data privacy laws in Denmark? If so, I would think you need to be quite careful with guarding access to these logs. If you have professional societies in Denmark (Dansk Dataforening or Dansk Selskab for Datalogi perhaps?) they may have guidance on how to comply with the law.
Cheers, Dave
All technical aspects aside, I do agree. A law like this is terribly problematic. It opens up for who knows what.
It does require a court order for the police to get to the records. But still...
I wasn't so much thinking about police access but abuse by others. I guess you will need to provide physical and other security to prevent your staff or other guests or intruders from accessing logs that may contain personal details of guests. Cheers, Dave -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Fredag 17 august 2007 14:35 skrev Dave Howorth:
Verner Kjærsgaard wrote:
Fredag 17 august 2007 12:27 skrev Dave Howorth:
Verner Kjærsgaard wrote:
Hi list,
- as I'm going to use OpenSuSE for this one, so it's not completely off topic. I think.
- In Denmark a new law is being enforced by the 15th. of September this year. It states that all internet activity must be logged, if you run a hotel or similar. I do.
Do you also have data privacy laws in Denmark? If so, I would think you need to be quite careful with guarding access to these logs. If you have professional societies in Denmark (Dansk Dataforening or Dansk Selskab for Datalogi perhaps?) they may have guidance on how to comply with the law.
Cheers, Dave
All technical aspects aside, I do agree. A law like this is terribly problematic. It opens up for who knows what.
It does require a court order for the police to get to the records. But still...
I wasn't so much thinking about police access but abuse by others. I guess you will need to provide physical and other security to prevent your staff or other guests or intruders from accessing logs that may contain personal details of guests.
Cheers, Dave
Yes, that's a problem also. I was thinking of loggin to a remote server (hosted) in Germany...making direct access a little harder. -- ------------------------------------------------------------------------- Med venlig hilsen/Best regards Verner Kjærsgaard -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Verner Kjærsgaard wrote:
Fredag 17 august 2007 14:35 skrev Dave Howorth:
Verner Kjærsgaard wrote:
Fredag 17 august 2007 12:27 skrev Dave Howorth:
Verner Kjærsgaard wrote:
Hi list,
- as I'm going to use OpenSuSE for this one, so it's not completely off topic. I think.
- In Denmark a new law is being enforced by the 15th. of September this year. It states that all internet activity must be logged, if you run a hotel or similar. I do. Do you also have data privacy laws in Denmark? If so, I would think you need to be quite careful with guarding access to these logs. If you have professional societies in Denmark (Dansk Dataforening or Dansk Selskab for Datalogi perhaps?) they may have guidance on how to comply with the law.
Cheers, Dave All technical aspects aside, I do agree. A law like this is terribly problematic. It opens up for who knows what.
It does require a court order for the police to get to the records. But still... I wasn't so much thinking about police access but abuse by others. I guess you will need to provide physical and other security to prevent your staff or other guests or intruders from accessing logs that may contain personal details of guests.
Cheers, Dave
Yes, that's a problem also. I was thinking of loggin to a remote server (hosted) in Germany...making direct access a little harder.
Apart from the additional logging requirement the configuration I suggested of using a proxy/mail relay/cache DMS tied to being the only machine that can communicate externally on certain protocols is probably the best solution in your case. Your are effectively running a public access network where the barbarians are not just at the gate, but probably carousing in the city as well. Firewalls have limited value in this context, as it quite possibly the bad guys are already in. I would take steps to ensure that your business systems are on a separate network, or if that is not possible strongly firewalled from the guest network. In the main this is not just about government requirements it is also about protecting you, your hotel and your hotel guest from the effects of other peoples criminality and/or stupidity. The kind of information which is probably being asked for (who connected to what and when) is not really for preventing terrorist or criminal activity, but is used to gather intelligence. If you read some of the commentary by some academic workers in this area there is a suggestion that some elements of the security community are already exploiting known security weaknesses to collate such material. All such legislation does is legitimise this activity and pass the bill on to the business community... Awaiting the knock on the door :-) - -- ============================================================================== I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup ============================================================================== -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iD8DBQFGxrOhasN0sSnLmgIRApADAKDydkMv3FKt1nYWLwIGSg5hxNKmaQCeK6cG zcGiZjnCy/8AhTKOnk9h8yc= =xq58 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Verner Kjærsgaard wrote:
- All in the name of anti-terrorism. Yes, I know, it's all in vain, it will not keep any taleban or criminal from doing what they do. But that's not up to me. I just have to log...however stupid this is.
Just to prove how effective that sort of thing is, last winter, I was staying at a ski resort in Quebec. They wanted $14/day for internet access. They'd block browser access, but somehow they neglected to block OpenVPN. I was able to connect to my home network and to the internet from there. If anyone logged the data, all they'd see is a bunch of unintelligible UDP packets going to/from my home IP. -- Use OpenOffice.org <http://www.openoffice.org> -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Fredag 17 august 2007 13:26 skrev James Knott:
Verner Kjærsgaard wrote:
- All in the name of anti-terrorism. Yes, I know, it's all in vain, it will not keep any taleban or criminal from doing what they do. But that's not up to me. I just have to log...however stupid this is.
Just to prove how effective that sort of thing is, last winter, I was staying at a ski resort in Quebec. They wanted $14/day for internet access. They'd block browser access, but somehow they neglected to block OpenVPN. I was able to connect to my home network and to the internet from there. If anyone logged the data, all they'd see is a bunch of unintelligible UDP packets going to/from my home IP.
-- Use OpenOffice.org <http://www.openoffice.org>
I quite agree. See my former post. For people in the know, and all terrorists are... this will not prevent or stop anything. -- ------------------------------------------------------------------------- Med venlig hilsen/Best regards Verner Kjærsgaard -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Fri, 17 Aug 2007, by vk@os-academy.dk:
Fredag 17 august 2007 13:26 skrev James Knott:
Verner Kjærsgaard wrote:
- All in the name of anti-terrorism. Yes, I know, it's all in vain, it will not keep any taleban or criminal from doing what they do. But that's not up to me. I just have to log...however stupid this is.
Just to prove how effective that sort of thing is, last winter, I was staying at a ski resort in Quebec. They wanted $14/day for internet access. They'd block browser access, but somehow they neglected to block OpenVPN. I was able to connect to my home network and to the internet from there. If anyone logged the data, all they'd see is a bunch of unintelligible UDP packets going to/from my home IP.
-- Use OpenOffice.org <http://www.openoffice.org>
I quite agree. See my former post. For people in the know, and all terrorists are... this will not prevent or stop anything.
If only because it won't stop anyone from using a modem in your resort and just go around the LAN and logging proxy. (Or a transceiver with digital comms to a radio / internet gateway e.g.) Politicians (in whatever country) just assume averyone is as ignorant with technology as they are. If they have to think of something really effective against terrorists, like taking away the reasons for terrorist acts, they probably fry their Homer brains in the process. Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 26N , 4 29 47E. + ICQ: 277217131 SUSE 10.2 + Jabber: muadib@jabber.xs4all.nl Kernel 2.6.20 + See headers for PGP/GPG info. Claimer: any email I receive will become my property. Disclaimers do not apply. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
participants (6)
-
Dave Howorth -
G T Smith -
James Knott -
Richard Creighton -
Theo v. Werkhoven -
Verner Kjærsgaard