
Re: Secure remote syslogging?



On Wed, 23 Apr 2003, Stefan Neufeind wrote:

> what is the best way to remotely syslog? In
> "RE: HELP, my Debian Server was hacked!" by James Duncan he wrote to
> use "syslog to log locally AND remotely". This is a good idea. But I
> wonder how to make it safe. Let's say I have two servers. Each could
> keep a second, separate log as "backup-log" of the server. But how do
> I make it secure that there can't exist any log-entries somebody
> "faked" into our remote-syslog-file?

There are a few general practices I like to follow for setting up a
loghost:

- if you have a separate, protected VLAN for administration purposes, put
it there.  This VLAN should be blocked from access by the Outside World,
and ideally from the Inside World as well.  Typically I would say that
this VLAN should have only admin servers, such as loghosts, monitoring
servers, etc on it, as well as the workstations of your system admins.
Throw a second (physical, not virtual) interface up on all the hosts that
will log to this box and attach it to this VLAN.  These hosts should only
be able to contact the syslog port of the loghost on this VLAN, and
nothing else.

- encrypt traffic on this VLAN using IPSec, and use a firewall on the
loghost to block all incoming traffic that isn't AH/ESP.

- harden the loghost.  Preferably this should be running only syslog and
ssh for remote access, and these services should be accessible only from
the local VLAN.  Follow whatever your standard procedures are for system
hardening... typically I would set a host like this up so that it has no
compilers (or, if one is necessary, to apply propolice patches), and
monitor it with tools like chkrootkit and tripwire, as well as the other
standard things one does.

- keep a third copy of important log information in your email.  Set up
logcheck or some other tool to parse your syslogs on a cron'd basis, and
email the admins (and your information security officer, if you have one)
the results.

So at this point, you should have local copies on all the servers, remote
copies on the loghost, and pertinent information in your email.  Can this
still be bypassed?  Sure.  Is it harder than it was before?  Certainly.
That's what security is about.

As for choice of logging daemon, I personally prefer syslog-ng.  I like to
use its support for regexps to log info for each host into its own
files/directories, rather than dumping the logs for all of them into one
set of files.

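The post above ends up with three copies of the logs (local, loghost, email) but leaves the actual comparison of those copies as an exercise. The following is an added example, not code from the original post or from syslog-ng: it reconciles a host's own syslog file against the per-host file the loghost wrote for it, and reports lines that exist only on the loghost (a candidate "faked" entry, the concern raised in the question), lines the host logged that never arrived (dropped UDP, an outage, or tampering with the remote file), and lines filed under the wrong hostname. It assumes classic BSD-style syslog lines ("Mon DD HH:MM:SS host message"), that the loghost keeps the sender's timestamp so an intact line is identical in both copies, and that the host and file names are illustrative; every log line in it is constructed.

```python
"""Reconcile one host's local syslog file against the loghost's copy.

Added example, not code from the original post. Assumes classic BSD
syslog lines ("Mon DD HH:MM:SS hostname message") and that the loghost
preserves the sender's timestamp, so a line that reached the loghost
intact is byte-for-byte the same as the local one. All log lines below
are constructed for illustration.
"""
import re
from collections import Counter

# Mon DD HH:MM:SS hostname rest-of-message; the day may be space padded ("Apr  3").
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def parse(line):
    """Return (timestamp, host, message) or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return (m.group("ts"), m.group("host"), m.group("msg"))


def reconcile(local_lines, remote_lines, expected_host):
    """Compare the two copies of one host's log and return a report dict.

    injected  : lines on the loghost that the host itself never logged
                (written into the remote file, or spoofed on the wire)
    missing   : lines the host logged that never reached the loghost
                (dropped UDP, an outage, or a tampered remote file)
    wrong_host: remote lines whose hostname field is not expected_host
                (misrouted by the per-host filter, or a forged hostname)
    unparsable: lines from either copy that do not look like syslog at all
    """
    local, remote = Counter(), Counter()
    report = {"injected": [], "missing": [], "wrong_host": [], "unparsable": []}

    for line in local_lines:
        rec = parse(line)
        if rec is None:
            report["unparsable"].append(line)
        else:
            local[rec] += 1

    for line in remote_lines:
        rec = parse(line)
        if rec is None:
            report["unparsable"].append(line)
        elif rec[1] != expected_host:
            report["wrong_host"].append(line)
        else:
            remote[rec] += 1

    # Counter subtraction keeps only positive differences, so a line logged
    # twice locally but seen once remotely shows up as exactly one missing copy.
    report["injected"] = [" ".join(r) for r in (remote - local).elements()]
    report["missing"] = [" ".join(r) for r in (local - remote).elements()]
    return report


# Constructed sample: what host "web1" wrote locally ...
LOCAL_LINES = [
    "Apr 23 10:01:02 web1 sshd[1234]: Accepted publickey for admin from 10.0.5.7 port 51234 ssh2",
    "Apr 23 10:01:05 web1 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/ls",
    "Apr 23 10:02:30 web1 kernel: eth1: link up",
    "Apr 23 10:02:30 web1 kernel: eth1: link up",
]

# ... and what the loghost's per-host file for web1 contains: one of the
# duplicate kernel lines is gone, a root login appears that web1 never
# logged, and a db1 line was filed into web1's directory.
REMOTE_LINES = [
    "Apr 23 10:01:02 web1 sshd[1234]: Accepted publickey for admin from 10.0.5.7 port 51234 ssh2",
    "Apr 23 10:01:05 web1 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/ls",
    "Apr 23 10:02:30 web1 kernel: eth1: link up",
    "Apr 23 10:03:00 web1 sshd[1300]: Accepted password for root from 192.0.2.9 port 4444 ssh2",
    "Apr 23 10:03:10 db1 sshd[77]: Accepted publickey for admin from 10.0.5.7 port 51240 ssh2",
]


if __name__ == "__main__":
    rep = reconcile(LOCAL_LINES, REMOTE_LINES, "web1")
    for kind in ("injected", "missing", "wrong_host", "unparsable"):
        for line in rep[kind]:
            print(f"{kind:>10}: {line}")
```

On real files, pass the open file objects instead of the lists, e.g. the host's /var/log/messages and the matching file under the loghost's per-host directory. Read the result with the threat model in mind: if the host itself was compromised, its local copy is the one the intruder could edit, so "missing" lines deserve as much attention as "injected" ones, and the emailed logcheck output serves as the tie-breaker between the two.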