
Re: server log centralized



On 7/15/2013 1:00 PM, Pol Hallen wrote:
>> Article about using stunnel with rsyslog
>> http://freecode.com/articles/ssl-encrypting-syslog-with-stunnel
> 
> hello again :-)
> 
> I've set up a centralized log server following the above link (and
> thanks). All connections go over the VPN.
> 
> I also read:
> 
>> Preventing Systems from Talking Directly to the rsyslog Server
>> It is possible for remote systems (or attackers) to talk to the rsyslog
>> server by directly connecting to its port 61514. Currently, rsyslog
>> does not offer the ability to bind to the local host only. This
>> feature is planned, but as long as it is missing, rsyslog must be
>> protected via a firewall. This can easily be done via, for example,
>> iptables. Just be sure not to forget it.
> 
> So, to protect myself against hackers' attempts, I only need to close
> port 61514 of the centralized log server?

No.  With a VPN setup, what you need to do is limit remote access to
this port to only your rsyslog client machines.  And, limit access of
those hosts to only the rsyslog port.  I.e. the remote machines can
access only the rsyslog server and nothing else.

This is why a VPN is not the preferred method for what you're wanting to
accomplish.  TLS encrypted rsyslog is.  With this method, no client can
connect if it doesn't have the TLS certificate.  There are no firewall
rules to set up and maintain.  It's very simple.  Complete instructions here:

http://www.rsyslog.com/doc/rsyslog_tls.html

> If an attacker has root access on a client, can they talk to the syslogd
> on the centralized log server?
> 
> If yes, how do I protect that server?

See above for VPN case.  Using TLS prevents this, no firewall rules
required.

-- 
Stan
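
A sketch of the TLS setup recommended above, in rsyslog's legacy directive syntax. This is an added example, not part of the original message and not copied from the linked instructions; the file paths, host names and port 6514 are assumed placeholders. The line that restricts who may connect is the auth mode: with `anon` the link is encrypted but any peer is accepted, while `x509/name` requires a certificate from your CA whose name is on the permitted-peer list.

```conf
# ---- central log server: rsyslog.conf (paths, names, port are placeholders) ----
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/server-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/tls/server-key.pem

# 1 = accept TLS connections only on this listener
$InputTCPServerStreamDriverMode 1

# Weak setting, shown for contrast: encrypts, but does not check who connects
# $InputTCPServerStreamDriverAuthMode anon

# Corrected setting: peer must present a CA-signed certificate with a listed name
$InputTCPServerStreamDriverAuthMode x509/name
# One line per client, so a single host can be dropped from the list later
$InputTCPServerStreamDriverPermittedPeer web01.example.net
$InputTCPServerStreamDriverPermittedPeer db01.example.net

# The StreamDriver directives above must come before the listener is started
$InputTCPServerRun 6514

# ---- each client: rsyslog.conf ----
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/web01-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/tls/web01-key.pem

# 1 = send over TLS only
$ActionSendStreamDriverMode 1
# The client also verifies the server's certificate name before sending
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer logserver.example.net

# @@ = TCP; forward everything to the central server
*.* @@logserver.example.net:6514
```

Keep each private key file readable by root only, and issue a separate certificate per client rather than sharing one across hosts.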


