678 lines
12 KiB
HTML
678 lines
12 KiB
HTML
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Restrict console messages</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Remote Serial Console HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Security"
|
|
HREF="security.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Use or configure a dumb modem"
|
|
HREF="security-dumb.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Modem features to restrict usage"
|
|
HREF="security-modem.html"></HEAD
|
|
><BODY
|
|
CLASS="SECTION"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Remote Serial Console HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="security-dumb.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 9. Security</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="security-modem.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECTION"
|
|
><H1
|
|
CLASS="SECTION"
|
|
><A
|
|
NAME="SECURITY-MESSAGES"
|
|
></A
|
|
>9.4. Restrict console messages</H1
|
|
><DIV
|
|
CLASS="SECTION"
|
|
><H2
|
|
CLASS="SECTION"
|
|
><A
|
|
NAME="SECURITY-MESSAGES-LOG"
|
|
></A
|
|
>9.4.1. Restrict console messages from the system log</H2
|
|
><P
|
|
>Generating a stready stream of console messages can easily
|
|
overwhelm a 9600<SPAN
|
|
CLASS="ABBREV"
|
|
>bps</SPAN
|
|
> link.</P
|
|
><P
|
|
>Although displaying all <SPAN
|
|
CLASS="APPLICATION"
|
|
>syslog</SPAN
|
|
>
|
|
messages on the console appears to be a good idea, this actually
|
|
provides the unprivileged user a simple method to deny effective
|
|
use of the remote console.</P
|
|
><P
|
|
>Configure system log messages to the console to the bare
|
|
minimum. Look in <TT
|
|
CLASS="FILENAME"
|
|
>/etc/syslog.conf</TT
|
|
> for lines
|
|
ending with <TT
|
|
CLASS="FILENAME"
|
|
>/dev/console</TT
|
|
>.</P
|
|
><P
|
|
>Consider sending all log messages to another machine for
|
|
recording and analysis. <A
|
|
HREF="security-messages.html#SECURITY-MESSAGES-SYSLOGCONF"
|
|
>Figure 9-2</A
|
|
> shows the standard
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/etc/syslog.conf</TT
|
|
> from <SPAN
|
|
CLASS="PRODUCTNAME"
|
|
>Red Hat
|
|
Linux</SPAN
|
|
> <SPAN
|
|
CLASS="PRODUCTNUMBER"
|
|
>7.2</SPAN
|
|
> modified to
|
|
record log messages to a log server. Each line of
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>syslog.conf</TT
|
|
> has been repeated to send a copy
|
|
of the message to the log server. The log server has the
|
|
<SPAN
|
|
CLASS="ACRONYM"
|
|
>DNS</SPAN
|
|
> alias <SPAN
|
|
CLASS="SYSTEMITEM"
|
|
>loghost.example.edu.au</SPAN
|
|
>; using a
|
|
<SPAN
|
|
CLASS="ACRONYM"
|
|
>DNS</SPAN
|
|
> alias allows the log server to be moved
|
|
without updating the configuration of all the remote machines.
|
|
The local copy of the log message is no longer the only means of
|
|
determining the cause of a system failure, so we can gain some
|
|
performance advantage by disabling synchronous file writes,
|
|
although this increases the odds of an inconsistent filesystem (an
|
|
issue with filesystems that do not do journalling). Placing a
|
|
<TT
|
|
CLASS="LITERAL"
|
|
>-</TT
|
|
> before the filename disables synchronous file
|
|
writes.</P
|
|
><DIV
|
|
CLASS="FIGURE"
|
|
><A
|
|
NAME="SECURITY-MESSAGES-SYSLOGCONF"
|
|
></A
|
|
><P
|
|
><B
|
|
>Figure 9-2. <TT
|
|
CLASS="FILENAME"
|
|
>/etc/syslog.conf</TT
|
|
> modified to copy log
|
|
messages to a log server</B
|
|
></P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
># Log anything (except mail) of level info or higher.
|
|
# Don't log private authentication messages!
|
|
*.info;mail.none;authpriv.none;cron.none @loghost.example.edu.au
|
|
*.info;mail.none;authpriv.none;cron.none -/var/log/messages
|
|
|
|
# The authpriv file has restricted access.
|
|
authpriv.* @loghost.example.edu.au
|
|
authpriv.* /var/log/secure
|
|
|
|
# Log all the mail messages in one place.
|
|
mail.* @loghost.example.edu.au
|
|
mail.* -/var/log/maillog
|
|
|
|
# Log cron stuff
|
|
cron.* @loghost.example.edu.au
|
|
cron.* -/var/log/cron
|
|
|
|
# Everybody gets emergency messages
|
|
*.emerg @loghost.example.edu.au
|
|
*.emerg *
|
|
|
|
# Save news errors of level crit and higher in a special file.
|
|
uucp,news.crit @loghost.example.edu.au
|
|
uucp,news.crit -/var/log/spooler
|
|
|
|
# Save boot messages also to boot.log
|
|
local7.* @loghost.example.edu.au
|
|
local7.* -/var/log/boot.log</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><P
|
|
>A log server is configured using the standard
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/etc/syslog.conf</TT
|
|
> configured to allow the
|
|
reception of remote <SPAN
|
|
CLASS="APPLICATION"
|
|
>syslog</SPAN
|
|
> messages.
|
|
This configuration for <SPAN
|
|
CLASS="PRODUCTNAME"
|
|
>Red Hat Linux</SPAN
|
|
> is
|
|
shown in <A
|
|
HREF="security-messages.html#SECURITY-MESSAGES-SYSCONFIG"
|
|
>Figure 9-3</A
|
|
>. In
|
|
addition to configuring the system log daemon, also prevent denial
|
|
of service attacks by configuring <SPAN
|
|
CLASS="APPLICATION"
|
|
>IP
|
|
Tables</SPAN
|
|
> to restrict the sources of the syslog
|
|
messages; and also improve performance by checking that
|
|
<SPAN
|
|
CLASS="APPLICATION"
|
|
>nscd</SPAN
|
|
> is running to cache reverse
|
|
<SPAN
|
|
CLASS="ACRONYM"
|
|
>DNS</SPAN
|
|
> lookups.</P
|
|
><DIV
|
|
CLASS="FIGURE"
|
|
><A
|
|
NAME="SECURITY-MESSAGES-SYSCONFIG"
|
|
></A
|
|
><P
|
|
><B
|
|
>Figure 9-3. Allowing remote log messages by setting options in
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/etc/sysconfig/syslog</TT
|
|
></B
|
|
></P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
># Red Hat Linux default value, does not write timer mark messages
|
|
SYSLOGD_OPTIONS="-m 0"
|
|
# Add option to accept remote syslog messages
|
|
SYSLOGD_OPTIONS="${SYSLOGD_OPTIONS} -r"</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><DIV
|
|
CLASS="FIGURE"
|
|
><A
|
|
NAME="SECURITY-MESSAGES-IPTABLES"
|
|
></A
|
|
><P
|
|
><B
|
|
>Figure 9-4. Restrict <SPAN
|
|
CLASS="APPLICATION"
|
|
>syslog</SPAN
|
|
> messages to
|
|
<SPAN
|
|
CLASS="SYSTEMITEM"
|
|
>remote.example.edu.au</SPAN
|
|
></B
|
|
></P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
><TT
|
|
CLASS="PROMPT"
|
|
> bash#</TT
|
|
> <TT
|
|
CLASS="USERINPUT"
|
|
><B
|
|
>chkconfig iptables on</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="PROMPT"
|
|
> bash#</TT
|
|
> <TT
|
|
CLASS="USERINPUT"
|
|
><B
|
|
>/etc/init.d/iptables restart</B
|
|
></TT
|
|
>
|
|
# Allow all IP traffic from this machine
|
|
<TT
|
|
CLASS="PROMPT"
|
|
> bash#</TT
|
|
> <TT
|
|
CLASS="USERINPUT"
|
|
><B
|
|
>iptables --append INPUT --source 127.0.0.0/8 --in-interface lo --jump ACCEPT</B
|
|
></TT
|
|
>
|
|
# Perhaps filter other traffic
|
|
…
|
|
# Accept syslog messages from remote.example.edu.au
|
|
<TT
|
|
CLASS="PROMPT"
|
|
> bash#</TT
|
|
> <TT
|
|
CLASS="USERINPUT"
|
|
><B
|
|
>iptables --append INPUT --source remote.example.edu.au --protocol udp --destination-port syslog -j ACCEPT</B
|
|
></TT
|
|
>
|
|
# Silently drop unexpected syslog messages
|
|
<TT
|
|
CLASS="PROMPT"
|
|
> bash#</TT
|
|
> <TT
|
|
CLASS="USERINPUT"
|
|
><B
|
|
>iptables --append INPUT --protocol udp --destination-port syslog -j DROP</B
|
|
></TT
|
|
>
|
|
# Save the running configuration
|
|
<TT
|
|
CLASS="PROMPT"
|
|
> bash#</TT
|
|
> <TT
|
|
CLASS="USERINPUT"
|
|
><B
|
|
>/etc/init.d/iptables save</B
|
|
></TT
|
|
></PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><DIV
|
|
CLASS="FIGURE"
|
|
><A
|
|
NAME="SECURITY-MESSAGES-NSCD"
|
|
></A
|
|
><P
|
|
><B
|
|
>Figure 9-5. Using <SPAN
|
|
CLASS="APPLICATION"
|
|
>nscd</SPAN
|
|
> to cache reverse
|
|
<SPAN
|
|
CLASS="ACRONYM"
|
|
>DNS</SPAN
|
|
> lookups</B
|
|
></P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
><TT
|
|
CLASS="PROMPT"
|
|
>bash#</TT
|
|
> <TT
|
|
CLASS="USERINPUT"
|
|
><B
|
|
>chkconfig nscd on</B
|
|
></TT
|
|
>
|
|
<TT
|
|
CLASS="PROMPT"
|
|
>bash#</TT
|
|
> <TT
|
|
CLASS="USERINPUT"
|
|
><B
|
|
>/etc/init.d/nscd restart</B
|
|
></TT
|
|
></PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="SECTION"
|
|
><H2
|
|
CLASS="SECTION"
|
|
><A
|
|
NAME="SECURITY-MESASGES-WALL"
|
|
></A
|
|
>9.4.2. Restrict broadcast messages to the console</H2
|
|
><P
|
|
>Users that are logged into the serial console should not
|
|
accept broadcast messages. Add new files to <TT
|
|
CLASS="FILENAME"
|
|
>/etc/profile.d</TT
|
|
> to do this. <A
|
|
HREF="security-messages.html#SECURITY-MESSAGES-SHLONG"
|
|
>Figure 9-6</A
|
|
> shows a file for use by the
|
|
Bourne shell.</P
|
|
><DIV
|
|
CLASS="FIGURE"
|
|
><A
|
|
NAME="SECURITY-MESSAGES-SHLONG"
|
|
></A
|
|
><P
|
|
><B
|
|
>Figure 9-6. Restrict sending of messages to console user</B
|
|
></P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
>#
|
|
# Do we have files referred to?
|
|
if [ -x /usr/bin/mesg -a -x /usr/bin/tty ]
|
|
then
|
|
# Are we on serial console?
|
|
if [ `/usr/bin/tty` = /dev/ttyS0 ]
|
|
then
|
|
# Do not accept broadcast messages
|
|
/usr/bin/mesg n
|
|
fi
|
|
fi</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><P
|
|
>As this file is run frequently, we use a faster but less
|
|
readable version of <A
|
|
HREF="security-messages.html#SECURITY-MESSAGES-SHLONG"
|
|
>Figure 9-6</A
|
|
>,
|
|
shown in <A
|
|
HREF="security-messages.html#SECURITY-MESSAGES-SH"
|
|
>Figure 9-7</A
|
|
>.</P
|
|
><DIV
|
|
CLASS="FIGURE"
|
|
><A
|
|
NAME="SECURITY-MESSAGES-SH"
|
|
></A
|
|
><P
|
|
><B
|
|
>Figure 9-7. Restrict sending of messages to console user,
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/etc/profile.d/mesg.sh</TT
|
|
></B
|
|
></P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
>#
|
|
# /etc/profile.d/mesg.sh -- prevent people hassling the serial console user
|
|
[ -x /usr/bin/mesg -a -x /usr/bin/tty -a `/usr/bin/tty` = /dev/ttyS0 ] && /usr/bin/mesg n</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><P
|
|
>We also need a C shell version, shown in <A
|
|
HREF="security-messages.html#SECURITY-MESSAGES-CSH"
|
|
>Figure 9-8</A
|
|
>.</P
|
|
><DIV
|
|
CLASS="FIGURE"
|
|
><A
|
|
NAME="SECURITY-MESSAGES-CSH"
|
|
></A
|
|
><P
|
|
><B
|
|
>Figure 9-8. Restrict sending of messages to console user,
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>/etc/profile.d/mesg.csh</TT
|
|
></B
|
|
></P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
>#
|
|
# /etc/profile.d/mesg.csh -- prevent people hassling the serial console user
|
|
if (-X mesg && -X tty && `tty` == /dev/ttyS0) then
|
|
mesg n
|
|
endif</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
><P
|
|
>Although <TT
|
|
CLASS="FILENAME"
|
|
>mesg.sh</TT
|
|
> and
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>mesg.csh</TT
|
|
> are included by the parent shell
|
|
rather than executed, the files need the execute permission
|
|
set. The procedure in <A
|
|
HREF="security-messages.html#SECURITY-MESSAGES-INSTALL"
|
|
>Figure 9-9</A
|
|
>
|
|
installs the files and sets the permissions.</P
|
|
><DIV
|
|
CLASS="FIGURE"
|
|
><A
|
|
NAME="SECURITY-MESSAGES-INSTALL"
|
|
></A
|
|
><P
|
|
><B
|
|
>Figure 9-9. Install files into <TT
|
|
CLASS="FILENAME"
|
|
>/etc/profile.d</TT
|
|
></B
|
|
></P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
><TT
|
|
CLASS="PROMPT"
|
|
>bash#</TT
|
|
> <B
|
|
CLASS="COMMAND"
|
|
>cp mesg.*sh /etc/profile.d/</B
|
|
>
|
|
<TT
|
|
CLASS="PROMPT"
|
|
>bash#</TT
|
|
> <B
|
|
CLASS="COMMAND"
|
|
>chown root:root /etc/profile.d/mesg.*sh</B
|
|
>
|
|
<TT
|
|
CLASS="PROMPT"
|
|
>bash#</TT
|
|
> <B
|
|
CLASS="COMMAND"
|
|
>chmod u=rwx,g=rx,o=rx /etc/profile.d/mesg.*sh</B
|
|
></PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="security-dumb.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="security-modem.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Use or configure a dumb modem</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="security.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Modem features to restrict usage</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |