<HTML
><HEAD
><TITLE
>&#13; Physical hard copies of all-important logs
</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.60"><LINK
REL="HOME"
TITLE="Securing and Optimizing Linux"
HREF="index.html"><LINK
REL="UP"
TITLE="General System Security"
HREF="gen-syssecured.html"><LINK
REL="PREVIOUS"
TITLE="Disable Ctrl-Alt-Delete keyboard shutdown command"
HREF="chap5sec49.html"><LINK
REL="NEXT"
TITLE="Tighten scripts under /etc/rc.d/"
HREF="chap5sec51.html"></HEAD
><BODY
CLASS="section"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Securing and Optimizing Linux: RedHat Edition -A Hands on Guide</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="chap5sec49.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 5. General System Security</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="chap5sec51.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="section"
><H1
CLASS="section"
><A
NAME="AEN3848"
>5.21. Physical hard copies of all-important logs</A
></H1
><P
>&#13; One of the most important security considerations is the integrity of the log files under the <TT
CLASS="filename"
>/var/log</TT
> directory on your server. If, despite all of the security measures put in place on our server, a cracker still gains access to it, the log files are our last line of defense. An intruder with root access can edit or delete them at will, so it is very important to have a method of preserving a copy of the logs that the compromised host cannot alter.
</P
><P
>&#13; If you have a printer installed on your server, or on a machine on your network, a good idea is to keep actual physical hard copies of all important logs. This is easily accomplished with a continuous-feed printer: have the syslog program send all the logs you deem important to the printer device, <TT
CLASS="filename"
>/dev/lp0</TT
>. A cracker can change the files, programs and so on on your server, but can do nothing about a printer that has already produced a real paper copy of your important logs. Note that this protects only what was printed before the intrusion: once an attacker has root, they can also edit <TT
CLASS="filename"
>syslog.conf</TT
> or stop the syslog daemon, so when reviewing the paper trail, look for the point at which it goes quiet.
</P
><DIV
CLASS="example"
><A
NAME="AEN3854"
></A
><P
><B
>Example 5-3. Print log reports </B
></P
><P
>&#13; To log all telnet, mail, boot messages and ssh connections from your server to the printer attached to this server, edit the <TT
CLASS="filename"
>/etc/syslog.conf</TT
> file (<B
CLASS="command"
>vi</B
> /etc/syslog.conf) and add the following line at the end of the file. In the selector, <TT
CLASS="literal"
>auth</TT
> and <TT
CLASS="literal"
>authpriv</TT
> carry the login, su and sshd messages, <TT
CLASS="literal"
>mail</TT
> the mailer, <TT
CLASS="literal"
>local7</TT
> the boot messages that Red Hat also writes to <TT
CLASS="filename"
>/var/log/boot.log</TT
>, and <TT
CLASS="literal"
>daemon.info</TT
> everything from other daemons at priority info or more severe:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; authpriv.*;mail.*;local7.*;auth.*;daemon.info /dev/lp0
</PRE
></TD
></TR
></TABLE
>
Now restart your syslog daemon for the change to take effect:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; [root@deep] /# /etc/rc.d/init.d/syslog <B
CLASS="command"
>restart</B
>
</PRE
></TD
></TR
></TABLE
>
</P
><P
>&#13; To log all telnet, mail, boot messages and ssh connections from your server to a printer attached to a remote server on your local network, add the same line to the <TT
CLASS="filename"
>/etc/syslog.conf</TT
> file on the remote server, then forward the messages to it as described below.
If you don't have a printer on your network, you can still copy all the log messages to another machine; simply omit the first step below of adding <TT
CLASS="filename"
>/dev/lp0</TT
> to the <TT
CLASS="filename"
>syslog.conf</TT
> file on the remote host and go directly to the <TT
CLASS="literal"
>-r</TT
> option step on the remote host. Collecting the log messages of all your servers on one host lets you review every syslog message in one place and reduces the administration burden; it also means that an intruder on any one server cannot erase the copy held there (a compromised server can still stop sending, so a sudden silence from a host is itself worth investigating).
Edit the <TT
CLASS="filename"
>syslog.conf</TT
> file (<B
CLASS="command"
>vi</B
> /etc/syslog.conf) on the remote server, for example <TT
CLASS="literal"
>mail.openna.com</TT
>, and add at the end of this file the following line:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; authpriv.*;mail.*;local7.*;auth.*;daemon.info <TT
CLASS="filename"
>/dev/lp0</TT
>
</PRE
></TD
></TR
></TABLE
>
Since the default configuration of the syslog daemon is to not accept any messages from the network, we must enable the remote server to receive them. Note that with this option syslogd accepts UDP datagrams on port 514 from any host, and the protocol has no authentication, so the firewall rule shown further below, which restricts the source addresses, is part of the setup rather than optional. To enable reception of messages from the network on the remote server, add the <TT
CLASS="literal"
>-r</TT
> option to your syslog daemon start-up script, <EM
>only on the remote host</EM
>:
Edit the syslog daemon script <B
CLASS="command"
>vi</B
> +24 <TT
CLASS="filename"
>/etc/rc.d/init.d/syslog</TT
> and change:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
>&#13;
<B
CLASS="command"
>daemon</B
> syslogd -m 0
</PRE
></TD
></TR
></TABLE
>
To read:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
>&#13; <B
CLASS="command"
>daemon</B
> syslogd -r -m 0
</PRE
></TD
></TR
></TABLE
>
Now restart your syslog daemon on the remote host for the change to take effect:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; [root@mail /]# /etc/rc.d/init.d/syslog <B
CLASS="command"
>restart</B
>
</PRE
></TD
></TR
></TABLE
>
</P
></DIV
><P
>&#13; Now, if we have a firewall on the remote server (and you are supposed to have one), we must add or verify the existence
of the following lines in the firewall script file:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
>&#13; ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ <A
NAME="exin1"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
>
-s $SYSLOG_CLIENT \ <A
NAME="ipd1"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
>
-d $IPADDR 514 -j ACCEPT <A
NAME="syse1"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
>
</PRE
></TD
></TR
></TABLE
>
<DIV
CLASS="calloutlist"
><DL
COMPACT="COMPACT"
><DT
><A
HREF="chap5sec50.html#exin1"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
></DT
><DD
>&#13; Where EXTERNAL_INTERFACE="eth0" in the firewall file.
</DD
><DT
><A
HREF="chap5sec50.html#ipd1"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
></DT
><DD
>&#13; Where SYSLOG_CLIENT="208.164.168.0/24" in the firewall file; only datagrams whose source lies in this network are accepted.
</DD
><DT
><A
HREF="chap5sec50.html#syse1"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
></DT
><DD
>&#13; Where IPADDR="208.164.186.2" in the firewall file, the address of the remote syslog server.
</DD
></DL
></DIV
>
</P
><P
>&#13; Now restart your firewall on the remote host for the change to take effect:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; [root@mail /]# /etc/rc.d/init.d/firewall <B
CLASS="command"
>restart</B
>
</PRE
></TD
></TR
></TABLE
>
This firewall rule accepts incoming UDP packets to port 514 (the syslog port) on the remote server only when they come from our internal client network. For more information on firewalls see Chapter 7, <TT
CLASS="filename"
>Networking firewall</TT
>.
</P
><P
>&#13; Finally, edit the syslog.conf file <TT
CLASS="filename"
>vi /etc/syslog.conf</TT
> on the local server, and add at the end of this file the following line:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
>&#13; authpriv.*;mail.*;local7.*;auth.*;daemon.info @mail
</PRE
></TD
></TR
></TABLE
>
Where mail is the hostname of the remote server; it must resolve to the address of that server when syslogd starts, preferably through <TT
CLASS="filename"
>/etc/hosts</TT
> so that logging does not depend on DNS. Now if anyone ever hacks your box and tries to erase vital system logs, you still
have a copy of everything on the remote host and, if a printer is attached to it, on paper. It should then be fairly simple to trace where they came from and deal with it accordingly.
Now restart your syslog daemon for the change to take effect:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; [root@deep] /# /etc/rc.d/init.d/syslog <B
CLASS="command"
>restart</B
>
</PRE
></TD
></TR
></TABLE
>
Same as on the remote host, we must add or verify the existence of the following lines in our firewall script file on the local host:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
>&#13; ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ <A
NAME="exin2"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
>
-s $IPADDR 514 \ <A
NAME="ipd2"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
>
-d $SYSLOG_SERVER 514 -j ACCEPT <A
NAME="syse2"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
>
</PRE
></TD
></TR
></TABLE
>
<DIV
CLASS="calloutlist"
><DL
COMPACT="COMPACT"
><DT
><A
HREF="chap5sec50.html#exin2"
><IMG
SRC="../images/callouts/1.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(1)"></A
></DT
><DD
>&#13; Where EXTERNAL_INTERFACE="eth0" in the firewall file.
</DD
><DT
><A
HREF="chap5sec50.html#ipd2"
><IMG
SRC="../images/callouts/2.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(2)"></A
></DT
><DD
>&#13; Where IPADDR="208.164.186.1" in the firewall file.
</DD
><DT
><A
HREF="chap5sec50.html#syse2"
><IMG
SRC="../images/callouts/3.gif"
HSPACE="0"
VSPACE="0"
BORDER="0"
ALT="(3)"></A
></DT
><DD
>&#13; Where SYSLOG_SERVER="mail.openna.com" in the firewall file.
</DD
></DL
></DIV
>
</P
><P
>&#13; Now restart your firewall for the change to take effect:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; [root@deep] /# /etc/rc.d/init.d/firewall <B
CLASS="command"
>restart</B
>
</PRE
></TD
></TR
></TABLE
>
This firewall rule allows outgoing UDP packets from port 514 (the syslog port) on the local server to port 514 on the remote syslog server. For more information on
firewalls see Chapter 7, Networking firewall.
</P
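>
<P
>&#13; As an added example, not from the book, the following Python script models what the configuration above does at the message level: it applies the selector line <TT
CLASS="literal"
>authpriv.*;mail.*;local7.*;auth.*;daemon.info</TT
> to individual messages the way sysklogd does (a priority selects itself and everything more severe, so <TT
CLASS="literal"
>daemon.info</TT
> forwards <TT
CLASS="literal"
>daemon.warning</TT
> but not <TT
CLASS="literal"
>daemon.debug</TT
>), builds the RFC 3164 datagram that an <TT
CLASS="literal"
>@mail</TT
> action puts on UDP port 514, decodes it as the collector would, and checks the sender address against the SYSLOG_CLIENT network, which is the check the ipchains rule performs at the packet filter since <TT
CLASS="literal"
>syslogd -r</TT
> itself accepts datagrams from anyone. The facility and priority codes are those of <TT
CLASS="filename"
>&lt;sys/syslog.h&gt;</TT
>; the hostnames, tag and message texts in the loopback demonstration are constructed for the example, and the handling of <TT
CLASS="literal"
>=</TT
>, <TT
CLASS="literal"
>!</TT
> and <TT
CLASS="literal"
>none</TT
> follows the syslog.conf(5) man page of sysklogd.
</P
>
```python
"""Added example, not from the book: what the syslog.conf selector on this page
routes, and what an '@mail' action puts on the wire (RFC 3164 BSD syslog)."""
import ipaddress
import re
import socket
from datetime import datetime

# Facility and priority codes from <sys/syslog.h>; PRI = facility * 8 + priority.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
# Lower code = more severe; 'daemon.info' selects info and everything more severe.
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAME = {v: k for k, v in FACILITIES.items()}
PRIORITY_NAME = {v: k for k, v in PRIORITIES.items()}
PAGE_SELECTOR = "authpriv.*;mail.*;local7.*;auth.*;daemon.info"  # line from the page
SYSLOG_CLIENT = "208.164.168.0/24"  # sender network from the page's firewall rule
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def selected_priorities(selector):
    """Map each facility to the set of priority codes the selector routes,
    following the sysklogd syslog.conf(5) rules: 'fac.level' adds level and
    more severe, 'fac.=level' adds only that level, 'fac.none' drops the
    facility, 'fac.!level' removes level and more severe, 'fac.!=level' one."""
    table = {fac: set() for fac in FACILITIES}
    for part in selector.split(";"):
        facs, _, level = part.strip().rpartition(".")
        for fac in (list(FACILITIES) if facs == "*" else facs.split(",")):
            if fac not in table:
                raise ValueError("unknown facility %r" % fac)
            if level == "none":
                table[fac].clear()
            elif level == "*":
                table[fac].update(PRIORITIES.values())
            elif level.startswith("!="):
                table[fac].discard(PRIORITIES[level[2:]])
            elif level.startswith("!"):
                table[fac] -= {c for c in PRIORITIES.values() if c <= PRIORITIES[level[1:]]}
            elif level.startswith("="):
                table[fac].add(PRIORITIES[level[1:]])
            else:
                table[fac].update(c for c in PRIORITIES.values() if c <= PRIORITIES[level])
    return table


def matches(selector, facility, priority):
    """True if a message of (facility, priority) is routed by the selector."""
    return PRIORITIES[priority] in selected_priorities(selector)[facility]


def encode_datagram(facility, priority, hostname, tag, message, when=None):
    """The datagram '<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG' that an '@host'
    action sends to UDP/514.  PRI is the receiver's only classification, and
    nothing in the packet is authenticated."""
    pri = FACILITIES[facility] * 8 + PRIORITIES[priority]
    when = when or datetime.now()
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return ("<%d>%s %s %s: %s" % (pri, stamp, hostname, tag, message)).encode("ascii", "replace")


def decode_datagram(data):
    """Return (facility, priority, text) for a datagram, or raise ValueError."""
    m = PRI_RE.match(data)
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("no valid PRI field")
    fac_code, pri_code = divmod(int(m.group(1)), 8)
    if fac_code not in FACILITY_NAME:
        raise ValueError("unknown facility code %d" % fac_code)
    return FACILITY_NAME[fac_code], PRIORITY_NAME[pri_code], data[m.end():].decode("ascii", "replace")


def collector_accepts(sender_ip, allowed_net=SYSLOG_CLIENT):
    """'syslogd -r' takes datagrams from anyone; this is the firewall's source check."""
    return ipaddress.ip_address(sender_ip) in ipaddress.ip_network(allowed_net)


def route(selector, facility, priority, hostname, tag, message, when=None):
    """Client side for one message: the datagram to send, or None if dropped."""
    if not matches(selector, facility, priority):
        return None
    return encode_datagram(facility, priority, hostname, tag, message, when)


if __name__ == "__main__":
    # Loopback demonstration with constructed messages: a stand-in for 'mail'
    # listening on an ephemeral UDP port, and 'deep' sending through the rule.
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for fac, pri, msg in [("auth", "info", "session opened for user root"),
                          ("daemon", "debug", "verbose noise, never forwarded")]:
        dgram = route(PAGE_SELECTOR, fac, pri, "deep", "sshd[1234]", msg)
        if dgram:
            client.sendto(dgram, server.getsockname())
    server.settimeout(2)
    data, (ip, _) = server.recvfrom(1024)
    print(decode_datagram(data), "from", ip, "accepted:", collector_accepts(ip, "127.0.0.0/8"))
```
<P
>&#13; Saved as, say, <TT
CLASS="filename"
>syslog_model.py</TT
> (an assumed name) and run with <TT
CLASS="literal"
>python3 syslog_model.py</TT
>, it sends two constructed messages through the rule over the loopback interface: the <TT
CLASS="literal"
>auth.info</TT
> one arrives and is decoded, the <TT
CLASS="literal"
>daemon.debug</TT
> one is dropped by the selector before it is ever sent. Nothing in the datagram proves where it came from, which is why the source restriction has to live in the packet filter and not in syslogd.
</P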
><DIV
CLASS="important"
><BLOCKQUOTE
CLASS="important"
><P
><B
><SPAN
CLASS="inlinemediaobject"
><IMG
SRC="./images/Important.gif"
ALT="Important"
></IMG
></SPAN
>: </B
>
Never use your Gateway Server as the host that collects all syslog messages; this is a very bad idea, because the gateway is the most exposed machine on your network and a compromise of it would hand the attacker every log at once. More options and strategies exist with the sysklogd program, see
the man pages about <SPAN
CLASS="citerefentry"
><SPAN
CLASS="refentrytitle"
>sysklogd</SPAN
>(8)</SPAN
>, <SPAN
CLASS="citerefentry"
><SPAN
CLASS="refentrytitle"
>syslog</SPAN
>(2)</SPAN
>,
and <SPAN
CLASS="citerefentry"
><SPAN
CLASS="refentrytitle"
>syslog.conf</SPAN
>(5)</SPAN
> for more information.
</P
></BLOCKQUOTE
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="chap5sec49.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="chap5sec51.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Disable <B
CLASS="keycap"
>Ctrl-Alt-Delete</B
> keyboard shutdown command</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="gen-syssecured.html"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Tighten scripts under <TT
CLASS="filename"
>/etc/rc.d/</TT
></TD
></TR
></TABLE
></DIV
></BODY
></HTML
>