Network Security Hacks [Electronic resources] - text version

Andrew Lockhart

Hack 54 Run a Central Syslog Server

Keep your logs safe from attackers by storing them remotely.

Once an intruder has gained entry into one of your systems, how are you to know when or if this has happened? By checking your logs, of course. What if the intruder modified the logs? In this situation, centralized logging definitely saves the day. After all, if a machine is compromised but the log evidence isn't kept on that machine, it's going to be much more difficult for the attacker to cover his tracks. In addition to providing an extra level of protection, it's also much easier to monitor the logs for a whole network of machines when they're all in one place.

To quickly set up a central syslog server, just start your syslogd with the switch that causes it to listen for messages from remote machines on a UDP port.

This is done under Linux by specifying the -r command-line option:

# /usr/sbin/syslogd -m 0 -r

Under FreeBSD, run syslogd without the -s command-line option:

# /usr/sbin/syslogd

The -s option causes FreeBSD's syslogd to not listen for remote connections. FreeBSD's syslogd also allows you to restrict what hosts it will receive messages from. To set these restrictions, use the -a option, which has the following forms:

ipaddr/mask[:service]
domain[:service]
*domain[:service]

The first form allows you to specify a single IP address or a group of IP addresses by using the appropriate netmask. The service option allows you to specify a source UDP port. If nothing is specified, it defaults to port 514, which is the default for the syslog service. The next two forms allow you to restrict access to a specific domain name, as determined by a reverse lookup of the IP address of the connecting host. The difference between the second and third is the use of the * wildcard character, which specifies that all machines whose names end in domain may connect.

Moving on, OpenBSD uses the -u option to listen for remote connections:

# /usr/sbin/syslogd -a /var/empty/dev/log -u

whereas Solaris's syslogd uses -T:

# /usr/sbin/syslogd -T

Now let's set up the clients. If you want to forward all logging traffic from a machine to your central log host, simply put the following in your /etc/syslog.conf:

*.*            @loghost

You can either make this the only line in the configuration file, in which case messages will be logged only to the remote host, or add it to what is already there, in which case logs will be stored both locally and remotely for safekeeping.

One drawback to remote logging is that the stock syslogd for most operating systems fails to provide any measure of authentication or access control with regard to who may write to a central log host. Firewalls can provide some protection, keeping out everyone but those who are determined to undermine your logging infrastructure; however, someone who has already gained access to your local network can easily spoof his network connection and bypass any firewall rules that you set up. If you've determined that this is a concern for your network, take a look at [Hack #59], which discusses one method for setting up remote logging using public-key authentication and SSL-encrypted connections.
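As an added example (not code from the book or from any syslogd), here is a small Python UDP receiver that applies the three -a forms described above as an allowlist on every incoming datagram, decodes the BSD syslog <PRI> prefix, and shows where the spoofing caveat bites: the source address and reverse name are all the filter has to go on. The addresses and domain names in ALLOW_RULES are constructed.

```python
import ipaddress
import socket
# Constructed allowlist in the three forms FreeBSD's syslogd -a accepts: ipaddr/mask[:service], domain[:service], *domain[:service] (hypothetical names)
ALLOW_RULES = ["10.0.1.0/24", "192.168.5.7/32:5140", "loghost.example.internal", "*.example.internal"]

def parse_rule(rule):
    """Split one -a style entry into (pattern, port); port defaults to 514. IPv4 only."""
    pattern, _, service = rule.rpartition(":")
    return (rule, 514) if not pattern else (pattern, int(service))

def source_allowed(src_ip, src_port, reverse_name, rules):
    """True if a datagram from (src_ip, src_port) matches a rule; reverse_name is the PTR result or None."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        pattern, port = parse_rule(rule)
        if port != src_port:
            continue
        if pattern.startswith("*"):      # *domain: any reverse name ending in the suffix
            if reverse_name and reverse_name.endswith(pattern[1:]):
                return True
        elif pattern[0].isdigit():       # ipaddr/mask: address inside the network
            if addr in ipaddress.ip_network(pattern, strict=False):
                return True
        elif reverse_name == pattern:    # domain: exact reverse-name match
            return True
    return False

def parse_priority(msg):
    """Decode the <PRI> prefix of a BSD syslog line into (facility, severity), or None."""
    end = msg.find(">")
    if not msg.startswith("<") or end < 2 or not msg[1:end].isdigit():
        return None
    pri = int(msg[1:end])
    return (pri // 8, pri % 8) if pri <= 191 else None

def serve(port=514, rules=ALLOW_RULES):
    """Receive UDP syslog, drop sources the allowlist does not match, print the rest."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))         # 514 needs root; pass a high port to try it unprivileged
    while True:
        data, (ip, sport) = sock.recvfrom(2048)
        try:
            name = socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            name = None
        if not source_allowed(ip, sport, name, rules):
            continue                     # an IP or PTR allowlist is still spoofable on the local LAN
        text = data.decode("utf-8", "replace")
        print(ip, parse_priority(text), text)
```

Run serve(5514) as an unprivileged user and point a client's syslog.conf at that port to watch which sources are accepted.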
