Section 4.10 The syslogd Service

   


(Danger level: 2)

The syslogd facility is used by many of the daemons and by the kernel to log error messages and advisory messages. It can also accept messages from remote systems over UDP port 514 and log them locally. This is a convenient way to consolidate messages from multiple systems so that you only have to scan and review one set of log files. Recent versions of syslogd listen on UDP port 514 for messages from remote systems only when started with the -r flag. This is a welcome security enhancement: the large majority of systems, which do not use this feature, are immune to crackers sending messages to this port.

The remote logging feature can increase security by logging activity on a system remotely. Thus, if a system is compromised and all log files destroyed, you still have the data on the remote system, assuming that the remote system is not also compromised. By having a special "high-security" system with minimal services supported (to reduce the likelihood of compromise) do the logging, the chance of all logs being destroyed is minimized. This is discussed in "Monitoring Activity" on page 605.

However, UDP packet spoofing is trivial. Fortunately, modern versions of syslogd (syslogd 1.3, since at least as far back as Red Hat 6.0) do not monitor UDP port 514 unless the -r flag is given. There have been some exploits that cause a DoS by repeatedly sending packets to syslogd, denying access to legitimate clients or even filling up disk space with the volume of logged messages. Occasionally, a cracker will write fake log messages to various systems that have this port accessible from the Internet.

There may even be ways to gain root access, though hopefully these have been fixed by the time you read this, assuming that you have the latest syslogd. Certainly, some crackers will spoof their UDP source IP, which is trivial, and then send messages. These will be logged and could easily confuse you. They may falsely indicate a break-in, because any text at all may be placed in them.

The clear solution is to have your firewall block this port from access by sites outside the trusted network.

Do not use syslogd's -r flag unless you really need it and ensure that the firewall blocks access to UDP port 514. The nsyslogd program is a replacement for syslogd that offers SSL-wrapped TCP access for security. It may be downloaded from

http://coombs.anu.edu.au/~avalon/nsyslog.html
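As an added example (not code from the book), the following POSIX shell audit applies this section's advice: it reports whether syslogd is running with -r and whether UDP port 514 is open, and prints firewall rules that restrict the port to a trusted network. The /etc/sysconfig/syslog layout, the netstat -anu column order and the iptables syntax are assumptions, and the sample inputs at the bottom are constructed.

```shell
#!/bin/sh
# Added audit helper (example code, not from the book). It checks the two things
# this section turns on: whether syslogd was started with -r, and whether anything
# is bound to UDP port 514, then prints firewall rules that limit the port to a
# trusted network. Red Hat config layout, netstat columns, iptables syntax: assumed.

# syslogd_remote_enabled CONFIG_TEXT: exit 0 when SYSLOGD_OPTIONS contains -r.
# Input is the text of /etc/sysconfig/syslog.
syslogd_remote_enabled() {
    opts=$(printf '%s\n' "$1" | sed -n 's/^SYSLOGD_OPTIONS="\(.*\)"/\1/p')
    case " $opts " in
        *" -r "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# udp514_listening NETSTAT_TEXT: exit 0 when a UDP socket is bound to port 514.
# Input is the output of "netstat -anu" (local address is the fourth column).
udp514_listening() {
    printf '%s\n' "$1" |
        awk '$1 == "udp" && $4 ~ /:514$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# udp514_firewall_rules TRUSTED_CIDR: print rules that accept syslog only from
# the trusted network and drop everything else arriving on UDP/514.
udp514_firewall_rules() {
    printf 'iptables -A INPUT -p udp --dport 514 -s %s -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -p udp --dport 514 -j DROP\n'
}

# audit_syslogd CONFIG_TEXT NETSTAT_TEXT: print one word summarising exposure.
#   remote  -> -r is set and the port is open: apply the firewall rules
#   listen  -> port 514 is open although -r is not set: find out what owns it
#   closed  -> nothing listens on UDP/514
audit_syslogd() {
    if syslogd_remote_enabled "$1" && udp514_listening "$2"; then
        echo remote
    elif udp514_listening "$2"; then
        echo listen
    else
        echo closed
    fi
}

# Constructed sample inputs (not captured from a real host) for a dry run.
SAMPLE_CONF='SYSLOGD_OPTIONS="-m 0 -r"'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*'
```

On a live host, run `audit_syslogd "$(cat /etc/sysconfig/syslog)" "$(netstat -anu)"` and, when it reports `remote`, feed the output of `udp514_firewall_rules <trusted-network>` to the firewall (ipchains syntax differs on 2.2 kernels).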



   
Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002
Pages: 260
