The association of IP and name would be done on the server side by manipulating the local hosts file or a local DNS server owned by the server team. The generation and use of certificates would then be managed by the server management team. On the client side there would not be any control. The association of IP and name would be fixed. The best way would be not having to use this association, and having control of the protocol IP and the subject IP address.

Kind Regards
Alexandre

-----Original Message-----
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> On Behalf Of SZIGETVÁRI János
Sent: 27 July 2020 14:31
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Certificate ip authentication

Hi Alexandre,

AFAIK, there is no way to verify the certificate subjects of connecting clients on a syslog-ng server. A little over a month back I created this feature request: https://github.com/syslog-ng/syslog-ng/issues/3312

On the other hand, even if this part of the security picture were spotless, the client machine's hostname could still be changed through a rewrite rule on the client machine if the user has any way of changing syslog-ng's configuration (through file permissions, being a member of a group, or through possessing administrative privileges).

Best Regards,
János

--
Janos SZIGETVARI
RHCE, License no. 150-053-692
LinkedIn: linkedin.com/in/janosszigetvari
__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp

Alexandre Damas <alexandre.m.damas@nos.pt> wrote (on 27 Jul 2020, Mon, 13:34):
Hi,
As my objective in using syslog-ng is the authentication and certification of received security and auditing events, I implemented an internal CA which generates a certificate per syslog-ng client.
Once there was someone who misconfigured a client and got a certificate for a different client. The funny part of it is that no one observed any problem, as the certificate, which was generated for a client having an IP (different from the one configured on the machine), was working and communications (using ALTP with TLS) went up for the exchange of messages.
Has anyone experienced this? Does someone have a clue on how to prevent certificate reutilization on the client side?
On the Linux side I did not find any way of preventing the utilization of a certificate on one machine when it was issued for a different machine, having a different IP. If there is no cross-checking on the server of the IP addresses on the certificate against the IP address of the received event, I don't have a way of ensuring non-repudiation of a received event, and the client can reuse the certificate on other machines, allowing the events to be received on the server.
Kind Regards
Alexandre Damas
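The cross-check Alexandre asks for (the identity in the client certificate versus the address the connection actually came from) is, per János's reply, not something syslog-ng itself performs. The following is an added illustration of what such a check looks like on the receiving side; it is not syslog-ng code and not from this thread. It takes a certificate in the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns, plus a hosts-file style name-to-IP table standing in for the server-owned hosts file or local DNS that Alexandre proposes. The certificates, hosts entries, addresses and the helper names load_hosts, cert_names and verify_peer are all constructed for the example.

```python
"""Receiver-side check that a client certificate's identity matches the peer
address a TLS connection arrived from.  Added example: not syslog-ng code and
not from the mailing-list thread; all names and data below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed hosts-file text standing in for the server-owned hosts file or
# local DNS zone that fixes the name <-> IP association.
HOSTS_TEXT = """\
# client inventory, maintained by the server team
10.0.0.5   client-a.example.internal client-a
10.0.0.6   client-b.example.internal client-b
"""

# Constructed certificate in the dict layout of ssl.SSLSocket.getpeercert():
# issued for client-a, carrying both a DNS SAN and an IP SAN.
CERT_CLIENT_A = {
    "subject": ((("commonName", "client-a.example.internal"),),),
    "subjectAltName": (
        ("DNS", "client-a.example.internal"),
        ("IP Address", "10.0.0.5"),
    ),
}

# Constructed legacy-style certificate with no SAN at all, only a subject CN.
CERT_CN_ONLY = {
    "subject": ((("commonName", "client-b.example.internal"),),),
}


def load_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file lines ("ip name [alias ...]", '#' comments) into a
    lower-cased name -> normalised IP map.  Hypothetical helper."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip = str(ipaddress.ip_address(fields[0]))  # raises on a malformed address
        for name in fields[1:]:
            mapping[name.lower()] = ip
    return mapping


def cert_names(cert: dict) -> Tuple[List[str], List[str]]:
    """Return (ip_sans, dns_names) from the certificate.  SAN entries take
    precedence; the subject CN is consulted only when the certificate carries
    no SAN, which is how modern TLS implementations treat CN."""
    ips: List[str] = []
    dns: List[str] = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "IP Address":
            ips.append(str(ipaddress.ip_address(value)))
        elif kind == "DNS":
            dns.append(value.lower())
    if not ips and not dns:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value.lower())
    return ips, dns


def verify_peer(cert: dict, peer_ip: str, hosts: Dict[str, str]) -> Tuple[bool, str]:
    """Accept the connection only if the peer address is an IP SAN of the
    certificate, or is what the server-owned hosts table maps a DNS SAN (or
    fallback CN) to.  Returns (ok, reason) so the decision can be logged."""
    peer = str(ipaddress.ip_address(peer_ip))
    ips, dns = cert_names(cert)
    if peer in ips:
        return True, f"IP SAN {peer} matches peer address"
    for name in dns:
        if hosts.get(name) == peer:
            return True, f"name {name} maps to peer address {peer}"
    return False, (f"certificate names {ips + dns} do not match peer {peer}; "
                   "possible certificate reuse on another machine")


if __name__ == "__main__":
    hosts = load_hosts(HOSTS_TEXT)
    # client-a's certificate presented from client-a's own address: accepted
    print(verify_peer(CERT_CLIENT_A, "10.0.0.5", hosts))
    # the same certificate presented from a different machine: rejected
    print(verify_peer(CERT_CLIENT_A, "10.0.0.9", hosts))
    # CN-only certificate, resolved through the server-owned hosts table
    print(verify_peer(CERT_CN_ONLY, "10.0.0.6", hosts))
```

The second call models the incident in the thread: a certificate issued for one client presented from another address, which this check rejects and which plain TLS handshake validation accepts. Keying the name-to-IP table on data the server team controls (rather than on client-supplied hostnames) is what makes the check meaningful, since, as János notes, anything the client sends in the message itself can be rewritten by whoever controls the client's configuration.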
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq