All, I've been sorting system information with syslog-ng just fine, but it happened in a LAN environment. Now I plan on starting off with a public IPv6 address and that raises some concerns. What would you advise to check to be sure? How should remote logging be set up so that some mutual (or at least client) cryptographic authentication happens? Thanks...
Either use Syslog-NG Premium Edition with SSL transport or set up OpenVPN (or any other VPN) for the transport. It is a very bad idea to let anyone write logs to your system from the Internet. At the absolute minimum, use a firewall or iptables to only allow known-hosts to send logs. That's still poor protection if you're allowing UDP, as UDP can be spoofed.

On Sat, Jul 9, 2011 at 4:44 AM, Kārlis Repsons <repsons@gmail.com> wrote:
> All,
> I've been sorting system information with syslog-ng just fine, but it happened in a LAN environment. Now I plan on starting off with a public IPv6 address and that raises some concerns. What would you advise to check to be sure? How should remote logging be set up so that some mutual (or at least client) cryptographic authentication happens? Thanks...
Martin Holste <mcholste@gmail.com> writes:
> Either use Syslog-NG Premium Edition with SSL transport or set up OpenVPN (or any other VPN) for the transport.

You don't necessarily need PE for SSL. syslog-ng 3.2 OSE supports TLS as well, at least according to the documentation. I only have the sources for 3.3 at hand, and that includes TLS support for sure.

> It is a very bad idea to let anyone write logs to your system from the Internet. At the absolute minimum, use a firewall or iptables to only allow known-hosts to send logs. That's still poor protection if you're allowing UDP, as UDP can be spoofed.

Either a VPN or syslog-ng's built-in TLS support works like a charm. Although if one needs to use UDP for some reason, then VPN is pretty much the only option. The advantage of using syslog-ng's built-in TLS support over a VPN is that it's a single service. If an attacker gains root on a client, the best he can do is send fake logs. If he had control over that side of the VPN, that'd open up a few more possibilities (unless guarded against.. but then it's easier to use syslog-ng :P).

-- |8]
On Sat, 2011-07-09 at 23:34 +0200, Gergely Nagy wrote:
> Martin Holste <mcholste@gmail.com> writes:
> > Either use Syslog-NG Premium Edition with SSL transport or set up OpenVPN (or any other VPN) for the transport.
>
> You don't necessarily need PE for SSL. syslog-ng 3.2 OSE supports TLS as well, at least according to the documentation.
> I only have the sources for 3.3 at hand, and that includes TLS support for sure.

IIRC it was released in syslog-ng 3.0.

-- Bazsi
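
A configuration for the built-in TLS transport discussed in this thread, with mutual certificate authentication on an IPv6 listener. This is an added example, not part of any poster's message; the file paths, port 6514, the host name logserver.example.net and the source name s_local are assumptions, and the option names should be checked against the documentation of the installed syslog-ng version.

```conf
# Added example, not from the thread. Paths, port and host names are assumptions.

# --- Log server: IPv6 listener that only accepts authenticated clients ---
source s_remote_tls {
    tcp6(
        ip("::") port(6514)
        tls(
            key-file("/etc/syslog-ng/key.d/server.key")
            cert-file("/etc/syslog-ng/cert.d/server.crt")
            # ca-dir() expects each CA certificate under its OpenSSL
            # subject-hash name (<hash>.0), e.g. as a symlink.
            ca-dir("/etc/syslog-ng/ca.d")
            # Drop the connection unless the client presents a certificate
            # that chains to a CA in ca-dir(). The optional-* settings would
            # let senders without a valid certificate through.
            peer-verify(required-trusted)
        )
    );
};

destination d_remote {
    file("/var/log/remote.log");
};

log { source(s_remote_tls); destination(d_remote); };

# --- Client: authenticates the server and presents its own certificate ---
destination d_logserver_tls {
    tcp6(
        "logserver.example.net" port(6514)
        tls(
            ca-dir("/etc/syslog-ng/ca.d")
            key-file("/etc/syslog-ng/key.d/client.key")
            cert-file("/etc/syslog-ng/cert.d/client.crt")
            # Refuse to send logs to a server whose certificate does not
            # validate against the local CA directory.
            peer-verify(required-trusted)
        )
    );
};

# s_local stands for whatever local source the client already defines.
log { source(s_local); destination(d_logserver_tls); };
```

With this setup a compromised client key still allows that client to submit forged log lines, so issuing one certificate per client keeps revocation limited to the affected host.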
participants (4)
- Balazs Scheidler
- Gergely Nagy
- Kārlis Repsons
- Martin Holste