[syslog-ng] Security and Integrity support?
Gregor Binder
gbinder@sysfive.com
Wed, 29 Nov 2000 02:35:44 +0100
William Yodlowsky on Tue, Nov 28, 2000 at 07:35:42PM -0500:

Hi,

> Could it perhaps link to TCP Wrappers' libwrap instead?
>
> Personally, I'd prefer that to most other options I can think of for
> basic control like this.

I agree. I think having to maintain packet filter configurations for
every system that serves a critical function is a bit much. Plus, the
wrappers are supported on and the configuration is portable to many
UNIX systems. Also, some commercial UNIX systems are not shipped with
packet filtering capabilities.

When I suggested this to Balazs, he correctly said that tcp PARANOID
checking could easily DoS your nameserver when it is used to control
access to your syslog/udp.

Obviously, the same goes for rfc931 (ident), spawn and other nice
hosts.* directives.

You could also produce nice effects by logging access to the syslog
port to a remote machine, which in turn for security reasons sends all
network access information to you as a replication means :)

I still think it would be really nice to have, especially because it's
portable, well tested and I believe lots of people still use it for
non-firewall machines. I do :)

Greetings,
Gregor.
--
Gregor Binder <gbinder@sysfive.com> http://www.sysfive.com/~gbinder/
sysfive.com GmbH UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany TEL +49-40-63647482
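
The concern raised in the message above, as an added example that is not part of the original post or of syslog-ng: a small Python check that flags hosts.allow/hosts.deny rules which would cost a name lookup, an ident query or a spawned process for each matching client. The daemon name `syslog-ng`, the sample rules, IPv4-only patterns and the hosts_options(5) extended syntax are assumptions.

```python
import ipaddress
import re

# Client tokens that make libwrap resolve the peer's name (hosts_access(5)).
NAME_WILDCARDS = {"PARANOID", "KNOWN", "UNKNOWN", "LOCAL"}
# hosts_options(5) keywords that trigger an ident query or a new process.
COSTLY_OPTIONS = {"rfc931", "spawn", "twist"}

def is_numeric(pattern):
    """True for client patterns that match on the address alone."""
    if pattern == "ALL" or re.fullmatch(r"(\d{1,3}\.){1,3}", pattern):
        return True  # wildcard, or prefix form such as "192.0.2."
    try:
        ipaddress.ip_network(pattern, strict=False)  # host or net/mask
        return True
    except ValueError:
        return False

def lint(text, daemon="syslog-ng"):
    """Return (line_no, reason) for each costly rule that applies to daemon."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) < 2:
            continue  # blank line, comment, or not a rule
        daemons = re.split(r"[\s,]+", fields[0])
        if daemon not in daemons and "ALL" not in daemons:
            continue
        for client in re.split(r"[\s,]+", fields[1]):
            if "@" in client:
                findings.append((no, client + ": ident (rfc931) query"))
            elif client in NAME_WILDCARDS or (
                    client not in ("", "EXCEPT") and not is_numeric(client)):
                findings.append((no, client + ": name lookup"))
        for option in fields[2:]:
            keyword = option.split(" ", 1)[0]
            if keyword in COSTLY_OPTIONS:
                findings.append((no, keyword + ": runs for every match"))
    return findings

# Constructed hosts.allow content, for illustration only.
SAMPLE = """\
# the daemon name "syslog-ng" is assumed
syslog-ng : 192.0.2.0/255.255.255.0 : allow
syslog-ng : .example.com : allow
syslog-ng : PARANOID : rfc931 10 : deny
sshd : ALL@ALL : spawn /bin/true : deny
ALL : UNKNOWN : spawn (/usr/bin/logger denied %a) & : deny
"""
```

Calling `lint(SAMPLE)` returns the flagged rules as (line number, reason) pairs; the address-only rule on line 2 is the only `syslog-ng` rule that passes.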