[syslog-ng]How about a "passive" syslog server?

Gregor Binder syslog-ng@lists.balabit.hu
Thu, 3 Apr 2003 13:09:00 +0200


Jason Haar on Thu, Apr 03, 2003 at 02:50:05PM +1200:

Hi Jason,

> Linux's netfilter has the REDIRECT rulesets which could be used to do this
> as well. I mean, right now we use REDIRECT so that our Squid proxy server
> can act as a transparent proxy server, so what about syslog-ng?  As Squid
> requires you to enable it - I suppose syslog-ng would still need to be
> altered to support that option too?

I don't think you would need any special support in syslog-ng; this is
basically the same principle as used in setting up ssltunnel or sshd
forwardings. Personally, I have had no problems either forwarding messages
to syslog-ng using OpenBSD pf.

Realize, however, that if implemented like this, you're basically only
obscuring the service; it is still as reachable as any more "visible" service
would be. The good thing is, you can "sudo -u <unpriv> syslog-ng", which
then can be bound to localhost:>1024, and make a mapping for the privileged
port 514.

> Anyone else tried to do this? The security advantage is that you could
> enable syslog in your DMZes, point them at a non-existent IP address, and
> your IDS could pick up those messages as they flow past it. Any server
> compromise leads the hackers to believe there is a syslog server - but it's
> down...

As the mentioned passlogd and snort have shown recently, it is not
required to have a listening port of some kind to be exploitable. Grabbing
data from the wire can be vulnerable to similar problems as interactive
services.

If you're using UDP-based syslog, you could try to get it to work with
a read-only Ethernet cable; if it's your IDS at the same time, this
would add some real security IMHO.

Regards,

-- 
 ____ ____ 
/  _/| -  >  Gregor Binder <gb@(rootnexus.net|sysfive.com)>
| / || _\ \
\__ Id: 0xE2F31C4B Fp: 8B8A 5CE3 B79B FBF1 5518 8871 0EFB AFA3 E2F3 1C4B
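The setup Gregor describes (syslog-ng running unprivileged on a high port, with the privileged port 514 mapped onto it), as an added example that is not part of the original thread. It assumes Linux netfilter rather than the OpenBSD pf Gregor used, interface eth0, an unprivileged user "syslog" and port 5514; all of these are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: unprivileged syslog-ng behind a
# netfilter port mapping. Assumed values: interface eth0, unprivileged user
# "syslog", high port 5514.

# Build the nat rule that rewrites inbound UDP/514 to the high port. It only
# prints the command so the rule can be reviewed (or tested) before use.
redirect_rule() {
    iface=$1; from=$2; to=$3
    # Refuse a mapping that lands on a privileged port again; the point of
    # the exercise is that syslog-ng never needs root to bind its socket.
    [ "$to" -gt 1024 ] || { echo "target port must be > 1024" >&2; return 1; }
    echo "iptables -t nat -A PREROUTING -i $iface -p udp --dport $from -j REDIRECT --to-ports $to"
}

# Minimal syslog-ng.conf for the unprivileged instance. Caveat: netfilter's
# REDIRECT rewrites the destination to the primary address of the incoming
# interface, not to 127.0.0.1, so the source must listen on that address (or
# on all addresses) instead of localhost only. OpenBSD pf's
# "rdr ... -> 127.0.0.1 port 5514" does allow a localhost-only binding.
syslog_ng_conf() {
    cat <<'EOF'
source s_mapped { udp(ip(0.0.0.0) port(5514)); };
# /var/log/remote must be writable by the unprivileged user.
destination d_remote { file("/var/log/remote/messages"); };
log { source(s_mapped); destination(d_remote); };
EOF
}

# Everything below changes the system and only runs when asked for:
# "sh this_script.sh apply", as root, on the collector host.
if [ "$1" = "apply" ]; then
    redirect_rule eth0 514 5514 | sh
    syslog_ng_conf > /etc/syslog-ng/unpriv.conf
    # Run the daemon as the unprivileged user, as suggested in the thread.
    sudo -u syslog syslog-ng -f /etc/syslog-ng/unpriv.conf
fi
```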