[syslog-ng] Certificate ip authentication

Alexandre Damas alexandre.m.damas at nos.pt
Mon Jul 27 15:15:41 UTC 2020


The association of IP and name would be done on the server side by manipulating the local hosts file or a local DNS server owned by the server team.
The generation of certificates and use of certificates would then be managed by the server management team. On the client side there would not be any control. The association of IP and name would be fixed. The best way would be not having to use this association and having control of the protocol IP and the subject IP address.

Kind Regards
Alexandre


-----Original Message-----
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> On Behalf Of SZIGETVÁRI János
Sent: 27 July 2020 14:31
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Certificate ip authentication

Hi Alexandre,

AFAIK, there is no way to verify the certificate subjects of connecting clients on a syslog-ng server.
A little over a month back I created this feature request:
https://github.com/syslog-ng/syslog-ng/issues/3312
On the other hand, even if this part of the security picture were spotless, the client machine's hostname could still be changed through a rewrite rule on the client machine if the user has any way of changing syslog-ng's configuration (through file permissions, being a member of a group, or through possessing administrative privileges).

Best Regards,
János
--
Janos SZIGETVARI
RHCE, License no. 150-053-692

LinkedIn: linkedin.com/in/janosszigetvari

Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp

Alexandre Damas <alexandre.m.damas at nos.pt> wrote (on 2020 Jul 27, Mon, 13:34):
>
> Hi,
>
> As my objective on the utilization of syslog-ng is the authentication and certification of received security and auditing events, I implemented an internal CA which generates a certificate per syslog-ng client.
>
> Once there was someone who misconfigured a client and got a certificate for a different client. The funny part of it is that no one observed any problem, as the certificate, which was generated for a client having an IP (different from the one configured on the machine), was working and communications (using ALTP with TLS) went up for the exchange of messages.
>
> Has anyone experienced this? Does someone have a clue on how to prevent certificate reutilization on the client side?
>
> On the Linux side I did not find any way of preventing the utilization of a certificate for one machine that was issued for a different machine, having a different IP. If there is no cross-checking on the server of the IP addresses on the certificate with the IP address on the received event, I don't have a way to ensure non-repudiation of a received event, and the client can reuse the certificate for other machines, allowing the events to be received on the server.
>
> Kind Regards
>
> Alexandre Damas
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
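The server-side cross-check Alexandre asks for, written as an added example that is not part of syslog-ng or of this thread: it takes a client certificate in the dict form Python's ssl.SSLSocket.getpeercert() returns (the sample certificate below is constructed) together with the connecting peer's address, and accepts the event source only when that address is one the certificate was actually issued for.

```python
import ipaddress

# Constructed sample: a client certificate issued for 10.0.0.5 only, in the
# dict layout that ssl.SSLSocket.getpeercert() returns after a TLS handshake.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "10.0.0.5"),),),
    "subjectAltName": (
        ("IP Address", "10.0.0.5"),
        ("DNS", "client05.example.internal"),
    ),
}


def cert_ip_addresses(peercert: dict) -> set:
    """Return the set of IP addresses the certificate was issued for.

    Only 'IP Address' SAN entries count. A commonName that happens to be an
    address is used solely as a fallback when the SAN carries no IP entry,
    which is what older, CN-only client certificates look like.
    """
    ips = set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "IP Address":
            ips.add(ipaddress.ip_address(value))
    if not ips:
        for rdn in peercert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    try:
                        ips.add(ipaddress.ip_address(value))
                    except ValueError:
                        pass  # CN is a hostname, not an address
    return ips


def peer_matches_cert(peercert: dict, peer_ip: str) -> bool:
    """Cross-check: the TCP source address must be one the cert names.

    A certificate copied to another machine still passes the CA check, so
    this is the missing step that ties the cert to the sending host.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # malformed peer address: reject, never accept by default
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d; compare
    # the embedded IPv4 address so such clients are not wrongly rejected.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr in cert_ip_addresses(peercert)
```

A mismatch is exactly the case from the thread: a certificate issued for one address presented from another, which this check refuses and which is worth logging as an alert on its own.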


