Securing-Optimizing-RH-Linux-1_2_56
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
56

Since the default configuration of the syslog daemon is to not receive any messages from the network, we must enable the remote server to receive messages from the network. To do this, add the "-r" option to your syslog daemon script file (only on the remote host):

· Edit the syslog daemon script (vi +24 /etc/rc.d/init.d/syslog) and change:

    daemon syslogd -m 0

  To read:

    daemon syslogd -r -m 0

· Now restart your syslog daemon on the remote host for the change to take effect:

    [root@mail /]# /etc/rc.d/init.d/syslog restart

Now, if we have a firewall on the remote server (and you are supposed to have one), we must add or verify the existence of the following lines:

    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $SYSLOG_CLIENT \
             -d $IPADDR 514 -j ACCEPT

Where EXTERNAL_INTERFACE="eth0" in the firewall file.
Where IPADDR="208.164.186.2" in the firewall file.
Where SYSLOG_CLIENT="208.164.168.0/24" in the firewall file.

· Now restart your firewall on the remote host for the change to take effect:

    [root@mail /]# /etc/rc.d/init.d/firewall restart

This firewall rule allows incoming UDP packets on port 514 (the syslog port) that come from our internal client to be accepted on the remote server. For more information on firewalls, see chapter 7, "Networking firewall".

Finally, edit the syslog.conf file (vi /etc/syslog.conf) on the local server, and add the following line at the end of the file:

    authpriv.*;mail.*;local7.*;auth.*;daemon.info @mail

Where "mail" is the hostname of the remote server. Now if anyone ever hacks your box and threatens to erase vital system logs, you still have a copy of everything. It should then be fairly simple to trace where they came from and deal with it accordingly.
· Now restart your syslog daemon for the change to take effect:

    [root@deep /]# /etc/rc.d/init.d/syslog restart

As on the remote host, we must add or verify the existence of the following lines in our firewall script file on the local host:

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR 514 \
             -d $SYSLOG_SERVER 514 -j ACCEPT

Where EXTERNAL_INTERFACE="eth0" in the firewall file.
Where IPADDR="208.164.186.1" in the firewall file.
Where SYSLOG_SERVER="mail.openarch.com" in the firewall file.

· Now restart your firewall for the change to take effect:

    [root@deep /]# /etc/rc.d/init.d/firewall restart
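As an added check that is not part of the book, the following Python helper parses a syslog.conf in the selector/action format used above and reports which facilities actually reach the remote host, so an administrator can confirm nothing important is still logged only locally. The sample configuration is constructed here from the line added above plus typical local entries; the `required` list is an assumption about which facilities the site cares about.

```python
"""Verify which syslog facilities a syslog.conf forwards to a remote @host."""
import re

# Constructed sample of the local server's /etc/syslog.conf after the edit above.
SAMPLE_SYSLOG_CONF = """\
# Log all kernel messages to the console.
#kern.*                                                 /dev/console
*.info;mail.none;authpriv.none                          /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  /var/log/maillog
*.emerg                                                 *
authpriv.*;mail.*;local7.*;auth.*;daemon.info @mail
"""


def parse_syslog_conf(text):
    """Return a list of (selectors, action) pairs.

    selectors is a list of (facility, priority) tuples from the ';'-separated
    selector field; action is the target (a file, '*' for all users, or '@host').
    Comment lines and blank lines are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = re.split(r'\s+', line, maxsplit=1)   # selectors, then action
        if len(parts) != 2:
            continue                                   # malformed line: no action
        selectors = []
        for sel in parts[0].split(';'):
            facility, _, priority = sel.partition('.')
            selectors.append((facility, priority))
        rules.append((selectors, parts[1]))
    return rules


def remote_forwarding(rules):
    """Map each remote host ('@host' action) to the set of facilities sent to it.

    A 'facility.none' selector excludes that facility, so it is not counted.
    """
    hosts = {}
    for selectors, action in rules:
        if action.startswith('@'):
            forwarded = {f for f, p in selectors if p != 'none'}
            hosts.setdefault(action[1:], set()).update(forwarded)
    return hosts


def missing_remote_facilities(text, required, host):
    """Facilities in `required` that this syslog.conf does NOT forward to `host`."""
    forwarded = remote_forwarding(parse_syslog_conf(text)).get(host, set())
    return sorted(set(required) - forwarded)
```

Note that syslogd's UDP transport carries no authentication, so the source-address restriction in the ipchains rule above is what keeps other hosts from writing into the remote server's logs.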