Securing-Optimizing-RH-Linux-1_2_56
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
56
By default the syslog daemon does not accept any messages from the network, so the remote server
must be configured to receive them. To do this, add the -r option to the syslog daemon startup
script (only on the remote host):
·
Edit the syslog daemon (vi +24 /etc/rc.d/init.d/syslog) and change:
daemon syslogd -m 0
To read:
daemon syslogd -r -m 0
·
Now restart your syslog daemon on the remote host for the change to take effect:
[root@mail /]# /etc/rc.d/init.d/syslog restart
Now, if we have a firewall on the remote server (which you should have), we must add or
verify the existence of the following lines:
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $SYSLOG_CLIENT \
-d $IPADDR 514 -j ACCEPT
Where EXTERNAL_INTERFACE="eth0" in the firewall file.
Where IPADDR="208.164.186.2" in the firewall file.
Where SYSLOG_CLIENT="208.164.168.0/24" in the firewall file.
·
Now restart your firewall on the remote host for the change to take effect:
[root@mail /]# /etc/rc.d/init.d/firewall restart
This firewall rule accepts incoming UDP packets on port 514 (the syslog port) at the remote server
when they come from our internal client network. For more information on firewalls, see
Chapter 7, Networking firewall.
Finally, edit the syslog.conf file (vi /etc/syslog.conf) on the local server, and add the following
line at the end of the file:
authpriv.*;mail.*;local7.*;auth.*;daemon.info @mail
Where mail is the hostname of the remote server. Now, if anyone ever breaks into your box and
threatens to erase vital system logs, you still have a copy of everything on the remote server. It
should then be fairly simple to trace where they came from and deal with it accordingly.
·
Now restart your syslog daemon for the change to take effect:
[root@deep /]# /etc/rc.d/init.d/syslog restart
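The forwarding line above decides which messages leave the local server, and the selector syntax is easy to misread: "daemon.info" means info and every more severe priority, not info alone, and selectors are applied left to right, so a later "facility.none" overrides an earlier "*.info". The following evaluator is an added example, not code from the book; it implements the classic sysklogd selector semantics for lines of the form "selectors action" (the "=" and "!" priority modifiers of newer syslog daemons are left out) and is fed the book's own forwarding line so you can check what "@mail" will receive.

```python
"""Which messages does a syslog.conf selector line send to the remote host?

Added example (not the book's code): an evaluator for the classic sysklogd
selector syntax "facility.priority;facility.priority ... action".
Semantics implemented (sysklogd behaviour):
  - "facility.priority" selects that priority and every more severe one;
  - "*" as facility or priority matches all of them;
  - "facility.none" drops the facility;
  - selectors apply left to right, later ones overriding earlier ones for
    the same facility (so "*.info;mail.none" logs everything but mail).
The "=" and "!" priority modifiers of newer syslogd versions are not handled.
"""

# Priorities in ascending order of severity.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail",
              "mark", "news", "syslog", "user", "uucp"} | {"local%d" % i for i in range(8)}


def _priority(name):
    name = name.lower()
    return PRIORITY_ALIASES.get(name, name)


def parse_selector_line(line):
    """Return ([(facility, priority), ...], action) for one syslog.conf line.

    Selectors and the action are separated by whitespace; several facilities
    may share one priority with commas, e.g. "auth,authpriv.*".
    """
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("expected 'selectors action': %r" % line)
    selectors, action = parts
    rules = []
    for sel in selectors.split(";"):
        if "." not in sel:
            raise ValueError("selector without priority: %r" % sel)
        facs, prio = sel.rsplit(".", 1)
        prio = _priority(prio)
        if prio not in PRIORITIES and prio not in ("*", "none"):
            raise ValueError("unknown priority: %r" % prio)
        for fac in facs.split(","):
            fac = fac.lower()
            if fac != "*" and fac not in FACILITIES:
                raise ValueError("unknown facility: %r" % fac)
            rules.append((fac, prio))
    return rules, action.strip()


def effective_mask(rules):
    """Apply selectors in order; map facility -> minimum priority index,
    or None for a facility that has been excluded with 'none'."""
    mask = {}
    for fac, prio in rules:
        if prio == "none":
            value = None
        elif prio == "*":
            value = 0
        else:
            value = PRIORITIES.index(prio)
        for target in (FACILITIES if fac == "*" else [fac]):
            mask[target] = value
    return mask


def destination(line, facility, priority):
    """The action (e.g. '@mail') this line sends a facility.priority message
    to, or None if the line does not select that message."""
    rules, action = parse_selector_line(line)
    mask = effective_mask(rules)
    level = PRIORITIES.index(_priority(priority))
    minimum = mask.get(facility.lower())
    if minimum is None:
        return None
    return action if level >= minimum else None


# The forwarding line from the text, as added to /etc/syslog.conf on the
# local server ("mail" is the hostname of the remote log server).
FORWARD_LINE = "authpriv.*;mail.*;local7.*;auth.*;daemon.info @mail"

if __name__ == "__main__":
    for fac, prio in [("daemon", "warning"), ("daemon", "debug"),
                      ("authpriv", "debug"), ("kern", "emerg")]:
        print("%s.%s -> %s" % (fac, prio, destination(FORWARD_LINE, fac, prio)))
```

Run against the book's line, daemon.warning and authpriv.debug go to @mail, daemon.debug does not (it is below info), and kern.emerg is not forwarded at all because no selector names the kern facility; if kernel messages matter to you, they need their own selector on that line.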
As on the remote host, we must add or verify the existence of the following lines in the
firewall script file on the local host:
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 514 \
-d $SYSLOG_SERVER 514 -j ACCEPT
Where EXTERNAL_INTERFACE="eth0" in the firewall file.
Where IPADDR="208.164.186.1" in the firewall file.
Where SYSLOG_SERVER="mail.openarch.com" in the firewall file.
·
Now restart your firewall for the change to take effect:
[root@deep /]# /etc/rc.d/init.d/firewall restart
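The two firewall rules only work together if the addresses on both hosts agree: the client's IPADDR must fall inside the SYSLOG_CLIENT network the server accepts from, and the client's SYSLOG_SERVER must resolve to the server's IPADDR. The script below is an added example, not code from the book; it parses the VAR="value" assignments shown above, renders both ipchains rules from them, and reports any mismatch. It assumes a constructed name table in place of DNS (mail.openarch.com mapped to the server's 208.164.186.2) so it runs offline; ipchains itself resolves a hostname once, when the rule is loaded. Fed the values exactly as printed in the text, it reports that the client address 208.164.186.1 lies outside 208.164.168.0/24, which is the kind of slip this check exists to catch; it also rejects an assignment with an unbalanced quote instead of guessing at it.

```python
"""Cross-check the syslog firewall variables of the client and the server.

Added example (not the book's code): parses the VAR="value" assignments the
text puts in each host's firewall script, renders the two ipchains rules from
them, and checks that the two ends agree. Hostnames are resolved through a
constructed table instead of DNS so the check runs offline.
"""
import ipaddress
import re

# VAR=value or VAR="value"; an unbalanced quote does not match.
ASSIGN = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)=("?)([^"\s]+)\2\s*$')

SERVER_RULE = "ipchains -A input -i {iface} -p udp -s {client} -d {addr} 514 -j ACCEPT"
CLIENT_RULE = "ipchains -A output -i {iface} -p udp -s {addr} 514 -d {server} 514 -j ACCEPT"

# Constructed name table standing in for DNS (assumption: mail.openarch.com
# is the remote server whose IPADDR is 208.164.186.2 in the text).
HOSTS = {"mail.openarch.com": "208.164.186.2"}


def parse_vars(text):
    """Parse shell-style assignments, rejecting any line it cannot read."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if m is None:
            raise ValueError("cannot parse assignment: %r" % line)
        values[m.group(1)] = m.group(3)
    return values


def resolve(name):
    """IP address for a literal address, or a name in the constructed table."""
    try:
        return ipaddress.ip_address(name)
    except ValueError:
        return ipaddress.ip_address(HOSTS[name])


def render_rules(server_vars, client_vars):
    """The server's accept rule and the client's send rule, as shell text."""
    return (SERVER_RULE.format(iface=server_vars["EXTERNAL_INTERFACE"],
                               client=server_vars["SYSLOG_CLIENT"],
                               addr=server_vars["IPADDR"]),
            CLIENT_RULE.format(iface=client_vars["EXTERNAL_INTERFACE"],
                               addr=client_vars["IPADDR"],
                               server=client_vars["SYSLOG_SERVER"]))


def check_pair(server_vars, client_vars):
    """Mismatches between the server's accept rule and the client's send
    rule; an empty list means the two ends agree."""
    problems = []
    server_ip = ipaddress.ip_address(server_vars["IPADDR"])
    client_ip = ipaddress.ip_address(client_vars["IPADDR"])
    accepted = ipaddress.ip_network(server_vars["SYSLOG_CLIENT"], strict=False)
    if client_ip not in accepted:
        problems.append("server accepts syslog from %s, but the client address "
                        "%s is outside that network" % (accepted, client_ip))
    target = resolve(client_vars["SYSLOG_SERVER"])
    if target != server_ip:
        problems.append("client sends to %s (%s), but the server's address is %s"
                        % (client_vars["SYSLOG_SERVER"], target, server_ip))
    return problems


# Values as printed in the text: remote server (mail) and local host (deep).
SERVER_VARS = parse_vars('''
EXTERNAL_INTERFACE="eth0"
IPADDR="208.164.186.2"
SYSLOG_CLIENT="208.164.168.0/24"
''')
CLIENT_VARS = parse_vars('''
EXTERNAL_INTERFACE="eth0"
IPADDR="208.164.186.1"
SYSLOG_SERVER="mail.openarch.com"
''')

if __name__ == "__main__":
    for rule in render_rules(SERVER_VARS, CLIENT_VARS):
        print(rule)
    for problem in check_pair(SERVER_VARS, CLIENT_VARS) or ["rules agree"]:
        print(problem)
```

Change SYSLOG_CLIENT to a network that contains the client (for the printed addresses, 208.164.186.0/24) and the check comes back empty; keep such a script next to the firewall files on both hosts and run it after every edit, since a rule that silently drops the remote copy of your logs is exactly the failure you will not notice until you need them.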