Re: Syslog over Internet

From: Damian Menscher (menscher_at_uiuc.edu)
Date: 08/18/03

    Date: Mon, 18 Aug 2003 12:00:33 -0500 (CDT)
    To: Vineet Mehta <vineet@linux.com.kw>
    
    

    On Mon, 18 Aug 2003, Vineet Mehta wrote:

    > I have hired a server located in a different country. I heard that it's
    > better to log all your syslog messages on a different machine. As I don't
    > have access to any other machine on that network except in my own
    > country.
    >
    > My question is how safe and efficient it is to log Syslogd messages from
    > my server in the other country to my server in this country?
    >
    > Is it really safe? Is it advised to do so, if not then why?

    The reason to do it is so an intruder can't remove evidence of their
    attack, since the evidence will be stored elsewhere. Normally, this is
    a good thing to do, if you want to be able to trace suspected
    intrusions.

    In your case, however, I don't recommend doing it in the default
    configuration. The problem is that syslog messages are typically sent
    in plaintext (over port 514/udp). And it's possible for logs to contain
    sensitive information. For example, what if you accidentally type your
    password at a login prompt? It will log a failed login attempt from
    unauthorized user <password>. Therefore your password will be sent
    across the internet in plaintext!

    It is possible to pipe syslog messages through a program (often used for
    advanced log filtering). In your case, you might consider piping them
    through a program that encrypts them before sending them over the wire.
    Be advised that the encryption algorithm should be secure against
    known-, chosen-, or repeated-plaintext attacks, since all log messages
    begin the same way, and an attacker can induce certain error messages to
    appear.

    Damian Menscher

    -- 
    -=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
    -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
    -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
    -=#| <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
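
One way to build the encrypting filter described in the message above, shown as an added example that is not part of the original post: each log line is sealed with AES-256-GCM under a fresh random nonce, so repeated or attacker-induced messages never produce repeated ciphertext, and altered frames are rejected. It assumes the third-party Python `cryptography` package and a pre-shared 32-byte key file; the script name, frame layout and collector address are hypothetical.

```python
"""Seal each syslog line with AES-256-GCM before it leaves the host."""
import os
import socket
import struct
import sys

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12   # 96-bit GCM nonce
HDR = ">Q"       # 64-bit sequence number: sent in clear, but authenticated

def seal(key, seq, line):
    """Return seq || nonce || ciphertext+tag for one log line."""
    # A fresh random nonce per message means identical lines (and the common
    # "<PRI>timestamp host" prefix) never yield identical ciphertext.
    # With random nonces, rotate the key well before 2**32 messages.
    nonce = os.urandom(NONCE_LEN)
    header = struct.pack(HDR, seq)
    return header + nonce + AESGCM(key).encrypt(nonce, line, header)

def open_sealed(key, frame):
    """Collector side: return (seq, line), or None if forged or damaged."""
    if len(frame) < 8 + NONCE_LEN + 16:       # header + nonce + GCM tag
        return None
    header, nonce, body = frame[:8], frame[8:8 + NONCE_LEN], frame[8 + NONCE_LEN:]
    try:
        line = AESGCM(key).decrypt(nonce, body, header)
    except InvalidTag:
        return None
    return struct.unpack(HDR, header)[0], line

def forward(key, lines, send):
    """Seal every line from `lines`, hand each frame to `send`, return the count."""
    count = 0
    for count, line in enumerate(lines, start=1):
        send(seal(key, count, line.rstrip(b"\n")))
    return count

if __name__ == "__main__":
    # Assumed usage: the syslog daemon pipes messages to this script's stdin.
    #   seal_syslog.py KEYFILE COLLECTOR_HOST COLLECTOR_PORT
    keyfile, host, port = sys.argv[1:4]
    with open(keyfile, "rb") as fh:
        key = fh.read()                       # 32 random bytes shared with the collector
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    forward(key, sys.stdin.buffer, lambda f: sock.sendto(f, (host, int(port))))
```

The sequence number restarts at 1 whenever the filter restarts, so a collector that uses it to spot dropped or replayed frames has to allow for that.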