Security Basics mailing list archives
Re: Syslog over Internet
From: "Arturo \"Buanzo\" Busleiman" <buanzo () buanzo com ar>
Date: Mon, 18 Aug 2003 18:48:47 -0300 (ART)
And we should not forget about NOT USING UDP for this. TCP would make a
better transport.

--
Arturo "Buanzo" Busleiman - www.buanzo.com.ar - GNU/Linux Documentation
GNU's es_AR Team Leader - PGP/GnuPG Key available at horowitz.surfnet.nl
_FREE_ 21Mb eMail mailbox, Webmail/POP/IMAP/SMTP at www.daleclick.com

On Mon, 18 Aug 2003, Damian Menscher wrote:

> On Mon, 18 Aug 2003, Vineet Mehta wrote:
>
>> I have hired a server located in a different country. I heard that
>> it's better to log all your syslog messages on a different machine. As
>> I don't have access to any other machine on that network except in my
>> own country. My question is how safe and efficient it is to log
>> Syslogd messages from my server in other country to my server in this
>> country? Is it really safe? Is it advised to do so, if not then why?
>
> The reason to do it is so an intruder can't remove evidence of their
> attack, since the evidence will be stored elsewhere. Normally, this is
> a good thing to do, if you want to be able to trace suspected
> intrusions.
>
> In your case, however, I don't recommend doing it in the default
> configuration. The problem is that syslog messages are typically sent
> in plaintext (over port 514/udp). And it's possible for logs to contain
> sensitive information. For example, what if you accidentally type your
> password at a login prompt? It will log a failed login attempt from
> unauthorized user <password>. Therefore your password will be sent
> across the internet in plaintext!
>
> It is possible to pipe syslog messages through a program (often used
> for advanced log filtering). In your case, you might consider piping
> them through a program that encrypts them before sending them over the
> wire. Be advised that the encryption algorithm should be secure against
> known-, chosen-, or repeated-plaintext attacks, since all log messages
> begin the same way, and an attacker can induce certain error messages
> to appear.
>
> Damian Menscher
> --
> -=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
> -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
> -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
> -=#| <menscher () uiuc edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
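Added example, not part of the original messages: one way to build the "program you pipe syslog through" discussed above, combining the TCP transport and the encryption by sending each line over a certificate-verified TLS connection, whose record protection uses a fresh nonce or IV per record so identical log lines do not yield identical ciphertext. The collector name, CA file path and the choice of TLS with RFC 5425 framing are assumptions of this sketch, not something the posters specified.

```python
#!/usr/bin/env python3
"""Forward syslog lines from stdin to a remote collector over TLS/TCP."""
import socket
import ssl
import sys

# Assumed placeholders for this example; replace with your own collector.
COLLECTOR = "loghost.example.org"
PORT = 6514  # registered port for syslog over TLS (RFC 5425)
CA_FILE = "/etc/ssl/private-ca/loghost-ca.pem"


def frame(message: str) -> bytes:
    """Octet-counting frame used by RFC 5425: b'<length> <message>'.

    TCP is a byte stream, so each record carries its own length; a newline
    embedded in a log message cannot split or merge records.
    """
    payload = message.rstrip("\r\n").encode("utf-8", errors="replace")
    return str(len(payload)).encode("ascii") + b" " + payload


def make_context(ca_file=None) -> ssl.SSLContext:
    """Client TLS context that authenticates the collector before sending."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Already the defaults; stated explicitly because an unauthenticated
    # tunnel would hand the logs to whoever answers on the far side.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def forward(lines, host=COLLECTOR, port=PORT, ca_file=CA_FILE) -> int:
    """Send each non-empty line as one framed record; return the count sent."""
    sent = 0
    with socket.create_connection((host, port), timeout=10) as raw:
        with make_context(ca_file).wrap_socket(raw, server_hostname=host) as tls:
            for line in lines:
                if line.strip():
                    tls.sendall(frame(line))
                    sent += 1
    return sent


if __name__ == "__main__":
    # Typically fed from a named pipe or program destination written by syslogd.
    forward(sys.stdin)
```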
Current thread:
- Syslog over Internet Vineet Mehta (Aug 18)
- RE: Syslog over Internet David Gillett (Aug 18)
- Re: Syslog over Internet Damian Menscher (Aug 18)
- Re: Syslog over Internet Arturo "Buanzo" Busleiman (Aug 18)
- RE: Syslog over Internet matt willson (Aug 20)
- Re: Syslog over Internet Valter Santos (Aug 20)
- <Possible follow-ups>
- RE: Syslog over Internet Keith T. Morgan (Aug 18)
- RE: Syslog over Internet DeGennaro, Gregory (Aug 18)
- RE: Syslog over Internet DeGennaro, Gregory (Aug 19)
- Re: Syslog over Internet Eric Nelson (Aug 20)