LinuxQuestions.org
Old 04-16-2002, 08:16 PM   #1
Supp0rtLinux
Member
 
Registered: Dec 2001
Location: Carlsbad
Distribution: LFS 4.0 (www.linuxfromscratch.org)
Posts: 44

Rep: Reputation: 15
Question messages file and other log files on NFS share


I just inherited a server room of about 20 Linux servers... all very old, all very open to exploits, all needing to be VERY carefully updated 'cause of app dependencies. The boxes keep getting hacked and the hackers keep deleting everything in /var/log. I'm guessing they're using SSH exploits among other things. Half the time I only know what happened 'cause they didn't delete their .bash_history behind them.

As stated above, I have to be very careful about upgrading packages so as not to break existing apps. In the meantime, I want to NFS mount volumes from a very secure box for /var/log so I can back them up hourly from a central point.

Here's my question: assuming that a local /var/log exists when the system starts up and files are written... specifically /var/log/messages, what happens when the network starts up and fs's are mounted and I now have /var/log as a mount of another server's NFS export? Specifically, how will the 'messages' and other files that are presently being written to handle being in a new location without the services writing to them being stopped and restarted?

I'm open to ideas or alternative suggestions.

Thanks in advance,
Andrew
 
Old 04-16-2002, 09:19 PM   #2
aveng0
LQ Newbie
 
Registered: Apr 2002
Location: Montreal
Distribution: Debian
Posts: 7

Rep: Reputation: 0
Hey,
first of all, if they aren't "smart" enough to delete their .bash_history, I would think they would most probably be script kiddies... and crackers with nothing else to do with their time : )

Anyways, instead of getting yourself all confused with NFS, I would try using the remote loghost system with Syslog, which is probably running on those machines.

First you should label all the machines with their hostnames. Then, install syslog (if some form of it isn't already there).
Now, designate a secure server as the "loghost".
Add its hostname to the file /etc/hosts on each server.
Then on each of the other servers, find the file called /etc/syslog.conf.
In those files, add a line like one of these:
*.* @apple (for all messages to be sent to the loghost "apple")
OR kern.* @apple (for kernel messages to be sent... )
Etc... just do a search for syslog loghost on Google.
Now, start syslog on the loghost with the flag to accept remote logs...
I forget what that is, but just type "man syslogd" or "man syslog" for it...

any questions, just ask away!

-- good luck
David
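
The forwarding setup described in the reply above can be verified on each server with a small audit script. This is an added example, not part of the original posts: it assumes a sysklogd-style syslog.conf and the loghost name "apple" from the reply, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sysklogd-style syslog.conf forwarding to a loghost.

# forward_targets CONF: print "selector host" for every "@host" action line.
forward_targets() {
    awk '$1 !~ /^#/ && NF >= 2 && $NF ~ /^@./ { print $1, substr($NF, 2) }' "$1"
}

# host_in_hosts HOST HOSTSFILE: succeed if HOST is a name or alias in the file.
host_in_hosts() {
    awk -v h="$1" '{ sub(/#.*/, "") } NF >= 2 { for (i = 2; i <= NF; i++) if ($i == h) f = 1 }
        END { exit !f }' "$2"
}

# audit_forwarding CONF HOSTSFILE LOGHOST: print one status word.
#   ok          *.* is forwarded to LOGHOST and LOGHOST is in HOSTSFILE
#   partial     only some selectors (e.g. kern.*) are forwarded to LOGHOST
#   unresolved  forwarding is configured but LOGHOST is not in HOSTSFILE
#   missing     nothing is forwarded to LOGHOST
audit_forwarding() {
    sels=$(forward_targets "$1" | awk -v h="$3" '$2 == h { print $1 }')
    if [ -z "$sels" ]; then echo missing; return 1; fi
    if ! host_in_hosts "$3" "$2"; then echo unresolved; return 1; fi
    if printf '%s\n' "$sels" | grep -qxF '*.*'; then echo ok; return 0; fi
    echo partial; return 1
}

# Constructed sample files (not taken from any real server).
make_samples() {
    printf '%s\n' '127.0.0.1 localhost' '192.0.2.10 apple  # loghost' > "$1/hosts"
    printf '%s\n' '# local copy' '*.info /var/log/messages' '*.* @apple' > "$1/all.conf"
    printf '%s\n' '*.info /var/log/messages' 'kern.* @apple' > "$1/kern.conf"
    printf '%s\n' '*.info /var/log/messages' '#*.* @apple' > "$1/none.conf"
    printf '%s\n' '127.0.0.1 localhost' > "$1/hosts.bare"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for c in all kern none; do
    printf '%s.conf: %s\n' "$c" "$(audit_forwarding "$demo_dir/$c.conf" "$demo_dir/hosts" apple)"
done
rm -rf "$demo_dir"
```

On a real server the call would be `audit_forwarding /etc/syslog.conf /etc/hosts apple`. On the loghost side, sysklogd's syslogd only accepts messages from the network when it is started with `-r`.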
 
  

