LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-25-2006, 02:53 AM   #1
unreal128
Member
 
Registered: Jun 2003
Distribution: SuSE, Slackware, Gentoo
Posts: 207

Rep: Reputation: 30
Hardening syslog-ng


I am running syslog-ng as my logging utility on Gentoo and was reading up on how the utility works; it provides a UDP port for remote logging. I am running the system on a laptop that is not part of any network or acting as a server.

My question is this, would it be okay just to disable this in /etc/services or do some local programs need this service up to perform logging correctly?

Also, as an aside, how would I write to the messages file via syslog-ng from the command line (eg. within a bash script.)
 
Old 09-25-2006, 03:21 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
by default syslog-ng normally only listens locally, on 127.0.0.1. you can check the syslog-ng.conf file yourself to see whichnetworks are being listened to.
 
Old 09-25-2006, 05:52 AM   #3
bulliver
Senior Member
 
Registered: Nov 2002
Location: British Columbia, Canada
Distribution: Gentoo x86_64; FreeBSD; OS X
Posts: 3,762
Blog Entries: 4

Rep: Reputation: 78
Quote:
Also, as an aside, how would I write to the messages file via syslog-ng from the command line (eg. within a bash script.)
man logger

It is part of the 'util-linux' package so should already be installed on a Gentoo system.
 
Old 09-26-2006, 01:43 AM   #4
unreal128
Member
 
Registered: Jun 2003
Distribution: SuSE, Slackware, Gentoo
Posts: 207

Original Poster
Rep: Reputation: 30
Thanks Bulliver for the info on logging; this helps alot!

Acid Kewpie,
Thanks for the information regarding networking port access on the syslog-ng utility. I tried checking out syslog-ng.conf but couldn't find any information related to network configuration. (besides chain_hostnames.) I checked out syslog-ng's website and looking at the sample config code, it seems that Gentoo automatically loads the ebuild with network logging disabled.

Code:
options {
        chain_hostnames(off);
        sync(0);
        stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination messages { file("/var/log/messages"); };
destination console_all { file("/dev/tty12"); };

log { source(src); destination(messages); };
log { source(src); destination(console_all); };
 
Old 09-26-2006, 03:45 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
yes, in fact while i'm not using gentoo on my work systems, it's their really great documentation that got it set up. gentoo might be run by a bunch of backstabbing hippies, but they do write *very* good documentation.

Last edited by acid_kewpie; 09-26-2006 at 06:03 AM.
 
Old 09-26-2006, 04:47 AM   #6
JiYu
LQ Newbie
 
Registered: Sep 2006
Location: Germany
Distribution: FreeBSD
Posts: 29

Rep: Reputation: 15
Is there nothing like this?:

Code:
source s_external {
			tcp ( ip(0.0.0.0) port(514) keep-alive(yes));
};
 
Old 09-26-2006, 01:14 PM   #7
unreal128
Member
 
Registered: Jun 2003
Distribution: SuSE, Slackware, Gentoo
Posts: 207

Original Poster
Rep: Reputation: 30
Correct, there is no statement in the config file as mentioned above. What I pasted into my last reply is the entire configuration file.
 
Old 09-26-2006, 01:25 PM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
having something like syslog listening for external ip connections by default makes no sense whatsoever. it's just another security hole if that's the case, as 99.9%+ syslog instances in the world are only for the local host.
 
Old 09-26-2006, 06:26 PM   #9
bulliver
Senior Member
 
Registered: Nov 2002
Location: British Columbia, Canada
Distribution: Gentoo x86_64; FreeBSD; OS X
Posts: 3,762
Blog Entries: 4

Rep: Reputation: 78
Quote:
gentoo might be run by a bunch of backstabbing hippies,
I see you follow gentoo-dev as well..
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Centralized Syslog Server Using syslog-NG LXer Syndicated Linux News 0 04-28-2006 07:21 PM
Hardening Apache XaViaR Linux - Security 2 05-14-2005 07:25 PM
I need some ideas for hardening Bill Johns Linux - Security 2 05-01-2005 04:11 PM
Hardening RH 9 velan Red Hat 4 06-16-2004 08:40 AM
hardening my security Jalalabee Linux - Security 4 01-06-2004 03:40 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:45 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration