LinuxQuestions.org
Old 03-06-2003, 09:20 AM   #1
WeNdeL
Member
 
Registered: Oct 2002
Location: At my desk...
Distribution: RedHat, Fedora, Ubuntu
Posts: 344

Rep: Reputation: 30
How unsecure is tail -f


I want to monitor my kernel logging through the use of "tail -f"

I have set up multiple log prefixes in my iptables rules that log certain activity and I want to receive an email when these are encountered.

My thoughts were to do something like this:

tail -f /var/log/kernlog | egrep '(STEALTH|FRAGMENT|DROPPED)' | mail me@mydomain.com -s "KERNEL LOG MAIL"

I am going to look at swatch and some other logging utilities but I really only need something very simple in nature and don't want to bother with the overhead of using some complicated utility.

Your thoughts?
 
Old 03-06-2003, 11:11 AM   #2
RolledOat
Member
 
Registered: Feb 2003
Location: San Antonio
Distribution: Suse 9.0 Professional
Posts: 843

Rep: Reputation: 30
It will be as secure, or lack thereof, as normal email. The tail itself is harmless. The only insecure part is the email. Depending on traffic, you might get a large number of emails. You could look at encrypting it using PGP or something from your sendmail server.

RO
 
Old 03-06-2003, 11:35 AM   #3
WeNdeL
Member
 
Registered: Oct 2002
Location: At my desk...
Distribution: RedHat, Fedora, Ubuntu
Posts: 344

Original Poster
Rep: Reputation: 30
cool... thanks man...
 
Old 03-06-2003, 12:58 PM   #4
moses
Senior Member
 
Registered: Sep 2002
Location: Arizona, US, Earth
Distribution: Slackware, (Non-Linux: Solaris 7,8,9; OSX; BeOS)
Posts: 1,152

Rep: Reputation: 50
There are potential problems, but probably not something you need to worry about:

Quote:
found at http://packetstormsecurity.nl/0006-exploits/
xterm denial of service attack - By sending the VT control characters to resize a window it is possible to cause an xterm to crash and in some cases consume all available memory. This is a problem because remote users can inject these control characters into your xterm in many different ways. This sample exploit injects these control characters into a web get request. If an admin were to cat this log file, or happened to be doing a "tail -f access_log" at the time of attack they would find their xterm crashed. Tested against rxvt v2.6.1 and xterm (XFree86 3.3.3.1b(88b).
 
Old 03-06-2003, 01:39 PM   #5
RolledOat
Member
 
Registered: Feb 2003
Location: San Antonio
Distribution: Suse 9.0 Professional
Posts: 843

Rep: Reputation: 30
With the firewall in place though, I don't see how they could ever get access to the xterm or resize it? Also, you wouldn't want to tie this to an xterm anyway. You want it in your startup services or at least
nohup tail -f ... &

That starts it as a free process not dependent on an xterm. You could even start it as a respawnable process in case it died, but I don't personally know how to do that.

Goes to show ya though, there is nothing that can be done on a computer that is ever 100% safe.

RO
 
Old 03-06-2003, 02:40 PM   #6
moses
Senior Member
 
Registered: Sep 2002
Location: Arizona, US, Earth
Distribution: Slackware, (Non-Linux: Solaris 7,8,9; OSX; BeOS)
Posts: 1,152

Rep: Reputation: 50
Quote:
Originally posted by RolledOat
With the firewall in place though, I don't see how they could ever get access to the xterm or resize it? Also, you wouldn't want to tie this to an xterm anyway. You want it in your startup services or at least
nohup tail -f ... &

That starts it as a free process not dependent on an xterm. You could even start it as a respawnable process in case it died, but I don't personally know how to do that.

Goes to show ya though, there is nothing that can be done on a computer that is ever 100% safe.

RO
The point wasn't the xterm, the point was that it's not inconceivable for someone to use, for example, a malformed web request to cause tail -f to perform something beyond its normal duty. For what WeNdeL was proposing, it probably wouldn't be a problem, since he seems interested in kernel messages, not external messages.
Nothing is really ever 100% secure.
 
Old 03-06-2003, 03:22 PM   #7
WeNdeL
Member
 
Registered: Oct 2002
Location: At my desk...
Distribution: RedHat, Fedora, Ubuntu
Posts: 344

Original Poster
Rep: Reputation: 30
well... I figured out a different way to do this... basically wrote a script (run via a cron job every minute) that greps my kernel log for all of my log-prefixes and then keeps count of each violation through the use of a tab delimited database file...

i compare the counts from the last run of this script to the present one and then email/page myself if someone is hitting my box in an undesirable way...

thanks for your input though...
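WeNdeL's cron approach from post #7, written out below as an added example (not his script) that also applies post #4's caveat by stripping control characters before log text reaches mail or a terminal. Unlike the pipeline in post #1, where `mail` would wait for `tail -f` to reach EOF before sending anything, each run here finishes and mails only the prefixes whose counts rose. The log path, state-file location, log format and mail address are assumptions or taken from post #1.

```shell
#!/bin/sh
# Added example, not WeNdeL's script: a per-minute cron check of an iptables
# kernel log. It counts hits per LOG prefix, compares them with the counts the
# previous run saved in a tab-delimited state file, and mails the increases.
# Paths, the state-file location and the log format are assumptions.
KERNLOG="${KERNLOG:-/var/log/kernlog}"        # log path from post #1
STATE="${STATE:-/var/lib/fwmon/counts.tsv}"   # assumed: prefix<TAB>count per line
MAILTO="${MAILTO:-me@mydomain.com}"           # address from post #1
PREFIXES="STEALTH FRAGMENT DROPPED"           # LOG prefixes from post #1

# Drop ESC and every other control byte except tab and newline, so a log line
# crafted by a remote host cannot carry terminal escape sequences into the mail
# or into an xterm (post #4's caveat). "\033[2J" becomes the inert text "[2J".
sanitize() { tr -cd '\11\12\40-\176'; }

# Count log lines carrying each prefix; print "prefix<TAB>count" per prefix.
count_hits() { # $1 = log file
    for p in $PREFIXES; do
        c=$(grep -c -- "$p" "$1" 2>/dev/null) || true   # grep -c exits 1 on no match
        printf '%s\t%s\n' "$p" "${c:-0}"
    done
}

# Print "prefix old new" for every prefix whose count rose since the last run.
# A missing or incomplete state file (first run, new prefix) counts as 0.
deltas() { # $1 = previous state file, $2 = fresh count_hits output
    while IFS="$(printf '\t')" read -r p cnt; do
        old=0
        [ -f "$1" ] && old=$(awk -F'\t' -v p="$p" '$1 == p { print $2 }' "$1")
        [ "$cnt" -gt "${old:-0}" ] && printf '%s %s %s\n' "$p" "${old:-0}" "$cnt"
    done < "$2"
    return 0
}

main() {
    newfile=$(mktemp)
    count_hits "$KERNLOG" > "$newfile"
    alert=$(deltas "$STATE" "$newfile")
    if [ -n "$alert" ]; then
        {
            printf 'New firewall hits (prefix old new):\n%s\n\nRecent lines:\n' "$alert"
            for p in $PREFIXES; do grep -- "$p" "$KERNLOG" | tail -n 3; done
        } | sanitize | mail -s "KERNEL LOG MAIL" "$MAILTO"
    fi
    mkdir -p "$(dirname "$STATE")" && mv "$newfile" "$STATE"
}

# From cron (* * * * * /usr/local/sbin/fwmon.sh run); sourcing the file runs nothing.
case "${1:-}" in run) main ;; esac
```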
 