5.21. Physical hard copies of all-important logs

One of the most important security considerations is the integrity of the different log files under the /var/log directory on your server. If despite each of the security functions put in place on our server a cracker can gain access to it, our last defense is the log file system, so it is very important to consider a method of being sure of the integrity of our log files.

If you have a printer installed on your server, or on a machine on your network, a good idea would be to have actual physical hard copies of all-important logs. This can be easily accomplished by using a continuous feed printer and having the syslog program sending all logs you seem important out to /dev/lp0 the printer device. Cracker can change the files, programs, etc on your server, but can do nothing when you have a printer that prints a real paper copy of all of your important logs.

Example 5-3. Print log reports

For logging of all telnet, mail, boot messages and ssh connections from your server to the printer attached to this server, you would want to add the following line to the "/etc/syslog.conf" file: Edit the syslog.conf file vi /etc/syslog.conf and add at the end of this file the following line:

            authpriv.*;mail.*;local7.*;auth.*;daemon.info /dev/lp0
            
Now restart your syslog daemon for the change to take effect:

            [root@deep] /# /etc/rc.d/init.d/syslog restart
            

For logging of all telnet, mail, boot messages and ssh connections from your server to the printer attached to a remote server in your local network, then you would want to add the following line to /etc/syslog.conf file on the remote server. If you don't have a printer in your network, you can also copy all the log files to another machine; simply omit the first step below of adding /dev/lp0 to your syslog.conf file on remote and go directly to the -r option step on remote. Using the feature of copying all the log files to another machine will give you the possibility to control all syslog messages on one host and will tear down administration needs. Edit the syslog.conf file vi /etc/syslog.conf on the remote server for example: mail.openna.com and add at the end of this file the following line:

            authpriv.*;mail.*;local7.*;auth.*;daemon.info /dev/lp0
            
Since the default configuration of the syslog daemon is to not receive any messages from the network, we must enable on the remote server the facility to receive messages from the network. To enable the facility to receive messages from the network on the remote server, add the following option -r to your syslog daemon script file only on the remote host: Edit the syslog daemon vi +24 /etc/rc.d/init.d/syslog and change:

            
            daemon syslogd -m 0
            
            
To read:

            daemon syslogd -r -m 0
            
Now restart your syslog daemon on the remote host for the change to take effect:

            [root@mail /]# /etc/rc.d/init.d/syslog restart
            

Now, if we have a firewall on the remote server you are supposed to have one), we must add or verify the existence of the following lines:

            ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \ (1)
            -s $SYSLOG_CLIENT \     (2)
            -d $IPADDR 514 -j ACCEPT (3)
             

(1)
Where EXTERNAL_INTERFACE="eth0" in the firewall file.
(2)
Where IPADDR="208.164.186.2" in the firewall file.
(3)
Where SYSLOG_CLIENT="208.164.168.0/24" in the firewall file.

Now restart your firewall on the remote host for the change to take effect:

            [root@mail /]# /etc/rc.d/init.d/firewall restart
            
This firewall rule will allow incoming UDP packet on port 514 (syslog port) on the remote server that come from our internal client to be accepted. For more information on Firewall see Chapter 7 Networking firewall.

Finally, edit the syslog.conf file vi /etc/syslog.conf on the local server, and add at the end of this file the following line:

            authpriv.*;mail.*;local7.*;auth.*;daemon.info @mail
             
Where mail is the hostname of the remote server. Now if anyone ever hacks your box and menaces to erase vital system logs, you still have a hard copy of everything. It should then be fairly simple to trace where they came from and deal with it accordingly. Now restart your syslog daemon for the change to take effect:

            [root@deep] /# /etc/rc.d/init.d/syslog restart
            
Same as on the remote host, we must add or verify the existence of the following lines in our firewall script file on the local host:

            ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ (1)
            -s $IPADDR 514 \   (2)
            -d $SYSLOG_SERVER 514 -j ACCEPT  (3)
            

(1)
Where EXTERNAL_INTERFACE="eth0" in the firewall file.
(2)
Where IPADDR="208.164.186.1" in the firewall file.
(3)
Where SYSLOG_SERVER="mail.openna.com" in the firewall file.

Now restart your firewall for the change to take effect:

            [root@deep] /# /etc/rc.d/init.d/firewall restart
            
This firewall rule will allow outgoing UDP packet on port 514 syslog port on the local server destined to the remote syslog server to be accepted. For more information on Firewall see chapter 7 Networking firewall.

Important: Never use your Gateway Server as a host to control all syslog messages; this is a very bad idea. More options and strategies exist with the sysklogd program, see the man pages about sysklogd(8), syslog(2), and syslog.conf(5) for more information.