Hello UNIX managers,
I have lately been tweaking one of our hosts, running TU4.0G with PK2
installed, trying to harden it against remote intrusion and DoS attacks.
While doing so, I found a couple of interesting quirks in both syslogd
and binlogd. I decided to present my observations as this summary.

binlogd: the executable is configured to hook to the "binlog/udp"
service listed in /etc/services. Trouble is, the /etc/services file does
not contain a "binlog" alias for the "binlogd/udp" service listed. So,
without a modification to /etc/services, binlogd will not be able to
listen for incoming (remote) messages to be logged on "this" host. The
logging/non-logging status of binlogd can be seen by starting the daemon
with the -d flag, which directs informational messages to stderr. Leaving
/etc/services unmodified is a nice way to prevent the abuse of the
system through port udp/binlogd, since no one listens there.

syslogd: trying to harden this one, I discovered that in the absence of
a /etc/syslog.auth file for restricting remote logging to a named list
of hosts, any host is **allowed** to write to the syslog daemon. This
can be seen by starting syslogd with the -d flag. Watch for a line
similar to this one in the diagnostic output: "The /etc/syslog.auth file
does not exist. Messages from all remote hosts will be accepted." Duh!
Best thing to do to prevent abuse of this is to touch an empty
/etc/syslog.auth file and -HUP the syslogd. On another note, the trick
applied to binlogd to disallow use of its registered port is not
applicable to syslogd. If the daemon can not find an entry for
"syslog/udp" in /etc/services, it just quits. So, one has to run with
syslog/udp listening (i.e. it will be discovered as such when the system is
port-scanned) if syslogd is required to run on your system.

Hope this information helps. If anyone has additional stuff on this, drop
me a mail.
--
===============================================
Charles Vachon tel: (418) 627-6355 x2760
email: cvachon2_at_mrn.gouv.qc.ca
System Administrator
FRCQ/Ministère des Ressources
Naturelles du Québec
===============================================
Received on Mon Feb 26 2001 - 20:31:05 NZDT
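The two checks the post describes (is there a "syslog/udp" or "binlog/udp" entry in /etc/services, and does /etc/syslog.auth exist) can be scripted as a small audit. The script below is an added example, not part of the original post and not a Tru64 tool; it takes the file paths as parameters so it runs here against a constructed copy of /etc/services (the binlogd port number in that sample is a placeholder, only syslog's 514/udp is the real registered port) and can be pointed at the real files on a host.

```shell
#!/bin/sh
# Added example (not from the original post): audit the log daemon
# exposure described there, on any /etc/services-style file.

# has_service FILE NAME PROTO
# Succeeds when FILE has an entry whose name or one of whose aliases is
# NAME for protocol PROTO, which is the lookup the daemons rely on.
has_service() {
    awk -v name="$2" -v proto="$3" '
        { sub(/#.*/, "") }                 # strip comments
        NF < 2 { next }                    # blank or malformed line
        {
            split($2, pp, "/")             # field 2 is port/proto
            if (pp[2] != proto) next
            # field 1 is the service name, fields 3.. are aliases
            for (i = 1; i <= NF; i++)
                if (i != 2 && $i == name) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# syslog_auth_status FILE
# Mirrors the syslogd -d message: no file means every remote host is
# accepted (returns 1); an empty file authorizes nobody; otherwise the
# file names the permitted hosts.
syslog_auth_status() {
    if [ ! -f "$1" ]; then
        echo "open: $1 does not exist, messages from all remote hosts accepted"
        return 1
    elif [ ! -s "$1" ]; then
        echo "closed: $1 is empty, no remote host authorized"
    else
        n=$(grep -c '^[[:space:]]*[^[:space:]#]' "$1" || true)
        echo "restricted: $1 authorizes $n host entries"
    fi
    return 0
}

# audit_log_daemons SERVICES_FILE SYSLOG_AUTH_FILE
# Returns 1 if syslogd would not start or remote syslog is wide open.
audit_log_daemons() {
    rc=0
    if has_service "$1" syslog udp; then
        echo "syslog/udp present: syslogd listens on udp/514 (and cannot be told not to)"
    else
        echo "syslog/udp missing: syslogd will just quit at startup"
        rc=1
    fi
    if has_service "$1" binlog udp; then
        echo "binlog/udp present: binlogd accepts remote messages"
    else
        echo "binlog/udp missing: binlogd cannot bind, remote binlog is disabled"
    fi
    syslog_auth_status "$2" || rc=1
    return $rc
}

# Constructed sample files (not a real Tru64 /etc/services; the binlogd
# port is a placeholder). Only the "binlogd" name is present, with no
# "binlog" alias, which is the situation the post describes.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/services" <<'EOF'
# constructed sample
syslog      514/udp
binlogd     9999/udp      # placeholder port
EOF

audit_log_daemons "$SAMPLE_DIR/services" "$SAMPLE_DIR/syslog.auth" \
    || echo "audit: remote logging exposure found"
```

On a real host run `audit_log_daemons /etc/services /etc/syslog.auth`; the alias test matters because adding `binlog` as an alias on the `binlogd` line is exactly the change that would turn remote binlog reception back on.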