9.4. Restrict console messages

9.4.1. Restrict console messages from the system log

Generating a stready stream of console messages can easily overwhelm a 9600bps link.

Although displaying all syslog messages on the console appears to be a good idea, this actually provides the unprivileged user a simple method to deny effective use of the remote console.

Configure system log messages to the console to the bare minimum. Look in /etc/syslog.conf for lines ending with /dev/console.

Consider sending all log messages to another machine for recording and analysis. Figure 9-2 shows the standard /etc/syslog.conf from Red Hat Linux 7.2 modified to record log messages to a log server. Each line of syslog.conf has been repeated to send a copy of the message to the log server. The log server has the DNS alias loghost.example.edu.au; using a DNS alias allows the log server to be moved without updating the configuration of all the remote machines. The local copy of the log message is no longer the only means of determining the cause of a system failure, so we can gain some performance advantage by disabling synchronous file writes, although this increases the odds of an inconsistent filesystem (an issue with filesystems that do not do journalling). Placing a - before the filename disables synchronous file writes.

Figure 9-2. /etc/syslog.conf modified to copy log messages to a log server

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none  @loghost.example.edu.au
*.info;mail.none;authpriv.none;cron.none  -/var/log/messages

# The authpriv file has restricted access.
authpriv.*                                @loghost.example.edu.au
authpriv.*                                /var/log/secure

# Log all the mail messages in one place.
mail.*                                    @loghost.example.edu.au
mail.*                                    -/var/log/maillog

# Log cron stuff
cron.*                                    @loghost.example.edu.au
cron.*                                    -/var/log/cron

# Everybody gets emergency messages
*.emerg                                   @loghost.example.edu.au
*.emerg                                   *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                            @loghost.example.edu.au
uucp,news.crit                            -/var/log/spooler

# Save boot messages also to boot.log
local7.*                                  @loghost.example.edu.au
local7.*                                  -/var/log/boot.log

A log server is configured using the standard /etc/syslog.conf configured to allow the reception of remote syslog messages. This configuration for Red Hat Linux is shown in Figure 9-3. In addition to configuring the system log daemon, also prevent denial of service attacks by configuring IP Tables to restrict the sources of the syslog messages; and also improve performance by checking that nscd is running to cache reverse DNS lookups.

Figure 9-3. Allowing remote log messages by setting options in /etc/sysconfig/syslog

# Red Hat Linux default value, does not write timer mark messages
SYSLOGD_OPTIONS="-m 0"
# Add option to accept remote syslog messages
SYSLOGD_OPTIONS="${SYSLOGD_OPTIONS} -r"

Figure 9-4. Restrict syslog messages to remote.example.edu.au

 bash# chkconfig iptables on
 bash# /etc/init.d/iptables restart
# Allow all IP traffic from this machine
 bash# iptables --append INPUT --source 127.0.0.0/8 --in-interface lo --jump ACCEPT
# Perhaps filter other traffic
…
# Accept syslog messages from remote.example.edu.au
 bash# iptables --append INPUT --source remote.example.edu.au --protocol udp --destination-port syslog -j ACCEPT
# Silently drop unexpected syslog messages
 bash# iptables --append INPUT --protocol udp --destination-port syslog -j DROP
# Save the running configuration
 bash# /etc/init.d/iptables save

Figure 9-5. Using nscd to cache reverse DNS lookups

bash# chkconfig nscd on
bash# /etc/init.d/nscd restart

9.4.2. Restrict broadcast messages to the console

Users that are logged into the serial console should not accept broadcast messages. Add new files to /etc/profile.d to do this. Figure 9-6 shows a file for use by the Bourne shell.

Figure 9-6. Restrict sending of messages to console user

#
# Do we have files referred to?
if [ -x /usr/bin/mesg -a -x /usr/bin/tty ]
then
  # Are we on serial console?
  if [ `/usr/bin/tty` = /dev/ttyS0 ]
  then
    # Do not accept broadcast messages
    /usr/bin/mesg n
  fi
fi

As this file is run frequently, we use a faster but less readable version of Figure 9-6, shown in Figure 9-7.

Figure 9-7. Restrict sending of messages to console user, /etc/profile.d/mesg.sh

#
# /etc/profile.d/mesg.sh -- prevent people hassling the serial console user
[ -x /usr/bin/mesg -a -x /usr/bin/tty -a `/usr/bin/tty` = /dev/ttyS0 ] && /usr/bin/mesg n

We also need a C shell version, shown in Figure 9-8.

Figure 9-8. Restrict sending of messages to console user, /etc/profile.d/mesg.csh

#
# /etc/profile.d/mesg.csh -- prevent people hassling the serial console user
if (-X mesg && -X tty && `tty` == /dev/ttyS0) then
  mesg n
endif

Although mesg.sh and mesg.csh are included by the parent shell rather than executed, the files need the execute permission set. The procedure in Figure 9-9 installs the files and sets the permissions.

Figure 9-9. Install files into /etc/profile.d

bash# cp mesg.*sh /etc/profile.d/
bash# chown root:root /etc/profile.d/mesg.*sh
bash# chmod u=rwx,g=rx,o=rx /etc/profile.d/mesg.*sh