Generating a stready stream of console messages can easily overwhelm a 9600bps link.
Although displaying all syslog messages on the console appears to be a good idea, this actually provides the unprivileged user a simple method to deny effective use of the remote console.
Configure system log messages to the console to the bare minimum. Look in /etc/syslog.conf for lines ending with /dev/console.
Consider sending all log messages to another machine for recording and analysis. Figure 9-2 shows the standard /etc/syslog.conf from Red Hat Linux 7.2 modified to record log messages to a log server. Each line of syslog.conf has been repeated to send a copy of the message to the log server. The log server has the DNS alias loghost.example.edu.au; using a DNS alias allows the log server to be moved without updating the configuration of all the remote machines. The local copy of the log message is no longer the only means of determining the cause of a system failure, so we can gain some performance advantage by disabling synchronous file writes, although this increases the odds of an inconsistent filesystem (an issue with filesystems that do not do journalling). Placing a - before the filename disables synchronous file writes.
Figure 9-2. /etc/syslog.conf modified to copy log messages to a log server
# Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none @loghost.example.edu.au *.info;mail.none;authpriv.none;cron.none -/var/log/messages # The authpriv file has restricted access. authpriv.* @loghost.example.edu.au authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* @loghost.example.edu.au mail.* -/var/log/maillog # Log cron stuff cron.* @loghost.example.edu.au cron.* -/var/log/cron # Everybody gets emergency messages *.emerg @loghost.example.edu.au *.emerg * # Save news errors of level crit and higher in a special file. uucp,news.crit @loghost.example.edu.au uucp,news.crit -/var/log/spooler # Save boot messages also to boot.log local7.* @loghost.example.edu.au local7.* -/var/log/boot.log |
A log server is configured using the standard /etc/syslog.conf configured to allow the reception of remote syslog messages. This configuration for Red Hat Linux is shown in Figure 9-3. In addition to configuring the system log daemon, also prevent denial of service attacks by configuring IP Tables to restrict the sources of the syslog messages; and also improve performance by checking that nscd is running to cache reverse DNS lookups.
Figure 9-3. Allowing remote log messages by setting options in /etc/sysconfig/syslog
# Red Hat Linux default value, does not write timer mark messages SYSLOGD_OPTIONS="-m 0" # Add option to accept remote syslog messages SYSLOGD_OPTIONS="${SYSLOGD_OPTIONS} -r" |
Figure 9-4. Restrict syslog messages to remote.example.edu.au
bash# chkconfig iptables on bash# /etc/init.d/iptables restart # Allow all IP traffic from this machine bash# iptables --append INPUT --source 127.0.0.0/8 --in-interface lo --jump ACCEPT # Perhaps filter other traffic … # Accept syslog messages from remote.example.edu.au bash# iptables --append INPUT --source remote.example.edu.au --protocol udp --destination-port syslog -j ACCEPT # Silently drop unexpected syslog messages bash# iptables --append INPUT --protocol udp --destination-port syslog -j DROP # Save the running configuration bash# /etc/init.d/iptables save |
Users that are logged into the serial console should not accept broadcast messages. Add new files to /etc/profile.d to do this. Figure 9-6 shows a file for use by the Bourne shell.
Figure 9-6. Restrict sending of messages to console user
# # Do we have files referred to? if [ -x /usr/bin/mesg -a -x /usr/bin/tty ] then # Are we on serial console? if [ `/usr/bin/tty` = /dev/ttyS0 ] then # Do not accept broadcast messages /usr/bin/mesg n fi fi |
As this file is run frequently, we use a faster but less readable version of Figure 9-6, shown in Figure 9-7.
Figure 9-7. Restrict sending of messages to console user, /etc/profile.d/mesg.sh
# # /etc/profile.d/mesg.sh -- prevent people hassling the serial console user [ -x /usr/bin/mesg -a -x /usr/bin/tty -a `/usr/bin/tty` = /dev/ttyS0 ] && /usr/bin/mesg n |
We also need a C shell version, shown in Figure 9-8.
Figure 9-8. Restrict sending of messages to console user, /etc/profile.d/mesg.csh
# # /etc/profile.d/mesg.csh -- prevent people hassling the serial console user if (-X mesg && -X tty && `tty` == /dev/ttyS0) then mesg n endif |
Although mesg.sh and mesg.csh are included by the parent shell rather than executed, the files need the execute permission set. The procedure in Figure 9-9 installs the files and sets the permissions.