Building Internet Firewalls

Chapter 8: Configuring Internet Services

8.11 syslog

syslog is used to manage log messages in a centralized way. syslog got its start as a way of centrally recording messages for a set of UNIX machines, but many network devices (routers, hubs, etc.) now use syslog to report status and usage information. Such devices often don't even have a way to record this information locally, because they don't have any writable storage media; if you want to know what they're reporting, something has to be listening to their syslog messages.

Attackers will often attempt to flood a site's syslog server in order to cover their tracks, so that the server runs out of disk space and stops logging new messages, or so that the evidence of their activities is lost in the noise.

8.11.1 Packet Filtering Characteristics of syslog

syslog is a UDP-based service. syslog servers (which record messages logged by other systems) listen on UDP port 514. syslog clients generally (but not always) use ports above 1023 to talk to servers. syslog servers never send messages back to clients. syslog servers can be configured to pass messages along to other syslog servers; in such cases, the sending server generally uses port 514 as the client port.

Direction  Source Addr.  Dest. Addr.  Protocol  Source Port  Dest. Port  ACK Set  Notes
In         Ext           Int          UDP       >1023[41]    514         [42]     External client contacting internal syslog server
Out        Int           Ext          UDP       >1023[41]    514         [42]     Internal client contacting external syslog server
In         Ext           Int          UDP       514          514         [42]     External syslog server passing message to internal syslog server
Out        Int           Ext          UDP       514          514         [42]     Internal syslog server passing message to external syslog server

[41] Some syslog clients sometimes use ports below 1024.

[42] UDP packets do not have ACK bits.

8.11.2 Proxying Characteristics of syslog

syslog is a self-proxying protocol; that is, syslog servers can generally be configured to simply pass messages they receive on to other syslog servers.

8.11.3 Summary of syslog Recommendations

  • Do not allow syslog in from the outside world. In this way, you'll prevent attackers from attempting to flood your syslog servers.
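The following is an added example, not code from the book, that models the packet-filtering table in 8.11.1 as a small stateless filter and applies the recommendation above to it: inbound UDP/514 traffic from outside is dropped, the two outbound rows are permitted, and everything else falls through to a default deny. The internal address block (10.0.0.0/8), the sample addresses and the rule layout are assumptions made for this illustration; the constructed packets include the flooding attempt the chapter warns about and, to show footnote [41] in practice, an internal client that picks a source port below 1024 and is therefore rejected by a filter written literally from the table's ">1023" entry.

```python
"""Stateless packet-filter model for the syslog rows in 8.11.1 (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

# Assumed internal address space for the illustration.
INTERNAL = ip_network("10.0.0.0/8")
SYSLOG_PORT = 514


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def direction(pkt: Packet) -> str:
    """'In' = external source to internal destination, 'Out' = the reverse."""
    src_int = ip_address(pkt.src) in INTERNAL
    dst_int = ip_address(pkt.dst) in INTERNAL
    if not src_int and dst_int:
        return "In"
    if src_int and not dst_int:
        return "Out"
    return "Local" if src_int else "Transit"


# Rule = (direction, protocol, source-port predicate, dest port, action, note).
# The inbound rule covers table rows 1 and 3 (any source port, including 514
# used by a relaying server); the outbound rules mirror rows 2 and 4. Actions
# apply the recommendation: inbound syslog denied, outbound permitted.
Rule = Tuple[str, str, Callable[[int], bool], int, str, str]
RULES: List[Rule] = [
    ("In",  "udp", lambda p: True,     SYSLOG_PORT, "deny",  "external host -> internal syslog server"),
    ("Out", "udp", lambda p: p > 1023, SYSLOG_PORT, "allow", "internal client -> external server"),
    ("Out", "udp", lambda p: p == 514, SYSLOG_PORT, "allow", "internal server -> external server"),
]


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched hits the default deny."""
    d = direction(pkt)
    for rule_dir, proto, sport_ok, dport, action, note in RULES:
        if d == rule_dir and pkt.proto == proto and pkt.dport == dport and sport_ok(pkt.sport):
            return action, note
    return "deny", "default deny"


# Constructed sample traffic (documentation addresses, no real hosts).
SAMPLES: Dict[str, Packet] = {
    "flood_attempt":    Packet("203.0.113.7", "10.1.1.5", "udp", 40000, 514),   # outside host -> internal server
    "ext_server_relay": Packet("203.0.113.9", "10.1.1.5", "udp", 514, 514),     # outside server relaying inward
    "int_client_out":   Packet("10.2.3.4", "198.51.100.20", "udp", 50000, 514),
    "int_server_relay": Packet("10.1.1.5", "198.51.100.20", "udp", 514, 514),
    "low_port_client":  Packet("10.2.3.4", "198.51.100.20", "udp", 1000, 514),  # footnote [41] case
    "reply_to_client":  Packet("198.51.100.20", "10.2.3.4", "udp", 514, 50000), # servers never reply
}


def classify_all() -> Dict[str, str]:
    """Action taken for each constructed packet, keyed by sample name."""
    return {name: filter_packet(pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, note = filter_packet(pkt)
        print(f"{name:17} {direction(pkt):4} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {action:5} ({note})")
```

Run it and the two inbound packets (including the flood attempt) are denied, the two outbound rows are allowed, the return packet is denied because servers never answer clients, and the low-source-port client is dropped by the default deny. That last case is the point of footnote [41]: if a site has clients that use ports below 1024, the outbound rule has to match on the destination port alone rather than on the ">1023" source-port column.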
