Tuesday, 7 July 2009

Using Ubuntu Syslog with Cisco

Today I decided to show you how to log your Cisco router to a syslog server on Ubuntu.

Before we begin, back up the file, as you never know when you'll change something you didn't mean to:
sudo cp /etc/syslog.conf /etc/syslog.conf.ididamistake

sudo nano /etc/syslog.conf
Add the following lines:
#router logging
local6.debug /var/log/cisco.log


This means: send all messages from facility local6 with a priority of debug or higher (that is, every priority) to /var/log/cisco.log.

If this is not enough for you, you can always use local6.*; this can be overkill but very useful.

If you haven't already, you'll need to create the log file:
sudo touch /var/log/cisco.log

You'll need to enable syslog to accept messages from remote machines by editing
sudo nano /etc/default/syslogd

to add the -r option:
SYSLOGD="-r"

Now restart the syslog daemon.
sudo /etc/rc2.d/S10sysklogd restart

You can now send a test message into syslog to see if it's logging:
logger -p local6.debug "is this working?"

Run cat /var/log/cisco.log; you should see the line above.

Now we have a little problem: the message has also been posted to the other log files configured in /etc/syslog.conf (such as /var/log/syslog, /var/log/messages, and /var/log/debug).
We don't want the messages from the router mixed in with the system messages.
Edit /etc/syslog.conf to include exceptions for local6 anywhere we have a *.[whatever] selector, like so:

*.*;local6.none;\
auth,authpriv.none -/var/log/syslog


Restart the syslog daemon again.

Test that your config is working as expected for each priority (debug, info, notice, warn, err, crit, alert, emerg, panic), so run:
logger -p local6.debug "is this working?"
logger -p local6.warn "is this working?"
logger -p local6.info "is this working?"
logger -p local6.err "is this working?"
These should only go to cisco.log.

Check /var/log/cisco.log, /var/log/syslog, /var/log/debug, and /var/log/messages - messages should only be in cisco.log.
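To see why the local6.none exclusions are needed without touching a live syslogd, here is an added example (my code, not part of the original post) that evaluates sysklogd-style syslog.conf selectors offline: it reads a config fragment, works out which files a given facility.priority message lands in, and compares the rules before and after adding local6.none. The config fragment is constructed to resemble the post's rules plus Ubuntu-style catch-all lines; the actual file on your box will differ.

```python
"""Offline checker for sysklogd-style /etc/syslog.conf selectors.

Added example (not from the original post). Given a syslog.conf fragment,
it reports which log files a message with a given facility.priority is
written to, so you can see why 'local6.debug' catches every router message
and why ';local6.none' has to be added to the catch-all rules.
"""

# Priority keywords accepted by syslog.conf and logger(1); lower is more severe.
PRIORITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp",
] + ["local%d" % i for i in range(8)]


def _join_continuations(text):
    """Merge lines that end in a backslash, as syslogd does when reading the file."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip()
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _apply_selector(mask, selector):
    """Update the per-facility set of matching priorities for one 'fac[,fac].pri' selector."""
    facs, _, pri = selector.rpartition(".")
    if not facs or not pri:
        raise ValueError("bad selector: %r" % selector)
    negate = pri.startswith("!")
    pri = pri.lstrip("!")
    exact = pri.startswith("=")
    pri = pri.lstrip("=")
    for fac in (FACILITIES if facs == "*" else facs.split(",")):
        if fac not in mask:
            raise ValueError("unknown facility: %r" % fac)
        if pri == "*":
            mask[fac] = set(range(8))
        elif pri == "none":
            mask[fac] = set()
        else:
            level = PRIORITIES[pri]
            # 'fac.err' means err and everything more severe (a lower number);
            # 'fac.=err' means exactly err.
            levels = {level} if exact else set(range(level + 1))
            if negate:
                mask[fac] -= levels
            else:
                mask[fac] |= levels


def parse_syslog_conf(text):
    """Return [(logfile, {facility: set(priorities)}), ...], one entry per rule line."""
    rules = []
    for line in _join_continuations(text):
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("rule has no action: %r" % line)
        selectors, action = parts
        action = action.lstrip("-")  # a leading '-' only disables fsync after each write
        mask = {fac: set() for fac in FACILITIES}
        for sel in selectors.split(";"):
            if sel:
                _apply_selector(mask, sel)
        rules.append((action, mask))
    return rules


def destinations(rules, facility, priority):
    """List the log files, in rule order, that a facility.priority message is written to."""
    level = PRIORITIES[priority]
    return [action for action, mask in rules if level in mask[facility]]


# Constructed fragment: the router rule from the post plus Ubuntu-style
# catch-all rules with the local6.none exclusions added.
WITH_EXCLUSIONS = """
#router logging
local6.debug                    /var/log/cisco.log
*.*;local6.none;\\
auth,authpriv.none              -/var/log/syslog
*.=debug;local6.none;\\
        auth,authpriv.none;\\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\\
        local6.none;\\
        auth,authpriv.none;\\
        cron,daemon.none;\\
        mail,news.none          -/var/log/messages
"""
# The same rules before the exclusions were added.
WITHOUT_EXCLUSIONS = WITH_EXCLUSIONS.replace("local6.none;", "")

if __name__ == "__main__":
    for label, conf in (("before", WITHOUT_EXCLUSIONS), ("after", WITH_EXCLUSIONS)):
        rules = parse_syslog_conf(conf)
        print("%s adding local6.none:" % label)
        for pri in ("debug", "warn", "info", "err"):
            print("  local6.%-5s -> %s" % (pri, ", ".join(destinations(rules, "local6", pri))))
```

Run it and the "before" block shows local6.warn landing in cisco.log, syslog and messages at once, while the "after" block shows every local6 priority going only to cisco.log, which is exactly what the cat checks above should confirm on the real server.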

Now that your syslog server is set up, you need to configure the router to send its messages to the server.

Configuring your router to send messages to the log host couldn't be easier:
config t
logging [ip address of your ubuntu box]
logging facility local6
logging history [severity]
logging on


Your version of IOS may require different commands. Have fun with that.

Logging severity levels:
emergencies System is unusable (severity=0)
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
errors Error conditions (severity=3)
warnings Warning conditions (severity=4)
notifications Normal but significant conditions (severity=5)
informational Informational messages (severity=6)
debugging Debugging messages (severity=7)

Normally I stick with informational (sev=6); debugging can create too much information, and unless you have an issue with a router I wouldn't use it.

Compare the logging buffer on your router ("sh logging") with the file on your log server; messages since you made the change should also be going to the server.
If not, make sure you can reach the log server from the router and that port 514 (UDP) isn't blocked anywhere; otherwise this won't work.
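Once messages are arriving, the useful thing to do with cisco.log is to parse the severity out of each line rather than eyeballing it. Here is an added example (my code, not part of the original post) that parses IOS-style "%FACILITY-SEVERITY-MNEMONIC:" messages out of lines as syslogd writes them, counts them by the severity names in the table above, and returns the ones at or more severe than a chosen level, which is the same comparison the router itself applies when deciding what to send. The log lines are constructed for the example; the router IP, sequence numbers and router-side timestamps are assumptions about how your IOS is configured.

```python
"""Parse Cisco IOS messages out of /var/log/cisco.log and triage by severity.

Added example (not from the original post). IOS messages carry a
'%FACILITY-SEVERITY-MNEMONIC:' tag whose middle field is the 0..7 severity
from the table above, so the log server can count and filter them without
any access to the router.
"""
import re
from collections import Counter

# Severity names as IOS prints them, indexed by number (0 = most severe).
SEVERITY_NAMES = [
    "emergencies", "alerts", "critical", "errors",
    "warnings", "notifications", "informational", "debugging",
]

# Header written by syslogd in front of every line: "Mon dd hh:mm:ss host rest".
# The host is whatever syslogd recorded for the sender (an IP when there is
# no reverse DNS, which is what this example assumes).
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<rest>.*)$"
)
# The IOS tag can sit anywhere in the remainder: a sequence number and the
# router's own timestamp precede it only if 'service sequence-numbers' and
# 'service timestamps log' are configured.
_TAG = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


def parse_cisco_line(line):
    """Return a dict for one cisco.log line, or None if it is not an IOS message."""
    m = _HEADER.match(line.rstrip("\n"))
    if not m:
        return None
    t = _TAG.search(m.group("rest"))
    if not t:
        return None
    sev = int(t.group("severity"))
    return {
        "received": m.group("ts"),
        "host": m.group("host"),
        "facility": t.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": t.group("mnemonic"),
        "text": t.group("text"),
    }


def triage(lines, alert_at=3):
    """Count IOS messages per severity name and return those at 'alert_at' or more severe.

    Lower numbers are more severe, so the default of 3 returns errors, critical,
    alerts and emergencies. Lines that are not IOS messages (e.g. the logger
    test lines from earlier) are skipped.
    """
    counts = Counter()
    alerts = []
    for line in lines:
        msg = parse_cisco_line(line)
        if msg is None:
            continue
        counts[msg["severity_name"]] += 1
        if msg["severity"] <= alert_at:
            alerts.append(msg)
    return counts, alerts


# Constructed sample of what cisco.log might contain: one logger test line
# and four messages from an assumed router at 192.0.2.1.
SAMPLE_LOG = [
    "Jul  7 09:55:00 ubuntu root: is this working?",
    "Jul  7 10:01:12 192.0.2.1 37: *Jul  7 10:01:11.903: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.50)",
    "Jul  7 10:02:30 192.0.2.1 38: *Jul  7 10:02:29.117: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "Jul  7 10:02:31 192.0.2.1 39: *Jul  7 10:02:30.121: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "Jul  7 10:05:02 192.0.2.1 40: *Jul  7 10:05:01.552: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4444) -> 192.0.2.10(23), 1 packet",
]

if __name__ == "__main__":
    counts, alerts = triage(SAMPLE_LOG)
    for name in SEVERITY_NAMES:
        if counts[name]:
            print("%-14s %d" % (name, counts[name]))
    for msg in alerts:
        print("ALERT %s %s-%d-%s: %s" % (msg["received"], msg["facility"],
                                        msg["severity"], msg["mnemonic"], msg["text"]))
```

Pointing this at the real file (for example, reading /var/log/cisco.log line by line into triage) gives a quick count of how much each severity contributes, which is the number to look at before deciding whether the informational level the post recommends is generating more than your disk and rotation settings can absorb.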

Now, we don't want the log file to get too big, so we'll set up log rotation.
Open the file with sudo nano /etc/logrotate.conf and add this below the "system-specific logs may be configured here" line:

/var/log/cisco.log {
missingok
compress
notifempty
daily
rotate 7
size 5M
# copy then truncate in place: syslogd keeps its file handle open and would
# otherwise carry on writing to the renamed cisco.log.1
copytruncate
}


Remember you may need to change this depending on the number of messages you get; you can expand the size of the file as well, and if you have access lists with the logging option on, the file can get quite large.
If you'd like to learn more about the logging options, here is a useful link

Wednesday, 1 July 2009

Apache Security

As web servers go, Apache is one I like a lot; it's stable, and its very light footprint is great. After install it's ready to run with no big mods needed; however, one thing that does need to be addressed is the security of the account it runs under.

I've noticed that a number of people do not set up any user account for Apache, leaving it to run under services; this can open up services to web hackers, who can then read the list of running services and use this to find other exploits on the system.

Create an account with a name such as apache, which runs the web server software. Since this account will never be used to log in for shell access, we do not need to create the normal user account login files.

On Ubuntu this is done like so (nologin lives in /usr/sbin on Ubuntu, and both commands need root):
sudo groupadd apache && sudo useradd apache -g apache -d /dev/null -s /usr/sbin/nologin

Before editing apache2.conf I would recommend you make a backup of the file:
sudo cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.dontmessthisup

Now add the user to the apache2.conf file for Apache to use.
sudo nano /etc/apache2/apache2.conf

Add the following lines to apache2.conf:
User apache
Group apache


Save and close the file; then you'll need to restart Apache for the change to take effect:
sudo /etc/init.d/apache2 restart

Another good security tip for websites that have transactions and other internet sales related activity is to change the logging to use syslog. This can be done by editing apache2.conf to change the ErrorLog line from:

ErrorLog /var/log/apache2/error.log

to syslog:

ErrorLog syslog:local7

This will now log to syslog as facility local7.
You will need to add a few lines to syslog.conf for it to handle the new logging information.

Again, I recommend you create a copy of syslog.conf before editing it:
sudo cp /etc/syslog.conf /etc/syslog.conf.dontmessthisup

Now edit syslog.conf:
sudo nano /etc/syslog.conf

At the bottom of the file add the following lines:
#Apache Logging
local7.* /var/log/apache2/error.log


You'll need to restart syslog for the change to take effect:
sudo /etc/rc2.d/S10sysklogd restart

You can now test syslog by sending a message into the log:
logger -p local7.debug "this is working"

We can now check the log:
cat /var/log/apache2/error.log

You should now see your test line, something like this:
server root: this is working



