On Mon, Mar 20, 2006 at 01:00:58AM -0500, Nick Guenther wrote:
> Hi list,
>
> I want to log things remotely (from a consumer-grade router running
> linux that keeps dying on me). I think the proper way to do this is to
> do "syslogd -u" but I am not sure because the manpage only vaguely
> mentions how insecure the -u option is and doesn't really explain it.
> I've found a page that describes using -u for OS X, and the linux
> manpage for sysklogd has a -r. RFC 3164 says "syslog uses the user
> datagram protocol (UDP) [1] as its underlying transport layer
> mechanism" so it seems like this is correct, but it seems odd.
>
> If I just run syslogd like this on my home LAN what are the risks I
> need to think about? I can't think of any except maybe that if someone
> can get into the LAN then they can fill up my disks.
>
> What other network logging 'solutions' are there, if any? Google only
> seems to know about syslog and IIS.

Syslog is nice, but the -u option has the disadvantage that effectively
everyone can syslog to you. pf(4) can solve that, but unless you
hardcode a MAC address (arp(4), arp(8)) this can be gotten around by
spoofing (since UDP does not have a 'handshake', it is possible to let
packets pretend to be from wherever you want).

Of course, a trusted network path (ipsec(4) and friends, for instance)
is also a good way to secure this.

There are some syslogd replacements that use TCP, or, even better, some
form of authentication. A few are in ports.

Joachim
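
The pf(4) and arp(8) part of the reply above, written out as a worked configuration. This is an added example, not something posted in the thread; the interface name em0, the addresses 192.168.1.1 (router) and 192.168.1.2 (loghost) and the router's MAC address are all made up for illustration. One caveat a practitioner should keep in mind: the pf rule only matches the IP header, which any host on the same segment can forge, and a static ARP entry stops the loghost's own outbound traffic from being redirected by ARP spoofing but does not check where an inbound datagram came from. That is why the IPsec or authenticated-transport suggestion in the reply is the real fix; the rules below only shrink the exposure from "everyone" to "everyone who bothers to forge a source address".

```conf
# Added example (not from the thread). Constructed assumptions:
#   loghost: OpenBSD, syslogd -u, interface em0 with address 192.168.1.2
#   router:  192.168.1.1, Ethernet address 00:11:22:33:44:55 (made up)

# --- loghost: /etc/rc.conf.local ---
# Weak setting: "-u" alone makes syslogd accept UDP/514 from any host that
# can reach em0, so anyone on the LAN can fill the log disk.
syslogd_flags="-u"

# --- loghost: /etc/pf.conf ---
ext_if  = "em0"
loghost = "192.168.1.2"
router  = "192.168.1.1"

# Hardened: refuse UDP syslog from everyone, then re-allow only the router.
# pf evaluates rules top to bottom and the last matching rule wins (no
# "quick"), so the pass rule overrides the block for the router only.
block in log on $ext_if proto udp from any    to $loghost port 514
pass  in     on $ext_if proto udp from $router to $loghost port 514

# Load and check with:
#   pfctl -f /etc/pf.conf
#   pfctl -s rules
#   pfctl -s info       (the "block" counter climbs if something else tries)

# --- loghost: /etc/rc.local (or run once by hand), arp(8) ---
# Pin the router's Ethernet address so an ARP-spoofing host on the LAN cannot
# redirect the loghost's own traffic to itself. Note: this does not make pf
# verify the sender of an incoming datagram; a forged source IP still passes.
#   arp -s 192.168.1.1 00:11:22:33:44:55 permanent
#   arp -an              (entry should show up as "permanent")

# --- router: /etc/syslog.conf ---
# Send everything to the loghost; the "@" form is plain UDP/514.
*.*     @192.168.1.2
```
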