Re: Encrypting/emailing logs and configs
On Wednesday, 2002-10-30 at 13:07:31 -0500, Sean McAvoy wrote:

> I was looking at configuring a few of my VPN/Firewall systems to send me
> daily backups of vital config files, and selected log files. I was
> wondering what would be the easiest method of accomplishing this? I was
> thinking something along the lines of just tar/bzip and then gpg to
> encrypt. What other possibilities are there? And has anyone else setup
> something similar?

I'm doing something similar on a firewall I set up. It uses find/cpio to make an incremental dump (--newer SOME-MARK-FILE) and encrypts it. The dump is put in a directory that is part of a chroot jail. It gets encrypted with a public key in gpg.

I pick it up from an internal machine with scp with a key without passphrase. The account used on the firewall has scponlyc as shell. (If you don't know scponly, it permits only certain ssh operations, and the scponlyc variant puts itself in a chroot jail, which in my case contains only the scp executables. http://sublimation.org/scponly/)

The dump can only be decrypted with a special secret key, and access to its passphrase is controlled.

This is the dump script (BTW, this is a FreeBSD machine, you have to adjust the paths):

    #!/bin/sh

    LD_LIBRARY_PATH=/usr/local/bin
    export LD_LIBRARY_PATH

    # Remove the previous dump first
    /bin/rm -f /jail/backup/level1.cpio.gpg

    # Archive everything newer than the level 0 mark file and encrypt it
    # to the backup public key
    /usr/bin/find / /var -xdev -newer /jail/backup/Level0.mark -print0 | \
    /usr/bin/cpio --create --format=newc --null --io-size=32768 --quiet | \
    /usr/local/bin/gpg --encrypt --output /jail/backup/level1.cpio.gpg --recipient [EMAIL PROTECTED]

And this is the fetch script (SuSE box):

    #!/bin/sh

    LOCALFILE=/data/backup/cabernet/level1.cpio-`date +%Y%m%d-%a`.gpg
    REMOTEFILE=backup/level1.cpio.gpg
    KEYFILE=/root/.ssh/cabernet-backup-id

    # -B: batch mode, never prompt for a password or passphrase
    /usr/bin/scp -B -q -i "$KEYFILE" "backup@cabernet:$REMOTEFILE" "$LOCALFILE"

HTH,
Lupe Christoph
--
| [EMAIL PROTECTED] | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be |
| unsinkable. The designer had a speech impediment. He said: I have |
| thith great unthinkable conthept ... |
Re: Encrypting/emailing logs and configs
Greetings!

Sean McAvoy wrote:

> I was looking at configuring a few of my VPN/Firewall systems to send me
> daily backups of vital config files, and selected log files. I was
> wondering what would be the easiest method of accomplishing this? I was
> thinking something along the lines of just tar/bzip and then gpg to
> encrypt. What other possibilities are there? And has anyone else setup
> something similar?

If you don't have the space/equipment/systems/security to use rsync via ssh (as suggested a number of times already), tar and gpg just do fine. bzip2 is not really necessary as gpg compresses the input per default (okay rate, comparable to gzip).

Advantage of tar+gpg+mail is that you don't have DSA keys to your machines lying around on your management system as you will have with rsync over ssh. If you want to use rsync/ssh you should really lock down and protect your management system. For the tar+gpg+mail solution (nearly) any client PC will do - as long as you don't unpack the mails and keep your GPG keyring safe...

Bye
Volker Tanger
IT-Security Consulting
--
discon gmbh
Wrangelstraße 100
D-10997 Berlin
fon +49 30 6104-3307
fax +49 30 6104-3461
[EMAIL PROTECTED]
http://www.discon.de/
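The tar+gpg+mail approach from the message above, as an added example that is not part of the original thread: it encrypts to a public key on the firewall and mails the armored result only when encryption produced output. The recipient key, mail address and file list are assumed values, and a local mail command is assumed to exist.

```shell
#!/bin/sh
# Added example, not from the thread: tar + gpg + mail, run daily from cron.
# RECIPIENT, MAILTO and FILES are assumed values; paths must not contain spaces.
RECIPIENT="${RECIPIENT:-backup-key@example.org}"  # public key imported on the firewall
MAILTO="${MAILTO:-admin@example.org}"
FILES="${FILES:-/etc/ssh/sshd_config /etc/ipsec.conf /var/log/auth.log}"

# Keep only readable paths, so one rotated-away log does not abort the run.
existing_files() {
    for f in $FILES; do
        if [ -r "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Archive to stdout and encrypt to the public key; the secret key never
# touches the firewall. --armor gives ASCII that fits in a mail body, and
# there is no bzip2 stage because gpg compresses its input by default.
make_bundle() {
    list=$(existing_files)
    [ -n "$list" ] || { echo "nothing to back up" >&2; return 1; }
    # $list is left unquoted on purpose: one word per path.
    tar -cf - $list |
        gpg --batch --no-tty --encrypt --armor --trust-model always \
            --recipient "$RECIPIENT"
}

# Encrypt to a temporary file first and mail it only if it is non-empty,
# so a gpg failure (unknown recipient, full disk) never sends a blank mail.
send_bundle() {
    tmp=$(mktemp) || return 1
    rc=0
    if make_bundle > "$tmp" && [ -s "$tmp" ]; then
        mail -s "backup $(uname -n) $(date +%Y%m%d)" "$MAILTO" < "$tmp" || rc=1
    else
        echo "backup failed, nothing mailed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Call send_bundle from a daily cron job; the mail can then be read on any client as long as the secret key stays off it.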
Re: Encrypting/emailing logs and configs
Greets,

On Wed, 30 Oct 2002 at 01:07:31PM -0500, Sean McAvoy wrote:

> I was looking at configuring a few of my VPN/Firewall systems to send me
> daily backups of vital config files, and selected log files. I was
> wondering what would be the easiest method of accomplishing this? I was
> thinking something along the lines of just tar/bzip and then gpg to
> encrypt. What other possibilities are there? And has anyone else setup
> something similar?

Round about way...but set up IPSec and FTP them over the IPSec tunnel...or there is always SCP w/ keys w/o passphrases. You trap the SSH in a chroot jail at the receiving end...

--
Phil

PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import

XP Source Code:
#include win2k.h
#include extra_pretty_things_with_bugs.h
#include more_bugs.h
#include require_system_activation.h
#include phone_home_every_so_often.h
#include remote_admin_abilities_for_MS.h
#include more_restrictive_EULA.h
#include sell_your_soul_to_MS_EULA.h
//os_ver=Windows 2000
os_ver=Windows XP
--
Excuse #41: Bank holiday - system operating credits not recharged
Encrypting/emailing logs and configs
Hello,

I was looking at configuring a few of my VPN/Firewall systems to send me daily backups of vital config files, and selected log files. I was wondering what would be the easiest method of accomplishing this? I was thinking something along the lines of just tar/bzip and then gpg to encrypt. What other possibilities are there? And has anyone else setup something similar?

--
Sean McAvoy
Network Analyst
Megawheels Technologies Inc.
Phone: 416.360.8211
Fax: 416.360.1403
Cell: 416.616.6599
RE: Encrypting/emailing logs and configs
How about setting up loghost server with syslog-ng? You should send these logs via stunnel (secure way), sort them, compress/gpg them :)

Config files problem: set up a Coda server (reliable and secure) on this loghost and write a script to daily copy your config files.

Cheers,
Domonkos Czinke

-----Original Message-----
From: Sean McAvoy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 30, 2002 7:08 PM
To: [EMAIL PROTECTED]
Subject: Encrypting/emailing logs and configs

> Hello,
>
> I was looking at configuring a few of my VPN/Firewall systems to send me
> daily backups of vital config files, and selected log files. I was
> wondering what would be the easiest method of accomplishing this? I was
> thinking something along the lines of just tar/bzip and then gpg to
> encrypt. What other possibilities are there? And has anyone else setup
> something similar?
>
> --
> Sean McAvoy
> Network Analyst
> Megawheels Technologies Inc.
> Phone: 416.360.8211
> Fax: 416.360.1403
> Cell: 416.616.6599
Re: Encrypting/emailing logs and configs
On Wednesday, 30 October 2002, at 13:07:31 -0500, Sean McAvoy wrote:

> I was looking at configuring a few of my VPN/Firewall systems to send me
> daily backups of vital config files, and selected log files. I was
> wondering what would be the easiest method of accomplishing this? I was
> thinking something along the lines of just tar/bzip and then gpg to
> encrypt. What other possibilities are there? And has anyone else setup
> something similar?

Maybe the following is too ad-hoc for your liking, but should work ok and be reasonably easy to set up, apart from being quite secure IMO.

I am thinking about rsync over ssh, initiated from the destination backup server to the production VPN/Firewall machine. rsync does wonders updating trees of files in an optimal (bytes transferred wise) way. Running over ssh provides you with an encrypted and (if using RSA key authentication) authenticated connection.

Sync the times in the backup server and the firewall with (for example) ntp or ntpdate, and create a cron job in the backup server to initiate the backup at a certain time of the day. If both boxes are synchronized, you could also have your iptables firewall on the VPN/firewall box be updated to allow this backup at exactly the time of the day you have configured. If the backup script, when finished, returns the remote firewall ruleset to the original state, your vulnerability window will be even shorter.

I hope to have explained myself in an understandable way ;-)

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Woody (Linux 2.4.19-pre6aa1)
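One way to script the pull side of the rsync-over-ssh setup described in the message above, added here as an example and not taken from the thread: it runs non-interactively with a dedicated key, keeps the previous copy of any file that changed on the firewall, and treats vanished log files as a normal outcome. The host name, key path and directory names are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread: the pull side of "rsync over ssh", run
# from cron on the backup server. FW, KEY, SRC and DEST are assumed values.
FW="${FW:-backup@fw.example.org}"
KEY="${KEY:-/root/.ssh/fw-backup-id}"   # dedicated key, used for nothing else
SRC="${SRC:-/etc/ /var/log/}"
DEST="${DEST:-/data/backup/fw}"

# BatchMode makes ssh fail instead of prompting when cron runs it;
# IdentitiesOnly keeps it from offering any other key to the firewall.
ssh_cmd() {
    printf 'ssh -i %s -o BatchMode=yes -o IdentitiesOnly=yes' "$KEY"
}

# Pull one tree. No --delete: a file removed or truncated on the firewall
# must not silently vanish from the backup, so the previous copy of every
# changed file is kept under a dated directory instead.
pull_tree() {
    day=$(date +%Y%m%d)
    mkdir -p "$DEST/current$1" || return 1
    rsync -a --backup --backup-dir="$DEST/changed-$day$1" \
        -e "$(ssh_cmd)" "$FW:$1" "$DEST/current$1"
}

# rsync exit 24 means source files vanished mid-run, which is normal for
# logs being rotated; any other non-zero code is a failed backup.
pull_backup() {
    failed=0
    for tree in $SRC; do
        rc=0
        pull_tree "$tree" || rc=$?
        case "$rc" in
            0|24) ;;
            *) echo "rsync of $tree failed with code $rc" >&2; failed=1 ;;
        esac
    done
    return "$failed"
}
```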