Posts Tagged ‘stunnel’

How To Avoid Source Spoofing In Centralized Syslog Environments

An obvious weakness of the syslog network protocol is how easily messages can be spoofed into a central syslog server. The default use of UDP as a transport and the lack of any authentication make it trivial to spoof any part of a syslog message.

The most concerning form of spoofing is faking the sending host. An attacker can create a lot of chaos by stuffing log files with bogus errors, which can cause a denial of service or distract administrators with false alarms while an attack takes place.

The most basic way to improve the situation is to transport syslog over TCP rather than UDP.  Both the syslog-ng and rsyslog servers support this natively.

Alternatively, syslog can be tunneled over stunnel, as described here.
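As an added example (not code from the original post), here is a receiver-side check that treats the HOSTNAME field of each line as a claim and compares it with the name expected for the peer address of the TCP connection the line arrived on. The address-to-hostname inventory, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed inventory: which hostname each known sender address may claim.
# Addresses and names are constructed for this example.
EXPECTED_HOST = {
    "192.0.2.10": "web01",
    "192.0.2.20": "db01",
}

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

def check_source(peer_ip, raw_line):
    """Classify one received line as 'ok', 'unknown-sender',
    'malformed' or 'host-mismatch'."""
    expected = EXPECTED_HOST.get(peer_ip)
    if expected is None:
        return "unknown-sender"
    m = RFC3164.match(raw_line)
    if m is None:
        return "malformed"
    # The HOSTNAME field is written by the sender, so it is only a claim.
    claimed = m.group("host").split(".")[0].lower()
    return "ok" if claimed == expected else "host-mismatch"

# Constructed sample input: (peer address of the TCP connection, line).
SAMPLES = [
    ("192.0.2.10", "<38>May 17 16:04:01 web01 sshd[411]: Accepted publickey for deploy"),
    ("192.0.2.10", "<11>May 17 16:04:02 db01 kernel: I/O error on device sda"),
    ("198.51.100.7", "<11>May 17 16:04:03 web01 app: disk full"),
    ("192.0.2.20", "no syslog header here"),
]

def audit(samples):
    """Return one verdict per (peer_ip, line) pair, in order."""
    return [check_source(ip, line) for ip, line in samples]

if __name__ == "__main__":
    for (ip, line), verdict in zip(SAMPLES, audit(SAMPLES)):
        print(f"{verdict:15} {ip:14} {line}")
```

Lines flagged `host-mismatch` or `unknown-sender` are the ones worth alerting on, since a legitimate sender has no reason to claim another host's name.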

Posted by admin - May 17, 2009 at 4:04 pm

Categories: Security
