Main: Syslog Security Tip

Your syslog log files contain data that is useful for diagnosing system problems and security events. Often they are the only record of what has happened on a system. As such, it is important to protect those logs, particularly in an environment where people regularly use shell access, such as a web server, shell server, etc.

When an attacker is trying to compromise your system, one of the first things he will probably do is completely erase the log files, or erase the evidence of his trespass from those files. To protect against that, there are two things you should do:

1. Change the file mode to 600 (writable and readable only by the owner). This ensures that unauthorized people are not perusing your log files to gain potentially useful information about your system, and it also prevents someone who has compromised, or is in the process of compromising, your system (with non-root access) from altering the log files.

2. Send a copy of your syslogs to another host. This is generally very easy to set up, and it provides an alternate place to find out what happened in the event of a complete root-level compromise or a system failure.
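The two steps above, as an added shell example that is not part of the original page: one function tightens the named log files to mode 600, a second reports any file that is not 600 (so the check can be re-run after log rotation), and a third writes a forwarding rule in classic syslog.conf syntax. The directory and the collector hostname (loghost.example.com) are assumed placeholders; point LOG_DIR at a scratch directory to try it without touching /var/log.

```shell
#!/bin/sh
# Added example: protect local syslog files and stage a remote-forwarding rule.
# LOG_DIR and LOGHOST are assumed placeholders, overridable from the environment.
LOG_DIR="${LOG_DIR:-/var/log}"
LOGHOST="${LOGHOST:-loghost.example.com}"

# Step 1: restrict each named log file in a directory to owner read/write (0600).
# Files that do not exist are skipped rather than created.
harden_logs() {
    dir="$1"; shift
    for name in "$@"; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        chmod 600 "$f"
    done
}

# Check: print a warning for every named file whose mode is not exactly 0600.
# Returns 0 when all present files are correct, 1 otherwise.
# find -perm 600 (no leading - or /) matches the exact mode on GNU and BSD find.
check_logs() {
    dir="$1"; shift
    rc=0
    for name in "$@"; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        if [ -z "$(find "$f" -perm 600 -print)" ]; then
            echo "WARNING: $f is not mode 600"
            rc=1
        fi
    done
    return $rc
}

# Step 2: write a rule that forwards every facility/priority to a remote host.
# "@host" is the classic UDP form; "@@host:port" is rsyslog's TCP form, used here
# so that messages are not silently dropped on the way to the collector.
# $1 is the config fragment to write (e.g. /etc/rsyslog.d/remote.conf), $2 the host.
write_forward_rule() {
    conf="$1"; host="$2"
    printf '*.*\t@@%s:514\n' "$host" > "$conf"
}

# Typical use (run as root):
#   harden_logs "$LOG_DIR" messages secure auth.log syslog
#   check_logs  "$LOG_DIR" messages secure auth.log syslog
#   write_forward_rule /etc/rsyslog.d/remote.conf "$LOGHOST"   # then restart the syslog daemon
```

The mode you set by hand only lasts until the file is rotated, so pair step 1 with a matching rotation setting (for logrotate, a create 0600 root root line in the relevant stanza) and keep running check_logs from cron so a regression is noticed. The remote host should itself accept syslog only from the hosts you expect and keep its own copies out of reach of ordinary shell users, otherwise step 2 just moves the problem.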