Syslog Server Linux Part 2




Syslog Configuration
OK, now I'll give you a real example of using the system log, based on something I actually did.

In this case, I was asked to secure a client computer at my college. The security took the form of identifying intruders who got into the computer. Keep in mind that a smart intruder is one who gets in without leaving any trace of their presence, so we never learn that the machine has been compromised.

If I were the intruder, then after getting into the computer and stealing the data I would delete some lines from the security log in "/var/log/secure", so that when the central admin checks the server, every trace of my presence is gone and the server admins have been tricked.



With that in mind, I designed a trap using the client computer and the server: when an intruder tries to get into the client computer, the client's security log is also backed up on the server without the intruder noticing.

Now let's put it into practice.
First, we configure the file "syslog.conf". The file "/etc/syslog.conf" contains our syslog configuration; everything related to syslog can be set here.

Before that, note that in this case I'm using a client computer with the IP address 192.168.5.15 and a server with the IP address 192.168.5.14.

OK, now we open the file syslog.conf with:
"vim /etc/syslog.conf"


The contents of the file "syslog.conf"

Description:
1. "*.info;mail.none;authpriv.none;cron.none /var/log/messages" is the location where information about e-mail, cron, the system and its services will be displayed. We can have it not shown in that file by changing the file path.

2. "authpriv.* /var/log/secure" continues from the line above. This line determines where information about an intruder is shown. We can also change the file location if we want to, in the same way as above.

The following lines work the same way: each gives the file where that information is shown. If we do not want the information to appear, we put a "#" sign at the beginning of the line, and then nothing will appear in the file assigned to it.

Now, since I want to secure the data on the client computer, in the file syslog.conf we add:
"authpriv.* 192.168.5.14"
"authpriv.* @begin"

After the line:
"authpriv.* /var/log/secure"

What does it do?
The line "authpriv.* 192.168.5.14" specifies the IP address, that is, the computer, that we are sending to, while "@begin" in the line "authpriv.* @begin" is the hostname of the client computer. I use the hostname begin on both the client and the server.

Then we open the syslog options file /etc/sysconfig/syslog with:
vim /etc/sysconfig/syslog


Add "-r" after "-m 0" in the line SYSLOGD_OPTIONS="-m 0" so that it becomes SYSLOGD_OPTIONS="-m 0 -r", then save by typing colon wq (:wq). Then type service syslog restart.

Next we set the hostname. Type hostname begin and press Enter, and the hostname is set. Then add the entry 192.168.5.14 begin to the file /etc/hosts by way of:
vim /etc/hosts, then save.

Test connectivity between the client and the server computer by typing ping (IP address of the server):
ping 192.168.5.14

If it connects, the configuration is almost done.

Now we need to give the server the same hostname that we gave the client, simply by entering hostname begin on the server computer.

Once that is done, test whether the safeguard works: use another computer to log in to the client computer by typing "ssh 192.168.5.15", then on the server computer open the security log at "/var/log/secure". If the configuration succeeded, not only the client but also the server will show the IP address of the intruder who connected to the client computer.
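The scenario described above, where an intruder deletes lines from "/var/log/secure" on the client while the server keeps its own copy, can be checked by comparing the two files. The script below is an added example, not part of the original post: the function name, the sample log lines and the address 192.168.5.20 for the "other computer" are constructed, and it assumes the client's file has been copied to the server for comparison.

```sh
#!/bin/sh
# Added example: list authpriv lines the log server received that are no
# longer present in the client's own /var/log/secure.

# missing_on_client SERVER_LOG CLIENT_LOG
# Lines are matched on timestamp plus "program[pid]: message". Field 4 (the
# host name) is ignored because the server may record the client differently.
# Counting, not just membership, keeps identical repeated lines honest.
missing_on_client() {
    awk '
        {
            key = $1 " " $2 " " $3
            for (i = 5; i <= NF; i++) key = key " " $i
        }
        FILENAME == ARGV[1] { have[key]++; next }  # line from the client copy
        have[key] > 0       { have[key]--; next }  # server line also on client
        { print }                                  # server line missing on client
    ' "$2" "$1"
}

# Constructed sample data (not real logs). 192.168.5.20 is a made-up address
# for the "other computer"; the server is assumed to label the client by IP.
work=$(mktemp -d)
cat > "$work/server_secure" <<'EOF'
Mar  3 10:15:02 192.168.5.15 sshd[2231]: Failed password for root from 192.168.5.20 port 40112 ssh2
Mar  3 10:15:09 192.168.5.15 sshd[2231]: Accepted password for root from 192.168.5.20 port 40112 ssh2
Mar  3 10:15:09 192.168.5.15 sshd[2231]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  3 10:41:37 192.168.5.15 sshd[2231]: pam_unix(sshd:session): session closed for user root
EOF
# Client copy after two lines were deleted locally.
cat > "$work/client_secure" <<'EOF'
Mar  3 10:15:09 begin sshd[2231]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  3 10:41:37 begin sshd[2231]: pam_unix(sshd:session): session closed for user root
EOF

echo "On the server but missing from the client:"
missing_on_client "$work/server_secure" "$work/client_secure"
```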

