CSF v6.41 now seeing: WARNING: RESTRICT_SYSLOG is disabled. See SECURITY WARNING in F

Discussion in 'Security' started by unknownhost, Jan 30, 2014.

  1. unknownhost

    unknownhost New Member

    What is appropriate course of action for this?
    Have not knowingly changed anything ...running as vps cam out of the box

    ConfigServer Security & Firewall - csf v6.41
    Firewall Status: Enabled and Running
    WARNING: RESTRICT_SYSLOG is disabled. See SECURITY WARNING in Firewall Configuration
     
  2. unknownhost

    unknownhost New Member

    Reading more I see the attached below, What is recommended setting?:

    SECURITY WARNING
    ================

    Unfortunately, syslog and rsyslog allow end-users to log messages to some
    system logs via the same unix socket that other local services use. This
    means that any log line shown in these system logs that syslog or rsyslog
    maintain can be spoofed (they are exactly the same as real log lines).

    Since some of the features of lfd rely on such log lines, spoofed messages
    can cause false-positive matches which can lead to confusion at best, or
    blocking of any innocent IP address or making the server inaccessible at
    worst.

    Any option that relies on the log entries in the files listed in
    /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
    vulnerable to exploitation by end-users and scripts run by end-users.

    NOTE: Not all log files are affected as they may not use syslog/rsyslog

    The option RESTRICT_SYSLOG disables all these features that rely on affected
    logs. These options are:
    LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
    LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
    LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
    PORTKNOCKING_ALERT

    This list of options use the logs but are not disabled by RESTRICT_SYSLOG:
    ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG

    The following options are still enabled by default on new installations so
    that, on balance, csf/lfd still provides expected levels of security:
    LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT

    For advice on how to help mitigate these issues, see /etc/csf/readme.txt

    If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed
    above, it should be done with the knowledge that any of the those options
    that are enabled could be triggered by spoofed log lines and lead to the
    server being inaccessible in the worst case. If you do not want to take that
    risk you should set RESTRICT_SYSLOG to "1" and those features will not work
    but you will not be protected from the exploits that they normally help block

    0 = Allow those options listed above to be used and configured
    1 = Disable all the options listed above and prevent them from being used
    2 - Disable only alerts about this feature and do nothing else
    RESTRICT_SYSLOG = Default: 0 [0-2]
     
  3. KH-Mathew

    KH-Mathew Systems Administration Staff Member

    Hi,

    Since the logs would be modified by writing the the syslog socket, and not the flat files themselves, the possible vulnerability is that a user could add data to syslog which could be interpreted by CSF/LFD, but I don't see how this would allow them to modify what is written by other processes. This means that while you could have some spoof lines entered into log files users could not do something like remove login failures from /var/log/secure to allow themselves unlimited tries at bruteforcing the root account, or anything along those lines. It would be possible for someone to add some misleading information to logs like /var/log/messages, /var/log/secure/, etc (intended to be read literally, not as the directory /etc), but not remove pertinent information in these logs. I would leave this at "0" as having the chance of the log being less than 100% reliable is better than no logging at all in my opinion. If someone does write arbitrary data to any of these logs via syslogd then you will know that it is a user with an account on the machine and a process that is running under their UID, which might make it easier to find. I have never seen anyone exploit this myself.
     
  4. unknownhost

    unknownhost New Member

    Thanks. That is what i read, with my limited comprehension, into that myself.

    I imagine how this error is presented, that this could result in numerous support tickets.
    untitled.png
     
  5. KH-Mathew

    KH-Mathew Systems Administration Staff Member

    True, that does look alarming at first glance. I think it is great that they are making their warnings catch the eye though. It will make users aware of something that may be of some use to understand in the future. Keep on using up the forums anytime you have a concern like this though. Hopefully it will explain the same warning to other users.
     
  6. Kdean

    Kdean New Member

    If you set RESTRICT_SYSLOG to 2 rather than 0, it will hide that alert message.
     
  7. Dave G

    Dave G Member

  8. Afsal

    Afsal New Member

Share This Page