CSF v6.41 now seeing: WARNING: RESTRICT_SYSLOG is disabled. See SECURITY WARNING in F

unknownhost

New Member
What is appropriate course of action for this?
Have not knowingly changed anything ...running as vps cam out of the box

ConfigServer Security & Firewall - csf v6.41
Firewall Status: Enabled and Running
WARNING: RESTRICT_SYSLOG is disabled. See SECURITY WARNING in Firewall Configuration
 
Reading more I see the attached below, What is recommended setting?:

SECURITY WARNING
================

Unfortunately, syslog and rsyslog allow end-users to log messages to some
system logs via the same unix socket that other local services use. This
means that any log line shown in these system logs that syslog or rsyslog
maintain can be spoofed (they are exactly the same as real log lines).

Since some of the features of lfd rely on such log lines, spoofed messages
can cause false-positive matches which can lead to confusion at best, or
blocking of any innocent IP address or making the server inaccessible at
worst.

Any option that relies on the log entries in the files listed in
/etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
vulnerable to exploitation by end-users and scripts run by end-users.

NOTE: Not all log files are affected as they may not use syslog/rsyslog

The option RESTRICT_SYSLOG disables all these features that rely on affected
logs. These options are:
LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
PORTKNOCKING_ALERT

This list of options use the logs but are not disabled by RESTRICT_SYSLOG:
ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG

The following options are still enabled by default on new installations so
that, on balance, csf/lfd still provides expected levels of security:
LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT

For advice on how to help mitigate these issues, see /etc/csf/readme.txt

If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed
above, it should be done with the knowledge that any of the those options
that are enabled could be triggered by spoofed log lines and lead to the
server being inaccessible in the worst case. If you do not want to take that
risk you should set RESTRICT_SYSLOG to "1" and those features will not work
but you will not be protected from the exploits that they normally help block

0 = Allow those options listed above to be used and configured
1 = Disable all the options listed above and prevent them from being used
2 - Disable only alerts about this feature and do nothing else
RESTRICT_SYSLOG = Default: 0 [0-2]
 
Hi,

Since the logs would be modified by writing the the syslog socket, and not the flat files themselves, the possible vulnerability is that a user could add data to syslog which could be interpreted by CSF/LFD, but I don't see how this would allow them to modify what is written by other processes. This means that while you could have some spoof lines entered into log files users could not do something like remove login failures from /var/log/secure to allow themselves unlimited tries at bruteforcing the root account, or anything along those lines. It would be possible for someone to add some misleading information to logs like /var/log/messages, /var/log/secure/, etc (intended to be read literally, not as the directory /etc), but not remove pertinent information in these logs. I would leave this at "0" as having the chance of the log being less than 100% reliable is better than no logging at all in my opinion. If someone does write arbitrary data to any of these logs via syslogd then you will know that it is a user with an account on the machine and a process that is running under their UID, which might make it easier to find. I have never seen anyone exploit this myself.

VPS hosting solutions from US company KnownHost - The US VPS Experts.
 
Thanks. That is what i read, with my limited comprehension, into that myself.

I imagine how this error is presented, that this could result in numerous support tickets.
untitled.png
 
True, that does look alarming at first glance. I think it is great that they are making their warnings catch the eye though. It will make users aware of something that may be of some use to understand in the future. Keep on using up the forums anytime you have a concern like this though. Hopefully it will explain the same warning to other users.
 
Top