Admit it. You, just like me, use Google every day to answer those tough questions that we face daily.
Sometimes we will ask it how to get us home from somewhere we have never been before – “OK Google, take me home” – other times we might be close to starvation (relatively speaking) – “show me interesting recipes” or “OK Google, give me directions to the nearest drive-through McDonald's” – but where I use it most is at work, where I search for such mundane things as “rsyslog remote server configuration”. Yes, I know, I could just look at the man page for rsyslog.conf, but Google seems to have worked its way into my head so much that it is often the first place I look.
Right… back to the topic at hand – Security Broken by Design.
So whilst Googling how to set up a remote syslog server I read through one person's blog post and an alarm bell started to ring!
This particular post had correctly suggested the configuration for rsyslog on both the client and server, but then went on (in a very generic way) to instruct readers to open up firewall ports on the clients.
This highlighted a fundamental lack of understanding on the part of the individual whose blog I was reading. You only need to open up port 514/tcp or 514/udp to enable rsyslog to function on the server side. The connection is initiated from the client, NOT the server. Granted, in a completely hardened installation it is likely that outbound ports will need to be enabled. BUT, where security is concerned, I feel that things should not be taken for granted or, worse, assumed!
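To make the client/server split concrete, here is an added example of my own (not the post's configuration, nor the blog I was reading): small shell functions that emit the rsyslog stanza and the firewall change for each role. The rsyslog listener and forwarding syntax, the firewalld commands and the server address 192.0.2.10 are assumptions; the post only names ports 514/tcp and 514/udp.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the rsyslog pieces for a
# remote log server and its clients so the direction of the connection is
# explicit: only the server needs an inbound firewall rule.

# Client side: forward everything to the collector. In rsyslog's legacy
# selector syntax "@@" means TCP and a single "@" means UDP. The client
# opens an OUTBOUND connection, so it needs no inbound firewall rule.
rsyslog_client_conf() {
    server="$1"; proto="${2:-tcp}"
    case "$proto" in
        tcp) printf '*.* @@%s:514\n' "$server" ;;
        udp) printf '*.* @%s:514\n' "$server" ;;
        *)   echo "unknown protocol: $proto" >&2; return 1 ;;
    esac
}

# Server side: load the listener module and bind port 514 (RainerScript
# syntax). This is the host that must accept INBOUND traffic.
rsyslog_server_conf() {
    proto="${1:-tcp}"
    case "$proto" in
        tcp) printf 'module(load="imtcp")\ninput(type="imtcp" port="514")\n' ;;
        udp) printf 'module(load="imudp")\ninput(type="imudp" port="514")\n' ;;
        *)   echo "unknown protocol: $proto" >&2; return 1 ;;
    esac
}

# Firewall change per role (firewalld assumed). Default policies already let
# established/related traffic out, so the client entry is deliberately empty.
firewall_rules() {
    role="$1"; proto="${2:-tcp}"
    case "$role" in
        server) printf 'firewall-cmd --permanent --add-port=514/%s\nfirewall-cmd --reload\n' "$proto" ;;
        client) printf '# no inbound rule needed: the client initiates the connection\n' ;;
        *)      echo "unknown role: $role" >&2; return 1 ;;
    esac
}
```

After applying the server rule, `ss -ltn` (TCP) or `ss -lun` (UDP) on the server should show a listener on port 514, and nothing changes on the clients.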
This generic discussion about security seems completely idiotic! The likes of Red Hat, Ubuntu and almost all other distributions now enable firewalls by default. And the normal fashion for such a thing is to allow “related” and “established” traffic to flow out of your network card to the LAN and potentially beyond, but (and more importantly) to block non-essential traffic inbound to your machine.
If you are working in a hardened environment then one of the two options below would be better suited for your server:
So, in short:
Please think before you make potentially unnecessary changes to your workstations and servers!