9.4.1. Restrict console messages from the system log
Generating a steady stream of console messages can easily
overwhelm a 9600bps link.
Although displaying all syslog
messages on the console appears to be a good idea, it actually
gives an unprivileged user a simple method of denying effective
use of the remote console.
Keep the system log messages sent to the console to the bare
minimum. Look in /etc/syslog.conf for lines
ending with /dev/console.
Consider sending all log messages to another machine for
recording and analysis. Figure 9-2 shows the standard
/etc/syslog.conf from Red Hat
Linux 7.2 modified to
record log messages to a log server. Each line of
syslog.conf has been repeated to send a copy
of the message to the log server. The log server has the
DNS alias loghost.example.edu.au; using a
DNS alias allows the log server to be moved
without updating the configuration of all the remote machines.
The local copy of the log message is no longer the only means of
determining the cause of a system failure, so we can gain some
performance advantage by disabling synchronous file writes,
although this increases the odds of an inconsistent filesystem (an
issue with filesystems that do not do journalling). Placing a
- before the filename disables synchronous file
writes.
A log server is configured using the standard
/etc/syslog.conf configured to allow the
reception of remote syslog messages.
This configuration for Red Hat Linux is
shown in Figure 9-3. In
addition to configuring the system log daemon, also prevent denial
of service attacks by configuring the IP Tables packet filter to
restrict the sources from which syslog
messages are accepted; and improve performance by checking that
nscd is running to cache the reverse
DNS lookups the log daemon makes for each remote sender.
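The two syslog.conf edits described above (finding the lines that write to /dev/console, and duplicating each rule to a log server while disabling synchronous writes on the local files) as a small script. This is an added example, not Figure 9-2 from the HOWTO; the sample /etc/syslog.conf it writes is constructed in the Red Hat 7.2 style, and the kern.* /dev/console line is included only to give the check something to find.

```shell
#!/bin/sh
# Added example (not the HOWTO's own figure). Two helpers over a syslog.conf:
#   console_lines FILE       - report rules whose action is /dev/console
#   add_loghost  FILE HOST   - emit each rule twice: locally with synchronous
#                              writes disabled ("-" prefix on plain log files)
#                              and a copy sent to the log server (@HOST)
# Assumption: selectors contain no whitespace, as in the Red Hat defaults,
# so the first field is the selector and the last field is the action.

# Constructed sample configuration in the Red Hat 7.2 layout.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample /etc/syslog.conf (not a real Red Hat file)
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      /var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
uucp,news.crit                              /var/log/spooler
local7.*                                    /var/log/boot.log
kern.*                                      /dev/console
EOF
}

# The check the HOWTO asks for: which rules still write to the console?
console_lines() {
    awk '/^[ \t]*(#|$)/ { next } $NF == "/dev/console" { print }' "$1"
}

# Rewrite for a log server. Comments and blank lines pass through unchanged.
# Only ordinary files under / get the "-" (not /dev/console, not "*" for wall,
# not actions that already start with "-").
add_loghost() {
    awk -v host="$2" '
        /^[ \t]*(#|$)/ { print; next }
        {
            sel = $1; action = $NF
            if (action ~ /^\// && action !~ /^\/dev\//) action = "-" action
            print sel "\t" action          # local copy, asynchronous
            print sel "\t@" host           # copy to the log server
        }' "$1"
}

# Stand-alone run: show the console rules, then the rewritten file.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    echo "== rules writing to /dev/console =="
    console_lines "$tmp"
    echo "== rewritten for loghost.example.edu.au =="
    add_loghost "$tmp" loghost.example.edu.au
    rm -f "$tmp"
fi
```

Run it with --demo to see both outputs; to apply it to a real system, run add_loghost over a copy of /etc/syslog.conf, review the result, and only then replace the file and restart the log daemon. The console rules that console_lines reports are the ones to cut back before the remote console is relied on.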
9.4.2. Restrict broadcast messages to the console
Users that are logged into the serial console should not
accept broadcast messages. Add new files to /etc/profile.d to
do this. Figure 9-6 shows a file for use by the Bourne shell.
As this file is run frequently, we use a faster but less
readable version of Figure 9-6,
shown in Figure 9-7.
We also need a C shell version, shown in Figure 9-8.
Although mesg.sh and
mesg.csh are sourced by the parent shell
rather than executed, the files still need the execute permission
set. The procedure in Figure 9-9
installs the files and sets the permissions.
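Figures 9-6 to 9-9 are not reproduced on this page, so here is an added example, not the HOWTO's own files, of the same procedure: a Bourne-shell and a C-shell fragment that turn off broadcast messages for serial-console logins, and an installer that puts them in /etc/profile.d with the execute bit set. It assumes the serial console appears as /dev/ttyS followed by a digit; the exact test the HOWTO's figures use is not shown here.

```shell
#!/bin/sh
# Added example (not the HOWTO's Figures 9-6..9-9).
# Assumption: serial console logins have a controlling tty named /dev/ttyS<n>.

# Return 0 (true) when the given tty path is a serial port.
is_serial_tty() {
    case "$1" in
        /dev/ttyS[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Bourne-shell fragment. One fork for tty(1) is the whole cost, which
# matters because this runs at every login.
MESG_SH='# /etc/profile.d/mesg.sh: refuse write(1)/wall(1) messages on the serial console
case "$(tty 2>/dev/null)" in
    /dev/ttyS[0-9]*) mesg n ;;
esac
'

# C-shell fragment with the same effect (not exercised by the test below).
MESG_CSH='# /etc/profile.d/mesg.csh: refuse write(1)/wall(1) messages on the serial console
if ( "`tty`" =~ /dev/ttyS* ) mesg n
'

# Install both fragments into a profile.d directory (default /etc/profile.d)
# with mode 0755: the fragments are sourced, but the execute bit is still needed.
install_mesg_files() {
    dir=${1:-/etc/profile.d}
    printf '%s' "$MESG_SH"  > "$dir/mesg.sh"  || return 1
    printf '%s' "$MESG_CSH" > "$dir/mesg.csh" || return 1
    chmod 0755 "$dir/mesg.sh" "$dir/mesg.csh"
}

# Stand-alone run: apply the check to the current terminal, if there is one.
if [ "${1:-}" = "--demo" ]; then
    t=$(tty 2>/dev/null) || t=""
    if [ -n "$t" ] && is_serial_tty "$t"; then
        echo "$t is a serial console: would run 'mesg n'"
    else
        echo "'${t:-no tty}' is not a serial console: leaving mesg alone"
    fi
fi
```

To install for real, run install_mesg_files as root with no argument; pass a directory to stage the files elsewhere first. The fragments only change the current login's terminal, so a user on the serial console who wants broadcasts back can still run mesg y.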