1 / 85

Advanced Unix

Advanced Unix. Review Test 2. Logging. Need to know: where they are and what they contain permissions and ownership how often they are rotated You need to: Review logfile contents regularly Archive important logs. Logging. Pages 600-601 list most of the common logs

ferris
Download Presentation

Advanced Unix

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Advanced Unix Review Test 2

  2. Logging • Need to know: • where they are and what they contain • permissions and ownership • how often they are rotated • You need to: • Review logfile contents regularly • Archive important logs

  3. Logging • Pages 600-601 list most of the common logs • These logs are found in the /var/log directory • Some of the more important are: • /var/log/messages • /var/log/boot.log • /var/log/wtmp • /var/log/dmesg

  4. Logging • What do I look for in a log? • Unusual activity • Take a look at your logs daily • /var/log/messages • /var/log/maillog • /var/log/httpd/* • Other service related logs like ftpd, etc.

  5. Logging • Some common things logged: • Sendmail messages • received and delivered • SSH logins/logouts • FTP logins/logouts • Based on what you see regularly, you will know when something is amuck. • Common logchecking utilities are also an excellent way to keep tabs on your logs

  6. Syslog Daemon • syslogd - the system event logger • how syslog works • its configuration file • the software that uses syslog • debugging syslog

  7. What gets logged? • The accounting system • The kernel • Various utilities and applications • many produce data that needs to be logged • most of the data has a limited useful lifetime, and needs to be summarized, compressed, archived and eventually deleted

  8. Logging policies • Log data immediately • Reset log files at periodic intervals • Rotate log files, keeping data for a fixed time • Compress and archive to tape or other permanent media

  9. Managing Logging Options • Depends on : • how much disk space you have • how security-conscious you are • How important the system is • Whatever scheme you select, regular maintenance of log files should be automated using cron (seelogrotate)

  10. Throwing away log files • Not recommend • security problems ( accounting data and log files provide important evidence of break-ins) • helpful for alerting you to hardware and software problems. • In general, keep one or two months • in a real world, it may take one or two weeks for SA to realize that site has been compromised by a hacker and need to review the logs

  11. Rotating log files • Keep backup files that are one day old, two days old, and so on. • logfile, logfile.1 , logfile.2, … logfile.7 • Each day rename the files to push older data toward the end of the chain • script to archive three days files

  12. Archiving log files • Some sites must archive all accounting data and log files as a matter of policy, to provide data for a potential audit • Log files should be first rotate on disk, then written to tape or other permanent media

  13. Finding log files • To locate log files, read the system startup scripts : /etc/rc* or /etc/init.d/* • if logging is turned on when daemons are run • where messages are sent • Some programs handle logging via syslog • check /etc/syslog.conf to find out where this data goes

  14. Finding log files • Different operating systems put log files in different places: • /var/log/* • /var/cron/log • /usr/adm • /var/adm … • On linux, all the log files are in /var/log directory.

  15. What is syslog • A comprehensive logging system, used to manage information generated by the kernel and system utilities. • Allow messages to be sorted by their sources and importance, and routed to a variety of destinations: • log files, users’ terminals, or even other machines.

  16. Syslog: three parts • Syslogd and /etc/syslog.conf • the daemon that does the actual logging • its configuration file • openlog, syslog, closelog • library routines that programs use to send data to syslogd • logger • user-level command for submitting log entries

  17. Configuration file • Inserting timestamps at regular intervals into logs can be useful • Allows you to figure out that your server crashed between 3:00 and 3:20 am, not just “sometime last night”. • This can be a big help if debugging problems occur on a regular basis.

  18. syslog-aware programs /dev/log /dev/klog syslogd /etc/syslog.conf Other machines Log files Users’s terminals

  19. Configuring syslogd • The configuration file /etc/syslog.conf controls syslogd’s behavior. • It is a text file with simple format, blank lines and lines beginning with ‘#’ are ignored. • Selector <TAB> action • eg. mail.info /var/log/maillog

  20. Configuration file (Selector) • Identify • source -- the program (‘facility’) that is sending a log message • importance -- the messages’s severity level • eg. mail.info /var/log/maillog • Syntax • facility.level • facility names and severity levelsmustchosen from a list of defined values

  21. Configuration file (Selector) • Can include multiple facilities separated with ‘,’ commas • daemon,auth,mail.level action • Multiple selectors can be combined with ‘;’ • daemon.level1; mail.level2 action • Selector are ‘|’ –OR’ed together, a message matching any selector will be subject to the action. • Can contain ‘*’ or ‘none’, meaning all or nothing.

  22. Configuration file (Selector) • Levels indicate the minimum importance that a message must have in order to be logged • mail.warning, would match all the messages from mail system, at the minimum level of warning • Level of ‘none’ will exclude the listed facilities regardless of what other selectors on the same line may say. • *.level1;mail.none action • all the facilities, except mail, at the minimum level 1 will subject to action

  23. Configuration file (Severity Level) Level Approximate meaning emerg (panic) Panic situation alert Urgent situation crit Critical condition err Other error conditions warning Warning Will Rogers notice Unusual things that may need investigation info Informational messages debug For debugging

  24. Configuration file (Action) (Tells what to do with a message) Action Meaning filename Write message to a file on the local machine @hostname Forward message to the syslogd on hostname @ipaddress Forward message to the host at IP address user1, user2,… Write message to users’ screens if they are logged in * Write message to all users logged in

  25. Configuration file (Action) • If a filename action used, the filename must be absolute path. The file must exist, syslogd will not create it. • /var/log/messages • If a hostname is used, it must be resolved via a translation mechanism such as DNS or NIS • While multiple facilities and levels are allowed in a selector, multiple actions are not allowed.

  26. Config file examples # Small network or stand-alone syslog.conf file # emergencies: tell everyone who is logged on *.emerg * # important messages *.warning;daemon,auth.info /var/adm/messages # printer errors lpr.debug /var/adm/lpd-errs

  27. # network client, typically forwards serious messages to # a central logging machine # emergencies: tell everyone who is logged on *.emerg;user.none * #important messages, forward to central logger *.warning;lpr,local1.none @netloghost daemon,auth.info @netloghost # local stuff to central logger too local0,local2,local7.debug @netloghost # card syslogs to local1 local1.debug @syslog.rose.edu # printer errors, keep them local lpr.debug /var/adm/lpd-errs # sudo logs to local2 - keep a copy here local2.info /var/adm/sudolog

  28. Sample syslog output Dec 27 02:45:00 x-wing netinfod [71]: cann’t lookup child Dec 27 02:50:00 bruno ftpd[27876]: open of pid file failed: not a directory Dec 27 02:50:47 anchor vmunix: spurious VME interrupt at processor level 5 Dec 27 02:52:17 bruno pingem[107]: server.rose.edu has not answered 34 times Dec 27 02:55:33 bruno sendmail [28040] : host name/address mismatch: 192.93.110.26 != host.domain.edu

  29. Syslog ‘s functions • Liberate programmers from the tedious mechanics of writing log files • Put SA in control of logging • before syslog, SA had no control over what info was kept or where it was stored. • Can centralize the logging for a network system

  30. Syslogd (cont.) • A hangup signal (HUP, signal 1) cause syslogd to close its log files, reread its configuration file, and start logging again. • If you modify the syslog.conf file, you must HUP syslogd to make your changes take effect. • Kill -1 pid

  31. Debugging syslog • The logger program can be useful for submitting log entries from shell scripts • Can also use it to test changes in syslogd’s configuration file. • For example.. • logger “This is a test message” • tail /var/log/messages

  32. Quick Syslog Lab • Add line to syslog.conf: • local5.warning /var/log/test.log • verify it is working, run • logger -p local5.warning “test messages” • a line containing “test messages” should be written to /var/log/test.log • If this doesn’t happen: • did you create the test.log file • did you send syslogd a hangup signal

  33. IPSec—An Overview

  34. Outline • A quick IPsec overview • Heads Up - Alphabet soup being served… • Security Associations (SA) & SPI’s • Authentication Header (AH) protocol • Encapsulating Security Payload (ESP) protocl • Internet Key Exchange (IKE) • IPsec pitfalls • IPsec vs tunneling (PPTP, L2TP)

  35. IPSec Architecture Encapsulating Security Payload Authentication Header ESP AH IPSec Security Policy IKE The Internet Key Exchange

  36. IPSec Overview • IPSec is a suite of protocols for securing network connections • The details and variations are overwhelming • One cause of the complexity is that IPSec provides a mechanism, not policy • A framework that allows implementation possible that both ends can agree on

  37. Virtual Private Network (VPN) • Secure communications between two hosts or networks • VPN, is the buzzword that solves all you problems • IPsec is one of the more popular VPN technology's

  38. What can IPSEC Provide • Authentication • Integrity • Access control • Confidentiality • Replay protection (Partial)

  39. Types of VPNs • Host To Host • We’ll did this in class • Host To Security or Secure Gateway • Routing needed to make this work • Secure Gateway To Secure Gateway • Secure Gateway = Firewall or VPN router • Also referred to as Network To Network • Routing needed to make this work

  40. Security Associations (SA) • A group of security settings related to a specific VPN • Stored in the SPD (Security Policy Database) • Uniquely Identify IPsec sessions by: • SPI (Security Parameter Index) a unique number that identifies the session • The destination IP address • A security protocol or encryption method • Normally AH or ESP • A shared secret

  41. Types of IPSEC Connections • Transport Mode • Does not encrypt the entire packet • Uses original IP Header • Faster • Tunnel Mode • Encrypts entire packet including IP Header (ESP) • Creates a new IP header • Slower

  42. IKE (Internet Key Exchange) • UDP port 500 • Negotiates connection parameters • ISAKMP (Internet Security Association and Key Management Protocol) • Oakley (Diffie-Helmen key exchange)

  43. IPsec Pitfalls • Complicated • many different ways to configure • Can be configured insecurely • Client security is an issue • Performance in IPv4 implementation

  44. Advantages of IPSec • Encrypts the entire packet, including IP Header (not just layer 4 and higher) • Can Encrypt any protocol • No Impact on users when using Secure Gateway to Secure Gateway • Acts independent of IP address

  45. IPsec Guidelines • Always use: • 3des or blowfish • SHA1 over SHA and MD5 • NEVER USE DES • Tunnel Mode • Main Mode • AH and ESP together • Certificates for production environments

  46. OS Support for IPsec • OpenBSD, FreeBSD, NetBSD • Linux • Solaris • Windows 2000 (Native) • Windows NT/95/98/Me (Add-on) • Cisco IOS (PIX and Routers) • Others as well....

  47. Squid Proxy Server

  48. Squid Features • Its a caching proxy for: • HTTP, HTTPS • FTP • Gopher • A full-featured Web proxy cache • Designed to run on Unix systems • Free, open-source software

  49. Squid Supports • Proxying and caching of HTTP, FTP, and other URLs • Proxying for SSL • Cache hierarchies • ICP, HTCP, CARP, Cache Digests • Transparent caching • Extensive access controls • HTTP server acceleration • SNMP • Caching of DNS lookups

  50. Other proxies (besides Squid) Commercial • Netscape Proxy • Microsoft Proxy Server • NetAppliance’s NetCache (shares some code history with Squid in the distant past) • CacheFlow (http://www.cacheflow.com/) • Cisco Cache Engine

More Related