Explore Latest Linux Security features


How to Securely Send Encrypted Emails on Linux for Data Protection

Email encryption is a great way to enhance your organization's communication security by protecting your email content and ensuring unauthorized individuals can't read the information. Research shows that 94% of organizations have experienced phishing attacks. However, only some take these risks seriously until an incident happens to them. In the words of Edward Snowden, "Arguing that you don't care about the right to privacy because you have nothing to hide is no different from saying you don't care about free speech because you have nothing to say." With increasing data security and privacy risks, organizations must implement advanced security measures like encrypted emails. This article will explore encrypted emails, their importance, and how to send them.

Understanding Encrypted vs. Secure Email

Encrypted emails are different from secure emails. Understanding their differences is vital if you want to implement email security. It will help you choose a suitable security mechanism based on your communication needs and your required confidentiality level.

What's an Encrypted Email?

An encrypted email is an email whose message content is encoded and transformed into an unreadable, secure format called ciphertext through an encryption technique. This ensures that only senders and receivers with the appropriate keys or access permissions can view and access the content. Encoding an email's content is called email encryption, which helps protect sensitive data from harmful exposure or cyberattacks. Tools like GnuPG, S/MIME, etc., are used for end-to-end email encryption. In end-to-end encryption, emails are encrypted at the sender's end, and only the intended receiver can decrypt them on their own system and view the content. The recipient and the sender must typically have an encryption code or key to access the email. This process happens automatically if both sides use an email client that supports encryption.

An encrypted email typically has these features:
- Cryptographic keys: one public (that the sender uses for encryption) and one private (that the recipient uses for email decryption)
- Transport Layer Security (TLS) to protect data transmission between servers
- Secure/Multipurpose Internet Mail Extensions (S/MIME) for email encryption
- Digital signatures for email verification

What Is a Secure Email?

A secure email has protective measures implemented for its safe transmission over networks. It employs security protocols like Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to secure the connection between the user's web browser and web server. This protects data from malicious intent and ensures an email's integrity, authenticity, and confidentiality. "Secure email" is an umbrella term that covers securing emails through various protection mechanisms rather than protecting the content itself. A secure email doesn't necessarily use end-to-end encryption; it can rely on many other security mechanisms, such as:
- Multi-factor authentication (MFA) to add another security layer through OTPs, facial recognition, fingerprint scans, etc.
- Strong, lengthy, and unguessable passwords that make it challenging for hackers to access accounts
- Personalized security questions (or choosing one from the given list and using a wrong answer) to prevent account hacks
- Digital signatures to validate email integrity
- Access controls so that only authorized people have access to the email
- Malware protection to scan links and attachments for threats
- Anti-phishing tools to prevent phishing attacks

In addition, email security involves making users aware of cybersecurity risks, recognizing attacks, maintaining secure communications, and meeting compliance requirements.

Differences Between an Encrypted and Secure Email

Focus
  Encrypted email: an encrypted email is encrypted to secure its content so only authorized people can access it.
  Secure email: a secure email is an umbrella term that includes different protocols and security measures to protect an email's integrity and keep it confidential.
Priority
  Encrypted email: securing the content of an email.
  Secure email: securing the connection over which the email is transmitted across a network.
Security mechanisms
  Encrypted email: mainly uses end-to-end encryption as its email security mechanism. It can also include TLS.
  Secure email: apart from end-to-end encryption, it can have several email security mechanisms such as SSL, multi-factor authentication, anti-phishing and anti-malware, and digital signatures.
Goal
  Encrypted email: email encryption safeguards an email's content from eavesdropping, data exposure, and cyberattacks. Even if someone intercepts it, they can't read the email content without the decryption key.
  Secure email: its goal is to provide email and connection security against malware, data breaches, phishing attacks, and other cybersecurity risks.

What Is the Importance of Encrypted Email and Secure Email in Data Protection?

Both encrypted email and secure email are essential. The main focus is data security, and these are just two ways to achieve it and avoid data exposure, phishing threats, and other cyberattacks.

Importance of Encrypted Email

In encrypted emails, the content is first scrambled or encrypted with the help of an encryption key to make the email unreadable without the decryption key. Unlike a secure email, an encrypted one is not sent in plain text. It then gets transmitted over the network to reach the intended recipient. Thus, your email message is safe even if the email connection security breaks at any point in the network. Even if someone successfully accesses the mail server or intercepts the network traffic, they can't read the email message, thanks to end-to-end encryption.

Encrypted emails are helpful in these scenarios:
- Individuals who want to protect their personal or professional communication from hackers and identity thieves
- Organizations that host email services themselves must use email encryption
- Enterprises that send or receive sensitive information must use email encryption, since cyberattack risks are higher for them
- Organizations that operate in heavily regulated industries, such as finance, health, military, etc., need strong email encryption
- Companies that must meet solid regulatory compliance requirements need email encryption to secure their communications
- Email service providers, to protect their clients' information

Importance of Secure Emails

Sending secure emails is vital to protect your data privacy and security. They are helpful in the following scenarios:
- Protecting your personal or professional data against government-led surveillance, which is common in many countries from the US and UK to Germany, China, and Australia
- Safeguarding data from cybercriminals that may steal your identity or money, or compromise your social accounts
- Securing your personal or business data from adversaries and competitors who may misuse your data or discover your business secrets and strategies
- Preventing email service providers from monitoring your emails, sharing your information with advertisers, or selling your data to third parties

What Are the Benefits and Drawbacks of Sending Encrypted Email?

Knowing the potential benefits and drawbacks of sending encrypted emails will help you make informed decisions when implementing email encryption in your communication network.

Benefits

Enhanced Security

Research reveals that 95% of business leaders are stressed about email security. Hackers who can access your email content may expose confidential data and trade secrets to competitors or sell customer data on the dark web. They can also use the data to carry out full-blown attacks, such as phishing attacks, identity theft, etc., devastating a company's reputation, finances, and customer trust. Encrypted emails protect against email interception, ensuring only the designated receiver and sender read the email content. Even if someone can access your account, they can't read the data without the decryption key.

Data Privacy

Security researchers have found that only 14% of email users encrypt their email communication, and 33% of users update their email passwords after a specific interval of time. Data privacy is instrumental for every individual or business. You don't want your personal data, like social security numbers, health information, credit card details, personal photos, etc., to go public. Similarly, no company would want its internal matters exposed, which may harm its business. If you implement email encryption, you essentially keep your email content private from unauthorized people.

Compliance with Regulations

Businesses, especially those in highly regulated industries, must adhere to the regulatory requirements applicable in their areas, such as GDPR, HIPAA, PCI DSS, etc. These regulations ensure that businesses use customer data responsibly and adequately. Sending encrypted emails allows you to support the cause and stay compliant with these regulations. It also avoids the risk of penalties and upholds customers' trust in your business.

Identify Genuine Emails from Spam

In 2022, 162 billion spam emails were sent to people every day. Encrypted emails help you distinguish genuine emails from spam or phishing emails. You can use an email encryption service with a digital signing feature to ensure an email has an authentic sender. This way, you can reduce malware and security risks.

Drawbacks of Sending Encrypted Email

Setup and Usage Complexity

Implementing email encryption in your communication can be a time-consuming and complex process. Organizations generally use end-to-end encryption, S/MIME, or PGP, which are difficult for anyone to configure and might introduce specific vulnerabilities.

Compatibility Issues

Encrypted emails require recipients to use a compatible decryption method to read the email content. The sender and receiver can have different or incompatible email clients or systems, hindering decryption.

Possible Inconvenience for Recipients

Many recipients, especially non-technical staff, may find accessing emails inconvenient as they require decryption keys. If a recipient has lost the keys, they can't read the email. If the email content is crucial or time-sensitive, the desired actions can't be taken on time.

Key Management Challenges

Managing encryption keys can be challenging for many users. If they don't know the implications and store them on public servers, hackers may access them and harm the organization. It happened in the real world when sensitive US military information was spilled online due to human error. Thus, users must be made aware of what email encryption is and how it works through proper training.

Open Source Tools for Email Encryption

Linux and information security (infosec) professionals prefer using open-source tools because their source code is publicly available and can be modified according to individual needs. So, if you want to implement email encryption in your communications, let's explore some of the best open-source email encryption tools for Linux.

GnuPG (GPG)

GnuPG (GPG) is an open-source, accessible, and user-friendly command-line tool for Linux systems that helps implement end-to-end email encryption. This universally accepted tool lets you encrypt data and works across various email clients, including Apple Mail, Microsoft Outlook, and Thunderbird. Major GNU/Linux OSes have this tool installed by default. GPG fully implements the OpenPGP standard defined by PGP, i.e. RFC 4880. This free software was introduced in 1997 and is licensed under the GNU General Public License. It allows anyone to freely use, distribute, and modify it under the GNU terms. GnuPG's latest version is 2.4.5. GPG's key management system is versatile and has an access module with several public key directories. It's feature-rich, boasting many front-end libraries and applications, a graphical user interface, front-end scripting tools, and more. GPG also supports Secure Shell (SSH) and S/MIME and easily integrates with various applications.

How GPG implements end-to-end email encryption

GPG utilizes public key encryption to safeguard emails. It combines symmetric cryptography (secret key) and asymmetric cryptography (public key + private key) to ensure high protection. To encrypt email content, you use someone's public key so that only the person with the corresponding private key can decrypt the email content. It also leverages embedded digital signatures to address the risks related to non-repudiation and data authentication. Here's how to use GPG for email encryption:
1. Download and install GPG on your Linux system
2. Generate a public-private key pair
3. Share the public key securely with the intended receiver
4. Obtain the public key from the receiver
5. Import the receiver's public key into GPG
6. Compose an email
7. In the email client you use, choose the "Encrypt" button. GPG will encrypt the email message automatically.
8. Send your email.

GPG Benefits
- Highly secure, combining asymmetric and symmetric cryptography
- Customizable to meet your needs and works with various email clients
- Easy to use and learn and widely supported
- Integrates with multiple applications and tools
- Reliability and performance

Drawbacks
- Can be complex to set up
- Requires a public key exchange

Use Cases

GPG is preferred by organizations that are heavily regulated and require high security, such as financial institutions, healthcare organizations, banks, government bodies, activists, and individuals, to protect sensitive information.
S/MIME

Secure/Multipurpose Internet Mail Extensions (S/MIME) is a public key encryption standard. It's compatible with major enterprise-level email clients like Outlook, Gmail, etc. S/MIME offers two services:
- Email encryption to protect email content
- Digital signatures to verify the sender's identity

How Does S/MIME Work?

S/MIME leverages asymmetric encryption using a pair of public and private keys. These keys are different but mathematically related and are used for encryption and decryption. Install an S/MIME certificate on both email clients to enable email encryption on both the sender and receiver sides. When the sender sends an email, they ask the recipient for their public key and encrypt the email using this public key. When the email reaches the recipient, they decrypt it with their private key. To ensure only an authorized sender can send an email, S/MIME affixes a digital signature to it. Thus, obtain the recipient's digital signature if you want to send an email with S/MIME encryption. In addition, you'll need S/MIME certificates. Certificate authorities and third-party authorities provide these S/MIME certificates.

S/MIME Benefits
- Native support in email clients like Outlook, Gmail, etc.
- High security with encryption keys
- Email content confidentiality and integrity
- Secure digital signatures for sender authentication
- Safety net in legal proceedings, as S/MIME offers signature non-repudiation by the sender

Drawbacks
- Dependency on certificate authorities
- Cost of obtaining certificates

Use Cases

S/MIME is preferred mainly in corporate environments. Businesses need it for identity verification and to prevent unauthorized access.

Other Tools

Other tools for email encryption include:

Mailvelope

Mailvelope is an open-source add-on for the Chrome, Firefox, and Edge web browsers. It allows you to encrypt emails via PGP using a webmail provider. This browser extension provides end-to-end email encryption without changing your current email provider. In this tool, encryption and decryption work on the endpoints, keeping data private and secure.

Enigmail

Enigmail is a free, open-source security extension for Postbox, Epyrus, and SeaMonkey. It lets you utilize OpenPGP to digitally sign and encrypt your email through a simple, intuitive user interface. It also allows you to decrypt emails and verify them. You can use, distribute, and modify the tool under the Mozilla Public License terms.

Digital Certificates and Encryption

Digital certificates ensure sender authentication, which is why it's crucial to obtain them. As discussed earlier, you can get them from a certificate authority or a third-party provider. Let's now understand how to obtain and manage digital certificates using providers like Let's Encrypt and OpenSSL.

Let's Encrypt

Let's Encrypt is an open and automated Certificate Authority (CA) that offers free SSL/TLS certificates to enable secure email transmission. Provided by the Internet Security Research Group (ISRG), Let's Encrypt certificates help protect email servers.

How Let's Encrypt Works

The ACME protocol and Let's Encrypt allow you to configure an HTTPS server and obtain a digital certificate automatically. Let's Encrypt checks that the person who controls the domain is the one making the certificate request. To verify this, it issues a unique token, which the client must make retrievable from that domain through a DNS record or a web request so the CA can fetch it later. If the CA verifies the client, the client can request, revoke, or renew certificates for the domain.

Let's Encrypt Advantages
- Cost-effectiveness, as it offers digital certificates for free
- Ease of certificate management and renewal
- Promotes widespread encryption adoption, making the internet safer for all
- Automatic digital certificate generation, configuration, and usage
- Offers transparency, as certificates are recorded publicly, allowing anyone to inspect them

Limitations
- Let's Encrypt offers domain-validated certificates, meaning it validates only domain ownership, not the entity
- 90-day expiration, but certificates are renewed automatically
- 5 duplicate certificates per week
- Lacks dedicated support

Use Cases

Let's Encrypt is ideal for server authentication but not directly applicable to personal email encryption. This service helps individuals and organizations who want to enable HTTPS on their websites.

OpenSSL

OpenSSL is an open-source, powerful, and fully-featured toolkit for enabling SSL/TLS encryption. It helps you perform general-purpose cryptography to protect your communications. The software is developed and maintained by the OpenSSL Project. It has an Apache-style license, meaning you can use it for free for your commercial and non-commercial needs under the license terms. Its core library is coded in C and offers multiple utility functions. It also has wrappers for using the OpenSSL library from different programming languages. OpenSSL is used by many web servers and major HTTPS sites and helps secure your emails. This security toolkit has three major components:
- The libcrypto library comes with many APIs for cryptography
- The libssl library comes with functions to enable peer-to-peer communication security
- The command-line utility performs cryptographic tasks like encrypting or decrypting files, generating certificates, etc.
How to use OpenSSL to create self-signed certificates

1. Generate a private key for encryption using OpenSSL by entering the following command:
   openssl genrsa -out yourdomain.key 2048
2. Create your Certificate Signing Request (CSR) using the private key generated above. Here's the command to do that:
   openssl req -new -key yourdomain.key -out yourdomain.csr
   After this, you'll be asked to fill in some information. Enter it.
3. Create your self-signed certificate, signed with its own private key:
   openssl x509 -req -days 3650 -in yourdomain.csr -signkey yourdomain.key -out yourdomain.crt

Advantages of OpenSSL
- Feature-rich tool
- Flexibility, as you retain complete control over the certificate attributes and parameters
- Wide usage and strong community support
- Cost-friendly, as it's free and open-source
- Platform independent: Linux, Windows, and macOS

Limitations and Considerations
- Trust issues, as self-signed certificates are not verified by an external CA
- Complexity, as it requires technical knowledge to generate and manage certificates

Use Cases

OpenSSL is used by organizations across the world, from startups to enterprises. Some significant users include Infosys, Panasonic Corp, Fujitsu Ltd, and more.

Challenges and Solutions When Sending Encrypted Email

Key Management and Exchange

Managing and distributing public and private encryption keys while sending encrypted emails, and keeping them secure from attackers, is challenging.

Solution: To overcome this challenge:
- Store encryption keys on a secure public cloud server like AWS, GCP, etc. It's cheaper, convenient, and user-friendly, but it might pose compliance issues under specific legislation.
- Store keys on a private cloud or on-premises server in the same country for better data security and compliance with applicable laws. This could be expensive, though.
- Exchange encryption keys manually without relying on a third party.
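The three OpenSSL commands above, wrapped in a script that also runs the checks a practitioner does afterwards. This is an added example, not code from the article; the domain name example.test and the organisation name are constructed values, and -subj is used so the CSR prompts are answered non-interactively. The check_trust function makes the "trust issue" listed under Limitations visible: the certificate fails verification against the system trust store and only verifies when you name it as its own CA.

```shell
#!/bin/sh
# Added example (not from the LinuxSecurity article): self-signed certificate
# generation with OpenSSL plus post-generation checks. Domain/org are constructed.
set -eu

# Generate key, CSR and self-signed certificate for domain $2 inside directory $1.
# -subj supplies the CSR fields the interactive prompts would otherwise ask for.
make_selfsigned() {
  dir=$1; domain=$2
  openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$domain.key" -out "$dir/$domain.csr" \
      -subj "/CN=$domain/O=Example Org" 2>/dev/null
  openssl x509 -req -days 3650 -in "$dir/$domain.csr" \
      -signkey "$dir/$domain.key" -out "$dir/$domain.crt" 2>/dev/null
  chmod 600 "$dir/$domain.key"          # the private key is the secret; keep it owner-only
  echo "$dir/$domain.crt"
}

# A self-signed certificate is its own issuer: subject and issuer DNs are identical.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# "trusted"          : verifies against the system trust store (a CA-issued cert)
# "self-signed-only" : verifies only when it is named as its own CA (-CAfile)
# "invalid"          : does not verify either way
check_trust() {
  if openssl verify "$1" >/dev/null 2>&1; then
    echo trusted
  elif openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
    echo self-signed-only
  else
    echo invalid
  fi
}

# "valid" if the certificate will still be within its validity period $2 seconds from now.
check_validity() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then echo valid; else echo expiring; fi
}

# Stand-alone run: build a certificate in a temporary directory and report on it.
if [ "${1:-}" = "run" ]; then
  work=$(mktemp -d)
  cert=$(make_selfsigned "$work" example.test)
  echo "certificate: $cert"
  echo "self-signed: $(is_self_signed "$cert")"
  echo "trust:       $(check_trust "$cert")"
  echo "validity:    $(check_validity "$cert" 86400)"
  rm -rf "$work"
fi
```

Run it as `sh selfsigned.sh run`. The trust result is the practical point: a self-signed certificate protects the connection against passive eavesdropping but gives the peer no way to tell it from one an attacker generated, so it belongs on internal test systems or in a pinned configuration, not on a public mail server where a CA-issued (for example Let's Encrypt) certificate is the right tool.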
User Education and Adoption

Email encryption is generally difficult to use, which impacts the adoption rate.

Solution: To overcome this challenge, address the learning curve. Invest in training your employees on using email encryption and best practices. For example, they must know how to encrypt and decrypt emails to read email content, store keys on a private server, and more. Instead of troubling users with extra account creations, logins, or questions, prioritize user experience. Simplify email encryption by:
- Leveraging user-friendly resources and tools, like ProtonMail or Hushmail, to ease the adoption process
- Adjusting protocols based on different environments
- Enabling decryption via a web browser and verifying emails to authenticate identity
- Implementing data access permissions and controls for encrypted emails for information security

Practical Tips for Email Encryption

Best Practices for Email Encryption
- Encrypt your emails, all of them, for greater data security and privacy
- Choose a suitable email encryption system and method based on your organization's needs
- Authenticate encryption indicators while transmitting emails
- Back up your encryption keys and certificates
- Be cautious about key management and storage. Store keys only on secured, private servers or on-premises.
- Educate users on email encryption and instruct them to follow best practices

What to do if a key compromise is suspected?

In case your private key is compromised or stolen:
- Immediately change your email passwords and modify security settings
- Change the passwords of your crypto wallets or accounts
- Quickly move your assets or data to another, secure wallet
- Notify your wallet provider or crypto exchange
- Report the incident to regulatory bodies in your region

Backup and Recovery of Encryption Keys and Certificates

Consider backing up your encryption keys and certificates on a secure, private server, an on-premises system, or an off-site location. If you have the backup encryption certificate, you can restore your backups. Unfortunately, if you don't, it's not possible.

Our Final Thoughts on the Importance of Sending Secure or Encrypted Email on Linux

Encrypted and secure emails are essential to protect your email and its content from unauthorized access. So, implement email encryption and secure email practices to secure your organization's communications, keep data private, and prevent cyberattacks. With the practical advice offered in this article, you should be well on your way to improving your email security and securing your critical data against leaks and breaches.

By Brittany Day, Jun 22, 2024

GPG Encryption: Secure Email Communication on Linux Systems

Much of today's communication in the professional world occurs via email. What could be worse than sending an email to the wrong recipient or having an email intercepted by an attacker? There are many reasons that emails should not contain information, especially confidential or personally identifiable information, in plain text. Doing so could put a whole organization at risk. Is there a solution? Yes, encryption.

Asymmetric cryptography, also known as public-key cryptography, is a cryptographic process that uses a public key and a private key. In asymmetric cryptography, the encryption of data is done with the public key. Once a person encrypts the data with the recipient's public key and sends the data, it can only be decrypted using the private, or secret, key. No one should have access to your private key; that way, even if communication is intercepted or data is sent to an unintended person, they will not be able to decrypt and read the contents of the message.

GPG, or GnuPG, is an implementation of PGP that can be used with different operating systems, including Linux. It is software that allows for secure communication. GPG is also easily integrated with other applications, making it very simple to encrypt emails and share keys. This article will introduce GPG as a great way to keep private files private on Linux.

How Does GPG Work?

Using GPG on Linux is extremely uncomplicated. All you need to do is install it, generate your keys, share them, and then you can start using it. To install GPG, you can run sudo apt-get install gnupg in your command line. Once that is complete, run gpg --gen-key to generate a key pair. To allow people to send you encrypted data that you can decrypt using the private key, you need to share the public key. This is done by typing gpg --output ~/mygpg.key --armor --export [your email address].

You can also send your key to a certain server by running gpg --send-keys --keyserver pgp.server.com key_id. If you want to import other users' keys, you can do gpg --import nameofkey. This way you can encrypt any files or emails you want to send to this user, which only they will be able to decrypt with their private key. To encrypt messages you can run gpg --encrypt --sign --armor -r [recipient email address] file_name. Now you can securely send an email to this person. However, if you receive an email that has been encrypted with your public key, you can decrypt it by simply running gpg file_name.asc. GPG also allows you to add digital signatures to emails, which adds an extra layer of security when it comes to confirming who a message is coming from. To verify that the message is coming from the correct person, we can use gpg --verify email.txt.asc. You can also sign messages using gpg --armor --sign --output email.txt.asc --encrypt --recipient [recipient email address] email.txt.

Below is a table that shows the available commands you can use with GPG, and what they each do.

Option    Long flag    Short flag    Definition
Armor     --armor      -a            Output modifier that changes the output to an ASCII-armored file
Encrypt   --encrypt    -e            Encrypts a file
Decrypt   --decrypt    -d            Decrypts a file
Sign      --sign       -s            Used to add a digital signature
Verify    --verify     -v            Verifies a signed file to make sure it is from the correct source

Conclusion

As I have mentioned, secure communication is very important, yet often overlooked. Emails contain sensitive data that should only be read by the intended recipients and could otherwise put an organization at risk. GPG is a very easy tool to use with Linux that can make sure all communication is secure by implementing asymmetric cryptography. GPG can do far more than what is mentioned in this article, but for now our focus is on secure and confidential email communication. Stay tuned for future LinuxSecurity articles on GPG!

By Zaid AlBukhari, Nov 21, 2022
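Both articles above describe the same GPG workflow (generate a key pair, exchange public keys, encrypt and sign, decrypt and verify). The script below runs that whole exchange end to end between two constructed parties, Alice and Bob, each with a throwaway GNUPGHOME so nothing touches your real keyring. It is an added example, not code from either article; the names, addresses and message are constructed, and the keys are generated without a passphrase (%no-protection), which is acceptable for a disposable demo only. It needs GnuPG 2.1 or later for unattended key generation.

```shell
#!/bin/sh
# Added example (not from the LinuxSecurity articles): a complete GPG round trip.
# Alice and Bob, their addresses and the message are constructed values.
set -eu

# Unattended key generation: $1 = GNUPGHOME, $2 = name, $3 = email.
# A signing primary key plus an encryption subkey, as gpg --gen-key would make.
make_key() {
  GNUPGHOME="$1" gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# Generate, exchange public keys, encrypt+sign as Alice, decrypt+verify as Bob.
# Prints "<good|bad>:<decrypted text>" so the signature result is visible.
gpg_roundtrip() {
  work=$(mktemp -d)
  alice="$work/alice"; bob="$work/bob"
  mkdir -m 700 "$alice" "$bob"

  make_key "$alice" "Alice Example" "alice@example.com"
  make_key "$bob"   "Bob Example"   "bob@example.com"

  # Export ASCII-armored public keys (the --armor --export step) and import the peer's.
  GNUPGHOME="$alice" gpg --batch --armor --export alice@example.com > "$work/alice.pub"
  GNUPGHOME="$bob"   gpg --batch --armor --export bob@example.com   > "$work/bob.pub"
  GNUPGHOME="$alice" gpg --batch --quiet --import "$work/bob.pub"   2>/dev/null
  GNUPGHOME="$bob"   gpg --batch --quiet --import "$work/alice.pub" 2>/dev/null

  # Alice encrypts to Bob's public key and signs with her own private key.
  # --trust-model always skips the interactive "key not certified" prompt for the demo;
  # in real use you would verify Bob's fingerprint out of band and sign his key instead.
  printf 'quarterly numbers attached\n' > "$work/msg.txt"
  GNUPGHOME="$alice" gpg --batch --quiet --trust-model always \
      --encrypt --sign --armor --recipient bob@example.com \
      --output "$work/msg.asc" "$work/msg.txt" 2>/dev/null

  # Bob decrypts with his private key; gpg checks Alice's signature at the same time.
  # --status-fd gives machine-readable lines (GOODSIG/BADSIG) instead of parsing stderr.
  GNUPGHOME="$bob" gpg --batch --quiet --status-fd 3 \
      --output "$work/msg.out" --decrypt "$work/msg.asc" 3>"$work/status" 2>/dev/null

  if grep -q '^\[GNUPG:\] GOODSIG' "$work/status"; then sig=good; else sig=bad; fi
  result="$sig:$(cat "$work/msg.out")"

  # Stop the per-keyring agents and discard the throwaway material.
  GNUPGHOME="$alice" gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$bob"   gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  echo "$result"
}

gpg_roundtrip
```

The GOODSIG check is the part most people skip when they use gpg by hand: decryption succeeding only proves the message was encrypted to your key, while the signature status is what ties it to the sender. In an email client the same two results appear as the "encrypted" and "signed" indicators.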

Implementing Digest Authentication For Squid Proxy Security

Digest Authentication

Digest Authentication hashes the password before transmitting it over the wire. Essentially, it sends a message digest generated from multiple items, including the username, realm, and nonce value. If you want to know more, see RFC 2617. The thing to remember is that both Basic and Digest are on the weak end of the authentication security spectrum. If your only choices are Basic and Digest, the lesser of two evils is Digest. Digest is very similar to Basic from a configuration perspective. Squid uses an external helper program to facilitate the authentication process. From a Squid configuration perspective, the following pieces are required in the

By Anthony Pell, Dec 01, 2011
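To make concrete what "hashes the password before transmitting it" means, here is the RFC 2617 digest computation written out, using the worked values from section 3.5 of the RFC (user Mufasa, realm testrealm@host.com, password "Circle Of Life") so the result can be checked against the RFC's own response value. This is an added example, not from the article; the helper-side check is modelled on what any digest verifier must do and is not Squid's helper code.

```shell
#!/bin/sh
# Added example (not from the article): RFC 2617 Digest Authentication arithmetic,
# client side and verifier side, with the RFC's own worked values.
set -eu

md5() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# HA1 = MD5(username:realm:password). The only place the password enters; it is
# also what a digest verifier can store instead of the password. HA1 is therefore
# password-equivalent for this realm and must be protected like one.
digest_ha1() { md5 "$1:$2:$3"; }

# HA2 = MD5(method:uri)
digest_ha2() { md5 "$1:$2"; }

# Client response with qop=auth:
#   MD5(HA1:nonce:nc:cnonce:qop:HA2)
# Args: user realm password method uri nonce nc cnonce qop
digest_response() {
  ha1=$(digest_ha1 "$1" "$2" "$3")
  ha2=$(digest_ha2 "$4" "$5")
  md5 "$ha1:$6:$7:$8:$9:$ha2"
}

# Verifier side (what the proxy's helper does): recompute from the stored HA1 and
# the values seen on the wire, then compare. Note the plaintext password is not needed.
# Args: stored_ha1 method uri nonce nc cnonce qop presented_response
digest_check() {
  ha2=$(digest_ha2 "$2" "$3")
  expected=$(md5 "$1:$4:$5:$6:$7:$ha2")
  if [ "$expected" = "$8" ]; then echo ok; else echo fail; fi
}

# Everything in the response except HA1 travels in the clear, so the response is a
# deterministic function of the password plus observable values: anyone who captures
# one exchange can test password guesses offline. That is why Digest sits at the
# weak end of the spectrum and why the proxy connection itself should be encrypted.

# Stand-alone run with the RFC 2617 section 3.5 values.
if [ "${1:-}" = "run" ]; then
  echo "HA1:      $(digest_ha1 Mufasa testrealm@host.com 'Circle Of Life')"
  echo "response: $(digest_response Mufasa testrealm@host.com 'Circle Of Life' GET /dir/index.html \
                    dcd98b7102dd2f0e8b11d0f600bfb0c093 00000001 0a4f113b auth)"
fi
```

Run with `sh digest.sh run`; the response should match the value printed in RFC 2617 section 3.5. The verifier function is also the argument for storing HA1 rather than cleartext in the helper's password file: the helper never needs the password itself, but the file still needs the same file permissions and handling a password file would get.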

Comprehensive Guide to Secure Syslog-ng and Snort Integration for Logging

A Comprehensive Guide to Building Encrypted, Secure Remote Syslog-ng Servers with the Snort Intrusion Detection System

Introduction

The precursor to this article, Creating Secure Remote Log Servers, was the first in a series of papers focused on walking readers through configuring and deploying secure remote log servers. This second paper in the series offers a much more robust alternative to first generation SYSLOG servers, providing a much more reliable remote logging facility that is effective for use within Honeynets and Intrusion Detection System deployments. Remote log servers can provide centralized logging capability for IDSs spread across large network environments. I have proposed this approach for centralized logging in large IDS deployments on government networks that typically consist of multiple CLASS A networks. What this paper hopes to accomplish is to walk its readers through building next generation secure remote log servers to use in any environment, more specifically for those wanting to utilize this form of logging with the Snort Intrusion Detection System ( https://www.snort.org/ ). For those of you who follow my papers regularly, you know that my writing style is that of precise detail without any real expectation that readers have intimate knowledge of how to configure and use the utilities I write about. The same holds for this paper. I will walk you through installing and configuring the Snort IDS as well as downloading, installing, and configuring Syslog-ng (Syslog, Next Generation). I will detail how to configure Snort to log to syslog so that alerts are generated locally and remotely on the offsite Syslog-ng server over an encrypted SSL tunnel. This will be the most comprehensive paper available to the community, offering a step-by-step guide to configuring Secure Remote Log Servers and their interaction with Intrusion Detection Systems.
Preparing Your Systems

Ok, the first thing you're going to want to do is set up both systems and identify which one will be the CLIENT (the Snort box running Syslog-ng that will send its logs to the SERVER) and which one will be the SERVER (the system that listens for incoming connections for logs from the Syslog-ng client). Let's lay out a few ground rules to set the foundation for this paper. I will be referring to each system accordingly as outlined above. The IP addresses for each system are:

    CLIENT 192.168.0.1
    SERVER 192.168.0.2

The Client

The first task we'll accomplish is downloading and configuring Syslog-ng for use as the client. Now if you remember, the client must be configured to send the Syslog alerts remotely to the other server. Syslog-ng stands for Syslog Next Generation. As the name implies, Syslog-ng was designed to meet higher standards of stability in logging as well as to add security and encryption functionality. A unique feature of Syslog-ng is its capability to offer TCP logging, which all of you should hopefully already know is different from first-generation SYSLOG, as its predecessor utilizes UDP only. To download Syslog-ng, hop over in your favorite lynx browser ;) to the download site and grab it. As of this writing, the current version is 1.4.15. You will also need to download libol as the instructions imply.

    pa-obsd01# pwd
    /export/syslog-ng-1.4.14
    pa-obsd01# ./configure && make && make install

Alright, for some reason when I installed and configured Syslog-ng, it didn't create the /etc/syslog-ng directory, nor provide me any default configuration files. So for obvious reasons you won't have to worry about that, because I'll be providing the configurations for you. Go ahead and mkdir the /etc/syslog-ng directory and untar Syslog-ng after installing libol. Once completed you should have a binary for syslog-ng in your /usr/local/sbin directory.
The following configuration information should be stored as /etc/syslog-ng/syslog-ng.conf:

    ###################################################
    #
    # This is a working Syslog-ng file for a Syslog-ng
    # CLIENT system only.
    #
    # Refer to the comments below for some of the
    # syntax being used.
    # File: /etc/syslog-ng/syslog-ng.conf
    #
    # Syslog-ng configuration file created by
    # Eric "Loki" Hines
    # Email: loki@fatelabs.com
    #
    # Syslog-ng is
    # Copyright (c) 1999 Balazs Scheidler
    #
    ####################################################

    # This identifies the source machine (gateway) and
    # gives it a name. You can name the identifier anything
    # you want, e.g. source barney.localhost
    # { unix-dgram("/dev/log"); internal(); }; or whatever you
    # want. Have fun, but make sure to remember what name
    # you give it for the log statement.
    source gateway {
        # If you are not using OpenBSD, you will need to change
        # this to your specific syslog device file.
        # The different options for each OS are provided at
        # https://www.oneidentity.com
        unix-dgram("/dev/log");
        internal();
    };

    # What I've done here (thanks Jason Ish) is configured
    # Syslog-ng to log locally to our /var/log directory as well as
    # remotely to the remote Syslog-ng SERVER. This is an awesome
    # idea as it creates 2 locations for log files to eliminate
    # single points of failure. (Also an awesome idea with
    # honeynets, dig? :)
    destination localhost { file("/var/log/syslog-ng.all"); };
    destination shell { tcp("192.168.0.2" port(514)); };

    # This ties our source and destinations together, think of it
    # this way (src + dst = logging). One source, two destinations.
    log { source(gateway); destination(localhost); destination(shell); };

You should now have a working configuration file for the syslog-ng client; let's go ahead and set up Snort for logging to the Syslog server. This will actually be more trivial than you might think. Go ahead and download Snort from https://www.snort.org/ . As of this writing, the current version is 1.8.6.
If you are worried about the new fragroute IDS evasion tool and protecting against these types of attacks, Snort currently offers a stable-snapshot release for download. The next release of Snort will evidently provide these enhancements, so choose your poison. Go ahead and untar Snort and let's walk through the configuration.

    192.168.0.1
    pa-obsd01# pwd
    /export/snort-1.8.6
    pa-obsd01# ./configure && make && make install

I feel kind of ridiculous pasting in those ./configure commands, but some of you would be surprised at the kind of emails I get after writing a paper :D So that listing is for those of you who don't yet know how to compile and install a program. Then again, if you didn't already know that, I'd question your idea of building a secure remote log server this early in the game ;) But we've all got to start somewhere, right? Moving on. We're going to go ahead and make a quick modification to the Snort configuration file.

    # or you can specify the variable to be any IP address
    # like this:
    var HOME_NET 192.168.0.1

    # Set up the external network addresses as well.
    # A good start may be "any"
    var EXTERNAL_NET any

Let's go ahead and start up Snort to log to syslog. The Snort development team made this extremely simple for us. Because we've configured Syslog-ng to log remotely for us, Snort doesn't have to do ANYTHING but log locally to syslog. This is accomplished merely by using the following syntax:

    192.168.0.1
    pa-obsd01# adduser snort
    pa-obsd01# passwd snort
    pa-obsd01# ./snort -D -A full -c snort.conf -d -e -u snort -g snort -s

(Please don't run snort as root.) The other flags can be omitted without any problems, but make sure to leave the -s flag intact, as that is what enables Snort logging to syslog. Upon initiation of Snort, our Syslog-ng will now be trapping those alerts and sending them over the wire to the remote Syslog-ng server.
However, because it isn't yet configured, those alerts will be lost. Maybe I should have done this step last :D, hah, man I crack myself up.

The Server

Let's go ahead and configure the remote Syslog-ng server now for receipt of those alerts. For obvious reasons, go ahead and download Syslog-ng again for the server and run through the configure and make install again. After doing so, we'll go ahead and configure Syslog-ng to accept alerts from the Client.

    192.168.0.2
    source shell {
        unix-dgram("/dev/log");
        internal();
        # Listen on public interface, port 514 for incoming connections
        tcp(ip(192.168.0.2) port(514) max-connections(1));
    };
    destination localhost { file("/var/log/syslog-ng.all"); };

    # Again, we tie both statements together with the log function.
    log { source(shell); destination(localhost); };

To start up Syslog-ng we'll go ahead and execute /usr/local/sbin/syslog-ng. Oh, go ahead and start up Syslog-ng on the CLIENT as well. You should now be successfully logging Snort alerts from the remote system as demonstrated below.
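Once alerts land in /var/log/syslog-ng.all they are plain text in a fixed shape, which makes them easy to post-process on the log server. The Python below is an added example, not part of the original paper: it parses the Snort-over-syslog alert format that the -s flag produces (as relayed by syslog-ng, in the form shown in the tail output that follows) and counts hits per signature and source address, using a constructed sample modelled on that output.

```python
import re
from collections import Counter

# Snort-over-syslog alert line, as written by "snort -s" and relayed by syslog-ng:
#   <timestamp> <host> Snort: [gid:sid:rev] <msg> [Classification: ...] [Priority: n]: {PROTO} src:port -> dst:port
# Preprocessor alerts (e.g. spp_http_decode) carry no Classification/Priority part, so both are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) Snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?)\s*"
    r"(?:\[Classification: (?P<classification>[^\]]*)\]\s*)?"
    r"(?:\[Priority: (?P<prio>\d+)\]:?\s*)?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample modelled on the paper's tail output (not real traffic); the
# last line is an ordinary su message that the alert parser must ignore.
SAMPLE_LINES = [
    "May 14 02:37:18 localhost/localhost/192.168.0.1 Snort: [1:1002:4] WEB-IIS cmd.exe access "
    "[Classification: Web Application Attack] [Priority: 1]: {TCP} 192.168.0.2:3434 -> 192.168.0.1:80",
    "May 14 02:37:19 localhost/localhost/192.168.0.1 Snort: [1:1002:4] WEB-IIS cmd.exe access "
    "[Classification: Web Application Attack] [Priority: 1]: {TCP} 192.168.0.2:3458 -> 192.168.0.1:80",
    # Missing space before "[Classification", as seen in one of the relayed lines.
    "May 14 02:37:20 localhost/localhost/192.168.0.1 Snort: [1:1002:4] WEB-IIS cmd.exe access"
    "[Classification: Web Application Attack] [Priority: 1]: {TCP} 192.168.0.2:3515 -> 192.168.0.1:80",
    "May 14 02:37:21 localhost/localhost/192.168.0.1 Snort: [102:7:1] (spp_http_decode) "
    "Overlong Unicode character received {TCP} 192.168.0.2:3565 -> 192.168.0.1:80",
    "May 24 05:22:59 gateway@pa-obsd01/localhost su: BAD SU loki to root on /dev/ttyp0",
]


def parse_alert(line):
    """Return a dict of fields for a Snort alert line, or None for any other syslog line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    prio = rec.pop("prio")
    rec["priority"] = int(prio) if prio is not None else None
    for key in ("gid", "sid", "rev", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines, threshold=3):
    """Parse a batch of syslog lines and count alerts per (sid, message, source address).

    Returns (records, counts, flagged); flagged holds the (sid, msg, src) keys whose
    count reached the threshold, i.e. one source repeatedly tripping one signature.
    """
    records = [r for r in (parse_alert(line) for line in lines) if r is not None]
    counts = Counter((r["sid"], r["msg"], r["src"]) for r in records)
    flagged = {key: n for key, n in counts.items() if n >= threshold}
    return records, counts, flagged


if __name__ == "__main__":
    recs, counts, flagged = summarize(SAMPLE_LINES)
    print(f"{len(recs)} alerts parsed out of {len(SAMPLE_LINES)} lines")
    for (sid, msg, src), n in counts.most_common():
        mark = "  <-- threshold reached" if (sid, msg, src) in flagged else ""
        print(f"sid {sid:<6} {src:<15} x{n}  {msg}{mark}")
```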
    192.168.0.2
    pa-obsd01# tail -f /var/log/syslog-ng.all
    May 14 02:37:18 localhost/localhost/192.168.0.1 Snort: [1:1002:4] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.168.0.2:3434 -> 192.168.0.1:80
    May 14 02:37:19 localhost/localhost/192.168.0.1 Snort: [1:1002:4] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.168.0.2:3458 -> 192.168.0.1:80
    May 14 02:37:19 localhost/localhost/192.168.0.1 Snort: [1:1002:4] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.168.0.2:3474 -> 192.168.0.1:80
    May 14 02:37:20 localhost/localhost/192.168.0.1 Snort: [1:1002:4] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.168.0.2:3496 -> 192.168.0.1:80
    May 14 02:37:20 localhost/localhost/192.168.0.1 Snort: [1:1002:4] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.168.0.2:3515 -> 192.168.0.1:80
    May 14 02:37:20 localhost/localhost/192.168.0.1 Snort: [1:1002:4] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.168.0.2:3547 -> 192.168.0.1:80
    May 14 02:37:21 localhost/localhost/192.168.0.1 Snort: [102:7:1] (spp_http_decode) Overlong Unicode character received {TCP} 192.168.0.2:3565 -> 192.168.0.1:80
    May 14 02:37:21 localhost/localhost/192.168.0.1 Snort: [1:1002:4] WEB-IIS cmd.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.168.0.2:3565 -> 192.168.0.1:80
    May 14 02:37:21 localhost/localhost/192.168.0.1 Snort: [102:7:1] (spp_http_decode) Overlong Unicode character received {TCP} 192.168.0.2:3585 -> 192.168.0.1:80

The Firewall

Now we will want to install a firewall on the remote Syslog-ng server. This will allow us to specify which systems are and are not allowed to connect to our system, as well as to specify an ACL for which IPs are allowed to log to our Syslog port. We will accomplish this through a simple PF (Packet Filter) config file. I have provided mine below.
For you other users of IPF, the syntax should work the same.

    192.168.0.2
    ####
    #### SET VARIABLES. CHANGE THIS TO YOUR NIC INTERFACE ID
    #### ifconfig -a
    ####
    EXT="de0"

    ####
    #### EXPLICITLY ALLOW ONLY 192.168.0.1 TO PORT 514 (syslog-ng)
    #### IF YOU USE THIS FIREWALL CONFIG FOR STUNNEL, CHANGE IT TO
    #### THE INCOMING STUNNEL PORT WE SET, 5140
    #### "quick" rules stop evaluation at the first match, so this pass
    #### must come BEFORE the RFC 1918 blocks below or the 192.168.0.1
    #### client is blocked. keep state lets the replies back out past
    #### the block out rules.
    ####
    pass in quick on $EXT inet proto tcp from { 192.168.0.1/32 } to any port = 514 keep state

    ####
    #### BLOCK IN ALL RFC 1918
    ####
    block in quick on $EXT inet from 192.168.0.0/16 to any
    block in quick on $EXT inet from 172.16.0.0/12 to any
    block in quick on $EXT inet from 10.0.0.0/8 to any
    block out quick on $EXT inet from any to 192.168.0.0/16
    block out quick on $EXT inet from any to 172.16.0.0/12
    block out quick on $EXT inet from any to 10.0.0.0/8

    ####
    #### EXPLICITLY BLOCK ALL OTHER TRAFFIC AND LOG
    #### ALLOW ALL OUTGOING
    ####
    block in log quick on $EXT from any to any
    pass out quick on $EXT from any to any keep state

Stunnel

I have decided to break this paper up into (2) two sections. The following section and configuration files for Syslog-ng are only for those of you who want to encrypt the syslog data over SSL. For those of you who have your own ways of handling the encryption (VPN, etc.), feel free to ignore this section and only use the configuration files provided previously.

Client

Your first task, should you choose to accept it, is to download and configure Stunnel :). You can download Stunnel from https://www.stunnel.org/ . Now, for some reason I keep getting the same compile errors when compiling on OpenBSD 3.0. So for those of you who are experiencing the same problems, simply install stunnel from ports, RPM, or whatever alternative or binary distribution your platform offers. I did in fact install from ports, so aside from the ./configure and make install, I think all of you can pretty much handle this on your own.
After the installation has completed, you will want to configure Syslog-ng to log to LOCALHOST on a port where Stunnel will be awaiting connections. Stunnel will then carry the data over to the SERVER, where another Stunnel daemon will be waiting for connections. Use the following configuration file for Syslog-ng, located in /etc/syslog-ng/syslog-ng.conf:

    192.168.0.1
    ##########################################################################
    #
    # This is a working Syslog-ng file for a Syslog-ng CLIENT system using
    # STUNNEL only.
    # Refer to the comments below for some of the syntax being used.
    # File: /etc/syslog-ng/syslog-ng.conf
    #
    # Syslog-ng configuration file created by Eric "Loki" Hines
    # Email: loki@fatelabs.com
    #
    # Syslog-ng is
    # Copyright (c) 1999 Balazs Scheidler
    #
    ##########################################################################

    # Change this name to anything you want (gateway)
    source gateway { unix-dgram("/dev/log"); internal(); };

    # Store all logs locally to this machine as well.
    destination localhost { file("/var/log/syslog-ng.all"); };

    # This is where we are telling Syslog to send all events to localhost, port 5141.
    destination stunnel { tcp("localhost" port(5141)); };

    # This combines the two destinations: local logging + logging to the local stunnel.
    log { source(gateway); destination(localhost); destination(stunnel); };

Don't forget to start Stunnel with the following syntax.

    192.168.0.1
    pa-obsd01: /usr/local/sbin/stunnel -c -r 192.168.0.2:5140 -d 5141

This instructs Stunnel to connect as a client to the remote Syslog-ng server 192.168.0.2 on port 5140, while listening in daemon mode on port 5141, where Syslog-ng is sending its alerts.

Server

You will need to generate a server certificate for your Stunnel server. This is actually going to be quite simple.
You will NEED the Stunnel source code for this, so even if you installed from ports you will still need to download the Stunnel tar file. After doing so, simply run:

    make cert

This will prompt you with a set of questions, whereupon it will generate the server certificate for you. After doing so, simply copy the certificate (stunnel.pem) to /etc/ssl, where I keep all of my certificates.

    192.168.0.2
    sj-obsd01:stunnel-3.22 {167} make cert
    rm -f stunnel.pem
    make stunnel.pem
    /usr/local/ssl/bin/openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem
    Using configuration from stunnel.cnf
    Generating a 1024 bit RSA private key
    ...............++++++
    ...........................++++++
    writing new private key to 'stunnel.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [PL]:

Simply start up Stunnel with the following command line:

    192.168.0.2
    pa-obsd01: /usr/local/sbin/stunnel -p /etc/ssl/stunnel.pem -d 5140 -r localhost:514

This initiates Stunnel, telling it to use the stunnel server certificate, go into daemon mode and listen on port 5140 for the incoming Stunnel connection from our client, decrypt those packets, then forward them to localhost port 514 where Syslog-ng is waiting. The last step is to configure Syslog-ng on the server using the following configuration file.

    192.168.0.2
    #######################################################################
    #
    # This is a working Syslog-ng file for a Syslog-ng SERVER system only.
    # Refer to the comments below for some of the syntax being used.
    # File: /etc/syslog-ng/syslog-ng.conf
    #
    # Syslog-ng configuration file created by Eric "Loki" Hines
    # Email: loki@fatelabs.com
    #
    # Syslog-ng is
    # Copyright (c) 1999 Balazs Scheidler
    ########################################################################

    source shell {
        unix-dgram("/dev/log");
        internal();
        # Loopback only: the plaintext port is reachable just by the local Stunnel.
        tcp(ip(127.0.0.1) port(514) max-connections(1));
    };
    destination localhost { file("/var/log/syslog-ng.all"); };

    # Again, we tie both statements together with the log function.
    log { source(shell); destination(localhost); };

You are all done! Go ahead and trigger some alerts on the client, such as an invalid password during su.

    192.168.0.1
    pa-obsd01:syslog-ng {1} su
    Password:
    Sorry

    192.168.0.2
    sj-obsd01:stunnel-3.22 {113} tail -f /var/log/syslog-ng.all
    May 24 05:22:59 gateway@pa-obsd01/localhost su: BAD SU loki to root on /dev/ttyp0

Conclusion

This paper has hopefully made it evident to you that better ways of doing things will always exist: just because Syslog ships with your operating system doesn't mean there aren't better ways of handling those logging functions. With little effort in downloading and configuring another utility, we've attained a much more stable and secure logging environment. You have probably thought about creating a log server that could store logs offsite but were afraid of figuring out how to accomplish this task. More often than not I find that just going out and figuring out how to do it is a lot easier than sitting there stressing about how much you wish you could figure it out. I hope this paper has been beneficial to you. I will answer any ideas, questions, or concerns via email at the information provided below.

Author's Bio

Mr. Hines is a defense contractor who has worked in the Information Security industry for over 10 years. Publishing under the alias Loki, Mr. Hines plays an active role in contributions to Open Disclosure through advisory and exploit research; he is widely sought after for publishing the first advisory on circumventing Virtual Private Network appliances and for speaking on the subject at Blackhat Briefings 2001 in Las Vegas, NV. Mr. Hines has been an advisor to the Federal Bureau of Investigation/NIPC and state police departments in apprehending and tracking down hackers, has served as an expert witness in the conviction of those hackers, and has authored many security white papers, including Virtual Private Problems, Blind IP Spoofing with Session Hijacking, and Building Secure Remote Log Servers, which were published in several SANS Institute papers, OpenBSD.org, LinuxSecurity.com, and SecurityFocus.com. Mr. Hines is currently the Chief Technical Officer and Co-Founder of E*com Solutions, the former Manager of Penetration Testing for SBC Datacom, former CEO of AlphaForce.com, where he built a SOC and IDS infrastructure to monitor attacks against the AlphaTrade NASDAQ and NYSE stock feed network, and is also the former Information Security Group manager for NUASIS Corporation, where he architected a VoVPN strategy to secure all H.323 Internet voice traffic for the company.

Contact

Eric "Loki" Hines
Founder, Chief Research Scientist
Fate Research Labs
Email: loki@fatelabs.com

Appendix

Fate Research Labs
Snort IDS: https://www.snort.org/
Syslog-ng: https://www.oneidentity.com
Honeynet Project
Stunnel: https://www.stunnel.org/
OpenSSL: https://www.openssl.org:443/

Posted May 29, 2002 by Brittany Day