Additional Security Measures for Syslog over SSH

Posted by Eric on Server Fault See other posts from Server Fault or by Eric
Published on 2012-04-04T16:16:10Z Indexed on 2012/04/04 17:31 UTC
Read the original article Hit count: 385

Filed under:

ssh

|

ssh-tunnel

|

syslog

I'm currently working on setting up some secure syslog connections between a few Fedora servers. This is my currently setup

192.168.56.110 (syslog-server) <----> 192.168.57.110 (syslog-agent)

From the agent, I am running this command:

ssh -fnNTx -L 1514:127.0.0.1:514 [email protected]

This works just fine. I have rsyslog on the syslog-agent pointing to @@127.0.0.1:1514 and it forwards everything to the server correctly on port 514 via the tunnel. My issue is, I want to be able to lock this down. I am going to use ssh keys so this is automated because there will be multiple agents talking to the server. Here are my concerns.

Someone getting on the syslog-agent and logging into the server directly.
- I have taken care of this by ensuring that syslog_user has a shell of /sbin/nologin so that user can't get a shell at all.
I don't want someone to be able to tunnel another port over ssh. Ex. - 6666:127.0.0.1:21.
- I know my first line of defense against this is to just not have anything listening on those ports and it's not an issue. However I want to be able to lock this down somehow.

Are there any sshd_config settings on the server that I can use to make it where only port 514 can be tunneled over ssh? Are there any other major security concerns I'm overlooking at this point? Thanks in advance for your help/comments.

© Server Fault or respective owner

Related posts about ssh

Problem with hadoop start-dfs.sh

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I installed and configured hadoop on my Ubuntu 14.04 server, virtualized inside of hyper-v, however I am getting an issue when i run start-dfs.sh root@sUbuntu01:/var/log# start-dfs.sh 14/06/04 15:27:08 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java… >>> More
SSH problems (ssh_exchange_identification: read: Connection reset by peer)

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I was running 11.10 and decided to do the full upgrade and come up to 12.04 after the update SSH (not SSHD) is now misbehaving when attempting to connect to other OpenSSH instances. I say OpenSSH as I am running a DropBear sshd on my router and I am able to connect to it. When attempting to connect… >>> More
SSH main process ended

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I have a running ubuntu server 10.04.1. When I tried to login to the server via ssh, I could not. Instead, I got connection refused error. I tried to ping the machine and I got reply! So, the clear reason is that SSH daemon is stopped. After reboot, I was able to login to my server via ssh. After… >>> More
SSH server not working (respawns until stopped)

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I have a running Ubuntu Server 10.04.1. When I tried to login to the server via ssh, I could not. Instead, I got connection refused error. I tried to ping the machine and I got reply! So, the clear reason is that SSH daemon is stopped. After reboot, I was able to login to my server via ssh. After… >>> More
Cannot SSH after resetting firewall on VPS

as seen on Server Fault - Search for 'Server Fault'
I'm having trouble trying to SSH to my Debian 5 VPS with blacknight. It was working fine until I did the following: Logged into 'Parallels Infrastructure Manager' - Container - Firewall - Set to 'Normal Firewall settings'. It told me there was an error with the IPTables and offered the option again… >>> More

Related posts about ssh-tunnel

Use Windows/Mac MySQL GUI over SSH Tunnel

as seen on Server Fault - Search for 'Server Fault'
I am working on a client's website and he has hosting through 1and1. They don't allow connecting directly to their mySQL server from anywhere. I can't for instance load up a mySQL GUI on windows and just connect and work on the databases, it says host not found. His hosting account on the other hand… >>> More
SSH tunnels with multiple outbound IPs

as seen on Server Fault - Search for 'Server Fault'
I have a VPS with multiple IP addresses allocated to it (we can use debian, centos or ubuntu). I can ssh into the server using any of the IP addresses. However, any ssh tunnel I set up always uses just one of the IP addresses as its origination IP. How do I configure the server so that when I ssh… >>> More
chef clients behind firewall

as seen on Server Fault - Search for 'Server Fault'
I am currently learning about chef. What I understood so far: I have to install chef-server on an own server or use the hosted chef. I have to install chef-client on the servers that I want to manage aka nodes (manually or using knife bootstrap). I installed several chef tools on my own PC that… >>> More
VNC over SSH on open Tunnel

as seen on Server Fault - Search for 'Server Fault'
Is it possible to bind VNC server to a open SSH tunnel? I have a tablet that has initiated a reverse ssh tunnel to my server. This works fine over port 8080. I need to now bind to this port from my local machine. It looks like Ubuntu has some "remote desktop viewier" that has ssh built in capabilities… >>> More
How to set up a SSH tunnel and/or reverse SSH tunnel?

as seen on Super User - Search for 'Super User'
I'm located in Shanghai China and am trying to set up an SSH tunnel (or a reverse ssh tunnel?) to my brother's server located in the States. I'm using windows xp and he has a mac. We are both using wireless routers (not sure if this is relevant). He's given me the address and password (for his… >>> More