Generating a steady stream of console messages can easily overwhelm a 9600bps link.
None of the above prevents all log messages from also being sent to another machine for recording and analysis. Figure 9-2 shows the standard /etc/syslog.conf from Red Hat Linux 7.2 modified to record log messages to a log server. Each line of syslog.conf has been repeated to send a copy of the message to the log server. The log server has the DNS alias loghost.example.edu.au; this allows the log server to be moved without updating the configuration of all the remote machines. The local copy of the log message is no longer the only means of determining the cause of a system failure, so we can gain some performance advantage by disabling synchronous file writes, although this increases the odds of an inconsistent filesystem (an issue with filesystems that do not do journalling). Placing a - before the filename disables synchronous file writes.
Figure 9-2. /etc/syslog.conf modified to copy log messages to a log server
    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none    @loghost.example.edu.au
    *.info;mail.none;authpriv.none;cron.none    -/var/log/messages

    # The authpriv file has restricted access.
    authpriv.*    @loghost.example.edu.au
    authpriv.*    /var/log/secure

    # Log all the mail messages in one place.
    mail.*    @loghost.example.edu.au
    mail.*    -/var/log/maillog

    # Log cron stuff
    cron.*    @loghost.example.edu.au
    cron.*    -/var/log/cron

    # Everybody gets emergency messages
    *.emerg    @loghost.example.edu.au
    *.emerg    *

    # Save news errors of level crit and higher in a special file.
    uucp,news.crit    @loghost.example.edu.au
    uucp,news.crit    -/var/log/spooler

    # Save boot messages also to boot.log
    local7.*    @loghost.example.edu.au
    local7.*    -/var/log/boot.log
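Duplicating every rule by hand is error-prone on a site with many machines. The script below, an added example that is not part of the HOWTO, mechanically applies the transformation Figure 9-2 shows: each file rule gains a copy sent to the log server and its local file action gets the - prefix. The loghost name and the sample syslog.conf lines are constructed for the demonstration; rules that already point at a remote host, and non-file actions such as *, are left untouched.

```bash
#!/bin/sh
# mirror_syslog_conf: rewrite a classic syslog.conf so that every rule also
# sends a copy to the log server and local file writes become asynchronous.
# LOGHOST is an assumed alias, matching the one used in the text.
LOGHOST="loghost.example.edu.au"

mirror_syslog_conf() {
    # $1: path of the syslog.conf to transform; result goes to stdout.
    awk -v host="$LOGHOST" '
        # Comments and blank lines pass through unchanged.
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        {
            sel = $1; act = $2
            # A rule that already forwards to a host is not duplicated.
            if (act ~ /^@/) { print; next }
            # First copy: forward the selector to the log server.
            print sel "\t@" host
            # Second copy: local action; prefix plain files with "-" to
            # drop synchronous writes (already-prefixed files stay as is).
            if (act ~ /^\//) act = "-" act
            print sel "\t" act
        }' "$1"
}

demo() {
    # Constructed sample input, a subset of a stock Red Hat syslog.conf.
    tmp=$(mktemp) || return 1
    {
        printf '# Log anything (except mail) of level info or higher.\n'
        printf '*.info;mail.none\t/var/log/messages\n'
        printf '*.emerg\t*\n'
        printf 'mail.*\t-/var/log/maillog\n'
    } > "$tmp"
    mirror_syslog_conf "$tmp"
    rm -f "$tmp"
}

demo
```

Review the output before installing it: rules whose action is a named pipe or a user list are copied verbatim, which is usually what you want but is worth a glance.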
A log server is configured using the standard /etc/syslog.conf and additionally allowing remote syslog messages, shown for Red Hat Linux in Figure 9-3. Denial of service attacks are prevented by configuring iptables to restrict the sources of the syslog messages, shown in Figure 9-4; and performance is improved by checking that nscd is running to cache reverse DNS lookups, shown in Figure 9-5.
Figure 9-3. Allowing remote log messages by setting options in /etc/sysconfig/syslog
    # Red Hat Linux default value, does not write timer mark messages
    SYSLOGD_OPTIONS="-m 0"
    # Add option to accept remote syslog messages
    SYSLOGD_OPTIONS="${SYSLOGD_OPTIONS} -r"
Figure 9-4. Restrict syslog messages to remote.example.edu.au
    bash# chkconfig iptables on
    bash# /etc/init.d/iptables restart
    # Allow all IP traffic from this machine
    bash# iptables --append INPUT --source 127.0.0.0/8 --in-interface lo --jump ACCEPT
    # Allow other traffic you may like
    …
    # Accept syslog messages from remote.example.edu.au
    bash# iptables --append INPUT --source remote.example.edu.au --protocol udp --destination-port syslog -j ACCEPT
    # Silently drop unexpected syslog messages
    bash# iptables --append INPUT --protocol udp --destination-port syslog -j DROP
    # Save the running configuration
    bash# /etc/init.d/iptables save
Figure 9-5. Using nscd to cache reverse DNS lookups
    bash# chkconfig nscd on
    bash# /etc/init.d/nscd restart
Users that are logged into the serial console should not accept broadcast messages, since these would otherwise be written over the console session. Add new files to /etc/profile.d to do this. Figure 9-6 shows a file for use by the Bourne shell.
Figure 9-6. Restrict sending of messages to console user
    #
    # Do we have the programs we refer to?
    if [ -x /usr/bin/mesg -a -x /usr/bin/tty ]
    then
        # Are we on the serial console?
        # The output of tty is quoted so that "not a tty" (two words)
        # does not break the test.
        if [ "`/usr/bin/tty`" = /dev/ttyS0 ]
        then
            # Do not accept broadcast messages
            /usr/bin/mesg n
        fi
    fi
As this file is run frequently, we use a faster but less readable version of Figure 9-6, shown in Figure 9-7.
Figure 9-7. Restrict sending of messages to console user, /etc/profile.d/mesg.sh
    #
    # /etc/profile.d/mesg.sh -- prevent people hassling the serial console user
    [ -x /usr/bin/mesg -a -x /usr/bin/tty -a "`/usr/bin/tty`" = /dev/ttyS0 ] && /usr/bin/mesg n
We also need a C shell version, shown in Figure 9-8.
Figure 9-8. Restrict sending of messages to console user, /etc/profile.d/mesg.csh
    #
    # /etc/profile.d/mesg.csh -- prevent people hassling the serial console user
    if (-X mesg && -X tty && "`tty`" == /dev/ttyS0) then
        mesg n
    endif
Although mesg.sh and mesg.csh are sourced by the parent shell rather than executed, the files need the execute permission set, as the scripts in /etc/profile.d are only read if they are executable. The procedure in Figure 9-9 installs the files and sets the permissions.
Figure 9-9. Install files into /etc/profile.d
    bash# cp mesg.*sh /etc/profile.d/
    bash# chown root:root /etc/profile.d/mesg.*sh
    bash# chmod u=rwx,g=rx,o=rx /etc/profile.d/mesg.*sh