Monitoring logs and security
Configuring a Debian container to act as a logging server to centralize all logging. It will only run this in hope to minimize attack surface. It will be in a container so it can be moved easily to other machines if needed. Following this guide. Following that will be a log analyser and email setup for emergency.
Security
apt update apt dist-upgrade -y apt install ufw vim #Firewall #systemctl enable ufw ufw allow 514/udp ufw allow 514/tcp ufw allow 22/tcp ufw enable ufw reload
Disable password login from ssh
/etc/rsyslog.conf for receiver system
$ModLoad imuxsock
$ModLoad imklog
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#$AllowedSender TCP, 127.0.0.1, 10.110.50.0/24, *.yourdomain.com
#Rules for processing logs
template(name="FileFormat" type="list") {
property(name="timestamp" dateFormat="rfc3339")
constant(value=" ")
property(name="hostname")
constant(value=" ")
property(name="syslogtag")
property(name="msg" spifno1stsp="on" )
property(name="msg" droplastlf="on" )
constant(value="\n")
}
#template (name="DynFile" type="string" string="/var/log/system-%HOSTNAME%.log")
$template Messages,"/var/log/clients/%fromhost%/%programname%.log"
*.* ?Messages
# An other way to do it
# Log each remote host into it's own directory and then discard remote server logs:
#$template RemoteHost,"/var/log/remote-hosts/%HOSTNAME%/%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%.log"
#Discard remote server logs
if ($hostname != '<ServerName>') then ?RemoteHost
& ~
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#
# Where to place spool and state files
# I think this is only for local logs as remote logs where flushed
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
# Some "catch-all" log files.
#
#*.=debug;\
# auth,authpriv.none;\
# news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#Special catchall
*.emerg /var/log/emerg.log
*.alert /var/log/alert.log
*.crit /var/log/crit.log
#IPTABLES logging of --log-level 7
*.*;auth,authpriv,kern.none /var/log/syslog
kern.* /var/log/kern.log
kern.debug stop
*.=debug;\
auth,authpriv.none;\
news.none;mail.none /var/log/debug
#
# Emergencies are sent to everybody logged in.
#
#*.emerg :omusrmsg:*
#
Riux tech blog 