Diffstat (limited to 'doc/tls_cert_udp_relay.html')
-rw-r--r-- | doc/tls_cert_udp_relay.html | 105 |
1 files changed, 0 insertions, 105 deletions
diff --git a/doc/tls_cert_udp_relay.html b/doc/tls_cert_udp_relay.html deleted file mode 100644 index f4740ce..0000000 --- a/doc/tls_cert_udp_relay.html +++ /dev/null 
@@ -1,105 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<html><head><title>TLS-protected syslog: UDP relay setup</title> -</head> -<body> - -<h1>Encrypting Syslog Traffic with TLS (SSL)</h1> -<p><small><i>Written by <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer -Gerhards</a> (2008-07-03)</i></small></p> - -<ul> -<li><a href="rsyslog_secure_tls.html">Overview</a> -<li><a href="tls_cert_scenario.html">Sample Scenario</a> -<li><a href="tls_cert_ca.html">Setting up the CA</a> -<li><a href="tls_cert_machine.html">Generating Machine Certificates</a> -<li><a href="tls_cert_server.html">Setting up the Central Server</a> -<li><a href="tls_cert_client.html">Setting up syslog Clients</a> -<li><a href="tls_cert_udp_relay.html">Setting up the UDP syslog relay</a> -<li><a href="tls_cert_summary.html">Wrapping it all up</a> -</ul> - -<h3>Setting up the UDP syslog relay</h3> -<p>In this step, we configure the UDP relay ada.example.net. -As a reminder, that machine relays messages from a local router, which only -supports UDP syslog, to the central syslog server. The router does not talk -directly to it, because we would like to have TLS protection for its sensitve -logs. If the router and the syslog relay are on a sufficiently secure private -network, this setup can be considered reasonable secure. In any case, it is the -best alternative among the possible configuration scenarios. 
-<span style="float: left"> -<script type="text/javascript"><!-- -google_ad_client = "pub-3204610807458280"; -/* rsyslog doc inline */ -google_ad_slot = "5958614527"; -google_ad_width = 125; -google_ad_height = 125; -//--> -</script> -<script type="text/javascript" -src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> -</script> -</span> -<p><center><img src="tls_cert_100.jpg"></center> -<p>Steps to do: -<ul> -<li>make sure you have a functional CA (<a href="tls_cert_ca.html">Setting up the CA</a>) -<li>generate a machine certificate for ada.example.net (follow instructions in - <a href="tls_cert_machine.html">Generating Machine Certificates</a>) -<li>make sure you copy over ca.pem, machine-key.pem ad machine-cert.pem to the client. -Ensure that no user except root can access them (<b>even read permissions are really bad</b>). -<li>configure the client so that it checks the server identity and sends messages only -if the server identity is known. -</ul> -<p>These were essentially the same steps as for any -<a href="tls_cert_client.html">TLS syslog client</a>. We now need to add the -capability to forward the router logs: -<ul> -<li>make sure that the firewall rules permit message recpetion on UDP port 514 (if you use -a non-standard port for UDP syslog, make sure that port number is permitted). -<li>you may want to limit who can send syslog messages via UDP. A great place to do this -is inside the firewall, but you can also do it in rsyslog.conf via an $AllowedSender -directive. We have used one in the sample config below. Please be aware that this is -a kind of weak authentication, but definitely better than nothing... -<li>add the UDP input plugin to rsyslog's config and start a UDP listener -<li>make sure that your forwarding-filter permits to forward messages received -from the remote router to the server. In our sample scenario, we do not need to -add anything special, because all messages are forwarded. 
This includes messages -received from remote hosts. -</ul> -<p><b>At this point, please be reminded once again that your security needs may be quite different from -what we assume in this tutorial. Evaluate your options based on your security needs.</b> -<h3>Sample syslog.conf</h3> -<p>Keep in mind that this rsyslog.conf sends messages via TCP, only. Also, we do not -show any rules to write local files. Feel free to add them. -<code><pre> -# start a UDP listener for the remote router -$ModLoad imudp # load UDP server plugin -$AllowedSender UDP, 192.0.2.1 # permit only the router -$UDPServerRun 514 # listen on default syslog UDP port 514 - -# make gtls driver the default -$DefaultNetstreamDriver gtls - -# certificate files -$DefaultNetstreamDriverCAFile /rsyslog/protected/ca.pem -$DefaultNetstreamDriverCertFile /rsyslog/protected/machine-cert.pem -$DefaultNetstreamDriverKeyFile /rsyslog/protected/machine-key.pem - -$ActionSendStreamDriverAuthMode x509/name -$ActionSendStreamDriverPermittedPeer central.example.net -$ActionSendStreamDriverMode 1 # run driver in TLS-only mode -*.* @@central.example.net:10514 # forward everything to remote server -</pre></code> -<p><font color="red"><b>Be sure to safeguard at least the private key (machine-key.pem)!</b> -If some third party obtains it, you security is broken!</font> -<h2>Copyright</h2> -<p>Copyright © 2008 <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer -Gerhards</a> and -<a href="http://www.adiscon.com/en/">Adiscon</a>.</p> -<p> Permission is granted to copy, distribute and/or modify this -document under the terms of the GNU Free Documentation License, Version -1.2 or any later version published by the Free Software Foundation; -with no Invariant Sections, no Front-Cover Texts, and no Back-Cover -Texts. A copy of the license can be viewed at -<a href="http://www.gnu.org/copyleft/fdl.html">http://www.gnu.org/copyleft/fdl.html</a>.</p> -</body></html> |
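Review bot: deleting this page leaves the rest of the TLS tutorial series pointing at a missing file unless the sibling pages are updated in the same change. The navigation list at the top of the removed file (`<li><a href="tls_cert_udp_relay.html">Setting up the UDP syslog relay</a>`, between `tls_cert_client.html` and `tls_cert_summary.html`) is the list shared by every page of the series, and the diffstat here is limited to `doc/tls_cert_udp_relay.html`, so this view cannot show whether `rsyslog_secure_tls.html`, `tls_cert_scenario.html`, `tls_cert_client.html`, `tls_cert_summary.html` and the other listed pages still link to it or still describe ada.example.net as a relay step. Suggest either removing that `<li>` from each sibling page and dropping the relay step from the scenario and summary pages in this same commit, or keeping a short stub page that points readers to wherever the UDP relay material now lives. The commit message is not visible in this view, so please also make sure it states where the content moved (or why it was dropped without replacement), since the page documented a configuration (imudp listener plus `$AllowedSender`, gtls driver with `x509/name` peer verification, TLS-only `$ActionSendStreamDriverMode 1`) that readers of the other pages will otherwise be left searching for.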