Task I - Enabling the syslog facility to report Login, Telnet and FTP activity

In this task, you will configure syslog to capture to a log file important information like root login attempts and inbound IP addresses for services like Telnet and FTP.

1) Edit the /etc/syslog.conf file and tell syslog to log all login activity to a file called /var/adm/authlogs. Tell syslog to log all inbound telnet and ftp sessions to a log file called /var/adm/inetdlogs. (Separate the selector from the file name with a tab, not spaces; syslogd ignores space-separated entries.)

   # vi /etc/syslog.conf
   auth.info        /var/adm/authlogs
   daemon.notice    /var/adm/inetdlogs

2) Create two empty files called /var/adm/authlogs and /var/adm/inetdlogs.

   # touch /var/adm/authlogs
   # touch /var/adm/inetdlogs

3) Edit the /etc/init.d/inetsvc script and add the -t option to start inetd in TCP tracing mode. The inetd daemon is invoked on the last line of the /etc/init.d/inetsvc script.

   # vi /etc/init.d/inetsvc
   /usr/sbin/inetd -s -t &

4) Edit the /etc/inetd.conf file and add -dl (debugging and logging) to the end of the ftp service line.

   # vi /etc/inetd.conf
   ftp  stream  tcp6  nowait  root  /usr/sbin/in.ftpd  in.ftpd -dl

5) Restart the inetd daemon via /etc/init.d.

   # cd /etc/init.d
   # ./inetsvc stop
   # ./inetsvc start

6) Stop the syslog daemon via /etc/init.d. DO NOT RESTART IT YET!

7) Open up three additional terminal windows. In window #1, tail /var/adm/authlogs. In window #2, tail /var/adm/inetdlogs. In window #3, start syslog in debug mode in the foreground. Observe the debug output and look for any possible errors.

   [1] # tail -f /var/adm/authlogs
   [2] # tail -f /var/adm/inetdlogs
   [3] # syslogd -d

8) Open a fourth terminal window. Telnet to your own host and complete a successful root login.

   [4] # telnet localhost

9) Note the output in all three terminal windows.
What kind of information was captured for:

terminal window #1 (/var/adm/authlogs)

   Jan 30 13:32:30 hostname login: [ID 254462 auth.notice] ROOT LOGIN /dev/pts/5 FROM localhost

terminal window #2 (/var/adm/inetdlogs)

   Jan 30 13:06:46 hostname inetd[441]: [ID 317013 daemon.notice] telnet[588] from 127.0.0.1 32870

terminal window #3 (syslogd -d)

   writemsg(5): Logging msg 'Jan 30 13:59:42 inetd[441]: [ID 317013 daemon.notice] telnet[625] from 127.0.0.1 32873' to FILE /var/adm/messages
   writemsg(7): Logging msg 'Jan 30 13:59:42 inetd[441]: [ID 317013 daemon.notice] telnet[625] from 127.0.0.1 32873' to FILE /var/adm/inetdlogs
   writemsg(4): Logging msg 'Jan 30 13:59:45 login: [ID 254462 auth.notice] ROOT LOGIN /dev/pts/12 FROM localhost' to CONSOLE /dev/sysmsg
   writemsg(6): Logging msg 'Jan 30 13:59:45 login: [ID 254462 auth.notice] ROOT LOGIN /dev/pts/12 FROM localhost' to FILE /var/adm/authlogs

For terminal windows #1 and #2, what facility and level was logged to the log files?

   terminal window #1: auth.notice
   terminal window #2: daemon.notice

10) Exit out of your telnet session in the fourth terminal window.

   [4] # exit

11) In terminal window #4, edit the /etc/default/login file and have syslog generate a message after 3 failed login attempts.

   [4] # vi /etc/default/login
   SYSLOG_FAILED_LOGINS=2

12) In terminal window #4, telnet to your host and attempt 3 unsuccessful root logins.

   Which file did syslog write to? Both.
   What was the facility and level of the auth messages? auth.notice

13) In terminal window #4, send a kill signal to syslogd. Start syslogd in terminal window #3 via the /etc/init.d run control script. Exit the two tail sessions in terminal windows #1 and #2 (control-c). Close all terminal windows.

   [4] # pkill -9 syslogd
   [3] # cd /etc/init.d
   [3] # ./syslog start
   [1] ^C
   [1] # exit
   [2] ^C
   [2] # exit
   [3] # exit
   [4] # exit

Task II - Enabling the syslog facility for remote logging

In this task you will learn how to consolidate syslog messages for security auditing.
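Before moving on to Task II, the following added example (not part of the lab handout) checks the Task I result mechanically: it extracts the "facility.level" tag from lines in the format shown above, verifies that the two syslog.conf selectors (auth.info and daemon.notice) actually cover the priorities that login and inetd emit, and summarizes root logins and inbound telnet/ftp sources. The log lines are constructed for the example; the hostname, PIDs and the 10.0.0.5 address are made up, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the lab: validate selector coverage and summarize
# the records that Task I's configuration writes to authlogs and inetdlogs.

# Constructed sample lines in the format shown in the lab output.
AUTHLOGS='Jan 30 13:32:30 hostname login: [ID 254462 auth.notice] ROOT LOGIN /dev/pts/5 FROM localhost
Jan 30 13:45:10 hostname login: [ID 254462 auth.notice] ROOT LOGIN /dev/pts/7 FROM localhost'
INETDLOGS='Jan 30 13:06:46 hostname inetd[441]: [ID 317013 daemon.notice] telnet[588] from 127.0.0.1 32870
Jan 30 13:44:58 hostname inetd[441]: [ID 317013 daemon.notice] telnet[601] from 10.0.0.5 41122
Jan 30 13:50:03 hostname inetd[441]: [ID 317013 daemon.notice] ftp[612] from 10.0.0.5 41130'

# Numeric rank of a syslog level: emerg (most urgent) = 0 ... debug = 7.
level_rank() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *)            echo 99 ;;   # unknown level never matches a selector
    esac
}

# Pull "facility.level" out of the Solaris "[ID nnnnnn facility.level]" tag.
priority_of() {
    printf '%s\n' "$1" | sed -n 's/.*\[ID [0-9]* \([a-z0-9]*\.[a-z]*\)].*/\1/p'
}

# Does a syslog.conf selector "facility.level" match a message of a given
# "facility.level"?  A selector matches its own level and everything more
# urgent, so auth.info covers auth.notice, but auth.crit would not.
selector_matches() {
    sel_fac=${1%.*}; sel_lvl=${1#*.}
    msg_fac=${2%.*}; msg_lvl=${2#*.}
    [ "$sel_fac" = "*" ] || [ "$sel_fac" = "$msg_fac" ] || { echo no; return; }
    if [ "$(level_rank "$msg_lvl")" -le "$(level_rank "$sel_lvl")" ]; then
        echo yes
    else
        echo no
    fi
}

# Number of lines in $2 that the selector $1 would NOT have captured.
uncovered_count() {
    sel=$1; n=0
    old_ifs=$IFS; IFS='
'
    set -f                        # the [ID ...] tag looks like a glob; disable globbing
    for line in $2; do
        [ "$(selector_matches "$sel" "$(priority_of "$line")")" = yes ] || n=$((n + 1))
    done
    set +f; IFS=$old_ifs
    echo "$n"
}

# How many ROOT LOGIN records the auth log holds.
root_login_count() {
    printf '%s\n' "$AUTHLOGS" | grep -c 'ROOT LOGIN'
}

# Distinct "service address" pairs from inetd's connection trace lines.
inbound_sources() {
    printf '%s\n' "$INETDLOGS" \
        | sed -n 's/.*] \([a-z]*\)\[[0-9]*] from \([0-9.]*\) [0-9]*$/\1 \2/p' \
        | sort -u
}

# Stand-alone report when run directly.
echo "auth.info misses $(uncovered_count auth.info "$AUTHLOGS") of the auth lines"
echo "daemon.notice misses $(uncovered_count daemon.notice "$INETDLOGS") of the inetd lines"
echo "root logins: $(root_login_count)"
echo "inbound sources:"; inbound_sources
```

The coverage check is the point of the exercise: auth.info is chosen because the ROOT LOGIN record is emitted at auth.notice, which is more urgent than info and therefore included; had the selector been auth.err, the root logins would silently never reach /var/adm/authlogs.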
Depending on class size, you may need to do this exercise with a partner. Your host will be the server and its terminal windows will be denoted with an x. The other host will be the client and its terminal windows will be denoted with a y. If you choose not to have a partner, be sure that steps 3-5 have been completed on the client host BEFORE you start this task.

1) Open two terminal windows on both hosts. On the client host terminal window #1, edit the syslog.conf file and instruct syslog to forward all login, telnet, and ftp information to the server host. (The name after @ must resolve to the server's address, for example through /etc/hosts.)

   [y1] # vi /etc/syslog.conf
   auth.info        @server
   daemon.notice    @server

2) On the client host terminal window #1, stop the syslog service via /etc/init.d. DO NOT RESTART IT YET!

   [y1] # cd /etc/init.d
   [y1] # ./syslog stop

3) On the client host terminal window #2, start the syslog service in debug mode in the foreground. Check for any debug errors.

   [y2] # syslogd -d

4) On the server host terminal window #1, stop the syslog service via /etc/init.d. DO NOT RESTART IT YET!

   [x1] # cd /etc/init.d
   [x1] # ./syslog stop

5) On the server host terminal window #2, start the syslog service in debug mode in the foreground. Check for any debug errors.

   [x2] # syslogd -d

6) On the client host terminal window #1, telnet to the client host and successfully complete a root login.

   [y1] # telnet localhost

7) Note the debug output of syslogd on the client host.

   How many messages were generated by syslogd on the client host? Four messages were generated.
   Where did syslogd send the messages? Two messages stayed local and two were forwarded.

8) Note the debug output of syslogd on the server host.

   How can you tell that the server host received messages from the client host?

   net_poll(14): received message from 12.22.215.93.128.34
   writemsg(7): Logging msg 'Jan 30 14:04:54 inetd[340]: [ID 317013 daemon.notice] telnet[360] from 127.0.0.1 32787' to FILE /var/adm/inetdlogs

   Are there entries in the /var/adm/authlogs or /var/adm/inetdlogs?
   How do you know they are from the client host?

9) On the client and server hosts, send a kill signal to syslogd. Start syslogd via the /etc/init.d run control script. Close all terminal windows.

   [y1] # pkill -9 syslogd
   [y1] # cd /etc/init.d
   [y1] # ./syslog start
   [y1] # exit
   [y2] # exit
   [x1] # pkill -9 syslogd
   [x1] # cd /etc/init.d
   [x1] # ./syslog start
   [x1] # exit
   [x2] # exit
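The question in step 8 ("how do you know they are from the client host?") is answered by the net_poll line, not by the message text: the forwarded record still says "from 127.0.0.1" because the telnet session on the client went to localhost, so the only evidence of origin is the address syslogd reports receiving from. The following added example (not part of the lab) pulls those sender addresses out of the server's syslogd -d output and flags any that are not in a list of expected clients. The debug lines are constructed after the ones shown in step 8; 192.0.2.77 is a made-up unexpected sender, and the assumption that the six dotted fields are four IPv4 octets followed by the UDP port as two bytes is this example's own.

```shell
#!/bin/sh
# Added example, not part of the lab: identify which messages the server's
# syslogd received over the network and who sent them.

# Constructed sample of server-side "syslogd -d" output. The first sender is the
# lab's client address; the second is a made-up host that should not be forwarding
# to this server.
DEBUG_OUT=$(cat <<'EOF'
net_poll(14): received message from 12.22.215.93.128.34
writemsg(7): Logging msg 'Jan 30 14:04:54 inetd[340]: [ID 317013 daemon.notice] telnet[360] from 127.0.0.1 32787' to FILE /var/adm/inetdlogs
net_poll(14): received message from 192.0.2.77.128.35
writemsg(6): Logging msg 'Jan 30 14:05:01 login: [ID 254462 auth.notice] ROOT LOGIN /dev/pts/3 FROM localhost' to FILE /var/adm/authlogs
EOF
)

# Client hosts that are expected to forward to this server (constructed list).
ALLOWED_CLIENTS='12.22.215.93'

# Assumption for this example: "a.b.c.d.p1.p2" is the IPv4 address a.b.c.d
# followed by the UDP source port encoded as two bytes p1 and p2.
sender_addr() {
    echo "$1" | cut -d. -f1-4
}
sender_port() {
    p1=$(echo "$1" | cut -d. -f5)
    p2=$(echo "$1" | cut -d. -f6)
    echo $((p1 * 256 + p2))
}

# Every sender recorded by a net_poll line, one raw "a.b.c.d.p1.p2" per line.
received_from() {
    printf '%s\n' "$DEBUG_OUT" \
        | sed -n 's/^net_poll([0-9]*): received message from \([0-9.]*\)$/\1/p'
}

# Decoded "address port" for each network-received message.
senders_decoded() {
    for s in $(received_from); do
        echo "$(sender_addr "$s") $(sender_port "$s")"
    done
}

# "address port" for each message whose sender is not an allowed client;
# prints nothing when every sender is expected.
unexpected_senders() {
    for s in $(received_from); do
        a=$(sender_addr "$s")
        case " $ALLOWED_CLIENTS " in
            *" $a "*) ;;                              # known client, fine
            *) echo "$a $(sender_port "$s")" ;;       # not in the list
        esac
    done
}

# Stand-alone report when run directly.
echo "messages received over the network: $(received_from | grep -c .)"
echo "senders:"; senders_decoded
echo "unexpected senders:"; unexpected_senders
```

Syslog over UDP port 514 carries no authentication, so the sender address is the only thing the server can check and it can be forged; treat this as a sanity filter on the debug output, and restrict port 514 at the host or network to the known client addresses as the actual control.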