#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

# Logging for INN news system
#
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         *

#
# I like to have messages displayed on the console, but only
# on a virtual console that I usually leave idle.
#
#daemon,mail.*;\
#       news.=crit;news.=err;news.=notice;\
#       *.=debug;*.=info;\
#       *.=notice;*.=warn       /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To
# use it, you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#       busy site..
#
daemon.*;mail.*;\
        news.crit;news.err;news.notice;\
        *.=debug;*.=info;\
        *.=notice;*.=warn       |/dev/xconsole
At the very least, the auth facility should have a priority of info or higher:
auth.info /var/log/auth.log
Disk space is cheap, so capturing everything is not completely out of the question:
*.* /var/log/all_messages
Decide what is important to you and run with it.
Logs mean nothing unless you do something with them. They must be processed, monitored, and reviewed. Sometimes logs are all that you have after an attack—if you’re lucky, and the attacker didn’t destroy or alter them.
With that in mind, decide which events are worth interrupting dinner for, and which ones can go unnoticed.
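As an added example (not from the original text), here is a small review script of the kind the "easy to write scripts to parse these files" comment and the auth.info rule have in mind: it parses traditional syslog lines from auth.log, counts failed SSH logins per source, and flags only sources that cross a threshold, separating the "interrupt dinner" events from routine noise. The log lines and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Traditional syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")

# Constructed sample of what auth.info sends to /var/log/auth.log
SAMPLE_AUTH_LOG = """\
Mar  3 02:11:04 mx sshd[4122]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar  3 02:11:06 mx sshd[4122]: Failed password for invalid user admin from 203.0.113.9 port 51124 ssh2
Mar  3 02:11:09 mx sshd[4125]: Failed password for root from 203.0.113.9 port 51130 ssh2
Mar  3 02:11:12 mx sshd[4127]: Failed password for root from 203.0.113.9 port 51131 ssh2
Mar  3 02:11:15 mx sshd[4129]: Failed password for root from 203.0.113.9 port 51133 ssh2
Mar  3 07:45:51 mx sshd[4801]: Accepted publickey for alice from 192.0.2.20 port 40110 ssh2
Mar  3 07:46:02 mx sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/tail /var/log/auth.log
Mar  3 08:00:01 mx CRON[4900]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

def parse_line(line):
    """Split one traditional syslog line into its fields, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def review_auth_log(text, threshold=3):
    """Summarise sshd activity; 'alerts' lists sources with >= threshold failed logins."""
    failed_by_source, accepted, unparsed = Counter(), [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # count, never silently drop, lines the parser cannot read
            continue
        if rec["prog"] != "sshd":
            continue
        if (m := FAILED_RE.search(rec["msg"])):
            failed_by_source[m.group("src")] += 1
        elif (m := ACCEPTED_RE.search(rec["msg"])):
            accepted.append((m.group("user"), m.group("src")))
    alerts = [f"{n} failed SSH logins from {src}"
              for src, n in failed_by_source.items() if n >= threshold]
    return {"alerts": alerts, "failed_by_source": dict(failed_by_source),
            "accepted": accepted, "unparsed": unparsed}

if __name__ == "__main__":
    for alert in review_auth_log(SAMPLE_AUTH_LOG)["alerts"]:
        print("ALERT:", alert)
```

Successful logins and the unparsed-line count are returned too, so the same summary can feed a daily review even when nothing crosses the alert threshold.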