Home > Articles > Security > Network Security

  • Print
  • + Share This
This chapter is from the book

Logging

Logging is one of the most powerful techniques you can use to keep a constant eye on your system. In addition to system logs, we recommend that you set up your VPN server to log all connections to your VPN, whether successful or not.

Usually, you can specify different debugging levels to your VPN software when starting it or put them into configuration files. For example, if you use FreeS/WAN, you can use the following options in its ipsec.conf to determine the amount of debugging info that is written:

[...]
# Debug-logging
# See ipsec_klipsdebug(8), ipsec_pluto(8) for details
klipsdebug=esp
plutodebug=all

We suggest that you replicate your logs on a machine removed from VPN activity. Having the logs from your VPN server stored on a different machine ensures that if the VPN server is compromised, the attackers will not be able to cover their tracks easily by modifying log files.

For example, on our system, we use the following lines in /etc/syslog.conf to log all authentication events, including successes and failures. The events are logged both locally and to a dedicated logger machine, Blackhawks (192.168.1.30):

auth.debug            /var/log/messages
auth.debug            @192.168.1.30
authpriv.debug        /var/log/secure 
authpriv.debug        @192.68.1.30

The auth facility is used for authentication events viewable by everyone. Authpriv is used for private authentication events, meaning authentication events that might have privileged or sensitive information in them. That is why authpriv events are sent to /var/log/secure, which is usually set so that only root can view it. The facilities you need to log depend on your VPN software. See syslogd(1) man page for more details.

Note

Although this is a good practice to keep your logs safe, all the remote messages will be stored in a single file on the logging machine. To make things a little easier, you can look into syslog-ng. This new implementation of syslogd enables you to log to a destination based on pattern matching. Thus, all logs from a specific remote machine can be kept in a separate file. More info can be found at http://www.balabit.hu/en/products/syslog-ng/.

  • + Share This
  • 🔖 Save To Your Account