'Syslog: The Hidden Security Risk'

Thu 18 March 2010 Category: Security

People sometimes forget that there are also a number of UDP-based services that may pose a threat to the security of your systems. SNMP is a well-known service, notorious for being configured with a default password (or community string).

But there is another service that is often not seen as a risk. This is the syslog service. Syslog is used on virtually all UNIX-like platform for logging messages of the system to one or more log files to disk. The syslog service often listens on the network, on UDP-port 514. Please note that syslog does not perform any authentication of data that is sent to it.

So what does this mean?

An attacker can:

  1. Create a denial-of-service condition (DoS) by sending large amounts of data to the syslog service, filling up disk space.

  2. Once the disk is full, logs can no longer be saved, thus any attack that would leave a trail within the logs would go unnoticed.

  3. by sending large amounts of specially crafted messages, an attacker can cause chaos if logs are monitored by intrusion detection systems or other systems that create alerts.

How to attack? Just use netcat:

nc -u [IP-address] 514

Once you are connected, anything you type will be logged in a log file.

How to mitigate this issue?

  1. Firewall access to UDP-port 514

  2. Make sure that the syslog service does not listen on the network if not required, only on localhost.