RESTRICT_SYSLOG Security Option In ConfigServer Firewall CSF
lfd relies on /syslog auth.log/ /messages secure/
As you can read in the CSF readme.txt file any end- user on the server can maliciously trigger applications that
monitor the logs of syslog/rsyslog.
Red Hat family distributions (CentOS and Fedora) use /var/log/messages and /var/log/secure where Debian-family distributions use /var/log/syslog and /var/log/auth.log.
The option RESTRICT_SYSLOG disables all these features that rely on affected logs. These features are:
LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
PORTKNOCKING_ALERT
The Possible RESTRICT_SYSLOG Values
Here are the possible values of RESTRICT_SYSLOG in csf.conf
- RESTRICT_SYSLOG = “0”
Allow features listed above to be used
- RESTRICT_SYSLOG = “1”
Disable all the features above
- RESTRICT_SYSLOG = “2”
Disable only alerts about this feature and do nothing else
- RESTRICT_SYSLOG = “3”
Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP
As you can see the only recommendable options are 0 and 3. The default installation option is 0. If you want to use the features above, choose the option 3. It restricts the write access to the syslog/rsyslog unix socket(s) to the local group you setup with RESTRICT_SYSLOG_GROUP option.
RESTRICT_SYSLOG_GROUP Value
In order to work, choose RESTRICT_SYSLOG_GROUP that doesn’t exist in your /etc/group yet.
For example:
RESTRICT_SYSLOG_GROUP = "syslog"
You can add users to this group by changing /etc/csf/csf.syslogusers and then restarting lfd. This will create the system group and add the users from csf.syslogusers if they exist to that group. This list will include all the system, ControlPanel, or DirectAdmin users. It will include root, daemon,sshd, etc. For complete list of all users on a linux system use the command:
cut -d: -f1 /etc/passwd