Ralph Moeritz wrote:
>> Why do you have firewall rules that allow IPs that you don't manage to send
>> messages to your syslog server?
>
> The same reason my web APIs allow requests from any machines & use JWT auth to
> reject unauthorized requests: because I don't know the IPs beforehand (the machines
> sending the logs are short-lived VMs).
Are your spamming systems on the same subnets as your legitimate systems? Just
about all shared environments include prohibitions against attacking other
systems on the same network.

This has the feel of trying to solve a non-technical problem with technology
(something that's a very easy trap for people to fall into).

David Lang
From: David Lang

Ralph Moeritz wrote:
> I have an Rsyslog server to which I am forwarding logs from several machines,
> currently using UDP via omfwd. The problem with this is that it's insecure and
> I'm falling victim to spam messages being sent to my Rsyslog server.

Why do you have firewall rules that allow IPs that you don't manage to send
messages to your syslog server?

Even if you do implement cert checking, exposing rsyslog like this gives your
attackers a way to DoS you by forcing you to spend a lot of CPU checking the
certs.

David Lang
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
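The move from plain UDP omfwd to certificate-checked TLS that the thread debates, as an added example that is not from the thread or the rsyslog project. Hostnames, ports, the peer-name pattern and the certificate paths are assumptions, and the server and client fragments would normally live in separate rsyslog configuration files.

```rsyslog
# Added example (not from the thread). Hostnames, ports and file paths are assumptions.

# --- WEAK: the thread's starting point. Plain UDP forwarding has no authentication,
# the source address is trivially spoofed, and anyone who can reach the port can
# inject lines. Shown commented out; replace it with the TLS action below.
# action(type="omfwd" target="logs.example.com" port="514" protocol="udp")

# --- SERVER side (logs.example.com): TCP + TLS with mutual x509 authentication.
# A peer is accepted only if its cert chains to our CA AND its name matches the
# permitted pattern, so short-lived VMs need a cert, not an IP allow-list entry.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)
# StreamDriver.Mode="1": TLS only, plaintext connections are refused.
# AuthMode="x509/name": verify the chain and the certificate's subject/SAN name.
module(
  load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.AuthMode="x509/name"
  PermittedPeer=["*.vm.example.com"]
)
input(type="imtcp" port="6514" ruleset="fromvms")
ruleset(name="fromvms") {
  action(type="omfile" file="/var/log/remote/vms.log")
}

# --- CLIENT side (each VM): forward over TLS, present the VM's own cert, and pin
# the server's name so a spoofed collector cannot harvest the logs.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/vm-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/vm-key.pem"
)
# In-memory queue so lines are buffered while the TLS session is down; retry forever.
action(
  type="omfwd" target="logs.example.com" port="6514" protocol="tcp"
  StreamDriver="gtls" StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="logs.example.com"
  queue.type="LinkedList" queue.size="10000"
  action.resumeRetryCount="-1"
)
```

Name-based peer checking removes the need for per-IP firewall rules for short-lived VMs, but, as the thread points out, every unauthenticated connection attempt still costs the server a TLS handshake, so restricting who can reach the listener at the network level remains the cheaper first line of defence.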