16 September 2013, 16:26

We'll look here at using a syslog server and mail notifications to enhance the security of a network, with a special focus on IPv6.

We'll be using a D-Link DIR-626L and a Cisco Small Business RV110W to see what settings and possibilities each offers in this area.

Using an IPv6 Syslog Server

A syslog server is an invaluable tool for the security of a network.
The syslog server centrally collects and logs data from the network routers: system activity, computers joining the LAN (including Wi-Fi), packets dropped by the firewalls, logins to the admin web page of any of the routers, debugging information, and so on.

Unauthorised access to the LAN (including a neighbour unlawfully using a mistakenly unprotected Wi-Fi network) is recorded in the syslog server's log, which makes it much harder for an intruder to clean their traces: they would also need access to the syslog server machine itself.

Let's look at a free, lightweight syslog server: TFTPD32.

TFTPD32

TFTPD32 is free, lightweight, IPv6 compatible and portable (no installation required). Its homepage is http://tftpd32.jounin.net/. A service version is available too.

[Screenshot: S9a.gif]

VirusTotal lists this software with a 4-6/47 detection score. I believe this is because, being so lightweight, the binaries have been used by viruses. TFTPD32 is often labelled as 'riskware' or a 'PUP' (potentially unwanted program). Anyway, use it mindfully.


Here are the basic steps of the TFTPD32 syslog server setup:

1. Uncheck the unneeded services:

[Screenshot: S9b.gif]

2. Enable logging:

[Screenshot: S9c.gif]

3. Select the listening interface in the drop-down menu:

[Screenshot: S9d]

This is it!

You can view syslog messages in real time, or browse the recorded log (syslog.txt, located in the installation folder). Note that syslog.txt is appended to over time while tftpd32 is running, so you can go back in time.
Also note that when the software isn't running, logging is suspended; when it is restarted, it resumes appending to syslog.txt. That's why, for real 24-hour protection, we need to run this on an always-on machine (a light server... or a Raspberry Pi running Linux...?).

DIR-626L Syslog service

Setting up the syslog server on the DIR-626L is pretty straightforward.

First, we enable syslog server logging and enter the IPv4 address of the server (yes, IPv4 syslog servers only):

[Screenshot: S9h]

Then, in Status/Logs, tick the fields you want logged:

[Screenshot: S9i.gif]

(Tick Debug Information only temporarily, to debug a particular situation, because it is far too verbose for daily use.) Here is the syslog server in action:

[Screenshot: S9k.gif]

This is about all there is to know about the DIR-626L syslog function. Note that we have to use an IPv4 address for the syslog server, and that IPv6 dropped packets are not logged, so on the IPv6 side we are limited to logging IPv6 Wi-Fi access, system events and admin logins. But this is still a valuable security asset.

DIR-626L EMail notifications

The DIR-626L does allow email notifications. A few things to note:

. The 626L uses IPv4 only for email notifications.
. The 626L doesn't support SSL (so using a webmail provider like Gmail or Outlook.com may prove impossible).
. The email notification can be triggered on a schedule, when the log is full, or both. There are no recurring notifications (daily, hourly, ...) and no event-triggered notifications (syslog warning, ...).

Here is an example setup, using hMail Server (see this post for an hMail Server tutorial):

[Screenshot: S9o.gif]

Here is the hMail Server setup, with SSL unchecked for SMTP:

[Screenshot: S9n.gif]

Here is a summary of the DIR-626L capabilities:

[Screenshot: S9s.gif]

RV110W Syslog Server

Setting up the RV110W Syslog service is very easy.

We just have to:

. enable logging
. set the Log Severity for Local Log and Email
. add a row in the Remote Log Server Table, with a Log Severity Level

[Screenshot: S9l.gif]

Three things to note:

. The RV110W can only log to an IPv4 syslog server.
. Only Wi-Fi joins are fully logged (with the client MAC address); LAN joins only log physical port connect/disconnect events.
. Several rows, and therefore several syslog servers with distinct severity levels, can be set up:

[Screenshot: S9m.gif]

RV110W EMail Notifications

The RV110W does allow email notifications too.

Here is a basic setup, using hMail Server with SSL (see this post for an hMail Server tutorial):

[Screenshot: S9q.gif]

A few things to note:

. The RV110W uses only IPv4 for email notifications.
. The RV110W does support SSL.
. The RV110W email notification can be triggered recurring (hourly, daily), scheduled, or event-triggered (by syslog level), or any combination of these.
. There is a very convenient 'Test' button to check that mail is delivered correctly.
. As of now, I haven't yet managed to trigger an email notification (whether by having the firewall drop packets, running an intensive Zenmap scan against the RV110W WAN interface or unplugging its WAN port, no email was sent).

Here is a summary of the RV110W capabilities:

[Screenshot: S9t.gif]

Professional Syslog Server software

Pro-grade syslog server software offers many more features:
. filters on syslog messages can trigger email notifications
. log messages can be sorted by source IP, severity, ...

They offer free personal licences, with some limitations (number of source IPs, daily message volume, ...).

Here are some interesting ones you may want to check:

. Syslog Watcher 4
. Kiwi Syslog Server
. Splunk
. Logzilla
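
As an added example (not code from the blog, from D-Link or Cisco, or from any of the products listed above), here is a minimal dual-stack syslog receiver in Python that does the two things the post credits to pro-grade servers: it parses the RFC 3164 priority to filter by severity and source router, and it calls a notification hook on a match, while appending everything to a syslog.txt file as tftpd32 does. The router address, the UDP port and the print-based hook are assumptions for illustration.

```python
# Added example, not the blog's or any vendor's code. The router address,
# port and the notification hook are assumptions for illustration.
import re
import socket
from datetime import datetime

# RFC 3164: the datagram starts with "<PRI>", PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_syslog(raw: str) -> dict:
    """Split a datagram into facility, severity and text.
    A missing or out-of-range <PRI> is treated as user.notice (PRI 13)."""
    m = PRI_RE.match(raw)
    if m and int(m.group(1)) <= 191:
        pri, text = int(m.group(1)), m.group(2)
    else:
        pri, text = 13, raw
    return {"facility": pri // 8, "severity": pri % 8,
            "level": LEVELS[pri % 8], "text": text.strip()}

def should_alert(entry: dict, src: str, max_severity: int = 4,
                 sources: frozenset = frozenset()) -> bool:
    """True for messages at 'warning' (4) or more urgent from a watched router.
    Lower numeric severity is more urgent; an empty source set watches everyone."""
    src = src[7:] if src.startswith("::ffff:") else src  # IPv4 peer on a v6 socket
    return (not sources or src in sources) and entry["severity"] <= max_severity

def serve(port: int = 514, logfile: str = "syslog.txt", watched=frozenset()):
    """Listen on IPv6 and IPv4 at once (the two routers only send to IPv4)
    and append each datagram to logfile, like tftpd32's syslog.txt, so the
    history survives restarts. Binding port 514 needs administrator rights."""
    sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
    sock.bind(("::", port))
    with open(logfile, "a", encoding="utf-8") as log:
        while True:
            data, (src, *_) = sock.recvfrom(8192)
            entry = parse_syslog(data.decode("utf-8", "replace"))
            stamp = datetime.now().isoformat(timespec="seconds")
            log.write(f"{stamp} {src} {entry['level']} {entry['text']}\n")
            log.flush()
            if should_alert(entry, src, sources=watched):
                print(f"ALERT {src} [{entry['level']}] {entry['text']}")  # e-mail hook

if __name__ == "__main__":
    serve(watched=frozenset({"192.168.0.1"}))  # constructed router address
```

Messages sent to this receiver over IPv6 are accepted as well, which neither router can do yet; the alert line is where a real deployment would send the e-mail.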


A few conclusion notes

First, here is a comparison chart of the DIR-626L and RV110W capabilities (although they don't target the same audience or price range):

[Screenshot: S9r.gif]

The syslog server is an invaluable tool for network security, and works very well with these two models.

As for email notifications, the options offered by these two entry-level routers (DIR-626L and RV110W) don't provide real-time security; they only automate basic remote log transfers. Using a professional syslog server is the only way to get real-time email notifications of network events.
As for IPv6 support, we're still at the dawn of ages: no logging of IPv6 dropped packets on the DIR-626L, no logging to an IPv6 syslog server on either router, and no IPv6 email notifications on either. There is still a long way to go to full IPv6 support.

Published by computer outlines, in IPv6

Comments

Säkerhet Stockholm 08/08/2016 14:09

Nice and useful article you share, because I want to improve my IPv6 security and it seems the correct way to do it. Thank you for the information.
