I recently built an Ubuntu syslog-ng server that is behind a firewall. I have opened TCP ports 514, 515, and 516. I have noticed that hackers are writing to my syslog-ng server; they are from China. How do I hack-proof my syslog server to only receive log entries from specific servers? What is the best way? Should I do it via iptables (this can be tedious) or through the syslog-ng.conf file on the syslog-ng server?
You forgot the main rule when creating firewall policies: the principle of least privilege.
Your firewall policies/exceptions should only allow access to known systems, not the complete internet, unless you are indeed providing a public service.
A syslog server is an internal auditing tool that in most network designs should not be accessible from the internet at all, but if it needs to be, it should only be available to specific systems.
In general a firewall is more suitable to maintain IP-address based ACLs.
Not all applications have native support to do so in the first place, and those applications that do allow you to configure IP-address based access controls will all use a different syntax, making it difficult to quickly and accurately change your ACLs when you need to.
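One way to implement the firewall-side allowlist recommended above, as an added example that is not part of the original question or answer: a small shell script that generates iptables commands restricting the collector's TCP ports 514-516 to a fixed set of sending hosts, with rate-limited logging of everything else so rejected senders show up in your own logs. The sender addresses and the chain name `SYSLOG_ACL` are constructed placeholders; replace them with your real log sources.

```shell
#!/bin/sh
# Added example (not from the original question or answer): emit an iptables
# allowlist for a syslog-ng collector so that only named hosts can open
# connections to TCP 514-516. Rules are printed rather than executed so they
# can be reviewed first and then piped to `sudo sh`.

SYSLOG_PORTS="514:516"
# Constructed placeholder addresses (RFC 5737 documentation ranges); replace
# with the servers that are actually allowed to ship logs.
ALLOWED_SENDERS="192.0.2.10 192.0.2.11 198.51.100.0/24"
CHAIN="SYSLOG_ACL"   # hypothetical chain name, chosen for this example

# Print the iptables commands that implement the allowlist.
syslog_acl_rules() {
    # A dedicated chain keeps the syslog policy separate from the rest of INPUT
    # and makes re-runs idempotent: create it, or flush it if it already exists.
    printf '%s\n' "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"

    # One ACCEPT per known sender.
    for src in $ALLOWED_SENDERS; do
        printf '%s\n' "iptables -A $CHAIN -s $src -j ACCEPT"
    done

    # Everything else: log at a limited rate (so a scanner cannot flood the
    # kernel log), then drop.
    printf '%s\n' "iptables -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix 'syslog-acl-drop: '"
    printf '%s\n' "iptables -A $CHAIN -j DROP"

    # Send new connections to the syslog ports through the chain. The -C check
    # avoids inserting a duplicate jump rule when the script is run again.
    printf '%s\n' "iptables -C INPUT -p tcp -m multiport --dports $SYSLOG_PORTS -m conntrack --ctstate NEW -j $CHAIN 2>/dev/null || iptables -I INPUT -p tcp -m multiport --dports $SYSLOG_PORTS -m conntrack --ctstate NEW -j $CHAIN"
}

# Number of ACCEPT rules generated; a quick sanity check that the allowlist
# contains exactly the senders you expect.
syslog_acl_accept_count() {
    syslog_acl_rules | grep -c -- '-j ACCEPT'
}

# Review the generated rules. To apply them as root:
#   syslog_acl_rules | sudo sh
syslog_acl_rules
```

Because the default action at the end of the chain is DROP, adding a new log source is a one-line change to `ALLOWED_SENDERS` followed by a re-run, and the allowlist lives in one place regardless of which logging daemon runs behind it.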