I'm currently working on setting up some secure syslog connections between a few Fedora servers. This is my currently setup
192.168.56.110 (syslog-server) <----> 192.168.57.110 (syslog-agent)
From the agent, I am running this command:
ssh -fnNTx -L 1514:127.0.0.1:514 [email protected]
This works just fine. I have rsyslog on the syslog-agent pointing to @@127.0.0.1:1514 and it forwards everything to the server correctly on port 514 via the tunnel. My issue is, I want to be able to lock this down. I am going to use ssh keys so this is automated because there will be multiple agents talking to the server. Here are my concerns.
- Someone getting on the syslog-agent and logging into the server directly.
- I have taken care of this by ensuring that syslog_user has a shell of /sbin/nologin so that user can't get a shell at all.
- I don't want someone to be able to tunnel another port over ssh. Ex. - 6666:127.0.0.1:21.
- I know my first line of defense against this is to just not have anything listening on those ports and it's not an issue. However I want to be able to lock this down somehow.
Are there any sshd_config settings on the server that I can use to make it where only port 514 can be tunneled over ssh? Are there any other major security concerns I'm overlooking at this point? Thanks in advance for your help/comments.
There is a sshd option permitopen: