[CentOS] access to httpd logs

Thu Dec 1 21:57:58 UTC 2005
Bryan J. Smith <thebs413 at earthlink.net>

James Pifer <jep at obrien-pifer.com> wrote:
> The analyzing software runs on windows.

Setting up cygwin with the SSH service is easy on NT.

> Its connection options for looking at logs are file, http,
> or ftp.

Then use file.  Use another, automated process on your
servers to send the files to the system -- or at least to an
intermediate system the analyzing system then pulls from via
HTTP or FTP.

> What's worse, is I just found that it apparently does not
> support passive ftp. I'm trying to get vsftpd to do active,
> but either I'm not getting it configured right, or more
> likely, the firewall is messing it up.

Another reason to consider SSH.

Have your Internet systems SCP the files to an SSH server on
your LAN, or in your DMZ.  Run the SSH server on a different
port than port 22, and _only_ allow public key authentication
(or Kerberos if you wish to set that up instead of
maintaining SSH key rings).

> I used to run windows ftp server for providing the logs when
> it ran on windows, and ftp'ing was no problem.

Then keep that system to FTP from, and just install Cygwin
with the SSH service.  I assume this is on your LAN (which
probably means this is more of a firewall issue -- and not
the FTP service on the systems outside the firewall).

BTW, if you're running ADS, you can use its Kerberos service
for SSH authentication!  You only need to open (or
proxy/redirect) port 88 for the external systems.  Although
there might be some security considerations in that regard.

I.e., maybe your Windows FTP server is a new DC, with its own
domain (separate from your LAN), and that's where you have
the Kerberos authentication/trusts (possibly in your DMZ)?

> Anyway, that's where I'm at right now. 

Golden Rule:  Do _not_ let the limitations of an application
dictate your end-to-end security.  Shortcut the ends if
needed, put the less secure/more problematic points on your
LAN, but keep your Internet traffic secure, and easier to
manage at the same time.  ;->

-- Bryan

P.S.  This would be so much easier to diagram on a
whiteboard. 


-- 
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith at ieee.org     |  (please excuse any
http://thebs413.blogspot.com/ |   missing headers)
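The SSH-drop setup Bryan describes (non-standard port, public-key auth only) is easy to get subtly wrong in sshd_config, so here is an added example, not code from the post or the CentOS project, of a small POSIX sh checker for those constraints plus the matching scp push command. The two config texts are constructed inline for illustration; the port number, user name, key path and host names are hypothetical. It follows sshd's own rule that the first occurrence of a directive wins, and applies sshd's defaults (Port 22, PasswordAuthentication yes, ChallengeResponseAuthentication yes) when a directive is absent, since an omitted line is the usual way password logins stay enabled.

```shell
#!/bin/sh
# Added example (not from the original message): audit an sshd_config
# for the log-drop rules recommended in the post, and build the scp
# command the Internet-facing hosts would run to push logs.

# Constructed sample configs (hypothetical, for illustration only).
WEAK_CONFIG='# default-ish sshd_config
Port 22
PubkeyAuthentication yes
# PasswordAuthentication left unset -> defaults to yes
'

HARDENED_CONFIG='# log-drop sshd_config
Port 2222
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers logdrop
'

# Effective value of a directive: comments and blank lines are skipped,
# keywords are case-insensitive, and sshd uses the FIRST match it finds.
#   $1 = config text, $2 = directive name
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    '
}

# Returns 0 when the config meets the rules; otherwise prints each
# violation and returns 1.  Missing directives get sshd defaults.
#   $1 = config text
check_sshd_config() {
    cfg=$1
    rc=0

    port=$(sshd_value "$cfg" Port)
    [ -n "$port" ] || port=22
    if [ "$port" = "22" ]; then
        echo "FAIL: sshd listens on the default port 22"; rc=1
    fi

    pw=$(sshd_value "$cfg" PasswordAuthentication)
    [ -n "$pw" ] || pw=yes
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '$pw', expected no"; rc=1
    fi

    # keyboard-interactive is a second password path; newer OpenSSH
    # calls this KbdInteractiveAuthentication, the old name still works.
    cr=$(sshd_value "$cfg" ChallengeResponseAuthentication)
    [ -n "$cr" ] || cr=yes
    if [ "$cr" != "no" ]; then
        echo "FAIL: ChallengeResponseAuthentication is '$cr', expected no"; rc=1
    fi

    pk=$(sshd_value "$cfg" PubkeyAuthentication)
    [ -n "$pk" ] || pk=yes
    if [ "$pk" != "yes" ]; then
        echo "FAIL: PubkeyAuthentication is '$pk', expected yes"; rc=1
    fi

    return $rc
}

# Push side: the command an Internet-facing host would run from cron.
# BatchMode=yes and PasswordAuthentication=no make scp fail outright
# instead of hanging on a password prompt if the key is rejected.
#   $1 = port, $2 = private key file, $3 = local log, $4 = user@host:dest
push_logs_cmd() {
    printf 'scp -P %s -i %s -o BatchMode=yes -o PasswordAuthentication=no %s %s\n' \
        "$1" "$2" "$3" "$4"
}

echo "== weak config =="
check_sshd_config "$WEAK_CONFIG" || echo "weak config rejected"
echo "== hardened config =="
check_sshd_config "$HARDENED_CONFIG" && echo "hardened config OK"
# Hypothetical names below: the key path, host and destination are placeholders.
push_logs_cmd 2222 /etc/logdrop/id_rsa /var/log/httpd/access_log logdrop@logdrop.example.lan:/srv/logs/
```

Run it as-is to see the weak config rejected and the hardened one accepted; point `sshd_value`/`check_sshd_config` at `$(cat /etc/ssh/sshd_config)` to audit a real host. The checker does not cover `Match` blocks, so a `Match` stanza that re-enables passwords for some address would need a separate look.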