generate an audit log when a non-whitelist IP is trying to access
I have removed the SSH service from firewalld
Code:
firewall-cmd --zone=public --remove-service=ssh
Using rich rule I'm allowing particular IP to access SSH service
Code:
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.163.14.10" service name="ssh" accept'
Now I want to generate an audit log when a non-whitelist IP is trying to access my host. The host should generate an audit log for access denied. Something like Error: Network access denied. Unauthorized IP 111.111.111.111 is trying to access my host.
In /var/log/messages I found, when the ssh service was present in firewalld:
Quote:
Mar 19 00:03:09 sshd[6628]: Accepted password for cliadmin from <ip> port 62886 ssh2
Mar 19 00:03:11 sshd[6631]: Accepted password for cliadmin from <ip> port 62888 ssh2
For the wrong password it gives this log:
Quote:
Mar 19 00:06:15 sshd[6697]: Failed password for cliadmin from <ip> port 63004 ssh2
Now I have removed the SSH service from firewalld:
Quote:
firewall-cmd --zone=public --remove-service=ssh
And when I try to ssh user@<ip-host> from machine X, I get:
Quote:
error : ssh: connect to host <ip-host> port 22: No route to host
Here I'm supposed to get a log message in /var/log/messages saying:
Quote:
Network access denied. Unauthorized IP machine X trying to access <ip-host>.
ssh user@<host-x>
ssh: connect to host <host-x> port 22: No route to host
That error says that host y can't find host x, so it can't even attempt to connect to it...there's no way that host x can log a connection attempt when no connection was made.
Check the name resolution and routing on host y.
When you are removing ssh service from firewalld, you are basically blocking off the ssh port. Hence the "no route" message.
Are you familiar with hosts.allow and hosts.deny files?
Try putting a known IP in the blacklist (hosts.deny) and see what happens.
(I forgot the preference order for these two files; I am leaving that part for you to figure out.)
Make sure you have access to console so that you can undo changes easily.
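The original poster wants two things: SSH reachable only from whitelisted addresses, and a line in /var/log/messages for every rejected attempt. firewalld rich rules can do both, because a rich rule may carry a `log` element (with `prefix`, `level` and `limit`) in front of its `reject` action; the kernel then writes a LOG line carrying that prefix, which rsyslog lands in /var/log/messages. The script below is an added example written for this thread, not code from the poster or from the firewalld project. It builds the firewall-cmd invocations (the explicit `priority` attribute assumes firewalld 0.7 or newer so the whitelist accept is guaranteed to run before the catch-all log+reject), and it turns the resulting kernel LOG lines into the "Network access denied" audit message the poster asked for. The log lines, host name, prefix `SSH_DENY:` and addresses are constructed for the example.

```python
"""Whitelist SSH in firewalld and turn the kernel LOG lines for rejected
attempts into audit messages. Added example for this thread; not the
poster's or firewalld's own code."""
import re
import subprocess
from typing import Dict, Iterable, Iterator, List, Optional

# Prefix the catch-all rich rule stamps on every rejected SSH attempt.
# Constructed for the example; any short unique token works.
LOG_PREFIX = "SSH_DENY: "


def firewalld_commands(whitelist: Iterable[str], zone: str = "public") -> List[List[str]]:
    """Return the firewall-cmd invocations (runtime only, add --permanent as
    needed) that drop the generic ssh service, accept SSH from each
    whitelisted IPv4 source, and log-then-reject everything else.

    priority="-20" (accept) runs before priority="-10" (log + reject);
    lower numbers execute first in firewalld >= 0.7 (assumption noted
    in the lead-in). limit value caps log lines at five per minute so a
    scanner cannot fill /var/log/messages."""
    cmds = [["firewall-cmd", f"--zone={zone}", "--remove-service=ssh"]]
    for ip in whitelist:
        rule = (f'rule priority="-20" family="ipv4" source address="{ip}" '
                'service name="ssh" accept')
        cmds.append(["firewall-cmd", f"--zone={zone}", "--add-rich-rule", rule])
    deny = ('rule priority="-10" family="ipv4" service name="ssh" '
            f'log prefix="{LOG_PREFIX}" level="warning" limit value="5/m" reject')
    cmds.append(["firewall-cmd", f"--zone={zone}", "--add-rich-rule", deny])
    return cmds


def apply_commands(cmds: List[List[str]], dry_run: bool = True) -> None:
    """Run the commands on a real host (needs root and firewall-cmd).
    Dry run by default so the example is safe to execute anywhere."""
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)


# Syslog line as rsyslog writes a kernel LOG entry: timestamp, host,
# "kernel:", optional "[uptime]" stamp, then our prefix and KEY=VALUE fields.
KERNEL_LOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?:\[[^\]]*\] )?"
    + re.escape(LOG_PREFIX) + r"(?P<fields>.*)$"
)


def parse_denied(line: str) -> Optional[Dict[str, str]]:
    """Return the interesting fields of a rejected-SSH LOG line, or None for
    any other line (sshd messages, other kernel output, ...)."""
    m = KERNEL_LOG.match(line)
    if not m:
        return None
    # Bare flags such as DF or SYN carry no '=' and are skipped.
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "src": fields.get("SRC", "?"),
        "dst": fields.get("DST", "?"),
        "dport": fields.get("DPT", "?"),
    }


def audit_message(entry: Dict[str, str]) -> str:
    """Format one rejected attempt the way the poster described."""
    return (f"Error: Network access denied. Unauthorized IP {entry['src']} "
            f"is trying to access {entry['dst']} port {entry['dport']}")


def audit_messages(lines: Iterable[str]) -> Iterator[str]:
    """Yield an audit message for every rejected-SSH LOG line in `lines`."""
    for line in lines:
        entry = parse_denied(line)
        if entry is not None:
            yield audit_message(entry)


# Constructed sample of /var/log/messages: an accepted login, a rejected
# attempt from a non-whitelisted address, and an unrelated kernel line.
SAMPLE_LOG_LINES = [
    "Mar 19 00:03:09 myhost sshd[6628]: Accepted password for cliadmin from 192.163.14.10 port 62886 ssh2",
    "Mar 19 00:10:02 myhost kernel: SSH_DENY: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=111.111.111.111 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=4711 DF PROTO=TCP "
    "SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Mar 19 00:10:05 myhost kernel: eth0: link is up",
]

if __name__ == "__main__":
    apply_commands(firewalld_commands(["192.163.14.10"]), dry_run=True)
    for msg in audit_messages(SAMPLE_LOG_LINES):
        print(msg)
```

Run it as-is to see the three firewall-cmd lines it would execute and the single audit message produced from the sample log; on the real host, feed `audit_messages()` with `open("/var/log/messages")` (or `journalctl -k -o short`) and drop `dry_run` only after confirming the whitelist contains the address you are administering from, since the catch-all rule rejects every other SSH source. Rejecting (rather than dropping) keeps the client-side error the poster already sees, while the `log` element adds the missing server-side record.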