Linux - Security forum (LinuxQuestions.org)
Hi all,
I am in need of a quick tutorial on adding iptables logging to my existing rules. I haven't found a clear distinct description on how to do basic logging.
Can anyone help or point me in the right direction?
So far all I have done is "modprobe ipt_LOG"
Code:
# Log the rest of the incoming and outgoing packets (all of which are
# rejected below), with a maximum of 15 log entries per minute.
# LOG is a non-terminating target, so a logged packet still continues
# down the chain to the REJECT rules that follow it.
/sbin/iptables -A INPUT -m limit --limit 15/minute -j LOG \
    --log-level 7 --log-prefix "Dropped by firewall: "
/sbin/iptables -A OUTPUT -m limit --limit 15/minute -j LOG \
    --log-level 7 --log-prefix "Dropped by firewall: "
# Reject any packets that did not match an earlier (accepting) rule
/sbin/iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
In /etc/syslog.conf, I have
Code:
kern.=debug /var/log/firewall
The "log-level" specified in my firewall script is the "debug" level, so the syslog.conf file reflects this fact and sets up the file /var/log/firewall to capture all of these messages. You have to issue a "/sbin/service syslog restart", and then the file "/var/log/firewall" will appear, and will quickly start filling up. The "Dropped by firewall: " prefix is something I use to separate the firewall entries from the other (though very few) entries that inevitably get assigned the debug level.
You can also set up rules this way: create a separate chain, then send the packets to it. That way it's easy to change only a couple of variables rather than having to go through the whole script.
I'm not sure about the use of 15/minute; that's rather a long time, and I prefer a much shorter one. But the idea is to limit the amount of logging so you don't fill your logs up. If there is no limit to reach, log files can grow by quite a few MB in a day. You will also be tying up lots of processing power writing logs 24/7. If the same IP address keeps hammering you, there is little sense in logging it all; you only need a small amount to see the pattern and record it.
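Pulling the three replies above together (the LOG rule with `-m limit` and the `kern.=debug` syslog line, the suggestion to put the logging in its own chain, and the point about keeping the rate low), here is an added example that is not from any poster in this thread. It builds a dedicated `LOGDROP` chain whose LOG rule is rate limited with an explicit burst, attaches it to the end of INPUT and OUTPUT, and then summarises log lines of the kind that setup produces. The script runs in dry-run mode (printing the iptables commands) unless `APPLY=1` is set; the log lines in `SAMPLE_LOG` are constructed for the example, using RFC 5737 documentation addresses, and the `LOGDROP` chain name, the `IPT` variable and the `APPLY` switch are this example's own choices, not anything from the thread.

```shell
#!/bin/sh
# Added example: rate-limited logging chain for iptables plus a summary of
# the resulting kernel log lines. Not code from the original thread.
# IPT is the iptables binary; unless APPLY=1 is set the commands are only
# printed, so the script can be read and run safely as a non-root user.
IPT="${IPT:-iptables}"
[ "${APPLY:-0}" = 1 ] || IPT=echo

# build_logdrop_chain RATE BURST
# Create (or flush) a LOGDROP chain: log at most RATE, allowing an initial
# BURST, then drop. LOG is non-terminating, so the DROP rule after it is
# what actually discards the packet; packets over the limit skip the LOG
# rule and are dropped silently.
build_logdrop_chain() {
    rate="${1:-5/minute}"
    burst="${2:-10}"
    "$IPT" -N LOGDROP 2>/dev/null || "$IPT" -F LOGDROP
    "$IPT" -A LOGDROP -m limit --limit "$rate" --limit-burst "$burst" \
        -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
    "$IPT" -A LOGDROP -j DROP
}

# attach_logdrop
# Send whatever falls off the end of INPUT and OUTPUT to LOGDROP. Append
# these once, after all the ACCEPT rules, or nothing will get through.
attach_logdrop() {
    for chain in INPUT OUTPUT; do
        "$IPT" -A "$chain" -j LOGDROP
    done
}

# summarize_log FIELD
# Read log lines on stdin, keep only the ones carrying our prefix, and count
# the values of FIELD (SRC, DST, DPT, PROTO, ...), most frequent first.
# This is the "see the pattern" step: a few lines per noisy host is enough.
summarize_log() {
    field="${1:-SRC}"
    awk -v key="$field" '
        /Dropped by firewall:/ {
            for (i = 1; i <= NF; i++)
                if (index($i, key "=") == 1)
                    n[substr($i, length(key) + 2)]++
        }
        END { for (v in n) print n[v], v }' | sort -rn
}

# Constructed sample of what kern.=debug delivers to /var/log/firewall
# (documentation addresses from RFC 5737; one unrelated kernel line mixed in).
SAMPLE_LOG='Jan  5 10:01:02 host kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41222 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  5 10:01:03 host kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  5 10:01:04 host kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41223 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  5 10:01:05 host kernel: usb 1-1: new high-speed USB device number 4
Jan  5 10:01:06 host kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.44 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP SPT=5353 DPT=53 LEN=58
Jan  5 10:01:07 host kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41224 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  5 10:01:08 host kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# Stand-alone run: print (or apply) the rules, then summarise the sample.
build_logdrop_chain 5/minute 10
attach_logdrop
printf '%s\n' "$SAMPLE_LOG" | summarize_log SRC
printf '%s\n' "$SAMPLE_LOG" | summarize_log DPT
```

Run it as-is to see the commands it would issue, then `APPLY=1 ./fwlog.sh` as root to install the chain; against a real log use `summarize_log SRC < /var/log/firewall`. Two caveats a practitioner will want: `-m limit` is one global bucket, so a single host hammering you can starve the log of everyone else (the `hashlimit` match can limit per source address instead), and the `kern.=debug` syslog selector only captures what you send at level 7, so keep `--log-level` and the syslog line in step if you change either.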