Linux - Security forum: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
03-21-2005, 11:23 PM | #1
LQ Newbie | Registered: Jan 2005 | Posts: 4
APF and /var/log/secure.1...
I posted this in the rfxnetworks forum but I haven't received any replies. Can someone who has used APF and BFD please help?
I'm new to Linux so bear with me. Everything seemed to be working fine when I first installed APF and BFD. All bad login attempts shown in /var/log/messages and /var/log/secure were getting blocked.
I noticed that the system logs have rotated to bfd_log.1, /var/log/secure.1 and /var/log/messages.2, among other things like /var/log/maillog.1. And the recent attempts shown in secure.1 and messages.2 are not getting blocked.
Can someone post a step-by-step solution to this ... things I might need to change or add?
03-22-2005, 02:33 PM | #2
Member | Registered: Jan 2003 | Location: Atlanta, Ga., USA | Distribution: Gentoo, Mandrake, ~others | Posts: 157
Noticing the 'rotates' above, just to be sure you know, this is normal and usually happens about once per week.
I don't recognize APF and BFD, but if I assume correctly from all you said that these are firewalls, I do not know the 'advanced' tools; I just use hand-coded iptables scripts. Iptables usually underlies all else, and can do *anything*, but does take *some* learning and care in writing.
LOL,
03-22-2005, 11:16 PM | #3
LQ Newbie | Registered: Jan 2005 | Posts: 4 | Original Poster
I read some info about using iptables manually. But I was afraid of messing things up, especially since I'm still learning Linux. After searching around and seeing what some people are recommending... APF/BFD seem to be a lot easier to use for beginners such as myself.
Everything was working fine until now. Can someone help?
03-23-2005, 12:31 PM | #4
Member | Registered: Jan 2003 | Location: Atlanta, Ga., USA | Distribution: Gentoo, Mandrake, ~others | Posts: 157
How about posting some of the contents from your logfiles that you think have to do with all this -- both before and after would be good. Most graphical (GUI, desktop, etc.) file browsers can display the contents of the rotated files, and you can copy/paste from them.
Maybe I or someone else can help you better with these. It will probably need a couple more question/answer exchanges to get there.
And yes, I did mean that iptables takes significant learning, but it will quite possibly be worth your time in the long run.
03-24-2005, 11:45 AM | #5
LQ Newbie | Registered: Jan 2005 | Posts: 4 | Original Poster
Basically I'm getting a bunch of brute-force attempts like this in /var/log/secure.1:
Mar 23 18:27:29 sshd[20758]: Illegal user master from ::ffff:xxx.xxx.xx.xxx
Mar 23 18:27:32 sshd[20758]: Failed password for illegal user master from ::ffff:xxx.xxx.xx.xxx port 34918 ssh2
March 23 18:27:33 sshd[20763]: Illegal user account from ::ffff:xxx.xxx.xx.xxx
Mar 23 18:27:36 sshd[20763]: Failed password for illegal user account from ::ffff:xxx.xxx.xx.xxx port 34978 ssh2
I noticed that once the logs are rotated back to /var/log/secure, /var/log/messages, /var/log/maillog... APF and BFD start working normally again, and BFD adds the IPs with all the bad login attempts to /etc/apf/deny_hosts.rules. But it stops functioning again when it goes back to /var/log/secure.1.
Last edited by tilt32; 03-24-2005 at 11:51 AM.
03-28-2005, 08:19 AM | #6
Member | Registered: Jan 2003 | Location: Atlanta, Ga., USA | Distribution: Gentoo, Mandrake, ~others | Posts: 157
tilt32,
Sorry for the delay -- rather busy here now!
The ".1", ".2" etc. should be the saves of the previous, 2nd-previous, etc., and the 'no-dot-anything' files should always be the latest files.
Are you saying that the *newest* logs are the ".1"s??!!??
(Rotating through 'no-dot' to '.1' to ... ??) If so, there is some kind of strange setup issue there -- never heard of that before, but!, if that is the case, I'd have to guess that someone got enough through the firewall to cause this, and maybe this is somehow causing the fw to fail except when the correct log-names are in use.
As for firming up the firewall, like I said, I don't know those tools, so I can't help there.
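As an added example (not code from this thread and not part of APF or BFD), here is a small Python scanner that parses the sshd "Failed password" lines quoted in post #5, strips the ::ffff: IPv4-mapped prefix those lines carry, counts failures per source address, and reads both /var/log/secure and the rotated /var/log/secure.1 so entries that landed just before a rotation (the situation posts #5 and #6 discuss) are not missed. The sample log lines and addresses are constructed, and the threshold of 2 is an assumption.

```python
import re
from collections import Counter

# Matches the sshd "Failed password" lines quoted in post #5.  The
# IPv4-mapped IPv6 prefix (::ffff:) seen there is stripped so a host
# is counted once however its address was logged.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?"
    r"(?P<user>\S+) from (?:::ffff:)?(?P<ip>[0-9a-fA-F:.]+) port \d+"
)

def count_failures(lines):
    """Return a Counter of failed-password attempts keyed by source address."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def read_log_files(paths):
    """Yield lines from each listed file; a file that cannot be opened is skipped."""
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                yield from fh
        except OSError:
            continue

def offenders(lines, threshold):
    """Sorted source addresses whose failure count reaches the threshold."""
    return sorted(ip for ip, n in count_failures(lines).items() if n >= threshold)

# Constructed sample in the format quoted in post #5 (addresses are made up).
SAMPLE_LOG = """\
Mar 23 18:27:29 sshd[20758]: Illegal user master from ::ffff:198.51.100.7
Mar 23 18:27:32 sshd[20758]: Failed password for illegal user master from ::ffff:198.51.100.7 port 34918 ssh2
Mar 23 18:27:33 sshd[20763]: Illegal user account from ::ffff:198.51.100.7
Mar 23 18:27:36 sshd[20763]: Failed password for illegal user account from ::ffff:198.51.100.7 port 34978 ssh2
Mar 23 18:30:01 sshd[20790]: Failed password for root from 203.0.113.9 port 40100 ssh2
Mar 23 18:31:15 sshd[20801]: Accepted password for alice from 192.0.2.4 port 51022 ssh2
""".splitlines()

if __name__ == "__main__":
    # On a real host, scan the live file and its rotated copy together so
    # attempts logged just before logrotate ran are still counted.
    live = list(read_log_files(["/var/log/secure", "/var/log/secure.1"]))
    for ip in offenders(live or SAMPLE_LOG, threshold=2):
        print(ip)
```

Running it unprivileged, where /var/log/secure cannot be read, falls back to the constructed sample and prints only the address with two failures.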