LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-21-2005, 11:23 PM   #1
tilt32
LQ Newbie
 
Registered: Jan 2005
Posts: 4

Rep: Reputation: 0
APF and /var/log/secure.1...


I posted this in the rfxnetworks forum but I haven't received any replies. Can someone who has used APF and BFD please help?

APF and /var/log/secure.1...

I'm new to Linux so bear with me. Everything seemed to be working fine when I first installed APF and BFD. All bad login attempts shown in /var/log/messages and /var/log/secure were getting blocked.

I noticed that the system logs have rotated to bfd_log.1, /var/log/secure.1 and /var/log/messages.2, among other things like /var/log/maillog.1. And the recent attempts shown in secure.1 and messages.2 are not getting blocked.

Can someone post a step-by-step solution to this, i.e. things I might need to change or add?
 
Old 03-22-2005, 02:33 PM   #2
Robert G. Hays
Member
 
Registered: Jan 2003
Location: Atlanta, Ga., USA
Distribution: Gentoo, Mandrake, ~others
Posts: 157

Rep: Reputation: 30
Noticing the 'rotates' above, just to be sure you know, this is normal and usually happens about once per week.

I don't recognize APF and BFD, but if I assume correctly from all you said that these are firewalls: I do not know the 'advanced' tools, I just use hand-coded iptables scripts. iptables usually underlies all else, and can do *anything*, but does take *some* learning and care in writing.

LOL,
 
Old 03-22-2005, 11:16 PM   #3
tilt32
LQ Newbie
 
Registered: Jan 2005
Posts: 4

Original Poster
Rep: Reputation: 0
I read some info about using iptables manually. But I was afraid of messing things up, especially since I'm still learning Linux. After searching around and seeing what some people are recommending, APF/BFD seem to be a lot easier to use for beginners such as myself.

Everything was working fine until now. Can someone help?
 
Old 03-23-2005, 12:31 PM   #4
Robert G. Hays
Member
 
Registered: Jan 2003
Location: Atlanta, Ga., USA
Distribution: Gentoo, Mandrake, ~others
Posts: 157

Rep: Reputation: 30
How about posting some of the contents from your logfiles that you think have to do with all this; both before and after would be good. Most graphical (GUI, desktop, etc.) file browsers can display the contents of the rotated files, and you can copy/paste from them.

Maybe I or someone else can help you better with these. It probably will need a couple more question/answer exchanges to get there.

And yes, I did mean that iptables takes significant learning, but it will quite possibly be worth your time in the long run.
 
Old 03-24-2005, 11:45 AM   #5
tilt32
LQ Newbie
 
Registered: Jan 2005
Posts: 4

Original Poster
Rep: Reputation: 0
Basically I'm getting a bunch of brute-force attempts like this in /var/log/secure.1:

Mar 23 18:27:29 sshd[20758]: Illegal user master from ::ffff:xxx.xxx.xx.xxx
Mar 23 18:27:32 sshd[20758]: Failed password for illegal user master from ::ffff:xxx.xxx.xx.xxx port 34918 ssh2
Mar 23 18:27:33 sshd[20763]: Illegal user account from ::ffff:xxx.xxx.xx.xxx
Mar 23 18:27:36 sshd[20763]: Failed password for illegal user account from ::ffff:xxx.xxx.xx.xxx port 34978 ssh2

I noticed that once the logs are rotated back to /var/log/secure, /var/log/messages, /var/log/maillog... APF and BFD start working normally again, and BFD adds the IPs with all the bad login attempts to /etc/apf/deny_hosts.rules. But it stops functioning again when it goes back to /var/log/secure.1.

Last edited by tilt32; 03-24-2005 at 11:51 AM.
 
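What a brute-force detector has to do with the lines posted above, written out as an added example rather than BFD's or APF's own code: parse sshd's syslog lines, strip the `::ffff:` IPv4-mapped prefix so the same attacker is not counted under two spellings, count failed logins per source address, and keep following /var/log/secure across a logrotate by re-checking the file's inode instead of holding one descriptor open (a detector that keeps reading the old descriptor is, after rotation, reading what became secure.1). The sample lines are constructed from the ones posted here with documentation addresses substituted; the threshold of two failures and the emitted iptables DROP rule format are my assumptions, and nothing here touches the live firewall.

```python
"""Minimal sshd brute-force detector (added example; not BFD/APF code)."""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample modelled on the lines posted in this thread (RFC 5737 addresses).
SAMPLE_LOG = """\
Mar 23 18:27:29 sshd[20758]: Illegal user master from ::ffff:203.0.113.7
Mar 23 18:27:32 sshd[20758]: Failed password for illegal user master from ::ffff:203.0.113.7 port 34918 ssh2
Mar 23 18:27:33 sshd[20763]: Illegal user account from ::ffff:203.0.113.7
Mar 23 18:27:36 sshd[20763]: Failed password for illegal user account from ::ffff:203.0.113.7 port 34978 ssh2
Mar 23 18:28:01 sshd[20770]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar 23 18:28:05 sshd[20771]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
"""

# Matches both the old "illegal user" and newer "invalid user" wording of OpenSSH.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def normalize_addr(addr):
    """Map IPv4-mapped IPv6 (::ffff:a.b.c.d) back to plain IPv4 so counts merge."""
    if addr.lower().startswith("::ffff:"):
        return addr[len("::ffff:"):]
    return addr


def count_failures(lines):
    """Count failed password attempts per normalised source address."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[normalize_addr(m.group("src"))] += 1
    return counts


def offenders(counts, threshold):
    """Sources at or above the failure threshold (threshold is an assumption here)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def drop_rules(ips):
    """Render iptables rules for the offenders; this only builds strings, it runs nothing."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


class LogFollower:
    """Tail a log by *path*, restarting from the top when the file is rotated."""

    def __init__(self, path):
        self.path = Path(path)
        self.inode = None
        self.offset = 0

    def poll(self):
        """Return lines appended since the last poll, detecting rotation by inode change
        (rename to .1) or by the file shrinking (copytruncate style)."""
        try:
            st = self.path.stat()
        except FileNotFoundError:
            return []  # between the rename and the creation of the new file
        if st.st_ino != self.inode or st.st_size < self.offset:
            self.inode, self.offset = st.st_ino, 0
        with self.path.open("rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
            self.offset = fh.tell()
        return data.decode("utf-8", errors="replace").splitlines()


def demo(threshold=2):
    """Write the sample to a temp dir, rotate it like logrotate would, and show the
    follower keeps up: returns (offenders before rotation, offenders after)."""
    with tempfile.TemporaryDirectory() as d:
        live = Path(d, "secure")
        live.write_text(SAMPLE_LOG)
        follower = LogFollower(live)
        counts = Counter()
        counts.update(count_failures(follower.poll()))
        before = offenders(counts, threshold)
        # Simulate logrotate: secure -> secure.1, then a fresh secure appears.
        os.replace(live, Path(d, "secure.1"))
        live.write_text(
            "Mar 24 02:00:01 sshd[21000]: Failed password for root from 198.51.100.9 port 40100 ssh2\n"
        )
        counts.update(count_failures(follower.poll()))
        after = offenders(counts, threshold)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before rotation:", before)
    print("after rotation: ", after)
    print("\n".join(drop_rules(after)))
```

The inode check is the part that matters for this thread: after logrotate renames `secure` to `secure.1`, a tool that still holds the old file open keeps reading `secure.1` and never sees the new attempts, which is exactly the symptom described above. The same counting logic would need a time window in production (a Counter that only grows eventually blocks everyone who ever mistyped a password).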
Old 03-28-2005, 08:19 AM   #6
Robert G. Hays
Member
 
Registered: Jan 2003
Location: Atlanta, Ga., USA
Distribution: Gentoo, Mandrake, ~others
Posts: 157

Rep: Reputation: 30
tilt32,
Sorry for the delay; rather busy here now!

THe ".1", ".2" etc should be the saves of the previous, 2nd-prev, etc, and the 'no-dot-anything's should always be the latest files.

Are you saying that the *newest* logs are the ".1"s??!!??
(Rotating through 'no-dot' to '.1' to ... ??) If so, there is some kind of strange setup issue there. I've never heard of that before, but if that is the case, I'd have to guess that someone got enough through the firewall to cause this, and maybe this is somehow causing the firewall to fail except when the correct log names are in use.


As for firming up the firewall, like I said, I don't know those tools, so I can't help there.
 