Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-28-2005, 09:42 AM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Rep: Reputation: 60
IPTABLES - Logging


I am trying to understand IPTABLES -log-prefix in a rule. Here is an example:

Invalid Packet rule

$IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP "

TCP-Packets with one more bad flags

$IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "

In the first rule, the part that says " -j LOG --log-prefix "fp=INVALID:1 a=DROP ": what does that -LOG --log-prefix mean? Is the LOG another rule, and is it saying jump to that LOG rule? Where does this log information go? e.g. /var/log/messages

What does "fp=BADFLAG:1 a=DROP " mean, and will this show up in the log?

Third, how can I customize my logging so that I can create different files for each log rule, or can I just have all of these logs go to one file instead of the /var/log/messages log? Thanks.
 
Old 09-29-2005, 06:38 AM   #2
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 47
Quote:
In the first rule the part that says " -j LOG --log-prefix "fp=INVALID:1 a=DROP ". What does that -LOG --log-prefix mean and is the LOG another rule and is it saying jump to that LOG rule. where does this log information go? ex /var/log/messages
It's actually -j LOG --log-prefix, and the -j means jump to the LOG chain. Yes, the logging should be in /var/log/messages, but that is probably determined in the /etc/syslog.conf file.

Quote:
what does "fp=BADFLAG:1 a=DROP " mean and will this show up in the log.
That is only a prefix which the kernel will put on the message, and yes, it will show up in the log.

Quote:
third, how can I custom my logging to where I can create different files for each log rule or can I just have all of these logs go to one file instead of the /var/log/messages log. thanks
I'm sure the logs will all be in the same file, that is determined by the priority of the kernel message and all iptables logs will be at the same priority (I think). But as I said before you can edit /etc/syslog.conf and set where the messages go, if you want they can all go to a console.

Edit: man syslog.conf

Last edited by /bin/bash; 09-29-2005 at 06:39 AM.
 
Old 09-29-2005, 07:41 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
If I may add to /bin/bash's reply: the kernel prints messages only using the facility.priority. Log prefixes are part of the whole message string and do not help determine where that specific message should go. Iptables messages are printed at "kern.info" (but they're not the only ones at that facility.priority level, in case you go for redirecting to /dev/console, which you shouldn't). The route of the facility.priority is set up in syslog.conf, making it go either to a file, a fifo or a host. Between syslog and file there is no nice way you can grep for iptables messages. From a syslog fifo you could get messages (and have a nice fat error-prone regex to grep for iptables messages, but IMHO any DIY solution that both slows down the logging process AND isn't 100% foolproof AND isn't 100% error-proof shouldn't be used). Maybe SyslogNG has better facilities, but when I tried it some years ago it wasn't good enough.

So, to cut things short, if the only thing you're after is reporting, you could install a daemon like fwlogwatch. It'll extract the loglines from whatever logfile you specify and provide you with a report w/o worrying.
 
Old 09-29-2005, 05:43 PM   #4
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Part of the reason I was asking was because I just overhauled my iptables set of rules and I added a lot of extra anti-DDoS, port scan, etc. rules to my firewall, and I noticed that before I did this upgrade I was always getting these ssh attempts from script kiddies and now I am not. I also changed my ssh port to another port other than 22.

Jul 19 21:04:33 server sshd[28379]: Illegal user test from XXX.XXX.XXX.XXX
Jul 19 21:04:34 server sshd[28381]: Illegal user guest from XXX.XXX.XXX.XXX
Jul 19 21:04:36 server sshd[28383]: Illegal user admin from XXX.XXX.XXX.XXX
Jul 19 21:04:37 server sshd[28385]: Illegal user admin from XXX.XXX.XXX.XXX
Jul 19 21:04:38 server sshd[28387]: Illegal user user from XXX.XXX.XXX.XXX

With my new firewall I have a lot of logging enabled, and I was wondering why now I am not seeing these ssh attempts fill my logs. Could it be that they are still being added to my logs but just under another format like:

Sep 28 06:46:48 68-67-253-163 kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=00:01:02:5f:50:06:00:90:f8:01:58:3b:08:00 SRC=xxx.yyy.aaa.ee DST=aa.bb.ccc.ddd LEN=497 TOS=0x00 PREC=0x00 TTL=38 ID=0 DF PROTO=UDP SPT=32867 DPT=1026 LEN=477
Sep 28 06:47:00 68-67-253-163 kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=00:01:02:5f:50:06:00:90:f8:01:58:3b:08:00 SRC=xxx.lll.aaa.ee DST=jj.rrr.ddd.ggg LEN=346 TOS=0x00 PREC=0x00 TTL=38 ID=0 DF PROTO=UDP SPT=44384 DPT=1027 LEN=326

Before, it was logging sshd crack attempts and now it is not! I don't know right now if what I have done is stopping these attempts, or whether they are still happening and I don't have my firewall configured correctly to log ssh crack attempts?

Last edited by metallica1973; 09-29-2005 at 05:45 PM.
 
Old 09-29-2005, 09:35 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
I was always getting these ssh attempts from script kiddies and now I am not. I also changed my ssh port to another port other than 22.
If someone/something doesn't take the time to do some minor banner grabbing / fw recon, then they won't find your sshd on a non-standard port ("security by obscurity"). BTW, the log excerpt you show is from sshd itself, not the firewall; the logs below that are UDP. To test your fw logging, just make some bogus logins on the non-standard-port sshd yourself.
 
Old 10-02-2005, 09:35 AM   #6
david1941
Member
 
Registered: May 2005
Location: St. Louis, MO
Distribution: CentOS7
Posts: 267

Rep: Reputation: 58
I wrote a couple of scripts to tail the /var/log/secure and append iptables rules to drop IPs that I perceive are attacking my machine. The plan is here: http://www.maplepark.com/%7Edrf/cons...llit_Plan.html

I have found it effective.

Last edited by david1941; 05-24-2008 at 11:46 PM. Reason: Change link -
 
Old 10-04-2005, 05:58 PM   #7
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Comparing my logging from /var/log/messages from before, why has it changed, and have the attempts stopped? Can you tell from what I have posted?
 
Old 10-24-2005, 10:16 PM   #8
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
From my /var/log/messages:

Oct 24 11:12:45 68-67-253-163 kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=00:01:02:5f:50:06:00:90:f8:01:58:3b:08:00 SRC=208.253.115.11 DST=68.67.253.163 LEN=28 TOS=0x00 PREC=0x00 TTL=41 ID=16895 PROTO=UDP SPT=12118 DPT=8723 LEN=8

What do the fp=UDP:2 and a=DROP mean?
 
Old 10-26-2005, 07:45 PM   #9
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Rep: Reputation: 78
Quote:
what does the fp=UDP:2 and a=DROP mean ?
Well, that would be the log-prefix specified in the log rule...
If your rule said '--log-prefix "any arbitrary string"' then your log would look like:

Oct 24 11:12:45 68-67-253-163 kernel: any arbitrary string IN=eth0 OUT= MAC=00:01:02:5f:50:06:00:90:f8:01:58:3b:08:00 SRC=208.253.115.11 DST=68.67.253.163 LEN=28 TOS=0x00 PREC=0x00 TTL=41 ID=16895 PROTO=UDP SPT=12118 DPT=8723 LEN=8


It looks as though whoever wrote these LOG rules you are using used the --log-prefix to log why the packet was logged (fp=UDP:2) and what will happen to it (a=DROP).

Quote:
Maybe SyslogNG has better facilities but when I tried it some years ago it wasn't good enough.
I am using syslog-ng on my systems and it has an excellent filtering mechanism, which I use to filter my iptables log messages to a dedicated file, using the --log-prefix rule the OP is asking about to set a unique identifier.

So: let's say my log prefix is "Dropped and Logged". Now in syslog-ng.conf I set up a filter:
Code:
filter dropped { match("Dropped and Logged"); };
and then simply apply the filter to all messages:
Code:
log { source(src); filter(dropped); destination(droplog); };
where "src" is the previously defined source of all messages and "droplog" is the previously defined file to log the messages that pass the filter. This is just a simple example, but there are many different filtering methods which allow you to zero in on pretty much any message, and dispatch it accordingly (including sending it to /dev/null if it suits your purposes).

Combining the filter mechanism with its simple but powerful remote logging facilities really puts syslog-ng light years ahead of regular old syslog IMHO.

Last edited by bulliver; 10-26-2005 at 08:08 PM.
 
Old 10-27-2005, 08:24 AM   #10
imitheos
Member
 
Registered: May 2005
Location: Greece
Posts: 441

Rep: Reputation: 141
The LOG target logs using the kernel facility. You can change the priority (with --log-level) but not the facility.
So possible solutions:

1) Choose a priority which has very few/no kernel messages (e.g. notice) and send kernel.notice to firewall.log
* Not very good because you can't be sure you won't have kernel messages *

2) Use a shell script to filter all logs that have the prefix you choose (with --log-prefix) to go to a file (firewall.log ?)
* Almost good solution *

3) Use syslog-ng or other syslog daemon which has good filters
* Better solution than 2) *

4) Use ULOG target and ulogd so you have only firewall messages where you want them (file,mysql,etc)
* The best solution IMHO *

5) Use netlink if you use 2.6.14-rcX kernel and new iptables (pkttables)
* Same as 4) *
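Added example (not code from any poster in this thread): a small Python log sorter that does what posts #4/#5, #9 and #10 describe in prose. It separates sshd "Illegal user" lines (post #4) from kernel lines carrying iptables LOG output (posts #8/#9) and from other kern-facility messages (post #10), splits each iptables record into its --log-prefix and packet fields, and groups records by prefix, which is the "filter by prefix into its own file" approach of option 2. The sample lines are constructed in the format the thread shows, using documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x); the function names are mine.

```python
"""Sort syslog lines into sshd login failures, iptables LOG records and
everything else sharing the kern facility, then break the iptables records
into the --log-prefix part and the KEY=VALUE packet fields.

Example code written for this thread, not code from any poster. The sample
log below is constructed in the thread's format with documentation addresses.
"""
import re
from collections import Counter, defaultdict

# "Mon DD HH:MM:SS host program[pid]: message" syslog header.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd's failed-login line as shown in post #4.
SSHD_ILLEGAL_RE = re.compile(r"^Illegal user (?P<user>\S+) from (?P<src>\S+)$")
# Upper-case KEY=VALUE tokens printed by the LOG target (IN=, SRC=, DPT=, ...).
KV_RE = re.compile(r"([A-Z]+)=(\S*)")
# key=value pairs inside a prefix such as "fp=UDP:2 a=DROP".
PREFIX_KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample input, not a real log.
SAMPLE_LOG = """\
Jul 19 21:04:33 server sshd[28379]: Illegal user test from 192.0.2.10
Jul 19 21:04:34 server sshd[28381]: Illegal user admin from 192.0.2.10
Sep 28 06:46:48 server kernel: fp=UDP:2 a=DROP IN=eth0 OUT= MAC=00:01:02:5f:50:06:00:90:f8:01:58:3b:08:00 SRC=192.0.2.10 DST=198.51.100.7 LEN=497 TOS=0x00 PREC=0x00 TTL=38 ID=0 DF PROTO=UDP SPT=32867 DPT=1026 LEN=477
Sep 28 06:47:00 server kernel: fp=INVALID:1 a=DROP IN=eth0 OUT= MAC=00:01:02:5f:50:06:00:90:f8:01:58:3b:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=6000 DPT=22 WINDOW=0 RES=0x00 SYN URGP=0
Sep 28 06:47:05 server kernel: eth0: link up, 100Mbps, full-duplex
Sep 28 06:47:06 server cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_syslog_line(line):
    """Split a syslog line into header fields and message body, or None."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def parse_iptables_msg(msg):
    """Parse the body of a kernel LOG record; None if it is not one.

    Everything before the first 'IN=' is the --log-prefix (the kernel just
    prepends it, as post #9 explains); the rest is the packet summary.
    """
    idx = msg.find("IN=")
    if idx < 0:
        return None
    prefix, body = msg[:idx].strip(), msg[idx:]
    fields = {}
    for key, val in KV_RE.findall(body):
        # LEN appears twice (IP header, then UDP/TCP header): keep both.
        if key in fields:
            key += "2"
        fields[key] = val
    # Bare tokens such as DF or SYN carry no '='.
    flags = [tok for tok in body.split() if "=" not in tok]
    return {"prefix": prefix,
            "prefix_fields": dict(PREFIX_KV_RE.findall(prefix)),
            "fields": fields, "flags": flags}


def classify(line):
    """Tag one syslog line with a 'kind' and the fields pulled out of it."""
    hdr = parse_syslog_line(line)
    if hdr is None:
        return {"kind": "unparsed", "raw": line}
    if hdr["prog"] == "sshd":
        m = SSHD_ILLEGAL_RE.match(hdr["msg"])
        if m:
            return {"kind": "sshd_illegal_user", "user": m["user"],
                    "src": m["src"], **hdr}
        return {"kind": "sshd_other", **hdr}
    if hdr["prog"] == "kernel":
        rec = parse_iptables_msg(hdr["msg"])
        if rec:
            return {"kind": "iptables", **hdr, **rec}
        return {"kind": "kernel_other", **hdr}  # same facility, not firewall
    return {"kind": "other", **hdr}


def split_by_prefix(lines):
    """Group iptables records by their --log-prefix (one bucket per rule)."""
    groups = defaultdict(list)
    for rec in map(classify, lines):
        if rec["kind"] == "iptables":
            groups[rec["prefix"]].append(rec)
    return dict(groups)


def summarize(lines):
    """Count how many lines of each kind the log contains."""
    return Counter(classify(l)["kind"] for l in lines)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(summarize(lines))
    for prefix, recs in split_by_prefix(lines).items():
        dpts = [r["fields"].get("DPT") for r in recs]
        print(f"{prefix!r}: {len(recs)} record(s), DPT={dpts}")
```

Run on a real /var/log/messages you would feed `open(path)` instead of `SAMPLE_LOG.splitlines()`; the `kernel_other` bucket is the reason a plain kern.* route in syslog.conf cannot give you a firewall-only file, and the per-prefix grouping is what a syslog-ng `match()` filter or the shell script of option 2 does at write time.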
 
Old 10-27-2005, 05:17 PM   #11
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Gentlemen, that is good stuff. I'll take a look at syslog-ng. Thanks.
 