Linux - Security
08-27-2006, 05:12 AM, #16
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Can you post the contents of your /etc/syslog.conf file? Also, the output of this command (as root):
Code:
lsof | grep ^syslog
08-27-2006, 10:14 AM, #17
Senior Member
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291
In my script I directed all my iptables logs with the debug option. First set up syslog with a logging action for your iptables by adding this to the /etc/syslog.conf file:
Code:
kern.=debug -/var/log/iptables.log
Create a file for log rotation. The log files from iptables can grow extremely quickly, so you want to rotate them often. Create the script:
Code:
touch /etc/logrotate.d/firewall
Now add this text to it:
Code:
/var/log/iptables.log {
rotate 30
daily
compress
notifempty
# create is given once: a second bare "create" later in the block would
# override the mode and owner set here with the original file's attributes
create 0640 root adm
delaycompress
}
Now just add some logging rules to iptables and you should have all the logging going to one location. I'm not too sure if this is the best way to do the logging; I made this script over a year or more ago. It gets all debugging information, but at least 80% will be iptables related.
Some rules at the bottom of your script similar to this should help. You will probably need to adjust them to your system, plus it's been so long since I used this script:
Code:
iptables -A INPUT -p tcp -j LOG --log-level debug --log-prefix "TCP LOGDROP: "
iptables -A INPUT -p udp -j LOG --log-level debug --log-prefix "UDP LOGDROP: "
iptables -A INPUT -p icmp -j LOG --log-level debug --log-prefix "ICMP LOGDROP: "
iptables -A INPUT -f -j LOG --log-level debug --log-prefix "FRAGMENT LOGDROP: "
iptables -A INPUT -j DROP # catch anything that cannot be recognised
Also, I forgot: you will have to restart the syslog daemon for the logging to take effect.
Last edited by fotoguy; 08-27-2006 at 10:19 AM.
08-27-2006, 12:01 PM, #18
Member
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185
Original Poster
I mentioned earlier that no syslog or syslog.conf file exists. This is on a VPS. I have a feeling creating these files would cause confusion or do nothing.
I'm not sure what to do about finding what my VPS is using instead of syslog / syslog.conf.
08-27-2006, 01:04 PM, #19
Member
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185
Original Poster
Here is ...
Code:
# lsof | grep ^syslog
syslogd 13743 root cwd DIR 0,16 1024 328695901 /
syslogd 13743 root rtd DIR 0,16 1024 328695901 /
syslogd 13743 root txt REG 0,16 32188 328704320 /sbin/syslogd
syslogd 13743 root mem REG 0,16 105213 328704048 /lib/ld-2.3.4.so
syslogd 13743 root mem REG 0,16 1451366 328704200 /lib/tls/libc-2.3.4.so
syslogd 13743 root mem REG 0,16 45800 328704103 /lib/libnss_files-2.3.4.so
syslogd 13743 root 0u unix 0x376a9580 18392871 /dev/log
syslogd 13743 root 2w REG 0,16 82471 893034498 /var/log/messages
syslogd 13743 root 3w REG 0,16 144239 893034500 /var/log/secure
syslogd 13743 root 4w REG 0,16 4768 893034501 /var/log/maillog
syslogd 13743 root 5w REG 0,16 1444 893034518 /var/log/cron
syslogd 13743 root 6w REG 0,16 0 893034502 /var/log/spooler
syslogd 13743 root 7w REG 0,16 0 893034530 /var/log/boot.log
syslogd 13743 root 8w REG 0,16 0 893034513 /var/log/bandwidth
(As before, there is no syslog or syslog.conf file on the VPS. I even tried 'find / syslog' and sat through the whole thing.)
08-28-2006, 05:55 PM, #20
Member
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185
Original Poster
OK, it seems it IS writing something in /var/log/messages. I can't tell if it's only part of it or what (maybe writing to a different file also?).
In /var/log/messages I do have a few lines with
Aug 28 17:33:11 vps iptables: succeeded
Aug 28 17:37:48 vps iptables: succeeded
(I think this is just saying it applied the rules.)
I'm using this rule for logging (only logging-related rule):
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
What kind of syntax should I use for it to log ANYTHING dropped for any reason on any occasion?
08-28-2006, 07:07 PM, #21
Senior Member
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291
Quote:
Originally Posted by MrSako
OK, it seems it IS writing something in /var/log/messages. I can't tell if it's only part of it or what (maybe writing to a different file also?).
In /var/log/messages I do have a few lines with
Aug 28 17:33:11 vps iptables: succeeded
Aug 28 17:37:48 vps iptables: succeeded
(I think this is just saying it applied the rules.)
I'm using this rule for logging (only logging-related rule):
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
What kind of syntax should I use for it to log ANYTHING dropped for any reason on any occasion?
Just place a DROP rule after logging it. Just make sure the DROP rule comes after your ACCEPT rules, otherwise nothing will get through.
Code:
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
$IPT -A INPUT -j DROP
08-28-2006, 09:01 PM, #22
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by fotoguy
Just place a DROP rule after logging it. Just make sure the DROP rule comes after your ACCEPT rules, otherwise nothing will get through.
Code:
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
$IPT -A INPUT -j DROP
the DROP rule isn't needed... remember that the policy is set to DROP, so by appending the LOG rule at the end of the chain you are already logging any packets that didn't match any rules above, and you are doing so right before they run smack into the chain's policy of DROP...
having a DROP and a LOG within the chain is useful when you want to LOG and DROP a *certain* kind of packet... for example, perhaps I want to log and DROP all potential DNS connection attempts:
Code:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p TCP -m multiport --dports \
21,22,25,80,110,3784,10000,14534,51234 \
-m state --state NEW -j ACCEPT
$IPT -A INPUT -p UDP -m multiport --dports \
3785,8767 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p UDP --dport 53 \
-m state --state NEW -j LOG --log-prefix "DNS ATTEMPT: "
$IPT -A INPUT -p UDP --dport 53 \
-m state --state NEW -j DROP
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
all non-53/UDP packets which were not sent to ACCEPT will still get logged with the normal prefix and sent to DROP when they reach the end of the chain...
Last edited by win32sux; 08-28-2006 at 09:04 PM.
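To make the chain-ordering point above concrete, here is an added example (not from the thread and not anyone's firewall script): a small Python model of the INPUT chain in this post with policy DROP, treating LOG as a non-terminating target exactly as netfilter does. The Packet fields and the sample packets are constructed for the model; the rule list is the one in the post.

```python
# Added example: a model of the INPUT chain from post #22 (policy DROP).
# A packet that hits a LOG rule is logged and keeps walking the chain until
# ACCEPT/DROP or, failing any terminating match, the chain policy decides.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass
class Packet:
    proto: str              # "TCP" or "UDP"
    dport: int
    state: str = "NEW"      # conntrack state: NEW, ESTABLISHED or RELATED
    iface: str = "eth0"     # constructed default input interface

@dataclass
class Rule:
    target: str                              # ACCEPT, DROP or LOG
    proto: Optional[str] = None              # None = any protocol
    dports: FrozenSet[int] = frozenset()     # empty = any destination port
    states: FrozenSet[str] = frozenset()     # empty = any conntrack state
    iface: Optional[str] = None              # None = any interface
    prefix: str = ""                         # --log-prefix, LOG rules only

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (not self.dports or p.dport in self.dports)
                and (not self.states or p.state in self.states)
                and (self.iface is None or self.iface == p.iface))

# The INPUT chain from post #22, in order; the chain policy is DROP.
INPUT = [
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", proto="TCP", states=frozenset({"NEW"}),
         dports=frozenset({21, 22, 25, 80, 110, 3784, 10000, 14534, 51234})),
    Rule("ACCEPT", proto="UDP", states=frozenset({"NEW"}),
         dports=frozenset({3785, 8767})),
    Rule("LOG", proto="UDP", dports=frozenset({53}), states=frozenset({"NEW"}),
         prefix="DNS ATTEMPT: "),
    Rule("DROP", proto="UDP", dports=frozenset({53}), states=frozenset({"NEW"})),
    Rule("LOG", prefix="INPUT DROP: "),
]
POLICY = "DROP"

def walk_chain(p, chain=INPUT, policy=POLICY):
    # Returns (verdict, list of log prefixes emitted) for one packet.
    logged: List[str] = []
    for rule in chain:
        if not rule.matches(p):
            continue
        if rule.target == "LOG":
            logged.append(rule.prefix)   # LOG never terminates: keep walking
            continue
        return rule.target, logged       # ACCEPT and DROP end the walk
    return policy, logged                # no terminating match: chain policy
```

Appending an explicit `$IPT -A INPUT -j DROP` after the final LOG rule, as fotoguy does, yields the same verdict and the same log line under a DROP policy.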
08-29-2006, 02:10 AM, #23
Senior Member
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291
Quote:
Originally Posted by win32sux
the DROP rule isn't needed... remember that the policy is set to DROP, so by appending the LOG rule at the end of the chain you are already logging any packets that didn't match any rules above, and you are doing so right before they run smack into the chain's policy of DROP...
Yes, since the default policy is set to DROP you don't need to place the DROP rule; for myself, I like to add them for human readability and understanding. A new person to iptables may then be able to read and understand how the rules are working. I don't think it will hurt to have the DROP rule at the end of the chain.
08-29-2006, 07:38 AM, #24
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by fotoguy
Yes, since the default policy is set to DROP you don't need to place the DROP rule; for myself, I like to add them for human readability and understanding. A new person to iptables may then be able to read and understand how the rules are working. I don't think it will hurt to have the DROP rule at the end of the chain.
okay... well, the reason I explained the issue a little further was because in post #21 you were quite vague about this, and I didn't want anyone to get the impression that a DROP rule like that is *needed* in any way, shape or form...
08-29-2006, 08:41 PM, #25
Senior Member
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291
Quote:
Originally Posted by win32sux
okay... well, the reason I explained the issue a little further was because in post #21 you were quite vague about this, and I didn't want anyone to get the impression that a DROP rule like that is *needed* in any way, shape or form...
Yes, I was rather vague. I think I forget sometimes and assume others have the same level of understanding; after years of doing it, I forget how much of a struggle it is in the beginning. And thanks to the point you made earlier, I'm still learning about it.