LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-27-2006, 05:12 AM   #16
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870


can you post the contents of your /etc/syslog.conf file??

also, the output of this command (as root):
Code:
lsof | grep ^syslog
 
Old 08-27-2006, 10:14 AM   #17
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

In my script I directed all my iptables logs with the debug option. First set up syslog with a logging action for your iptables by adding this to the /etc/syslog.conf file:

Code:
kern.=debug	-/var/log/iptables.log
Create a file for log rotation. The log files from iptables can grow extremely quickly, so you want to rotate them often. Create the script:

Code:
# logrotate stanza for the iptables log written by the kern.=debug rule
/var/log/iptables.log {
    rotate 30
    daily
    compress
    delaycompress
    notifempty
    # a bare "create" after this line would override the mode/owner
    create 0640 root adm
}
Now just add some logging rules to iptables and you should have all the logging rules going to one location. I'm not too sure if this is the best way to do the logging; I made this script over a year or more ago. It gets all debugging information, but at least 80% will be iptables related:

Some rules at the bottom of your script similar to this should help. You will probably need to adjust them to your system, plus it's been so long since I used this script:

Code:
iptables -A INPUT -p tcp -j LOG --log-level debug --log-prefix "TCP LOGDROP: "
iptables -A INPUT -p udp -j LOG --log-level debug --log-prefix "UDP LOGDROP: "
iptables -A INPUT -p icmp -j LOG --log-level debug --log-prefix "ICMP LOGDROP: "
iptables -A INPUT -f -j LOG --log-level debug --log-prefix "FRAGMENT LOGDROP: "
iptables -A INPUT -j DROP # catch anything that cannot be recognised

Also, I forgot: you will have to restart the syslog daemon for the logging to take effect.

Last edited by fotoguy; 08-27-2006 at 10:19 AM.
 
Old 08-27-2006, 12:01 PM   #18
MrSako
Member
 
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185

Original Poster
I mentioned earlier that no syslog or syslog.conf file exists. This is on a VPS. I have a feeling creating these files would cause confusion or do nothing.

I'm not sure what to do about finding what my VPS is using instead of syslog / syslog.conf.
 
Old 08-27-2006, 01:04 PM   #19
MrSako
Member
 
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185

Original Poster
here is ....

Code:
# lsof | grep ^syslog
syslogd 13743 root cwd DIR 0,16 1024 328695901 /
syslogd 13743 root rtd DIR 0,16 1024 328695901 /
syslogd 13743 root txt REG 0,16 32188 328704320 /sbin/syslogd
syslogd 13743 root mem REG 0,16 105213 328704048 /lib/ld-2.3.4.so
syslogd 13743 root mem REG 0,16 1451366 328704200 /lib/tls/libc-2.3.4.so
syslogd 13743 root mem REG 0,16 45800 328704103 /lib/libnss_files-2.3.4.so
syslogd 13743 root 0u unix 0x376a9580 18392871 /dev/log
syslogd 13743 root 2w REG 0,16 82471 893034498 /var/log/messages
syslogd 13743 root 3w REG 0,16 144239 893034500 /var/log/secure
syslogd 13743 root 4w REG 0,16 4768 893034501 /var/log/maillog
syslogd 13743 root 5w REG 0,16 1444 893034518 /var/log/cron
syslogd 13743 root 6w REG 0,16 0 893034502 /var/log/spooler
syslogd 13743 root 7w REG 0,16 0 893034530 /var/log/boot.log
syslogd 13743 root 8w REG 0,16 0 893034513 /var/log/bandwidth

(As before, there is no syslog or syslog.conf file on the VPS. I even tried 'find / syslog' and sat through the whole thing.)
 
Old 08-28-2006, 05:55 PM   #20
MrSako
Member
 
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185

Original Poster
OK, it seems it IS writing something in /var/log/messages. I can't tell if it's only part of it or what (maybe it's writing to a different file also?).

In /var/log/messages I do have a few lines with

Code:
Aug 28 17:33:11 vps iptables: succeeded
Aug 28 17:37:48 vps iptables: succeeded
(I think this is just saying it applied the rules.)


I'm using this rule for logging (the only logging-related rule):

Code:
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "


What kind of syntax should I use for it to log ANYTHING dropped for any reason on any occasion?
 
Old 08-28-2006, 07:07 PM   #21
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Quote:
Originally Posted by MrSako
OK, it seems it IS writing something in /var/log/messages. I can't tell if it's only part of it or what (maybe it's writing to a different file also?).

In /var/log/messages I do have a few lines with

Aug 28 17:33:11 vps iptables: succeeded
Aug 28 17:37:48 vps iptables: succeeded

(I think this is just saying it applied the rules.)


I'm using this rule for logging (the only logging-related rule):

$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "


What kind of syntax should I use for it to log ANYTHING dropped for any reason on any occasion?
Just place a DROP rule after logging it; just make sure the drop rule comes after your ACCEPT rules, otherwise nothing will get through.

Code:
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
$IPT -A INPUT -j DROP
 
Old 08-28-2006, 09:01 PM   #22
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by fotoguy
Just place a DROP rule after logging it; just make sure the drop rule comes after your ACCEPT rules, otherwise nothing will get through.

Code:
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
$IPT -A INPUT -j DROP
the DROP rule isn't needed... remember that the policy is set to DROP, so by appending the LOG rule at the end of the chain you are already logging any packets that didn't match any rules above - and you are doing so right before they run smack into the chain's policy of DROP...

having a DROP and a LOG within the chain is useful when you want to LOG and DROP a *certain* kind of packet... for example, perhaps i want to log and DROP all potential DNS connection attempts:
Code:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p TCP -m multiport --dports \
21,22,25,80,110,3784,10000,14534,51234 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p UDP -m multiport --dports \
3785,8767 -m state --state NEW -j ACCEPT

$IPT -A INPUT -p UDP --dport 53 \
-m state --state NEW -j LOG --log-prefix "DNS ATTEMPT: "

$IPT -A INPUT -p UDP --dport 53 \
-m state --state NEW -j DROP

$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
all non-53/UDP packets which were not sent to ACCEPT will still get logged with the normal prefix and sent to DROP when they reach the end of the chain...

Last edited by win32sux; 08-28-2006 at 09:04 PM.
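The rules above only produce value if someone actually reads what the LOG target writes. The following is an added example, not code from the thread or from either poster: a small Python parser for the classic iptables LOG line format as it lands in /var/log/messages (syslog timestamp, host, "kernel:", the --log-prefix text, then IN=/OUT=/SRC=/DST=/PROTO=/DPT= fields). It skips non-packet lines such as the "iptables: succeeded" init-script message from the thread, keeps the IP-header value where a field name repeats (LEN and ID appear again for UDP and ICMP), and tallies records by prefix, source address and destination port so the "INPUT DROP: " and "DNS ATTEMPT: " prefixes can be told apart. The sample log lines, addresses and MAC are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of what LOG rules like the ones above produce once the
# kernel messages reach /var/log/messages (classic iptables LOG target format).
# The first line is the "iptables: succeeded" init-script message seen in the
# thread; it is not a packet record and the parser must skip it.
SAMPLE_LOG = """\
Aug 28 17:33:11 vps iptables: succeeded
Aug 28 17:40:02 vps kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=43210 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 28 17:40:05 vps kernel: DNS ATTEMPT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.5 LEN=73 TOS=0x00 PREC=0x00 TTL=51 ID=1234 PROTO=UDP SPT=5353 DPT=53 LEN=53
Aug 28 17:40:09 vps kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug 28 17:40:12 vps kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, "kernel:", then the --log-prefix text up to the
# first "IN=" field; everything from IN= onward describes the packet.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)IN=(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one iptables LOG record, or None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "prefix": m.group("prefix").strip(),
        "flags": [],  # bare tokens such as DF or SYN
    }
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # LEN and ID appear twice (IP header, then UDP/ICMP header);
            # keep the first occurrence, i.e. the IP-header value.
            rec.setdefault(key, value)
        else:
            rec["flags"].append(tok)
    return rec


def parse_log(text):
    """Parse every LOG record in a block of syslog text, skipping other lines."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r is not None]


def summarize(records):
    """Count records by log prefix, by source address and by (PROTO, DPT)."""
    by_prefix = Counter(r["prefix"] for r in records)
    by_src = Counter(r["SRC"] for r in records if "SRC" in r)
    by_port = Counter((r["PROTO"], r["DPT"]) for r in records if "DPT" in r)
    return by_prefix, by_src, by_port


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    prefixes, sources, ports = summarize(recs)
    print("records parsed:", len(recs))
    for prefix, n in prefixes.most_common():
        print(f"{n:4d}  {prefix}")
    print("top sources:", sources.most_common(3))
    print("top ports:", ports.most_common(3))
```

Pointing parse_log at the real file (open("/var/log/messages").read()) gives the same counters; on the thread's VPS, where the kernel messages are mixed into /var/log/messages, the "kernel:" match is what separates iptables records from everything else syslogd writes there.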
 
Old 08-29-2006, 02:10 AM   #23
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Quote:
Originally Posted by win32sux
the DROP rule isn't needed... remember that the policy is set to DROP, so by appending the LOG rule at the end of the chain you are already logging any packets that didn't match any rules above - and you are doing so right before they run smack into the chain's policy of DROP...
Yes, since the default policy is set to drop you don't need to place the drop rule; for myself, I like to add them for human readability and understanding. A new person to iptables may then be able to read and understand how the rules are working. I don't think it will hurt to have the drop rule at the end of the chain.
 
Old 08-29-2006, 07:38 AM   #24
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by fotoguy
Yes, since the default policy is set to drop you don't need to place the drop rule, for myself I like to add them for human readability and understanding. A new person to iptables may then be able to read and understand how the rules are working. I don't think it will hurt to have the drop rule at the end of the chain.
okay... well, the reason i explained the issue a little further was because in post #21 you were quite vague about this, and i didn't want anyone to get the impression that a DROP rule like that is *needed* in any way shape or form...
 
Old 08-29-2006, 08:41 PM   #25
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Quote:
Originally Posted by win32sux
okay... well, the reason i explained the issue a little further was because in post #21 you were quite vague about this, and i didn't want anyone to get the impression that a DROP rule like that is *needed* in any way shape or form...
Yes, I was rather vague. I think I forget sometimes and assume others have the same level of understanding; after years of doing it, I forget how much of a struggle it is in the beginning. And thanks to the point you made earlier, I'm still learning about it.
 
  

