MSJoe

asked on

WatchGuard Firewall and Syslog

I have a Watch Guard firewall model X1000. I have been having problems where someone is slamming our FTP server until they get in. As of now I have been able to catch it fast enough that I can block the IP. The IP that I blocked seems to have gone from about 10 attempts a minute to 1, but a new IP attempted the same thing but is hitting the server about 100 times a minute.

Two things I was thinking of to make my life easier: it would be great if I could set up some sort of Syslog server that would email me if the number of hits to a packet filter, say FTP, reaches 10 connections per minute from a single IP. That would allow me to react faster. Second, if I could somehow set up a rule that would automatically block FTP connections by IP if the command was too long, or if too many connections from an IP reached a certain counter, that would be great. I think I might be able to do the second with a function called PAD in Watch Guard but I can't find how to configure PAD rules; I can only find in the FTP Proxy settings how to enable the default rule listed. The default rule listed is to block commands that are too long.

I am completely unfamiliar with Syslog and I attempted to set one up but I couldn't figure out how to get the logs out of the firewall, so I began to wonder if I had to use a Watch Guard branded firewall Syslog program or something.

*NOTE: We use WS_FTP for our FTP access. I was debating changing this over to a Microsoft FTP so I would have the added functionality of account lockouts, but we use some non-integrated FTP accounts for general public purposes.
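The 10-connections-per-minute email alert the question asks for, as an added example written for this thread (not code from the poster, WatchGuard or Kiwi): a small Python UDP syslog receiver with the per-IP counting logic separated out so it can be tested offline. The key=value line layout, the host name "firebox" and the sample addresses are constructed assumptions, since real Firebox log lines look different; the print in serve() is where an email send would go.

```python
import re
import socket
from collections import Counter

# Assumed (hypothetical) layout: RFC 3164 priority, timestamp, host, key=value fields; adapt to real Firebox output.
TS_RE = re.compile(r"^(?:<\d+>)?(?P<minute>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}):\d{2}\s")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_ftp_attempt(line):
    """Return (minute, src_ip) for a TCP/21 packet-filter event, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    if fields.get("proto") != "tcp" or fields.get("dport") != "21" or "src" not in fields:
        return None
    return " ".join(m.group("minute").split()), fields["src"]

class RateAlerter:
    """Counts attempts per (minute, source IP); alerts once per key when the threshold is hit."""
    def __init__(self, threshold=10):  # 10 attempts per source per minute, the question's figure
        self.threshold, self.counts, self.alerted = threshold, Counter(), set()

    def feed(self, line):
        key = parse_ftp_attempt(line)
        if key is None:
            return None
        self.counts[key] += 1
        if self.counts[key] >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return f"ALERT {key[1]}: {self.counts[key]} FTP attempts in minute {key[0]}"
        return None

def serve(port=514, threshold=10):
    """Receive syslog on UDP 514 (binding it needs admin rights); print alerts, or email them."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    alerter = RateAlerter(threshold)
    while True:
        data, _ = sock.recvfrom(65535)
        alert = alerter.feed(data.decode("utf-8", "replace"))
        if alert:
            print(alert)

def sample_line(ts, src, dport=21):  # constructed test traffic, not a real Firebox log
    return f"<134>Mar  7 {ts} firebox pfilter: deny proto=tcp src={src} dst=192.0.2.10 dport={dport}"

# Constructed sample: 11 hits from one address in 09:54, one from another, a port-80 event, one in 09:55.
SAMPLE_LINES = [sample_line(f"09:54:{s:02d}", "203.0.113.5") for s in range(0, 55, 5)] + [
    sample_line("09:54:30", "198.51.100.7"), sample_line("09:54:31", "203.0.113.5", 80),
    sample_line("09:55:02", "203.0.113.5")]
```

Feeding SAMPLE_LINES through RateAlerter() raises exactly one alert, for 203.0.113.5 at its tenth attempt in the 09:54 minute; the second address and the next minute stay below the threshold.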
Alan Huseyin Kayahan

Hi MSJoe
In the following link, locate the "Adding a syslog host" section.
http://www.watchguard.com/support/faqs/edge/edge86/edge_log_config-log-host.htm
Above is the configuration for your WatchDog. Following is how to set up one of the common syslog servers used. You can download Kiwi Syslog on the same web site.
http://www.kiwisyslog.com/index.php?option=com_kb&page=articles&articleid=85&Itemid=244
The Syslog server listens on UDP port 514, so make sure it is not blocked by a software firewall like the Microsoft firewall.
GFI Events Manager's syslog server does have the ability to send emails in case the set condition is met. Maybe Kiwi also does.

Regards
MSJoe

ASKER

I'm having problems setting it up. I am running Firebox System Manager 7.30.X and for me to turn on syslog I had to find the option under Setup>Logging>Syslog. The only options I found were to enable it, set a syslog server IP, and a syslog facility which I left at LOG_LOCAL0. I assume it is enabled, but I need help setting up Kiwi.

It isn't really doing anything, and I can't figure out how to point it to the Firewall.
"It isn't really doing anything, and I can't figure out how to point it to the Firewall. "
You shouldn't be pointing syslog to the firewall, you should be pointing the firewall to the syslog server. In my very first post, there is a tutorial on how to set up Kiwi syslog server.
And I assume the log facility should be set to a higher value to collect all information. I would tell you the exact steps for Cisco firewalls, but I am not used to WatchGuard.
MSJoe

ASKER

Ok I get it now. Well I did enable and point the firewall to the syslog. The problem now is that the Kiwi syslog program is acting funny and it looks like someone installed it on the server before, and that some settings were pulled over. I deleted the program folder and reinstalled it, but why the heck did it still pull in the old settings!?!?
MSJoe

ASKER

Ok, I loaded defaults of everything but when I change things in setup to test the syslog server, like sending a test message, it fails to update the service. What I did was Setup>Test Message and I changed the alert location to local0. I did this on my local PC and everything worked fine and I received the test. On the actual server running the Kiwi Syslog, even updating the service failed. Baaahhh, what is going on!
Is the service on the server in the Started state? Also make sure UDP port 514 is in the LISTENING state when you type netstat -an in the command line.
MSJoe

ASKER

The server/service is in the started state, but nothing is listening on port 514.
MSJoe

ASKER

I made sure that the Windows Firewall or any other software was not blocking the syslog. The only firewall software would be the Windows built in, which is disabled. I reinstalled the Syslog server, but no go. ;(
MSJoe

ASKER

2008-03-07 09:54:17      Unable to connect to Service socket on TCP port 3300
2008-03-07 09:54:47      Service running, but Service/Manager comm link is not connecting.
2008-03-07 09:55:22      Service running, but Service/Manager comm link is not connecting.
2008-03-07 09:58:08      Service running, but Service/Manager comm link is not connecting.
2008-03-07 11:08:00      Service running, but Service/Manager comm link is not connecting.
2008-03-07 11:33:43      Unable to connect to Service socket on TCP port 3300

That's the error log.
MSJoe

ASKER

Ok so Kiwi Syslog doesn't really work. I can't figure out what happened, I sent their support several emails and they just reply with their KB articles. I was unable to get support for presales or for the freeware version so at this point I am looking for another Syslog program. I can't figure out what happened, but the Kiwi Syslog software would not work on the server, I encountered several problems and I have error logs if someone would like me to explain. I installed it on another system and it worked just fine so it seems likely that it was another piece of software that was causing problems. As to what I don't know, and there wasn't anything installed that wasn't installed on the other system I installed Kiwi and it worked. (shrugs)
But you said that it works on a different computer?
MSJoe

ASKER

Yes, but the problem with that is it works on a workstation. I only have 1 server available to install it on for security and performance issues, and that is the one server that had a problem running it. I can't install it on a workstation, as it would work, but it is requiring that workstation to act as a Syslog server. That will not work in my environment.
ASKER CERTIFIED SOLUTION
Alan Huseyin Kayahan
MSJoe

ASKER

I don't think it is syslog software relating either, but I can't figure out what is going on, and Kiwi support has not been available to assist me at all.
Can you upload the output of
1) netstat -an in the command line of the "working workstation", while Kiwi is "not running"!
2) netstat -an in the command line of the "working workstation", while Kiwi is "running"!
3) netstat -an in the command line of the "not working server", while Kiwi is "running"!

You can take the output to a txt file by typing the command in the following syntax:
netstat -an >>c:\1.txt
MSJoe

ASKER

I spoke to Kiwi support and they are clueless as to what is happening, but I discovered that it works fine when installing it as an application. It fails to work properly when installed as a service, which doesn't seem to be an issue related to ports being used by other programs, as the ports used for the Syslog service are the same regardless of whether you install it as an application or a service.

As part of my troubleshooting I installed it as a service with domain admin privileges as well as as a local administrator, but still the service installation of Kiwi did not work on my server and I have no idea why.
Ah, totally forgot about that question, sorry about that MSJoe.
Lol, so installing Solarwinds Syslog was going to resolve the issue :)
MSJoe

ASKER

I looked for Solarwinds Syslog and I came up with Orion which has Syslog built in. If this is the product you are referring me to, NO WAY! I dealt with the people from Solarwinds before and let me tell you they never stop calling! I tried their software once and their sales force didn't take a hint and literally called me 3 times a week for several weeks. Not to mention, if the software you are referring me to is not free, I'm not interested if it costs $2,000.
MSJoe

ASKER

If I am wrong, please link me to the free syslog you are referring me to.