Solved

CentOS 5.6 iptables logging of port 110 to /var/log/110.log and logging of port 25 to /var/log/25.log

Posted on 2011-09-26
Last Modified: 2012-06-21
I am trying to get a box running CentOS 5.6 to log all connections to port 110 and 25 to separate logs in /var/log. I don't want to change any of the current logging already being done. I have found articles like:
http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-log-file.html
http://www.linuxquestions.org/questions/linux-security-4/iptables-logging-385165/
http://blog.shadypixel.com/log-iptables-messages-to-a-separate-file-with-rsyslog/
which point in the direction of where I want to go (especially #1). I need step-by-step:
1. vi /etc/aaa.config
2. add line bla bla bla
3. restart /etc/init.d/bla restart
4. vi iptables
5. add bla bla bla     -- for logging port 110 connections to /var/log/110.log
6. add bla bla bla     -- for logging port 25 connections to /var/log/25.log

There should be some sort of log rotation for this also, a 7-day rotation.
This is at the bottom of one of the links and I think should work:

Configure iptables Log Rotation

Finally, since we’re logging to a new file, it’s useful to create a log rotation rule. Create a file /etc/logrotate.d/iptables with the following contents:

# Note: invoke-rc.d is the Debian/Ubuntu service wrapper; on CentOS 5 the
# equivalent is "/sbin/service syslog reload" (or "service rsyslog reload"
# if rsyslog is the syslog daemon in use).
/var/log/iptables.log
{
      rotate 7
      daily
      missingok
      notifempty
      delaycompress
      compress
      postrotate
            invoke-rc.d rsyslog reload > /dev/null
      endscript
}

The preceding script tells logrotate to rotate the firewall log daily and keep logs from the past seven days.
0
Question by:knightdogs
11 Comments
 
LVL 40

Expert Comment

by:noci
ID: 36710696
The Linux kernel (and other tools) use the syslog mechanism to log issues.

You can select the facility & severity when you issue a log statement.
Any syslog server can discriminate per facility.severity to log files.

So, as you found out, you need to configure iptables with the right info & syslog to drop it in a file.
Depending on what you have now, such detailed instructions could be written.

Maybe there is a better way. Try syslog-ng as the syslog of choice.

There you can create filters and attach a source through a filter to a destination.
The source can be the kernel log.
The filter can be a match string for DPT=110 and DPT=25 respectively.
The output files can be named as you wish, or even with a date/time stamp in the name with renewal in syslog-ng. Or just drop them in a database, then you can select on all kinds of criteria...
0
 
LVL 31

Expert Comment

by:farzanj
ID: 36713996
There are many different ways of creating separate logging.

1. iptables, as you mentioned.
2. The service itself. For example, an SMTP program like sendmail or postfix may be configured to produce separate logs.
3. TCP wrappers can also be used to produce separate logging. It is easy to configure, but the daemon should support TCP wrappers.
4. xinetd, just like TCP wrappers.
0
 
 
LVL 40

Expert Comment

by:noci
ID: 36719509
Is this homework or what?
It really, really looks like it is.

If you know how to ask this, you can finish the task with the information given.

0
 

Author Comment

by:knightdogs
ID: 36719594
No, this is not homework.
The things I'm up against are:
1 - this is on a production server
2 - I have made changes before thinking they are "easy", only to find out I opened up the server to a huge footprint of vulnerabilities
3 - The article (#1) was done by "Vivek Gite on October 3, 2006"; OSes change and procedures change very fast, and what was done one way in 2006 might be totally wrong now
4 - Some of the examples I have looked at say
vi /etc/syslog.conf
Append following line
kern.warning /var/log/iptables.log

and others say
vi /etc/syslog.conf
Append following line
kern.=debug     /var/log/iptables.log

which one is right? (back to this being a production machine, so I can't just be guessing, changing stuff and hoping for the best......)

5. is the logging part correct?

I am sorry it sounds like homework and really easy to you; to some of us the path down Linux is a little more rocky than others.
0
 

Author Comment

by:knightdogs
ID: 36719629
I guess I could try to show my age......
let me see if I can answer this from my BB......

(-;
0
 
LVL 31

Expert Comment

by:farzanj
ID: 36757459
What SMTP and POP daemons are you using?  Sendmail and Dovecot?
0
 

Author Comment

by:knightdogs
ID: 36768157
postfix
0
 
LVL 40

Expert Comment

by:noci
ID: 36813145
Postfix is SMTP, what is the POP server?
0
 
LVL 40

Accepted Solution

by: noci (earned 2000 total points)
ID: 36813295
Ok, so you need to know more.
And you definitely need a test system (it can be run in a virtual machine).

3) A lot of software still works the same, but the manuals are mostly in man.

syslog has a few options (can be found through: man 5 syslog.conf)

4) syslog config

[facility].[level]
facility is stuff like mail, kern... these are hardcoded names.
level can be *, X, =X or !X, where X = (debug, info, warn, err, crit)
X means that level and higher (so mentioning info yields info, warning, error & crit)
=X means exactly that level
!X means not that level.


Append following line
kern.warning /var/log/iptables.log              #- so log all kernel warnings, errors & criticals to iptables.log & flush
kern.=debug     /var/log/iptables.log          #- log kernel debug only to iptables.log

It depends on the iptables statements used.
man iptables, searching for the LOG target, yields:

   LOG
       Turn  on  kernel logging of matching packets.  When this option is set for a rule, the Linux kernel will
       print some information on all matching packets (like most IP header fields) via the kernel log (where
       it can be read with dmesg or syslogd(8)).  This is a "non-terminating target", i.e. rule traversal continues
       at the next rule.  So if you want to LOG the packets you refuse, use two separate rules with  the
       same matching criteria, first using target LOG then DROP (or REJECT).

       --log-level level
              Level of logging (numeric or see syslog.conf(5)).

The facility = kern by virtue of the kernel log buffer.
The level can be set: by selecting debug you can achieve logging at the debug level with --log-level debug on an iptables LOG statement (last line in item 4).

5) Easy? Well, not exactly... but in 30 years in ICT you tend to pick something up.
But even then, knowing & understanding what you intend to do is way more valuable than demanding some flawless installation script.
It's always good practice to back up a certain config file before you change it, so changes can be undone.
0
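As an added illustration (not code from this thread or from any of the posters), a small Python model of the two points the accepted answer makes: which syslog.conf selector captures the messages an iptables LOG rule emits with --log-level debug (kern.=debug does, kern.warning does not), and splitting the resulting kernel lines by DPT=110 / DPT=25, which is the filter noci suggests for syslog-ng. The sample kernel lines, the POP3:/SMTP: prefixes (assumed to come from --log-prefix) and the addresses are constructed; the selector forms modelled are X, =X and *.

```python
"""Added model of two points from the thread: which syslog.conf selector
captures iptables LOG messages, and splitting those kernel lines per port."""
import re

# syslog priorities from lowest to highest severity, per syslog.conf(5)
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

def _rank(name):
    """Severity rank of a level name, accepting the aliases syslog.conf allows."""
    return LEVELS.index(ALIASES.get(name, name))

def selector_matches(selector, facility, level):
    """True if a selector such as 'kern.warning', 'kern.=debug' or '*.*' would
    capture a message logged with the given facility and level:
    'X' means X and every higher severity, '=X' exactly X, '*' everything."""
    sel_fac, sel_lvl = selector.split(".", 1)
    if sel_fac not in ("*", facility):
        return False
    if sel_lvl == "*":
        return True
    if sel_lvl.startswith("="):
        return _rank(sel_lvl[1:]) == _rank(level)
    return _rank(level) >= _rank(sel_lvl)

# Constructed sample kernel log lines (RFC 5737 test addresses) in the shape the
# LOG target emits; the 'POP3: ' / 'SMTP: ' prefixes assume a --log-prefix.
SAMPLE_KLOG = [
    "Sep 26 10:00:01 mail kernel: POP3: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT=110 SYN",
    "Sep 26 10:00:02 mail kernel: SMTP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40022 DPT=25 SYN",
    "Sep 26 10:00:03 mail kernel: usb 1-1: new high-speed USB device number 4",
    "Sep 26 10:00:04 mail kernel: POP3: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=52000 DPT=110 SYN",
]
DPT_RE = re.compile(r"\bDPT=(\d+)\b")

def split_by_dport(lines, ports=(110, 25)):
    """Route LOG lines into per-port buckets (the DPT=110 / DPT=25 match a
    syslog filter would apply); unrelated kernel lines are dropped."""
    buckets = {port: [] for port in ports}
    for line in lines:
        m = DPT_RE.search(line)
        if m and int(m.group(1)) in buckets:
            buckets[int(m.group(1))].append(line)
    return buckets

if __name__ == "__main__":
    # --log-level debug yields kern.debug: only kern.=debug and kern.* capture it
    for sel in ("kern.warning", "kern.=debug", "kern.*"):
        print(sel, selector_matches(sel, "kern", "debug"))
    for port, lines in split_by_dport(SAMPLE_KLOG).items():
        print(f"/var/log/{port}.log would receive {len(lines)} line(s)")
```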
 
LVL 40

Expert Comment

by:noci
ID: 36902810
Any more questions?
0
