Solved

centos 5.6 iptables logging of port 110 to /var/log/110.log and logging of port 25 to /var/log/25.log

Posted on 2011-09-26
11
578 Views
Last Modified: 2012-06-21
I am trying to get a box running centos 5.6 to log all connections to port 110 and 25 to separate logs in /var/log.  I don't want to change any of the current logging already being done.  I have found articles like:
http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-log-file.html
http://www.linuxquestions.org/questions/linux-security-4/iptables-logging-385165/
http://blog.shadypixel.com/log-iptables-messages-to-a-separate-file-with-rsyslog/
which point in the direction of where I want to go (especially #1).  I need step-by-step:
1. vi /etc/aaa.config
2. add line  bla bla bla
3. restart /etc/init.d/bla restart
4. vi iptables
5. add bla bla bla     --for logging port 110 connections to /var/log/110.log
6. add bla bla bla     ---for logging port 25 connections to /var/log/25.log

There should be some sort of log rotation for this also, 7 day rotation.
This is at the bottom of one of the links and I think should work:

Configure iptables Log Rotation

Finally, since we’re logging to a new file, it’s useful to create a log rotation rule. Create a file /etc/logrotate.d/iptables with the following contents:

/var/log/iptables.log
{
      rotate 7
      daily
      missingok
      notifempty
      delaycompress
      compress
      postrotate
            invoke-rc.d rsyslog reload > /dev/null
      endscript
}

The preceding script tells logrotate to rotate the firewall log daily and keep logs from the past seven days.
0
Comment
Question by:knightdogs
11 Comments
 
LVL 39

Expert Comment

by:noci
ID: 36710696
The Linux kernel (and other tools) use the syslog mechanism to log issues.

You can select the facility & severity when you issue a log statement.
Any syslog server can discriminate per facility.severity to log files.

So, as you found out, you need to configure iptables with the right info & syslog to drop it in a file.
Depending on what you have now, such detailed instructions could be written.

Maybe there is a better way. Try syslog-ng as the syslog of choice.

There you can create filters and attach a source through a filter to a destination.
The source can be the kernel log.
The filter can be a match string for DPT=110 and DPT=25 resp.
The output files can be named as you wish, or even with a date/time stamp in the name with renewal in syslog-ng. Or just drop them in a database, then you can select on all kinds of criteria...
0
 
LVL 31

Expert Comment

by:farzanj
ID: 36713996
There are many different ways of creating separate logging.

1.  iptables as you mentioned.
2.  The service itself.  For example an SMTP program like sendmail or postfix may be configured to produce separate logs.
3.  TCP wrappers can also be used to produce separate logging. It is easy to configure but the daemon should support TCP wrappers.
4.  xinetd, just like TCP wrappers.
0
 

Author Comment

by:knightdogs
ID: 36719112
I need step-by-step:
1. vi /etc/aaa.config
2. add line  bla bla bla
3. restart /etc/init.d/bla restart
4. vi iptables
5. add bla bla bla     --for logging port 110 connections to /var/log/110.log
6. add bla bla bla     ---for logging port 25 connections to /var/log/25.log

There should be some sort of log rotation for this also, 7 day rotation.
This is at the bottom of one of the links and I think should work:

Configure iptables Log Rotation

Finally, since we’re logging to a new file, it’s useful to create a log rotation rule. Create a file /etc/logrotate.d/iptables with the following contents:

/var/log/iptables.log
{
      rotate 7
      daily
      missingok
      notifempty
      delaycompress
      compress
      postrotate
            invoke-rc.d rsyslog reload > /dev/null
      endscript
}

The preceding script tells logrotate to rotate the firewall log daily and keep logs from the past seven days.
0
 
LVL 39

Expert Comment

by:noci
ID: 36719509
Is this homework or what?
It really, really looks like it is.

If you know how to ask this, you can finish the task with the information given.

0
 

Author Comment

by:knightdogs
ID: 36719594
No, this is not homework.  
The things I'm up against are
1-this is on a production server
2-I have made changes before thinking they are "Easy" only to find out I opened up the server to a huge footprint of vulnerabilities
3-The article (#1) was done by "Vivek Gite on October 3, 2006", OS's change and procedures change very fast, what was done one way in 2006 might be totally wrong now
4-Some of the examples I have looked at say
vi /etc/syslog.conf
Append following line
kern.warning /var/log/iptables.log

and others say
vi /etc/syslog.conf
Append following line
kern.=debug     /var/log/iptables.log

which one is right (back to this is a production machine so I can't just be guessing, changing stuff and hoping for the best...)

5. is the logging part correct?

I am sorry it sounds like homework and really easy to you, to some of us the path down Linux is a little more rocky than others.
0

Author Comment

by:knightdogs
ID: 36719629
I guess I could try to show my age...
let me see if I can answer this from my BB...

(-;
0
 
LVL 31

Expert Comment

by:farzanj
ID: 36757459
What SMTP and POP daemons are you using?  Sendmail and Dovecot?
0
 

Author Comment

by:knightdogs
ID: 36768157
postfix
0
 
LVL 39

Expert Comment

by:noci
ID: 36813145
Postfix is SMTP, what is the POP server?
0
 
LVL 39

Accepted Solution

by:
noci earned 500 total points
ID: 36813295
Ok, so you need to know more.
And you definitely need a test system (can be run in a virtual machine).

3) A lot of software still works the same.. but the manuals are mostly in man.

syslog has a few options (can be found through: man 5 syslog.conf)

4) syslog config

[facility].[level]
facility is stuff like mail, kern... these are hardcoded names.
level can be *, X or =X or !X where X = (debug, info, warn, err, crit)
X means that level and higher (so mentioning info yields info, warning, error & crit)
=X means exactly that level
!X means not that level.


Append following line
kern.warning /var/log/iptables.log              #- so log all kernel warnings, errors, & criticals to iptables.log & flush
kern.=debug     /var/log/iptables.log          #- log kernel debug only to iptables.log

It depends on the iptables statements used.
man iptables searching for the LOG target yields:

   LOG
       Turn  on  kernel logging of matching packets.  When this option is set for a rule, the Linux kernel will
       print some information on all matching packets (like most IP header fields) via the kernel log (where
       it can be read with dmesg or syslogd(8)).  This is a "non-terminating target", i.e. rule traversal continues
       at the next rule.  So if you want to LOG the packets you refuse, use two separate rules with  the
       same matching criteria, first using target LOG then DROP (or REJECT).

       --log-level level
              Level of logging (numeric or see syslog.conf(5)).

The facility = kern by virtue of the kernel log buffer.
The level can be set. By selecting debug you can achieve logging using the debug level with --log-level debug on an iptables LOG statement. (last line in item 4)

5) Easy? Well, not exactly.. but in 30 years in ICT you tend to pick something up.
But even then, knowing & understanding what you intend to do is way more valuable than trying to demand some flawless installation script.
It's always a good practice to back up a certain config file before you change it. So changes can be undone.
0
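Below is an added worked example, not code from the thread or from noci or knightdogs, that puts the accepted answer's pieces together: the two iptables LOG rules (--log-level debug, plus a --log-prefix of our own choice), the syslog side that splits the prefixed lines into /var/log/110.log and /var/log/25.log (the DPT=110 / DPT=25 split noci's first comment describes, keyed here on the prefix instead), and a logrotate stanza for both files. It assumes rsyslog is the syslog daemon, because the stock sysklogd syslog.conf can only select on facility.level and cannot route by message text, which is why the thread's kern.warning and kern.=debug lines both end up with everything in one iptables.log. The prefixes IPT110:/IPT25:, the hostname mx, the sample addresses and the LOGDIR demo directory are all constructed; the script prints the configs rather than applying them, and models the routing offline so it can be checked before anything is changed on the production box.

```shell
#!/bin/sh
# Added example, not code from the thread or from noci/knightdogs.
# Assumptions (labelled): rsyslog is the syslog daemon reading the kernel log,
# the log prefixes "IPT110: " / "IPT25: " are our own choice, and the demo
# writes to $LOGDIR instead of /var/log so it can run without root.
LOGDIR="${LOGDIR:-/tmp/iptlog-demo}"

# 1. The two iptables LOG rules, printed rather than applied.  LOG is
#    non-terminating (see the man excerpt above), so it is inserted at the
#    top of INPUT (-I INPUT 1) where it is reached before any ACCEPT/REJECT
#    rule; --state NEW logs one line per connection instead of one per
#    packet; --log-level debug keeps these lines at the level noci describes.
iptables_rules() {
    cat <<'EOF'
iptables -I INPUT 1 -p tcp --dport 110 -m state --state NEW -j LOG --log-prefix "IPT110: " --log-level debug
iptables -I INPUT 1 -p tcp --dport 25  -m state --state NEW -j LOG --log-prefix "IPT25: "  --log-level debug
EOF
}

# 2. rsyslog property filters keyed on the prefix (assumed rsyslog legacy
#    syntax).  "& ~" discards the matched line so it does not also land in
#    /var/log/messages; place these before the *.info catch-all line.
rsyslog_conf() {
    cat <<'EOF'
:msg, contains, "IPT110: "    /var/log/110.log
& ~
:msg, contains, "IPT25: "     /var/log/25.log
& ~
EOF
}

# 3. logrotate stanza for both files, 7 daily rotations, signalling rsyslog
#    the CentOS way (invoke-rc.d from the quoted blog is Debian-only).
logrotate_conf() {
    cat <<'EOF'
/var/log/110.log /var/log/25.log {
    rotate 7
    daily
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        /sbin/service rsyslog reload > /dev/null 2>&1 || true
    endscript
}
EOF
}

# 4. Offline model of what the two filters do: route one kernel log line by
#    its prefix into the matching file and report where it went.
route_line() {
    case "$1" in
        *"IPT110: "*) printf '%s\n' "$1" >> "$LOGDIR/110.log"; echo 110 ;;
        *"IPT25: "*)  printf '%s\n' "$1" >> "$LOGDIR/25.log";  echo 25 ;;
        *)            echo other ;;
    esac
}

# Constructed sample lines in the LOG target's output format (not real traffic).
route_sample() {
    mkdir -p "$LOGDIR"
    : > "$LOGDIR/110.log"
    : > "$LOGDIR/25.log"
    while IFS= read -r line; do
        route_line "$line" > /dev/null
    done <<'EOF'
Sep 26 10:01:02 mx kernel: IPT110: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=51000 DPT=110 SYN
Sep 26 10:01:05 mx kernel: IPT25: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=40222 DPT=25 SYN
Sep 26 10:01:09 mx kernel: IPT110: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=33010 DPT=110 SYN
Sep 26 10:01:11 mx kernel: e1000: eth0: link is up, unrelated to the firewall
EOF
}

count_110() { wc -l < "$LOGDIR/110.log" | tr -d ' '; }
count_25()  { wc -l < "$LOGDIR/25.log"  | tr -d ' '; }

# Stand-alone run: show the three config fragments, then the routed counts.
iptables_rules; echo; rsyslog_conf; echo; logrotate_conf; echo
route_sample
printf '110.log: %s lines, 25.log: %s lines\n' "$(count_110)" "$(count_25)"
```

Two checks worth doing on the test system noci recommends before the production box: `iptables -L INPUT -n --line-numbers` to confirm the LOG rules sit above the existing accept/reject rules (on CentOS 5 the INPUT chain usually jumps straight into RH-Firewall-1-INPUT, so a rule appended with -A may never be reached), and `logger -p kern.debug "IPT110: test"` to confirm the rsyslog filter writes the line to /var/log/110.log and nowhere else. The existing logging is untouched because the filters only divert lines carrying the two prefixes.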
 
LVL 39

Expert Comment

by:noci
ID: 36902810
any more questions?
0
