Solved

CentOS 5.6 iptables logging of port 110 to /var/log/110.log and logging of port 25 to /var/log/25.log

Posted on 2011-09-26
Last Modified: 2012-06-21
I am trying to get a box running CentOS 5.6 to log all connections to ports 110 and 25 to separate logs in /var/log. I don't want to change any of the current logging already being done. I have found articles like:
http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-log-file.html
http://www.linuxquestions.org/questions/linux-security-4/iptables-logging-385165/
http://blog.shadypixel.com/log-iptables-messages-to-a-separate-file-with-rsyslog/
which point in the direction of where I want to go (especially #1). I need step-by-step:
1. vi /etc/aaa.config
2. add line bla bla bla
3. restart /etc/init.d/bla restart
4. vi iptables
5. add bla bla bla     -- for logging port 110 connections to /var/log/110.log
6. add bla bla bla     -- for logging port 25 connections to /var/log/25.log

There should be some sort of log rotation for this as well, a 7-day rotation.
This is at the bottom of one of the links, and I think it should work:

Configure iptables Log Rotation

Finally, since we’re logging to a new file, it’s useful to create a log rotation rule. Create a file /etc/logrotate.d/iptables with the following contents:

/var/log/iptables.log
{
      rotate 7
      daily
      missingok
      notifempty
      delaycompress
      compress
      postrotate
            invoke-rc.d rsyslog reload > /dev/null
      endscript
}

The preceding script tells logrotate to rotate the firewall log daily and keep logs from the past seven days.
Question by:knightdogs
11 Comments

Expert Comment

by:noci
ID: 36710696
The Linux kernel (and other tools) use the syslog mechanism to log issues.

You can select the facility & severity when you issue a log statement.
Any syslog server can discriminate per facility.severity to log files.

So as you found out, you need to configure iptables with the right info & syslog to drop it in a file.
Depending on what you have now, such detailed instructions could be written.

Maybe there is a better way. Try syslog-ng as the syslog of choice.

There you can create filters and attach a source through a filter to a destination.
The source can be the kernel log.
The filter can be a match string for DPT=110 and DPT=25 resp.
The output files can be named as you wish, or even with a date/time stamp in the name with renewal in syslog-ng. Or just drop them in a database, then you can select on all kinds of criteria...
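As an added example (not code from the thread, from noci or from Experts Exchange), here is a small Python filter that does what the syslog-ng setup described above would do: it reads kernel LOG lines, parses the KEY=VALUE fields the iptables LOG target prints, and appends lines with DPT=110 and DPT=25 to 110.log and 25.log. The sample lines are constructed, the IPT-POP3/IPT-SMTP prefixes assume the LOG rules were written with --log-prefix, and output goes to a temporary directory rather than /var/log.

```python
import os
import re
import tempfile

# Added example (not from the thread): route iptables LOG lines into per-port
# files by parsing the DPT= field, the job the syslog-ng filter above describes,
# but comparing the whole field instead of a substring.

# Constructed sample syslog lines in the shape the iptables LOG target emits.
# The "IPT-POP3: " / "IPT-SMTP: " prefixes assume LOG rules written with --log-prefix.
SAMPLE_LINES = [
    "Sep 26 10:01:02 mail kernel: IPT-POP3: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12345 DF PROTO=TCP "
    "SPT=51234 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Sep 26 10:01:05 mail kernel: IPT-SMTP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=22222 DF PROTO=TCP "
    "SPT=40000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Sep 26 10:01:09 mail kernel: IPT-SMTP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.12 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=33333 DF PROTO=TCP "
    "SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    # a different service whose port merely starts with "25"
    "Sep 26 10:01:12 mail kernel: IPT-OTHER: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.13 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=44444 DF PROTO=TCP "
    "SPT=40002 DPT=2525 WINDOW=5840 RES=0x00 SYN URGP=0",
    # not a firewall line at all
    "Sep 26 10:01:15 mail sshd[1234]: Accepted publickey for admin from 192.0.2.13 port 40002 ssh2",
]

# Destination port -> file name, mirroring the 110.log / 25.log the question asks for.
ROUTES = {"110": "110.log", "25": "25.log"}

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_iptables_line(line):
    """Return the KEY=VALUE fields of an iptables LOG line as a dict, or None
    when the line is not a kernel packet log (no DPT/PROTO fields)."""
    if " kernel: " not in line:
        return None
    fields = dict(KV_RE.findall(line.split(" kernel: ", 1)[1]))
    if "DPT" not in fields or "PROTO" not in fields:
        return None
    return fields


def route_lines(lines, outdir):
    """Append each TCP line whose DPT is in ROUTES to its per-port file under
    outdir and return how many lines each port received."""
    counts = {port: 0 for port in ROUTES}
    for line in lines:
        fields = parse_iptables_line(line)
        if fields is None or fields["PROTO"] != "TCP":
            continue
        name = ROUTES.get(fields["DPT"])  # exact match on the whole field
        if name is None:
            continue
        with open(os.path.join(outdir, name), "a") as fh:
            fh.write(line + "\n")
        counts[fields["DPT"]] += 1
    return counts


def naive_substring_count(lines, needle):
    """What a plain 'contains' style filter would match; shown for comparison."""
    return sum(1 for line in lines if needle in line)


def demo():
    """Route the constructed sample into a temporary directory (not /var/log)."""
    outdir = tempfile.mkdtemp(prefix="iptables-demo-")
    return route_lines(SAMPLE_LINES, outdir), outdir


if __name__ == "__main__":
    counts, outdir = demo()
    print("routed per port:", counts, "into", outdir)
    print("naive 'DPT=25' substring hits:", naive_substring_count(SAMPLE_LINES, "DPT=25"))
```

Matching the parsed DPT field exactly is the point of the parser: a plain substring filter on "DPT=25" (syslog-ng's match() or rsyslog's `:msg, contains, "DPT=25"`) also accepts DPT=250 or DPT=2525, which naive_substring_count() shows against the sample. In the syslog daemon itself the equivalent fix is to include the trailing space ("DPT=25 ") or, more robustly, to give each LOG rule its own --log-prefix and filter on that.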

Expert Comment

by:farzanj
ID: 36713996
There are many different ways of creating separate logging.

1.  iptables, as you mentioned.
2.  The service itself.  For example, an SMTP program like Sendmail or Postfix may be configured to produce separate logs.
3.  TCP wrappers can also be used to produce separate logging. It is easy to configure, but the daemon should support TCP wrappers.
4.  xinetd, just like TCP wrappers.

Author Comment

by:knightdogs
ID: 36719112
I need step-by-step:
1. vi /etc/aaa.config
2. add line bla bla bla
3. restart /etc/init.d/bla restart
4. vi iptables
5. add bla bla bla     -- for logging port 110 connections to /var/log/110.log
6. add bla bla bla     -- for logging port 25 connections to /var/log/25.log

There should be some sort of log rotation for this as well, a 7-day rotation.
This is at the bottom of one of the links, and I think it should work:

Configure iptables Log Rotation

Finally, since we’re logging to a new file, it’s useful to create a log rotation rule. Create a file /etc/logrotate.d/iptables with the following contents:

/var/log/iptables.log
{
      rotate 7
      daily
      missingok
      notifempty
      delaycompress
      compress
      postrotate
            invoke-rc.d rsyslog reload > /dev/null
      endscript
}

The preceding script tells logrotate to rotate the firewall log daily and keep logs from the past seven days.

Expert Comment

by:noci
ID: 36719509
Is this homework, or what?
It really, really looks like it is.

If you know how to ask this, you can finish the task with the information given.


Author Comment

by:knightdogs
ID: 36719594
No, this is not homework.
The things I'm up against are:
1. This is on a production server.
2. I have made changes before thinking they are "easy", only to find out I opened up the server to a huge footprint of vulnerabilities.
3. The article (#1) was done by "Vivek Gite on October 3, 2006". OSes change and procedures change very fast; what was done one way in 2006 might be totally wrong now.
4. Some of the examples I have looked at say:
vi /etc/syslog.conf
Append following line
kern.warning /var/log/iptables.log

and others say:
vi /etc/syslog.conf
Append following line
kern.=debug     /var/log/iptables.log

Which one is right? (Back to this being a production machine, so I can't just be guessing, changing stuff and hoping for the best...)

5. Is the logging part correct?

I am sorry it sounds like homework and really easy to you; to some of us the path down Linux is a little more rocky than others.

Author Comment

by:knightdogs
ID: 36719629
I guess I could try to show my age...
Let me see if I can answer this from my BB...

(-;

Expert Comment

by:farzanj
ID: 36757459
What SMTP and POP daemons are you using?  Sendmail and Dovecot?

Author Comment

by:knightdogs
ID: 36768157
postfix

Expert Comment

by:noci
ID: 36813145
Postfix is SMTP, what is the POP server?

Accepted Solution

by: noci (earned 2000 total points)
ID: 36813295
Ok, so you need to know more.
And you definitely need a test system (can be run in a virtual machine).

3) A lot of software still works the same... but the manuals are mostly in man.

syslog has a few options (can be found through: man 5 syslog.conf)

4) syslog config

[facility].[level]
facility is stuff like mail, kern... these are hardcoded names.
level can be *, X, =X or !X where X = (debug, info, warn, err, crit)
X means the level and higher (so mentioning info yields info, warning, error & crit)
=X means exactly that level
!X means not that level.


Append following line
kern.warning /var/log/iptables.log              #- so log all kernel warnings, errors & criticals to iptables.log & flush
kern.=debug     /var/log/iptables.log          #- log kernel debug only to iptables.log

It depends on the iptables statements used.
man iptables, searching for the LOG target, yields:

   LOG
       Turn  on  kernel logging of matching packets.  When this option is set for a rule, the Linux kernel will
       print some information on all matching packets (like most IP header fields) via the kernel log (where
       it can be read with dmesg or syslogd(8)).  This is a "non-terminating target", i.e. rule traversal continues
       at the next rule.  So if you want to LOG the packets you refuse, use two separate rules with  the
       same matching criteria, first using target LOG then DROP (or REJECT).

       --log-level level
              Level of logging (numeric or see syslog.conf(5)).

The facility = kern by virtue of the kernel log buffer.
The level can be set; by selecting debug you can achieve logging using the debug level with --log-level debug on an iptables LOG statement (last line in item 4).

5) Easy? Well, not exactly... but in 30 years in ICT you tend to pick something up.
But even then, knowing & understanding what you intend to do is way more valuable than demanding some flawless installation script.
It's always a good practice to back up a certain config file before you change it, so changes can be undone.
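As an added example, not code from the thread or from noci: a small Python model of the selector rules in syslog.conf(5) that noci lists above, used to check which of the two candidate lines from the question (kern.warning versus kern.=debug) receives a packet logged by an iptables LOG rule at a given --log-level. The syslog.conf extract is constructed; it pairs a /var/log/messages line like the stock CentOS one with the two candidate lines, sent to different files here so each one's effect is visible (/var/log/iptables-debug.log is a made-up name for that purpose).

```python
# Added example (not from the thread): a model of the syslog.conf selector rules
# from syslog.conf(5), applied to kernel messages produced by iptables LOG rules.

# Priorities in severity order: index 0 is the most severe.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}


def level_name(level):
    """Normalise a priority given by name, alias or number (iptables
    --log-level accepts either) to its canonical syslog.conf name."""
    level = str(level)
    if level.isdigit():
        return LEVELS[int(level)]
    return ALIASES.get(level, level)


def level_index(level):
    return LEVELS.index(level_name(level))


def selector_field_matches(field, facility, level):
    """Decide whether the selector field of one syslog.conf line (one or more
    'facility.priority' selectors joined by ';') accepts a message.

    Rules as in syslog.conf(5):
      X    -> priority X and everything more severe
      =X   -> exactly X
      !X   -> drop X and everything more severe from what earlier selectors in
              the same field allowed ('!=X' drops only X)
      *    -> all priorities; none -> nothing for that facility
    Selectors apply left to right, so '*.info;mail.none' keeps info and above
    for every facility except mail.
    """
    accepted = set()  # indices of priorities currently accepted for `facility`
    for selector in field.split(";"):
        fac_part, pri = selector.rsplit(".", 1)
        facilities = fac_part.split(",")
        if facility not in facilities and "*" not in facilities:
            continue
        negate = pri.startswith("!")
        pri = pri.lstrip("!")
        if pri == "none":
            accepted = set(range(len(LEVELS))) if negate else set()
            continue
        if pri == "*":
            levels = set(range(len(LEVELS)))
        elif pri.startswith("="):
            levels = {level_index(pri[1:])}
        else:
            levels = set(range(level_index(pri) + 1))
        if negate:
            accepted -= levels
        else:
            accepted |= levels
    return level_index(level) in accepted


def files_receiving(config_text, facility, level):
    """Return the action (log file) of every config line that accepts a
    message logged with the given facility and priority."""
    actions = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        field, action = line.split(None, 1)
        if selector_field_matches(field, facility, level):
            actions.append(action.strip())
    return actions


# Constructed syslog.conf extract: a /var/log/messages line like the stock
# CentOS one, plus the two candidate iptables lines quoted in the thread, each
# sent to its own (made-up) file so the effect of each is visible.
SAMPLE_SYSLOG_CONF = """
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
kern.warning                                    /var/log/iptables.log
kern.=debug                                     /var/log/iptables-debug.log
"""


def iptables_log_destinations(log_level):
    """Where a packet logged by 'iptables ... -j LOG --log-level <log_level>'
    ends up: the kernel log buffer means facility 'kern'."""
    return files_receiving(SAMPLE_SYSLOG_CONF, "kern", level_name(log_level))


if __name__ == "__main__":
    for lvl in ("warning", "debug", 7):
        print(lvl, "->", iptables_log_destinations(lvl))
```

Run against the extract, a LOG rule with --log-level debug lands only in the kern.=debug file, while one at warning lands in the kern.warning file and in /var/log/messages too, because the *.info selector already covers warning. That is the practical difference between the two lines the question compared: the debug level is the one that adds the new file without touching what /var/log/messages already receives.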

Expert Comment

by:noci
ID: 36902810
any more questions?