Solved

CentOS 5.6 iptables logging of port 110 to /var/log/110.log and logging of port 25 to /var/log/25.log

Posted on 2011-09-26
Last Modified: 2012-06-21
I am trying to get a box running CentOS 5.6 to log all connections to port 110 and 25 to separate logs in /var/log. I don't want to change any of the current logging already being done. I have found articles like:
http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-log-file.html
http://www.linuxquestions.org/questions/linux-security-4/iptables-logging-385165/
http://blog.shadypixel.com/log-iptables-messages-to-a-separate-file-with-rsyslog/
which point in the direction of where I want to go (especially #1). I need step-by-step:
1. vi /etc/aaa.config
2. add line bla bla bla
3. restart: /etc/init.d/bla restart
4. vi iptables
5. add bla bla bla     -- for logging port 110 connections to /var/log/110.log
6. add bla bla bla     -- for logging port 25 connections to /var/log/25.log

There should be some sort of log rotation for this also, a 7-day rotation.
This is at the bottom of one of the links and I think should work:

Configure iptables Log Rotation

Finally, since we’re logging to a new file, it’s useful to create a log rotation rule. Create a file /etc/logrotate.d/iptables with the following contents:

/var/log/iptables.log
{
      rotate 7
      daily
      missingok
      notifempty
      delaycompress
      compress
      postrotate
            invoke-rc.d rsyslog reload > /dev/null
      endscript
}

The preceding script tells logrotate to rotate the firewall log daily and keep logs from the past seven days.
Question by: knightdogs

11 Comments
 
LVL 40

Expert Comment

by:noci
ID: 36710696
The Linux kernel (and other tools) use the syslog mechanism to log issues.

You can select the facility & severity when you issue a log statement.
Any syslog server can discriminate per facility.severity to log files.

So as you found out you need to configure iptables with the right info & syslog to drop it in a file.
Depending on what you have now, such detailed instructions could be written.

Maybe there is a better way. Try syslog-ng as the syslog of choice.

There you can create filters and attach a source through a filter to a destination.
The source can be the kernel log
The filter can be a match string for DPT=110 and DPT=25 resp.
The output files can be named as you wish, or even with a date/time stamp in the name with renewal in syslog-ng. Or just drop them in a database, then you can select on all kinds of criteria...
 
LVL 31

Expert Comment

by:farzanj
ID: 36713996
There are many different ways of creating separate logging.

1. iptables, as you mentioned.
2. The service itself. For example, an SMTP program like sendmail or postfix may be configured to produce separate logs.
3. TCP wrappers can also be used to produce separate logging. It is easy to configure, but the daemon should support TCP wrappers.
4. xinetd, just like TCP wrappers.
 

Author Comment

by:knightdogs
ID: 36719112
I need step-by-step:
1. vi /etc/aaa.config
2. add line bla bla bla
3. restart: /etc/init.d/bla restart
4. vi iptables
5. add bla bla bla     -- for logging port 110 connections to /var/log/110.log
6. add bla bla bla     -- for logging port 25 connections to /var/log/25.log

There should be some sort of log rotation for this also, a 7-day rotation.
This is at the bottom of one of the links and I think should work:

Configure iptables Log Rotation

Finally, since we’re logging to a new file, it’s useful to create a log rotation rule. Create a file /etc/logrotate.d/iptables with the following contents:

/var/log/iptables.log
{
      rotate 7
      daily
      missingok
      notifempty
      delaycompress
      compress
      postrotate
            invoke-rc.d rsyslog reload > /dev/null
      endscript
}

The preceding script tells logrotate to rotate the firewall log daily and keep logs from the past seven days.
 
LVL 40

Expert Comment

by:noci
ID: 36719509
Is this homework or what?
It really, really looks like it is.

If you know how to ask this, you can finish the task with the information given.
 

Author Comment

by:knightdogs
ID: 36719594
No, this is not homework.
The things I'm up against are:
1. This is on a production server.
2. I have made changes before thinking they are "easy", only to find out I opened up the server to a huge footprint of vulnerabilities.
3. The article (#1) was done by "Vivek Gite on October 3, 2006"; OSs change and procedures change very fast, what was done one way in 2006 might be totally wrong now.
4. Some of the examples I have looked at say
vi /etc/syslog.conf
Append following line
kern.warning /var/log/iptables.log

and others say
vi /etc/syslog.conf
Append following line
kern.=debug     /var/log/iptables.log

Which one is right? (Back to this being a production machine, so I can't just be guessing, changing stuff and hoping for the best...)

5. Is the logging part correct?

I am sorry it sounds like homework and really easy to you; to some of us the path down Linux is a little more rocky than others.
 

Author Comment

by:knightdogs
ID: 36719629
I guess I could try to show my age......
Let me see if I can answer this from my BB......

(-;
 
LVL 31

Expert Comment

by:farzanj
ID: 36757459
What SMTP and POP daemons are you using?  Sendmail and Dovecot?
 

Author Comment

by:knightdogs
ID: 36768157
Postfix
 
LVL 40

Expert Comment

by:noci
ID: 36813145
Postfix is SMTP, what is the POP server?
 
LVL 40

Accepted Solution

by:
noci earned 500 total points
ID: 36813295
OK, so you need to know more.
And you definitely need a test system (can be run in a virtual machine).

3) A lot of software still works the same, but the manuals are mostly in man.

syslog has a few options (can be found through: man 5 syslog.conf)

4) syslog config

[facility].[level]
facility is stuff like mail, kern... these are hardcoded names.
level can be *, X, =X or !X where X = (debug, info, warn, err, crit)
X means that level and higher (so mentioning info yields info, warning, error & crit)
=X means exactly that level
!X means not that level.


Append following line
kern.warning /var/log/iptables.log              #- so log all kernel warnings , errors, & criticals to iptables.log & flush
kern.=debug     /var/log/iptables.log          #- log kernel debug only to iptables.log

It depends on the iptables statements used.
man iptables, searching for the LOG target, yields:

   LOG
       Turn  on  kernel logging of matching packets.  When this option is set for a rule, the Linux kernel will
       print some information on all matching packets (like most IP header fields) via the kernel log (where
       it can be read with dmesg or syslogd(8)).  This is a "non-terminating target", i.e. rule traversal continues
       at the next rule.  So if you want to LOG the packets you refuse, use two separate rules with  the
       same matching criteria, first using target LOG then DROP (or REJECT).

       --log-level level
              Level of logging (numeric or see syslog.conf(5)).

The facility = kern by virtue of the kernel log buffer.
The level can be set: by selecting debug you can achieve logging at the debug level with --log-level debug on an iptables LOG statement (last line in item 4).

5) Easy? Well, not exactly, but in 30 years in ICT you tend to pick something up.
But even then, knowing & understanding what you intend to do is way more valuable than demanding some flawless installation script.
It's always good practice to back up a certain config file before you change it, so changes can be undone.
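One way to rehearse the per-port split noci describes (a content filter on the kernel log, as in the first comment and in the accepted solution above) on a test box before touching the production syslog config; this is an added example, not code from the thread. It assumes rsyslog rather than the stock sysklogd (sysklogd only selects on facility.level, so kern.=debug alone cannot separate port 110 from port 25), and the --log-prefix values, rsyslog.conf lines and sample log lines are my own constructions.

```shell
#!/bin/sh
# Added example (not from the thread): split iptables LOG lines by destination
# port the way an rsyslog or syslog-ng content filter would, so the match
# strings can be checked on a test box before the production syslog config is
# touched. Assumed rules producing the prefixes "IPT-POP3: " and "IPT-SMTP: ":
#   iptables -I INPUT -p tcp --dport 110 -m state --state NEW \
#       -j LOG --log-prefix "IPT-POP3: " --log-level debug
#   iptables -I INPUT -p tcp --dport 25 -m state --state NEW \
#       -j LOG --log-prefix "IPT-SMTP: " --log-level debug
# Matching rsyslog.conf lines (legacy property filters; without a "& ~" after
# them the messages still reach /var/log/messages, so existing logging stays):
#   :msg, contains, "IPT-POP3: "    /var/log/110.log
#   :msg, contains, "IPT-SMTP: "    /var/log/25.log

# Constructed sample of what syslog writes for those rules (not real traffic).
# Line 4 is a decoy: it contains "port 1100" and must not land in 110.log.
SAMPLE_LOG='Sep 26 10:01:02 mail kernel: IPT-POP3: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=110 SYN URGP=0
Sep 26 10:01:03 mail kernel: IPT-SMTP: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=40011 DPT=25 SYN URGP=0
Sep 26 10:01:04 mail kernel: IPT-POP3: IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.5 PROTO=TCP SPT=33333 DPT=110 SYN URGP=0
Sep 26 10:01:05 mail sshd[2211]: Accepted publickey for admin from 192.0.2.40 port 1100 ssh2
Sep 26 10:01:06 mail kernel: eth0: link up'

# split_iptables_log DIR: read syslog lines on stdin, append POP3 hits to
# DIR/110.log and SMTP hits to DIR/25.log; anything else is left alone.
# Anchoring on " kernel: <prefix>" is what makes a bare grep for "110" unsafe
# to copy into a filter: the decoy line would match, and so would DPT=1100.
split_iptables_log() {
  dir="$1"
  while IFS= read -r line; do
    case "$line" in
      *" kernel: IPT-POP3: "*) printf '%s\n' "$line" >> "$dir/110.log" ;;
      *" kernel: IPT-SMTP: "*) printf '%s\n' "$line" >> "$dir/25.log" ;;
    esac
  done
}

# count_lines FILE: number of lines in FILE, 0 if it does not exist.
count_lines() {
  if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

OUT=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOG" | split_iptables_log "$OUT"
echo "110.log: $(count_lines "$OUT/110.log") lines, 25.log: $(count_lines "$OUT/25.log") lines"
```

The logrotate stanza quoted in the question uses invoke-rc.d in postrotate, which is Debian's tool; on CentOS the reload goes through /sbin/service instead. Both new files can share one stanza by listing both paths before the opening brace.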
 
LVL 40

Expert Comment

by:noci
ID: 36902810
Any more questions?