HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Installation/Configuration > iptables syslog (http://www.howtoforge.com/forums/showthread.php?t=1883)

stefanr 31st December 2005 15:07

iptables syslog
 
Hello,

My installation of ISPConfig works fine, and my welcome messages work now as well, thanks to falko.
I have another question about iptables. The firewall of ISPConfig works fine (I think so), but I get no log information in any log file in /var/log/.

I have no idea how to solve this problem. How can I start the firewall of the ISPConfig tool so that the messages from the firewall are logged to /var/log/firewall.log?

My iptables -L on the console lists this:

Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere 127.0.0.0/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info
DROP all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level notice
LOG all -- anywhere anywhere LOG level debug
LOG all -- anywhere anywhere limit: avg 5/min burst 3 LOG level debug

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere

Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain PAROLE (16 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain PUB_IN (3 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:www
PAROLE tcp -- anywhere anywhere tcp dpt:81
PAROLE tcp -- anywhere anywhere tcp dpt:pop3
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:10000
PAROLE tcp -- anywhere anywhere tcp dpt:imap2
PAROLE tcp -- anywhere anywhere tcp dpt:imaps
PAROLE tcp -- anywhere anywhere tcp dpt:ssmtp
PAROLE tcp -- anywhere anywhere tcp dpt:socks
PAROLE tcp -- anywhere anywhere tcp dpt:14534
PAROLE tcp -- anywhere anywhere tcp dpt:8767
PAROLE tcp -- anywhere anywhere tcp dpt:1452
ACCEPT udp -- anywhere anywhere udp dpt:domain
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain PUB_OUT (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere


My /etc/syslog.conf:

# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.

#
# First some standard logfiles. Log by facility.
#

auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
#kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
uucp.* /var/log/uucp.log
kern.notice;kern.!warn /var/log/firewall.log
kern.warn -/var/log/kern.log


#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err

# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice

Has anyone an idea what I can do to log the firewall messages in /var/log/firewall.log?

I wish everyone a happy new year.

STEFAN

till 31st December 2005 15:51

You can enable logging in the Bastille firewall configuration. You must change the file in:

/etc/Bastille/bastille-firewall.cfg

and the master template:

/root/ispconfig/isp/conf/bastille-firewall.cfg.master

Then restart the firewall:

/etc/init.d/bastille-firewall restart

stefanr 31st December 2005 16:22

Quote:

Originally Posted by till
You can enable logging in the Bastille firewall configuration. You must change the file in:

Thanks for your fast reply.
My file
/etc/Bastille/bastille-firewall.cfg

(snip)
# 2) services for which we want to log access attempts to syslog (all systems)
# Note this only audits connection attempts from public interfaces
#
# Also see item 12, LOG_FAILURES
#
#TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# anyone probing for BackOrifice?
#UDP_AUDIT_SERVICES="31337"
# how about ICMP?
#ICMP_AUDIT_TYPES=""
#ICMP_AUDIT_TYPES="echo-request" # ping/MS tracert
#
# To enable auditing, you must have syslog configured to log "kern"
# messages of "info" level; typically you'd do this with a line in
# syslog.conf like
# kern.info /var/log/messages
# though the Bastille port monitor will normally want these messages
# logged to a named pipe instead, and the Bastille script normally
# configures syslog for "kern.*" which catches these messages
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
#TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
#UDP_AUDIT_SERVICES="31337"
#ICMP_AUDIT_TYPES=""

and this entry

IP_LOG_LEVEL=6 # iptables/netfilter default

(snip)

Quote:

Originally Posted by till
and the master template:

/root/ispconfig/isp/conf/bastille-firewall.cfg.master

Then restart the firewall:

/etc/init.d/bastille-firewall restart


I understood this as: the files are OK and the logging must work, but no entry comes in any file of /var/log/.

I have also changed my file /etc/sysconfig to:

# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.

#
# First some standard logfiles. Log by facility.
#

auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
#kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
uucp.* /var/log/uucp.log
kern.notice;kern.!warn;kern.info /var/log/firewall.log
kern.warn -/var/log/kern.log


What else can go wrong?

After all my changes I ran /etc/init.d/sysklogd restart, and restarted the firewall.

What can go wrong?

STEFAN
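The selectors in the two syslog.conf versions posted above decide which kernel priorities reach /var/log/firewall.log, and that is where the thread's confusion sits. The following is an added example, not code from the thread and not part of Bastille or ISPConfig: a small Python evaluator of sysklogd-style selectors as described in syslog.conf(5). "facility.priority" matches that priority and every more urgent one, a leading "!" removes that priority and every more urgent one, "=" restricts to a single priority, "none" removes the whole facility, and selectors separated by ";" are applied left to right, each adding to or removing from the set. Function and variable names are my own.

```python
# Priority names in order of decreasing urgency, as in syslog.conf(5);
# index 0 is the most urgent.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}


def prio_num(name):
    """Numeric priority (0 = emerg ... 7 = debug) for a name or alias."""
    return PRIORITIES.index(ALIASES.get(name, name))


def selector_matches(selector, facility, priority):
    """True if the selector list of a syslog.conf line (the part before the
    action, e.g. "kern.notice;kern.!warn") routes a message with the given
    facility and priority to that action. Selectors are applied left to
    right on a per-priority basis: a plain selector adds priorities, "!"
    removes them, "none" removes the whole facility."""
    msg_num = prio_num(priority)
    matched = False
    for sel in selector.split(";"):
        sel = sel.strip()
        if not sel:
            continue
        facs, _, prio = sel.rpartition(".")
        fac_list = [f.strip() for f in facs.split(",")]
        if "*" not in fac_list and facility not in fac_list:
            continue                        # selector is about another facility
        if prio == "none":
            matched = False                 # drop the whole facility
            continue
        negate = prio.startswith("!")
        if negate:
            prio = prio[1:]
        exact = prio.startswith("=")
        if exact:
            prio = prio[1:]
        if prio == "*":
            hit = True
        elif exact:
            hit = msg_num == prio_num(prio)
        else:
            hit = msg_num <= prio_num(prio)  # this priority or more urgent
        if hit:
            matched = not negate            # "!" removes, plain adds
    return matched


def matching_priorities(selector, facility):
    """All priority names of one facility that the selector routes."""
    return [p for p in PRIORITIES if selector_matches(selector, facility, p)]


if __name__ == "__main__":
    # The two selectors from the syslog.conf versions posted in this thread.
    for sel in ("kern.notice;kern.!warn", "kern.notice;kern.!warn;kern.info"):
        print(f"{sel}: {matching_priorities(sel, 'kern')}")
```

Run against the thread's own lines: "kern.notice;kern.!warn" routes only priority notice, so LOG rules that fire at level info (6, the IP_LOG_LEVEL=6 shown above) never reach /var/log/firewall.log; they still match the "*.*" line and end up in /var/log/syslog. The revised "kern.notice;kern.!warn;kern.info" routes info and every more urgent priority, so the earlier "!warn" exclusion has no remaining effect and warn-level kernel messages land in both firewall.log and kern.log.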

till 31st December 2005 16:40

I guess you have to uncomment e.g. this line in the bastille configuration:

TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"

to log connection attempts to the listed services.

Or you set the line:

LOG_FAILURES="N"

to:

LOG_FAILURES="Y"

if you want to log connection failures.

stefanr 31st December 2005 17:22

Quote:

Originally Posted by till
I guess you have to uncomment e.g. this line in the bastille configuration:

TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"

to log connection attempts to the listed services.

Or you set the line:

LOG_FAILURES="N"

to:

LOG_FAILURES="Y"

if you want to log connection failures.


Hey till, very kind of you, but I have changed the things that you said and I can't find any logs :-( What am I doing wrong?
I've added iptables -A INPUT -j LOG --log-level notice;
can this be the problem? I thought before that the firewall is only an iptables command..

FeraTechInc 11th March 2007 01:51

Uhh... well, I did all this. Now... where is the log file?

I can't find anything in /var/log. There is no iptables or bastille log file?

Can somebody help me out?

falko 11th March 2007 20:47

What's in /etc/Bastille/bastille-firewall.cfg?
Have you tried to restart the firewall?

wpwood3 29th January 2008 20:43

Answer to an old question
 
I know this is an old thread but I recently enabled logging in Bastille and finally found where it logs.

The log entries appear in /var/log/messages

I made some iptables rule changes and wanted to verify they were working so I edited /etc/Bastille/bastille-firewall.cfg and changed LOG_FAILURES to "Y" and then restarted Bastille with /etc/init.d/bastille-firewall restart

Since I only plan to allow logging temporarily, I did not edit /root/ispconfig/isp/conf/bastille-firewall.cfg.master. As till mentioned, you have to edit this file, too, if you don't want your changes to be overwritten when you reboot.

A word of warning...
Turning this on can generate LOTS of log entries in a very short period of time. I would not advise setting LOG_FAILURES="Y" and forgetting about it!
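Because the entries land in /var/log/messages mixed with other kernel output, and because LOG_FAILURES="Y" can produce a great many of them, a summary is more useful than reading the file by eye. The following is an added example, not part of the thread and not Bastille's or ISPConfig's code: a Python parser for the KEY=VALUE lines the netfilter LOG target writes after "kernel:", with a per-service and per-source count and a simple threshold for sources that hit the firewall repeatedly. The sample lines, the "FW-DROP:" prefix and the addresses are constructed for this example (documentation address ranges, not real hosts); the field names IN, OUT, SRC, DST, PROTO, SPT and DPT are the ones the LOG target actually emits.

```python
from collections import Counter

# Constructed sample of /var/log/messages lines. The KEY=VALUE layout after
# "kernel:" is what the netfilter LOG target writes; the "FW-DROP:" prefix is a
# made-up --log-prefix, and the MAC and addresses are documentation values.
# The last line is ordinary kernel output that must be ignored.
SAMPLE_LOG = """\
Jan 29 20:43:01 web kernel: FW-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=43210 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 29 20:43:02 web kernel: FW-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1002 DF PROTO=TCP SPT=43211 DPT=135 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 29 20:43:02 web kernel: FW-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=29 TOS=0x00 PREC=0x00 TTL=52 ID=1003 PROTO=UDP SPT=31337 DPT=31337 LEN=9
Jan 29 20:43:05 web kernel: FW-DROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=77 DF PROTO=TCP SPT=50000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 29 20:43:09 web kernel: eth0: link up, 100Mbps, full-duplex
"""


def parse_log_line(line):
    """Return a dict of the KEY=VALUE fields of one LOG-target line, plus
    'prefix' (text between 'kernel:' and 'IN=') and 'flags' (bare tokens
    such as DF or SYN). Returns None for kernel lines that are not LOG
    output. For UDP lines LEN appears twice (IP and UDP length); the
    second value wins, which is fine for counting purposes."""
    _, sep, rest = line.partition("kernel: ")
    if not sep or "IN=" not in rest:
        return None
    prefix, _, fields = rest.partition("IN=")
    record = {"prefix": prefix.strip(), "flags": []}
    for tok in ("IN=" + fields).split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "OUT=" yields an empty value
            record[key] = value
        else:
            record["flags"].append(tok)
    return record


def summarize(lines):
    """Count logged packets per (PROTO, DPT) and per SRC."""
    by_service = Counter()
    by_source = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        by_service[(rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
        by_source[rec.get("SRC", "?")] += 1
    return by_service, by_source


def noisy_sources(by_source, threshold):
    """Sources with at least `threshold` logged packets, sorted."""
    return sorted(src for src, n in by_source.items() if n >= threshold)


if __name__ == "__main__":
    by_service, by_source = summarize(SAMPLE_LOG.splitlines())
    for (proto, dpt), n in by_service.most_common():
        print(f"{proto:4} dpt {dpt:>6}: {n}")
    print("sources at or above 3 hits:", noisy_sources(by_source, 3))
```

To use it on a real system, feed the lines of /var/log/messages (or of /var/log/firewall.log, if the syslog.conf routing from earlier in the thread is in place) to summarize() instead of SAMPLE_LOG; a --log-prefix on the LOG rule makes the firewall lines easy to separate from other kernel messages, which is what the constructed "FW-DROP:" prefix stands in for.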

