#1
31st December 2005, 14:07
stefanr (HowtoForge Supporter)
iptables syslog

Hello,

My installation of ISPConfig works fine, and my welcome messages work now as well, thanks to falko.
I have another question about iptables: the firewall of ISPConfig works fine (I think so), but I get no log information in any log files in /var/log/.

I have no idea how to fix this problem. How can I start the firewall of the ISPConfig tool so that the messages from the firewall are logged to /var/log/firewall.log?

My iptables -L on the console lists this:

Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere 127.0.0.0/8
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
PUB_IN all -- anywhere anywhere
DROP all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info
DROP all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level notice
LOG all -- anywhere anywhere LOG level debug
LOG all -- anywhere anywhere limit: avg 5/min burst 3 LOG level debug

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere
PUB_OUT all -- anywhere anywhere

Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain PAROLE (16 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain PUB_IN (3 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:www
PAROLE tcp -- anywhere anywhere tcp dpt:81
PAROLE tcp -- anywhere anywhere tcp dpt:pop3
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:10000
PAROLE tcp -- anywhere anywhere tcp dpt:imap2
PAROLE tcp -- anywhere anywhere tcp dpt:imaps
PAROLE tcp -- anywhere anywhere tcp dpt:ssmtp
PAROLE tcp -- anywhere anywhere tcp dpt:socks
PAROLE tcp -- anywhere anywhere tcp dpt:14534
PAROLE tcp -- anywhere anywhere tcp dpt:8767
PAROLE tcp -- anywhere anywhere tcp dpt:1452
ACCEPT udp -- anywhere anywhere udp dpt:domain
DROP icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain PUB_OUT (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere


My /etc/syslog.conf:

# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.

#
# First some standard logfiles. Log by facility.
#

auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
#kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
uucp.* /var/log/uucp.log
kern.notice;kern.!warn /var/log/firewall.log
kern.warn -/var/log/kern.log


#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err

# Logging for INN news system
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice

Does anyone have an idea what I can do to log the firewall messages in /var/log/firewall.log?

I wish everyone a happy new year.

STEFAN

#2
31st December 2005, 14:51
till (Super Moderator)

You can enable logging in the bastille firewall configuration. You must change the file in:

/etc/Bastille/bastille-firewall.cfg

and the master template:

/root/ispconfig/isp/conf/bastille-firewall.cfg.master

Then restart the firewall:

/etc/init.d/bastille-firewall restart
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#3
31st December 2005, 15:22
stefanr (HowtoForge Supporter)

Quote:
Originally Posted by till
You can enable logging in the bastille firewall configuration. You must change the file in:
Thanks for your fast reply.
My file
/etc/Bastille/bastille-firewall.cfg

snip
# 2) services for which we want to log access attempts to syslog (all systems)
# Note this only audits connection attempts from public interfaces
#
# Also see item 12, LOG_FAILURES
#
#TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# anyone probing for BackOrifice?
#UDP_AUDIT_SERVICES="31337"
# how about ICMP?
#ICMP_AUDIT_TYPES=""
#ICMP_AUDIT_TYPES="echo-request" # ping/MS tracert
#
# To enable auditing, you must have syslog configured to log "kern"
# messages of "info" level; typically you'd do this with a line in
# syslog.conf like
# kern.info /var/log/messages
# though the Bastille port monitor will normally want these messages
# logged to a named pipe instead, and the Bastille script normally
# configures syslog for "kern.*" which catches these messages
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
#TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
#UDP_AUDIT_SERVICES="31337"
#ICMP_AUDIT_TYPES=""

and this entry

IP_LOG_LEVEL=6 # iptables/netfilter default

snap

Quote:
Originally Posted by till
and the master template:

/root/ispconfig/isp/conf/bastille-firewall.cfg.master

Then restart the firewall:

/etc/init.d/bastille-firewall restart

I understood this to mean that the files are OK and the logging should work, but no entries show up in any files of /var/log/

My file /etc/sysconfig I have also changed to:

# /etc/syslog.conf Configuration file for syslogd.
#
# For more information see syslog.conf(5)
# manpage.

#
# First some standard logfiles. Log by facility.
#

auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
#kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
uucp.* /var/log/uucp.log
kern.notice;kern.!warn;kern.info /var/log/firewall.log
kern.warn -/var/log/kern.log


What else can go wrong?

After all my changes I restarted with /etc/init.d/sysklogd restart, and the firewall.

What can go wrong?

STEFAN

Last edited by stefanr; 31st December 2005 at 15:24.
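
Added example, not part of any post in this thread: a simplified Python model of the left-to-right selector rules documented in syslog.conf(5), run over the kern-relevant lines of the two syslog.conf versions posted above, to show which files a kernel message of a given priority would be written to (IP_LOG_LEVEL=6 corresponds to info). The function names are made up for this example, and it models selector matching only, not whether klogd/syslogd are running or whether a packet ever reaches a LOG rule.

```python
# Added example: simplified model of syslog.conf(5) selector matching (sysklogd).
PRI = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warn": 4,
       "warning": 4, "notice": 5, "info": 6, "debug": 7}

def selector_mask(selector_field, facility):
    """Priorities (as numbers) that a selector field accepts for one facility."""
    mask = set()
    for sel in selector_field.split(";"):      # applied left to right
        facs, _, prio = sel.partition(".")
        if not {"*", facility} & set(facs.split(",")):
            continue
        negate = prio.startswith("!")
        prio = prio.lstrip("!")
        exact = prio.startswith("=")
        prio = prio.lstrip("=")
        if prio == "none":
            levels, negate = set(range(8)), True
        elif prio == "*":
            levels = set(range(8))
        elif exact:
            levels = {PRI[prio]}
        else:
            levels = set(range(PRI[prio] + 1))  # this priority and more severe
        mask = mask - levels if negate else mask | levels
    return mask

def destinations(conf_text, facility, priority):
    """Files that would receive a message of facility.priority."""
    hits = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if PRI[priority] in selector_mask(selector, facility):
            hits.append(action.lstrip("-"))     # leading "-" only disables sync
    return hits

# Constructed input: the kern-relevant lines of the syslog.conf from post #1 ...
CONF_POST1 = """
*.*;auth,authpriv.none -/var/log/syslog
kern.notice;kern.!warn /var/log/firewall.log
kern.warn -/var/log/kern.log
"""
# ... and the same lines with the firewall.log selector as changed in post #3.
CONF_POST3 = CONF_POST1.replace("kern.!warn ", "kern.!warn;kern.info ")

if __name__ == "__main__":
    for name, conf in (("post #1", CONF_POST1), ("post #3", CONF_POST3)):
        for prio in ("debug", "info", "notice", "warn"):
            print(name, "kern." + prio, "->", destinations(conf, "kern", prio))
```

In this model the post #1 selector for firewall.log accepts only kern.notice, so LOG rules at level info or debug never match it, while the catch-all line still routes them to /var/log/syslog. The post #3 selector accepts info and everything more severe.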

#4
31st December 2005, 15:40
till (Super Moderator)
I guess you have to uncomment e.g. this line in the bastille configuration:

TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"

to log connection attempts to the listed services.

Or you set the line:

LOG_FAILURES="N"

to:

LOG_FAILURES="Y"

if you want to log connection failures.

#5
31st December 2005, 16:22
stefanr (HowtoForge Supporter)

Quote:
Originally Posted by till
I guess you have to uncomment e.g. this line in the bastille configuration:

TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"

to log connection attempts to the listed services.

Or you set the line:

LOG_FAILURES="N"

to:

LOG_FAILURES="Y"

if you want to log connection failures.

Hey till, very kind of you, but I have changed the things that you said and I can't find any logs :-( What am I doing wrong?
I've opened iptables -A INPUT -j LOG --log-level notice,
can this be the problem? I thought before that the firewall is only an iptables command.

#6
11th March 2007, 00:51
FeraTechInc (Senior Member)

Uhh... well I did all this. Now... where is the log file?

I can't find anything in /var/log. There is no iptables or bastille log file?

Can somebody help me out?

#7
11th March 2007, 19:47
falko (Super Moderator)

What's in /etc/Bastille/bastille-firewall.cfg?
Have you tried to restart the firewall?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

#8
29th January 2008, 19:43
wpwood3 (Senior Member)
Answer to an old question

I know this is an old thread but I recently enabled logging in Bastille and finally found where it logs.

The log entries appear in /var/log/messages

I made some iptables rule changes and wanted to verify they were working so I edited /etc/Bastille/bastille-firewall.cfg and changed LOG_FAILURES to "Y" and then restarted Bastille with /etc/init.d/bastille-firewall restart

Since I only plan to allow logging temporarily, I did not edit /root/ispconfig/isp/conf/bastille-firewall.cfg.master. As till mentioned, you have to edit this file, too, if you don't want your changes to be overwritten when you reboot.

A word of warning...
Turning this on can generate LOTS of log entries in a very short period of time. I would not advise setting LOG_FAILURES="Y" and forgetting about it!
__________________
CentOS 5.4 64bit (the Perfect Setup)
ISPConfig 2.2.40
WP3 Photography

Last edited by wpwood3; 29th January 2008 at 19:47.