Saturday, December 10, 2011

alix - logging

As i already mentioned in a previous post, i use my alix as a firewall. Usually a firewall's job is also to log attacks against the firewall.
But logging means writing to a log-file and since the hard-disk is a compact-flash card i tried to avoid that. But syslog-ng is quite powerful and it has the feature to log to another host. That's why i set up my server to receive log's from other host. Right now everything is without encryption, but for example with net-misc/stunnel you could even encrypt your live logging. The setup looks like this right now:


On the firewall i have this in syslog-ng.conf:

source s_local { internal(); unix-stream("/dev/log"); file("/proc/kmsg" log_prefix("kernel: ")); };
destination d_loghost {tcp("$serverip" port(514));};
log { source(s_local); destination(d_loghost); };

Every other log { } event is commented out on the firewall, so that syslog-ng doesn't write anything on the compact-flash card. On the server i had to change the config also a bit. First, it has to accept connections from outside which looks like this:

source src {
    unix-stream("/dev/log" max-connections(256));
    ...
};

Secondly, I've created some filters especially for the firewall rules:

filter f_iptables_drop { match("^iptables: INPUT DROPPED" value("MESSAGE")); };
filter f_iptables_access { match("^iptables: ACCESS*" value("MESSAGE")); };

The first filter, logs all the failed connection against a closed ports. The second one logs all the accepted connections against an open port. To separate them in different files i also have this in my config:

destination d_firewall_drop { file("/var/log/clients/$HOST/$HOST-firewall-drop"); };
destination d_firewall_access { file("/var/log/clients/$HOST/$HOST-firewall-access"); };

The rest goes logged into:

destination d_clients { file("/var/log/clients/$HOST/$FACILITY"); };

To be able to filter the log in such way you also have to mark the dropped and accepted packages so that syslog-ng can differ them. To do that you have to add the following to your firewall:

iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "iptables: INPUT DROPPED: "
iptables -t nat -A PREROUTING -i ${NET_ETH} -p ${PROTO} -d ${NET_IP} --dport ${PORT} -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "iptables: ACCESS ${PORT} "


That configuration works well for already some time now. Maybe someone finds the information useful.

No comments:

Post a Comment