Re: DMZ for logging



On Sun, 29 Jan 2012 23:35:05 -0500, Harry Putnam <reader@xxxxxxxxxxx> wrote:
> I hope to find experienced iptables users here who can tell me if this
> idea is something I could set up with iptables.
>
> I'd like to get a real good idea of what is coming at me from the
> internet. Is there a technique where all incoming connections are
> copied to a separate server that uses iptables to sort, categorize, and
> log incoming traffic, but then drops it? At least the portion that is
> at all suspect in any way.
>
> After a while I would start to know what is just taking up log space
> for no good reason and what is actually something likely to be
> malicious in intent.
>
> I want a first-hand look at what comes down the pipe.

You can easily set up a log-before-drop rule using iptables itself,
and the logging then goes to wherever syslog sends kernel messages
(typically, on the machine running iptables). For example, on my
firewalls, the default rule for the INPUT chain is drop:
# Default policy: DROP
/sbin/iptables -P INPUT DROP
and then I have rules to accept all the traffic I want, and
finally a rule to log any traffic that remains (thus, unwanted):
# Log all else before default DROP
# (Perhaps add "-m limit" before -j LOG?)
/sbin/iptables -A INPUT -j LOG --log-prefix "iptables INPUT: "
Then, since the default policy is DROP, the packet is dropped.

In my case, the logging is done to /var/log/messages, for example:
Jan 29 20:17:24 <systemname> kernel: iptables INPUT: IN=eth1 OUT=
MAC=<macaddress> SRC=<ipaddress> DST=<ipaddress>
LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=61372 DF PROTO=TCP
SPT=3091 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
I have logwatch running, and I get daily messages summarizing all
of the dropped messages, for example:
Logged 65 packets on interface eth1
From <ipaddress> - 1 packet to udp(5060)
From <ipaddress> - 1 packet to udp(5060)
From <ipaddress> - 5 packets to tcp(135)
...
So I have a good idea of which ip addresses are trying to
get in using whatever kinds of packets.

I also have logrotate running, so I keep 4 weeks' worth of
/var/log/messages.

(The actual ip and mac addresses have been replaced with
<ipaddress> and <macaddress> in the notes above.)

I don't see why you need a DMZ machine for this.

--
Dale Dellutri <ddelQQQlutr@xxxxxxxxxxxx> (lose the Q's)
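The daily "From <ipaddress> - N packets to tcp(445)" summary that logwatch produces from the LOG lines above can be reproduced with a small parser, which also shows how the KEY=VALUE format of the netfilter LOG target is laid out. The script below is an added example, not code from either poster or from logwatch; the log lines it reads are constructed samples using documentation address ranges, the "iptables INPUT: " prefix is the one from the rule in the reply, and the MAC address is a made-up placeholder. It handles TCP, UDP and ICMP lines (ICMP has no DPT, so the summary reports the ICMP type instead) and skips kernel lines that do not carry the prefix.

```python
from collections import Counter, defaultdict

# Prefix set by "-j LOG --log-prefix" in the reply's rule; only lines carrying it are ours.
LOG_PREFIX = "iptables INPUT: "

# Constructed sample /var/log/messages excerpt (not real traffic). Addresses are
# from the documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24)
# and the MAC field is a placeholder.
MAC = "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
SAMPLE_LOG = "\n".join([
    f"Jan 29 20:17:24 fw kernel: iptables INPUT: IN=eth1 OUT= {MAC} SRC=203.0.113.5 DST=192.0.2.10 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=61372 DF PROTO=TCP SPT=3091 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0",
    f"Jan 29 20:18:01 fw kernel: iptables INPUT: IN=eth1 OUT= {MAC} SRC=203.0.113.5 DST=192.0.2.10 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=61373 DF PROTO=TCP SPT=3092 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0",
    f"Jan 29 20:20:15 fw kernel: iptables INPUT: IN=eth1 OUT= {MAC} SRC=198.51.100.7 DST=192.0.2.10 "
    "LEN=443 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=423",
    f"Jan 29 20:21:09 fw kernel: iptables INPUT: IN=eth1 OUT= {MAC} SRC=203.0.113.99 DST=192.0.2.10 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1",
    # An unrelated kernel/syslog line that must be ignored by the parser.
    "Jan 29 20:22:40 fw sshd[1234]: Accepted publickey for admin from 192.0.2.44 port 51234 ssh2",
])


def parse_log_line(line):
    """Split one LOG-target line into a dict of KEY=VALUE fields.

    Bare tokens such as DF, SYN or ACK carry no value and are collected under
    "flags". Returns None for lines that do not carry our log prefix.
    """
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = {"flags": []}
    for tok in line[idx + len(LOG_PREFIX):].split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "OUT=" yields an empty value
            fields[key] = value              # a repeated key (ID, LEN) keeps the last value
        else:
            fields["flags"].append(tok)
    return fields


def target_of(fields):
    """Describe the destination the way logwatch prints it: tcp(445), udp(5060), icmp(type 8)."""
    proto = fields.get("PROTO", "?").lower()
    if proto in ("tcp", "udp"):
        return f"{proto}({fields.get('DPT', '?')})"
    if proto == "icmp":
        return f"icmp(type {fields.get('TYPE', '?')})"
    return proto


def summarize(text):
    """Count logged packets per inbound interface, source address and target.

    Returns {interface: Counter({(src, target): n})}.
    """
    per_iface = defaultdict(Counter)
    for line in text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        per_iface[fields.get("IN", "?")][(fields["SRC"], target_of(fields))] += 1
    return per_iface


def render(per_iface):
    """Format the counts as the logwatch-style report quoted in the reply."""
    out = []
    for iface, counts in sorted(per_iface.items()):
        out.append(f"Logged {sum(counts.values())} packets on interface {iface}")
        for (src, target), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
            unit = "packet" if n == 1 else "packets"
            out.append(f"From {src} - {n} {unit} to {target}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG)))
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the file's contents. The prefix check is what lets the parser pick the firewall's own lines out of a shared kernel log; it does not address the concern in the "-m limit" comment above, which is that an unlimited LOG rule on a busy interface can flood the log and crowd out other kernel messages.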