Re: DMZ for logging



On Sun, 29 Jan 2012 23:35:05 -0500, Harry Putnam <reader@xxxxxxxxxxx> wrote:
I hope to find experienced iptables users here who can tell me if this
idea is something I could setup with iptables.

I'd like to get a real good idea of what is coming at me from the
internet. Is there a technique where all incoming connections are
copied to a separate server that uses iptables to sort categorize and
log incoming traffic, but then drops it. At least the portion that is
at all suspect in any way.

After a while I would start to know what is just taking up log space
for no good reason and what is actually something likely to be
malicious in intent.

I want a first hand look at what comes down the pipe.

You can easily set up a log-before-drop rule using iptables itself,
and the logging then goes to wherever syslog sends kernel messages
(typically, on the machine running iptables). For example, on my
firewalls, the default rule for the INPUT chain is drop:
# Default policy: DROP
/sbin/iptables -P INPUT DROP
and then I have rules to accept all the traffic I want, and
finally a rule to log any traffic that remains (thus, unwanted):
# Log all else before default DROP
# (Perhaps add "-m limit" before -j LOG?)
/sbin/iptables -A INPUT -j LOG --log-prefix "iptables INPUT: "
Then, since the default policy is DROP, the packet is dropped.

In my case, the logging is done to /var/log/messages, for example:
Jan 29 20:17:24 <systemname> kernel: iptables INPUT: IN=eth1 OUT=
MAC=<macaddress> SRC=<ipaddress> DST=<ipaddress>
LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=61372 DF PROTO=TCP
SPT=3091 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
I have logwatch running, and I get daily messages summarizing all
of the dropped messages, for example:
Logged 65 packets on interface eth1
From <ipaddress> - 1 packet to udp(5060)
From <ipaddress> - 1 packet to udp(5060)
From <ipaddress> - 5 packets to tcp(135)
...
So I have a good idea of which ip addresses are trying to
get in using whatever kinds of packets.

I also have logrotate running, so I keep 4 weeks worth of
/var/log/messages.

(The actual ip and mac addresses have been replaced with
<ipaddress> and <macaddress> in the notes above.)

I don't see why you need a DMZ machine for this.

--
Dale Dellutri <ddelQQQlutr@xxxxxxxxxxxx> (lose the Q's)
.