Red Hat / Fedora :: Logging Connection Attempts With Iptables
Mar 8, 2010
I'm having a lot of problems getting NIS set up with our firewall. I've looked online and no one seems to have any answers. When the firewall is off, NIS works. When it's on, it doesn't. I would like to know which ports NIS needs by logging connection attempts on the server, since I would swear the right ports seem open already. Right now I'm using this to generate the log entries:
iptables -I INPUT -m state --state NEW -j LOG --log-prefix "New Connection: "
iptables -I OUTPUT -m state --state NEW -j LOG --log-prefix "New Connection: "
However, I think it must only work for successful connections, because I'm not seeing any new entries when I try running the NIS client on another machine (ypbind).
View 5 Replies
Mar 28, 2011
I am wondering if it's possible to log the number of bytes a connection transfered when the connection is complete with iptables. I know I've seen this sort of information in Cisco FWSM logs, where the "Teardown" entry of the logs has the bytes transferred for that connection. Is it possible to have something similar to that with iptables? Where the initial connection attempt is logged (i.e. NEW, which I have logging fine) AND an entry for that connection that includes the bytes transferred?
View 6 Replies
View Related
Dec 1, 2015
I'm trying to use these cookie cutter rules that I found. But every time I use them, after a few seconds my wifi connection goes dead. The exception was the first time I used them, which lasted me a couple of minutes.
By dead I mean I can no longer open a webpage or ping google.
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
View 9 Replies
Jun 27, 2011
Does anyone know if vsftpd logs successful and failed logon attempts anywhere? I grepped my /var/log directory and didn't find anything. Or if it can, do you know how to enable it?
View 12 Replies
Jul 22, 2010
After reading this pdf on the top 5 things to log for security, I've decided to attempt this for my webserver. How might I set up some logging systems to do these tasks? Basic things I need to be able to do: record things like password attempts on htaccess files, from what IP address, and how many attempts there were. Any useful links anyone can think of to get me started? I'm a student programmer at university so any programming I should be able to cope with fine.
View 2 Replies
Jul 21, 2010
Whether I use ufw or firestarter to populate my iptables, my firewall logs get written to 3 different log files:
/var/log/messages
/var/log/kern.log
/var/log/syslog
I want to keep the logging turned on, but I'd rather it not log to syslog, as it's obscuring other events in syslog that I'd like to see. I'm using rsyslog on Ubuntu. I looked around online and found one person suggesting I add this to the top of rsyslog.conf:
kern.* -/var/log/kern.log
kern.* ~
I did that and restarted rsyslog, but it's still logging to the same 3 files.
View 4 Replies
Aug 6, 2010
I'm stuck on why iptables won't log to syslog. Syslog is working fine and logs every other event on the server. Here are my configs:
/etc/syslog.conf
Code:
*.* /var/log/iptables
[code]...
View 1 Replies
Sep 11, 2015
I would like to log and drop outgoing connection attempts, but the log is not showing the destination IPs. I have the following iptables rules for my browser:
Code:
iptables -N LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -j LOG --log-prefix "browser connections: " --log-level 6
iptables -A LOGGING -j DROP
Only after removing the DROP line does it work.
View 14 Replies
Feb 17, 2011
I am trying to write a little port knocking daemon that needs to see every failed connection attempt on every port on the system. The primary way to do this (as the Wikipedia page points out) is to monitor the firewall log file. I am using UFW and reading its output in /var/log/kern.log. Typically, when UFW blocks something, it prints a little line like this:
Quote:
Feb 17 10:42:42 serin kernel: [323588.279588] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:0b:e6:00:85:96:00:09:5b:9f:41:a4:08:00 SRC=192.168.0.4 DST=192.168.0.8 LEN=60 TOS=0x00 PREC=0x20 TTL=49 ID=46945 PROTO=TCP SPT=56849 DPT=1723 WINDOW=5840 RES=0x00 SYN URGP=0
But it seems that whenever UFW experiences a significant "load" (my client sends eight packets over the span of about 25 seconds, not too significant if you ask me), it just kind of "gives up" after 10 or so attempts. Log messages stop appearing in kern.log. I know the packets are coming; wireshark confirms this.
It seems to me that a buffer of some sort is filling up, because if I give the system a breather and try sending my sequence again in, say, three minutes, it prints log messages for 10-12 straight attempts before giving up again. I've tried sending packets at longer intervals and reading from other logs like /var/log/messages, but none of this has helped. Does anyone have any idea why UFW would fail to log all blocked connection attempts?
View 1 Replies
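As an added example (not code from either post above), here is a small Python parser for the kernel LOG lines that both the "New Connection: " rules in the first post and UFW's BLOCK rules write to /var/log/kern.log. It tallies attempts per protocol and destination port and lists the sources behind each, which is what tells you which ports a service such as NIS is actually reaching for, and it is the same parsing a port-knocking daemon would do. The sample log, host names and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of /var/log/kern.log lines (not taken from the thread). The
# first line follows the UFW BLOCK format quoted in the port-knocking post; the
# "New Connection: " lines are what the LOG rules in the first post would emit
# for a hypothetical NIS client at 192.168.0.20 talking to a server at
# 192.168.0.8. The last line is ordinary sshd noise that the parser must ignore.
SAMPLE_LOG = """\
Feb 17 10:42:42 serin kernel: [323588.279588] [UFW BLOCK INPUT]: IN=eth0 OUT= MAC=00:0b:e6:00:85:96:00:09:5b:9f:41:a4:08:00 SRC=192.168.0.4 DST=192.168.0.8 LEN=60 TOS=0x00 PREC=0x20 TTL=49 ID=46945 PROTO=TCP SPT=56849 DPT=1723 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  8 09:15:01 nisserver kernel: [1023.551] New Connection: IN=eth0 OUT= MAC=... SRC=192.168.0.20 DST=192.168.0.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12 DF PROTO=TCP SPT=40112 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  8 09:15:01 nisserver kernel: [1023.552] New Connection: IN=eth0 OUT= MAC=... SRC=192.168.0.20 DST=192.168.0.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=13 DF PROTO=UDP SPT=40113 DPT=111 LEN=64
Mar  8 09:15:02 nisserver kernel: [1024.100] New Connection: IN=eth0 OUT= MAC=... SRC=192.168.0.20 DST=192.168.0.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14 DF PROTO=TCP SPT=40114 DPT=834 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  8 09:15:03 nisserver kernel: [1025.000] New Connection: IN=eth0 OUT= MAC=... SRC=192.168.0.8 DST=192.168.0.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=15 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Mar  8 09:15:04 nisserver sshd[2201]: Accepted publickey for alice from 192.168.0.30 port 50022 ssh2
"""

# A kernel LOG line: syslog timestamp, host, "kernel:", an optional uptime
# stamp, the free-text --log-prefix, then the IN=... key=value fields.
LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\]\s*)?(?P<prefix>.*?)(?P<fields>IN=.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return a dict for an iptables/UFW LOG line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for key, value in KV_RE.findall(m.group("fields")):
        # UDP and ICMP lines repeat LEN= / ID= for the inner header; keep the
        # first (IP-level) value so LEN stays the packet length.
        fields.setdefault(key, value)
    dpt = fields.get("DPT")
    return {
        "stamp": m.group("stamp"),
        "host": m.group("host"),
        "prefix": m.group("prefix").strip(),
        "in": fields.get("IN", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(dpt) if dpt is not None else None,
        "icmp_type": int(fields["TYPE"]) if "TYPE" in fields else None,
    }


def entries(text, prefix=None):
    """Yield parsed entries, optionally only those whose --log-prefix starts with prefix."""
    for line in text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        if prefix is not None and not entry["prefix"].startswith(prefix):
            continue
        yield entry


def count_by_port(text, prefix=None):
    """Count attempts per (protocol, destination port); ICMP has no port, so None."""
    return Counter((e["proto"], e["dpt"]) for e in entries(text, prefix))


def sources_for_port(text, port, prefix=None):
    """Which source addresses tried to reach the given destination port."""
    return {e["src"] for e in entries(text, prefix) if e["dpt"] == port}


def report(text, prefix=None):
    """Human-readable summary lines, most-hit ports first."""
    lines = []
    for (proto, dpt), n in count_by_port(text, prefix).most_common():
        target = f"{proto}/{dpt}" if dpt is not None else proto
        srcs = "-"
        if dpt is not None:
            srcs = ", ".join(sorted(sources_for_port(text, dpt, prefix)))
        lines.append(f"{n:4d}  {target:<10} from {srcs}")
    return lines


if __name__ == "__main__":
    # Feed it real data with: grep 'New Connection' /var/log/kern.log | python3 thisfile.py
    print("\n".join(report(SAMPLE_LOG, prefix="New Connection")))
```

Two points the posts above touch on: NIS is an ONC RPC service, so a client first asks the portmapper on port 111 and is then sent to whatever port ypserv registered at start-up, which is why a per-port tally like this is the reliable way to find the ports to open rather than guessing. And UFW's default block logging goes through iptables' limit match, so a daemon reading kern.log will see exactly the gaps the port-knocking post describes unless it is fed by its own LOG rule that is not rate-limited.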
Jun 21, 2010
Brief overview of my current setup:
Code:
The ip_blacklist chain is used to immediately drop any traffic from specified address ranges, while the tcp_, udp_, and icmp_packets chains contain rules for further processing of those protocols. The last rule in each of the latter three chains drops all packets that didn't match any rules above it; so tcp, udp, and icmp packets should NOT get caught by the default INPUT policy (DROP). The goal of the last rule on the INPUT chain is to then log any packets that are picked up by the default policy. However, it's not working.
I can tell that there are packets being picked off by the default policy because the counters are being incremented, but nothing is logged by that last rule. My conclusion is that it's only looking for tcp, udp, and icmp packets and ignoring everything else.
How to get iptables to log all the other protocols (or whatever is being caught by the default policy)?
View 5 Replies
Mar 2, 2010
Since yesterday Firestarter has been prompting me that it is blocking external connection attempts as shown in the picture below. I'm not even going to bother covering the IP addresses because I personally don't see why I should care, but as you can see, there have been loads of them attempting to connect to ports 3674 - 3675. I ran nmap 127.0.0.1 and it came back with 631 being the only open port. So then I thought maybe lsof -i would show much more, but all it showed was:
@boris:~$ cat meh
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
cupsd 1644 root 5u IPv6 14329 0t0 TCP localhost:ipp (LISTEN)
[code]...
View 1 Replies
Mar 8, 2010
I am building a system that includes a firewall server using iptables, a web server and an FTP server. On the FTP server (IP: 192.168.1.2, GW: 192.168.1.1) I installed ProFTPD successfully. Inside the LAN everything works.
On the firewall server: <IP PUBLIC> on eth0 and LAN IP 192.168.1.1 on eth1.
Iptables rules:
Code:
# Generated by iptables-save v1.3.5 on Sun Mar 7 21:01:16 2010
*nat
:PREROUTING ACCEPT [950:126970]
:POSTROUTING ACCEPT [89:5880]
:OUTPUT ACCEPT [19:1342]
-A PREROUTING -d <IP PUBLIC> -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.2:21
-A POSTROUTING -s 192.168.1.2 -o eth0 -j SNAT --to-source <IP PUBLIC>
COMMIT
# Completed on Sun Mar 7 21:01:16 2010
# Generated by iptables-save v1.3.5 on Sun Mar 7 21:01:16 2010
*filter
:INPUT DROP [1599:157409]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [232:34452]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT
# Completed on Sun Mar 7 21:01:16 2010
From the FTP server I can access the internet fine.
I checked port 21 on <IP PUBLIC> and it returned open.
But when I use the ftp command it shows:
Code:
Connected to <IP PUBLIC>.
220 ProFTPD 1.3.3 Server (FTP Server) [192.168.1.2]
User (<IP PUBLIC>:(none)): longvnit
331 Password required for longvnit
Password:
230 User longvnit logged in
ftp> dir
200 PORT command successful
Aborting any active data connections...
ftp> bye
C:\Documents and Settings\LONGVNIT>ftp <IP PUBLIC>
Connected to <IP PUBLIC>.
220 ProFTPD 1.3.3 Server (FTP Server) [192.168.1.2]
User (<IP PUBLIC>:(none)): longvnit
331 Password required for longvnit
Password:
230 User longvnit logged in
ftp> dir
200 PORT command successful
425 Unable to build data connection: Connection timed out
ftp> dir
200 PORT command successful
425 Unable to build data connection: Connection timed out
ftp>
View 5 Replies
Feb 3, 2010
I've set up a transparent squid box with two NICs: eth1 = Internet, eth0 = LAN + DHCP. My question is, can I log the data usage of a skype call? My proxy server already records all http and https requests but doesn't record some programs like skype. I know that it is not http traffic, but can I tell my system to record data use by an IP address over a NIC with the help of iptables, for example?
View 1 Replies
Jun 4, 2009
If I use the final flag, postfix logs to /var/log/messages, not to /var/log/maillog. What am I doing wrong? Regards, Ralf. Here is my config:
options {
sync (0);
time_reopen (10);
[code]....
View 2 Replies
Jul 14, 2011
In our development box we have configured postgresql to work with JBoss. The thing is we have the iptables firewall in our linux box. When iptables is stopped we can connect to the postgres db locally using the -h option, and also through a web link we have created using JBoss. But when iptables is started we can't connect to the db locally using the -h option and the web is giving the error below. Caused by:
org.postgresql.util.PSQLException: Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.
at org.postgresql.core.v3.ConnectionFactoryImpl.openC
[code]....
View 1 Replies
Nov 10, 2010
Wondering if anyone can point me in the right direction to set up some form of network connection monitoring and logging? As Australia has CRAP broadband and ISPs utilize peak and off-peak download limits, I schedule downloads for my off-peak times. Well, recently my connection drops out exactly when my off-peak time kicks in and requires my modem to be reset to re-establish my connection.
My ISP is denying they are doing this but it happens every day now and is getting really frustrating. What I want to try and set up is some sort of monitoring to ping my ISP's default gateway so I can prove it drops at a specific time each day. I am sure there would be something I could configure in Ubuntu but I am a newbie to Ubuntu so don't really know how to achieve this.
View 2 Replies
Dec 8, 2010
We have an Asterisk machine that we suspect periodically loses internet connectivity, causing all calls to drop. First, would this sort of thing be logged anywhere out of the box? I haven't noticed anything in /var/log, but that doesn't mean it's not there. If this is not typically logged, how might I go about logging it? I'm currently running a bash script from cron every 5 or 10 minutes which pings Google and writes success or failure messages to a log file. This works fine for extended outages, but if the internet connection drops and comes back between cron runs, it won't be caught.
View 4 Replies
Oct 20, 2010
I am creating this script which will log in to a server with ssh and check if a particular user exists there; if not, it will create the user. This is the script:
Quote:
ssh 192.168.100.5
cat /etc/passwd|grep -i $1 > /dev/null
if [ $? -eq 0 ];
[code]...
View 9 Replies
Nov 26, 2010
I am unable to restore my iptables from iptables-save after upgrading Fedora. I cannot get iptables-restore to work, and I have resorted to entering rules manually using the GUI.
View 2 Replies
Jul 17, 2010
IPtables creates an error during startup as well as when I try to restart it. Here's the output of:
[Code]....
View 11 Replies
Apr 28, 2009
I know this is probably easy and if I only took a while to figure it out maybe I could, but I have some stuff that needs to happen soon and I can't figure this out. I was wondering how I could have a log monitor that would email me whenever someone tries to login over ssh to my system. I'm open to everything, daemons/scripts or cron, it all works as I am not running a production server (but I might be starting that soon). Oh, and just as a side note, how do I get sent an email when I get port scanned?
View 6 Replies
Jun 9, 2009
When I try to partition the disk I get this error, on both the live and the install DVD. I have googled but have not found a solution: "cannot commit to disk after 5 attempts"
View 14 Replies
Nov 15, 2009
I have a server box behind my ISP router at home, and I need to allow ssh access to my server. My ISP router doesn't let me selectively allow ssh from some IP. It allows ssh to everyone.
I have fedora10 and openssh-server-5.1p1-3. How can I configure openssh to allow just from 1 IP?
Does it use xinetd at all and the hosts.allow and .deny mechanism?
View 14 Replies
Jun 25, 2009
I googled this, to no avail. I've restarted cups, to no avail. This is a networked printer, but I have little doubt that can be ruled out as an issue. If I want to print an image or plain text file, I get this error; if I print with OpenOffice, I do NOT get this error and it prints fine. I have also gotten a similar error, like "permission denied" or something, but I cannot recall exactly what it said, and cannot seem to recreate it at the moment. I have been getting this for quite some time now (months), but never found out why. Any ideas?
View 14 Replies
Sep 26, 2009
I'm having an issue installing Fedora 11 on my system. After the install, I remove the DVD media, reboot the system, and it reports an error stating that Windows cannot start, missing or corrupted hal.dll file. I apologize if this is a common problem or has already been answered. My searches haven't yielded helpful information; mostly what I've found is people attempting to set up dual-boot machines or boot Fedora via the Windows Boot Loader. I have experience in computers, although I am completely new to Linux/Fedora. Through my work, I have experience using AIX, but no experience installing or managing drive partitions. The system in question is a 5 year old Windows XP system that I built myself. The system has two drives (C: and D: in Windows). The C: drive was the Windows install drive and the D: drive was added later for additional storage. I am attempting to completely overwrite Windows on this machine. I want it to single boot into Fedora 11; I am not looking for a dual-boot system. The system will become a network file server.
The specs of the system are...
Processor: AMD Athlon 64 3500+
Mobo: Gigabyte GA-K8NSNXP-939
RAM: 2GB
I downloaded the DVD iso for Fedora 11 x86_64 via Bit Torrent, burned the ISO to DVD and booted the system from DVD. I ran through the install (Anaconda 11.5.0.59) and see the following information on the screens..
View 2 Replies
Feb 1, 2011
I am trying to share an internet connection with Fedora12 as default gateway and an XP machine hooked up via NIC, using iptables commands as shown in Mark Sobell's book 'A Practical Guide To Fedora And Red Hat Enterprise Linux'. These are the commands as placed in /etc/rc.local:
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -j LOG
iptables -t NAT -A POSTROUTING -o eth1 -j MASQUERADE
I did flip the in and out parameters to match my NIC configuration ( as opposed to example from book ) but other than that followed example. One thing to note is that Sobell did not mention whether this should work with mix of Linux and XP. One other note ( maybe meaningless ) is that I do have samba working between the two machines.
View 2 Replies
Feb 2, 2010
I am configuring an internal only IMAP server for archival emails. I am absolutely baffled why my connection is being refused. UFW is disabled and IPTABLES has a rule to allow all connections on 143 and 993. When I telnet this response is given:
Code:
telnet localhost 143
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
Even nmap shows the port closed. Here is my iptables rule:
Code:
-A ufw-user-input -p udp -m udp --dport 143 -j ACCEPT
View 3 Replies
Mar 12, 2011
I have several CS servers running on ubuntu server, and sometimes someone is trying to brute-force the server's RCON password with the program called HLBrute. I've found the following rules to prevent such hack attacks, but they don't work. What can be wrong in these rules?
Quote:
iptables -A INPUT -p udp -m multiport --dport 26000:30000 -m string --algo kmp --string "HLBrute" -m limit --limit 1/hour --limit-burst 5 -j LOG --log-prefix " HLBrute_Ataka "
iptables -A INPUT -p udp -m multiport --dport 26000:30000 -m string --algo kmp --string "HLBrute" -j DROP
View 3 Replies
Oct 29, 2010
My iptables policy is DROP. My server's ports are open just for httpd and ssh. Is there any rule which can allow all connections from a specific program? For example, I want to scan an IP address's ports. As you know, nmap connects to every known port to see if it is open or not, so if I want to allow nmap to connect, I need to include all ports for that, or I can allow connections from localhost to outside on all ports. My server is very secure. I don't want other programs (probably a backdoor) to use those ports to connect outside. I want to know, is there any ability in iptables which can rule connections by name of program, like "Allow any connection from /usr/bin/nmap to everywhere"?
View 2 Replies
Jan 31, 2011
An ubuntu with address 192.168.1.100, an OpenSuse with address 192.168.1.106, a windows xp with address 192.168.1.102. These are connected via a DSL router/switch (4 eth ports). My purpose is to configure the ubuntu as a firewall and NAT server for investigating network layer packets with specific policies. Well, I've used the following script:
Code:
#!/bin/sh
IPTABLES=/sbin/iptables
[code]...
View 3 Replies