Ubuntu Security :: Resolving IP Addresses In Iptables Logs?
Jan 19, 2010
whether iptables logs can be set to automatically resolve IP addresses? I am running the firewall on a network with DDNS/DHCP, and this ability would really help quickly identify hosts with suspect traffic.Failing this, I guess the simplest solution will be to simply set static addresses!
View 1 Replies
ADVERTISEMENT
Feb 1, 2011
I have a (headless) Debian (Linux debian 2.6.26-2-486) system running on an old Pentium machine in our home network. I use it as a Samba share, among other things. I recently noticed some Samba log files that I cannot explain the origin of. In /var/log/samba there are a couple of files like this one:/var/log/samba/log.istvan (Note: there is no machine named 'istvan' in my local network)
Code:
[2011/01/04 21:15:34, 1] smbd/service.c:make_connection_snum(1198)
istvan (::ffff:78.92.155.185) connect to service boeken initially as user nobody
[code]...
View 9 Replies
View Related
Jul 11, 2010
so the firewall rules I am currently using are displayed below.
Code:
# DROP ALL FORWARDED PACKETS
iptables -P FORWARD DROP # DROP ALL PACKETS
# ALLOW DHCP THROUGH THE FIREWALL
[code]....
View 6 Replies
View Related
Apr 5, 2011
In an effort to learn more about firewalls and iptables I have left behind gui set-up tools and have setup a firewall using iptables that logs to its own file. The firewall is as follows:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
[Code]...
View 8 Replies
View Related
Aug 15, 2010
What the following means?
Code:
Does this mean that connections from those IP's have been blocked or what?
View 3 Replies
View Related
Dec 23, 2010
I'm trying to limit access to port 8443 on our server to 2 specific IP addresses. For some reason, access is still being allowed even though I drop all packets that aren't from the named IP addresses. The default policy is ACCEPT on the INPUT chain and this is how we want to keep it for various reasons I wont get into here. Here's the output from iptables -vnL
[Code]...
Note the actual IP we are using is masked here with 123.123.123.123. Until I can get everything working properly, we're only allowing access from 1 IP instead of 2. We can add the other one once it all works right. I haven't worked with iptables very much. So I'm quite confused about why packets matching the DROP criteria are still being allowed.
View 10 Replies
View Related
Dec 7, 2009
I want to use iptables to automatically block all IP addresses who send UDP packets with length 11 more than 3 times per 10 seconds.
View 1 Replies
View Related
Jun 3, 2011
iptables and multiple public-facing IP addresses. With the current setup I have a public-facing firewall with iptables which will then forward traffic to a LAN IP. I will hopefully be allotted 1 private IP per public IP, which I hope will make this much more simple. For example, I have server A with the LAN IP of 10.0.0.1 which I would like to have traffic forwarded from 5.0.0.1, the public IP. I also have server B with LAN IP of 10.0.0.2 which I would like to have forwarded from 5.0.0.2, the second public IP. From what I have read and understood, this should be a simple task, however I would just like to double check to make sure that it is in fact possible, and if so, how would it be recommended that I go about doing so. Essentially, I need to forward each public IP to a corresponding LAN IP with all ports.
View 3 Replies
View Related
Oct 6, 2010
I'm trying to configure a process triggered by an SVN post-commit hook which will log into a different host and carry out an SVN update on a file path on that host before exiting. An earlier attempt mounted the remote filepath on the SVN host using sshfs and performed the update locally. This worked but it was incredibly slow (minutes to complete an SVN update).
So, Plan B was to set-up a passwordless login for the user the script runs as and then use pam-script to script a checkout from a repository using the same credentials. The problem is, passwordless SSH login using private/public keys appears to bypass the PAM authentication system or at least interact with it in a way that no environment variables (including the SSH user's name and pass) are resolved by the authentication script being used by pam-script.
I've tested the pam-script behaviour for normal log-ins and it exposes these variables fine. This leaves me in a Catch-22 with trying to script access on one host to perform actions on another while avoiding user/pass prompts or the need to store plaintext passwords on the remote host.
Anyone know if there's a way to resolve a user account password via PAM when using passwordless SSH or, another approach I could take to perform scripted tasks on the remote system requiring authentication? Ideally without storing the passwords on the remote system (at least in unencrypted form).
View 1 Replies
View Related
Jul 19, 2011
I just putup the fedora15 on my PC. there are several msg coming up from selinux saying permission denied, though I am not doing any administrative activity. the PC being a workstation for reaserch. how can I know the denial is for an security intrusion attempt. how can I set conditions to see the logs of all security intrusions. how can I set exclusive msg-ing from selinux that the denial is for a security intrusion attempt.
View 5 Replies
View Related
May 14, 2011
possible to use a gpg key registered on a different email account than the account I have linked to evolution. As is now, I have entered the key id into evolution, but it does not decrypt my mails. It does not even ask for a password.simply opens the message and displays a page of code.
View 2 Replies
View Related
Mar 22, 2010
Does anyone know the ubuntu update servers IP addresses. I am trying to fine tune my firewall rules and was unsure of what ip addresses to use for the update servers. I believe they are us.archive.ubuntu.com and security.ubuntu.com. However, I could be wrong.
View 3 Replies
View Related
Jan 12, 2010
how do i modify the ubuntu firewall to let in certain ip addresses but lock others out.
View 6 Replies
View Related
Jul 25, 2010
Is there a firewall I can install that will only let certain MAC addresses through on a certain port?
View 2 Replies
View Related
Mar 18, 2010
I cannot find one single UFW event anywhere. I have researched this and see that others have trouble finding these logs too. I have looked in every /var/log there is and I can't find one event. I have UFW enabled, default deny and logging set to medium from a previous logging low(in hopes this would create more events to be seen). In terminal, UFW is shown as active. I have been using Ubuntu for more than a year now and I recall seeing UFW events with every session in some /var/logs in Ubuntu 9.04 - I'm running 9.10 now. I have also tried looking throughout the system files and have found nothing. Is UFW not working properly or could I just not be experiencing any firewall events(not likely)?
View 9 Replies
View Related
Apr 26, 2011
If anyone knows where does ZEIGEIST put its logs. Is it in my home folder, or is it somewhere else. I have my home folder enrypted and this is really not very secure if someone can see those logs...So. Does ZEITGEIST put logs in my HOME folder or not?
View 7 Replies
View Related
Jun 16, 2010
how to find USB enteries/ logs in linux
View 5 Replies
View Related
Apr 22, 2009
I have connected to my friends machine, for some reason . all the logs are wiped out . ?
CentOS .
There is nothing there? is this a unusual to Linux systems?
View 3 Replies
View Related
Aug 13, 2011
I want to capture all packets from site "www.examplesite.com" so I checked its ip address in an ip address look up and it was 123.456.abc.def.So I set my filter to "dst host 23.456.abc.def"However I then realised that multiple ip address point to ww.examplesite.com, for example say the following ips also go to987.654.321.000111.222.333.444So is there a filter that will automatically capture all traffic going to www.examplesite.com or do I have to go and manually find all it's ip addresses and pass them all to the filter?
View 2 Replies
View Related
Jan 8, 2010
These files seem to contain browsing history:
~/.mozilla/firefox/xxxxx.default/cookies.sqlite ~/.mozilla/firefox/xxxxx.default/formhistory.sqlite ~/.mozilla/firefox/xxxxx.default/downloads.sqlite ~/.mozilla/firefox/xxxxx.default/places.sqlite ~/.mozilla/firefox/xxxxx.default/places.sqlite-journal
~/.mozilla/firefox/xxxxx.default/Cache/
Therefore I have cleared these files using an erasing program. I am wondering if there are other locations where such log files are stored for Internet browsing. I have looked in the /var/log directory and cannot see anything - for example doing a grep on http:// after browsing in Firefox does not reveal anything obvious.
View 6 Replies
View Related
Jul 10, 2010
Does anyone know of any software that can monitor the Apache logs for certain phrases or keywords then send an alert when found? For example I know an attempt to hack has been made when I see log entries like this....
/admin/
/admin/phpadmin/
/phpadmin/
But by the time I see it, the attempt has long since failed or succeeded. What I need is a way for my server to alert me WHILE someone is entering these phrases. I realize there may be a "hit" to performance but my server is not that busy anyway (except for hackers).
View 3 Replies
View Related
Feb 9, 2011
What is happening when I log in to my Ubuntu server machine via ssh and putty. trying to understand everything, primarily securing my server.
I have specified the ssh server to listen on port 5525, and can login without a problem.
When I look at the logs though it says I connected from xxx.xx.xx.xx on port 53602.
What is happening here and why is the logged connection a different port to the one specified in the config file?
View 1 Replies
View Related
Mar 18, 2011
I have in my hands a bunch of samba logs, about 24 different files and I was wondering if there was a tool that would go through them and organize them into something readable.I had a gander at Sawmill
View 2 Replies
View Related
Mar 9, 2011
Iam looking security specific event ID on Linux .hear are thousnds of event ID in Microsoft Windows/XP and VISTA etc. Similar way looking for Linux,unix ,Solaries,AIX etc event ID. I would to correlate and implement with Arcsight.
View 2 Replies
View Related
Mar 24, 2010
Please let me know:1. What LDAP logs are typically available2. How to find them3. How to Parse them
View 3 Replies
View Related
May 23, 2011
CentOS 5.6 Server patched to latest, multiple name-based apache virtual hosts. SELinux OFF Everything was working fine until the other day. I've been making quite a lot of changes so it may well be something I've done, but I can't find out what! Last night I got the following in my logwatch : -
Requests with error response codes
404 Not Found
/admin/phpmyadmin/scripts/setup.php: 1 Time(s)
/admin/pma/scripts/setup.php: 1 Time(s)
/admin/scripts/setup.php: 1 Time(s)
/db/scripts/setup.php: 1 Time(s)
/dbadmin/scripts/setup.php: 1 Time(s)
[Code]...
The problem is that NONE of my logs, secure, httpd, messages, NONE of them, show any trace of these hacking attempts. They used to show up in secure and apache error logs, but no longer.
View 2 Replies
View Related
Mar 29, 2011
I have problem with loging, actually iptables logs a data but it seems that for some reasons does not writes in a log file:
Code:
iptables -L -v
Chain INPUT (policy ACCEPT 406 packets, 124K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any xxxxxxxxxxx anywhere tcp dpt:xxxx
[Code]....
i checked /var/log/message and /var/log/syslog nothing is here related to iptables. then i create separate file for Iptables by adding this: kern.warning /var/log/iptables.log in my rsyslog.conf it does create iptables.log file inside /var/ but its still empty
View 4 Replies
View Related
Apr 22, 2010
I have my router configured so that it drops outgoing telnet connections (and other protocols I don't use). It's a 2wire gateway. 192.168.1.65 is the internal IP of my ubuntu box.I'm trying to figure out what normal network traffic looks like and whether I should be worried by this log entry. At the time this happened I was testing out TOR (just navigating to a few sites (dell, ubuntu forums, etc.) nothing all that interesting.)
View 2 Replies
View Related
Feb 12, 2011
Has anybody else seen this kind of attack? I see those messages on 2 exim mailservers. Looks as if someone sends a 50MB big mail header :S What is their goal except from increasing my traffic?
Code:
2011-02-12 07:48:53 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=ns33.medialook.net [91.121.108.5] input="GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
[Code].....
View 4 Replies
View Related
Feb 16, 2011
I am trying to get OpenLDAP to authenticate user logins, but running around in circles. Are there any logs produced by either client and/or server that would indicate possible reasons why it was unable to login as a user?Below is an explanation, any ideas would be appreciated, as I think everything is setup as per the various articles on using LDAP.
I have a CentOS 5.5 OpenLDAP server, and several others, some host services, some are file shares (samba).So far I have been able to successfully configure OpenLDAP to carry out all the ldap* commands from both the local server and from any of the remote servers, either via non-ssl or ssl connections. However, as soon as I try connecting any services up to it, it doesn't play ball.Back to basics, having cleared off all previous attempts at this from all machines, I have gone through the following:
Installed OpenLDAP server/client on host (plus nss_ldap).
Configured /etc/openldap/slapd.conf (see below)
Configured /etc/openldap/ldap.conf (see below)
[code]...
View 2 Replies
View Related