xorl %eax, %eax

Logging with iptables and syslogd


Almost certainly you’d wish to be able to see possible DoS attacks or port scans while they take place on your system. Using netfilter/iptables and klogd this is a trivial task. Let’s assume that you want to log any NULL port scan attempt. NULL scans use TCP packets with none of the flags set, which is why they are called NULL scans. We can create a rule that matches these packets, rate-limited by the limit module to 10 matches per minute. Here is this rule:

iptables -A INPUT -m tcp --tcp-flags ACK,SYN,FIN,RST,PSH,URG NONE -m limit --limit 10/minute -j DROP

But the above rule just drops these packets; we need to log them first! There is a special action named LOG which we can use instead of DROP to log these packets. Here is the same rule, which logs the matching packets:

iptables -A INPUT -m tcp --tcp-flags ACK,SYN,FIN,RST,PSH,URG NONE -m limit --limit 10/minute -j LOG --log-prefix "***NULL SCAN ATTEMPT*** " --log-level info

If you have configured your syslogd before, you’ll know what the log level is. If not, please read something like this one before moving on. It is important to note here that the LOG action just logs the event; the packet then continues through the rest of your firewall rules and may still complete the scan, depending on those rules. To drop it, use both rules like this:

iptables -A INPUT -m tcp --tcp-flags ACK,SYN,FIN,RST,PSH,URG NONE -m limit --limit 10/minute -j LOG --log-prefix "***NULL SCAN ATTEMPT*** " --log-level info
iptables -A INPUT -m tcp --tcp-flags ACK,SYN,FIN,RST,PSH,URG NONE -m limit --limit 10/minute -j DROP

Using this, the packet will first be logged and then dropped, since it matches both rules. Keep in mind that the limit match applies to the DROP rule too, so only the rate-limited packets are dropped; leave -m limit out of the DROP rule if you want every NULL packet dropped. That’s nice, but where is this log kept? Well, let’s see… Open your /etc/syslog.conf and add a log file like this:

kern.=info     /var/log/iptables

Then restart your syslogd (and klogd) and it should be ready. Try it yourself by performing a port scan with nmap and the NULL scan option:

nmap -sN <your-IP-here>

Your log file should now contain something similar to this (I’ve changed the MAC addresses for privacy):

Feb  3 23:42:11 xorl kernel: ***NULL SCAN ATTEMPT*** IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:aa:bb:cc:dd:ee:ff:aa:bb SRC=192.168.0.24 DST=192.168.0.20 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=64599 PROTO=TCP SPT=56181 DPT=636 WINDOW=3072 RES=0x00 URGP=0

The information logged by netfilter/iptables here is:

[Time stamp] [hostname kernel] [your logging prefix] [packet details]

where the packet details are the following for TCP packets:

IN       Input interface
OUT      Output interface
MAC      Destination MAC, source MAC and EtherType (the 14-byte Ethernet header)
SRC      Source IP address
DST      Destination IP address
LEN      Packet length
TOS      Type Of Service
PREC     Precedence of the packet
TTL      Time To Live
ID       Packet ID
PROTO    Protocol
SPT      Source Port
DPT      Destination Port
WINDOW   Window size
RES      Reserved bits
URGP     Urgent Pointer

If you want more readable output from the iptables log files, you can write a tiny Perl or shell script that parses the log and presents it in a readable form. Anyway, this was just a tip for firewall logging. :)
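As an added example (not code from the original post), here is a small Python parser for LOG lines in the format shown above, grouping NULL scan hits by source address; the sample log lines are constructed, with made-up hosts and MAC addresses, and the prefix it filters on is the one from the rule in the post.

```python
import re
from collections import defaultdict

# Constructed sample of what klogd/syslogd writes for the LOG rule above
# (hosts, MACs and addresses are made up). The last line is an unrelated
# kern.info message: the kern.=info selector sends those to the same file.
SAMPLE_LOG = """\
Feb  3 23:42:11 xorl kernel: ***NULL SCAN ATTEMPT*** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.24 DST=192.168.0.20 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=64599 PROTO=TCP SPT=56181 DPT=636 WINDOW=3072 RES=0x00 URGP=0
Feb  3 23:42:11 xorl kernel: ***NULL SCAN ATTEMPT*** IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.24 DST=192.168.0.20 LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=64600 PROTO=TCP SPT=56181 DPT=22 WINDOW=3072 RES=0x00 URGP=0
Feb  3 23:42:12 xorl kernel: ***NULL SCAN ATTEMPT*** IN=eth0 OUT= MAC=00:11:22:33:44:55:de:ad:be:ef:00:01:08:00 SRC=10.0.0.7 DST=192.168.0.20 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=80 WINDOW=1024 RES=0x00 URGP=0
Feb  3 23:43:01 xorl kernel: usb 1-1: new high speed USB device using ehci_hcd
"""

# [Time stamp] [hostname kernel] [prefix + packet details]
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
INT_FIELDS = ("LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP")


def parse_line(line):
    """Return a dict for one iptables LOG line, or None for any other kernel message."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    prefix, sep, fields = m.group("msg").partition("IN=")
    if not sep:  # a kernel message that did not come from a LOG rule
        return None
    rec = {"timestamp": m.group("ts"), "host": m.group("host"), "prefix": prefix.strip()}
    # KEY=VALUE tokens; \S* keeps empty values such as "OUT=" for local delivery
    for key, val in re.findall(r"(\w+)=(\S*)", "IN=" + fields):
        rec[key] = int(val) if key in INT_FIELDS and val.isdigit() else val
    mac = rec.get("MAC", "").split(":")
    if len(mac) == 14:  # 6 dst MAC, 6 src MAC, 2 EtherType octets
        rec["dst_mac"] = ":".join(mac[:6])
        rec["src_mac"] = ":".join(mac[6:12])
        rec["ethertype"] = "".join(mac[12:])
    return rec


def summarize(text, prefix="***NULL SCAN ATTEMPT***"):
    """Per source address: how many matching TCP packets and which ports they probed."""
    hits = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["prefix"] == prefix and rec.get("PROTO") == "TCP":
            hits[rec["SRC"]]["count"] += 1
            hits[rec["SRC"]]["ports"].add(rec["DPT"])
    return {src: {"count": h["count"], "ports": sorted(h["ports"])} for src, h in hits.items()}


if __name__ == "__main__":
    for src, h in summarize(SAMPLE_LOG).items():
        print(f"{src}: {h['count']} NULL packet(s), ports {h['ports']}")
```

Run it against /var/log/iptables by passing the file contents to summarize() instead of SAMPLE_LOG.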

Written by xorl

February 3, 2009 at 22:01

Posted in administration, linux

5 Responses


  1. Instead of filling your iptables configuration with redundant rules, you can do something like this:

    iptables -N LOGDROP
    iptables -A LOGDROP -j LOG
    iptables -A LOGDROP -j DROP

    -j LOGDROP

    This way, you end up with a less cluttered and more readable ruleset, which in the long term you will really appreciate.

    ithilgore

    February 4, 2009 at 10:00

  2. You’re right, but I was just demonstrating an example. Grouping similar rules in chains always makes the firewall configuration more readable, but since I used just one rule, I thought it would be redundant to create a separate chain.

    xorl

    February 4, 2009 at 13:06

  3. Hi man,

    That’s a good post!
    I’m here just to say a little thing. Have you already read about PSAD? (http://www.amazon.com/Linux-Firewalls-Detection-Response-iptables/dp/1593271417)

    Check out this book; I read it some time ago and I found it very interesting.

    Regards.

    Anonymous

    August 7, 2009 at 07:20

  4. Hi,

    How do you get a timestamp for the logged packets?

    Bernd

    Bernd Lentes

    May 2, 2010 at 12:37

  5. @Bernd Lentes: Using the “-j LOG” option you instruct iptables/netfilter to log the packets, and it’ll automatically add timestamps to the log file.

    xorl

    September 13, 2010 at 17:07
