Firewall Logging - How to
Posted: Sun 17 Dec 2006, 01:29
By default in Puppy the firewall logging is not enabled.
To enable it AFTER using the firewall wizard, go to
/etc/rc.d
Then right-click (right mouse button) on rc.firewall and
choose "open as text".
Go to # -- Advanced Configuration Options -- #
and change LOGGING from no to yes within the " ":
LOGGING="yes"
Then go to # -- Advanced Firewall Behavior Options -- #
LOG_LIMIT=""
LOG_BURST="60"
LOG_LEVEL="notice"
Within the quotes you can choose what you like, although you may end up
getting flooded with logs. This is what I have chosen,
i.e. no log limit, as I check the log frequently and empty it.
Then SAVE the changes and close the rc.firewall document.
What might be interesting is that when you first log on to the net but don't
do anything, check the INPUT log and see if there is anything there before
surfing; this is usually when the hackers first try to get at your machine.
You will see their IP number following the SRC= field,
for example: SRC=211.251.142.65 (Source IP address), i.e. the source address
of whoever attempted or did connect to your machine when you first gained
access to the net. My results were as expected :>()
You will find the log at /var/log in the "messages" file.
But in order to actually begin to log anything you need to make a firewall rule
for what you want to log. You can google this for an answer...
I chose to log all the INPUT, so the rule is
iptables -I INPUT -j LOG
The -I in the above rule inserts the rule at the beginning
of the INPUT chain, as the order of rules in iptables is important;
so is using capitals where specified.
To enter the rule into iptables, open rxvt, type the rule and press enter.
To check the rule as entered in iptables, in rxvt type
iptables -L -n -v
and press enter;
this will display the rules and their number in the chain
in detail.
Now you can save this by typing, in rxvt,
iptables-save
and pressing enter.
Then check the tables again with
iptables -L -n -v
One note: if you leave the text application open with
the logs in it, it may not update to the most recent entries when
you look at it; close and then reopen the "messages" document. There
are different ways of doing this, try what you like.
If anyone has anything to add or correct, please do so.
Also, if you use this and get what you consider
interesting results just after logging in, message back to this thread....
YMMV
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.
Here is a little tutorial on deciphering the meaning of firewall logs.
http://logi.cc/linux/netfilter-log-format.php3
The items are explained in sequence:
Apr 16 00:30:45 megahard kernel: syslog prefix. It is not present if you read log messages from the console.
NF: D(I,Priv) Enabled with: --log-prefix 'prefix'
An arbitrary, user defined log prefix, including the spaces.
A trailing space is necessary to keep the prefix separate from the next token; this is a bug in netfilter.
IN=eth1 Interface the packet was received from. Empty value for locally generated packets.
OUT= Interface the packet was sent to. Empty value for locally received packets.
MAC=00:80:8c:1e:12:60:00:10:76:00:2f:c2:08:00 Destination MAC=00:80:8c:1e:12:60, Source MAC=00:10:76:00:2f:c2, Type=08:00 (ethernet frame carried an IPv4 datagram)
SRC=211.251.142.65 Source IP address
DST=203.164.4.223 Destination IP address
LEN=60 Total length of IP packet in bytes
TOS=0x00 Type Of Service, "Type" field.
Increasingly being replaced by DS and ECN. Refer to the IP header info below.
PREC=0x00 Type Of Service, "Precedence" field.
Increasingly being replaced by DS and ECN. Refer to the IP header info below.
TTL=44 remaining Time To Live is 44 hops.
ID=31526 Unique ID for this IP datagram, shared by all fragments if fragmented.
CE Presumably the "ECN CE" flag (Congestion Experienced).
This seems to be wrong because according to RFC2481, the CE bit is located in the TOS field. Refer to the IP header info below.
DF "Don't Fragment" flag.
MF "More Fragments following" flag.
FRAG=179 Fragment offset in units of "8-bytes". In this case the byte offset for data in this packet is 179*8=1432 bytes.
OPT (0727..A200) Enabled with: --log-ip-options
IP options. This variable length field is rarely used. Certain IP options, e.g. source routing, are often disallowed by netadmins. Even harmless options like "Record Route" may only be allowed if the transport protocol is ICMP, or not at all.
PROTO=TCP Protocol name or number. Netfilter uses names for TCP, UDP, ICMP, AH and ESP. Other protocols are identified by number. A list is in your /etc/protocols. A complete list is in the file protocol-numbers
SPT=4515 Source port (TCP and UDP). A list of port numbers is in your /etc/services. A complete list is in the file port-numbers
DPT=111 Destination port (TCP and UDP). See SPT above.
SEQ=1168094040 Enabled with: --log-tcp-sequence
Receive Sequence number. By cleverly choosing this number, a cryptographic "cookie" can be implemented while still satisfying TCP protocol requirements. These "SYN-cookies" defeat some types of SYN-flooding DoS attacks and should be enabled on all systems running public TCP servers.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
ACK=0 Same as the Receive Sequence number, but for the other end of the TCP connection.
WINDOW=32120 The TCP Receive Window size. This may be scaled by bit-shifting left by a number of bits specified in the "Window Scale" TCP option. If the host supports ECN, then the TCP Receive Window size will also be controlled by that.
RES=0x03 Reserved bits. The ECN flags "CWR" and "ECNE" will show up in the two least significant bits of this field. Refer to the TCP header info below.
URG Urgent flag. See URGP below.
ACK Acknowledgement flag.
PSH Push flag.
RST RST (Reset) flag.
SYN SYN flag, only exchanged at TCP connection establishment.
FIN FIN flag, only exchanged at TCP disconnection.
URGP=0 The Urgent Pointer allows for urgent, "out of band" data transfer. Unfortunately not all protocol implementations agree, so this facility is hardly ever used.
OPT (020405...300) Enabled with: --log-tcp-options
TCP options. This variable length field gets a lot of use. Important options include: Window Scaling, Selective Acknowledgement and Explicit Congestion Notification. Refer to the TCP header info below.
Unfortunately the rule number in the chain which matched the packet is for architectural reasons not available in netfilter logs. You will have to "cook your own" by using the user-prefix feature.
>>>>>>>>>>>>>>>>>>>>>
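The field-by-field layout above is regular enough to parse mechanically. Here is an added example in Python (my own code, not from this thread, from Puppy, or from logi.cc) that splits netfilter LOG lines from /var/log/messages the way the tutorial describes, keeps the --log-prefix text separate, breaks MAC= into destination, source and ethertype, and then counts fresh inbound SYNs per source address and destination port, which is the "who knocked right after I connected" check from the post. The host name, prefix, addresses and ports in the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog + netfilter format the tutorial above walks
# through (host "megahard", --log-prefix "NF: D(I,Priv) "); addresses are illustrative.
SAMPLE_LOG = """\
Apr 16 00:30:45 megahard kernel: NF: D(I,Priv) IN=eth1 OUT= MAC=00:80:8c:1e:12:60:00:10:76:00:2f:c2:08:00 SRC=211.251.142.65 DST=203.164.4.223 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=31526 DF PROTO=TCP SPT=4515 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0
Apr 16 00:30:47 megahard kernel: NF: D(I,Priv) IN=eth1 OUT= MAC=00:80:8c:1e:12:60:00:10:76:00:2f:c2:08:00 SRC=211.251.142.65 DST=203.164.4.223 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=31527 DF PROTO=TCP SPT=4516 DPT=22 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B4)
Apr 16 00:31:02 megahard kernel: NF: D(I,Priv) IN=eth1 OUT= MAC=00:80:8c:1e:12:60:00:10:76:00:2f:c2:08:00 SRC=198.51.100.7 DST=203.164.4.223 LEN=78 TOS=0x00 PREC=0x00 TTL=115 ID=2 PROTO=UDP SPT=1027 DPT=137 LEN=58
Apr 16 00:31:05 megahard kernel: NF: D(I,Priv) IN=eth1 OUT= MAC=00:80:8c:1e:12:60:00:10:76:00:2f:c2:08:00 SRC=203.164.4.1 DST=203.164.4.223 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=900 DF PROTO=TCP SPT=80 DPT=3200 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Apr 16 00:31:11 megahard CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Bare tokens netfilter prints without "=": the IP flags (CE, DF, MF) and the TCP flags.
FLAG_TOKENS = {"CE", "DF", "MF", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) kernel: (?P<rest>.*)$")
OPT_RE = re.compile(r"OPT \(([0-9A-Fa-f.]*)\) ?")  # --log-ip-options / --log-tcp-options hex dump

def parse_netfilter_line(line):
    """Return a dict of fields for one netfilter LOG line, or None for any other syslog line."""
    m = SYSLOG_RE.match(line)
    if not m or "IN=" not in m.group("rest"):
        return None
    rest = m.group("rest")
    idx = rest.index("IN=")  # netfilter's own output starts at IN=; anything before it is the user prefix
    rec = {"ts": m.group("ts"), "host": m.group("host"), "prefix": rest[:idx], "flags": set(), "opts": []}
    body = OPT_RE.sub(lambda mo: rec["opts"].append(mo.group(1)) or "", rest[idx:])
    for tok in body.split():
        key, eq, val = tok.partition("=")
        if eq:
            rec.setdefault(key, val)  # keep the first: IP LEN/ID win over the UDP LEN or ICMP ID that follow
        elif tok in FLAG_TOKENS:
            rec["flags"].add(tok)
    if rec.get("MAC"):  # 14 octets: destination MAC (6), source MAC (6), then the 2-byte ethertype
        o = rec["MAC"].split(":")
        rec["dst_mac"], rec["src_mac"], rec["ethertype"] = ":".join(o[:6]), ":".join(o[6:12]), "".join(o[12:])
    return rec

def syn_probes(lines):
    """Count inbound TCP SYNs without ACK (fresh connection attempts) per (source IP, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_netfilter_line(line)
        if rec and rec.get("IN") and rec.get("PROTO") == "TCP" and (rec["flags"] & {"SYN", "ACK"}) == {"SYN"}:
            counts[(rec["SRC"], rec["DPT"])] += 1
    return counts

if __name__ == "__main__":
    for (src, dpt), n in sorted(syn_probes(SAMPLE_LOG.splitlines()).items()):
        print(f"{src:16} -> port {dpt:5} {n} SYN(s)")
```

Pipe the real file in with `grep 'kernel:' /var/log/messages` and feed the lines to syn_probes to get the same per-source tally for your own machine.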