Iptables to log messages to a different log file
According to the man page:
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user defined chains.
iptables itself does not write a log file: the LOG target hands a summary of each matching packet to the kernel log, and syslog writes it, by default, to /var/log/messages along with everything else. You can change this location. I will show you how to create a new log file called /var/log/iptables.log. Keeping the firewall messages in their own file makes it easier to build statistics and to analyze attacks.
Iptables default log file
For example, if you type the following command, it will display the current iptables log entries from /var/log/messages. The second line of the output below is an iptables LOG entry (note the kernel: tag and the IN=/SRC=/DPT= fields); the first is an unrelated message that happens to share the file, which is exactly why a separate log is useful:
tail -f /var/log/messages
Output:
Oct 4 00:44:28 debian gconfd (anish-4435): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Oct 4 01:14:19 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=200.142.84.36 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Procedure to log the iptables messages to a different log file
Open your /etc/syslog.conf file:
vi /etc/syslog.conf
Append the following line (use a tab between the selector and the file name):
kern.warning /var/log/iptables.log
Save and close the file. Two things to keep in mind: the selector matches kernel messages of priority warning and higher, so other kernel warnings will also land in this file, and the same messages still go to /var/log/messages unless you exclude them from that selector as well. On distributions that ship rsyslog instead of sysklogd, the same line goes into /etc/rsyslog.conf (or a file under /etc/rsyslog.d/) and you restart rsyslog instead.
Restart syslogd. On Debian / Ubuntu Linux:
/etc/init.d/sysklogd restart
On Red Hat / CentOS / Fedora Core Linux use the following command instead:
/etc/init.d/syslog restart
Now make sure you pass --log-level 4 (and, if you want one, --log-prefix) to the LOG target, so that the messages carry the warning priority that the kern.warning selector matches. For example:
Drop everything and log it
iptables -A INPUT -j LOG --log-level 4
iptables -A INPUT -j DROP
These two rules log and then drop every packet that reaches them, so append them only after your ACCEPT rules, including one for established connections; otherwise the next packet of your own SSH session is dropped and you are locked out.
For example, to drop and log all connections from IP address 64.55.11.2 to your /var/log/iptables.log file:
iptables -A INPUT -s 64.55.11.2 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix '** HACKERS **' --log-level 4
iptables -A INPUT -s 64.55.11.2 -j DROP
Where,
* --log-level 4: Level of logging. Level 4 is warning, which is what the kern.warning selector above matches.
* --log-prefix '*** TEXT ***': Prefix log messages with the specified prefix (TEXT); up to 29 characters long, and useful for distinguishing messages in the logs (and for grepping them out later).
* -m limit --limit 5/m --limit-burst 7: rate-limit the LOG rule to 5 entries per minute after an initial burst of 7, so a flood from that address cannot fill the log. The DROP rule that follows is not limited, so every packet is still dropped.
You can now see all iptables messages logged to /var/log/iptables.log:
tail -f /var/log/iptables.log
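Once the LOG lines are in their own file they are easy to reduce to statistics. The following shell script is an added example, not code from the original post: the function names are mine, and the log lines embedded in it are constructed in the format shown above rather than captured traffic.

```shell
#!/bin/sh
# Added example, not from the original post: summarise iptables LOG lines.
# The LOG target writes KEY=VALUE fields (IN=, SRC=, DST=, PROTO=, DPT=, ...)
# after the optional --log-prefix, so a log file can be reduced with awk.

# Constructed sample lines (not real traffic) in the format shown above.
# The first two carry the '** HACKERS **' prefix from the rule in the text.
SAMPLE_LOG='Oct  4 01:14:19 debian kernel: ** HACKERS **IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=64.55.11.2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 01:14:21 debian kernel: ** HACKERS **IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=64.55.11.2 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18375 DF PROTO=TCP SPT=46041 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 01:15:02 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=200.142.84.36 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9921 DF PROTO=TCP SPT=51212 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  4 01:15:40 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC=10.0.0.5 DST=192.168.1.2 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=4401 DF PROTO=UDP SPT=40512 DPT=53 LEN=58'

# iptables_top_sources LOGFILE
# Prints "COUNT SRC DPT PROTO", most frequent first, for every logged packet.
iptables_top_sources() {
    awk '
        /kernel:/ && /SRC=/ {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue          # prefix words, "DF", "SYN" and the like
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src != "") count[src " " dpt " " proto]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# iptables_count_prefix LOGFILE PREFIX
# Number of lines tagged with a given --log-prefix (prints 0, not an error, when none match).
iptables_count_prefix() {
    grep -c -F -- "$2" "$1" || true
}

# Demonstration on the constructed sample: write it to a temp file and report.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_file"
echo "hits per source/port:"
iptables_top_sources "$demo_file"
echo "lines tagged '** HACKERS **': $(iptables_count_prefix "$demo_file" '** HACKERS **')"
rm -f "$demo_file"
```

Run it against the live file with iptables_top_sources /var/log/iptables.log. Note that the kernel prints the prefix immediately before IN=, so a prefix such as '** HACKERS **' with no trailing space runs into the first field; end the prefix with a space if you also want to parse IN=.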
Securing /tmp and /dev/shm
df -h | grep tmp
If that displays nothing, follow the steps below to create a /tmp filesystem. If you do have a separate /tmp, check whether it is mounted with noexec:
grep tmp /etc/fstab
If there is a line that includes /tmp and noexec, it is already mounted non-executable (/etc/fstab shows what is configured; mount with no arguments shows what is actually in effect). If not, follow the instructions below to create one without having to repartition your disk. Ideally you would make a real partition when the disk was originally formatted; that said, I have not had any trouble creating a /tmp filesystem on a loop-mounted file using the following method.
Create a ~1 GB file to back the filesystem (1,000,000 blocks of 1024 bytes)
cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=1000000
On a system where /dev is a tmpfs populated by udev, a file created there disappears at reboot; in that case store the image on a persistent filesystem (for example under /var) and use that path in the commands and the fstab line below.
Format the file as a filesystem
mkfs.ext2 /dev/tmpMnt
When it asks about not being a block special device press Y
Make a backup of the old data
cp -Rp /tmp /tmp_backup
Mount the temp filesystem
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
Set the permissions (1777, not 0777: the sticky bit stops users from deleting or renaming each other's files in /tmp)
chmod 1777 /tmp
Copy the old files back (the trailing /. also copies dot-entries such as .X11-unix, which a * glob would skip)
cp -Rp /tmp_backup/. /tmp/
Once you have done that, restart MySQL and make sure it starts cleanly. MySQL places mysql.sock in /tmp, so the socket now lives on the new filesystem and the server has to recreate it there. When everything works, add this line to the bottom of /etc/fstab so the filesystem is mounted automatically at boot:
Open the file in vi:
vi /etc/fstab
Now add this single line at the bottom:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
While we are at it we are going to secure /dev/shm. Look for the mount line for /dev/shm in /etc/fstab and change it to the following:
none /dev/shm tmpfs noexec,nosuid 0 0
Unmount and remount /dev/shm for the changes to take effect (if umount reports the device is busy, mount -o remount,noexec,nosuid /dev/shm applies the options without unmounting):
umount /dev/shm
mount /dev/shm
Next delete the old /var/tmp and create a link to /tmp
rm -rf /var/tmp/
ln -s /tmp/ /var/
Bear in mind that /var/tmp is meant to keep files across reboots whereas /tmp may be cleared; with the symlink in place, anything programs leave in /var/tmp shares the lifetime of /tmp.
If everything still works fine you can go ahead and delete the /tmp_backup directory.
rm -rf /tmp_backup
Your /tmp, /var/tmp, and /dev/shm are now mounted in a way that no binary can be executed directly from these directories. Like I have said in other articles there are still ways in (a script dropped in /tmp can still be run by handing it to an interpreter, as in sh /tmp/script.sh, because noexec only stops direct execution), but this is one of the many layers of security you should have on your system.
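To confirm that the mounts really carry the options after a reboot, the following script checks a mounts table in /proc/mounts format and, optionally, tries to execute a file on the live mount. This is an added example, not code from the original post: the function names are mine, and the mounts table embedded in it is constructed for the demonstration (it mirrors the fstab lines above, with /dev/shm left on its stock options).

```shell
#!/bin/sh
# Added example, not from the original post: verify the mount options after
# following the procedure above. It reads a table in /proc/mounts format
# (device mountpoint fstype options dump pass), so it can be run against
# the live system or, as here, against a constructed sample.

# Constructed sample in /proc/mounts format: /tmp done as described above
# (the loop-mounted file shows up as a loop device), /dev/shm still stock.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/loop0 /tmp ext2 rw,noexec,nosuid 0 0
none /dev/shm tmpfs rw,nosuid,nodev 0 0'

# mount_options MOUNTPOINT [MOUNTS_FILE]
# Prints the option list of the (last) mount at MOUNTPOINT; fails if nothing is mounted there.
mount_options() {
    awk -v mp="$1" '
        $2 == mp { opts = $4 }
        END { if (opts == "") exit 1; print opts }
    ' "${2:-/proc/mounts}"
}

# has_mount_option MOUNTPOINT OPTION [MOUNTS_FILE]
# Succeeds if OPTION is in the option list (exact match, so "exec" does not match "noexec").
has_mount_option() {
    mount_options "$1" "${3:-/proc/mounts}" | tr ',' '\n' | grep -qx "$2"
}

# check_tmp_mount MOUNTPOINT [MOUNTS_FILE]
# Reports whether the mount carries noexec and nosuid; returns 1 if either is missing
# or the path is not a mount point of its own (it then inherits its parent's options).
check_tmp_mount() {
    ctm_mp=$1; ctm_mounts=${2:-/proc/mounts}; ctm_missing=""
    if ! mount_options "$ctm_mp" "$ctm_mounts" >/dev/null; then
        echo "$ctm_mp: not a separate mount point"
        return 1
    fi
    for ctm_opt in noexec nosuid; do
        has_mount_option "$ctm_mp" "$ctm_opt" "$ctm_mounts" || ctm_missing="$ctm_missing $ctm_opt"
    done
    if [ -z "$ctm_missing" ]; then
        echo "$ctm_mp: ok"
        return 0
    fi
    echo "$ctm_mp: missing$ctm_missing"
    return 1
}

# exec_blocked MOUNTPOINT
# Live check: drops an executable script into the mount and tries to run it.
# Returns 0 if execution is refused (noexec is effective), 1 if it ran, 2 if the file could not be created.
exec_blocked() {
    eb_f=$(mktemp "$1/noexec-check.XXXXXX") || return 2
    printf '#!/bin/sh\nexit 0\n' > "$eb_f"
    chmod 700 "$eb_f"
    if "$eb_f" 2>/dev/null; then
        rm -f "$eb_f"; return 1
    fi
    rm -f "$eb_f"; return 0
}

# Demonstration against the constructed sample (never touches the real system).
demo_mounts=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$demo_mounts"
for mp in /tmp /dev/shm /var/tmp; do
    check_tmp_mount "$mp" "$demo_mounts" || true
done
rm -f "$demo_mounts"
```

On the live system, check_tmp_mount /tmp and check_tmp_mount /dev/shm read /proc/mounts by default; check /tmp rather than /var/tmp, since the symlink created above makes /var/tmp resolve to it. exec_blocked /tmp performs the direct-execution test as the current user and needs write access to the mount.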
Nobody Check
What is Nobody Check?
Nobody Check is a free security tool for cPanel/Plesk and DirectAdmin based servers that is meant to greatly enhance server security. Developed exclusively by WebHostGear.com.
The Nobody Check tool can detect malicious processes running on your Linux server and report them to you in real time or by email. It can be configured to run at selected times and does not eat up resources or interfere with server operations.
Installing Nobody Check
The script gets installed under /usr/local/
1) Log in to your server as the root user through a shell
2) wget http://www.webhostgear.com/projects/nobodycheck/install.sh
3) chmod +x install.sh
Read install.sh before you run it: it is fetched over plain HTTP with no checksum or signature, and the next step executes it as root.
4) ./install.sh
Wait for the installer to finish
5) rm -f install.sh
6) Open /usr/local/nobody_check/nc.conf, put in your email address and select your options. Change the "to" email address to the address you want reports sent to.
Check that the cron entry below has been added:
vi /var/spool/cron/root
0 */1 * * * /usr/local/nobody_check/nobody_check >/dev/null 2>&1
This example root cron job runs once per hour.
Then restart cron:
/etc/init.d/crond restart
Reports are only sent when a detection is found.
How to disable direct root login
1. SSH into your server as admin and gain root access with su
2. Edit the SSH daemon configuration file:
vi /etc/ssh/sshd_config
3. Find the line
Protocol 2,1
4. Uncomment it and change it to look like
Protocol 2
5. Next, find the line
PermitRootLogin yes
6. Uncomment it and make it look like
PermitRootLogin no
7. Save the file
8. Now you can restart SSH
/etc/rc.d/init.d/sshd restart
Keep your current session open and log in from a second one to confirm you can still get in as admin and su to root before closing the first. Now, no one will be able to log in as root without first logging in as admin and running su - to become root, and you will be forcing the use of the more secure protocol 2 (current OpenSSH releases have removed protocol 1 altogether, so the Protocol line only matters on older versions). Just make sure you remember both passwords!
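A grep for PermitRootLogin is not a reliable way to verify the change: sshd uses the first uncommented occurrence of a keyword, keywords are case-insensitive, and settings after a Match line apply only to the matched connections. The following script checks the file the way sshd reads it. It is an added example, not code from the original post; the function names are mine, and the two sshd_config samples embedded in it are constructed for the demonstration (the hardened file from the steps above, and the stock file with everything commented out).

```shell
#!/bin/sh
# Added example, not from the original post: check that sshd_config really has
# the two settings from the steps above in effect. sshd uses the FIRST uncommented
# occurrence of a keyword, keywords are case-insensitive, and anything after a
# Match line applies only to the matched connections.

# Constructed sample: the hardened file from the steps above, plus a commented
# default line and a Match block that would fool a naive grep.
SAMPLE_SSHD_HARDENED='# sshd_config (constructed sample)
#PermitRootLogin yes
Protocol 2
PermitRootLogin no
Match User backup
    PermitRootLogin yes'

# Constructed sample: the stock file before editing, everything commented out.
SAMPLE_SSHD_STOCK='#Protocol 2,1
#PermitRootLogin yes'

# sshd_effective KEYWORD [CONFIG_FILE]
# Prints the globally effective value of KEYWORD, or nothing if it is not set
# (in which case the sshd built-in default applies).
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }       # comments and blank lines
        tolower($1) == "match"   { exit }         # the global section ends here
        tolower($1) == key       { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "${2:-/etc/ssh/sshd_config}"
}

# check_sshd_hardening [CONFIG_FILE]
# Returns 0 only when root login is disabled and only protocol 2 is configured.
check_sshd_hardening() {
    csh_cfg=${1:-/etc/ssh/sshd_config}; csh_rc=0
    csh_prl=$(sshd_effective PermitRootLogin "$csh_cfg")
    case "$csh_prl" in
        [Nn][Oo]) echo "PermitRootLogin no: ok" ;;
        "")       echo "PermitRootLogin not set: the sshd built-in default applies (yes on old releases)"; csh_rc=1 ;;
        *)        echo "PermitRootLogin $csh_prl: root login is not disabled"; csh_rc=1 ;;
    esac
    csh_proto=$(sshd_effective Protocol "$csh_cfg")
    case "$csh_proto" in
        2)  echo "Protocol 2: ok" ;;
        "") echo "Protocol not set: set it explicitly unless your sshd is new enough to have dropped protocol 1 (OpenSSH 7.4 and later)"; csh_rc=1 ;;
        *)  echo "Protocol $csh_proto: protocol 1 is still enabled"; csh_rc=1 ;;
    esac
    return $csh_rc
}

# Demonstration on the two constructed samples.
demo_cfg=$(mktemp)
printf '%s\n' "$SAMPLE_SSHD_HARDENED" > "$demo_cfg"
echo "hardened sample:"; check_sshd_hardening "$demo_cfg" || true
printf '%s\n' "$SAMPLE_SSHD_STOCK" > "$demo_cfg"
echo "stock sample:"; check_sshd_hardening "$demo_cfg" || true
rm -f "$demo_cfg"
```

After editing, run check_sshd_hardening with no argument to read /etc/ssh/sshd_config, and run sshd -t to have sshd itself check the file for syntax errors before the restart in step 8, so a typo cannot leave you without a working daemon.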
Linux Environment Security
Linux Environment Security (LES) is intended as a facility to quickly and easily secure RedHat/RPM based environments. It does this by enforcing root-only permissions on system binaries (binaries that have no business being executed by normal users), enforcing root-only path traversal on system paths, enforcing the immutable bit on essential rpm package contents (i.e. coreutils), and enforcing the immutable bit on shell profile scripts.
The combined usage of all LES options provides an increased level of local environment security, with the goal of preventing environment-based attacks. Such attacks include compromised system binaries; tainting the $PATH variable to point to paths where trojaned or malicious binaries are located; alterations to user profile scripts to activate key loggers or process-based hijacking; traversal exploration of the system paths, and so on. The possible attack trends are numerous, hence the importance of hardening the local environment. Bear in mind that files carrying the immutable bit cannot be replaced by package updates until it is cleared, so turn the protection off before running rpm or yum upgrades of the packages it covers.
Installation
wget http://rfxnetworks.com/downloads/les-current.tar.gz
tar -zxvf les-current.tar.gz
cd les-0.*
./install.sh
Run LES
/usr/local/sbin/les --secure-bin on
/usr/local/sbin/les --secure-path on
Kishore