iptables not logging to syslog

I was scratching my head on this one for several hours before finally figuring out the solution which turned out to be ridiculously simple.

I wanted to log all incoming tcp connections on port 25 and then drop them. I read through several guides on how to set up logging in iptables. (linuxgurus.com, linuxquestions.org)

Seemed straightforward enough. Here are the rules I ended up with: (output from iptables-save)

-A LOGDROP -p tcp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-level 7 --log-prefix "LOGDROP: "
-A LOGDROP -j REJECT
...
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -j LOGDROP

Any tcp connections to port 25 should get logged and rejected. You then need to decide what to do with the logged packets, which is where /etc/syslog.conf comes in. You need something like this in /etc/syslog.conf:

kern.=debug     /var/log/firewall

Note that there must be no spaces, only tabs, in that line. That line tells syslogd to write any kernel messages that have exactly the “debug” level to the file /var/log/firewall. The --log-level 7 part of the iptables rule tells iptables to emit the message at level 7, which is “debug”. After changing syslog.conf, you need to restart the syslog daemon with /etc/init.d/syslog restart:

[root@localhost ~]# /etc/init.d/syslog restart
Shutting down kernel logger:                               [PASSED]
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [PASSED]

I hadn’t seen [PASSED] show up there before, but I didn’t think much of it at the time.
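Before restarting syslogd it is worth checking where a kern.=debug line, or any other selector on the same file, will actually route a message. The resolver below is an added example, not code from the original post. It implements a subset of the classic sysklogd selector grammar: “*” as facility or priority, comma-separated facility lists, “;”-separated selectors where a later selector overrides an earlier one for the same facility, and the “=” (exactly this priority) and “none” modifiers; the “!” modifier is rejected rather than guessed at. It also flags rule lines whose selector and action are separated by spaces only, the pitfall noted above. The SAMPLE_CONF content and the function names are assumptions for the example.

```python
"""Resolve where syslog.conf sends a given facility/priority.

Added example, not code from the original post.  It implements a subset
of the classic sysklogd selector grammar and flags rule lines whose
selector and action are separated by spaces rather than a tab.
"""
import re

# syslog priorities in decreasing order of severity
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

# constructed sample, modelled on a RHEL-style syslog.conf
SAMPLE_CONF = (
    "# Log anything (except mail) of level info or higher.\n"
    "*.info;mail.none;authpriv.none;cron.none\t/var/log/messages\n"
    "authpriv.*\t/var/log/secure\n"
    "kern.=debug\t/var/log/firewall\n"
    "kern.*   /var/log/kern.log\n"   # spaces, not a tab: the pitfall
)


def _prio_num(name):
    return PRIORITIES.index(ALIASES.get(name, name))


def parse_syslog_conf(text):
    """Return a list of (selectors, action, separated_by_tab) per rule line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)([ \t]+)(\S.*)$", line)
        if m:
            selectors, sep, action = m.groups()
            rules.append((selectors, action, "\t" in sep))
    return rules


def _selector_verdict(selector, facility, priority):
    """True if the selector selects (facility, priority), False if it
    explicitly excludes it, None if it says nothing about this facility."""
    if "!" in selector:
        raise ValueError("'!' modifier not supported: " + selector)
    facs, _, prio = selector.rpartition(".")
    if not facs or not prio:
        raise ValueError("malformed selector: " + selector)
    facs = facs.split(",")
    if "*" not in facs and facility not in facs:
        return None
    if prio == "none":
        return False
    if prio == "*":
        return True
    if prio.startswith("="):
        return _prio_num(prio[1:]) == _prio_num(priority)
    # a bare priority means this level and everything more severe
    return _prio_num(priority) <= _prio_num(prio)


def destinations_for(facility, priority, text=SAMPLE_CONF):
    """Actions (file paths, '@host', named pipes, ...) that receive
    messages of the given facility and priority."""
    dests = []
    for selectors, action, _ in parse_syslog_conf(text):
        verdict = None
        for sel in selectors.split(";"):
            v = _selector_verdict(sel, facility, priority)
            if v is not None:
                verdict = v          # a later selector wins for this facility
        if verdict:
            dests.append(action)
    return dests


def rules_without_tab(text=SAMPLE_CONF):
    """Selectors of rule lines where no tab separates selector and action."""
    return [sel for sel, _, tab in parse_syslog_conf(text) if not tab]


if __name__ == "__main__":
    print("kern.debug ->", destinations_for("kern", "debug"))
    print("kern.info  ->", destinations_for("kern", "info"))
    print("mail.info  ->", destinations_for("mail", "info"))
    print("rules without a tab separator:", rules_without_tab())
```

Run against a real file with `destinations_for("kern", "debug", open("/etc/syslog.conf").read())`; an empty result for kern/debug means the LOG rule's output will only ever be visible in dmesg, whatever klogd is doing.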

The problem I was having was that there was nothing in the log file. I could see the packets being logged by running dmesg, but nothing went to the file.

I opened up syslog’s startup script, /etc/init.d/syslog, and examined the part where it is supposed to start klogd, the kernel logger. It was commented out, apparently by my VPS host. Here is a snippet of my startup script. The lines marked “# added” are the ones I added; the commented-out ones are what was originally there.

start() {
        echo -n $"Starting system logger: "
        daemon syslogd $SYSLOGD_OPTIONS
        RETVAL=$?
        echo
        echo -n $"Starting kernel logger: "
        #passed klogd skipped #daemon klogd $KLOGD_OPTIONS
        daemon klogd $KLOGD_OPTIONS    # added
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/syslog
        return $RETVAL
}
stop() {
        echo -n $"Shutting down kernel logger: "
        #passed klogd skipped #killproc klogd
        killproc klogd    # added
        echo
        echo -n $"Shutting down system logger: "
        killproc syslogd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/syslog
        return $RETVAL
}

According to some people here, it is not necessary to log kernel messages, and it significantly increases the loadavg. I have already been monitoring my loadavgs on my servers, so I’ll wait a week and see if there is any significant change.

Of course, now that I realize klogd wasn’t even started, this whole thing seems pretty silly.
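Once klogd is running and the LOGDROP lines reach /var/log/firewall, the next question is what is in them. The parser below is an added example, not code from the original post. It reads kernel log lines carrying the "LOGDROP: " prefix from the rule above (from the syslog file or from raw dmesg output), splits the KEY=VALUE fields and the bare TCP flags, and counts new connection attempts (SYN without ACK) per source address for the rejected port. The sample log lines, addresses, MAC and IDs are constructed; the function names are assumptions. One caveat the counts carry: the LOG rule uses "-m limit --limit 2/sec --limit-burst 10", so anything above that rate is rejected without being logged and the totals are a lower bound.

```python
"""Parse and summarize iptables LOG entries from /var/log/firewall or dmesg.

Added example, not code from the original post.  Counts TCP SYN attempts
per source for lines carrying the "LOGDROP: " prefix.
"""
import re

# constructed sample lines in the format syslogd writes for the kernel
# facility (documentation addresses, made-up MAC and IP IDs)
SAMPLE_LOG = """\
Mar 12 10:15:01 localhost kernel: LOGDROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:50:56:00:00:02:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 12 10:15:01 localhost kernel: LOGDROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:50:56:00:00:02:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4243 DF PROTO=TCP SPT=51235 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 12 10:15:03 localhost kernel: eth0: link is up
Mar 12 10:15:07 localhost kernel: LOGDROP: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:50:56:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=99 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# "Mar 12 10:15:01 localhost kernel:" header written by syslogd
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:")


def parse_log_line(line, prefix="LOGDROP: "):
    """Return a dict of the LOG fields (plus 'FLAGS', 'timestamp', 'host'),
    or None if the line is not an iptables LOG entry with this prefix.
    Works on syslog file lines and on raw dmesg output."""
    idx = line.find(prefix + "IN=")
    if idx < 0:
        return None
    fields = {"timestamp": None, "host": None, "FLAGS": []}
    hdr = SYSLOG_HEADER.match(line)
    if hdr:
        fields["timestamp"] = hdr.group("ts")
        fields["host"] = hdr.group("host")
    for tok in line[idx + len(prefix):].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # e.g. SRC=..., DPT=25, OUT= (empty)
        else:
            fields["FLAGS"].append(tok)  # DF, SYN, ACK, ...
    return fields


def summarize(lines, prefix="LOGDROP: ", dport="25"):
    """Count logged connection attempts (TCP SYN, no ACK) per source address."""
    counts = {}
    for line in lines:
        f = parse_log_line(line, prefix)
        if f is None or f.get("PROTO") != "TCP" or f.get("DPT") != dport:
            continue
        if "SYN" not in f["FLAGS"] or "ACK" in f["FLAGS"]:
            continue                     # only new connection attempts
        counts[f["SRC"]] = counts.get(f["SRC"], 0) + 1
    return counts


def top_sources(lines, n=10, **kw):
    """Sources with the most logged attempts, most active first."""
    counts = summarize(lines, **kw)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for src, count in top_sources(SAMPLE_LOG.splitlines()):
        print("%-16s %d" % (src, count))
```

Feed it the real file with `top_sources(open("/var/log/firewall"))` or `dmesg` output piped through stdin; the same parser works on both because it keys on the prefix rather than on the syslog header.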

3 Responses to “iptables not logging to syslog”

  1. Częstochowa says:

    Thanks, it came in handy.

  2. I like what you guys are up to. This kind of clever work and coverage! Keep up the great work, guys. I’ve incorporated you guys into my personal blogroll.

  3. Do you mind if I quote a couple of your articles as long as I provide credit and sources back to your weblog? My blog is in the very same niche as yours and my users would truly benefit from some of the information you present here. Please let me know if this is alright with you. Thanks a lot!
