Syslog to Firewall

From Coolscript

About

This page is about security for people who run internet services on a public (cloud) host.
Nobody wants a burglar standing in front of the door, trying to guess the login credentials to their services.
If you want to stop that, this script might be your solution. Syslog to Firewall is a tool that keeps attackers from getting into your system. It runs on Linux, reads the syslog, auth, FTP and mail logs and searches them for failed logons caused by wrong credentials; once one address has produced more than the configured number of failures, that address is blocked with iptables for a configurable period. Syslog to Firewall ships as a script called syslog2fw.
Blocking is done by source address, so a legitimate user sitting behind the same NAT address as an attacker is locked out as well; put the addresses you administer from into the Whitelist before enabling blocking.

Required Perl Modules

A few Perl modules are required that are not installed by default. Installation sample for Debian:

~# apt-get install libhttp-date-perl libxml-simple-perl libmail-sendmail-perl

Installation

  • Download and unpack the archive
~# tar -xzf syslog2fw.tar.gz
  • Run the install script
~# ./install.sh

Script Settings

syslog2fw.xml (Array = Yes means the element may appear more than once)

Element   | Array | Attribute                  | Type    | Description
----------|-------|----------------------------|---------|------------------------------------------------------------------
Setup     | No    | IPTablesCmd                | String  | Path and command name of iptables
Setup     | No    | AutoAddChain               | Boolean | Create the script's chain automatically if it does not exist
Setup     | No    | MaxRequest                 | Integer | Maximum number of failed logins (password guesses) tolerated from one address
Setup     | No    | FirewallRuleName           | String  | Name of the iptables chain the script maintains, default = init-script
Setup     | No    | FirewallInsertPosition     | Integer | Position in the INPUT chain at which the jump to that chain is inserted, default = 2
Setup     | No    | UseGMT                     | Boolean | Interpret log timestamps as GMT/UTC, default = 0 (local time zone)
Setup     | No    | IgnoreSystemWhitelist      | Boolean | Disable the system whitelist, default = 0. Note: think about what you are doing before setting this
Setup     | No    | Syslog                     | Boolean | Send events to syslog, default = 0
Setup     | No    | WriteSplunkLog             | Boolean | Write a Splunk-formatted log, default = 0
Setup     | No    | Logage                     | Integer | Number of days to keep the script's own log files, default = 3
Setup     | No    | DoNotBlock                 | Boolean | Detect and log only, do not apply iptables rules, default = 0
Setup     | No    | WriteLog                   | Boolean | Write a log file under /var/log/..., default = 1
Setup     | No    | FirewallAllowAllLoggededIn | Boolean | After a successful SSH login, insert an ACCEPT rule for the source address (all protocols and ports)
Setup     | No    | CheckMailLog               | Boolean | Parse /var/log/mail.log for failed SMTP/POP/IMAP logins
Setup     | No    | CheckFTPLog                | Boolean | Parse /var/log/messages for failed FTP logins
Setup     | No    | CheckApacheLog             | Boolean | Parse /var/log/apache for failed logins
Setup     | No    | BlockTimeDelta, ExpireDelta| Integer | Used in the sample configuration below (86400 each) but not described on this page
Mail      | No    | Level                      | Integer | Message level: 0 = off; 1 = send failed su attempts; 2 = send when a login was successful; 3 = send when an IP address is blocked; 4 = send successful logins by mail; 5 = send any attempt by mail
Mail      | No    | IgnoreLocalNetwork         | Boolean | Do not send mail if the source address is on the local network, default = 1
Mail      | No    | Mailserver                 | String  | SMTP server address
Mail      | No    | To                         | String  | To address
Mail      | No    | From                       | String  | From address
Syslog    | Yes   | IP                         | String  | IP address of the syslog server
Whitelist | Yes   | IP                         | String  | Whitelisted IP address, never blocked

Script Configuration

<?xml version="1.0"?>
<CONFIG> 
<Setup 
 IPTablesCmd="/sbin/iptables"
 AutoAddChain="1"	
 BlockTimeDelta="86400"
 ExpireDelta="86400"
 MaxRequest="4"
 FirewallRuleName="init-script"
 FirewallInsertPosition="2"
 UseGMT="0"
 IgnoreSystemWhitelist="0"
 Syslog="0"
 WriteSplunkLog="1"
 Logage="3"
 DoNotBlock="0"
 WriteLog="1"
 FirewallAllowAllLoggededIn="1"
 CheckMailLog="1"
 CheckFTPLog="1"
 CheckApacheLog="0" 
/>
<Mail
 Level="2"
 IgnoreLocalNetwork="1"
 Mailserver="127.0.0.1"
 To="you@domain.com"
 From="you@domain.com"
/>
<Syslog IP="1.2.3.4"/>
<Whitelist IP="1.2.3.4"/>
</CONFIG>
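To make the detect-and-block loop described above concrete, here is an added Python example; it is not the project's Perl code. It reads the Setup and Whitelist parts of a configuration written in the syslog2fw.xml layout, counts OpenSSH "Failed password" lines per source address in a constructed auth.log excerpt, and prints the iptables commands that would put the offenders into the named chain at FirewallInsertPosition, with the LOG prefix seen in the sample output further down this page. The threshold semantics (block once failures exceed MaxRequest), the log format and the sample addresses are assumptions; mail/FTP log parsing, block expiry and the successful-login ACCEPT rule are not modelled.

```python
import re
import shlex
import subprocess
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed config in the syslog2fw.xml layout, trimmed to the attributes used here.
CONFIG_XML = """<?xml version="1.0"?>
<CONFIG>
<Setup IPTablesCmd="/sbin/iptables" AutoAddChain="1" MaxRequest="4"
       FirewallRuleName="init-script" FirewallInsertPosition="2" DoNotBlock="0"/>
<Whitelist IP="192.168.2.10"/>
</CONFIG>
"""

# Constructed /var/log/auth.log excerpt (OpenSSH format); addresses are documentation ranges.
AUTH_LOG = """\
Mar  3 10:15:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  3 10:15:03 host sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  3 10:15:05 host sshd[2003]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:15:07 host sshd[2004]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar  3 10:15:09 host sshd[2005]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar  3 10:16:00 host sshd[2010]: Failed password for alice from 192.168.2.10 port 40000 ssh2
Mar  3 10:16:02 host sshd[2010]: Failed password for alice from 192.168.2.10 port 40000 ssh2
Mar  3 10:16:04 host sshd[2010]: Failed password for alice from 192.168.2.10 port 40000 ssh2
Mar  3 10:16:06 host sshd[2011]: Failed password for alice from 192.168.2.10 port 40001 ssh2
Mar  3 10:16:08 host sshd[2011]: Failed password for alice from 192.168.2.10 port 40001 ssh2
Mar  3 10:17:00 host sshd[2020]: Accepted publickey for alice from 192.168.2.10 port 40002 ssh2
Mar  3 10:18:00 host sshd[2030]: Failed password for bob from 198.51.100.9 port 42000 ssh2
Mar  3 10:18:02 host sshd[2031]: Failed password for bob from 198.51.100.9 port 42002 ssh2
"""

# "invalid user" is optional so that unknown and known account names both count.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def load_config(xml_text):
    """Setup attributes plus the repeatable Whitelist elements, with the page's defaults."""
    root = ET.fromstring(xml_text)
    s = root.find("Setup").attrib
    return {
        "iptables": s.get("IPTablesCmd", "/sbin/iptables"),
        "auto_add_chain": s.get("AutoAddChain", "0") == "1",
        "max_request": int(s.get("MaxRequest", "4")),
        "chain": s.get("FirewallRuleName", "init-script"),
        "position": int(s.get("FirewallInsertPosition", "2")),
        "do_not_block": s.get("DoNotBlock", "0") == "1",
        "whitelist": {w.attrib["IP"] for w in root.findall("Whitelist")},
    }


def count_failures(log_text):
    """Failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(counts, cfg):
    """Addresses with more than MaxRequest failures (assumed semantics) that are not whitelisted."""
    return sorted(ip for ip, n in counts.items()
                  if n > cfg["max_request"] and ip not in cfg["whitelist"])


def iptables_commands(blocked, cfg, chain_exists=False):
    """Commands that block the offenders: a dedicated chain jumped to from INPUT at
    FirewallInsertPosition, then a LOG rule (prefix as in the page's sample output) and a DROP per address."""
    if cfg["do_not_block"] or not blocked:
        return []
    ipt, chain = cfg["iptables"], cfg["chain"]
    cmds = []
    if not chain_exists:  # -N fails on an existing chain, so create it only once
        if not cfg["auto_add_chain"]:
            raise RuntimeError(f"chain {chain} does not exist and AutoAddChain is off")
        cmds += [f"{ipt} -N {chain}", f"{ipt} -I INPUT {cfg['position']} -j {chain}"]
    for ip in blocked:
        cmds.append(f'{ipt} -A {chain} -s {ip} -j LOG --log-prefix "DropBy={chain} "')
        cmds.append(f"{ipt} -A {chain} -s {ip} -j DROP")
    return cmds


def apply(cmds, dry_run=True):
    """Print the commands; with dry_run=False (as root) execute them as well."""
    for c in cmds:
        print(c)
        if not dry_run:
            subprocess.run(shlex.split(c), check=True)


if __name__ == "__main__":
    cfg = load_config(CONFIG_XML)
    apply(iptables_commands(offenders(count_failures(AUTH_LOG), cfg), cfg))
```

Run as is it only prints: 203.0.113.7 (five failures) is blocked, 198.51.100.9 (two) is not, and 192.168.2.10 is spared despite five failures because it is whitelisted. Passing dry_run=False executes the commands, which needs root; on a second run set chain_exists=True or the -N call fails.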

Firewall Init Script

A sample init script. It is a recommendation only; how you set up your init script is up to you.
The one thing to be aware of is that Syslog to Firewall inserts the jump to its chain at the second position of the INPUT chain (the default FirewallInsertPosition).
Make sure your basic rules (loopback, whitelist, established connections) are at the first position, and that nothing accepting traffic comes before position 2: any service chain evaluated before the script's chain accepts connections that the script's DROP rules then never see.

The following script is an example:

#!/bin/bash
#
############
#INIT NAMES
############
IPTABLES=/sbin/iptables
INITWHITENAME=init-generic-white
INITGENSRC=init-generic-service
#Set the ip address of your host
INITIP=1.2.3.4
 
###########################
#INIT DEFAULT POLICY - DROP
###########################
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
###########################
#Flush Config
###########################
$IPTABLES -F
$IPTABLES -X
#
##########
#Whitelist
##########
#This must be the first rule of the INPUT chain; the script inserts its own chain at position 2 dynamically
#########################################################################################################
#SYSTEM RULES, REMEMBER: THIS IS THE FIRST RECORD FOR IPTABLES, THE SECOND WILL BE INSERTED BY THE SCRIPT
#########################################################################################################
$IPTABLES -N $INITWHITENAME
$IPTABLES -A $INITWHITENAME -s 127.0.0.1 -p all -j ACCEPT
#A packet forged with your own address as source matches this rule; keep rp_filter enabled
#(net.ipv4.conf.all.rp_filter=1) so the kernel drops such packets before iptables sees them
$IPTABLES -A $INITWHITENAME -s $INITIP -p all -j ACCEPT
$IPTABLES -A $INITWHITENAME -i lo -p all -j ACCEPT
 
###################################
#Whitelist, add or remove your rules (example: a network you administer from)
###################################
#$IPTABLES -A $INITWHITENAME -s 1.2.3.0/24 -j ACCEPT

######################
#SYSTEM ALLOW BY STATE
######################
$IPTABLES -A $INITWHITENAME -m state --state RELATED,ESTABLISHED -j ACCEPT
######################
#SYSTEM to INPUT chain
######################
$IPTABLES -A INPUT -j $INITWHITENAME
#
#######################################################################
#General Services, THIS WILL BE OUR THIRD RULE AFTER THE SCRIPT HAS RUN
#######################################################################
$IPTABLES -N $INITGENSRC
#########################
#Add or remove your rules
#########################
#Allow FTP Inbound
$IPTABLES -A $INITGENSRC -p TCP --dport=21 -m state --state NEW,ESTABLISHED -j ACCEPT
#Allow SSH Inbound
$IPTABLES -A $INITGENSRC -p TCP --dport=22 -m state --state NEW,ESTABLISHED -j ACCEPT
#Allow SMTP Inbound
$IPTABLES -A $INITGENSRC -p TCP --dport=25 -m state --state NEW,ESTABLISHED -j ACCEPT
#Allow WWW Inbound
$IPTABLES -A $INITGENSRC -p TCP --dport=80 -m state --state NEW,ESTABLISHED -j ACCEPT
#Allow SSL Inbound
$IPTABLES -A $INITGENSRC -p TCP --dport=443 -m state --state NEW,ESTABLISHED -j ACCEPT
#Allow ICMP Inbound
$IPTABLES -A $INITGENSRC -p ICMP -j ACCEPT
######################
#SYSTEM to INPUT chain
######################
$IPTABLES -A INPUT -j $INITGENSRC
#
############
#Return rule
############
#Allow all outputs
$IPTABLES -A OUTPUT -j ACCEPT
#
#############
#LOG AND DROP
#############
$IPTABLES -N my_drop
$IPTABLES -A my_drop -p ICMP -j LOG --log-prefix "DROP-ICMP "
$IPTABLES -A my_drop -p TCP -j LOG --log-prefix "DROP-TCP "
$IPTABLES -A my_drop -p UDP -j LOG --log-prefix "DROP-UDP "
$IPTABLES -A my_drop -j DROP
$IPTABLES -A INPUT -j my_drop
$IPTABLES -A FORWARD -j my_drop
### Finished ###

Sample Output after the init script has run

The original page colour-codes the listing; the chains it highlights are:

  • Initialized whitelist (init-generic-white)
  • General allowed services (init-generic-service)

The listing below was taken from a host whose whitelist and service chain differ from the script above (192.168.2.10 and 78.xx.yy.zz whitelisted, only SSH and HTTPS allowed), so it does not match the script line for line.


~# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   396 init-generic-white    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 init-generic-service  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 my_drop               all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 my_drop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   464 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain init-generic-service (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain init-generic-white (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.2.10         0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    6   396 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       78.xx.yy.zz          0.0.0.0/0            state NEW,ESTABLISHED

Chain my_drop (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP-ICMP "
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP-TCP "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP-UDP "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Sample Output after syslog2fw has run

The original page colour-codes the listing; the chains it highlights are:

  • Initialized whitelist (init-generic-white, position 1 of INPUT)
  • Chain inserted by the script (init-script), remember: at the second position of INPUT, holding
    • an ACCEPT for 192.168.2.10x, the source of a successful login (FirewallAllowAllLoggededIn)
    • LOG and DROP rules for 12x.12x.21x.3x, blocked for password guessing
  • General allowed services (init-generic-service)


~# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  2435 init-generic-white    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    48 init-script           all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    48 init-generic-service  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    48 my_drop               all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 my_drop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   15  1563 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain init-generic-service (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain init-generic-white (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
    2   479 ACCEPT     all  --  *      *       192.168.2.10         0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0    10 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0    20 ACCEPT     all  --  *      *       78.xx.yy.zz          0.0.0.0/0            state NEW,ESTABLISHED

Chain init-script (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       192.168.2.10x        0.0.0.0/0
    0     0 LOG        all  --  *      *       12x.12x.21x.3x       0.0.0.0/0            LOG flags 0 level 4 prefix "DropBy=init-script "
    0     0 DROP       all  --  *      *       12x.12x.21x.3x       0.0.0.0/0

Chain my_drop (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP-ICMP "
    1    48 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP-TCP "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP-UDP "
    1    48 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0



Cron Job

  • Add the job with crontab -e; the sample runs syslog2fw every minute at a lowered CPU priority (nice 15)
*/1 * * * * /usr/bin/nice -n 15 /usr/local/syslog2fw/syslog2fw.pl

Blocks are applied only when the job runs, so an attacker can keep guessing for up to a minute after crossing MaxRequest before the DROP rule is in place; a shorter interval narrows that window at the cost of parsing the logs more often.


Download the script