Syslog to Firewall: Difference between revisions
Download the script: https://coolscript.org/download/scripts/syslog2fw.zip
Latest revision as of 13:09, 4 March 2022
About
This page is about security for people who run internet services on a public (cloud) host.
Nobody wants a burglar at their door trying to guess the login credentials for their services.
If you want to prevent this, this script might be your solution.
Syslog to Firewall is a tool that helps keep attackers out of your system. It runs on Linux, reads the syslog, auth, FTP and mail logs, and searches for failed logins caused by wrong user credentials; when it finds them, it blocks the source address for a configurable period of time. Syslog to Firewall is a script called syslog2fw.
Required Perl Modules
A few required Perl modules are not installed by default; please run the following commands:
- Installation sample for Debian
~# apt-get install libhttp-date-perl
~# apt-get install libxml-simple-perl
~# apt-get install libmail-sendmail-perl
Installation
- Download and untar the files
~# tar -xzf syslog2fw.tar.gz
- Run the install script
~# ./install.sh
Script Settings
Element | Array | Attribute | Description | Type
---|---|---|---|---
Setup | No | IPTablesCmd | Path and command name of iptables | String
Setup | No | AutoAddChain | Automatically add the chain if it does not exist | Boolean
Setup | No | MaxRequest | Maximum number of password guesses | Integer
Setup | No | FirewallRuleName | Rule (chain) name for iptables, default = init-script | String
Setup | No | FirewallInsertPosition | Rule position in iptables, default = 2 | Integer
Setup | No | UseGMT | Set the time zone, default = 0 (local zone, not GMT/UTC) | Boolean
Setup | No | IgnoreSystemWhitelist | Set to disable system whitelisting, default = 0. Note: think about what you are doing before setting this | Boolean
Setup | No | Syslog | Set to enable system syslog, default = 0 | Boolean
Setup | No | WriteSplunkLog | Set to enable Splunk logging, default = 0 | Boolean
Setup | No | Logage | Age in days of log files, default = 3 | Integer
Setup | No | DoNotBlock | Do not apply iptables rules, default = 0 | Boolean
Setup | No | WriteLog | Write log to /var/log/..., default = 1 | Boolean
Setup | No | FirewallAllowAllLoggededIn | In the event of a successful ssh login, enable access to all internal services for that address | Boolean
Setup | No | CheckMailLog | Parse /var/log/mail.log for invalid smtp/pop/imap logins | Boolean
Setup | No | CheckFTPLog | Parse /var/log/messages for invalid ftp logins | Boolean
Setup | No | CheckApacheLog | Parse /var/log/apache for invalid logins | Boolean
Mail | No | Level | Message level: 0 = Off; 1 = Send false su attempts; 2 = Send when login was successful; 3 = Send when an IP address is getting blocked; 4 = Send successful logins via mail; 5 = Send any attempts via mail | Integer
Mail | No | IgnoreLocalNetwork | Do not send e-mail if the sender is local, default = 1 | Boolean
Mail | No | Mailserver | SMTP address | String
Mail | No | To | To address | String
Mail | No | From | From address | String
Syslog | Yes | IP | IP address of the syslog server | String
Whitelist | Yes | IP | Whitelisted IP address | String
Script Configuration
<?xml version="1.0"?>
<CONFIG>
  <Setup IPTablesCmd="/sbin/iptables" AutoAddChain="1" BlockTimeDelta="86400" ExpireDelta="86400"
         MaxRequest="4" FirewallRuleName="init-script" FirewallInsertPosition="2" UseGMT="0"
         IgnoreSystemWhitelist="0" Syslog="0" WriteSplunkLog="1" Logage="3" DoNotBlock="0"
         WriteLog="1" FirewallAllowAllLoggededIn="1" CheckMailLog="1" CheckFTPLog="1" CheckApacheLog="0" />
  <Mail Level="2" IgnoreLocalNetwork="1" Mailserver="127.0.0.1" To="you@domain.com" From="you@domain.com" />
  <Syslog IP="1.2.3.4"/>
  <Whitelist IP="1.2.3.4"/>
</CONFIG>
Firewall Init Script
A sample init script follows. It is a recommendation only; how you set up your own init script is up to you.
The only thing to be aware of is that Syslog to Firewall inserts its rule at the second position of the INPUT chain (default).
Please make sure your basic rules are initialized at the first position of iptables.
The following script is an example:
#!/bin/bash
#
############
#INIT NAMES
############
IPTABLES=/sbin/iptables
INITWHITENAME=init-generic-white
INITGENSRC=init-generic-service
#Set the ip address of your host
INITIP=1.2.3.4
###########################
#INIT DEFAULT POLICY - DROP
###########################
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
###########################
#Flush Config
###########################
$IPTABLES -F
$IPTABLES -X
#
##########
#Whitelist
##########
#This must be added as the first rule of the INPUT chain; please note that rule number 2 will be inserted dynamically
#########################################################################################################
#SYSTEM RULES, REMEMBER: THIS IS THE FIRST RECORD FOR IPTABLES, THE SECOND WILL BE INSERTED BY THE SCRIPT
#########################################################################################################
$IPTABLES -N $INITWHITENAME
$IPTABLES -A $INITWHITENAME -s 127.0.0.1 -p all -j ACCEPT
$IPTABLES -A $INITWHITENAME -s $INITIP -p all -j ACCEPT
$IPTABLES -A $INITWHITENAME -i lo -p all -j ACCEPT
###################################
#Whitelist, add or remove your rules
###################################
#$IPTABLES -A $INITWHITENAME -s 1.2.3.0/16 -j ACCEPT
#$IPTABLES -A $INITWHITENAME -s 1.2.3.0/16 -j ACCEPT
######################
#SYSTEM ALLOW BY STATE
######################
$IPTABLES -A $INITWHITENAME -m state --state RELATED,ESTABLISHED -j ACCEPT
######################
#SYSTEM to INPUT chain
######################
$IPTABLES -A INPUT -j $INITWHITENAME
#
#######################################################################
#General Services, THIS WILL BE OUR THIRD RULE AFTER THE SCRIPT HAS RUN
#######################################################################
$IPTABLES -N $INITGENSRC
#########################
#Add or remove your rules
#########################
#Allow FTP Inbound
$IPTABLES -A $INITGENSRC -p TCP --dport=21 -m state --state NEW,ESTABLISHED -j ACCEPT
#Allow SSH Inbound
$IPTABLES -A $INITGENSRC -p TCP --dport=22 -m state --state NEW,ESTABLISHED -j ACCEPT
#Allow SMTP Inbound
$IPTABLES -A $INITGENSRC -p TCP --dport=25 -m state --state NEW,ESTABLISHED -j ACCEPT
#Allow WWW Inbound
$IPTABLES -A $INITGENSRC -p TCP --dport=80 -m state --state NEW,ESTABLISHED -j ACCEPT
#Allow SSL Inbound
$IPTABLES -A $INITGENSRC -p TCP --dport=443 -m state --state NEW,ESTABLISHED -j ACCEPT
#Allow ICMP Inbound
$IPTABLES -A $INITGENSRC -p ICMP -j ACCEPT
######################
#SYSTEM to INPUT chain
######################
$IPTABLES -A INPUT -j $INITGENSRC
#
############
#Return rule
############
#Allow all outputs
$IPTABLES -A OUTPUT -j ACCEPT
#
#############
#LOG AND DROP
#############
#Chain "my_drop": log the dropped packet, then drop it (-N takes no match options, so the comment lives here)
$IPTABLES -N my_drop
$IPTABLES -A my_drop -p ICMP -j LOG --log-prefix "DROP-ICMP "
$IPTABLES -A my_drop -p TCP -j LOG --log-prefix "DROP-TCP "
$IPTABLES -A my_drop -p UDP -j LOG --log-prefix "DROP-UDP "
$IPTABLES -A my_drop -j DROP
$IPTABLES -A INPUT -j my_drop
$IPTABLES -A FORWARD -j my_drop
### Finished ###
Sample Output after the init script has run
Explanation of the output (color-coded on the original page):
- Initialized whitelist
- General allowed services
~# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target                prot opt in     out     source               destination
    6   396 init-generic-white    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 init-generic-service  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 my_drop               all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target                prot opt in     out     source               destination
    0     0 my_drop               all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target                prot opt in     out     source               destination
    4   464 ACCEPT                all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain init-generic-service (1 references)
 pkts bytes target                prot opt in     out     source               destination
    0     0 ACCEPT                tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
    0     0 ACCEPT                tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
    0     0 ACCEPT                icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain init-generic-white (1 references)
 pkts bytes target                prot opt in     out     source               destination
    0     0 ACCEPT                all  --  *      *       127.0.0.1            0.0.0.0/0
    0     0 ACCEPT                all  --  *      *       192.168.2.10         0.0.0.0/0
    0     0 ACCEPT                all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    6   396 ACCEPT                all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT                all  --  *      *       78.xx.yy.zz          0.0.0.0/0            state NEW,ESTABLISHED

Chain my_drop (3 references)
 pkts bytes target                prot opt in     out     source               destination
    0     0 LOG                   icmp --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP-ICMP "
    0     0 LOG                   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP-TCP "
    0     0 LOG                   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP-UDP "
    0     0 DROP                  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Sample Output after the Script has run
Explanation of the output (color-coded on the original page):
- Initialized whitelist
- iptables rule inserted by the script; remember, it sits at the second position of the INPUT chain
- Successful login from 192.168.2.10
- Blocked login (password guessing) from 12x.12x.21x.3x
- General allowed services
~# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target                prot opt in     out     source               destination
   28  2435 init-generic-white    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    48 init-script           all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    48 init-generic-service  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1    48 my_drop               all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target                prot opt in     out     source               destination
    0     0 my_drop               all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target                prot opt in     out     source               destination
   15  1563 ACCEPT                all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain init-generic-service (1 references)
 pkts bytes target                prot opt in     out     source               destination
    0     0 ACCEPT                tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
    0     0 ACCEPT                tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 state NEW,ESTABLISHED
    0     0 ACCEPT                icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain init-generic-white (1 references)
 pkts bytes target                prot opt in     out     source               destination
    0     0 ACCEPT                all  --  *      *       127.0.0.1            0.0.0.0/0
    2   479 ACCEPT                all  --  *      *       192.168.2.10         0.0.0.0/0
    0     0 ACCEPT                all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0    10 ACCEPT                all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0    20 ACCEPT                all  --  *      *       78.xx.yy.zz          0.0.0.0/0            state NEW,ESTABLISHED

Chain init-script (1 references)
 pkts bytes target                prot opt in     out     source               destination
    0     0 ACCEPT                all  --  *      *       192.168.2.10x        0.0.0.0/0
    0     0 LOG                   all  --  *      *       12x.12x.21x.3x       0.0.0.0/0            LOG flags 0 level 4 prefix "DropBy=init-script "
    0     0 DROP                  all  --  *      *       12x.12x.21x.3x       0.0.0.0/0

Chain my_drop (3 references)
 pkts bytes target                prot opt in     out     source               destination
    0     0 LOG                   icmp --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP-ICMP "
    1    48 LOG                   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP-TCP "
    0     0 LOG                   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP-UDP "
    1    48 DROP                  all  --  *      *       0.0.0.0/0            0.0.0.0/0
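As an added illustration (not the syslog2fw script itself), the following Python sketch performs the core steps the Script Settings and the output above describe on constructed sshd log lines: count failed logins per source address, skip addresses listed in the Whitelist, keep addresses that logged in successfully (the FirewallAllowAllLoggededIn case), and print the iptables commands that build a chain like the init-script chain shown, inserted at position 2 of INPUT (FirewallInsertPosition). The function names, the sample log lines and the comparison rule (an address is blocked once it reaches MaxRequest failures) are assumptions, and the commands are printed rather than applied, which corresponds to DoNotBlock=1.

```python
import re
from collections import Counter
# Constructed sample sshd lines in auth.log format (not taken from the page).
SAMPLE_LOG = """\
Mar  4 13:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  4 13:01:05 host sshd[1202]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  4 13:01:09 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51251 ssh2
Mar  4 13:01:13 host sshd[1204]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar  4 13:02:00 host sshd[1210]: Failed password for root from 192.168.2.10 port 40000 ssh2
Mar  4 13:02:03 host sshd[1210]: Failed password for root from 192.168.2.10 port 40000 ssh2
Mar  4 13:02:04 host sshd[1210]: Failed password for root from 192.168.2.10 port 40000 ssh2
Mar  4 13:02:05 host sshd[1210]: Failed password for root from 192.168.2.10 port 40000 ssh2
Mar  4 13:02:09 host sshd[1211]: Accepted password for alice from 198.51.100.9 port 40002 ssh2
Mar  4 13:03:10 host sshd[1212]: Failed password for root from 198.51.100.9 port 40010 ssh2
"""
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from " + IP + r" port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for \S+ from " + IP + r" port")

def count_failures(log_text):
    """Failed-login count per source IP; this is what MaxRequest is compared against."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def accepted_logins(log_text):
    """Source IPs with a successful login (the FirewallAllowAllLoggededIn case)."""
    return sorted({m.group(1) for m in map(ACCEPTED_RE.search, log_text.splitlines()) if m})

def offenders(counts, max_request, whitelist):
    """IPs that reached MaxRequest failures and are not in the <Whitelist> set (assumed >= rule)."""
    return sorted(ip for ip, n in counts.items() if n >= max_request and ip not in whitelist)

def build_rules(bad_ips, ok_ips, rule_name="init-script", position=2, iptables="/sbin/iptables"):
    """Commands mirroring the Setup attributes: chain FirewallRuleName at FirewallInsertPosition of INPUT."""
    cmds = [f"{iptables} -N {rule_name}", f"{iptables} -I INPUT {position} -j {rule_name}"]
    cmds += [f"{iptables} -A {rule_name} -s {ip} -j ACCEPT" for ip in ok_ips]
    for ip in bad_ips:  # LOG first, then DROP, as in the init-script chain of the sample output
        cmds.append(f'{iptables} -A {rule_name} -s {ip} -j LOG --log-prefix "DropBy={rule_name} "')
        cmds.append(f"{iptables} -A {rule_name} -s {ip} -j DROP")
    return cmds

if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG)
    bad = offenders(counts, max_request=4, whitelist={"192.168.2.10"})
    print("\n".join(build_rules(bad, accepted_logins(SAMPLE_LOG))))  # DoNotBlock=1: print, do not apply
```

With the sample data, 192.168.2.10 reaches the threshold but is skipped because it is whitelisted, 203.0.113.7 gets LOG and DROP rules, and 198.51.100.9 gets an ACCEPT rule because it logged in successfully.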
Cron Job
- Add a cron job with crontab -e; the sample shows the job running with the lowest CPU priority:
*/1 * * * * /usr/bin/nice -n 15 /usr/local/syslog2fw/syslog2fw.pl