The Community Forums


csf dynamic iptable logging

Discussion in 'General Discussion' started by matthewdavis, Nov 12, 2006.

  1. matthewdavis
    I was looking for a way to use something other than the iptables analyzer (fwlogwatch) that csf provides. I found http://www.gege.org/iptables/. This allowed for multiple systems to populate a single db and pull reports from that db (search by port, by host, top offending hosts, etc.). I found it was much easier to hack csf's code to match up with what iptables_logger expected. So provided below are the steps I took to allow you to specify the --log-prefix csf uses.

    1 - Add the following to csf.conf, as these are where you define what is written to syslog:

    TCP_IN_LOG_TEXT = "'[IPTABLES TCP_IN] '"
    TCP_OUT_LOG_TEXT = "'[IPTABLES TCP_OUT] '"
    UDP_IN_LOG_TEXT = "'[IPTABLES UDP_IN] '"
    UDP_OUT_LOG_TEXT = "'[IPTABLES UDP_OUT] '"
    ICMP_IN_LOG_TEXT = "'[IPTABLES ICMP_IN] '"
    ICMP_OUT_LOG_TEXT = "'[IPTABLES ICMP_OUT] '"
    BLOCK_LIST_TEXT = "'[IPTABLES BLOCK_LIST] '"

    2 - Apply the following patch to csf.pl.

    Code:
    --- csf.pl.orig 2006-11-12 02:52:05.000000000 -0500
    +++ csf.pl      2006-11-12 02:24:09.000000000 -0500
    @@ -169,13 +169,13 @@
                            &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -m limit --limit 30/m --limit-burst 5 -j ULOG --ulog-nlgroup 1 --ulog-prefix 'ConfigServer Firewall'");
                            if (($config{LF_SPAMHAUS} or $config{LF_DSHIELD}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A BLOCKDROP -m limit --limit 30/m --limit-burst 5 -j ULOG --ulog-nlgroup 1 --ulog-prefix 'IP Block List'");}
                    } else {
    -                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p tcp -i $config{ETH_DEVICE} $dports -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP_IN Blocked* '");
    -                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p tcp -o $config{ETH_DEVICE} $dports -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *TCP_OUT Blocked* '");
    -                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p udp -i $config{ETH_DEVICE} $dports -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *UDP_IN Blocked* '");
    -                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p udp -o $config{ETH_DEVICE} $dports -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *UDP_OUT Blocked* '");
    -                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p icmp -i $config{ETH_DEVICE} -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *ICMP_IN Blocked* '");
    -                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p icmp -o $config{ETH_DEVICE} -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *ICMP_OUT Blocked* '");
    -                       if (($config{LF_SPAMHAUS} or $config{LF_DSHIELD}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A BLOCKDROP -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix 'Firewall: *BLOCK_LIST* '");}
    +                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p tcp -i $config{ETH_DEVICE} $dports -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix $config{TCP_IN_LOG_TEXT}");
    +                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p tcp -o $config{ETH_DEVICE} $dports -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix $config{TCP_OUT_LOG_TEXT}");
    +                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p udp -i $config{ETH_DEVICE} $dports -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix $config{UDP_IN_LOG_TEXT}");
    +                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p udp -o $config{ETH_DEVICE} $dports -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix $config{UDP_OUT_LOG_TEXT}");
    +                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p icmp -i $config{ETH_DEVICE} -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix $config{ICMP_IN_LOG_TEXT}");
    +                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROP -p icmp -o $config{ETH_DEVICE} -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix $config{ICMP_OUT_LOG_TEXT}");
    +                       if (($config{LF_SPAMHAUS} or $config{LF_DSHIELD}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A BLOCKDROP -m limit --limit 30/m --limit-burst 5 -j LOG --log-prefix $config{BLOCK_LIST_TEXT}");}
                    }
            }
            if (($config{LF_SPAMHAUS} or $config{LF_DSHIELD}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A BLOCKDROP -j DROP");}
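    Review bot: the seven replaced `-j LOG` lines pass the prefix unquoted (`--log-prefix $config{TCP_IN_LOG_TEXT}`), so the shell quoting now lives in csf.conf and the rule only loads while each value keeps its inner single quotes (`"'[IPTABLES TCP_IN] '"`); a prefix entered without them splits on the space and the iptables call fails, one containing a single quote breaks the command line, and a csf.conf that lacks the new keys yields `--log-prefix` with no argument, since the hunk sets no defaults. Quote in the code instead, e.g. `--log-prefix '$config{TCP_IN_LOG_TEXT}'`, fall back to the old `'Firewall: *TCP_IN Blocked* '` text when the key is empty, and store plain `[IPTABLES TCP_IN] ` in csf.conf. The ULOG branch in the unchanged context above still hard-codes `--ulog-prefix 'ConfigServer Firewall'` and `'IP Block List'`, so the new keys have no effect when ULOG is used; either apply them there as well or document that they cover the LOG target only.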
    
    This doesn't break fwlogwatch, as fwlogwatch doesn't care what the --log-prefix is. But iptables_logger does. Maybe this will be helpful in using other firewall scripts too. I'll also see if chirpy thinks this would be reasonable to include in the main csf distro.
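    To show what the changed prefixes buy you, here is a small log parser and report, added here as an example and not code from csf, iptables_logger, fwlogwatch or the poster. It reads kernel LOG lines carrying the `[IPTABLES <CHAIN>] ` prefixes from step 1, ignores lines that still carry csf's original `Firewall: *TCP_IN Blocked* ` text, and produces the per-port, per-host and top-offender views the post mentions. The syslog lines, hostname and addresses are constructed sample data; the parser assumes the standard `KEY=VALUE` field layout of the netfilter LOG target and the documented 29-character limit on `--log-prefix`.

```python
# Added example: parse csf iptables LOG lines with the [IPTABLES <CHAIN>] prefixes
# configured in csf.conf above and report on them. Not csf or iptables_logger code.
import re
from collections import Counter

# Prefix text as it reaches the kernel LOG target: the csf.conf value with the
# surrounding shell quotes removed.
CSF_PREFIXES = {
    "TCP_IN": "[IPTABLES TCP_IN] ",
    "TCP_OUT": "[IPTABLES TCP_OUT] ",
    "UDP_IN": "[IPTABLES UDP_IN] ",
    "UDP_OUT": "[IPTABLES UDP_OUT] ",
    "ICMP_IN": "[IPTABLES ICMP_IN] ",
    "ICMP_OUT": "[IPTABLES ICMP_OUT] ",
    "BLOCK_LIST": "[IPTABLES BLOCK_LIST] ",
}

# The iptables LOG target refuses a --log-prefix longer than 29 characters, so
# check any new prefix before restarting csf.
MAX_LOG_PREFIX = 29


def oversized_prefixes(prefixes=CSF_PREFIXES):
    """Chain names whose prefix iptables would reject."""
    return sorted(n for n, p in prefixes.items() if len(p) > MAX_LOG_PREFIX)


# syslog header, optional printk timestamp, our prefix, then KEY=VALUE fields
# with bare flags (DF, SYN, ACK ...) mixed in.
LINE_RE = re.compile(
    r"kernel: (?:\[\s*\d+\.\d+\] )?\[IPTABLES (?P<chain>[A-Z_]+)\] (?P<fields>.*)$"
)


def parse_line(line):
    """Record for one csf-prefixed LOG line, or None for anything else, including
    lines that still carry the old 'Firewall: *TCP_IN Blocked*' prefix."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields, flags = {}, []
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        else:
            flags.append(token)

    def port(key):
        return int(fields[key]) if fields.get(key, "").isdigit() else None

    return {
        "chain": m.group("chain"),
        "in": fields.get("IN") or None,    # IN= is empty on outbound packets
        "out": fields.get("OUT") or None,
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": port("SPT"),
        "dpt": port("DPT"),
        "flags": flags,
    }


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def hits_per_chain(records):
    return dict(Counter(r["chain"] for r in records))


def top_sources(records, n=5, chain=None):
    """Most frequent source hosts, optionally for one chain only."""
    hits = Counter(r["src"] for r in records if chain is None or r["chain"] == chain)
    return hits.most_common(n)


def by_port(records, dpt):
    """Every logged packet aimed at one destination port, e.g. what hit 22."""
    return [r for r in records if r["dpt"] == dpt]


# Constructed sample syslog, not a real capture. Line 4 carries a printk
# timestamp, line 7 still uses csf's original prefix, line 8 is kernel noise.
SAMPLE_SYSLOG = """\
Nov 12 02:52:05 web1 kernel: [IPTABLES TCP_IN] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4711 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 02:52:06 web1 kernel: [IPTABLES TCP_IN] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4712 DF PROTO=TCP SPT=43211 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 02:52:07 web1 kernel: [IPTABLES UDP_IN] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=9 DF PROTO=UDP SPT=5060 DPT=5060 LEN=28
Nov 12 02:52:08 web1 kernel: [ 1234.567890] [IPTABLES TCP_IN] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4713 DF PROTO=TCP SPT=43212 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 02:52:09 web1 kernel: [IPTABLES BLOCK_LIST] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.18.0.9 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=256 DF PROTO=TCP SPT=1025 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 12 02:52:10 web1 kernel: [IPTABLES TCP_OUT] IN= OUT=eth0 SRC=198.51.100.5 DST=192.0.2.200 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51234 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 02:52:11 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.99 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=1024 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 12 02:52:12 web1 kernel: eth0: link up
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_SYSLOG)
    print("oversized prefixes:", oversized_prefixes())
    print("hits per chain:", hits_per_chain(recs))
    print("top sources:", top_sources(recs, 3))
    print("port 22:", [(r["src"], r["chain"]) for r in by_port(recs, 22)])
```

    Note that the packet on line 7 of the sample, which also targets port 22, never reaches the port-22 report: it still has the old prefix, which is exactly why a prefix-keyed analyzer such as iptables_logger needs the change in csf.conf and csf.pl above. The same regex can be pointed at `/var/log/messages` (or wherever syslog writes kernel facility) by feeding the file's text to `parse_log`.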
     
  2. matthewdavis
  3. chirpy
    Thanks for this. I did look at that stats logger but decided on the more simplistic approach with fwlogwatch. I'll look at including your instructions in the documentation and the mod into the base code for the log prefixes :)
     