Very Computer

Iptables logs to /var/log/messages, so this quickly becomes a mess of
different logs. Is there a way for iptables to log to a different file,
for example /var/log/iptables ?
Could someone point me in the right direction, cause I don't have any
idea how to search for this.

Thanks !

Quote:> Iptables logs to /var/log/messages, so this quickly becomes a mess of
> different logs. Is there a way for iptables to log to a different file,
> for example /var/log/iptables ?
> Could someone point me in the right direction, cause I don't have any
> idea how to search for this.

I've recently been playing around with this too :)
The program responsible for the logging is syslogd. Lookup "man syslogd"

To modify the settings of what types of logs go where, modify
/etc/syslog.conf. Mine looks like this:

kern.crit                       /dev/console
kern.warn                       /var/log/kernel.log
mail.*                          /var/log/maillog
*.*;mail.none;kern.!warn        /var/log/messages.log

This means that critical kernel errors are put on the machine's console;
kernel "warning" level (that's iptables by default) goes to kernel.log;
everything relating to mail goes in maillog and everything "else" goes in
messages. This seems to keep my logs pretty clean.

--
http://www.pc-tools.net/
DOS, Win32, Linux software

There is also a great advantage to moving all your log files. Most of the
"smart" things that cracker-kiddies do is only smart because a script did it
for them. Make the script fail and a large percentage of the damage done on
breakins goes away.
For a laugh, keep dummies in place with a nightly cron to copy the real logs
to the default location. That way it doesnt error and clue them in.

Another tip is making a seperate directory for copies of ls, ps, find, and
netstat which you add to roots path.

Its only another level of safety but can save you some headache down the
road.

Gandalf  Parker

Hi there Gandalf!

I'm glad I'm not the only one who does these things!  I thought my
paranoia was getting out of control!

--
Regards
Luke
------
Q:  What does FAQ stand for?
A:  We are Frequently Asked this Question, and we have no idea.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
------
PLEASE NOTE: Spamgard (tm) installed.

------

Luke Vogel wrote at Monday 10 September 2001 09:31 like only he can:

Even better, log additional to another host, using the remote logging
facility syslogd has...:-)

Michael Heiming

Even better, have the default login profiles/RC's in the /etc directory
include an email to you when root or other low logins are used. Each of
those "default" login files include a routine to check for low UID/GID
before setting umask. I tend to add a line there saying

Even better if you can tie it in to a pager so that the machine pages you
"Someone just logged in as root"

Gandalf  Parker
Using standard fixes breeds standard cracks.
Security thru Obscurity and Creativity.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Variations on a theme:

You can use "spawn" via tcp-wrappers to do much the same, although
hosts.allow and hosts.deny are among the first things changed if someone
wants to own a box.

Look for the BOFH patch to bash. It contains the ability to log input to
bash via syslog. You can place the modified bash as /bin/sh and remove that
entry from /etc/shells. If you hook up an old (inexpensive) line printer
you can redirect that logging stream to hardcopy.

-----BEGIN PGP SIGNATURE-----
Comment: Keeping the world safe for geeks.

iD8DBQE7npmPwBVKl/Nci0oRAg4wAJ401eP16NBLXsRlg8l6Hdrhje8pVgCfXGIZ
Lk7Dv1STHecXXvNpU5eCNmc=
=gT5Z
-----END PGP SIGNATURE-----

Loading a personal bash is also a popular action. But they tend to still use
the default files in /etc

(or they did, until I decided to post this to a public newsgroup  :-)

Gandalf  Parker

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

True enough, a shell or any other utility can be brought in on demand.
Brings to mind Luke's suggestion to obfuscate the location of lynx/wget a
while back. A few weeks later I found a host serving a common automated
exploit with a newly included source code for a simple wget-like utility
along for the ride.

As you yourself have said, breaking with the standard pattern (file
locations, logging routines, etc.) breaks most cracks, but you have to pay
attention either way. Nothing is "set and forget" when it comes to
security, or so I have been told.

-----BEGIN PGP SIGNATURE-----
Comment: Keeping the world safe for geeks.

iD8DBQE7nt4BwBVKl/Nci0oRAhIYAJ9C1wSbi6q5NcYvc7ZfRnepH7TjXQCggBIs
Qqp/wVh4qY1b912pTJ3xHUg=
=S/nw
-----END PGP SIGNATURE-----

Something I found to be amazingly effective is to use some of thier tricks
against them. I never knew of chattr until I had it used on me. Then I found it
in a rootkit script. Doing a   chattr +i   on important binarys and files can
be useful. (not logs though, the subject line has wandered)

Quote:> As you yourself have said, breaking with the standard pattern (file
> locations, logging routines, etc.) breaks most cracks, but you have to pay
> attention either way. Nothing is "set and forget" when it comes to
> security, or so I have been told.

Yes nothing catches all of them. And the word "secure" should always be used
with some kind of modifier such as "temporarily" or "for now.

Gandalf  Parker

Gandalf Parker wrote at Wednesday 12 September 2001 16:52 like only
he can:

Yeah, really amazing effective, someone who managed to root your box
would know how to reset it and it's only available case you use ext2.

Michael Heiming

Totally not true. The majority that root the box only use chattr because
the script does it. They have no clue what it is, what it does, or how to
use it. Hell Ive seen rooters sit for hours tryng to figure out how to
view a list of files.

Very few hackers are actively breaking into boxes. Most are just dumb
crackers or script-kiddies using rootkits.  Its not the script-kiddies you
are combating. Its the writers of the rootkits.

Gandalf  Parker

Gandalf Parker wrote at Wednesday 12 September 2001 21:59 like only
he can:

It's not true, that chattr isn't available on Ie. reiserfs?

The man page on the machine I'm currently writting this, is pretty
clear about that, you'd be better of installing a real OS on your
desktop, instead of writting some wrong statements from your nifty
Winbloze 95 (what a secure system) box.

CHATTR(1)                                               CHATTR(1)

NAME
       chattr - change file attributes on a Linux second extended
       file system

If someone gets rooted by some script kiddies, he shouldn't admin an
unix system.

lsattr -R /bin | awk '!/------------/'

Nuff said.

Michael Heiming

   So any script can chattr target binaries to wide open first, and then
attack/replace them.  The only really non-alterable binary is one you've
burned onto a CDROM.  If you don't modify a production system too often,
a couple of bucks per CD is not too major an expense.  Mind you, loading
binaries from a 4-X CDROM is going to suck speedwise, compared to
loading from a fast harddrive.

  A few questions...

  1) Is there such an animal as a harddrive with an on-off write-protect
     *HARDWARE* switch accessable from the outside (backplane) ?  If so,
     store /bin, /sbin, /etc (etc, etc) on it and writable directories on
     another drive.

  2) Has anybody put together a FAQ or HOWTO demonstrating a CDROM-based
     system ?

  3) A variant on a 1) or 2) above might be to have...

     - machine 1 (lets call it 192.168.0.2) is a standard system with NFS
       or SMB shares.  Heavily armour this sytem, and make sure it gives
       only read access.  It'll also remote-syslogd for its client(s)

     - machine 2 (lets call it 192.168.0.3) boots off a floppy or CD or
       direct network boot off 192.168.0.2.  192.168.0.3 has read-only
       access to 192.168.0.2.  The only data it sends to 192.168.0.2 is
       syslog data.  All writable local user files remain on 192.168.0.3,
       and /bin, /sbin, etc, etc are remote mounts on 192.168.0.2.  A 100
       PCI nic should easily give good "harddrive" speeds.

     - 192.168.0.3 uses a second nic to talk to the net.  Or maybe the
       machines are plugged into a switch/router that isolates the master
       machine from the net.

     Is it possible to squeeze a network-boot kernel into a 1.44 meg
floppy ?  Have I just re-invented .NET for linux <g> ?

--

Procmail-based spam filters http://www.waltdnes.org/email
Read about the New Apartheid in Canada http://www.waltdnes.org/apartheid2001