Logs
- Understanding shorewall logs
- Console logging
- Making the logs go somewhere else
Understanding shorewall logs
Once you've started shorewall up, you will probably almost immediately start getting logs of dropped packets: the internet is a wild, wild place, full of noise and people constantly scanning your machine. You didn't know it before, but now it's getting logged in /var/log/kern.log. Here is an example:
Oct 20 12:21:04 black Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:30:48:29:84:b0:00:0c:ce:b3:ef:00:08:00 SRC=220.189.242.170 DST=69.90.134.222 LEN=404 TOS=00 PREC=0x00 TTL=113 ID=10040 PROTO=UDP SPT=2621 DPT=1434 LEN=384
This line tells you that a packet came in on eth0, the MAC addresses involved, the IP it came from (SRC) and the destination it was headed for (DST). Then come some flags that you typically don't need to pay attention to; PROTO shows that it was a UDP packet, the source port it was coming from was 2621 (SPT), and it was trying to hit port 1434 on our side (DPT). If you grep 1434 in /etc/services you will see:
ms-sql-m 1434/tcp # Microsoft SQL Monitor
Very interesting, but not something we are running, thanks for stopping by to see if we were....
You should pay close attention to these logs when you have first started up your shorewall: this is where you will see if you forgot to add something to your rules, because it will be blocked.
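As an added example (not part of the original page), here is a small Python parser for the kern.log format shown above: it splits each Shorewall line into its KEY=value fields, counts DROP/REJECT entries per destination port, and resolves the port through an /etc/services-style table, which is the "grep 1434 in /etc/services" step done for every line. The sample log lines and the services excerpt are constructed here; only the first log line is the one quoted on this page.

```python
import re
from collections import Counter

# Constructed kern.log sample: the page's own line, a made-up TCP SYN drop, and a non-Shorewall line.
SAMPLE_LOG = """\
Oct 20 12:21:04 black Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:30:48:29:84:b0:00:0c:ce:b3:ef:00:08:00 SRC=220.189.242.170 DST=69.90.134.222 LEN=404 TOS=00 PREC=0x00 TTL=113 ID=10040 PROTO=UDP SPT=2621 DPT=1434 LEN=384
Oct 20 12:21:09 black Shorewall:net2all:DROP: IN=eth0 OUT= MAC=00:30:48:29:84:b0:00:0c:ce:b3:ef:00:08:00 SRC=192.0.2.7 DST=69.90.134.222 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 12:21:10 black kernel: eth0: link is up
"""

# Constructed excerpt in /etc/services format (the real file also has a 1434/udp entry).
SAMPLE_SERVICES = """\
ssh             22/tcp
ms-sql-m        1434/tcp        # Microsoft SQL Monitor
ms-sql-m        1434/udp        # Microsoft SQL Monitor
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:\s]+): (?P<rest>.*)$")

def parse_shorewall_line(line):
    """Fields of one Shorewall log line as a dict, or None if it is not a Shorewall line."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for tok in rec.pop("rest").split():
        key, _, val = tok.partition("=")  # bare tokens such as SYN, ACK get val ""
        rec.setdefault(key, val)          # LEN appears twice (IP, then UDP): keep the IP one
    return rec

def load_services(text):
    """Map (port, proto) -> service name from /etc/services-style lines (comments stripped)."""
    table = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            port, proto = parts[1].split("/")
            table[(int(port), proto.lower())] = parts[0]
    return table

def summarize_drops(log_text, services):
    """Count DROP/REJECT packets per (proto, dport, service name) to see what is being probed."""
    counts = Counter()
    for rec in map(parse_shorewall_line, log_text.splitlines()):
        if rec and rec["disp"] in ("DROP", "REJECT"):
            proto, dport = rec["PROTO"].lower(), int(rec["DPT"])
            counts[(proto, dport, services.get((dport, proto), "?"))] += 1
    return counts
```

Feed it the contents of /var/log/kern.log and the real /etc/services instead of the constructed samples; summarize_drops(...).most_common() then lists the most-probed ports with their service names.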
Console logging
It's not fun to go to the colo to fix your machine and find that the screen is filled with firewall logs so you can't see what you are typing. Unfortunately, the way Debian comes configured up through sarge (note: this will be fixed in etch), this is what happens.
There are two ways you can stop this from happening. The first is to copy /usr/share/doc/shorewall/start to /etc/shorewall and add the following line to the end:
dmesg -n5
The start file will run the commands you put in it immediately after shorewall has started. Running that dmesg command sets the kernel console log level, i.e. the level at which kernel messages are still printed to the console. Shorewall logs at kern.info, which is level 6, so if you set the console level to 5 then these logs won't be spit onto the console.
The second way, if you are using klogd, is to edit /etc/init.d/klogd and set this line:
KLOGD="-c 5"
and then:
# /etc/init.d/klogd restart
but if you aren't running klogd this won't do anything.
In etch this will be configurable in /etc/default/klogd.
Making the logs go somewhere else
By default, in Debian, the shorewall logs will get tossed into /var/log/kern.log. This is a fun place, especially if you are running logwatch or logcheck, as you will be inundated with firewall logs to the point of ignoring those otherwise important emails.
The first thing to do to deal with the firewall logs, is to make them go somewhere else so that you can then process them separately (I'm still looking for a good way to do this, if anyone knows anything, fwanalog etc. just didn't seem to cut it).
Note: The following requires that your kernel was built with ULOG target support. If you are using a debian supplied kernel, this is there (whew!).
To do this, first install the ulogd package:
# apt-get install ulogd
Edit /etc/ulogd.conf and change this line:
syslogfile /var/log/ulog/syslogemu.log
to
syslogfile /var/log/ulog/firewall.log
Then touch /var/log/ulog/firewall.log so it exists:
# touch /var/log/ulog/firewall.log
Then restart the ulog daemon so it takes this setting:
# /etc/init.d/ulogd restart
Then edit /etc/shorewall/params (if you do not have this file, copy the stub from /usr/share/doc/shorewall/default-config/params) and add the following line:
LOG=ULOG
Then edit /etc/shorewall/shorewall.conf and change the LOGFILE line and the following lines to be:
LOGFILE=/var/log/ulog/firewall.log
LOGNEWNOTSYN=$LOG
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=$LOG
BOGON_LOG_LEVEL=$LOG
Then edit your /etc/shorewall/policy file and replace all the LOG LEVEL entries (which are probably set to "info") with $LOG. For example, if your policy file has:
net all DROP info
all all REJECT info
Change it to (only the log level column changes; the policy itself stays as it was):
net all DROP $LOG
all all REJECT $LOG
Then edit your /etc/shorewall/rules file and change any logging entries you have there (if you are doing the SSH brute-force setup, you probably are logging your Limit and Whitelist rules to loglevel "info"):
Limit:$LOG:SSH net fw tcp ssh
Whitelist:$LOG net fw
If you are logging anything else to any other syslog facility, be sure to change those as well.
Once you've changed all this, reload shorewall to get the settings in place. Watch the new firewall log with tail -f to make sure that it is working (you might have to wait for something to be denied before it shows up, so be patient!).