patterndb and intrusion prevention
Greetings,

In 2011, Bazsi posted an entry [1] about a fellow named Valentijn Sessink doing some interesting work with patterndb and the iptables xt_recent module. I am mostly there (following Valentijn's example), but am having issues. Specifically, it does not seem that syslog-ng is writing the IPs to the xt_recent proc "file". Syslog-ng is writing them to a regular log file, though:

# cat /proc/net/xt_recent/syslogblock
#
other-system$ ssh doug@system
other-system$
# cat /var/log/syslogblock
2013-07-30 16:26:42 Failed password for invalid user doug from 131.212.109.58 port 37867 ssh2 +131.212.109.58
2013-07-30 16:26:42 Failed password for invalid user doug from 131.212.109.58 port 37867 ssh2 +131.212.109.58
2013-07-30 16:45:26 Failed none for invalid user doug from 131.212.109.58 port 37956 ssh2 +131.212.109.58
# cat /proc/net/xt_recent/syslogblock
#

I can add the host by hand to the xt_recent file:

# echo '+131.212.109.58' > /proc/net/xt_recent/syslogblock
# echo '+131.212.109.58' > /proc/net/xt_recent/syslogblock
# echo '+131.212.109.58' > /proc/net/xt_recent/syslogblock
# cat /proc/net/xt_recent/syslogblock
src=131.212.109.58 ttl: 0 last_seen: 5445045124 oldest_pkt: 3 5445044388, 5445044844, 5445045124

The above is the expected output.

Here are my configs:

$ cat /etc/syslog-ng/conf.d/ssh-failure-iptables-recent-block.conf
# a destination; we have a dual destination here, a file to see the
# blocked hosts, and an iptables-destination in /proc to block them.
destination d_syslogblock {
    file("/proc/net/xt_recent/syslogblock" template("+${usracct.device}\n"));
    file("/var/log/syslogblock" template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC $MSG +${usracct.device}\n"));
};

# a parser for the pattern-DB we made in step 1
parser pattern_db {
    db_parser(file("/var/lib/syslog-ng/patterndb.xml"));
};

# a filter to filter the parser results
filter f_syslogblock {
    tags("secevt") and match("REJECT" value("secevt.verdict"));
};

# and finally, the log itself:
log {
    source(s_src);
    parser(pattern_db);
    filter(f_syslogblock);
    destination(d_syslogblock);
};
On 31.07.2013 00:00, Matt Zagrabelny wrote:
> # cat /var/log/syslogblock
> 2013-07-30 16:26:42 Failed password for invalid user doug from 131.212.109.58 port 37867 ssh2 +131.212.109.58
> template("+${usracct.device}\n")

Are you sure that usracct.device contains only the IP?

I use syslog-ng with xt_recent without any problems:
http://blog.schaal-24.de/?p=159&lang=en

regards
Florian
Hi Florian,

On 31-07-13 10:30, Florian Schaal wrote:
> I use syslog-ng with xt_recent without any problems:
> http://blog.schaal-24.de/?p=159&lang=en

... which version of syslog-ng do you use? Which kernel version? Which distribution and/or OS?

Best regards,
Valentijn
Hi Matti,

I'm having problems as well with my own setup, since migrating to syslog-ng 3.3.4. I only just found out (see my other message from today). I'm getting "I/O error occurred while writing; fd='24', error='Illegal seek (29)'" all over the place. I am guessing (from reading the source, but still, guessing, as I did not really trace calls), that somewhere, an open(O_APPEND) changed to the current lseek() behaviour.

And, from what I tried, using lseek() on a /proc file does not seem to work.

So there: my own setup doesn't work.

I worked around it by using

destination d_syslogblock {
    program("/bin/cat > /proc/net/xt_recent/syslogblock" template("+${usracct.device}\n"));
};

which somewhat works. It seems to do some buffering so it is not quite fast.

I'm hoping to get this resolved in a better way though, because calling external programs (even if they're "cat") is what I was trying to avoid...

I hope this helps you. Did you find a way out?

Best regards,
Valentijn

On 31-07-13 00:00, Matt Zagrabelny wrote:
> but am having issues. Specifically, it does not seem that syslog-ng is writing the IPs to the xt_recent proc "file". Syslog-ng is writing them to a regular log file, though:
Hi Valentijn,

Comments inline.

On Tue, Aug 27, 2013 at 8:37 AM, Valentijn Sessink <valentyn@blub.net> wrote:
> Hi Matti,
>
> I'm having problems as well with my own setup, since migrating to syslog-ng 3.3.4. I only just found out (see my other message from today). I'm getting "I/O error occurred while writing; fd='24', error='Illegal seek (29)'" all over the place. I am guessing (from reading the source, but still, guessing, as I did not really trace calls), that somewhere, an open(O_APPEND) changed to the current lseek() behaviour.
>
> And, from what I tried, using lseek() on a /proc file does not seem to work.
>
> So there: my own setup doesn't work.
Interesting. I am running 3.3.9-1 from Debian/Sid.

I did some looking at the logs after I sent my original message and found these:

Error opening file for writing; filename='/proc/net/xt_recent/syslogblock', error='No such file or directory (2)'

Unfortunately my "free" time has been scooped up by other projects and I haven't gotten back to this one.
> I worked around it by using
>
> destination d_syslogblock {
>     program("/bin/cat > /proc/net/xt_recent/syslogblock" template("+${usracct.device}\n"));
> };
>
> which somewhat works. It seems to do some buffering so it is not quite fast.
>
> I'm hoping to get this resolved in a better way though, because calling external programs (even if they're "cat") is what I was trying to avoid...
>
> I hope this helps you. Did you find a way out?

Not yet. :/

Cheers,
-mz
Hi Matt,

On 27-08-13 16:30, Matt Zagrabelny wrote:
> Error opening file for writing; filename='/proc/net/xt_recent/syslogblock', error='No such file or directory (2)'

Could it be that you run syslog-ng before your iptables has started? Because /proc/net/xt_recent/...anything... only exists after you have created an iptables "recent" rule with the name of ...anything...

So you could try:
- run your iptables ruleset
- check if /proc/net/xt_recent/syslogblock exists
- then run (or restart) syslog-ng

These efforts are all just to be able to run into the next problem ;-) - which is the one I referenced in my previous e-mail. You may want to save some of your precious free time to do free things - I hope to be back with a solution soon.

Best regards,
Valentijn
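An added example, not from anyone in this thread: a small POSIX sh feeder that can stand in for the /bin/cat in Valentijn's program() destination. It answers Florian's question by accepting only lines of the form "+<IPv4>", writes every line with its own open/write/close so nothing is buffered and no lseek() is attempted, and refuses to start while the xt_recent control file is missing (the "No such file or directory" case, i.e. the iptables "recent" rule has not been loaded yet). The script path /usr/local/sbin/xt-recent-feed and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a feeder to use instead of /bin/cat in the
# program() destination, e.g. program("/usr/local/sbin/xt-recent-feed" template("+${usracct.device}\n"));
# Script path and function names are assumptions.
XT_RECENT_FILE="${XT_RECENT_FILE:-/proc/net/xt_recent/syslogblock}"

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# feed_line LINE TARGET: accept exactly "+<IPv4>" and write it to TARGET. One
# redirection per line gives one open(), one write(), one close(): no append
# mode and no lseek(), which is what failed for the file() destination.
feed_line() {
    case "$1" in
        +*) addr=${1#+} ;;
        *)  printf 'xt-recent-feed: rejected %s (no leading +)\n' "$1" >&2; return 1 ;;
    esac
    if ! is_ipv4 "$addr"; then
        printf 'xt-recent-feed: rejected %s (not an IPv4 address)\n' "$1" >&2
        return 1
    fi
    printf '+%s\n' "$addr" > "$2"
}

# feed_loop [TARGET]: read "+IP" lines on stdin (what syslog-ng pipes in) and
# push each one immediately. The control file only appears once an iptables
# rule with "-m recent --name <name>" is loaded, so fail loudly if it is
# missing instead of silently dropping addresses.
feed_loop() {
    target=${1:-$XT_RECENT_FILE}
    if [ ! -e "$target" ]; then
        printf 'xt-recent-feed: %s missing; load the iptables recent rule first\n' "$target" >&2
        return 1
    fi
    while IFS= read -r line; do
        feed_line "$line" "$target" || :   # a bad line must not stop the feeder
    done
}

if [ "${0##*/}" = "xt-recent-feed" ]; then   # only when run as the installed script
    feed_loop
fi
```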
participants (3): Florian Schaal, Matt Zagrabelny, Valentijn Sessink