[syslog-ng] patterndb and intrusion prevention
Matt Zagrabelny
mzagrabe at d.umn.edu
Wed Jul 31 00:00:00 CEST 2013
Greetings,
In 2011, Bazsi posted an entry [1] about a fellow named Valentijn
Sessink doing some interesting work with patterndb and the iptables
xt_recent module. I am mostly there (following Valentijn's example),
but am having issues. Specifically, it does not seem that syslog-ng is
writing the IPs to the xt_recent proc "file". Syslog-ng is writing
them to a regular log file, though:
# cat /proc/net/xt_recent/syslogblock
#
other-system$ ssh doug at system
other-system$
# cat /var/log/syslogblock
2013-07-30 16:26:42 Failed password for invalid user doug from
131.212.109.58 port 37867 ssh2 +131.212.109.58
2013-07-30 16:26:42 Failed password for invalid user doug from
131.212.109.58 port 37867 ssh2 +131.212.109.58
2013-07-30 16:45:26 Failed none for invalid user doug from
131.212.109.58 port 37956 ssh2 +131.212.109.58
# cat /proc/net/xt_recent/syslogblock
#
I can add the host by hand to the xt_recent file:
# echo '+131.212.109.58' > /proc/net/xt_recent/syslogblock
# echo '+131.212.109.58' > /proc/net/xt_recent/syslogblock
# echo '+131.212.109.58' > /proc/net/xt_recent/syslogblock
# cat /proc/net/xt_recent/syslogblock
src=131.212.109.58 ttl: 0 last_seen: 5445045124 oldest_pkt: 3
5445044388, 5445044844, 5445045124
The above is the expected output.
Here are my configs:
$ cat /etc/syslog-ng/conf.d/ssh-failure-iptables-recent-block.conf
# a destination; we have a dual destination here, a file to see the
# blocked hosts, and an iptables-destination in /proc to block them.
destination d_syslogblock {
    file(
        "/proc/net/xt_recent/syslogblock"
        template("+${usracct.device}\n")
    );
    file(
        "/var/log/syslogblock"
        template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC $MSG +${usracct.device}\n")
    );
};

# a parser for the pattern-DB we made in step 1
parser pattern_db {
    db_parser(
        file("/var/lib/syslog-ng/patterndb.xml")
    );
};

# a filter to filter the parser results
filter f_syslogblock {
    tags("secevt")
    and
    match(
        "REJECT"
        value("secevt.verdict")
    );
};

# and finally, the log itself:
log {
    source(s_src);
    parser(pattern_db);
    filter(f_syslogblock);
    destination(d_syslogblock);
};
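The pipeline the config above is meant to implement (pick the source address out of an sshd failure line, then hand xt_recent a "+addr" command the same way the manual echo in the post does, one command per write) as an added, stand-alone example. This is not code from the post or from syslog-ng; the log lines are constructed to match the format quoted above, the target path is a parameter so it can be pointed at an ordinary file for testing, and the per-address failure threshold is an addition not present in the post's config.

```python
"""Turn sshd authentication failures into xt_recent '+addr' commands.

Added example, not from the original post. Assumes the sshd log format
the post quotes, and a writable xt_recent proc file whose path is passed
in (so the logic can be exercised against a plain file).
"""
import ipaddress
import re
import sys
from collections import Counter

# Matches the sshd lines shown in the post, e.g.
#   Failed password for invalid user doug from 131.212.109.58 port 37867 ssh2
#   Failed none for invalid user doug from 131.212.109.58 port 37956 ssh2
# and the variant without "invalid user" for accounts that do exist.
SSHD_FAILURE = re.compile(
    r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<addr>\S+) port (?P<port>\d+) ssh2"
)

# Constructed sample input (assumption: the usual syslog prefix in front
# of the message text the post shows).
SAMPLE_LOG = [
    "Jul 30 16:26:42 system sshd[1234]: Failed password for invalid user doug "
    "from 131.212.109.58 port 37867 ssh2",
    "Jul 30 16:26:42 system sshd[1234]: Failed password for invalid user doug "
    "from 131.212.109.58 port 37867 ssh2",
    "Jul 30 16:45:26 system sshd[1240]: Failed none for invalid user doug "
    "from 131.212.109.58 port 37956 ssh2",
    "Jul 30 16:50:01 system sshd[1250]: Failed password for root "
    "from 198.51.100.7 port 40000 ssh2",
    "Jul 30 16:51:13 system sshd[1251]: Accepted publickey for matt "
    "from 203.0.113.9 port 50000 ssh2",
]


def parse_failure(line):
    """Return the source address of an sshd failure line, or None."""
    m = SSHD_FAILURE.search(line)
    if not m:
        return None
    try:
        # Normalise and validate: only a real IP address reaches the kernel.
        return str(ipaddress.ip_address(m.group("addr")))
    except ValueError:
        return None


def block_commands(lines, threshold=3):
    """Return one '+addr' command per address seen at least `threshold` times.

    The post's config writes on every REJECT verdict; the threshold is an
    addition so a single typo does not earn a block.
    """
    counts = Counter(filter(None, map(parse_failure, lines)))
    return ["+%s" % addr for addr, n in sorted(counts.items()) if n >= threshold]


def write_commands(path, commands):
    """Write each command to `path` with its own write(2) call.

    Mirrors the manual `echo '+addr' > /proc/net/xt_recent/...` the post
    shows working: one newline-terminated command per write. Returns the
    number of commands written.
    """
    written = 0
    with open(path, "w") as fh:
        for cmd in commands:
            fh.write(cmd + "\n")
            fh.flush()  # force a separate write(2) per command
            written += 1
    return written


def main(argv=None):
    """Usage: python3 this.py /proc/net/xt_recent/syslogblock < sshd.log"""
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 1:
        print(main.__doc__, file=sys.stderr)
        return 2
    cmds = block_commands(sys.stdin.read().splitlines())
    n = write_commands(argv[0], cmds)
    print("wrote %d command(s): %s" % (n, " ".join(cmds)))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Against the constructed sample, only 131.212.109.58 reaches the default threshold of three failures, so a single "+131.212.109.58" line is written; the "Accepted publickey" line and the address with one failure are ignored.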