Centos syslog redirect
This procedure is to have successful and failed login attempts to the TMG unit sent to an external syslog server.
Prerequisites
To implement this, you need to remove direct access to the web portal from your firewall; the TMG unit is then accessed through the SSH port, and the web portal through an SSH tunnel.
We also use the standard CentOS syslog to send the cron and messages logs to the syslog server, so the syslog server needs to run CentOS.
Notes
The default UDP port of the syslog server is 514; this procedure rewrites the destination port of the unit's outgoing syslog traffic from 514 to 1524, so the syslog server must listen on 1524.
This procedure has been tested on CentOS 5. Change the hostname of the syslog server accordingly; in the procedure below, the hostname of the syslog server is lab_syslog_server.
Procedure For Syslog redirect
Make sure mgmt0 is available and active
Connect to the SSH interface, then run these commands:
ifconfig -a mgmt0;ethtool mgmt0
Output:
mgmt0     Link encap:Ethernet  HWaddr 00:34:45:94:E3:F7
          inet addr:10.10.10.10  Bcast:10.10.10.1  Mask:255.255.255.0
          ...
Settings for mgmt0:
          ...
          Link detected: yes
If mgmt0 does not exist, we need to modify the procedure for this port. Please contact TelcoBridges support.
Check whether firewall rules already exist
iptables -L -v; iptables -t nat -L -n -v
Example of an empty table:
Chain INPUT (policy ACCEPT 602M packets, 157G bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 614M packets, 144G bytes)
 pkts bytes target prot opt in out source destination

Chain PREROUTING (policy ACCEPT 1841K packets, 596M bytes)
 pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 1222K packets, 478M bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 13M packets, 4814M bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 13M packets, 4814M bytes)
 pkts bytes target prot opt in out source destination
If rules already exist, find out why they are active and whether they need to remain. Please contact TelcoBridges support.
Firewall rules to the management port
Apply these firewall rules to the management (SSH) interface. They accept SSH, ICMP, DNS, SNMP and already-established connections, drop everything else arriving on mgmt0, and redirect outgoing syslog traffic (UDP 514 -> 1524). Note that the --sport 53 rule accepts any UDP packet whose source port is 53, not only replies to the unit's own DNS queries; those replies are already covered by the RELATED,ESTABLISHED rule.
iptables -P INPUT ACCEPT
iptables -F
iptables -N TMG-Firewall-All
iptables -A TMG-Firewall-All -p tcp --dport 22 -j ACCEPT
iptables -A TMG-Firewall-All -p icmp -j ACCEPT
iptables -A TMG-Firewall-All -p udp --sport 53 -j ACCEPT
iptables -A TMG-Firewall-All -p udp --dport 53 -j ACCEPT
iptables -A TMG-Firewall-All -p udp --dport 161 -j ACCEPT
iptables -A TMG-Firewall-All -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A TMG-Firewall-All -j DROP
iptables -A INPUT -i mgmt0 -j TMG-Firewall-All
iptables -t nat -A OUTPUT -p udp --dport 514 -j DNAT --to-destination :1524
service iptables save
service iptables restart
Verify firewall rules
iptables -L -v; iptables -t nat -L -n -v
Final firewall output:
Chain INPUT (policy ACCEPT 685K packets, 303M bytes)
 pkts bytes target           prot opt in    out source   destination
 2441  390K TMG-Firewall-All all  --  mgmt0 any anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 677K packets, 280M bytes)
 pkts bytes target prot opt in out source destination

Chain TMG-Firewall-All (1 references)
 pkts bytes target prot opt in  out source   destination
  380 27568 ACCEPT tcp  --  any any anywhere anywhere    tcp dpt:ssh
  408 40586 ACCEPT icmp --  any any anywhere anywhere
   25  2994 ACCEPT udp  --  any any anywhere anywhere    udp spt:domain
    0     0 ACCEPT udp  --  any any anywhere anywhere    udp dpt:domain
    0     0 ACCEPT udp  --  any any anywhere anywhere    udp dpt:snmp
   90 10046 ACCEPT all  --  any any anywhere anywhere    state RELATED,ESTABLISHED
 1538  309K DROP   all  --  any any anywhere anywhere

Chain test (0 references)
 pkts bytes target prot opt in out source destination

Chain PREROUTING (policy ACCEPT 2539 packets, 897K bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 19007 packets, 7249K bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 19006 packets, 7249K bytes)
 pkts bytes target prot opt in  out source    destination
    0     0 DNAT   udp  --  *   *   0.0.0.0/0 0.0.0.0/0   udp dpt:514 to::1524
Add information to send to remote syslog
To forward successful/failed logins (authpriv), general messages and cron information, edit this file:
vim /etc/syslog.conf
Add these lines to the file (selector first, then the destination prefixed with @):
#Send to remote syslog
authpriv.*;*.info;cron.*    @lab_syslog_server
Then restart the syslog service:
service syslog restart
If the syslog server hostname (lab_syslog_server) cannot be resolved, edit the hosts file:
vi /etc/hosts
And add this line to the file:
[IP of syslog server] lab_syslog_server
e.g. 192.168.77.88 lab_syslog_server
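The selector authpriv.*;*.info;cron.* decides which messages leave the unit, and each forwarded UDP datagram starts with a <PRI> value derived from the message's facility and severity. The following script is an added example (not part of the TelcoBridges procedure): it evaluates sysklogd-style selectors and computes the PRI, so you can check what the page's line actually forwards before pointing it at a server. It assumes plain sysklogd semantics (entries are cumulative, a priority means that priority and anything more severe, .none clears a facility) and does not handle the = and ! modifiers.

```python
# Added example, not part of the TelcoBridges procedure: evaluate a
# sysklogd-style selector such as "authpriv.*;*.info;cron.*" and compute
# the RFC 3164 PRI that prefixes each UDP syslog datagram.
# Assumed semantics: entries are OR-ed together, "fac.prio" means prio and
# everything more severe, ".none" clears a facility; "=" and "!" modifiers
# are not supported.

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})

# Lower code = more severe.
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


def parse_selector(selector):
    """Return {facility: set of severity codes that match} for a selector."""
    allowed = {fac: set() for fac in FACILITIES}
    for entry in selector.split(";"):
        fac_part, sep, prio = entry.strip().rpartition(".")
        if not sep:
            raise ValueError(f"malformed selector entry {entry!r}")
        # "*" stands for every facility; "mail,uucp" lists several at once
        facs = list(FACILITIES) if fac_part == "*" else fac_part.split(",")
        for fac in facs:
            fac = fac.strip()
            if fac not in FACILITIES:
                raise ValueError(f"unknown facility {fac!r}")
            if prio == "none":
                allowed[fac] = set()              # ".none" removes the facility
            elif prio == "*":
                allowed[fac] = set(SEVERITIES.values())
            else:
                # the named priority and everything more severe (lower code)
                allowed[fac] |= set(range(SEVERITIES[prio] + 1))
    return allowed


def forwarded(selector, facility, severity):
    """True if a message with this facility/severity matches the selector."""
    return SEVERITIES[severity] in parse_selector(selector)[facility]


def pri(facility, severity):
    """PRI value written as <PRI> at the start of the datagram: facility*8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


PAGE_SELECTOR = "authpriv.*;*.info;cron.*"

if __name__ == "__main__":
    for fac, sev in [("authpriv", "debug"), ("kern", "debug"),
                     ("kern", "info"), ("cron", "debug"), ("mail", "warning")]:
        print(f"{fac}.{sev:<8} PRI=<{pri(fac, sev)}> "
              f"forwarded={forwarded(PAGE_SELECTOR, fac, sev)}")
```

Running it shows that *.info makes the unit forward every facility at info and above (kernel, daemon, mail, ...), not just logins and cron; if that is more than the syslog server should receive, narrow the selector or add facility.none entries.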
Instructions to access the web portal with SSH tunneling
See these links for setup. The local port must be a free one; the remote port will be 12358.
- Tunneling with Secure CRT
- Tunneling with Putty
- How to set up an SSH tunnel with Putty
Test the process
Tail the log file on the syslog server and log in to the unit with SSH:
tail -f /var/log/secure
You will see something like this:
Nov 30 10:05:53 10.10.10.10 sshd[3895]: Accepted password for root from 10.10.10.54 port 22501 ssh2
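Once the Accepted/Failed lines arrive in /var/log/secure on the syslog server, the point of the whole setup is to act on them. The script below is an added example, not part of the TelcoBridges procedure: it parses sshd lines in the format shown above, tallies accepted and failed logins per unit and source address, and flags a source that reaches a failure threshold or that gets a login accepted after earlier failures. The log sample is constructed for the example (only the first line is the page's own); the threshold of 3 is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure on the syslog server after the TMG
# (10.10.10.10) forwards its authpriv messages. The first line is the page's
# own example; the remaining lines are made up for this illustration.
SAMPLE_SECURE = """\
Nov 30 10:05:53 10.10.10.10 sshd[3895]: Accepted password for root from 10.10.10.54 port 22501 ssh2
Nov 30 10:06:01 10.10.10.10 sshd[3901]: Failed password for root from 10.10.10.99 port 40122 ssh2
Nov 30 10:06:03 10.10.10.10 sshd[3901]: Failed password for root from 10.10.10.99 port 40122 ssh2
Nov 30 10:06:05 10.10.10.10 sshd[3903]: Failed password for invalid user admin from 10.10.10.99 port 40130 ssh2
Nov 30 10:06:07 10.10.10.10 sshd[3905]: Failed password for invalid user oracle from 10.10.10.99 port 40131 ssh2
Nov 30 10:07:10 10.10.10.10 sshd[3910]: Accepted publickey for root from 10.10.10.54 port 22510 ssh2
Nov 30 10:07:30 10.10.10.10 sshd[3915]: Failed password for root from 10.10.10.54 port 22520 ssh2
Nov 30 10:07:31 10.10.10.10 sshd[3915]: pam_unix(sshd:auth): authentication failure; logname= uid=0
"""

# "Mon DD HH:MM:SS <unit> sshd[pid]: Accepted|Failed <method> for [invalid user] <user> from <ip> port <n>"
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_sshd_lines(text):
    """Extract Accepted/Failed sshd events; other lines (e.g. pam_unix) are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Per (unit, source IP): accepted/failed counts and the user names tried."""
    counts = defaultdict(lambda: {"accepted": 0, "failed": 0, "users": set()})
    for e in events:
        entry = counts[(e["host"], e["src"])]
        entry["accepted" if e["result"] == "Accepted" else "failed"] += 1
        entry["users"].add(e["user"])
    return counts


def suspicious_sources(events, max_failures=3):
    """Flag a source that reaches max_failures failed logins, or that has a
    login accepted after earlier failures (a guessed password is one cause).
    Returns {source IP: [reasons]} in log order; the threshold is an assumed value."""
    reasons = defaultdict(list)
    failures = defaultdict(int)
    for e in events:
        src = e["src"]
        if e["result"] == "Failed":
            failures[src] += 1
            if failures[src] == max_failures:
                reasons[src].append(f"{max_failures} failed logins on {e['host']}")
        elif failures[src]:
            reasons[src].append(
                f"accepted {e['method']} login for {e['user']} after {failures[src]} failures")
    return dict(reasons)


if __name__ == "__main__":
    events = parse_sshd_lines(SAMPLE_SECURE)
    for (host, src), c in summarize(events).items():
        print(f"{host} <- {src}: accepted={c['accepted']} failed={c['failed']} users={sorted(c['users'])}")
    for src, why in suspicious_sources(events).items():
        print(f"SUSPICIOUS {src}: {'; '.join(why)}")
```

Point parse_sshd_lines at the real file (for example the lines read by tail -f) to use it on the syslog server; the unit's address in the host field lets one server watch several TMG units at once.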
Other information
To enable reception of remote syslog messages on the server, set the -r option (accept remote messages) in /etc/sysconfig/syslog and restart syslog:
cat /etc/sysconfig/syslog
SYSLOGD_OPTIONS="-m 0 -r"
service syslog restart
If the remote syslog server listens on the default port 514, omit this line from the iptables rules:
iptables -t nat -A OUTPUT -p udp --dport 514 -j DNAT --to-destination :1524
To delete the redirection rule (rule 1 of the nat OUTPUT chain):
iptables -t nat -D OUTPUT 1
service iptables save
service iptables restart
By default, access information will be sent to this file on the syslog server:
/var/log/secure
and system messages will be sent to this file:
/var/log/messages