Centos rsyslog redirect
This procedure is to have successful and failed login attempts to the TMG unit sent to an external syslog server using rsyslog.
Prerequisites
To implement this, you need to remove the direct access to the web portal from your firewall, so the TMG unit must now be accessed through the SSH port, and the web portal with SSH tunneling.
We use the standard CentOS rsyslog to also send cron and messages to a syslog server
Notes
The default UDP port for the syslog server is 514 and this procedure redirects it to port 1524.
This procedure has been tested for CentOS 5. Change the hostname of the syslog server accordingly. In the procedure below, the hostname if the syslog server is : lab_syslog_server .
This procedure works for a standalone system. To allow 1+1 systems, please add the tcp port 3306 in the iptables for the database access.
Procedure For Syslog redirect
Make sure mgmt0 is available and active
Connect to SSH interface: Connect to SSH
Then do these commands
ifconfig -a mgmt0;ethtool mgmt0
Output:
mgmt0 Link encap:Ethernet HWaddr 00:34:45:94:E3:F7 inet addr:10.10.10.10 Bcast:10.10.10.1 Mask:255.255.255.0 ... Settings for mgmt0: ... Link detected: yes
If mgmt0 does not exist, we need to modify the procedure for this port. Please contact TelcoBridges support.
Check if some firewall rules exist already
iptables -L -v; iptables -t nat -L -n -v
Example of an empty table:
Chain INPUT (policy ACCEPT 602M packets, 157G bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 614M packets, 144G bytes) pkts bytes target prot opt in out source destination Chain PREROUTING (policy ACCEPT 1841K packets, 596M bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 1222K packets, 478M bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 13M packets, 4814M bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 13M packets, 4814M bytes) pkts bytes target prot opt in out source destination
If some rules exist, we have to know why they are active and if they need to remain there. Please contact TelcoBridges support.
Firewall rules to the management port
Apply these firewall rules on the SSH interface. These rules include SSH, ICMP, DNS, SNMP and Port redirection (514 -> 1524):
iptables -P INPUT ACCEPT iptables -F iptables -N TMG-Firewall-All iptables -A TMG-Firewall-All -p tcp --dport 22 -j ACCEPT iptables -A TMG-Firewall-All -p icmp -j ACCEPT iptables -A TMG-Firewall-All -p udp --sport 53 -j ACCEPT iptables -A TMG-Firewall-All -p udp --dport 53 -j ACCEPT iptables -A TMG-Firewall-All -p udp --dport 161 -j ACCEPT iptables -A TMG-Firewall-All -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A TMG-Firewall-All -j DROP iptables -A INPUT -i mgmt0 -j TMG-Firewall-All iptables -t nat -A OUTPUT -p udp --dport 514 -j DNAT --to-destination :1524 service iptables save service iptables restart
Verify firewall rules
iptables -L -v; iptables -t nat -L -n -v
Final firewall output:
Chain INPUT (policy ACCEPT 685K packets, 303M bytes) pkts bytes target prot opt in out source destination 2441 390K TMG-Firewall-All all -- mgmt0 any anywhere anywhere Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 677K packets, 280M bytes) pkts bytes target prot opt in out source destination Chain TMG-Firewall-All (1 references) pkts bytes target prot opt in out source destination 380 27568 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh 408 40586 ACCEPT icmp -- any any anywhere anywhere 25 2994 ACCEPT udp -- any any anywhere anywhere udp spt:domain 0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:domain 0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:snmp 90 10046 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED 1538 309K DROP all -- any any anywhere anywhere Chain test (0 references) pkts bytes target prot opt in out source destination Chain PREROUTING (policy ACCEPT 2539 packets, 897K bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 19007 packets, 7249K bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 19006 packets, 7249K bytes) pkts bytes target prot opt in out source destination 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 to::1524
Install rsyslog
On some systems, rsyslog may not be installed by default. You can check with this command:
yum list installed | grep rsyslog
If it is not installed do these commands:
yum clean metadata yum update
Add information to send to remote syslog
For successful/failed login, messages and cron info, do this command:
echo -e "\n#Send to remote syslog\nauthpriv.*;*.info;cron.* @lab_syslog_server\n" >> /etc/rsyslog.conf
Then stop the default syslog service and start the rsyslog service:
service syslog stop service rsyslog start
And make is available on reboot:
chkconfig syslog off chkconfig rsyslog on
If server hostname (syslog_server) is unreachable, edit the hosts file:
cat /etc/hosts
And add this line to the file:
[IP of syslog server] syslog_server e.g. 192.168.77.88 lab_syslog_server
Instructions to access the web portal with SSH tunneling
See these links for setup. Local port must be a free one and remote port will be 12358
Tunneling with Secure CRT
Tunneling with Putty
How to setup SSH tunnel with Putty
Test the process
Tail the file on the syslog server and access the unit with SSH:
tail -f /var/log/secure
you will see something like this:
Jan 4 15:42:11 192.168.101.170 HOSTOSIRIS sshd[3867]: Accepted password for root from 204.23.12.53 port 26149 ssh2
Other information
If the remote device uses syslog, make sure it can receive the events (no need to do if remote is rsyslog):
vim /etc/sysconfig/syslog SYSLOGD_OPTIONS="-m 0 -r" service syslog restart
If the remote syslog server is on the default port 514, remove this line from the iptables:
iptables -t nat -A OUTPUT -p udp --dport 514 -j DNAT --to-destination :1524
To delete iptables rules:
iptables -t nat -D OUTPUT 1 service iptables save service iptables restart
By default, access information will be sent to this file on the syslog server:
tail -f /var/log/secure
and system messages will be sent to this file:
tail -f /var/log/messages