Centos syslog redirect

From TBwiki
Jump to: navigation, search

This procedure is to have successful and failed login attempts to the TMG unit sent to an external syslog server.

Contents

Prerequisites

To implement this, you need to remove the direct access to the web portal from your firewall, so the TMG unit must now be accessed through the SSH port, and the web portal with SSH tunneling.
We use the standard CentOS syslog to also send cron and messages to the syslog server, so the syslog sever needs to be Centos OS

Notes

The default UDP port for the syslog server is 514 and this procedure redirects it to port 1524.
This procedure has been tested for CentOS 5. Change the hostname of the syslog server accordingly. In the procedure below, the hostname if the syslog server is : lab_syslog_server .
This procedure works for a standalone system. To allow 1+1 systems, please add the tcp port 3306 in the iptables for the database access.

Procedure For Syslog redirect

Make sure mgmt0 is available and active

Connect to SSH interface: Connect to SSH
Then do these commands

ifconfig -a mgmt0;ethtool mgmt0

Output:

mgmt0     Link encap:Ethernet  HWaddr 00:34:45:94:E3:F7
          inet addr:10.10.10.10  Bcast:10.10.10.1  Mask:255.255.255.0
...
Settings for mgmt0:
...
       Link detected: yes

If mgmt0 does not exist, we need to modify the procedure for this port. Please contact TelcoBridges support.

Check if some firewall rules exist already

iptables -L -v; iptables -t nat -L -n -v

Example of an empty table:

Chain INPUT (policy ACCEPT 602M packets, 157G bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 614M packets, 144G bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain PREROUTING (policy ACCEPT 1841K packets, 596M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 1222K packets, 478M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 13M packets, 4814M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 13M packets, 4814M bytes)
 pkts bytes target     prot opt in     out     source               destination

If some rules exist, we have to know why they are active and if they need to remain there. Please contact TelcoBridges support.

Firewall rules to the management port

Apply these firewall rules on the SSH interface. These rules include SSH, ICMP, DNS, SNMP and Port redirection (514 -> 1524):

iptables -P INPUT ACCEPT
iptables -F
iptables -N TMG-Firewall-All
iptables -A TMG-Firewall-All -p tcp --dport 22 -j ACCEPT
iptables -A TMG-Firewall-All -p icmp -j ACCEPT
iptables -A TMG-Firewall-All -p udp --sport 53 -j ACCEPT
iptables -A TMG-Firewall-All -p udp --dport 53 -j ACCEPT
iptables -A TMG-Firewall-All -p udp --dport 161 -j ACCEPT
iptables -A TMG-Firewall-All -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A TMG-Firewall-All -j DROP
iptables -A INPUT -i mgmt0 -j TMG-Firewall-All
iptables -t nat -A OUTPUT -p udp --dport 514 -j DNAT --to-destination :1524
service iptables save
service iptables restart

Verify firewall rules

iptables -L -v; iptables -t nat -L -n -v

Final firewall output:

Chain INPUT (policy ACCEPT 685K packets, 303M bytes)
 pkts bytes target     prot opt in     out     source               destination
 2441  390K TMG-Firewall-All  all  --  mgmt0  any     anywhere             anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 677K packets, 280M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain TMG-Firewall-All (1 references)
 pkts bytes target     prot opt in     out     source               destination
  380 27568 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
  408 40586 ACCEPT     icmp --  any    any     anywhere             anywhere
   25  2994 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:domain
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:domain
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:snmp
   90 10046 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
 1538  309K DROP       all  --  any    any     anywhere             anywhere
Chain test (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain PREROUTING (policy ACCEPT 2539 packets, 897K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 19007 packets, 7249K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 19006 packets, 7249K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:514 to::1524

Add information to send to remote syslog

For successful/failed login, messages and cron info, edit this file:

vim /etc/syslog.conf

Add these lines in the file:

 #Send to remote syslog
 authpriv.*;*.info;cron.*                                @lab_syslog_server

Then restart the syslog service

service syslog restart

If server hostname (syslog_server) is unreachable, edit the hosts file:

cat /etc/hosts

And add this line to the file:

 [IP of syslog server] syslog_server
 e.g. 192.168.77.88 lab_syslog_server

Instructions to access the web portal with SSH tunneling

See these links for setup. Local port must be a free one and remote port will be 12358
Tunneling with Secure CRT
Tunneling with Putty
How to setup SSH tunnel with Putty

Test the process

Tail the file on the syslog server and access the unit with SSH:

tail -f /var/log/secure

you will see something like this:

Nov 30 10:05:53 10.10.10.10 sshd[3895]: Accepted password for root from 10.10.10.54 port 22501 ssh2


Other information

To activate reception of remote syslog on Server:

cat /etc/sysconfig/syslog
SYSLOGD_OPTIONS="-m 0 -r"
service syslog restart

If the remote syslog server is on the default port 514, remove this line from the iptables:

iptables -t nat -A OUTPUT -p udp --dport 514 -j DNAT --to-destination :1524

To delete iptables rules:

iptables -t nat -D OUTPUT 1
service iptables save
service iptables restart

By default, access information will be sent to this file on the syslog server:

/var/log/secure

and system messages will be sent to this file:

/var/log/messages
Personal tools