  1. #1
    Just Joined!
    Join Date
    Aug 2012
    Posts
    12

    PSAD is Giving a Firewall Setup Warning. But UFW Logging is enabled.


    I have setup PSAD on my server. It asks me to add the following iptables rules:

    Code:
    iptables -A INPUT -j LOG
    iptables -A FORWARD -j LOG
    ip6tables -A INPUT -j LOG
    ip6tables -A FORWARD -j LOG
    I'm using UFW to manage iptables. So, I simply ran the command sudo ufw logging on. But, whenever I restart PSAD or restart my server, I get an email saying:

    message subject : [psad-status] firewall setup warning on server!

    HTML Code:
    [-] You may just need to add a default logging rule to the /sbin/iptables
        'filter' 'INPUT' chain on *server*.  For more information,
        see the file "FW_HELP" in the psad sources directory or visit:
    
        cipherdyne.org/psad/docs/fwconfig.html
    
    [-] You may just need to add a default logging rule to the /sbin/ip6tables
        'filter' 'INPUT' chain on *server*.  For more information,
        see the file "FW_HELP" in the psad sources directory or visit:
    
        cipherdyne.org/psad/docs/fwconfig.html
    PS: The machine has Ubuntu 12.04 and the latest PSAD 2.2 (compiled from the source).

  2. #2
    Just Joined! Quantum's Avatar
    Join Date
    Jun 2009
    Location
    Seattle, Ecotopia
    Posts
    22
    iptables -L |grep LOG

    I don't know about ufw, but with Shorewall I get:
    Code:
    LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:INPUT:DROP:"
    LOG        all  --  anywhere             anywhere             LOG level warning
    LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:FORWARD:DROP:"
    LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:OUTPUT:DROP:"
    LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:fw2local:DROP:"
    LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:fw2net:DROP:"
    LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:local2fw:DROP:"
    LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:local2net:DROP:"
    LOG        all  --  anywhere             anywhere             LOG level info ip-options prefix "Shorewall:logflags:DROP:"
    LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:net2fw:DROP:"
    LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:net2local:DROP:"
    LOG        all  --  anywhere             anywhere             LOG level info prefix "Shorewall:smurfs:DROP:"
    I've just installed psad and will test.

  3. #3
    Just Joined!
    Join Date
    Aug 2012
    Posts
    12
    My iptables -L |grep LOG output is below. I have set the log level to warn... will it be enough for PSAD?


    LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
    LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
    LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
    LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
    LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "

  4. #4
    Just Joined! Quantum's Avatar
    Join Date
    Jun 2009
    Location
    Seattle, Ecotopia
    Posts
    22
    Not if you want to see scans.

  5. #5
    Just Joined!
    Join Date
    Aug 2012
    Posts
    12
    Quote: Originally Posted by Quantum
    Not if you want to see scans.
    Then what level should I set?

  6. #6
    Just Joined! Quantum's Avatar
    Join Date
    Jun 2009
    Location
    Seattle, Ecotopia
    Posts
    22
    info, as above.

  7. #7
    Just Joined!
    Join Date
    Aug 2012
    Posts
    12
    Quote: Originally Posted by Quantum
    info, as above.
    Sorry, there's no info in UFW... Here are the logging levels of UFW:

    Code:
           off    disables ufw managed logging
    
           low    logs  all  blocked packets not matching the default policy (with
                  rate limiting), as well as packets matching logged rules
    
           medium log level low, plus all allowed packets not matching the default
                  policy,  all  INVALID  packets,  and  all  new connections.  All
                  logging is done with rate limiting.
    
           high   log level medium (without rate limiting), plus all packets  with
                  rate limiting
    
           full   log level high without rate limiting
    
           Loglevels  above  medium  generate  a  lot  of  logging output, and may
           quickly fill up your disk.  Loglevel  medium  may  generate  a  lot  of
           logging output on a busy system.
    
           Specifying ’on’ simply enables logging at log level ’low’ if logging is
           currently not enabled.

  8. #8
    Just Joined! Quantum's Avatar
    Join Date
    Jun 2009
    Location
    Seattle, Ecotopia
    Posts
    22
    Oh, as I say I don't know ufw. The end result should be :info when you iptables -L . I could tell you how to do it in Shorewall, but you don't seem to have the needed control in ufw.

  9. #9
    Just Joined!
    Join Date
    Aug 2012
    Posts
    12
    Is it better than UFW? Is it easy to configure? Do I need to learn it specifically? In UFW, I don't do much other than blocking the unneeded ports.

  10. #10
    Just Joined!
    Join Date
    Aug 2012
    Posts
    12
    Fixed the issue. Just added the rules:

    Code:
    -A INPUT -j LOG
    -A FORWARD -j LOG
    to the end of /etc/ufw/after.rules and /etc/ufw/after6.rules (Before COMMIT)

    Restarted and no warnings. Thanks for the help.
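
The fix from post #10 as a repeatable script, added here as an example that is not part of the original thread: it checks an iptables-restore style file for unconditional INPUT and FORWARD LOG rules in the *filter table and inserts any that are missing directly before that table's COMMIT. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of ufw or psad.

# has_default_log FILE CHAIN: succeed if the *filter table of FILE holds an
# unconditional "-A CHAIN -j LOG" rule (LOG options such as a prefix allowed).
has_default_log() {
    awk -v chain="$2" '
        /^\*/ { in_filter = ($1 == "*filter") }
        in_filter && $1 == "-A" && $2 == chain && $3 == "-j" && $4 == "LOG" { found = 1 }
        END { exit !found }
    ' "$1"
}

# add_default_log FILE: insert the missing INPUT/FORWARD LOG rules directly
# before the COMMIT that closes *filter. Safe to run more than once.
add_default_log() {
    file=$1
    missing=""
    for chain in INPUT FORWARD; do
        has_default_log "$file" "$chain" || missing="$missing $chain"
    done
    if [ -n "$missing" ]; then
        tmp=$(mktemp) || return 1
        awk -v missing="$missing" '
            /^\*/ { in_filter = ($1 == "*filter") }
            in_filter && $1 == "COMMIT" {
                n = split(missing, c, " ")
                for (i = 1; i <= n; i++) print "-A " c[i] " -j LOG"
                in_filter = 0
            }
            { print }
        ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
        rm -f "$tmp"
    fi
    # Fails if FILE has no *filter table to receive the rules.
    has_default_log "$file" INPUT && has_default_log "$file" FORWARD
}

# Constructed sample in the layout of /etc/ufw/after.rules, with an extra
# *nat table to show that only the *filter COMMIT is touched.
make_sample() {
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' 'COMMIT' \
        '*filter' ':ufw-after-input - [0:0]' \
        '-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input' \
        'COMMIT' > "$1"
}

# Demo on a throwaway file; on a real host the targets would be
# /etc/ufw/after.rules and /etc/ufw/after6.rules, edited as root.
demo=$(mktemp) && make_sample "$demo" && add_default_log "$demo" && cat "$demo"; rm -f "$demo"
```

Because these rules carry no rate limit, unlike the UFW-generated LOG rules shown in post #3, log volume is worth watching after the change.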
