Linux Firewalls - Michael Rash [56]

whether the policy has a log-and-drop stance. Even if the check fails, psad may still be able to function; its effectiveness is proportional to the types of packets logged by iptables. Indeed, some protocols, such as SMB (used by Windows), are too chatty to log, so packets associated with them are commonly accepted or dropped before they can hit a LOG rule. If you are running a complex iptables policy that fwcheck_psad is unable to parse correctly, you can disable the check by setting the ENABLE_FW_LOGGING_CHECK variable to N in /etc/psad/psad.conf.

syslog Configuration

With a good understanding of the requirements imposed by psad on the iptables policy configuration, we'll now turn to the mechanism psad uses to acquire iptables log messages. When a packet is matched by a LOG rule within iptables, the kernel reports this fact via klogd, the kernel logging daemon. The resulting kernel log message is then normally passed on to syslog for eventual reporting to a file, to a named pipe, or even to an entirely separate system via the Berkeley sockets interface. This all depends on the set of features offered by the syslog daemon and how its configuration is set up.

The syslogd and syslog-ng daemons are compatible with psad, and psad also has some limited support for metalog. Both syslogd and syslog-ng can write log messages to named pipes; psad takes advantage of this by configuring all kern.info log messages to be written to the /var/lib/psad/psadfifo named pipe, where they are then picked up by kmsgsd. When kmsgsd receives a syslog message via the psadfifo, it checks to see if the message contains two substrings (IN= and OUT=) to ensure that the syslog message is generated by iptables. If the message passes this test, kmsgsd appends it to the file /var/log/psad/fwdata so that it will be seen by psad. After all, many kern.info syslog messages could be generated by portions of the kernel that have nothing to do with iptables; kmsgsd ensures that only iptables messages are subsequently analyzed by psad.

Note

The IN= and OUT= strings denote the input and output interfaces associated with a packet that has been logged via the iptables LOG target. These strings are always included in iptables log messages.
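The kmsgsd substring test described above, as an added example in Python (not psad's own Perl code): it applies the IN= and OUT= check to a few constructed kern.info lines, rejects unrelated kernel messages, and parses the surviving iptables records into their key=value fields and log prefix.

```python
import re
from typing import Dict, List

# Constructed sample kern.info lines. Lines 1 and 3 follow the format the
# iptables LOG target produces; the others are unrelated kernel messages.
SAMPLE_SYSLOG = [
    "Mar 12 10:15:01 fw kernel: DROP IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 "
    "ID=12345 DF PROTO=TCP SPT=45000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar 12 10:15:02 fw kernel: usb 1-1: new high-speed USB device "
    "number 3 using ehci_hcd",
    "Mar 12 10:15:03 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 "
    "DST=203.0.113.5 LEN=28 TOS=0x00 PREC=0x00 TTL=51 ID=0 PROTO=UDP "
    "SPT=53 DPT=161 LEN=8",
    # Constructed distractor: contains IN= but no OUT=, so it must be rejected.
    "Mar 12 10:15:04 fw kernel: e1000e eth0: NIC Link IN=Up 1000 Mbps",
]

# A LOG-target message always carries both interface markers; an OUT= with an
# empty value (packet in the INPUT chain) still satisfies the substring test.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
PREFIX_RE = re.compile(r"kernel:\s*(.*?)\s*IN=")


def is_iptables_log(line: str) -> bool:
    """The kmsgsd test: keep the line only if both IN= and OUT= are present."""
    return "IN=" in line and "OUT=" in line


def parse_iptables_log(line: str) -> Dict[str, str]:
    """Split an iptables log line into its KEY=value fields plus the
    --log-prefix text (stored under PREFIX). Bare flags such as DF or SYN
    carry no '=' and are ignored; a repeated key (LEN for IP and UDP) keeps
    the last value seen."""
    fields = dict(KV_RE.findall(line))
    prefix = PREFIX_RE.search(line)
    fields["PREFIX"] = prefix.group(1) if prefix else ""
    return fields


def filter_for_psad(lines: List[str]) -> List[Dict[str, str]]:
    """Emulate kmsgsd: pass only iptables messages on, parsed for analysis."""
    return [parse_iptables_log(line) for line in lines if is_iptables_log(line)]


if __name__ == "__main__":
    for rec in filter_for_psad(SAMPLE_SYSLOG):
        print(rec["PREFIX"], rec["PROTO"], rec["SRC"], "->", rec["DST"], "dpt", rec["DPT"])
```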

syslogd

If psad is running on a system with syslogd installed, the following line is appended to the /etc/syslog.conf configuration file at install time; it configures syslogd to write kern.info messages to /var/lib/psad/psadfifo:

kern.info |/var/lib/psad/psadfifo

syslog-ng

If, on the other hand, syslog-ng is the syslog daemon of choice on the local system, then the following lines are appended to the /etc/syslog-ng/syslog-ng.conf configuration file at install time. (A check is performed to ensure that the logging source psadsrc is defined earlier in the syslog-ng.conf file and that it points to /proc/kmsg.)

source psadsrc { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
filter f_psad { facility(kern) and match("IN=") and match("OUT="); };
destination psadpipe { pipe("/var/lib/psad/psadfifo"); };
log { source(psadsrc); filter(f_psad); destination(psadpipe); };

whois Client

An excellent whois client, written by Marco d'Itri, is bundled with the psad sources. This client almost always queries the correct netblock for a given IP address, and psad leverages the client to query IP address ownership information and include it within email alerts (unless the --no-whois command-line switch is given). Having such information simplifies the process of identifying the administrator of the network from which a scan or other attack is detected. For example, the IP address 219.146.161.10 has been a consistent scanner of one of my systems. Using the whois client that comes with psad (which is installed at /usr/bin/whois_psad, so as not to overwrite any existing whois client on the system), we get the following:

$ /usr/bin/whois_psad 219.146.161.10
% [whois.apnic.net node-2]
% whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 219.146.0.0 - 219.147.31.255
netname: CHINATELECOM-sd
