I intended to monitor connections on INPUT and OUTPUT using:

dpkg -l | grep ulogd2
ii  ulogd2  2.0.5-3  amd64  Netfilter Userspace Logging Daemon

- iptables, rules with a prefix:
#!/bin/sh
conntrack -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m limit --limit 2/min -j NFLOG --nflog-prefix "DROP INPUT: " --nflog-group 1
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -m limit --limit 2/min -j NFLOG --nflog-prefix "DROP INVALID IN: "
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j NFLOG --nflog-prefix "DROP INVALID FWD: "
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate INVALID -m limit --limit 2/min -j NFLOG --nflog-prefix "DROP INVALID OUT: "
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
Both services, i.e. ulogd2 and the firewall, are running:
systemctl status ulogd2.service
● ulogd2.service - Netfilter Userspace Logging Daemon
   Loaded: loaded (/lib/systemd/system/ulogd2.service; enabled; vendor preset: e
   Active: active (running) since Sat 2017-05-13 13:33:23 IST; 37min ago
 Main PID: 28761 (ulogd)
    Tasks: 1 (limit: 4915)
   Memory: 828.0K
      CPU: 6ms
   CGroup: /system.slice/ulogd2.service
           └─28761 /usr/sbin/ulogd --daemon --uid ulog --pidfile /run/ulog/ulogd

systemctl status firewall.service
● firewall.service - Iptables firewall
   Loaded: loaded (/etc/systemd/system/firewall.service; enabled; vendor preset:
   Active: active (exited) since Sat 2017-05-13 12:17:07 IST; 1h 53min ago
 Main PID: 339 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   Memory: 0B
      CPU: 0
   CGroup: /system.slice/firewall.service
PROBLEM: no logging to the file at all.
I am almost certain that the cause is a bad configuration of the ulogd.config file.
Right now it looks like this:
# Example configuration for ulogd
# Adapted to Debian by Achilleas Kotsis <>
[global]
######################################################################
# GLOBAL OPTIONS
######################################################################
# logfile for status messages
logfile="/var/log/ulogd.log"
# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8) (default 5)
# loglevel=1
######################################################################
# PLUGIN OPTIONS
######################################################################
# We have to configure and load all the plugins we want to use
# general rules:
# 1. load the plugins _first_ from the global section
# 2. options for each plugin in separate section below
plugin="@pkglibdir@/"
#plugin="@pkglibdir@/"
#plugin="@pkglibdir@/"
plugin="@pkglibdir@/"
plugin="@pkglibdir@/"
plugin="@pkglibdir@/"
plugin="@pkglibdir@/"
#plugin="@pkglibdir@/"
plugin="@pkglibdir@/"
plugin="@pkglibdir@/"
plugin="@pkglibdir@/"
#plugin="@pkglibdir@/"
plugin="@pkglibdir@/"
plugin="@pkglibdir@/"
plugin="@pkglibdir@/"
#plugin="@pkglibdir@/"
plugin="@pkglibdir@/"
#plugin="@pkglibdir@/"
#plugin="@pkglibdir@/"
#plugin="@pkglibdir@/"
#plugin="@pkglibdir@/"
#plugin="@pkglibdir@/"
plugin="@pkglibdir@/"
plugin="@pkglibdir@/"
plugin="@pkglibdir@/"
#plugin="@pkglibdir@/"
# this is a stack for logging packet send by system via LOGEMU
#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
# this is a stack for packet-based logging via LOGEMU
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
# this is a stack for ULOG packet-based logging via LOGEMU
#stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
# this is a stack for packet-based logging via LOGEMU with filtering on MARK
#stack=log2:NFLOG,mark1:MARK,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
# this is a stack for packet-based logging via GPRINT
#stack=log1:NFLOG,gp1:GPRINT
# this is a stack for flow-based logging via LOGEMU
#stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
# this is a stack for flow-based logging via GPRINT
#stack=ct1:NFCT,gp1:GPRINT
# this is a stack for flow-based logging via XML
#stack=ct1:NFCT,xml1:XML
# this is a stack for logging in XML
#stack=log1:NFLOG,xml1:XML
# this is a stack for accounting-based logging via XML
#stack=acct1:NFACCT,xml1:XML
# this is a stack for accounting-based logging to a Graphite server
#stack=acct1:NFACCT,graphite1:GRAPHITE
# this is a stack for NFLOG packet-based logging to PCAP
#stack=log2:NFLOG,base1:BASE,pcap1:PCAP
# this is a stack for logging packet to MySQL
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,mysql1:MYSQL
# this is a stack for logging packet to PGsql after a collect via NFLOG
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,pgsql1:PGSQL
# this is a stack for logging packet to JSON formatted file after a collect via NFLOG
#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON
# this is a stack for logging packets to syslog after a collect via NFLOG
#stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
# this is a stack for logging packets to syslog after a collect via NuFW
#stack=nuauth1:UNIXSOCK,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
# this is a stack for flow-based logging to MySQL
#stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL
# this is a stack for flow-based logging to PGSQL
#stack=ct1:NFCT,ip2str1:IP2STR,pgsql2:PGSQL
# this is a stack for flow-based logging to PGSQL without local hash
#stack=ct1:NFCT,ip2str1:IP2STR,pgsql3:PGSQL
# this is a stack for flow-based logging to SQLITE3
#stack=ct1:NFCT,sqlite3_ct:SQLITE3
# this is a stack for logging packet to SQLITE3
#stack=log1:NFLOG,sqlite3_pkt:SQLITE3
# this is a stack for flow-based logging in NACCT compatible format
#stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT
# this is a stack for accounting-based logging via GPRINT
#stack=acct1:NFACCT,gp1:GPRINT

[ct1]
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#netlink_resync_timeout=60 # seconds to wait to perform resynchronization
#pollinterval=10 # use poll-based logging instead of event-driven
# If pollinterval is not set, NFCT plugin will work in event mode
# In this case, you can use the following filters on events:
#accept_src_filter=,1:2::/64 # source ip of connection must belong to these networks
#accept_dst_filter= # destination ip of connection must belong to these networks
#accept_proto_filter=tcp,sctp # layer 4 proto of connections

[ct2]
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#reliable=1 # enable reliable flow-based logging (may drop packets)
hash_enable=0

# Logging of system packet through NFLOG
[log1]
# netlink multicast group (the same as the iptables --nflog-group param)
# Group O is used by the kernel to log connection tracking invalid message
group=0
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
# set number of packet to queue inside kernel
#netlink_qthreshold=1
# set the delay before flushing packet in the queue inside kernel (in 10ms)
#netlink_qtimeout=100

# packet logging through NFLOG for group 1
[log2]
# netlink multicast group (the same as the iptables --nflog-group param)
group=1 # Group has to be different from the one use in log1
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
# If your kernel is older than 2.6.29 and if a NFLOG input plugin with
# group 0 is not used by any stack, you need to have at least one NFLOG
# input plugin with bind set to 1. If you don't do that you may not
# receive any message from the kernel.
#bind=1

# packet logging through NFLOG for group 2, numeric_label is
# set to 1
[log3]
# netlink multicast group (the same as the iptables --nflog-group param)
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1 # you can label the log info based on the packet verdict
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#bind=1

[ulog1]
# netlink multicast group (the same as the iptables --ulog-nlgroup param)
nlgroup=1
#numeric_label=0 # optional argument

[nuauth1]
socket_path="/tmp/nuauth_ulogd2.sock"

[emu1]
file="/var/log/ulogd_syslogemu.log"
sync=1

[op1]
file="/var/log/ulogd_oprint.log"
sync=1

[gp1]
file="/var/log/ulogd_gprint.log"
sync=1
timestamp=1

[xml1]
directory="/var/log/"
sync=1

[json1]
sync=1
#file="/var/log/ulogd.json"
#timestamp=0
# device name to be used in JSON message
#device="My awesome Netfilter firewall"
# If boolean_label is set to 1 then the numeric_label put on packet
# by the input plugin is coding the action on packet: if 0, then
# packet has been blocked and if non null it has been accepted.
#boolean_label=1

[pcap1]
#default file is /var/log/ulogd.pcap
#file="/var/log/ulogd.pcap"
sync=1

[mysql1]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
pass="changeme"
procedure="INSERT_PACKET_FULL"
# backlog configuration:
# set backlog_memcap to the size of memory that will be
# allocated to store events in memory if data is temporary down
# and insert them when the database came back.
#backlog_memcap=1000000
# number of events to insert at once when backlog is not empty
#backlog_oneshot_requests=10

[mysql2]
db="nulog"
host="localhost"
user="nupik"
table="conntrack"
pass="changeme"
procedure="INSERT_CT"

[pgsql1]
db="nulog"
host="localhost"
user="nupik"
table="ulog"
#schema="public"
pass="changeme"
procedure="INSERT_PACKET_FULL"
# connstring can be used to define PostgreSQL connection string which
# contains all parameters of the connection. If set, this value has
# precedence on other variables used to build the connection string.
# See
# for a complete description of options.
#connstring="host=localhost port=4321 dbname=nulog user=nupik password=changeme"
#backlog_memcap=1000000
#backlog_oneshot_requests=10
# If superior to 1 a thread dedicated to SQL request execution
# is created. The value stores the number of SQL request to keep
# in the ring buffer
#ring_buffer_size=1000

[pgsql2]
db="nulog"
host="localhost"
user="nupik"
table="ulog2_ct"
#schema="public"
pass="changeme"
procedure="INSERT_CT"

[pgsql3]
db="nulog"
host="localhost"
user="nupik"
table="ulog2_ct"
#schema="public"
pass="changeme"
procedure="INSERT_OR_REPLACE_CT"

[pgsql4]
db="nulog"
host="localhost"
user="nupik"
table="nfacct"
#schema="public"
pass="changeme"
procedure="INSERT_NFACCT"

[dbi1]
db="ulog2"
dbtype="pgsql"
host="localhost"
user="ulog2"
table="ulog"
pass="ulog2"
procedure="INSERT_PACKET_FULL"

[sqlite3_ct]
table="ulog_ct"
db="/var/log/ulogd.sqlite3db"
buffer=200

[sqlite3_pkt]
table="ulog_pkt"
db="/var/log/ulogd.sqlite3db"
buffer=200

[sys2]
facility=LOG_LOCAL2

[nacct1]
sync = 1
#file = /var/log/ulogd_nacct.log

[mark1]
mark = 1

[acct1]
pollinterval = 2
# If set to 0, we don't reset the counters for each polling (default is 1).
#zerocounter = 0
# Set timestamp (default is 0, which means not set). This timestamp can be
# interpreted by the output plugin.
#timestamp = 1

[graphite1]
host=""
port="2003"
# Prefix of data name sent to graphite server
prefix="netfilter.nfacct"
ulogd -d
The most important one is the NFLOG plugin; how do I get it running?
I uncommented every possible combination, and nothing.
How do I configure the ulogd.conf file so that the plugin above, and with it connection logging, work correctly?
Does anyone have a working config?
The best cheat sheets on the Internet, which helped little:
- … ebian-jessie/
- … ables-logging
- … t-with-ulogd/
- … 23304066.html
PS. If someone on this forum used ulogd2 and had their ulogd.config file with the NFLOG plugin enabled and working, that alone would solve my problem.
Last edited by Novi-cjusz (2017-05-14 20:32:32)
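The post's rules log to NFLOG group 1 (explicitly) and to group 0 (the default when --nflog-group is omitted), while every stack= line in the posted ulogd.conf is still commented out, so no stack ever reads those groups. As an added example (not from the original post or the ulogd project), a POSIX sh check that pairs the --nflog-group values in a rules file against the group= of the NFLOG input instances that an uncommented stack= line actually uses; it assumes the ulogd.conf layout shown in the post and runs on constructed sample rules and configs.

```shell
#!/bin/sh
# Added example (not from the post): cross-checks iptables NFLOG rules against ulogd.conf.
# Assumes the ulogd.conf layout shown in the post: [logN] sections with group=N and
# stack=logN:NFLOG,... lines; a stack line starting with '#' is inactive.

# Print each NFLOG group the rules use (no --nflog-group means the kernel default, 0).
groups_from_rules() {
    awk '/-j NFLOG/ { g = 0
        for (i = 1; i <= NF; i++) if ($i == "--nflog-group") g = $(i + 1)
        print g }' "$1" | sort -un
}

# Print the group= of every NFLOG input instance named in an uncommented stack= line.
active_groups_from_conf() {
    awk '/^[ \t]*stack=/ { n = split(substr($0, index($0, "=") + 1), parts, ",")
            for (i = 1; i <= n; i++) { split(parts[i], p, ":"); if (p[2] == "NFLOG") used[p[1]] = 1 } }
         /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec) }
         /^[ \t]*group=/ { split($0, kv, "="); grp[sec] = kv[2] + 0 }
         END { for (s in used) if (s in grp) print grp[s] }' "$1" | sort -un
}

# Exit 0 when every group the rules log to is read by an active stack, 1 otherwise.
check_nflog_groups() {
    missing=0
    for g in $(groups_from_rules "$1"); do
        active_groups_from_conf "$2" | grep -qx "$g" && continue
        echo "nflog group $g is used by iptables but no active ulogd stack reads it"
        missing=1
    done
    return $missing
}

# Constructed sample input mirroring the post (temp files, removed on exit).
RULES=$(mktemp); CONF_BROKEN=$(mktemp); CONF_FIXED=$(mktemp)
trap 'rm -f "$RULES" "$CONF_BROKEN" "$CONF_FIXED"' EXIT
printf '%s\n' 'iptables -A INPUT -m limit --limit 2/min -j NFLOG --nflog-prefix "DROP INPUT: " --nflog-group 1' \
  'iptables -A INPUT -m conntrack --ctstate INVALID -j NFLOG --nflog-prefix "DROP INVALID IN: "' > "$RULES"
# As posted: the only stack line is commented out, so neither group is ever read.
printf '%s\n' '#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU' \
  '[log1]' 'group=0' '[log2]' 'group=1' > "$CONF_BROKEN"
# Fixed: one uncommented stack per NFLOG input plugin, groups matching the rules.
printf '%s\n' 'stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU' \
  'stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU' \
  '[log1]' 'group=0' '[log2]' 'group=1' > "$CONF_FIXED"
check_nflog_groups "$RULES" "$CONF_BROKEN" || echo "=> posted config: nothing reaches the log"
check_nflog_groups "$RULES" "$CONF_FIXED" && echo "=> fixed config: every NFLOG group has an active stack"
```

Run it against the real files with `check_nflog_groups /path/to/firewall.sh /etc/ulogd.conf`; the stack lines still need the matching plugin= entries loaded in [global] before them, which the checker does not verify.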