HOWTO: install syslog-ng on a WL700gE
2007-08-23 tiwag
prerequisites:
install kfurge's modified firmware WL700gE_1.0.4.6_kc_02a
http://home.comcast.net/~kfurge/wl700g.html
installation:
1. install syslog-ng from http://ipkg.nslu2-linux.org/feeds/op...table/Packages
this installs syslog-ng version 2.0.4-2 (at the time of writing)
Code:root$ ipkg update
root$ ipkg install syslog-ng
there will be an error message when running the postinstall script
2. edit the postinstall-script
so that the ipkg installation can be run and terminated successfully
here is a copy of mine:
Code:#!/bin/sh
###############################################################################
# /opt/lib/ipkg/info/syslog-ng.postinst
# 2007-08-23 tiwag
#
# modified ipkg postinstall script for syslog-ng used on WL700g
# (only prints usage hints, so the ipkg run can finish without an error)
#
echo
echo "How to use syslog-ng on a WL700gE"
echo "1. kill syslogd before you start syslog-ng."
echo "   $ killall syslogd"
echo "2. Edit the file /opt/etc/init.d/S01syslog-ng."
echo "   add the path to the configuration file"
echo "   /opt/sbin/syslog-ng -f /opt/etc/syslog-ng/syslog-ng.conf"
echo "3. run /opt/etc/init.d/S01syslog-ng."
echo
echo "Log files will be created by default at /opt/var/log."
echo
3. finish the ipkg installation
Code:root$ ipkg install syslog-ng
finishes installation without an error message
4. edit the startup-script
by default syslog-ng_2.0.4-2 expects its config-file
in /opt/etc/syslog-ng.conf (bug?), but the ipkg installer
installs it in /opt/etc/syslog-ng/syslog-ng.conf.
run syslog-ng with proper path to the config-file
example of my startup script:
Code:#!/bin/sh
###############################################################################
# /opt/etc/init.d/S01syslog-ng
# 2007-08-23 tiwag
#
# Startup script for syslog-ng used on WL700g
#

# Stop syslogd if running
if [ -n "`pidof syslogd`" ]; then
    /bin/killall syslogd 2>/dev/null
    sleep 2
fi

# Stop itself if running
if [ -n "`pidof syslog-ng`" ]; then
    /bin/killall syslog-ng 2>/dev/null
    sleep 2
fi

# start syslog-ng with path to syslog-ng.conf file
/opt/sbin/syslog-ng -f /opt/etc/syslog-ng/syslog-ng.conf
sleep 2
5. run the startup-script and test syslog-ng,
the syslog can be viewed e.g. with
Code:root$ cat /opt/var/log/syslog
if everything works as you expected, add the startup script
for syslog-ng to your rc.local file and reboot your brick
HTH, brgds,
--
tiwag
ps.
now i'm going to install fail2ban ... wish me luck !
Last edited by tiwag; 23-08-2007 at 10:50.
it's nice that it works well for you,
started another thread where the fail2ban infos can go
http://wl500g.info/showthread.php?t=10400
brgds
--
tiwag
Last edited by tiwag; 23-08-2007 at 18:15. Reason: updated info on fail2ban thread
Hey, thanks so much for the how-to! I have syslog-ng running nicely, however I can no longer see the logs in the web interface. I'm assuming it's just because the logs are now being put someplace different? Is there a way to fix this? Where is it expecting to see the log files, and will I break things if I move it there?
Thanks!
Ok, so as an alternative to viewing the logs in the web interface I've been trying to set up a way to email alerts and daily syslogs. I can see where to set up at least the alerts w/in syslog-ng but I have no idea how to make the mail part happen. I understand I'll need to connect out to a remote SMTP server (my ISP has one and I know the hostname and authentication pieces), but I'm not sure how to go about making that work. I've installed sendmail and played around with it a bit, but really am too green to figure out how to use it to connect out to a remote SMTP server. Can someone point me in the right direction? I'll be happy to write a HOW-TO once I can get this all figured out.
Thanks!
i've successfully installed and use the package esmtp
it is not an email (or SMTP) server but an SMTP relay client.
with esmtp you can send mails using your already existing email account with any provider which allows SMTP
you can install it with "ipkg install esmtp"
then you need to edit the file /opt/etc/esmtprc with your account infos
# /opt/etc/esmtprc
#
identity = username@email.org
hostname = smtphost.email.org:25
username = "username"
password = "password"
after that you can use it like sendmail
example: sending a mail to user@mail.com, note the two "\n\n" before the Message text !!
echo -e "From: me\nTo: user@mail.com\nSubject: test\n\nMessage: hello world" | sendmail user@mail.com
Last edited by tiwag; 23-09-2007 at 07:55.
tiwag
So, I'm now able to get syslog-ng sending email alerts when certain simple things happen (like authentication), but I'm not sure how to get it to detect 'attacks'. Any idea how I would do that? By the way, the perl script that I call from syslog-ng.conf is here (I modified someone elses to work with esmtp):
Code:#!/opt/bin/perl -n
# thanks to Brian Dowling for an example with security in mind.
# called from syslog-ng.conf; -n runs the body once per log line read on stdin
$TO   = 'user@mail.com';
$FROM = 'user@smtphost.net';

# strip the leading syslog priority tag, e.g. "<38>"
s/^<\d{1,2}>//;

# sendmail -t takes the recipients from the headers;
# the blank line after "Subject:" separates headers from body
open(MAIL, "|/opt/sbin/sendmail -t") or die "cannot run sendmail: $!";
print MAIL <<"EOT";
From: $FROM
To: $TO
Subject: Email Alert:

Message: $_
EOT
close(MAIL);
yes i did install syslog-ng and fail2ban in order to be able to detect attacks
and banning attacking ip-addresses.
for me this works with dropbear and vsftpd
i'm using this configuration:
syslog-ng config file:
Code:################################################################################
# Syslog-ng configuration for WL700g
# /opt/etc/syslog-ng/syslog-ng.conf
#
###############################################################################
# tiwag's active filters and logs
#
options { long_hostnames(off); sync(0); };

#source src { pipe("/proc/kmsg"); unix-stream("/dev/log"); internal(); };
source src { file("/proc/kmsg"); unix-stream("/dev/log"); internal(); };
# udp() listens on port 514 by default; no log statement below uses this source
source net { udp(); };

# templated destinations: {date time}{PRI:level}{FAC:facility}{PRG:program}{{{ message }}}
destination mysyslog {
    file("/opt/var/log/syslog-ng.log" owner("root") group("root") perm(0640)
         template("{$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC}{PRI:$PRIORITY}{FAC:$FACILITY}{PRG:$PROGRAM}{{{ $MESSAGE }}}\n") );
};
destination authwarnlog {
    file("/opt/var/log/authwarn.log" owner("root") group("root") perm(0640)
         template("{$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC}{PRI:$PRIORITY}{FAC:$FACILITY}{PRG:$PROGRAM}{{{ $MESSAGE }}}\n") );
};
destination vsftpdlog   { file("/opt/var/log/vsftpd.log"); };
destination dropbearlog { file("/opt/var/log/dropbear.log"); };
destination cronlog     { file("/opt/var/log/cron.log"); };

filter f_ni_syslog-ng { not ( level(info) and program(syslog-ng) ); };
filter f_ni_thttpd    { not ( level(info) and program(thttpd) ); };
filter f_ni_vsftpd    { not ( level(info) and program(vsftpd) ); };
filter f_vsftpd       { ( program(vsftpd) ); };
filter f_dropbear     { ( program(dropbear) ); };
# everything fail2ban needs to see: dropbear info/warning and vsftpd warning
filter f_authwarn     { ( ( ( level(info) or level(warning) ) and program(dropbear) )
                       or ( ( level(warning) ) and program(vsftpd) ) ); };
filter f_ni_cron      { not ( level(info) and facility(cron) ); };
filter f_cron         { program(cron); };

###############################################################################
# active logs
#
log { source(src); filter(f_ni_vsftpd); filter(f_ni_thttpd); filter(f_ni_syslog-ng);
      # filter(f_ni_cron);
      destination(mysyslog); };
log { source(src); filter(f_vsftpd);   destination(vsftpdlog); };
log { source(src); filter(f_dropbear); destination(dropbearlog); };
log { source(src); filter(f_authwarn); destination(authwarnlog); };
log { source(src); filter(f_cron);     destination(cronlog); };

fail2ban config and filter files
Code:###############################################################################
# Fail2Ban configuration file
# /opt/etc/fail2ban/jail.conf
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
#bantime = 1800

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 300

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto

###############################################################################
# enabled jails
#

[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
#          sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath  = /opt/var/log/authwarn.log
maxretry = 3
bantime  = 1800

[dropbear-iptables]
enabled  = true
filter   = dropbear
action   = iptables[name=DROPBEAR, port=ssh, protocol=tcp]
#          sendmail-whois[name=DROPBEAR, dest=you@mail.com]
logpath  = /opt/var/log/authwarn.log
maxretry = 3
bantime  = 1800

Code:# Fail2Ban configuration file
# /opt/etc/fail2ban/filter.d/vsftpd.conf
#
[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = {.*}{PRI:warning}{FAC:ftp}{PRG:vsftpd}{{{ vsftpd: .* FAIL LOGIN: Client \\"<HOST>\\" }}}$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Code:# Fail2Ban configuration file
# /opt/etc/fail2ban/filter.d/dropbear.conf
#
[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = {.*}{PRI:warning}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: login attempt .* from <HOST>:.* }}}$
            {.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth \(user .* fails\): Disconnect received from IP <HOST>:.* }}}$
            {.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth: Timeout before auth from IP <HOST>:.* }}}$
            {.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth: Disconnect received from IP <HOST>:.* }}}$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

with this config i can detect attacks and ban the attacking ip-addresses very fine.
but it was also necessary to patch dropbear in order to print the IP-addresses for any attack-attempts, where a known username was used.
see the attached files for the dropbear patch
brgds
tiwag
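The detection path in the post above (syslog-ng writes lines in the {date}{PRI}{FAC}{PRG}{{{ message }}} template, fail2ban matches them with failregex and bans a host on the maxretry-th hit inside findtime seconds) can be exercised offline. The following is an added example, not code from the thread or from fail2ban itself: it parses the template, applies patterns adapted from the thread's filter.d files to the message field (the vsftpd pattern is written with a plain quote around <HOST>, not the `\\"` shown in the post), and replays a sliding findtime window. It assumes fail2ban 0.8 semantics for the `<HOST>` expansion and for the `fail2ban-<name>` iptables chain; the log lines are constructed for the example, not captured from a router.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One line per event, in the syslog-ng template used in the thread:
# {YYYY-MM-DD HH:MM:SS}{PRI:level}{FAC:facility}{PRG:program}{{{ message }}}
LINE_RE = re.compile(
    r"^\{(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\}"
    r"\{PRI:(?P<pri>[a-z]+)\}\{FAC:(?P<fac>[a-z0-9]+)\}\{PRG:(?P<prg>[^}]+)\}"
    r"\{\{\{ (?P<msg>.*) \}\}\}$"
)

# What fail2ban 0.8 substitutes for the <HOST> tag (assumption: 0.8 semantics).
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Failure patterns adapted from the thread's filter.d files. They are applied to
# the message field only, because the template prefix is parsed separately above.
# The vsftpd pattern uses a plain quote around <HOST>, not the thread's \\".
FAILREGEX = {
    "vsftpd": [
        re.compile(r'vsftpd: .* FAIL LOGIN: Client "' + HOST + r'"$'),
    ],
    "dropbear": [
        re.compile(r"dropbear\[\d+\]: login attempt .* from " + HOST + r":.*$"),
        re.compile(r"dropbear\[\d+\]: exit before auth \(user .* fails\): "
                   r"Disconnect received from IP " + HOST + r":.*$"),
        re.compile(r"dropbear\[\d+\]: exit before auth: Timeout before auth from IP " + HOST + r":.*$"),
        re.compile(r"dropbear\[\d+\]: exit before auth: Disconnect received from IP " + HOST + r":.*$"),
    ],
}

# Jail names from the thread's jail.conf; fail2ban 0.8's stock iptables action
# inserts bans into a chain called fail2ban-<name> (assumption: stock action.d).
JAIL_NAME = {"vsftpd": "VSFTPD", "dropbear": "DROPBEAR"}

# Constructed sample of /opt/var/log/authwarn.log (not real captured data).
# 203.0.113.7 fails three times within five seconds; 198.51.100.9 fails three
# times, but the first failure is 18 minutes before the other two.
SAMPLE_LOG = """\
{2007-10-03 10:50:40}{PRI:warning}{FAC:kern}{PRG:kernel}{{{ change ip from 90177054 to 90177054 }}}
{2007-10-03 11:00:01}{PRI:warning}{FAC:authpriv}{PRG:dropbear}{{{ dropbear[812]: login attempt for nonexistent user 'admin' from 203.0.113.7:41002 }}}
{2007-10-03 11:00:03}{PRI:warning}{FAC:authpriv}{PRG:dropbear}{{{ dropbear[813]: login attempt for nonexistent user 'admin' from 203.0.113.7:41003 }}}
{2007-10-03 11:00:05}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear[814]: exit before auth (user 'root', 3 fails): Disconnect received from IP 203.0.113.7:41004 }}}
{2007-10-03 11:02:00}{PRI:warning}{FAC:ftp}{PRG:vsftpd}{{{ vsftpd: Wed Oct  3 11:02:00 2007 [pid 900] [ftp] FAIL LOGIN: Client "198.51.100.9" }}}
{2007-10-03 11:20:00}{PRI:warning}{FAC:ftp}{PRG:vsftpd}{{{ vsftpd: Wed Oct  3 11:20:00 2007 [pid 901] [ftp] FAIL LOGIN: Client "198.51.100.9" }}}
{2007-10-03 11:21:00}{PRI:warning}{FAC:ftp}{PRG:vsftpd}{{{ vsftpd: Wed Oct  3 11:21:00 2007 [pid 902] [ftp] FAIL LOGIN: Client "198.51.100.9" }}}
{2007-10-03 11:21:30}{PRI:warning}{FAC:authpriv}{PRG:dropbear}{{{ dropbear[820]: login attempt for nonexistent user 'test' from 127.0.0.1:50000 }}}
"""


def parse_line(line):
    """Split one templated line into its fields; None if it is not in the template."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S")
    return entry


def match_failure(entry):
    """Return the offending host if the message matches a failregex of its program."""
    for rx in FAILREGEX.get(entry["prg"], ()):
        m = rx.search(entry["msg"])
        if m:
            return m.group("host")
    return None


def find_bans(lines, findtime=300, maxretry=3, ignoreip=("127.0.0.1",)):
    """Replay the jail logic: one counter per (program, host), a sliding window of
    findtime seconds, ban on the maxretry-th failure still inside the window."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)
    banned = set()
    bans = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        host = match_failure(entry)
        if host is None or host in ignoreip:
            continue
        key = (entry["prg"], host)
        if key in banned:
            continue
        hits = failures[key]
        hits.append(entry["ts"])
        while hits and entry["ts"] - hits[0] > window:
            hits.popleft()          # failures older than findtime no longer count
        if len(hits) >= maxretry:
            banned.add(key)
            bans.append((entry["prg"], host, entry["ts"]))
    return bans


def ban_command(prg, host):
    """The rule fail2ban 0.8's iptables action would run for this jail (assumption)."""
    return "iptables -I fail2ban-%s 1 -s %s -j DROP" % (JAIL_NAME[prg], host)


if __name__ == "__main__":
    for prg, host, ts in find_bans(SAMPLE_LOG.splitlines()):
        print("%s %s banned: %s" % (ts, prg, ban_command(prg, host)))
```

With the thread's values (findtime 300, maxretry 3) only the dropbear client is banned; the vsftpd client's first failure has already left the window when its third one arrives, which is the behaviour to keep in mind when a slow brute-forcer spaces attempts out. Raising findtime in the call (`find_bans(lines, findtime=3600)`) bans it as well.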
@tiwag or someone else:
is it possible to log with syslog-ng why the internet connection to the WAN is broken by the router? because when i turn the cable modem off/on it works again (and the problem isn't the modem!).
thanks in advance
grat182
i don't know if there is a log why your connection breaks down,
basically kernel messages are logged and look like this:
e.g. in my logs i have the ip-address-renewal logged, which seems to appear every 24 hours.
Code:{2007-10-03 10:50:40}{PRI:warning}{FAC:kern}{PRG:kernel}{{{ change ip from 90177054 to 90177054 }}}
i always get the same ip as before because i have a static ip.
brgds
tiwag
I'm just curious here but does this work with the wl500g premium?