PDA

Bekijk de volledige versie : HOWTO: install syslog-ng



tiwag
23-08-2007, 11:25
HOWTO: install syslog-ng on a WL700gE
2007-08-23 tiwag

preferences:
install kfurge's modified firmware WL700gE_1.0.4.6_kc_02a
http://home.comcast.net/~kfurge/wl700g.html

installation:
1. install syslog-ng from http://ipkg.nslu2-linux.org/feeds/optware/oleg/cross/stable/Packages

root$ ipkg update
root$ ipkg install syslog-ng
this installs syslog-ng version 2.0.4-2 (at the time of writing)

there will be an error message when running the postinstall script

2. edit the postinstall-script
so that the ipkg installation can be run and terminated successfully

here is a copy of mine:


#!/bin/sh
################################################## #############################
# /opt/lib/ipkg/info/syslog-ng.postinst
# 2007-08-23 tiwag
#
# modified ipkg postinstall script for syslog-ng used on WL700g
#

echo
echo "How to use syslog-ng on a WL700gE"
echo "1. kill syslogd before you start syslog-ng."
echo " $ killall syslogd"
echo "2. Edit the file /opt/etc/init.d/S01syslog-ng."
echo " add the path to the configuration file
echo " /opt/sbin/syslog-ng -f /opt/etc/syslog-ng/syslog-ng.conf
echo "3. run /opt/etc/init.d/S01syslog-ng."
echo
echo "Log files will be created by default at /opt/var/log."
echo



3. finish the ipkg installation

root$ ipkg install syslog-ng

finishes installation without an error message


4. edit the startup-script
by default syslog-ng_2.0.4-2 expects its config-file
in /opt/etc/syslog-ng.conf (bug?), but the ipkg installer
installs it in /opt/etc/syslog-ng/syslog-ng.conf.
run syslog-ng with proper path to the config-file

example of my startup script:



#!/bin/sh
################################################## #############################
# /opt/etc/init.d/S01syslog-ng
# 2007-08-23 tiwag
#
# Startup script for syslog-ng used on WL700g
#

# Stop syslogd if running
if [ -n "`pidof syslogd`" ]; then
/bin/killall syslogd 2>/dev/null
sleep 2
fi


# Stop itself if running
if [ -n "`pidof syslog-ng`" ]; then
/bin/killall syslog-ng 2>/dev/null
sleep 2
fi

# start syslog-ng with path to syslog-ng.conf file
/opt/sbin/syslog-ng -f /opt/etc/syslog-ng/syslog-ng.conf
sleep 2




5. run the startup-script and test syslog-ng,

the syslog can be viewed e.g. with

root$ cat /opt/var/log/syslog

if everything works as you expected, add the startup script
for syslog-ng to your rc.local file and reboot your brick


HTH, brgds,

--
tiwag



ps.
now i'm going to install fail2ban ... wish me luck !

medsource
23-08-2007, 17:59
ps.
now i'm going to install fail2ban ... wish me luck !

I have it running on my 700ge and it works great! Finally stopping the brute force attacks against vsftpd!

Hopefully it runs as well for you.

tiwag
23-08-2007, 18:39
I have it running on my 700ge and it works great! Finally stopping the brute force attacks against vsftpd!
...

its nice that it works well for you,

started another thread where the fail2ban infos can go
http://wl500g.info/showthread.php?t=10400

brgds

--

tiwag

Maccro
22-09-2007, 18:01
Hey, thanks so much for the how-to! I have syslog-ng running nicely, however I can no longer see the logs in the web interface. I'm assuming it's just because the logs are now being put someplace different? Is there a way to fix this? Where is it expecting to see the log files, and will I break things if I move it there?

Thanks!


HOWTO: install syslog-ng on a WL700gE
2007-08-23 tiwag

preferences:
install kfurge's modified firmware WL700gE_1.0.4.6_kc_02a
http://home.comcast.net/~kfurge/wl700g.html

installation:
1. install syslog-ng from http://ipkg.nslu2-linux.org/feeds/optware/oleg/cross/stable/Packages

root$ ipkg update
root$ ipkg install syslog-ng
this installs syslog-ng version 2.0.4-2 (at the time of writing)

there will be an error message when running the postinstall script

2. edit the postinstall-script
so that the ipkg installation can be run and terminated successfully

here is a copy of mine:


#!/bin/sh
################################################## #############################
# /opt/lib/ipkg/info/syslog-ng.postinst
# 2007-08-23 tiwag
#
# modified ipkg postinstall script for syslog-ng used on WL700g
#

echo
echo "How to use syslog-ng on a WL700gE"
echo "1. kill syslogd before you start syslog-ng."
echo " $ killall syslogd"
echo "2. Edit the file /opt/etc/init.d/S01syslog-ng."
echo " add the path to the configuration file
echo " /opt/sbin/syslog-ng -f /opt/etc/syslog-ng/syslog-ng.conf
echo "3. run /opt/etc/init.d/S01syslog-ng."
echo
echo "Log files will be created by default at /opt/var/log."
echo



3. finish the ipkg installation

root$ ipkg install syslog-ng

finishes installation without an error message


4. edit the startup-script
by default syslog-ng_2.0.4-2 expects its config-file
in /opt/etc/syslog-ng.conf (bug?), but the ipkg installer
installs it in /opt/etc/syslog-ng/syslog-ng.conf.
run syslog-ng with proper path to the config-file

example of my startup script:



#!/bin/sh
################################################## #############################
# /opt/etc/init.d/S01syslog-ng
# 2007-08-23 tiwag
#
# Startup script for syslog-ng used on WL700g
#

# Stop syslogd if running
if [ -n "`pidof syslogd`" ]; then
/bin/killall syslogd 2>/dev/null
sleep 2
fi


# Stop itself if running
if [ -n "`pidof syslog-ng`" ]; then
/bin/killall syslog-ng 2>/dev/null
sleep 2
fi

# start syslog-ng with path to syslog-ng.conf file
/opt/sbin/syslog-ng -f /opt/etc/syslog-ng/syslog-ng.conf
sleep 2




5. run the startup-script and test syslog-ng,

the syslog can be viewed e.g. with

root$ cat /opt/var/log/syslog

if everything works as you expected, add the startup script
for syslog-ng to your rc.local file and reboot your brick


HTH, brgds,

--
tiwag



ps.
now i'm going to install fail2ban ... wish me luck !

Maccro
23-09-2007, 04:36
Ok, so as an alternative to viewing the logs in the web interface I've been trying to set up a way to email alerts and daily syslogs. I can see where to set up at least the alerts w/in syslog-ng but I have no idea how to make the mail part happen. I understand I'll need to connect out to a remote SMTP server (my ISP has one and I know the hostname and authentication pieces), but I'm not sure how to go about making that work. I've installed sendmail and played around with it a bit, but really am too green to figure out how to use it to connect out to a remote SMTP server. Can someone point me in the right direction? I'll be happy to write a HOW-TO once I can get this all figured out.

Thanks!

tiwag
23-09-2007, 08:23
Ok, so as an alternative to viewing the logs in the web interface I've been trying to set up a way to email alerts and daily syslogs. I can see where to set up at least the alerts w/in syslog-ng but I have no idea how to make the mail part happen. I understand I'll need to connect out to a remote SMTP server (my ISP has one and I know the hostname and authentication pieces), but I'm not sure how to go about making that work. I've installed sendmail and played around with it a bit, but really am too green to figure out how to use it to connect out to a remote SMTP server. Can someone point me in the right direction? I'll be happy to write a HOW-TO once I can get this all figured out.

Thanks!

i've installed successfully and use the package esmtp
it is not an email (or smtp) server but it is a smtp relay client.
with esmtp you can send mails using your already existing email account with any provider which allows smtp

you can install it with "ipkg install esmtp"


then you need to edit the file /opt/etc/esmtprc with your account infos

# /opt/etc/esmtprc
#

identity = username@email.org
hostname = smtphost.email.org:25
username = "username"
password = "password"


after that you can use it like sendmail

example: sending a mail to user@mail.com, note the two "\n\n" before the Message text !!


echo -e "From: me\nTo: user@mail.com\nSubject: test\n\nMessage: hello world" | sendmail user@mail.com

Maccro
23-09-2007, 15:43
You rock tiwag! It works just dandy for me! I'm going to create filter(s) now and get syslog-ng sending me alerts. Any idea how I'd get it to send daily log digests?

Thanks!!


i've installed successfully and use the package esmtp
it is not an email (or smtp) server but it is a smtp relay client.
with esmtp you can send mails using your already existing email account with any provider which allows smtp

you can install it with "ipkg install esmtp"


then you need to edit the file /opt/etc/esmtprc with your account infos



after that you can use it like sendmail

example: sending a mail to user@mail.com, note the two "\n\n" before the Message text !!

Maccro
23-09-2007, 19:05
So, I'm now able to get syslog-ng sending email alerts when certain simple things happen (like authentication), but I'm not sure how to get it to detect 'attacks'. Any idea how I would do that? By the way, the perl script that I call from syslog-ng.conf is here (I modified someone elses to work with esmtp):



#!/opt/bin/perl -n
# thanks to Brian Dowling for an example with security in mind.

$TO = 'user@mail.com';
$FROM = 'user@smtphost.net';

s/^<\d{1,2}>//;

open(MAIL, "|/opt/sbin/sendmail -t");

print MAIL << "EOT";
From: $FROM
To: $TO
Subject: Email Alert:

Message: $_

EOT



i've installed successfully and use the package esmtp
it is not an email (or smtp) server but it is a smtp relay client.
with esmtp you can send mails using your already existing email account with any provider which allows smtp

you can install it with "ipkg install esmtp"


then you need to edit the file /opt/etc/esmtprc with your account infos



after that you can use it like sendmail

example: sending a mail to user@mail.com, note the two "\n\n" before the Message text !!

tiwag
23-09-2007, 19:43
... I'm not sure how to get it to detect 'attacks'. Any idea how I would do that? ...

yes i did install syslog-ng and fail2ban in order to be able to detect attacks
and banning attacking ip-addresses.

for me this works with dropbear and vsftpd


i'm using this configuration:

syslog-ng config file:

################################################## ##############################
# Syslog-ng configuration for WL700g
# /opt/etc/syslog-ng/syslog-ng.conf
#

################################################## #############################
# tiwag's active filters and logs
#

options { long_hostnames(off); sync(0); };

#source src { pipe("/proc/kmsg");unix-stream("/dev/log"); internal(); };
source src { file("/proc/kmsg");unix-stream("/dev/log"); internal(); };
source net { udp(); };

destination mysyslog {
file("/opt/var/log/syslog-ng.log"
owner("root")
group("root")
perm(0640)
template("{$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC}{PRI:$PRIORITY}{FAC:$FACILITY}{PRG :$PROGRAM}{{{ $MESSAGE }}}\n")
);
};

destination authwarnlog {
file("/opt/var/log/authwarn.log"
owner("root")
group("root")
perm(0640)
template("{$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC}{PRI:$PRIORITY}{FAC:$FACILITY}{PRG :$PROGRAM}{{{ $MESSAGE }}}\n")
);
};

destination vsftpdlog { file("/opt/var/log/vsftpd.log"); };
destination dropbearlog { file("/opt/var/log/dropbear.log"); };
destination cronlog { file("/opt/var/log/cron.log"); };


filter f_ni_syslog-ng { not ( level(info) and program(syslog-ng) ); };
filter f_ni_thttpd { not ( level(info) and program(thttpd) ); };
filter f_ni_vsftpd { not ( level(info) and program(vsftpd) ); };

filter f_vsftpd { ( program(vsftpd) ); };
filter f_dropbear { ( program(dropbear) ); };
filter f_authwarn { ( ( ( level(info) or level(warning)
) and program(dropbear)
)
or ( ( level(warning)
) and program(vsftpd)
)
); };

filter f_ni_cron { not ( level(info) and facility(cron) ); };
filter f_cron { program(cron); };

################################################## #############################
# active logs
#

log { source(src);
filter(f_ni_vsftpd);
filter(f_ni_thttpd);
filter(f_ni_syslog-ng);
# filter(f_ni_cron);
destination(mysyslog); };

log { source(src);
filter(f_vsftpd);
destination(vsftpdlog); };

log { source(src);
filter(f_dropbear);
destination(dropbearlog); };

log { source(src);
filter(f_authwarn);
destination(authwarnlog); };

log { source(src);
filter(f_cron);
destination(cronlog); };


fail2ban config and filter files


################################################## #############################
# Fail2Ban configuration file
# /opt/etc/fail2ban/jail.conf
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
#bantime = 1800


# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 300

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = auto


################################################## #############################
# enabled jails
#

[vsftpd-iptables]

enabled = true
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
# sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath = /opt/var/log/authwarn.log
maxretry = 3
bantime = 1800


[dropbear-iptables]

enabled = true
filter = dropbear
action = iptables[name=DROPBEAR, port=ssh, protocol=tcp]
# sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath = /opt/var/log/authwarn.log
maxretry = 3
bantime = 1800





# Fail2Ban configuration file
# /opt/etc/fail2ban/filter.d/vsftpd.conf
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = {.*}{PRI:warning}{FAC:ftp}{PRG:vsftpd}{{{ vsftpd: .* FAIL LOGIN: Client \\"<HOST>\\" }}}$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =



# Fail2Ban configuration file
# /opt/etc/fail2ban/filter.d/dropbear.conf
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = {.*}{PRI:warning}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: login attempt .* from <HOST>:.* }}}$
{.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth \(user .* fails\): Disconnect received from IP <HOST>:.* }}}$
{.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth: Timeout before auth from IP <HOST>:.* }}}$
{.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth: Disconnect received from IP <HOST>:.* }}}$

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =


with this config i can detect attacks and ban the attacking ip-addresses very fine. but it was also necessary to patch dropbear in order to print the IP-addresses for any attack-attemps, where a known username was used.

see the attached files for the dropbear patch

brgds

gratitude182
08-10-2007, 11:44
@tiwag or someone else:

is it possible to log with syslog-ng why the internet connection is broken by the router to wan? because when i turn off/on the cable modem it works again (and the problem isn't the modem!).

thanks in advice

grat182

tiwag
09-10-2007, 08:43
i don't know if there is a log why your connection breaks down,

basically kernel messages are logged and look like this:

{2007-10-03 10:50:40}{PRI:warning}{FAC:kern}{PRG:kernel}{{{ change ip from 90177054 to 90177054 }}}


e.g. in my log's i have the ip-address-renewal logged, which seems to appear every 24 hours.
i always get the same ip as before because i have a static ip.

brgds

shinji257
08-06-2008, 01:31
I'm just curious here but does this work with the wl500g premium?