Firewall Logs

From Atomicorp Wiki
Latest revision as of 17:37, 21 September 2015


Log format

The ASL firewall will log a lot of information about a firewall event. A typical log entry may look like this:

Mar 24 14:11:11 host kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=00:50:56:bd:76:78:00:a0:c8:26:33:94:08:00 SRC=1.2.3.4 DST=5.6.7.8 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=12197 CE DF MF PROTO=TCP SPT=3619 DPT=110 SEQ=1917628740 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)


Example Element | Explanation
Mar 24 14:11:11 | Date/Time Stamp
host | The Hostname of the system where this occurred (your server)
kernel: | Application Name (firewall rules are always kernel:)
DROP_ASL_INPUT | Firewall Rule Name
IN=eth0 | Incoming Interface (This is only populated when the packet is coming into the server)
OUT= | Outgoing Interface (This is only populated when the packet is going out of the server)
MAC=00:50:56:bd:76:78:00:a0:c8:26:33:94:08:00 | The MAC Address of the last-hop upstream hardware that sent the packet (usually this will be your upstream router)
SRC=1.2.3.4 | Source IP (The IP address of the system that sent this packet)
DST=5.6.7.8 | Destination IP (The IP address the source system requested this packet be sent to)
LEN=48 | Total length of the IP packet in bytes
TOS=0x00 | Type Of Service field. This is rarely used, and is replaced on most systems by DS and ECN.
PREC=0x00 | The "Precedence" Type of Service field. This is rarely used, and is replaced on most systems by DS and ECN.
TTL=115 | Remaining "Time To Live" for this packet in "hops"
ID=12197 | Unique ID for this IP datagram. If this is a fragment, all fragments share the same ID.
CE | ECN Flag, Congestion Experienced (optional)
DF | Don't Fragment Flag (optional)
MF | More Fragments to follow (optional)
PROTO=TCP | Protocol (For example, TCP or UDP)
SPT=3619 | Source Port (The port the packet came from)
DPT=110 | Destination Port (The port the source IP requested the packet go to)
SEQ=1917628740 | TCP Sequence number
ACK=0 | TCP Acknowledgement number (the sequence number acknowledged for the other end of the TCP connection). Normally only seen on the reply packet.
WINDOW=65535 | The TCP Receive Window size.
RES=0x00 | Reserved bits. This field is used, optionally, for things like ECN-Echo and CWR.
SYN URGP=0 | Packet Flags that are set (here SYN), followed by the TCP Urgent Pointer value (URGP).
OPT (020405B401010402) | TCP Options (optional)

Auditing rules

These rules do not block anything; they only log allowed traffic or special events.

Whitelists

ASL_WHITELIST

This logs when an IP on the firewall whitelist has been allowed to connect to the system. It does not block or shun anything.

ASL only produces these log messages when the following options are enabled:

https://www.atomicorp.com/wiki/index.php/ASL_firewall#FW_WHITELIST

and

https://www.atomicorp.com/wiki/index.php/ASL_firewall#FW_WHITELIST_LOG

Note: FW_WHITELIST is not enabled by default. This can only occur if you enable this option.

Port Knocking

Advanced Port Knock System

ASL_KNOCK

This logs when a potential knock packet comes in when using the advanced port knocking system. It does not block or shun anything.

ASL_KNOCK_IN

This logs the source IP of a client when it connects to a port-knock protected port. It does not block or shun anything.

Simple Port Knock System

ASL_SKNOCK

This logs when a potential knock packet comes in when using the simple port knocking system. It does not block or shun anything.

ASL_SKNOCK_IN

This logs the source IP of a client when it connects to a port-knock protected port. It does not block or shun anything.

Blocking/Dropping rules

Automatic Blocks

ASL_AR_DROP

These rules are labeled in netfilter with "ASL-ACTIVE-RESPONSE" as the label.

ASL has blocked packets from an IP that was shunned by ASL due to a rule violation. By default, these shuns are temporary. You can find out why a shun occurred and remove a shun by following the process in this article:

https://www.atomicorp.com/wiki/index.php/Using_ASL#Why_did_ASL_block_an_IP.3F

You can manually remove a shun by following this process:

https://www.atomicorp.com/wiki/index.php?title=Using_ASL#How_do_you_unblock_an_IP_in_ASL.3F

This capability in ASL is enabled by default, and is controlled by this setting:

https://www.atomicorp.com/wiki/index.php?title=ASL_Configuration#OSSEC_ACTIVE_RESPONSE

Shuns are, by default, automatically removed based on this setting:

https://www.atomicorp.com/wiki/index.php?title=ASL_Configuration#OSSEC_SHUN_ENABLE_TIMEOUT

The timeout to automatically remove shuns is set by this configuration setting:

https://www.atomicorp.com/wiki/index.php?title=ASL_Configuration#OSSEC_SHUN_TIME

Firewall IPS

DROP_ASL: HEARTBEAT

ASL has detected a TLS heartbeat request. This extension to TLS is what caused the Heartbleed vulnerability. This likely means a Heartbleed attack is underway, and ASL has blocked it.

DROP_ASL: DNS_DDOS

ASL has detected an attempt to use your DNS server as a possible DNS DDOS amplifier. This likely means someone is trying to use your DNS server to launch a DDOS attack against another host, and ASL has blocked this.

DROP_ASL: NTP_DDOS

ASL has detected an attempt to use your NTP server as a possible NTP DDOS amplifier. This likely means someone is trying to use your NTP server to launch a DDOS attack against another host, and ASL has blocked this.

User Defined Blocks

DROP_ASL_TORTIX

An IP address has been blocked from connecting to the ASL web console based on the IP addresses you have configured to allow access. ASL does not block any IPs from the ASL web console by default.

You can change the IPs you have configured ASL to allow into the ASL web console by editing this file:

/etc/asl/firewall/tortixd-access-list

Then run this command as root:

service asl-firewall restart

ASL_SMTP_OUT

ASL has blocked a user that you have not authorized from sending SMTP traffic outbound. This feature does not prevent users from sending mail out through the system's mail server. It simply prevents them from bypassing the mail server. This feature helps to prevent spam bots from operating on the system.

ASL does not block any users from sending SMTP traffic outbound by default.

Please see this article to change your configuration for this option, if you wish to allow a user to bypass your local mail server:

https://www.atomicorp.com/wiki/index.php?title=ASL_firewall#FW_OUTPUT_MTA

ASL_BLACKLIST_BLOCK

ASL has blocked traffic from an IP that you placed on the ASL blacklist. This blacklist is manually created by the user, and ASL will not add IPs to this blacklist. The blacklist is empty by default.

Blacklists are bidirectional: when an IP is blacklisted, all traffic both to and from that IP is blocked (it matches as SRC and as DST).

ASL_GEO_BLOCK

ASL has blocked traffic from a country that you have configured ASL to block via ASL's geoblocking. This is manually configured by the user, and ASL will not automatically add countries to the geoblocking lists. No countries are blocked by default.

DROP_ASL_U_RATE

The rate limit you configured for this UDP port has been exceeded. ASL does not set any rate limits by default.

DROP_ASL_T_RATE

The rate limit you configured for this TCP port has been exceeded. ASL does not set any rate limits by default.

DROP_ASL_INPUT

ASL has dropped an inbound packet because you have configured it to do this. ASL does not block connections to any ports by default.

Please see this setting:

https://www.atomicorp.com/wiki/index.php/ASL_firewall#Inbound.2FOutbound_ports

ASL_OUTPUT

ASL has dropped a packet because you have configured it to do this. ASL does not block outbound connections to any ports by default.

Please see this setting:

https://www.atomicorp.com/wiki/index.php/ASL_firewall#FW_OUTPUT_TCP_SERVICES

RBLS

ASL_TOR_BLOCK

ASL has blocked an IP that is a Tor exit node because you have configured ASL to block Tor exit nodes. ASL does not block this by default.

ASL_AUTOSHUN_BLOCK

ASL has blocked an IP that is on the autoshun RBL list because you have configured ASL to block IPs from this RBL. ASL does not block this by default.

ASL_CIARMY_BLOCK

ASL has blocked an IP that is on the ciarmy RBL list because you have configured ASL to block IPs from this RBL. ASL does not block this by default.

ASL_DSHIELD_BLOCK

ASL has blocked an IP that is on the dshield RBL list because you have configured ASL to block IPs from this RBL. ASL does not block this by default.

ASL_ELASSO_BLOCK

ASL has blocked an IP that is on the spamhaus elasso RBL list because you have configured ASL to block IPs from this RBL. ASL does not block this by default.

ASL_LASSO_BLOCK

ASL has blocked an IP that is on the spamhaus lasso RBL list because you have configured ASL to block IPs from this RBL. ASL does not block this by default.

ASL_EMERGING_THREATS_BLOCK

ASL has blocked an IP that is on the emerging threats RBL list because you have configured ASL to block IPs from this RBL. ASL does not block this by default.

ASL_OPENBL_BLOCK

ASL has blocked an IP that is on the openbl RBL list because you have configured ASL to block IPs from this RBL. ASL does not block this by default.

ASL_OPENPROXIES_BLOCK

ASL has blocked an IP that is on the openproxies RBL list because you have configured ASL to block IPs from this RBL. ASL does not block this by default.

Bad Packets

ASL_FRAGMENT

ASL has blocked a fragmented packet. ASL, when configured properly, has a stateful firewall that will reassemble fragmented packets. If this rule is triggered, it means that someone has either disabled stateful inspection for user defined rules, or that the system is not using the ASL kernel and the third-party kernel in use does not support stateful firewalls.

DROP_ASL_TOOSMALL

ASL has blocked a packet that is too small to be valid.

ASL_INVALID_INPUT

ASL has dropped an incoming invalid packet.

ASL_INVALID_FWD

ASL has dropped an invalid packet in the FORWARD chain.

ASL_INVALID_OUTPUT

ASL has dropped an outgoing invalid packet.

Port scans

DROP_ASL_ADVSCAN

ASL has detected and blocked a portscan using the advanced portscan detector in ASL.

DROP_ASL_PORTSCAN

ASL has detected and blocked a portscan.

DROP_ASL_GSCAN

ASL has detected a potential banner grab portscan.

DROP_ASL_CNSCAN

ASL has detected and blocked a connect() portscan.

DROP_ASL_SSCAN

ASL has detected and blocked a potential SYN portscan.

DROP_ASL_STSCAN

ASL has detected and blocked a stealth portscan.

DROP_ASL_MSS

ASL has detected a packet that is too small to be valid.
