* iptables LOG options
From: Binish A R @ 2005-05-24 3:38 UTC
To: netfilter
Hello,
I am trying to write my custom firewall rules.
I want to drop all outgoing ssh for non root users and log any such attempts at the same time.
I want to log the username trying to do that. What option should I give?
The following definitely won't work:
iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root -j LOG --log-prefix "$USER NO SSH ALLOWED"
because the shell expands the $USER variable immediately.
Is there any other option to find the value of the owner that gets matched by the below rule:
iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root
Any help is much appreciated.
Thanks and Regards,
Binish
* Re: iptables LOG options
From: Robert Vangel @ 2005-05-24 4:00 UTC
To: netfilter
Binish A R wrote:
> Hello,
>
> I am trying to write my custom firewall rules.
> I want to drop all outgoing ssh for non root users and log any such
> attempts at the same time.
> I want to log the username trying to do that. What option should I give?
>
> The following definitely won't work:
>
> iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root -j LOG
> --log-prefix "$USER NO SSH ALLOWED"
>
> because the shell expands the $USER variable immediately.
>
> Is there any other option to find the value of the owner that gets matched by
> the below rule:
>
>
> iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root
>
>
> Any help is much appreciated.
>
>
> Thanks and Regards,
>
> Binish
>
>
>
Make it `--uid-owner ! root' instead of `! --uid-owner root'
* Re: iptables LOG options
From: Binish A R @ 2005-05-24 4:17 UTC
To: Robert Vangel; +Cc: netfilter
Robert Vangel wrote:
> Binish A R wrote:
>
>> Hello,
>>
>> I am trying to write my custom firewall rules.
>> I want to drop all outgoing ssh for non root users and log any such
>> attempts at the same time.
>> I want to log the username trying to do that. What option should I give?
>>
>> The following definitely won't work:
>>
>> iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root -j
>> LOG --log-prefix "$USER NO SSH ALLOWED"
>>
>> because the shell expands the $USER variable immediately.
>>
>> Is there any other option to find the value of the owner that gets matched
>> by the below rule:
>>
>>
>> iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root
>>
>>
>> Any help is much appreciated.
>>
>>
>> Thanks and Regards,
>>
>> Binish
>>
>>
>>
>
> Make it `--uid-owner ! root' instead of `! --uid-owner root'
iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root -j REJECT
is working fine, i.e. it's blocking ssh from non-root users.
What I want is to log the username (uid) trying to do ssh.
Any comments?
* Re: iptables LOG options
From: Robert Vangel @ 2005-05-24 5:01 UTC
To: netfilter
Binish A R wrote:
> Robert Vangel wrote:
>> Make it `--uid-owner ! root' instead of `! --uid-owner root'
>
>
> iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root -j REJECT
> is working fine, i.e. it's blocking ssh from non-root users.
> What I want is to log the username (uid) trying to do ssh.
> Any comments?
>
>
Please don't CC me. Thanks.
Sorry, I misread the question :\.
From my experience with -m owner/group (extremely limited, I must admit)
I don't think it's possible. The messages in /var/log/messages don't
seem to have any uid information, and AFAIK there isn't any sort of
variable that iptables has for doing this sort of thing.
* Re: iptables LOG options
From: Binish A R @ 2005-05-24 5:16 UTC
To: netfilter
Robert Vangel wrote:
> Binish A R wrote:
>
>> Robert Vangel wrote:
>>
>>> Make it `--uid-owner ! root' instead of `! --uid-owner root'
>>
>>
>>
>>
>> iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root -j
>> REJECT
>> is working fine, i.e. it's blocking ssh from non-root users.
>> What I want is to log the username (uid) trying to do ssh.
>> Any comments?
>>
>>
>
> Please don't CC me. Thanks.
>
> Sorry, I misread the question :\.
>
> From my experience with -m owner/group (extremely limited, I must
> admit) I don't think it's possible. The messages in /var/log/messages
> don't seem to have any uid information, and AFAIK there isn't any sort
> of variable that iptables has for doing this sort of thing.
>
I apologize for the CC.
Is there any way I can use environment variables while logging?
* Re: iptables LOG options
From: Robert Vangel @ 2005-05-24 5:30 UTC
To: netfilter
Binish A R wrote:
> Is there any way I can use environment variables while logging?
From what I can think of, no. Environment variables are parsed then
and there. Using $USER in your script would translate into `--log-prefix
"root NO SSH ALLOWED"' since the user you are running the iptables
command as is root.
* Re: iptables LOG options
From: Binish A R @ 2005-05-24 5:39 UTC
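The expansion-at-insertion-time behaviour Robert describes can be turned around: instead of one rule for "everyone but root", insert one LOG rule per non-root uid, so the uid is baked into that rule's --log-prefix at the moment the script runs. The script below is an added example, not code posted in the thread. It only prints the iptables commands (so it runs without root), assumes the owner match and LOG target discussed above, and reads a constructed name:uid list in place of `getent passwd`. Two practical constraints apply: --log-prefix is limited to 29 characters, and LOG is a non-terminating target, so the REJECT rule has to follow it.

```shell
#!/bin/sh
# Added example (not from the thread): emit one LOG + REJECT rule pair per
# non-root uid so that the uid lands in the LOG prefix at rule-insertion
# time, which is the only point at which a shell variable can reach a rule.
# Assumes iptables with the owner match and LOG target (OUTPUT chain only:
# the owner match works for locally generated packets).

# Print the two rules for one uid. The prefix "SSH_DENY uid=NNNN " stays
# well under the LOG target's 29-character prefix limit.
rules_for_uid() {
    uid="$1"
    printf 'iptables -A OUTPUT -p tcp --dport 22 -m owner --uid-owner %s -j LOG --log-prefix "SSH_DENY uid=%s "\n' "$uid" "$uid"
    printf 'iptables -A OUTPUT -p tcp --dport 22 -m owner --uid-owner %s -j REJECT\n' "$uid"
}

# Read "name:uid" lines on stdin, skip uid 0 (root stays allowed), and
# emit rules for everyone else. On a real host feed this from
# `getent passwd | cut -d: -f1,3`.
gen_rules() {
    while IFS=: read -r _name uid; do
        [ "$uid" = 0 ] && continue
        rules_for_uid "$uid"
    done
}

# Constructed sample user list (not real accounts).
SAMPLE_USERS='root:0
alice:1000
bob:1001'

printf '%s\n' "$SAMPLE_USERS" | gen_rules
```

Pipe the output into `sh` (as root) to load the rules; because the uid is part of each prefix, the resulting kernel log lines carry the uid of the process that tried to connect, which is what the original question asked for.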
To: netfilter
Robert Vangel wrote:
> Binish A R wrote:
>
>> Is there any way I can use environment variables while logging?
>
>
> From what I can think of, no. Environment variables are parsed then
> and there. Using $USER in your script would translate into `--log-prefix
> "root NO SSH ALLOWED"' since the user you are running the
> iptables command as is root.
Yes exactly ... that's what is happening. The shell is expanding $USER as root.
I wish there were some way to log the username :(
Thanks for the replies Robert.
* Re: iptables LOG options
From: Taylor, Grant @ 2005-05-24 14:43 UTC
To: netfilter
> From my experience with -m owner/group (extremely limited, I must admit)
> I don't think it's possible. The messages in /var/log/messages don't
> seem to have any uid information, and AFAIK there isn't any sort of
> variable that iptables has for doing this sort of thing.
Would it be possible to get the LOG target to log the PID of the process that tried to send the traffic out? If this could be done it would be relatively trivial to write a daemon that would watch the log looking for the LOG lines (presumably with a special pattern in the --log-prefix parameter as a key) and try to identify who ran the process that has the PID in question. The only caveat that comes to mind is that the process might spawn and die / close before the daemon could identify who was running it, so I would be tempted to send the traffic to user space (QUEUE, I think) to something that would ultimately just drop it, but that could introduce a pause long enough (or do the searching itself) for the user identification to take place?
I am in no way capable of writing such applications / daemons, but I know there are those who are. This is just my $.02 on it.
Grant. . . .
* Re: iptables LOG options
From: R. DuFresne @ 2005-05-25 6:55 UTC
To: Taylor, Grant; +Cc: netfilter
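Grant's idea of keying on a --log-prefix pattern and resolving the identity afterwards does not need a PID if the uid is already in the prefix: a small parser over the kernel LOG lines can map each uid back to a name. The script below is an added example, not code from the thread. The log lines and the passwd excerpt are constructed for the example; on a real host the input would come from /var/log/kern.log (or `journalctl -k`) and the lookup from `getent passwd`. Unknown uids are kept as "uidNNNN" rather than dropped, so a deleted account still shows up in the report.

```shell
#!/bin/sh
# Added example (not from the thread): turn kernel LOG lines whose prefix
# carries a uid (e.g. "SSH_DENY uid=1000 ") back into usernames, which is
# what the thread wanted the LOG target to do directly.

# Constructed passwd excerpt (name:uid); not real accounts.
PASSWD_MAP='root:0
alice:1000
bob:1001'

# Resolve a uid to a name from PASSWD_MAP; fall back to "uidNNNN" so an
# unknown (deleted?) account is still visible in the report.
name_for_uid() {
    name=$(printf '%s\n' "$PASSWD_MAP" | awk -F: -v u="$1" '$2 == u { print $1; exit }')
    printf '%s\n' "${name:-uid$1}"
}

# Extract KEY=value from a LOG line ($1 = key, $2 = line); prints nothing
# if the key is absent. The [ :] guard stops SPT= matching a search for PT.
field() {
    printf '%s\n' "$2" | sed -n "s/.*[ :]$1=\([^ ]*\).*/\1/p"
}

# Summarise one kernel LOG line as "user -> DST:DPT"; lines that do not
# carry our prefix are ignored.
summarise() {
    line="$1"
    case "$line" in
        *"SSH_DENY uid="*) ;;
        *) return 0 ;;
    esac
    uid=$(field uid "$line")
    dst=$(field DST "$line")
    dpt=$(field DPT "$line")
    printf '%s -> %s:%s\n' "$(name_for_uid "$uid")" "$dst" "$dpt"
}

# Constructed sample lines in the LOG target's syslog format (addresses
# from the documentation ranges).
SAMPLE_LOG='May 24 03:40:01 fw kernel: SSH_DENY uid=1000 IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40122 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 24 03:40:02 fw kernel: SSH_DENY uid=4242 IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.6 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 24 03:40:03 fw kernel: OTHER_RULE IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=80'

printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do summarise "$l"; done
```

Because the uid is resolved when the report is generated rather than when the packet was sent, the race Grant worries about (the process exiting before anyone can look it up) does not arise: the uid is a property of the rule that matched, not of a process that has to still be alive.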
On Tue, 24 May 2005, Taylor, Grant wrote:
>> From my experience with -m owner/group (extremely limited, I must admit)
>> I don't think it's possible. The messages in /var/log/messages don't
>> seem to have any uid information, and AFAIK there isn't any sort of
>> variable that iptables has for doing this sort of thing.
>
> Would it be possible to get the LOG target to log the PID of the process that tried to send the traffic out? If this could be done it would be relatively trivial to write a daemon that would watch the log looking for the LOG lines (presumably with a special pattern in the --log-prefix parameter as a key) and try to identify who ran the process that has the PID in question. The only caveat that comes to mind is that the process might spawn and die / close before the daemon could identify who was running it, so I would be tempted to send the traffic to user space (QUEUE, I think) to something that would ultimately just drop it, but that could introduce a pause long enough (or do the searching itself) for the user identification to take place?
>
> I am in no way capable of writing such applications / daemons, but I know there are those who are. This is just my $.02 on it.
>
Of course these are internal users, and so if one might not be able to
control the binary's packets, perhaps one looks to control access or
abilities of users with the binary? This might be a place for another
admin tool, say sudo, or chmod/chown?
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>