* iptables LOG options
@ 2005-05-24 3:38 Binish A R
2005-05-24 4:00 ` Robert Vangel
0 siblings, 1 reply; 9+ messages in thread
From: Binish A R @ 2005-05-24 3:38 UTC (permalink / raw)
To: netfilter
Hello,
I am trying to write my custom firewall rules.
I want to drop all outgoing ssh for non root users and log any such attempts at the same time.
I want to log the username trying to do that. What option should I give?
The following won't definitely work.
iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root -j LOG --log-prefix "$USER NO SSH ALLOWED"
because the shell expands $USER variable immediately.
Is there any other option to find the value of owner that get matched by the below rule:
iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root
Any help is much appreciated.
Thanks and Regards,
Binish
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: iptables LOG options
2005-05-24 3:38 iptables LOG options Binish A R
@ 2005-05-24 4:00 ` Robert Vangel
2005-05-24 4:17 ` Binish A R
0 siblings, 1 reply; 9+ messages in thread
From: Robert Vangel @ 2005-05-24 4:00 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 792 bytes --]
Binish A R wrote:
> Hello,
>
> I am trying to write my custom firewall rules.
> I want to drop all outgoing ssh for non root users and log any such
> attempts at the same time.
> I want to log the username trying to do that. What option should I give?
>
> The following won't definitely work.
>
> iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root -j LOG
> --log-prefix "$USER NO SSH ALLOWED"
>
> because the shell expands $USER variable immediately.
>
> Is there any other option to find the value of owner that get matched by
> the below rule:
>
>
> iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root
>
>
> Any help is much appreciated.
>
>
> Thanks and Regards,
>
> Binish
>
>
>
Make it `--uid-owner ! root' instead of `! --uid-owner root'
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/x-pkcs7-signature, Size: 3166 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: iptables LOG options
2005-05-24 4:00 ` Robert Vangel
@ 2005-05-24 4:17 ` Binish A R
2005-05-24 5:01 ` Robert Vangel
0 siblings, 1 reply; 9+ messages in thread
From: Binish A R @ 2005-05-24 4:17 UTC (permalink / raw)
To: Robert Vangel; +Cc: netfilter
Robert Vangel wrote:
> Binish A R wrote:
>
>> Hello,
>>
>> I am trying to write my custom firewall rules.
>> I want to drop all outgoing ssh for non root users and log any such
>> attempts at the same time.
>> I want to log the username trying to do that. What option should I give?
>>
>> The following won't definitely work.
>>
>> iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root -j
>> LOG --log-prefix "$USER NO SSH ALLOWED"
>>
>> because the shell expands $USER variable immediately.
>>
>> Is there any other option to find the value of owner that get matched
>> by the below rule:
>>
>>
>> iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root
>>
>>
>> Any help is much appreciated.
>>
>>
>> Thanks and Regards,
>>
>> Binish
>>
>>
>>
>
> Make it `--uid-owner ! root' instead of `! --uid-owner root'
iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root -j REJECT
is working fine, ie its blocking ssh from non-root users.
What I want is to log the username (uid) trying to do ssh.
Any comments?
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: iptables LOG options
2005-05-24 4:17 ` Binish A R
@ 2005-05-24 5:01 ` Robert Vangel
2005-05-24 5:16 ` Binish A R
2005-05-24 14:43 ` Taylor, Grant
0 siblings, 2 replies; 9+ messages in thread
From: Robert Vangel @ 2005-05-24 5:01 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 668 bytes --]
Binish A R wrote:
> Robert Vangel wrote:
>> Make it `--uid-owner ! root' instead of `! --uid-owner root'
>
>
> iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root -j REJECT
> is working fine, ie its blocking ssh from non-root users.
> What I want is to log the username (uid) trying to do ssh.
> Any comments?
>
>
Please don't CC me. Thanks.
Sorry, I misread the question :\.
From my experience with -m owner/group (extremely limited I must admit)
I don't think it's possible. The messages in /var/log/messages don't
seem to have any uid information, and afaik there isn't any sort of
variables that iptables has in to do this sort of thing.
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/x-pkcs7-signature, Size: 3166 bytes --]
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: iptables LOG options
2005-05-24 5:01 ` Robert Vangel
@ 2005-05-24 5:16 ` Binish A R
2005-05-24 5:30 ` Robert Vangel
2005-05-24 14:43 ` Taylor, Grant
1 sibling, 1 reply; 9+ messages in thread
From: Binish A R @ 2005-05-24 5:16 UTC (permalink / raw)
To: netfilter
Robert Vangel wrote:
> Binish A R wrote:
>
>> Robert Vangel wrote:
>>
>>> Make it `--uid-owner ! root' instead of `! --uid-owner root'
>>
>>
>>
>>
>> iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root -j
>> REJECT
>> is working fine, ie its blocking ssh from non-root users.
>> What I want is to log the username (uid) trying to do ssh.
>> Any comments?
>>
>>
>
> Please don't CC me. Thanks.
>
> Sorry, I misread the question :\.
>
> From my experience with -m owner/group (extremely limited I must
> admit) I don't think it's possible. The messages in /var/log/messages
> don't seem to have any uid information, and afaik there isn't any sort
> of variables that iptables has in to do this sort of thing.
>
I apologize for the CC.
Is there any way, I can use environment variables while logging ?
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: iptables LOG options
2005-05-24 5:01 ` Robert Vangel
2005-05-24 5:16 ` Binish A R
@ 2005-05-24 14:43 ` Taylor, Grant
2005-05-25 6:55 ` R. DuFresne
1 sibling, 1 reply; 9+ messages in thread
From: Taylor, Grant @ 2005-05-24 14:43 UTC (permalink / raw)
To: netfilter
> From my experience with -m owner/group (extremely limited I must admit)
> I don't think it's possible. The messages in /var/log/messages don't
> seem to have any uid information, and afaik there isn't any sort of
> variables that iptables has in to do this sort of thing.
Would it be possible to get the LOG target to log the PID of the process that tried to send the traffic out? If this could be done it would be a relatively trivial to write a daemon that would watch the log looking for the LOG liens (presumably with a special pattern in the --log-prefix parameter as a key) and try to identify who ran the process that has the PID in question. The only caveat that comes to mind is that process might spawn and die / close before the daemon could identify who was running it so I would be tempted to send the traffic to user space QUEUE (I think) to something that would ultimately just drop it but that could introduce a pause long enough (or do the searching it's self) for the user identification to take place?
I am in no way capable of writing such applications / daemons, but I know there are those who are. This is just my $.02 on it.
Grant. . . .
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: iptables LOG options
2005-05-24 14:43 ` Taylor, Grant
@ 2005-05-25 6:55 ` R. DuFresne
0 siblings, 0 replies; 9+ messages in thread
From: R. DuFresne @ 2005-05-25 6:55 UTC (permalink / raw)
To: Taylor, Grant; +Cc: netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 24 May 2005, Taylor, Grant wrote:
>> From my experience with -m owner/group (extremely limited I must admit)
>> I don't think it's possible. The messages in /var/log/messages don't
>> seem to have any uid information, and afaik there isn't any sort of
>> variables that iptables has in to do this sort of thing.
>
> Would it be possible to get the LOG target to log the PID of the process that tried to send the traffic out? If this could be done it would be a relatively trivial to write a daemon that would watch the log looking for the LOG liens (presumably with a special pattern in the --log-prefix parameter as a key) and try to identify who ran the process that has the PID in question. The only caveat that comes to mind is that process might spawn and die / close before the daemon could identify who was running it so I would be tempted to send the traffic to user space QUEUE (I think) to something that would ultimately just drop it but that could introduce a pause long enough (or do the searching it's self) for the user identification to take place?
>
> I am in no way capable of writing such applications / daemons, but I know there are those who are. This is just my $.02 on it.
>
Of course these are internal users, and so if one might not beable to
control the binaries packets, perhaps one looks to control access or
abilities of users with the binary? This might be a place for another
admin tool, say sudo, or chmod/chown?
Thanks,
Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFClCFLst+vzJSwZikRAr9QAJwLlw1sWvrTIvc1TX5Db4NmJ7qSWACfRib5
mAQOsllflyFhPuUnkVMUyDI=
=LjzP
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2005-05-25 6:55 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-05-24 3:38 iptables LOG options Binish A R
2005-05-24 4:00 ` Robert Vangel
2005-05-24 4:17 ` Binish A R
2005-05-24 5:01 ` Robert Vangel
2005-05-24 5:16 ` Binish A R
2005-05-24 5:30 ` Robert Vangel
2005-05-24 5:39 ` Binish A R
2005-05-24 14:43 ` Taylor, Grant
2005-05-25 6:55 ` R. DuFresne
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.