Changing APF log for TDP/UDP drop's

If you’re tired of seeing your /var/log/messages log file full of dropped traffic from APF firewall then we have a solution! We’ll create a separate log file for TCP/UDP OUTPUT and drops which will leave your messages log nice and clean for easy browsing!

Requirements:

APF Firewall 0.9.3 or above. It may work on previous versions but we haven’t tested. If you’re using an older version you should upgrade anyways. Install APF by following our firewall tutorial.

Changing APF’s configuration:

1) Login to your server and su to root shell.

2) Create a new log file just for the TCP/UDP output/drops from APF.
touch /var/log/iptables

Set user permissions to restrict access.
chmod 600 /var/log/iptables

3) Change the syslog so it will tell iptables to use your new log file.
First lets make a backup to be safe:
cp /etc/syslog.conf /etc/syslog.conf.bak

pico /etc/syslog.conf

4) Add the following line at the bottom

# Send iptables LOGDROPs to /var/log/iptables
kern.=debug /var/log/iptables

5) Save the changes, ctrl + X then Y

6) Reload the syslogd service for the change to take effect.
/sbin/service syslog reload

7) Open APF and edit the firewall configuration.
First lets make a backup to be safe:
cp /etc/apf/firewall /etc/apf/firewall.bak

pico /etc/apf/firewall

Find the following: DROP_LOG

You should see this:

if [ "$DROP_LOG" == "1" ]; then
# Default TCP/UDP INPUT log chain
        $IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IF -j LOG --log-prefix "** IN_TCP DROP ** "
        $IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IF -j LOG --log-prefix "** IN_UDP DROP ** "

Replace with the following:

if [ "$DROP_LOG" == "1" ]; then
# Default TCP/UDP INPUT log chain
        $IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IF -j LOG --log-level debug
        $IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IF -j LOG --log-level debug

Find the following one more time: DROP_LOG

You should see this:

if [ "$DROP_LOG" == "1" ] && [ "$EGF" == "1" ]; then
# Default TCP/UDP OUTPUT log chain
        $IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $IF -j LOG --log-prefix "** OUT_TCP DROP ** "
        $IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $IF -j LOG --log-prefix "** OUT_UDP DROP ** "

Replace with the following:

if [ "$DROP_LOG" == "1" ] && [ "$EGF" == "1" ]; then
# Default TCP/UDP OUTPUT log chain
        $IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $IF -j LOG --log-level debug
        $IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $IF -j LOG --log-level debug

8) Save the changes to firewall.
Ctrl + X then Y

9) Restart apf for the changes to take effect.

/etc/apf/apf –r

10) Make sure the new log file is getting written to:
tail –f /var/log/iptables

You should see things like:

Aug 27 15:48:31 fox kernel: IN=eth0 OUT= MAC=00:0d:61:37:76:84:00:d0:02:06:08:00:08:00 SRC=192.168.1.1 DST=192.168.1.1 LEN=34 TOS=0x00 PREC=0x00 TTL=118 ID=57369 PROTO=UDP SPT=4593 DPT=28000 LEN=14

Also check the messages log to make sure APF still isn’t writing to it.
tail –f /var/log/messages

Final notes:
APF is written by R-fx Networks: http://www.rfxnetworks.com/apf.php

Article from: http://webhostgear.com/167.html

Similar Articles : Compile 2.6.7, 2.6.8, 2.6.8.1, 2.6.9, 2.6.10, 2.6.11.6 Kernel w/module-init-tools, Rkhunter Installation, Detect and Clean a hacked server T0rnkit Tutorial, How to install KISS Firewall, How to Disable Telnet, How to install mod_security for Apache, How to install BFD (Brute Force Detection), How to install APF (Advanced Policy Firewall), E-mail Alert on Root SSH Login, Mask Your Web Server for Enhanced Security, Guide to Chkrootkit - checking for intruders, Creating a Welcome message for SSH logins, Disable Direct Root Login, RootCheck - Root Check, Changing APF log for TDP/UDP drop's