Connection logging with iptables

This is a short tutorial on how to log connections with iptables for analysis or for detecting attacks. For connection auditing on data-critical services like SSH, IMAP, HTTP and so forth, it is handy to log every new connection to these services together with things like the timestamp and source IP. With such data it is possible to detect an intrusion or to maintain existing security systems.

This is an example of logging new TCP connections.
For better maintainability we create a new chain for the logging rules and add a rule to the INPUT chain which says: all TCP traffic with the SYN flag set jumps to the LOGGING chain.

iptables -N LOGGING
iptables -A INPUT -p tcp --syn -j LOGGING

Now we add a rule for logging every new TCP connection on port 143 (the usual IMAP port).

iptables -I LOGGING -p tcp --destination-port 143 -j LOG --log-level info --log-prefix '*LOG*'

iptables logs through the kernel log, so we have to specify a syslog log level. Most of the time logged data only wastes disk space, but sometimes it is needed for further analysis. To make grabbing the relevant rows a little easier, we prefix each log entry with *LOG*.
When a new connection to port 143 is created, a row like this will be written:

Jan  6 17:20:49 myhost kernel: [8304902.490996] *LOG*IN=eth0 OUT= MAC=XXX SRC=XXX DST=XXX LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=5137 DF PROTO=TCP SPT=28889 DPT=143 WINDOW=5840 RES=0x00 SYN URGP=0

In detail, this row will be created whenever a TCP packet for destination port 143 has the SYN flag set, so you can detect SYN floods, too.

For detecting other attacks, for example brute-forcing of SSH, you can add the following.

iptables -N LOGSSH
iptables -I LOGSSH -j ACCEPT -m limit --limit 5/m
iptables -A LOGSSH -j LOG --log-level info --log-prefix '*ATTACK*'

iptables -A LOGGING -p tcp --destination-port 22 -j LOG --log-level info --log-prefix '*LOG*' -m limit --limit 5/m
iptables -A LOGGING -p tcp --destination-port 22 -j LOGSSH

This creates a new chain called LOGSSH, which has two rules.
The first rule uses the limit match, which does rate limiting based on packets per time. It means: any TCP packet that jumps into the LOGSSH chain is accepted while the connecting party stays within the limit of 5 matches per minute. Once the connecting party is above the limit of 5 connections per minute, the second rule is triggered, which logs with the prefix *ATTACK*.

After that we add two additional rules to the LOGGING chain, where the order is very important. The first logs all non-*ATTACK* connections to port 22 and the second jumps into LOGSSH to check whether this is an attack. Log entries are not duplicated: if it is a non-*ATTACK* connection the row has the prefix *LOG*, otherwise it has *ATTACK*, because of the -m limit --limit 5/m in the *LOG* prefixed rule.
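As an added example that is not part of the original post, here is a small Python parser for the rows these rules write, run over a few constructed sample lines (the addresses are documentation ranges, not real hosts): it splits the prefix from the first field (the prefix is written without a trailing space, so the row reads *LOG*IN=eth0), turns the KEY=VALUE pairs and bare flags into a record, and counts SYNs per source and port while collecting the sources that hit the *ATTACK* rule.

```python
import re
from collections import Counter

# Constructed sample rows in the format the rules above produce (not real traffic).
# Note there is no space between the prefix and IN=, so "*LOG*IN=eth0" must be split.
SAMPLE_LOG = """\
Jan  6 17:20:49 myhost kernel: [8304902.490996] *LOG*IN=eth0 OUT= MAC=XXX SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=5137 DF PROTO=TCP SPT=28889 DPT=143 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  6 17:21:02 myhost kernel: [8304915.102233] *LOG*IN=eth0 OUT= MAC=XXX SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=5201 DF PROTO=TCP SPT=28901 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  6 17:21:03 myhost kernel: [8304916.311870] *ATTACK*IN=eth0 OUT= MAC=XXX SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=6000 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  6 17:21:05 myhost kernel: [8304918.000001] some unrelated kernel message
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: \[\s*[\d.]+\] "
    r"(?P<prefix>\*\w+\*)(?P<fields>.*)$"
)

def parse_line(line):
    """Return a dict for one iptables LOG row, or None for other kernel messages.
    Flag-only tokens (DF, SYN, ACK, ...) are collected in the 'flags' set."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v            # "OUT=" yields an empty string, as in the row
        else:
            rec["flags"].add(tok)
    return rec

def summarize(log_text):
    """Count SYNs per (SRC, DPT) and collect sources that hit the *ATTACK* rule."""
    syn_counts = Counter()
    attackers = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "SYN" not in rec["flags"]:
            continue
        syn_counts[(rec["SRC"], rec["DPT"])] += 1
        if rec["prefix"] == "*ATTACK*":
            attackers.add(rec["SRC"])
    return syn_counts, attackers

if __name__ == "__main__":
    counts, attackers = summarize(SAMPLE_LOG)
    print(dict(counts), "over SSH limit:", sorted(attackers))
```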

These examples are only for analysis or intrusion detection, but you could also use such instruments to prevent an attack. Please be aware of the amount of data that is logged! It is not a good idea to enable such logging for services which are known to have a lot of new connections or which are a major target for SYN flooding. If you don't care, you will DDoS yourself with a lot of I/O or even a full disk.

For further information on this topic:

  • man 8 iptables
  • iptables -m limit --help
