Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Logging Attacks
- Thread starter Almin
- Start date
Syslog server, and in the router...
router(config)#hostname blablabla
router(config)#logging on
router(config)#logging traps (whatever level you choose---do a "?" for your choices. I do debugging myself to see everything)
router(config)#logging host x.x.x.x---the ip address of the syslog server
router(config)#logging buffered (number---if logging to a syslog server, I would reduce this to 4096 rather than the default of 65536 to save on memory resources)
You can do
router(config)#logging ?
for the other choices, but what I have posted are the minimum
I use Kiwi (free version) syslog server daemon and it works GREAT.
/
tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
router(config)#hostname blablabla
router(config)#logging on
router(config)#logging traps (whatever level you choose---do a "?" for your choices. I do debugging myself to see everything)
router(config)#logging host x.x.x.x---the ip address of the syslog server
router(config)#logging buffered (number---if logging to a syslog server, I would reduce this to 4096 rather than the default of 65536 to save on memory resources)
You can do
router(config)#logging ?
for the other choices, but what I have posted are the minimum
I use Kiwi (free version) syslog server daemon and it works GREAT.
/
tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
You can filter things---you'll have to play with it. I log everything (level 7, debugging), and here is a sample...it's easy to spot an attack---look for warning...
2010-02-27 20:30:31 Local7.Notice 10.68.68.1 439315: 439322: Feb 28 02:30:31: %SYS-5-CONFIG_I: Configured from console by r00t on vty0 (10.68.68.71)
2010-02-27 20:31:07 Local7.Info 10.68.68.1 439316: 439323: Feb 28 02:31:07: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.103(80) -> 75.58.187.44(1256), 1 packet
2010-02-27 20:31:13 Local7.Info 10.68.68.1 439317: 439324: Feb 28 02:31:12: %SEC-6-IPACCESSLOGP: list 103 denied tcp 72.163.4.161(443) -> 75.58.187.44(1257), 1 packet
2010-02-27 20:31:34 Local7.Info 10.68.68.1 439318: 439325: Feb 28 02:31:34: %SEC-6-IPACCESSLOGP: list 103 denied tcp 83.150.67.33(80) -> 75.58.187.44(1258), 1 packet
2010-02-27 20:31:45 Local7.Info 10.68.68.1 439319: 439326: Feb 28 02:31:45: %SEC-6-IPACCESSLOGP: list 103 denied tcp 204.13.248.112(80) -> 75.58.187.44(36475), 6 packets
2010-02-27 20:31:45 Local7.Info 10.68.68.1 439320: 439327: Feb 28 02:31:45: %SEC-6-IPACCESSLOGP: list 103 denied tcp 204.13.248.112(80) -> 75.58.187.44(60002), 6 packets
2010-02-27 20:31:49 Local7.Info 10.68.68.1 439321: 439328: Feb 28 02:31:48: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.17(443) -> 75.58.187.44(1259), 1 packet
2010-02-27 20:32:10 Local7.Info 10.68.68.1 439322: 439329: Feb 28 02:32:10: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.18(443) -> 75.58.187.44(1260), 1 packet
2010-02-27 20:32:13 Local7.Info 10.68.68.1 439323: 439330: Feb 28 02:32:12: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.103(80) -> 75.58.187.44(1261), 1 packet
2010-02-27 20:32:22 Local7.Info 10.68.68.1 439324: 439331: Feb 28 02:32:22: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.103(80) -> 75.58.187.44(1262), 1 packet
2010-02-27 20:32:34 Local7.Warning 10.68.68.1 439325: 439332: Feb 28 02:32:33: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [72.163.4.161:0 -> 75.58.187.44:0]
2010-02-27 20:32:34 Local7.Info 10.68.68.1 439326: 439333: Feb 28 02:32:33: %SEC-6-IPACCESSLOGDP: list 103 denied icmp 72.163.4.161 -> 75.58.187.44 (0/0), 1 packet
2010-02-27 20:32:36 Local7.Warning 10.68.68.1 439327: 439334: Feb 28 02:32:35: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [72.163.4.161:0 -> 75.58.187.44:0]
2010-02-27 20:32:38 Local7.Warning 10.68.68.1 439328: 439335: Feb 28 02:32:37: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [72.163.4.161:0 -> 75.58.187.44:0]
2010-02-27 20:32:39 Local7.Info 10.68.68.1 439329: 439336: Feb 28 02:32:39: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.138(80) -> 75.58.187.44(1263), 1 packet
2010-02-27 20:32:40 Local7.Warning 10.68.68.1 439330: 439337: Feb 28 02:32:39: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [72.163.4.161:0 -> 75.58.187.44:0]
2010-02-27 20:32:42 Local7.Warning 10.68.68.1 439331: 439338: Feb 28 02:32:41: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [72.163.4.161:0 -> 75.58.187.44:0]
2010-02-27 20:32:43 Local7.Info 10.68.68.1 439332: 439339: Feb 28 02:32:43: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.99(80) -> 75.58.187.44(1264), 1 packet
2010-02-27 20:32:45 Local7.Info 10.68.68.1 439333: 439340: Feb 28 02:32:45: %SEC-6-IPACCESSLOGP: list 103 permitted udp 64.113.32.5(123) -> 75.58.187.44(123), 5 packets
2010-02-27 20:33:00 Local7.Info 10.68.68.1 439334: 439341: Feb 28 02:33:00: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.101(80) -> 75.58.187.44(1265), 1 packet
2010-02-27 20:33:04 Local7.Info 10.68.68.1 439335: 439342: Feb 28 02:33:04: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.105(80) -> 75.58.187.44(1266), 1 packet
2010-02-27 20:33:21 Local7.Info 10.68.68.1 439336: 439343: Feb 28 02:33:21: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.139(80) -> 75.58.187.44(1267), 1 packet
2010-02-27 20:33:21 Local7.Warning 10.68.68.1 439337: 439344: Feb 28 02:33:21: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [209.85.225.99:0 -> 75.58.187.44:0]
2010-02-27 20:33:23 Local7.Warning 10.68.68.1 439338: 439345: Feb 28 02:33:23: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [209.85.225.99:0 -> 75.58.187.44:0]
2010-02-27 20:33:25 Local7.Warning 10.68.68.1 439339: 439346: Feb 28 02:33:25: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [209.85.225.99:0 -> 75.58.187.44:0]
2010-02-27 20:33:26 Local7.Info 10.68.68.1 439340: 439347: Feb 28 02:33:25: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.104(80) -> 75.58.187.44(1268), 1 packet
2010-02-27 20:33:27 Local7.Warning 10.68.68.1 439341: 439348: Feb 28 02:33:27: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [209.85.225.99:0 -> 75.58.187.44:0]
2010-02-27 20:33:29 Local7.Warning 10.68.68.1 439342: 439349: Feb 28 02:33:29: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [209.85.225.99:0 -> 75.58.187.44:0]
2010-02-27 20:33:43 Local7.Info 10.68.68.1 439343: 439350: Feb 28 02:33:42: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.102(80) -> 75.58.187.44(1269), 1 packet
2010-02-27 20:33:45 Local7.Info 10.68.68.1 439344: 439351: Feb 28 02:33:45: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 14 packets
2010-02-27 20:33:47 Local7.Info 10.68.68.1 439345: 439352: Feb 28 02:33:47: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.106(80) -> 75.58.187.44(1270), 1 packet
2010-02-27 20:34:04 Local7.Info 10.68.68.1 439346: 439353: Feb 28 02:34:03: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.113(80) -> 75.58.187.44(1271), 1 packet
2010-02-27 20:34:08 Local7.Info 10.68.68.1 439347: 439354: Feb 28 02:34:08: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.147(80) -> 75.58.187.44(1272), 1 packet
2010-02-27 20:34:09 Local7.Warning 10.68.68.1 439348: 439355: Feb 28 02:34:09: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [198.36.171.18:0 -> 75.58.187.44:0]
2010-02-27 20:34:11 Local7.Warning 10.68.68.1 439349: 439356: Feb 28 02:34:11: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [198.36.171.18:0 -> 75.58.187.44:0]
2010-02-27 20:34:13 Local7.Warning 10.68.68.1 439350: 439357: Feb 28 02:34:13: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [198.36.171.18:0 -> 75.58.187.44:0]
2010-02-27 20:34:15 Local7.Warning 10.68.68.1 439351: 439358: Feb 28 02:34:15: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [198.36.171.18:0 -> 75.58.187.44:0]
2010-02-27 20:34:17 Local7.Warning 10.68.68.1 439352: 439359: Feb 28 02:34:17: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [198.36.171.18:0 -> 75.58.187.44:0]
2010-02-27 20:34:25 Local7.Info 10.68.68.1 439353: 439360: Feb 28 02:34:25: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.100(80) -> 75.58.187.44(1273), 1 packet
2010-02-27 20:34:30 Local7.Info 10.68.68.1 439354: 439361: Feb 28 02:34:29: %SEC-6-IPACCESSLOGP: list 103 denied tcp 83.150.67.33(80) -> 75.58.187.44(1274), 1 packet
Info lets you know about acl hits, notifications will tell you about config changes, and warnings will tell you about an IPS signature being matched.
You can set Kiwi up to email you (like your phone) when a warning comes up. The acl hits are no worry---script kiddies trying to ftp or html into your router---easily blocked with an acl---just allow what you need in, block the rest.
/
tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
2010-02-27 20:30:31 Local7.Notice 10.68.68.1 439315: 439322: Feb 28 02:30:31: %SYS-5-CONFIG_I: Configured from console by r00t on vty0 (10.68.68.71)
2010-02-27 20:31:07 Local7.Info 10.68.68.1 439316: 439323: Feb 28 02:31:07: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.103(80) -> 75.58.187.44(1256), 1 packet
2010-02-27 20:31:13 Local7.Info 10.68.68.1 439317: 439324: Feb 28 02:31:12: %SEC-6-IPACCESSLOGP: list 103 denied tcp 72.163.4.161(443) -> 75.58.187.44(1257), 1 packet
2010-02-27 20:31:34 Local7.Info 10.68.68.1 439318: 439325: Feb 28 02:31:34: %SEC-6-IPACCESSLOGP: list 103 denied tcp 83.150.67.33(80) -> 75.58.187.44(1258), 1 packet
2010-02-27 20:31:45 Local7.Info 10.68.68.1 439319: 439326: Feb 28 02:31:45: %SEC-6-IPACCESSLOGP: list 103 denied tcp 204.13.248.112(80) -> 75.58.187.44(36475), 6 packets
2010-02-27 20:31:45 Local7.Info 10.68.68.1 439320: 439327: Feb 28 02:31:45: %SEC-6-IPACCESSLOGP: list 103 denied tcp 204.13.248.112(80) -> 75.58.187.44(60002), 6 packets
2010-02-27 20:31:49 Local7.Info 10.68.68.1 439321: 439328: Feb 28 02:31:48: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.17(443) -> 75.58.187.44(1259), 1 packet
2010-02-27 20:32:10 Local7.Info 10.68.68.1 439322: 439329: Feb 28 02:32:10: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.18(443) -> 75.58.187.44(1260), 1 packet
2010-02-27 20:32:13 Local7.Info 10.68.68.1 439323: 439330: Feb 28 02:32:12: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.103(80) -> 75.58.187.44(1261), 1 packet
2010-02-27 20:32:22 Local7.Info 10.68.68.1 439324: 439331: Feb 28 02:32:22: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.103(80) -> 75.58.187.44(1262), 1 packet
2010-02-27 20:32:34 Local7.Warning 10.68.68.1 439325: 439332: Feb 28 02:32:33: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [72.163.4.161:0 -> 75.58.187.44:0]
2010-02-27 20:32:34 Local7.Info 10.68.68.1 439326: 439333: Feb 28 02:32:33: %SEC-6-IPACCESSLOGDP: list 103 denied icmp 72.163.4.161 -> 75.58.187.44 (0/0), 1 packet
2010-02-27 20:32:36 Local7.Warning 10.68.68.1 439327: 439334: Feb 28 02:32:35: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [72.163.4.161:0 -> 75.58.187.44:0]
2010-02-27 20:32:38 Local7.Warning 10.68.68.1 439328: 439335: Feb 28 02:32:37: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [72.163.4.161:0 -> 75.58.187.44:0]
2010-02-27 20:32:39 Local7.Info 10.68.68.1 439329: 439336: Feb 28 02:32:39: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.138(80) -> 75.58.187.44(1263), 1 packet
2010-02-27 20:32:40 Local7.Warning 10.68.68.1 439330: 439337: Feb 28 02:32:39: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [72.163.4.161:0 -> 75.58.187.44:0]
2010-02-27 20:32:42 Local7.Warning 10.68.68.1 439331: 439338: Feb 28 02:32:41: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [72.163.4.161:0 -> 75.58.187.44:0]
2010-02-27 20:32:43 Local7.Info 10.68.68.1 439332: 439339: Feb 28 02:32:43: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.99(80) -> 75.58.187.44(1264), 1 packet
2010-02-27 20:32:45 Local7.Info 10.68.68.1 439333: 439340: Feb 28 02:32:45: %SEC-6-IPACCESSLOGP: list 103 permitted udp 64.113.32.5(123) -> 75.58.187.44(123), 5 packets
2010-02-27 20:33:00 Local7.Info 10.68.68.1 439334: 439341: Feb 28 02:33:00: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.101(80) -> 75.58.187.44(1265), 1 packet
2010-02-27 20:33:04 Local7.Info 10.68.68.1 439335: 439342: Feb 28 02:33:04: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.105(80) -> 75.58.187.44(1266), 1 packet
2010-02-27 20:33:21 Local7.Info 10.68.68.1 439336: 439343: Feb 28 02:33:21: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.139(80) -> 75.58.187.44(1267), 1 packet
2010-02-27 20:33:21 Local7.Warning 10.68.68.1 439337: 439344: Feb 28 02:33:21: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [209.85.225.99:0 -> 75.58.187.44:0]
2010-02-27 20:33:23 Local7.Warning 10.68.68.1 439338: 439345: Feb 28 02:33:23: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [209.85.225.99:0 -> 75.58.187.44:0]
2010-02-27 20:33:25 Local7.Warning 10.68.68.1 439339: 439346: Feb 28 02:33:25: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [209.85.225.99:0 -> 75.58.187.44:0]
2010-02-27 20:33:26 Local7.Info 10.68.68.1 439340: 439347: Feb 28 02:33:25: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.104(80) -> 75.58.187.44(1268), 1 packet
2010-02-27 20:33:27 Local7.Warning 10.68.68.1 439341: 439348: Feb 28 02:33:27: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [209.85.225.99:0 -> 75.58.187.44:0]
2010-02-27 20:33:29 Local7.Warning 10.68.68.1 439342: 439349: Feb 28 02:33:29: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [209.85.225.99:0 -> 75.58.187.44:0]
2010-02-27 20:33:43 Local7.Info 10.68.68.1 439343: 439350: Feb 28 02:33:42: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.102(80) -> 75.58.187.44(1269), 1 packet
2010-02-27 20:33:45 Local7.Info 10.68.68.1 439344: 439351: Feb 28 02:33:45: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 14 packets
2010-02-27 20:33:47 Local7.Info 10.68.68.1 439345: 439352: Feb 28 02:33:47: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.106(80) -> 75.58.187.44(1270), 1 packet
2010-02-27 20:34:04 Local7.Info 10.68.68.1 439346: 439353: Feb 28 02:34:03: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.113(80) -> 75.58.187.44(1271), 1 packet
2010-02-27 20:34:08 Local7.Info 10.68.68.1 439347: 439354: Feb 28 02:34:08: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.147(80) -> 75.58.187.44(1272), 1 packet
2010-02-27 20:34:09 Local7.Warning 10.68.68.1 439348: 439355: Feb 28 02:34:09: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [198.36.171.18:0 -> 75.58.187.44:0]
2010-02-27 20:34:11 Local7.Warning 10.68.68.1 439349: 439356: Feb 28 02:34:11: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [198.36.171.18:0 -> 75.58.187.44:0]
2010-02-27 20:34:13 Local7.Warning 10.68.68.1 439350: 439357: Feb 28 02:34:13: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [198.36.171.18:0 -> 75.58.187.44:0]
2010-02-27 20:34:15 Local7.Warning 10.68.68.1 439351: 439358: Feb 28 02:34:15: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [198.36.171.18:0 -> 75.58.187.44:0]
2010-02-27 20:34:17 Local7.Warning 10.68.68.1 439352: 439359: Feb 28 02:34:17: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [198.36.171.18:0 -> 75.58.187.44:0]
2010-02-27 20:34:25 Local7.Info 10.68.68.1 439353: 439360: Feb 28 02:34:25: %SEC-6-IPACCESSLOGP: list 103 denied tcp 209.85.225.100(80) -> 75.58.187.44(1273), 1 packet
2010-02-27 20:34:30 Local7.Info 10.68.68.1 439354: 439361: Feb 28 02:34:29: %SEC-6-IPACCESSLOGP: list 103 denied tcp 83.150.67.33(80) -> 75.58.187.44(1274), 1 packet
Info lets you know about acl hits, notifications will tell you about config changes, and warnings will tell you about an IPS signature being matched.
You can set Kiwi up to email you (like your phone) when a warning comes up. The acl hits are no worry---script kiddies trying to ftp or html into your router---easily blocked with an acl---just allow what you need in, block the rest.
/
tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
I can imagine a lot of warning being generated and getting so many that they get over-looked, i guess thats where "the tinkering around" part comes into play.
So you run IPS on your router huh?
I'm thinking about turning it on my ISR, but didnt know if its common deployment. Is it pretty common for most place to have that running on there edge, and do you just use the built in signatures?
No, I have a CCO account, and update the attack.sdf file on a regular basis. The warnings do not come in so much.
/
tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
/
tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
- Status
Similar threads
- Locked
- Question