Installing iplog

Created: March 10, 2021

Host OS: Debian GNU/Linux 10.7
Guest OS: FreeBSD 12.2-RELEASE r366954 GENERIC amd64

References:
iplog 2.2.3 by Ryan McCabe
Detecting stealth scans with iplog!

Install iplog to detect port scans.
The log is rotated at 1 MB, and 10 generations of backups are kept.

Install with pkg

# pkg install iplog-2.2.3_3
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        iplog: 2.2.3_3

Number of packages to be installed: 1

35 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching iplog-2.2.3_3.txz: 100%   35 KiB  35.5kB/s    00:01
Checking integrity... done (0 conflicting)
[1/1] Installing iplog-2.2.3_3...
[1/1] Extracting iplog-2.2.3_3: 100%
=====
Message from iplog-2.2.3_3:

Copy the sample configuration file and edit it.

# cp /usr/local/etc/iplog.conf.sample /usr/local/etc/iplog.conf

Check the interface name with ifconfig, and adjust the monitored ports to suit your environment.

# vi /usr/local/etc/iplog.conf

/*
** $Id: example-iplog.conf,v 1.2 2000/12/31 18:40:40 odin Exp $
**
** Example iplog configuration file.
** Edit me and copy me to /usr/local/etc/iplog.conf
**
** See iplog.conf(5) for details on syntax and a full description
** of available options.
*/

# Run as an unprivileged account with the login "iplog"
user iplog

# Run with group "nogroup"
group nogroup

# User "iplog" has write permission for the directory "/var/run/iplog"
pid-file /var/run/iplog/iplog.pid

# Log to /var/log/iplog
logfile /var/log/iplog

# Use the syslog(3) facility log_daemon.
facility log_daemon

# Use the syslog(3) priority (level) log_info.
priority log_info

# Log the IP address as well as the hostname of packets.
set log_ip true

# Do not log the destination of packets.
set log_dest false

# Ignore DNS traffic from nameservers in /etc/resolv.conf.
#set ignore_dns

# Listen on vtnet0 (the interface reported by ifconfig on this guest)
interface vtnet0
ignore icmp
ignore tcp dport 53
ignore udp dport 53
ignore udp dport 123

# Operate in promiscuous mode and watch the 192.168.0.x network
# promisc 192.168.0.0/24

/*
** Ignore DNS traffic from nameservers.
** Using the -d option will add similar rules for all nameservers
** listed in /etc/resolv.conf
*/
#ignore udp from 192.168.0.1 sport 53
#ignore udp from 192.168.0.2 sport 53

# Example log statement.
#log tcp dport 1045:1055 sport ftp-data

# Ignore ftp-data connections to ports 1024 and above.
#ignore tcp dport 1024: sport 20

# Ignore WWW connections, if you're running a WWW server.
#ignore tcp dport 80

# Ignore ICMP unreach.
#ignore icmp type unreach

# Ignore all ICMP except ICMP echo packets.
#ignore icmp type !echo

# Ignore UDP traffic from the 127.1.2 network
#ignore udp from 127.1.2/24

# or
#ignore udp from 127.1.2/255.255.255.0

Add the service startup setting to /etc/rc.conf.

# vi /etc/rc.conf
iplog_enable="YES"

Start iplog.

# /usr/local/etc/rc.d/iplog start
Starting iplog.

Add the log rotation entry to /etc/newsyslog.conf.

# vi /etc/newsyslog.conf
/var/log/iplog iplog:nogroup 644 10 1024 * J /var/run/iplog/iplog.pid

If the log still grows too large, the rotation trigger (size or time) in this entry needs to be adjusted.
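As an added check that is not part of the original post, the following POSIX sh script parses the two lines this guide adds to /etc/rc.conf and /etc/newsyslog.conf and verifies that they implement the stated policy (iplog enabled, 10 generations, rotate at 1 MB). The rc.conf and newsyslog.conf contents it reads are constructed sample strings, so it runs without touching the live files.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the two lines this
# guide adds to /etc/rc.conf and /etc/newsyslog.conf without touching the live
# files. newsyslog.conf(5) field layout:
#   logfile [owner:group] mode count size when [flags [pidfile [sigtype]]]
# "size" is in kilobytes (1024 == 1 MB); "count" is how many rotated
# generations are kept.

# Constructed copies of the two entries the guide writes (sample data).
RC_CONF_SAMPLE='hostname="bsd"
sshd_enable="YES"
iplog_enable="YES"'
NEWSYSLOG_ENTRY='/var/log/iplog iplog:nogroup 644 10 1024 * J /var/run/iplog/iplog.pid'

# rcconf_enabled <rc.conf text> <service>: succeed if <service>_enable is YES.
rcconf_enabled() {
    printf '%s\n' "$1" |
        grep -Eq "^[[:space:]]*$2_enable=\"?[Yy][Ee][Ss]\"?[[:space:]]*$"
}

# newsyslog_policy_ok <entry> <log path> <count> <size KB>: succeed if the
# entry keeps <count> generations of <log path> and rotates at <size KB>.
newsyslog_policy_ok() {
    want_log=$2; want_count=$3; want_size=$4
    set -f                      # no globbing: the "when" column is often "*"
    set -- $1                   # split the entry on whitespace into $1..$n
    set +f
    log=$1; shift
    case $1 in *:*) shift ;; esac    # the owner:group column is optional
    # $1 is now the mode and $5 the flags; the pidfile column may be absent.
    count=$2; size=$3; when=$4; pidfile=${6:-none}
    [ "$log" = "$want_log" ] || return 1
    [ "$count" = "$want_count" ] || return 1
    [ "$size" = "$want_size" ] || return 1
    # Something must trigger the rotation: a size limit, a time spec, or both.
    [ "$size" != '*' ] || [ "$when" != '*' ] || return 1
    # With a pidfile and no sigtype column, newsyslog sends SIGHUP after the
    # rotation; the daemon must reopen its log on HUP or it keeps writing to
    # the renamed file.
    if [ "$pidfile" = none ]; then
        echo "warning: no pidfile, the daemon will not be signalled" >&2
    fi
    return 0
}

if rcconf_enabled "$RC_CONF_SAMPLE" iplog; then echo "rc.conf: iplog enabled"; fi
if newsyslog_policy_ok "$NEWSYSLOG_ENTRY" /var/log/iplog 10 1024; then
    echo "newsyslog: 10 generations, rotate at 1 MB"
fi
```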