Mon 06 Jan 2014
I was trying to find a good reason to buy the well-known Raspberry Pi, beyond the usual ones, and decided it would be ideal as a syslog server for my home firewall (running pfSense). No graphics required, no significant CPU or memory requirements, just some storage for text logs.
As an OS, I decided to use Moebius Linux, a Raspbian-based (and consequently Debian-based) distribution, simply because it is minimalistic, as a syslog server should be.
After copying the image to a 2 GB SD card (which is more than enough; for installation instructions please check here), logging into it (over ssh, of course), configuring it (moebius.config or moebius.config --normal), updating it (apt-get update followed by apt-get upgrade, as on any Debian-based system) and finally restarting it, it's time to tailor it to our needs.
First, create your user:
useradd myuser -d /home/myuser -m -s /bin/bash
Configure myuser's password
passwd myuser
Of course, do not forget to change your root's password too, if you haven't already done it.
Now, it's time for some hardening.
First, let's harden ssh. Moebius does not use OpenSSH, but Dropbear (it saves more than 10 MBytes of RAM):
vi /etc/default/dropbear
Add the following lines:
DROPBEAR_PORT=45323 #the TCP port that your Dropbear server will listen on
DROPBEAR_EXTRA_ARGS="-w" #Disallow root logins
Restart the service
/etc/init.d/dropbear restart
Now, we'll add the required software / packages. First of all, install iptables, to use it as a host firewall for our syslog server:
apt-get install iptables
Assuming that your SOHO firewall (whose logs you want to store on the syslog server) has the IP 192.168.1.101 and the PC from which you access the Raspberry Pi has the IP 192.168.1.60, let's configure iptables to accept the required connections only from those two hosts (of course, do the following as root):
iptables -I INPUT 1 -p udp --src 192.168.1.101 --dport 514 -j ACCEPT #to accept syslog connections from your SOHO firewall
iptables -I INPUT 2 -p tcp --src 192.168.1.60 --dport 45323 -m state --state NEW -j ACCEPT #to accept ssh connections from your pc
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -I INPUT 3 --src 192.168.1.60 -p icmp -m icmp --icmp-type 8 -j ACCEPT #to check from your PC whether raspberry is alive
iptables -P INPUT DROP #Default dropping policy
iptables-save > /etc/iptables.conf
echo '#!/bin/bash' > /etc/network/if-up.d/iptables
echo '/sbin/iptables-restore < /etc/iptables.conf' >> /etc/network/if-up.d/iptables
chmod +x /etc/network/if-up.d/iptables
Moebius uses the inetutils-syslogd package. Uninstall it; for our purposes we shall use syslog-ng:
apt-get remove inetutils-syslogd
apt-get install syslog-ng
Now, let's configure syslog-ng:
vi /etc/syslog-ng/syslog-ng.conf
Go to the # Sources section and comment out internal(), as follows:
source s_src {
    system();
    # internal();
};
Now, add the following lines:
source s_net { udp(ip(0.0.0.0) port(514)); }; #0.0.0.0 will bind to all interfaces on your syslog server.
destination pfsense { file("/var/log/pfsense.log"); };
log { source(s_net); destination(pfsense); };
Exit the configuration file and start the service:
service syslog-ng start
Create the corresponding log file:
touch /var/log/pfsense.log
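Before pointing pfSense at the new server it is worth confirming that the listener, the iptables rules and the file destination actually work together. The script below is an added example, not part of the original post or of syslog-ng: it builds a BSD-syslog (RFC 3164) datagram carrying a unique tag, sends it over UDP to port 514, and then polls /var/log/pfsense.log until that tag shows up. The server address 192.168.1.50 in the main block is a hypothetical placeholder. Because the iptables rules above only accept udp/514 from the firewall's address (192.168.1.101), the probe only gets through when sent from that host, or if you temporarily allow your PC's address as well; a probe sent from the Pi to itself is also dropped, since no rule accepts loopback traffic.

```python
import socket
import time
from datetime import datetime

# Facility and severity codes from RFC 3164 (PRI = facility * 8 + severity).
FACILITY_LOCAL0 = 16
SEVERITY_NOTICE = 5


def build_syslog_datagram(message, hostname="pfsense", facility=FACILITY_LOCAL0,
                          severity=SEVERITY_NOTICE, when=None):
    """Build a BSD-syslog datagram: <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE.

    The day of month is space-padded to two characters, as RFC 3164 requires.
    """
    when = when or datetime.now()
    pri = facility * 8 + severity
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{timestamp} {hostname} {message}".encode("ascii")


def parse_pri(datagram):
    """Return (facility, severity) decoded from a datagram's leading <PRI>."""
    text = datagram.decode("ascii", errors="replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("datagram has no <PRI> header")
    pri = int(text[1:text.index(">")])
    return pri // 8, pri % 8


def send_probe(server, port, tag, when=None):
    """Send one UDP syslog datagram carrying TAG and return the bytes sent."""
    datagram = build_syslog_datagram(f"pf: syslog-probe {tag}", when=when)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (server, port))
    return datagram


def wait_for_tag(log_path, tag, timeout=5.0, interval=0.2):
    """Poll LOG_PATH until a line containing TAG appears; return it, or None."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with open(log_path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    if tag in line:
                        return line.rstrip("\n")
        except FileNotFoundError:
            pass  # syslog-ng may not have created the file yet
        time.sleep(interval)
    return None


if __name__ == "__main__":
    # Hypothetical values: replace SERVER with your Pi's address.
    SERVER, PORT, LOG = "192.168.1.50", 514, "/var/log/pfsense.log"
    probe_tag = f"probe-{int(time.time())}"
    send_probe(SERVER, PORT, probe_tag)
    print(wait_for_tag(LOG, probe_tag)
          or "probe not seen: check the iptables rules and the syslog-ng source")
```

Run it on the host that the iptables rules allow, with LOG pointing at the file on the Pi (or read the file over ssh); if the tag never appears, the UDP packet was dropped before syslog-ng saw it, or the s_net source is not bound to port 514.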
Almost done. Time to configure pfsense to send the logs to your brand-new minimalistic syslog server. At the web interface of pfsense, go to:
Status -> System Logs -> Remote Logging Options
Check Send log messages to remote syslog server
Enter your syslog server's IP at: Remote Syslog Servers Server 1
At the Remote Syslog Contents enable (tick) just the Firewall events (this is what we are interested in).
Press the Save button below and you are all set.
You'll find your logs at /var/log/pfsense.log . If you want to check them very quickly, just run:
cat /var/log/pfsense.log | grep -v match | grep -v From | grep \> | awk -F " " '{print $6 " > " $8 " "$9 " " $10}'
You should see something like:
178.151.224.39.65421 > 212.251.127.252.24922: Flags [S],
178.151.224.39.65421 > 212.251.127.252.24922: Flags [S],
178.151.224.39.65421 > 212.251.127.252.24922: Flags [S],
84.125.77.90.42601 > 212.251.127.252.35074: UDP, length
200.120.43.102.59696 > 212.251.127.252.19783: UDP, length
212.253.163.15.49425 > 212.251.127.252.19783: Flags [S],
212.253.163.15.58323 > 212.251.127.252.19783: UDP, length
212.253.163.15.49425 > 212.251.127.252.19783: Flags [S],
212.253.163.15.58323 > 212.251.127.252.19783: UDP, length
212.253.163.15.49425 > 212.251.127.252.19783: Flags [S],
212.253.163.15.58323 > 212.251.127.252.19783: UDP, length
46.117.45.207.61116 > 212.251.127.252.35074: Flags [S],
46.117.45.207.61116 > 212.251.127.252.35074: Flags [S],
46.117.45.207.61116 > 212.251.127.252.35074: Flags [S],
46.117.45.207.61116 > 212.251.127.252.35074: Flags [S],
46.117.45.207.61116 > 212.251.127.252.35074: Flags [S],
46.117.45.207.61116 > 212.251.127.252.35074: Flags [S],
46.117.45.207.61116 > 212.251.127.252.35074: Flags [S],
46.117.45.207.61116 > 212.251.127.252.35074: Flags [S],
212.253.163.15.50420 > 212.251.127.252.19783: Flags [S],
212.253.163.15.58323 > 212.251.127.252.19783: UDP, length
212.253.163.15.58323 > 212.251.127.252.19783: UDP, length
212.253.163.15.50420 > 212.251.127.252.19783: Flags [S],
186.177.13.108.36363 > 212.251.127.252.49455: Flags [S],
186.177.13.108.36363 > 212.251.127.252.49455: Flags [S],
186.177.13.108.36363 > 212.251.127.252.49455: Flags [S],
186.177.13.108.36363 > 212.251.127.252.49455: Flags [S],
186.177.13.108.36363 > 212.251.127.252.49455: Flags [S],
123.243.30.8.55691 > 212.251.127.252.35074: Flags [S],
123.243.30.8.55691 > 212.251.127.252.35074: Flags [S],
123.243.30.8.55691 > 212.251.127.252.35074: Flags [S],
186.198.163.87.1024 > 212.251.127.252.19783: UDP, length
212.253.163.15.58323 > 212.251.127.252.19783: UDP, length
212.253.163.15.58323 > 212.251.127.252.19783: UDP, length
....
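The awk one-liner above depends on fixed field positions, which shift whenever the syslog line prefix changes. The script below is an added example, not part of the original post: it pulls the "SRC.SPORT > DST.DPORT: proto" packet summary out of each line with a regular expression, skips the rule/match header lines the one-liner filters with grep -v, and then aggregates what the firewall blocked by source address, by destination port, and by repeated flow (the same source hammering the same port). The sample lines are constructed from the output shown above; the syslog prefix in PREFIX and the packet lengths are assumptions, not the exact format pfSense writes.

```python
import re
import sys
from collections import Counter

# Packet summary as pfSense (pf/tcpdump format) writes it into the syslog line:
# "SRC.SPORT > DST.DPORT: Flags [S], ..." for TCP, "...: UDP, length N" for UDP.
PACKET_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<proto>Flags \[[^\]]*\]|UDP|ICMP)"
)

# Constructed sample log: the syslog prefix is an assumption, the packet
# summaries are taken from the output shown in the post.
PREFIX = "Jan  6 10:00:00 pfsense pf: 00:00:00.123456 "
SAMPLE_LOG = (
    [PREFIX + "rule 1/0(match): block in on em0:"]  # header line, no packet summary
    + [PREFIX + "178.151.224.39.65421 > 212.251.127.252.24922: Flags [S], seq 1:1"] * 3
    + [PREFIX + "84.125.77.90.42601 > 212.251.127.252.35074: UDP, length 48"]
    + [PREFIX + "46.117.45.207.61116 > 212.251.127.252.35074: Flags [S], seq 2:2"] * 8
    + [PREFIX + "212.253.163.15.58323 > 212.251.127.252.19783: UDP, length 32"] * 4
    + [PREFIX + "212.253.163.15.49425 > 212.251.127.252.19783: Flags [S], seq 3:3"] * 3
)


def parse_line(line):
    """Return a dict for a packet line, or None for header lines and noise."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # tcpdump prints TCP packets as "Flags [...]"; normalise to a protocol name.
    rec["proto"] = "TCP" if rec["proto"].startswith("Flags") else rec["proto"]
    return rec


def summarize(lines, top=5):
    """Count blocked packets by source address and by (proto, destination port)."""
    by_src, by_dport = Counter(), Counter()
    packets = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        packets += 1
        by_src[rec["src"]] += 1
        by_dport[(rec["proto"], rec["dport"])] += 1
    return {
        "packets": packets,
        "top_sources": by_src.most_common(top),
        "top_ports": by_dport.most_common(top),
    }


def repeat_offenders(lines, min_hits=3):
    """Return {(src, dst, dport, proto): count} for flows seen at least MIN_HITS times."""
    flows = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            flows[(rec["src"], rec["dst"], rec["dport"], rec["proto"])] += 1
    return {flow: n for flow, n in flows.items() if n >= min_hits}


if __name__ == "__main__":
    # Usage: python3 pfsense_summary.py /var/log/pfsense.log (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG
    report = summarize(lines)
    print(f"{report['packets']} blocked packets")
    print("top sources:", report["top_sources"])
    print("top ports:  ", report["top_ports"])
    for (src, dst, dport, proto), n in sorted(repeat_offenders(lines).items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} x {src} -> {dst}:{dport}/{proto}")
```

With the sample data the report shows 46.117.45.207 as the noisiest source and tcp/35074 as the most-probed port; on the real file the same run gives a quick view of which external hosts keep retrying the same closed port, which is the pattern worth watching in a home firewall's drop log.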
Enjoy!