Something I was just now wishing I could see, as I was combing through logs, is when you go to GATEWAY -> INTRUSION PREVENTION. The Block List is really good the way it is, but it would be so much more useful if it displayed the reason for the block or the rule it tripped. Time left on block would be nice too, but that is not nearly as handy as the reason why.

Thanks,
Donnie
Friday, February 22 2013, 09:13 AM
Responses (5)
  • Monday, September 01 2014, 04:48 PM
    You can enable firewall logging but it potentially generates big logs. In 5.x you used to be able to do it by changing a single parameter in a configuration file. I am not sure that you can now, but you can add something like:
    iptables -A INPUT -j LOG --log-level INFO --log-prefix "Blocked_IPs: "
    to the custom firewall module or to /etc/clearos/firewall.d/local. The logs go into /var/log/messages. You can redirect the output into another file with minimal playing in /etc/rsyslog.d/anything.conf, but if you do that it would also be a good idea to set up a logrotate function so the file does not grow too big. Alternatively, if you leave the messages in /var/log/messages and install logwatch, I think you can get daily notifications of blocked packets.
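    As an added worked example (not code from the reply above, and not part of ClearOS): a POSIX shell script that writes the rsyslog redirect and logrotate stanza the reply mentions, and then parses kernel LOG lines carrying the "Blocked_IPs: " prefix into a per-source summary, the sort of thing a logwatch report would give you. The file names under rsyslog.d and logrotate.d, the output log path /var/log/blocked_ips.log and the sample log lines are all my own assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not from the forum reply or from ClearOS.
# (1) write_log_config: rsyslog filter + logrotate stanza for the
#     "Blocked_IPs: " LOG rule suggested in the reply;
# (2) summarize_blocked: count LOG lines per source/protocol/port.
# File names, log path and sample lines are assumptions, not project settings.

# Constructed sample of iptables LOG lines as they appear in /var/log/messages,
# with one unrelated sshd line mixed in that the summary must ignore.
SAMPLE_LOG='Sep  1 16:48:01 gw kernel: Blocked_IPs: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=55432 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep  1 16:48:03 gw kernel: Blocked_IPs: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=55433 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep  1 16:48:09 gw sshd[2211]: Accepted publickey for admin from 192.0.2.20 port 50122 ssh2
Sep  1 16:48:12 gw kernel: Blocked_IPs: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=55440 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Sep  1 16:49:30 gw kernel: Blocked_IPs: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=31337 PROTO=UDP SPT=40001 DPT=53 LEN=40
Sep  1 16:50:02 gw kernel: Blocked_IPs: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# Write the rsyslog filter and the logrotate stanza under directory $1.
# Use "/etc" on the firewall itself; a scratch directory lets you inspect them first.
write_log_config() {
    dir=$1
    mkdir -p "$dir/rsyslog.d" "$dir/logrotate.d"
    # Property-based filter: any message containing our LOG prefix goes to its
    # own file ("-" = buffered write), then is discarded so it no longer lands
    # in /var/log/messages. "& ~" is the rsyslog 5 discard action (the ClearOS 6
    # era); rsyslog 7 and later spell the same thing "& stop".
    cat > "$dir/rsyslog.d/blocked-ips.conf" <<'EOF'
:msg, contains, "Blocked_IPs: " -/var/log/blocked_ips.log
& ~
EOF
    # Keep two weeks of daily files and tell rsyslog to reopen its output.
    cat > "$dir/logrotate.d/blocked_ips" <<'EOF'
/var/log/blocked_ips.log {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
EOF
}

# Read log lines on stdin and print "count src proto dport", busiest first.
# Only lines with the kernel LOG prefix are counted; ICMP has no DPT, shown as "-".
summarize_blocked() {
    awk '
        /kernel: Blocked_IPs: / {
            src = ""; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue          # flags like DF or SYN carry no value
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Demo on the constructed sample: the busiest tuple (203.0.113.7 TCP 22) comes first.
printf '%s\n' "$SAMPLE_LOG" | summarize_blocked
```

    Two caveats on the rule as posted, from me rather than the reply: `-A INPUT` appends the LOG rule at the end of the chain, so it only logs "blocked" packets if the chain's default policy is DROP (with an ACCEPT policy it logs everything earlier rules did not match), and an unthrottled LOG rule can fill the disk under a flood, so in practice pair it with `-m limit --limit 10/min --limit-burst 20` or similar.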
  • Monday, August 25 2014, 01:29 AM
    I have a noobie question. I have told the system the email address to use for notifications.

    Why do I not get notified of any attacks against this system?

    Prior to putting up C/OS, I was using Netgear equipment (a standalone F/W and a WiFi F/W, etc.). I could go look at their logs and see DDoSes, smurf, etc.

    With C/OS, I spend time going through logs and I don't see anything.

    When I lose Internet connections, I would like it to email me (obviously once it is back) so I can use this with my ISP.

    What could I be doing wrong that I don't get notifications?

    My ISP took immediate action when I showed them how many IP addresses "close" to me were involved in DDoS. I can't believe that this stopped all the attacks....

    OTOH -- I've not had to recycle my cable modem or even C/OS since I put it up.

    -Steve
  • eggehad, Sunday, August 10 2014, 05:28 PM
    Actually this capability is already there, but perhaps not where you think:

    For ClearOS 6.5, look in .../app/incoming_firewall; you'll see the "Blocked Incoming Connections" box. Go ahead and put your blocked hosts there. Although I'd agree with you, a way to do this automagically would be very nice.

    -David
  • douggmc, Wednesday, September 04 2013, 02:59 PM
    I know this is an old thread, but Tim, I think you do some third-party stuff that can be added via the marketplace, if I'm not mistaken?

    I have a request, maybe others might think this useful also: Adding a "Black List" section to the Intrusion Prevention page. It would be the converse of the "White List" and allow the user to add/remove IPs to this "Black List", thereby permanently blocking the IP.

    Thoughts?
  • Sunday, February 24 2013, 11:39 PM
    Yep, good idea :) I patched this in 5.2 as a small PHP hack; I'll revisit it for 6.x when I get a chance.