
Ubuntu Firewall Project v1.0 (2010.02.28)
Author: Brandt Winchell

Contents
Introduction ...... 4
Prerequisites ...... 7
Firewall Management Machine ...... 7
  Install Ubuntu Jaunty 9.04 Desktop ...... 7
  Configuration ...... 9
    Login ...... 9
    Update Manager ...... 9
    Install VMware-tools ...... 10
    Set Static IP Address ...... 11
  Install Webmin ...... 12
    Download Webmin ...... 12
    Webmin Security Setup ...... 13
  Install FWBuilder 3.07 ...... 14
    Download FWBuilder 3.07 ...... 14
    Install FWBuilder ...... 15
  Configure Host file ...... 15
  Finish Firewall server before continuing ...... 16
Firewall Machine ...... 16
  Install Ubuntu Jaunty 9.04 Server ...... 16
  Configuration ...... 20
    Login ...... 20
    Update Manager ...... 20
    Install VMware-tools ...... 20
    Set Static IP Addresses (Temporary) ...... 22
    Install wget ...... 22
    Install IP Tables ...... 22
    Install SSH ...... 22
  Install Webmin ...... 23
    Download Webmin ...... 23
    Webmin Security Setup ...... 24
  Set Static IP Address (Permanent) ...... 25
FWBuilder Configuration ...... 26
  Firewall machine ...... 26
  FWmanagement machine ...... 28
  Configure your Policy ...... 29
  Configure FWBuilder log prefix and options ...... 35
  Save and Compile Rules ...... 35
  Deploy the Firewall Rules ...... 36
  Test SSH access ...... 36
  Create test Policy Rule ...... 36
Configure Logging ...... 39
  Install MySQL ...... 39
  Configure MySQL ...... 40
  Install Rsyslog ...... 58
  Configure Rsyslog ...... 59
    Firewall Configuration ...... 59
    FW Management Configuration ...... 61
  Install phpLogCon ...... 63
    Install PHP ...... 63
    Install Apache2 ...... 63
    Install & Configure phpLogCon ...... 63
  Configure Log Rotation ...... 91
    Firewall Log Rotation ...... 91
Useful Links ...... 92
About the Author ...... 93

Introduction

First off, do not let the number of pages intimidate you. Pictures and code take up a lot of space, as does the extra documentation that explains the steps for the newbie. This document was written by a Linux newbie for the Linux newbie. I wanted to produce a document that would answer most questions about this project and explain exactly how to get from A to Z. Usually countless hours are spent investigating the different pieces of a project (for the Linux newbie) to get it to work properly. I decided to try and make it a little easier for the next person. I know that some of the Linux gurus will read this document and poke a lot of holes in it, and that is fine. I am actually hoping that will happen, to produce a better document and understanding for all who read it. I would also like to thank all the groups that have produced the applications I used for this project. You are doing an excellent job creating products that help with the day-to-day needs of IT professionals.

This document will explain how to create a Linux firewall (running iptables) and a management station with a proper log viewer. The three main components that make up this environment are the firewall policy creator FWBuilder (http://www.fwbuilder.org), the system log mechanism Rsyslog (http://www.rsyslog.com), and the log viewer phpLogCon (http://www.phplogcon.com). FWBuilder is a GUI front-end for creating firewall rules on different platforms. It allows the novice firewall user to create complex and stable rule policies without having to know the command line options, which simplifies the process. Rsyslog is a replacement for the system logging mechanism. Rsyslog allows you to create custom filters to separate logs into different repositories based on a number of categories. Instead of being limited to the basic syslog facilities, you can write your own filters and then decide where you want those messages to reside. phpLogCon is a web-based interface for reading log files. It wraps the log messages in a customizable view and allows dynamic searching to be performed. No more having to use grep (a tool that filters text files for specific information) to go through a log trying to find the correct data. Now the data is presented to you in just a few clicks, and only what you want to see. None of these applications were written by me. The groups that develop and support these projects are doing a great job and I hope they continue to do so. All I did was put the three pieces together.

Basically, this document explains how to build a firewall (running Ubuntu 9.04 and iptables) and a management station (running Ubuntu 9.04, FWBuilder, Rsyslog, and phpLogCon). There are a few different ways you could lay out this environment. You could collapse all the functions onto the one system (the firewall) and be done with it. I personally do not like that option because I believe that a firewall should only be a firewall and nothing else (every extra service on it, such as a web server, a database or a log viewer, is extra attack surface on the one host that is directly exposed to the outside). I wanted to reduce the load on the firewall and keep its footprint as small as possible. For those reasons, I decided on the following layout:

(The original document shows a diagram of the layout here: the Firewall with its external and internal NICs, the FWmanagement station on the internal network, and a PC.)

This is how the system works:

1. The firewall is running iptables and Rsyslog
   a. iptables is responsible for the protection of the network. These are the firewall rules.
   b. Rsyslog is responsible for the logging aspect. Any traffic entering or leaving the network can be logged and sent to a log file.
      i. In this scenario, the transport of the logs to the management station is plain TCP (unencrypted and unauthenticated). You can set up SSL/TLS to encrypt the logs going to the management station. If the management station is shared or outside the local network, then you should definitely do so.
      ii. In my case I am sending the firewall logs to a local file and to the FWmanagement station (in case of any communication error between the firewall and the management system, there is still a copy of the firewall logs to view).
2. The FWmanagement system is running Rsyslog, FWBuilder, and phpLogCon
   a. FWBuilder is responsible for building the firewall rules and applying them to the firewall.
   b. Rsyslog is responsible for collecting the firewall logs from the firewall and placing them into a MySQL database.
   c. phpLogCon is the log viewer that allows you to view the logs in a web interface and easily search the data.
3. The PC is not necessary. It is only there to show the possible applications. You can use the management system to view the logs, a PC on the local network, or (if you dare) view the logs from a system outside your network (that is why I installed SSL).

** You can adapt the configurations and layout. Please use the passwords provided until you get all systems working. Then go back and change every password before the firewall is placed in front of a real network. **

Prerequisites

1. VMware environment
   a. If you do not have a VMware environment, you can run these on standalone machines. Just skip the VMware-tools sections.
2. Ubuntu Jaunty
   a. 9.04
      i. Desktop (management machine)
      ii. Server (firewall)
3. Internet connection
   a. Both machines need to be able to connect to the Internet during the installation/configuration process, because you will have to download packages. Once the systems are configured, you can move them into their final positions to protect your network.
4. You will have to hit the "Enter" key after each command line you type.
5. Remember that everything in Linux is case sensitive.
   a. E.g. folders, files, and usernames
      i. A folder named "Test" is completely different from a folder called "test" in the same directory.

Firewall Management Machine

Install Ubuntu Jaunty 9.04 Desktop

2. Prerequisites
   a. Disk space = 10GB
      i. Minimum = 6GB
   b. Memory = 1.5GB
      i. Minimum = 1GB
   c. Network card (NIC) = 1
   d. IP address = static
      i. For this example we will use:
         1. IP = 10.10.10.10
         2. Subnet Mask = 255.255.255.0
3. Boot from the Ubuntu CD
4. Install screen
   a. Choose
      i. Install Ubuntu
5. Welcome screen
   a. Choose your language
   b. Forward
6. Where are you? screen
   a. This is for your system time
   b. Region
      i. Pick your region
   c. City
      i. Pick your city
   d. Forward
7. Keyboard layout
   a. Suggested option: USA
      i. Change this if you have a non-standard keyboard
   b. Forward
8. Prepare disk space
   a. For the newbie
      i. Choose
         1. Use the entire disk
   b. For the experts or customization
      i. Choose
         1. Specify partitions manually
   c. Forward
9. Who are you? screen
   a. What is your name?
      i. You can use your real name or the name of an account you wish to create
         1. E.g. RegularUser
   b. What name do you want to use to log in?
      i. You can change this to something different if you wish
         1. Recommended to leave as is. Less confusion.
   c. Choose a password
      i. Self explanatory
   d. What is the name of this computer?
      i. Choose a name for this computer. Something simple.
         1. E.g. FWmanagement.local.local
   e. Enable
      i. Require a password to log in
   f. Forward
10. Install
11. Installation Complete
    a. Restart Now

Configuration

Login

1. Login screen
   a. Username
      i. This is the name you chose in step 9b
      ii. Hit Enter
   b. Password
      i. This is the password you set in step 9c

Update Manager

1. Update Manager
   a. The first time you log in, you might notice a window in the task bar area. Open this up.
   b. DO NOT click the "Upgrade" button (the distribution upgrade to a newer Ubuntu release)
      i. The builds of FWBuilder used in this document are built against the Ubuntu Jaunty packages
   c. Important security updates
      i. This will show you all the important security updates
         1. Click Install Updates
   d. Sometimes the new updates require a reboot to take effect; this will have a pop-up window associated with it.
      i. Restart Required
         1. Click Restart Now
   e. Sometimes the new updates do not require a reboot. In this case, the Update Manager screen will appear with no updates listed.

Install VMware-tools

1. Attach the VMware-tools ISO via the VMware console
2. You will notice a new desktop icon
   a. VMware Tools
3. Open a terminal window
   a. Navigate to Applications > Accessories > Terminal
4. Make a new directory to copy the VMware tools to
   a. Type
      i. mkdir /home/RegularUser/vmware
         1. RegularUser = whatever name you created in step 9b
5. Find the version of VMware tools you are about to copy
   a. Type
      i. cd /media/cdrom0
      ii. ls
         1. The "ls" command lists the folders and files in a directory
         2. You should see something like:
            a. VMwareTools-4.0.0-208167.tar.gz
         3. This is the file name you will use in the next command
6. Copy the VMware tools to the new directory
   a. Type
      i. cp /media/cdrom0/VMwareTools-4.0.0-208167.tar.gz /home/RegularUser/vmware
7. Extract the VMware Tools
   a. Type
      i. cd /home/RegularUser/vmware
      ii. gunzip VMwareTools-4.0.0-208167.tar.gz
      iii. tar -xf VMwareTools-4.0.0-208167.tar
         1. This will extract the files into a directory called vmware-tools-distrib
      iv. cd vmware-tools-distrib
      v. sudo ./vmware-install.pl
8. VMware Tools Installation Wizard
   a. Choose all the defaults

Set Static IP Address

1. Navigate to System > Preferences > Network Connections
2. Network Connections
   a. Wired tab
      i. You should see only one NIC, called something like "Auto eth0"
      ii. Highlight
         1. Auto eth0
      iii. Click Edit
      iv. Editing Auto eth0
         1. IPv4 Settings tab
            a. Method
               i. Manual
            b. Addresses
               i. Click Add
               ii. Click under Address and a text box will enable
                  1. Type
                     a. 10.10.10.10
               iii. Click under Netmask and a text box will enable
                  1. Type
                     a. 255.255.255.0
               iv. Click under Gateway and a text box will enable
                  1. Type
                     a. 10.10.10.1
                  2. Click back under Netmask
                     a. This will keep the settings in that text box
                  3. Your gateway IP address depends on your network. Usually it will be set up as the first or last IP address in the range (10.10.10.1 or 10.10.10.254). In this layout the gateway is the firewall's internal NIC, 10.10.10.1.
            c. DNS Servers
               i. If you are unsure what your ISP DNS servers are, you can use a public DNS server
                  1. Type
                     a. 4.2.2.2
      v. Click Apply

Install Webmin

Webmin is a web-based administration tool that allows many different configuration changes. It is a great tool for less experienced Linux users to quickly and accurately make system changes. Because it is a remote administration tool that runs with root privileges, it should be reachable only from the addresses that need it (see Webmin Security Setup below).

Download Webmin

I am going to show you how to download via the command line. This is a necessary tool to learn, as you will need it when you set up the server, where you do not have a GUI to rely on. You can also download the file through a web browser as normal; Ubuntu Linux comes with Firefox.

1. Open a terminal window
   a. Navigate to Applications > Accessories > Terminal
2. Make a new directory to save Webmin to
   a. Type
      i. mkdir /home/RegularUser/webmin
3. Change directory to the new directory
   a. Type
      i. cd /home/RegularUser/webmin
4. Download the Webmin install files
   a. Type
      i. wget http://sourceforge.net/projects/webadmin/files/webmin/1.500/webmin_1.500_all.deb/download
5. Check to verify the file downloaded into the webmin directory
   a. Type
      i. ls
         1. You should see a file called webmin_1.500_all.deb
6. Install the .DEB package
   a. Type
      i. sudo dpkg -i webmin_1.500_all.deb
7. Fixing the dependencies
   a. Not all the software required to run/install Webmin is currently on your system. There is an easy fix for this.
      i. Type
         1. sudo apt-get -f install
   b. This command will automatically fetch all the dependencies required to run/install Webmin correctly
   c. You should receive a message something like:
      i. Install complete. You can now login to https://FWmanagement:10000
8. Login to Webmin
   a. You will need to launch a web browser
      i. You can launch this on the current computer or on another computer if you have one
   b. For the address, use the IP address instead of the computer name
      i. Type
         1. http://10.10.10.10:10000
   c. You will see a login window
      i. The username and password are the same you have been using
         1. Username
            a. RegularUser
         2. Password
            a. The password you chose when you did the initial computer setup
      ii. Click Login

Webmin Security Setup

We want to restrict usage of this program because it is a remote administration tool. I am only going to show you the basic security measures for securing Webmin. There are more features available, but I would recommend these as the minimum.

1. Click Webmin
   a. These are the modules on the left-hand side of the page
2. Click Webmin Configuration
3. Click SSL Encryption
   a. SSL settings tab
      i. SSL Support
         1. Enable SSL if available?
            a. Yes
         2. Redirect non-SSL requests to SSL mode?
            a. No
   b. Click Save
4. Click Authentication
   a. Enable
      i. Auto-logout after 10 minutes of inactivity
   b. Click Save
   c. Click Return to Webmin configuration
5. You might have to log back in (use https://10.10.10.10:10000 now that SSL is enabled)
6. Navigate back to Webmin > Webmin Configuration
7. Click IP Access Control
   a. Ensure your settings and data are correct here before continuing. You can lock yourself out of Webmin.
   b. Allowed IP addresses
      i. Enable
         1. Only allow from listed addresses
      ii. In the text box
         1. Type
            a. 127.0.0.1
            b. 10.10.10.10
      iii. You can add other IP addresses or networks. The above settings ensure that the local machine will be able to connect to itself.
      iv. Click Save
      v. Click Return to Webmin configuration

Install FWBuilder 3.07

Download FWBuilder 3.07

1. Login to the FWmanagement machine
2. Open a terminal window
3. Make a directory for the FWBuilder install files
   a. Type
      i. mkdir /home/RegularUser/fwbuilder
4. Change to the new directory fwbuilder
   a. Type
      i. cd /home/RegularUser/fwbuilder
5. Download the FWBuilder 3.07 install files
   a. For 64-bit Ubuntu
   b. Type
      i. wget http://sourceforge.net/projects/fwbuilder/files/Current_Packages/3.0.7/libfwbuilder_3.0.7-b1477-ubuntu-jaunty-1_amd64.deb/download
      ii. wget http://sourceforge.net/projects/fwbuilder/files/Current_Packages/3.0.7/fwbuilder_3.0.7-b1477-ubuntu-jaunty-1_amd64.deb/download
   c. For 32-bit Ubuntu
   d. Type
      i. wget http://sourceforge.net/projects/fwbuilder/files/Current_Packages/3.0.7/libfwbuilder_3.0.7-b1477-ubuntu-jaunty-1_i386.deb/download
      ii. wget http://sourceforge.net/projects/fwbuilder/files/Current_Packages/3.0.7/fwbuilder_3.0.7-b1477-ubuntu-jaunty-1_i386.deb/download
6. The following commands assume you are running 64-bit Ubuntu Linux. If you are running 32-bit, change the file names to match what was downloaded above.

Install FWBuilder

1. Install the libfwbuilder package
   a. Type
      i. sudo dpkg -i libfwbuilder_3.0.7-b1477-ubuntu-jaunty-1_amd64.deb
      ii. sudo apt-get -f install
2. Install the fwbuilder package
   a. Type
      i. sudo dpkg -i fwbuilder_3.0.7-b1477-ubuntu-jaunty-1_amd64.deb
      ii. sudo apt-get -f install

Configure Host file

This will allow you to get around the issue of having no internal DNS server: the management machine and the firewall will resolve each other's names from the local hosts file.

1. Open Webmin on the FWmanagement machine
2. Navigate to Networking > Network Configuration > Host Addresses
   a. Click Add a new host address
      i. IP address
         1. 10.10.10.10
      ii. Hostname
         1. FWmanagement.local.local
      iii. IP address
         1. 10.10.10.1
      iv. Hostname
         1. Firewall.local.local
      v. Click Save

Finish Firewall server before continuing

You will have to configure the firewall server before continuing with FWBuilder, because you will need certain information obtained from the server. Once you have completed the section "Firewall Machine", go to the section "FWBuilder Configuration".

Firewall Machine

Install Ubuntu Jaunty 9.04 Server

1. Prerequisites
   a. Disk space = 5GB
      i. Minimum = 3GB
   b. Memory = 712MB
      i. Minimum = 256MB
   c. Network cards = 2
   d. IP address = static
      i. For this example we will use:
         1. External NIC
            a. IP = 192.168.10.1
            b. Subnet Mask = 255.255.255.0
         2. Internal NIC
            a. IP = 10.10.10.1
            b. Subnet Mask = 255.255.255.0
2. Boot from the Ubuntu CD
3. Install screen
   a. Press F4
      i. Choose
         1. Install a minimal virtual machine
      ii. Hit Enter
      iii. Hit Enter again to start the installation
         1. This chooses a special option that installs a stripped-down version of the server optimized for virtualization
4. Choose Language screen
   a. Choose your language
   b. Hit Enter
   c. Choose your country
   d. Hit Enter
5. Ubuntu installer main menu screen
   a. If you have a standard keyboard
      i. Choose
         1. No
         2. Hit Enter
   b. If you have a non-standard keyboard
      i. Choose
         1. Yes
         2. Hit Enter
         3. Follow the wizard
6. Origin of Keyboard screen
   a. Choose your origin
      i. Usually USA if you have a standard keyboard
      ii. Hit Enter
7. Keyboard layout screen
   a. Usually USA if you have a standard keyboard
   b. Hit Enter
8. Configure the Network screen
   a. Primary network interface:
      i. Choose the External NIC
         1. Usually it will be the first NIC
            a. eth0
      ii. Hit Enter
   b. The automatic network configuration will probably fail unless you are using DHCP
   c. Network configuration method
      i. Choose
         1. Configure network manually
      ii. Hit Enter
      iii. IP address
         1. 192.168.10.1
      iv. Hit Enter
      v. Netmask
         1. 255.255.255.0
      vi. Hit Enter
      vii. Gateway
         1. This is the IP address of the gateway to your network
            a. Usually this would be the internal IP address of your DSL modem or the gateway to your network
         2. 192.168.10.254
      viii. Name server addresses (DNS)
         1. 4.2.2.2
            a. If you want to use a generic public DNS server
         2. Or your ISP DNS or internal DNS
         3. Hit Enter
      ix. Hostname
         1. Choose a name for this computer. Something simple
            a. E.g. Firewall.local.local
         2. Hit Enter
      x. Domain name
         1. Leave blank unless you are running a domain
            a. If you are unsure, you are not running a domain
9. Configure the clock screen
   a. Choose your time zone
   b. Hit Enter
10. Partition disks screen
    a. Guided - use entire disk
    b. Hit Enter
    c. Select disk to partition
       i. There should only be one choice
    d. Hit Enter
    e. Write the changes to disks
       i. Yes
    f. Hit Enter
11. Set up users and passwords screen
    a. Full name of the new user
       i. Choose a name that you will use on a regular basis to administer the box. This will not be the account that is used to run the firewall program
          1. E.g. User1
          2. Hit Enter
    b. Username for your account
       i. Keep the same as the full name. Less confusion.
          1. E.g. User1
          2. Hit Enter
    c. Choose a password for the new user
       i. Choose a long, complex password for security reasons. This is your firewall after all.
          1. Do not forget to write this down in a safe place
       ii. Hit Enter
    d. Encrypt your home directory
       i. Yes
       ii. Hit Enter
12. Configure the package manager screen
    a. HTTP proxy information
       i. Leave blank
          1. If you have to ask, you are not behind one
    b. Hit Enter
13. Select and install software
    a. Choose
       i. No automatic updates
       ii. Hit Enter
14. Software selection screen
    a. Do not choose anything
    b. Hit Enter
15. Finish the installation screen
    a. Remove the CD
    b. Hit Enter

Configuration

Login

1. The first thing you will notice about the server is that there is no GUI (Graphical User Interface) [Linux uses a program called X11 to produce the basic GUI]. Everything you do on the server will be via the command line.
   a. There is a web GUI (Webmin) that we will install to help with some of the tasks for the newbie.
      i. I personally like this program. Just my two cents.
2. Login name
   a. This is the name you chose in step 11b
3. Password
   a. This is the password you chose in step 11c

Update Manager

1. You will have to hit "Enter" after each command line you type
2. Update Manager
   a. The first thing to do is apply all the security updates to the system
      i. Type
         1. sudo apt-get update
            a. This refreshes the package lists from each configured repository
         2. sudo apt-get upgrade
      ii. Do you want to continue?
         1. Y

Install VMware-tools

1. Install Linux headers
   a. Type
      i. sudo apt-get install linux-headers-server build-essential
2. Connect the VMware tools ISO via the VM console
3. Mount the cdrom
   a. This means to virtually connect the cdrom drive to the OS. This will allow you to access the files.
      i. Type
         1. mount /cdrom
4. Verify the mount operation worked and note the name of the file
   a. Type
      i. cd /cdrom
      ii. ls
         1. You should see a file something like:
            a. VMwareTools-4.0.0-208167.tar.gz
         2. Take note of this file name as you will need it in the later steps
5. Make a directory to copy the VMware-tools install files to
   a. Type
      i. cd /home/User1/
      ii. mkdir /home/User1/vmware
6. Copy the VMware-tools installation files to the vmware directory
   a. Type
      i. cd /home/User1/vmware
      ii. cp /cdrom/VMwareTools-4.0.0-208167.tar.gz /home/User1/vmware
      iii. ls
         1. You should see a file called VMwareTools-4.0.0-208167.tar.gz in that directory now
7. Unmount the VMware-tools CD
   a. Type
      i. umount /cdrom
8. Extract the VMware-tools (the copy is owned by User1, so no sudo is needed here)
   a. Type
      i. cd /home/User1/vmware
      ii. gunzip VMwareTools-4.0.0-208167.tar.gz
      iii. tar -xf VMwareTools-4.0.0-208167.tar
      iv. ls
         1. Take notice of the new folder that was created
            a. Should be something like
               i. vmware-tools-distrib
9. Install the VMware-tools
   a. Type
      i. cd /home/User1/vmware/vmware-tools-distrib
      ii. ls
         1. Take notice of a file called something like
            a. vmware-install.pl
      iii. sudo ./vmware-install.pl
   b. Choose all the defaults
10. Reboot the system
    a. Type
       i. sudo reboot

Set Static IP Addresses (Temporary)

1. The external NIC was configured via the install setup earlier.
2. Set the IP address of the internal NIC
   a. Type
      i. ip addr
   b. This will show you the NICs and how they are configured. You will notice that the internal NIC (eth1) is not active.
   c. Type
      i. sudo ifconfig eth1 10.10.10.1 netmask 255.255.255.0 up
   d. This does not make the setting permanent. If you reboot at this point, you will lose this IP setting. Later steps show how to make it permanent.

Install wget

This is a tool that allows you to download files from the Internet without a web browser. You used this program earlier on the management machine, but it is not installed by default on the minimal Ubuntu virtual server we installed.

1. Install wget
   a. Type
      i. sudo apt-get install wget

Install IP Tables

This utility is the basis of the firewall. It is the user-space tool that loads the packet-filtering rules into the kernel's netfilter framework; FWBuilder only generates a script of iptables commands, so without it FWBuilder does nothing.

1. Install iptables
   a. Type
      i. sudo apt-get install iptables

Install SSH

This installs the OpenSSH server, which allows the management machine to connect securely to the firewall. FWBuilder uses this connection (ssh/scp as the fwadmin account created later) to copy the compiled policy to the firewall and activate it, and the policy built later restricts SSH to the management station's address.

1. Install SSH
   a. Type
      i. sudo apt-get install ssh

Install Webmin

Webmin is a web-based administration tool that allows many different configuration changes. It is a great tool for less experienced Linux users to quickly and accurately make system changes. On the firewall it is a second remote-administration service (besides SSH) listening on every interface, so the access restrictions below matter even more here than on the management machine.

Download Webmin

1. Make a new directory to save Webmin to
   a. Type
      i. mkdir /home/User1/webmin
2. Change directory to the new directory
   a. Type
      i. cd /home/User1/webmin
3. Download the Webmin install files
   a. Type
      i. wget http://sourceforge.net/projects/webadmin/files/webmin/1.500/webmin_1.500_all.deb/download
4. Check to verify the file downloaded into the webmin directory
   a. Type
      i. ls
      ii. You should see a file called webmin_1.500_all.deb
5. Install the .DEB package
   a. Type
      i. sudo dpkg -i webmin_1.500_all.deb
6. Fixing the dependencies
   a. Not all the software required to run/install Webmin is currently on your system. There is an easy fix for this.
      i. Type
         1. sudo apt-get -f install
   b. This command will automatically fetch all the dependencies required to run/install Webmin correctly
   c. You should receive a message something like:
      i. Install complete. You can now login to https://Firewall:10000
7. Login to Webmin
   a. You will need to launch a web browser
      i. You can launch this on the current computer or on another computer if you have one
   b. For the address, use the IP address instead of the computer name
      i. Type
         1. http://192.168.10.1:10000
         2. From the management machine you can use http://10.10.10.1:10000 instead; prefer the internal address, because until the IP access control below is in place Webmin answers on the external interface as well.
   c. You will see a login window
      i. The username and password are the same you have been using
         1. Username
            a. User1
         2. Password
            a. The password you chose when you did the initial computer setup
      ii. Click Login

Webmin Security Setup

We want to restrict usage of this program because it is a remote administration tool. I am only going to show you the basic security measures for securing Webmin. There are more features available, but I would recommend these as the minimum.

8. Click Webmin
   a. These are the modules on the left-hand side of the page
9. Click Webmin Configuration
10. Click SSL Encryption
    a. SSL settings tab
       i. SSL Support
          1. Enable SSL if available?
             a. Yes
          2. Redirect non-SSL requests to SSL mode?
             a. No
    b. Click Save
11. Click Authentication
    a. Enable
       i. Auto-logout after 10 minutes of inactivity
    b. Click Save
    c. Click Return to Webmin configuration
12. You might have to log back in
13. Navigate back to Webmin > Webmin Configuration
14. Click IP Access Control
    a. Ensure your settings and data are correct here before continuing. You can lock yourself out of Webmin.
    b. Allowed IP addresses
       i. Enable
          1. Only allow from listed addresses
       ii. In the text box
          1. Type
             a. 127.0.0.1
             b. 10.10.10.1
             c. 10.10.10.10
       iii. You can add other IP addresses or networks. The above settings ensure that the local machine and the FWmanagement machine will be able to connect.
       iv. Click Save
    c. Click Return to Webmin configuration

Set Static IP Address (Permanent)

1. Launch Webmin
2. Navigate to Networking > Network Configuration
   a. Located in the modules on the left-hand side
3. Set IP address
   a. Click Network Interfaces
      i. Activated at Boot tab
         1. Add a new interface
            a. Boot Time Interface Parameters
               i. Name
                  1. eth1
               ii. Address source
                  1. Static configuration
                     a. IP address
                        i. 10.10.10.1
                     b. Netmask
                        i. 255.255.255.0
                     c. Broadcast
                        i. 10.10.10.255
            b. Click Create and Apply
      ii. Click Return to the network configuration link
      iii. Click Return to network configuration
4. Set Host Addresses for FWmanagement
   a. This will allow the firewall to communicate with the management machine by name instead of IP address
   b. Click on Host Addresses
      i. Click Add a new host address
         1. IP Address
            a. 10.10.10.10
         2. Hostname
            a. FWmanagement.local.local
         3. IP Address
            a. 10.10.10.1
         4. Hostname
            a. Firewall.local.local
      ii. Click Save

FWBuilder Configuration

Firewall machine

1. Create a user for FWBuilder to use
   a. Type
      i. sudo adduser fwadmin
   b. Choose the defaults through the wizard
   c. Make sure to pick a complicated password and write it down in a safe place
2. Create the directories for FWBuilder and make the group fwadmin their group owner
   a. Type
      i. sudo mkdir /etc/fw
      ii. sudo mkdir /etc/fw/tmp
      iii. sudo chgrp fwadmin /etc/fw
      iv. sudo chgrp fwadmin /etc/fw/tmp
      v. sudo chmod g+w /etc/fw
      vi. sudo chmod g+w /etc/fw/tmp
3. The rest of the commands are very specific (visudo opens the sudoers file in the vi editor). If you mess up, close the file without saving and start over by following this procedure:
   a. Press the 'Esc' key
   b. Hold 'Shift' and press 'Q'
      i. You will notice a colon at the bottom left-hand corner
   c. Type
      i. q!
   d. Press 'Enter'
4. Permit the account fwadmin to run certain sudo commands
   a. Type
      i. sudo visudo
   b. Press i (insert mode)
   c. Use the arrow keys to navigate to the line Defaults env_reset
   d. Add the following line directly below it. Keep the Defaults env_reset line itself: it is what clears the environment for every sudo session, and removing it weakens sudo for all users on the firewall.
      i. Defaults:%fwadmin !lecture, passwd_timeout=1, timestamp_timeout=1
   e. Use the arrow keys to navigate to the blank line under # User alias specification
   f. Type
      i. %fwadmin ALL = PASSWD: /etc/fw/.fw, /usr/bin/pkill, /sbin/shutdown
   g. Press the 'Esc' key
   h. Hold 'Shift' and press 'Q'
   i. Type
      i. wq
   j. Press Enter
5. Your file should look like this:

(The original shows a screenshot of the edited sudoers file here.)

6. Reboot the server
   a. Type
      i. sudo reboot
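The firewall-side preparation above, collected into one script as an added example (this is not from the original document and not FWBuilder's own installer). It does the same three things as steps 1 to 4, but the sudoers change is syntax-checked with visudo before it replaces the live file, so a typo cannot lock every sudo user out of the firewall. One assumption: the FWBuilder firewall object is named "Firewall", so the installed policy script is /etc/fw/Firewall.fw (the document shows the path as /etc/fw/.fw).

```shell
#!/bin/sh
# Added example (not from the original document): "Firewall machine"
# preparation as one script, with the sudoers fragment checked by
# visudo before it is installed. Assumption: the FWBuilder firewall
# object is named "Firewall", so the policy script is /etc/fw/Firewall.fw.
set -eu

FW_USER=fwadmin
FW_DIR=/etc/fw
FW_SCRIPT="$FW_DIR/Firewall.fw"   # assumed name of the compiled policy

# Render the sudoers lines the document adds by hand. Kept in a function
# so the text can be inspected (and tested) without touching the system.
render_sudoers() {
    cat <<EOF
# FWBuilder deployment account: no lecture, 1-minute password/ticket timeouts
Defaults:%${FW_USER} !lecture, passwd_timeout=1, timestamp_timeout=1
# Only the compiled policy script, pkill and shutdown may be run as root
%${FW_USER} ALL = PASSWD: ${FW_SCRIPT}, /usr/bin/pkill, /sbin/shutdown
EOF
}

# visudo -c parses a sudoers file without editing it; a non-zero exit
# means a syntax error that would have broken sudo for everyone.
check_sudoers() {
    visudo -cf "$1" >/dev/null
}

setup_firewall_host() {
    # 1. dedicated non-root account FWBuilder logs in as (adduser prompts
    #    for the password, exactly like the document's step 1)
    id "$FW_USER" >/dev/null 2>&1 || adduser "$FW_USER"

    # 2. policy directory: root-owned, writable by group fwadmin, no world access
    mkdir -p "$FW_DIR/tmp"
    chgrp "$FW_USER" "$FW_DIR" "$FW_DIR/tmp"
    chmod 0770 "$FW_DIR" "$FW_DIR/tmp"

    # 3. append to a copy of /etc/sudoers, check the copy, then install it;
    #    the existing "Defaults env_reset" line is kept, not replaced
    candidate=$(mktemp)
    cp /etc/sudoers /etc/sudoers.bak
    cat /etc/sudoers > "$candidate"
    render_sudoers >> "$candidate"
    check_sudoers "$candidate"            # set -e aborts here on a bad file
    install -m 0440 -o root -g root "$candidate" /etc/sudoers
    rm -f "$candidate"
}

case "${1:-}" in
    --apply)
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
        setup_firewall_host
        echo "firewall host prepared; reboot before deploying from FWBuilder" ;;
    *)  render_sudoers ;;     # dry run: only show the lines that would be added
esac
```

Run it without arguments to see the sudoers lines it would add, and with --apply as root to make the changes. Note what the resulting account can do: fwadmin can write /etc/fw/Firewall.fw (the directory is group-writable) and then run it as root, so anyone holding the fwadmin password is effectively root on the firewall. The sudoers rule limits accidents, not an attacker; protect the account with a strong password or an SSH key and keep the policy's SSH rule limited to 10.10.10.10.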

FWmanagement machine

1. Make a repository folder for FWBuilder to use to save policy files
   a. Open a terminal
   b. Type
      i. mkdir /home/RegularUser/fwbuilder/repo
2. Launch FWBuilder
   a. System > Administration > FWBuilder
3. Configure System Preferences
   a. Edit > Preferences
      i. General tab
         1. Working directory
            a. /home/RegularUser/fwbuilder/repo/
      ii. Objects tab
         1. Enable
            a. Enable object tooltips
               i. This will help explain the different components and functions inside FWBuilder
      iii. Data tab
         1. Enable
            a. Periodically save data to file every 10 min
               i. This will ensure you do not lose work
      iv. Click OK

Configure your Policy 1. You should have a window up split in two. a. The right half is labeled Firewall/ruleset i. This is blank now but will show the actual rule set, once configured, that will be applied to the firewall b. The left half is the Object Configuration (there is no actual label) i. This area has a dropdown menu. 1. Currently it says User a. This is for custom objects that you want to make or configure to use in your firewall ruleset 2. The other option is Standard a. These are built‐in objects that you can use in your firewall ruleset 2. Create your firewall a. Right‐click on Firewalls > New Firewall i. This is located on the Object Configuration window with the User menu b. Enter the name of the new object i. Firewall 1. You can name it whatever but recommend that you give it the name of the firewall to cause less confusion c. Choose firewall software i. Iptables d. Choose OS the new firewall runs

      i. Linux 2.4/2.6
   e. Enable
      i. Use preconfigured template firewall objects
         1. This option will allow you to pick a template that will create most of the rules for you.
   f. Click Next
   g. Choose
      i. fw template 1
   h. Click Next
   i. Click Finish
3. You should have a window that looks like this:


4. Configure the Firewall NICs
   a. Underneath the Firewall object you just created, you will notice a list
      i. Outside = This is the NIC that faces the Internet
      ii. Inside = This is the NIC that faces your internal network
      iii. Loopback = This is a special NIC. It is a virtual NIC that exists in all TCP/IP ready machines
   b. Configure Outside (External) NIC
      i. Highlight Outside
         1. Located under Firewall on the Object Configuration window
      ii. On the right-hand side, at the bottom of the firewall/policy window, you will notice an Interface window
      iii. Enable
         1. Regular interface
      iv. Click Apply
      v. Right-click Outside > Add IP Address
         1. Located under Firewall on the Object Configuration window
      vi. On the right-hand side, at the bottom of the firewall/policy window, you will notice an Address window
         1. Address
            a. 192.168.10.1
         2. Netmask
            a. 255.255.255.0
         3. Click Apply
   c. Configure Inside (Internal) NIC
      i. Highlight Inside > firewall:eth1:ip
         1. Located under Firewall on the Object Configuration window
      ii. On the right-hand side, at the bottom of the firewall/policy window, you will notice an Address window
         1. Address
            a. 10.10.10.1
         2. Netmask
            a. 255.255.255.0
      iii. Click Apply
5. Configure Firewall object settings
   a. Highlight Firewall
      i. Located under Object Configuration window
   b. On the right-hand side, at the bottom of the firewall/policy window, you will notice a Firewall window
      i. Version
         1. 1.4.3 or later
      ii. Click Apply
      iii. Click Firewall Settings
         1. Compiler tab
            a. Enable
               i. Always permit ssh access from the management workstation
            b. Type (in the box adjacent to the above rule)
               i. 10.10.10.10
         2. Installer tab
            a. Directory on the firewall where script should be installed
               i. /etc/fw/
            b. User name used to authenticate to the firewall
               i. fwadmin
         3. Click OK
6. Create new network objects
   a. Right-click on Objects > Network > New Network
      i. Located under Object Configuration window
   b. On the right-hand side, at the bottom of the firewall/policy window, you will notice a Network window
      i. Name
         1. Net-10.10.10.0
      ii. Address
         1. 10.10.10.0
      iii. Netmask
         1. 255.255.255.0
      iv. Click Apply
7. Modify Network Address Translation (NAT) rules
   a. Highlight Firewalls > Firewall > NAT
      i. Located under Object Configuration window
   b. On the right-hand side you will notice the rules have changed. These are the NAT rules.
   c. Click the network object you just created and drag it into the first rule under Original Src
      i. It should look like this:

      ii. Now right-click net-192.168.1.0 (in the first rule under Original Src) > Delete
   d. You are going to use this same technique to change the Policy rules
8. Change the Policy Rules
   a. Highlight Firewalls > Firewall > Policy
      i. Located under Object Configuration window
   b. On the right-hand side you will notice the rules have changed. These are the Policy rules
   c. Replace each rule object that uses “net-192.168.1.0” with your “Net-10.10.10.0” object
      i. Same thing you did in the NAT rule
   d. It should look like this:

Configure FWBuilder log prefix and options
1. Log into the firewall management system
2. Open FWBuilder
3. Open the file you saved earlier with FWBuilder
4. Navigate, under the User section, to your firewall
5. Double-click on your firewall
6. Click Firewall Settings (you should notice, on the right-hand side of the screen at the bottom, a button labeled Firewall Settings)
7. Navigate to Logging tab
   a. Change the Log prefix:
      i. RULE=%N ACT=%A
   b. Enable
      i. Log TCP seq. numbers
      ii. Log TCP options
      iii. Log IP options

Save and Compile Rules Now that you have configured your firewall object, your NAT rules, and Policy rules, you need to save the file and compile it.

1. Save the file
   a. Click File > Save as
      i. Choose name and location for the file screen
         1. Name
            a. Firewall.fwb
         2. Save in folder
            a. /home/RegularUser/fwbuilder/repo/
         3. Click Save
2. Compile the rules
   a. Click Rules > Compile
      i. Fwbuilder screen
         1. There should be one item listed with a check mark under the Compile column
         2. Click Next
         3. You should receive a message that says
            a. Firewall Success
         4. If you receive an error, there is a log to the right that will give you some hints on what is going wrong
         5. Click Finish
   b. Now you have compiled the rules. This needs to be done every time a change is made to the rules, and then you install the Policy.

Deploy the Firewall Rules

Test SSH access
1. Login to the FWmanagement machine
2. Open a terminal
   a. Applications > Accessories > Terminal
3. Type
   a. ssh -l fwadmin Firewall
4. You should get a response similar to:
   The authenticity of host 'Firewall (10.10.10.1)' can't be established.
   RSA key fingerprint is 64:0b:7c:e9:ff:12:23:3a:12:e5:b2:13:f1:ea:7c:1e.
   Are you sure you want to continue connecting (yes/no)?
   a. Type
      i. yes
5. You have successfully connected to the Firewall machine via SSH

Create test Policy Rule You are going to make an addition to the rule set to block ICMP (ping request).

1. Test to make sure Ping works
   a. Open a Terminal
   b. Type
      i. ping firewall
   c. You should receive a response like:
      64 bytes from Firewall (10.10.10.1): icmp_seq=2 ttl=64 time=0.260 ms
   d. Press ‘Ctrl’ key and ‘C’ to stop the ping
2. This verifies that the management machine can communicate with the firewall
3. Create a rule to deny Ping
   a. Open FWBuilder
   b. Navigate to Firewalls > Firewall > Policy
      i. Located under the Object Configuration window
   c. Right-click on Rule 2 > Add rule below
      i. Located in the Firewall/Policy window on the right
   d. You will notice that Rule 3 has now become Rule 4 and an empty rule is now Rule 3
   e. Drag the objects into the appropriate column
      i. Source
         1. Net-10.10.10.0
      ii. Destination
         1. Firewall
      iii. Service
         1. Any ICMP
            a. You will acquire this object from the Object Configuration window. Change the dropdown menu to Standard and navigate to Services > ICMP
4. It should look like this:

5. Save the file
   a. File > Save
6. Compile and deploy
   a. Rules > Install
      i. Select firewall to compile and install screen
         1. Enable
            a. Compile
            b. Install
      ii. Click Next
      iii. This first window is just the compile part
         1. It should finish with a message of Success
      iv. Click Next
      v. Install Options screen
         1. Username
            a. Should already have fwadmin
         2. Password
            a. Enter the password you set up for fwadmin on the firewall server
         3. Address that will be used to communicate with the firewall
            a. 10.10.10.1
         4. Enable
            a. Verbose
               i. This will help with any troubleshooting
            b. Store a copy of the fwb on the firewall
               i. This is a secondary backup in case you lose or corrupt your FWB file
            c. Test run
               i. This is a great feature to test your rules before you make them permanent. If your rules lock you out or cause other serious issues, just reboot the firewall and the policy will not be enforced.
      vi. Click OK
      vii. You should receive a message of Success
7. Test results via Ping
   a. Open a Terminal
   b. Type
      i. ping firewall
   c. You should receive a response like:
      PING Firewall (10.10.10.1) 56(84) bytes of data.
      ^C
      --- Firewall ping statistics ---
      6 packets transmitted, 0 received, 100% packet loss, time 5038ms
      1. Press ‘Ctrl’ key and ‘C’ to stop the ping
   d. This means your rules worked
8. Make your firewall enforce your policy after reboot
   a. At this point, the firewall policy you installed is only temporary. If you reboot your firewall machine, the Policy rules will not be in effect.
   b. Reboot the Firewall machine (your Webmin connection will fail unless you have already inserted a rule to allow the machine to connect over TCP port 10000)
   c. Open Webmin to the Firewall machine
   d. Navigate to System > Boot up and Shutdown
      i. Click on rc.local
         1. At the bottom of the file (above the final exit 0 line if your rc.local has one, otherwise the script is never reached) type
            a. /etc/fw/Firewall.fw
      ii. Click Save
   e. Now every time your firewall reboots, it will run that script to enforce your Policy rules
9. If you ever get completely locked out of your firewall by a rule you inserted
   a. Login to the firewall
   b. Edit the /etc/rc.local file by removing that last line
   c. Reboot
   d. No rules will be applied and you can start over

Configure Logging

Install MySQL
1. Login to the FWmanagement system
2. Open a terminal window
3. Install MySQL
   a. Type
      i. sudo apt-get install mysql-server
   b. MySQL configuration
      i. New password for the MySQL root user
         1. Enter a password (this is the root user for MySQL. It is not the same thing as the root user of the OS)

4. Install MySQL Admin Tools
   a. Type
      i. sudo apt-get install mysql-admin

Configure MySQL
1. Login to the FWmanagement system
2. Navigate to Applications > Programming > MySQL Query Browser
3. Login
   a. Server hostname
      i. localhost
   b. Username
      i. root
   c. Password
      i. The password to enter here is the MySQL root password you chose in the steps above when you installed MySQL
4. You should see a screen like this:


5. Copy the following code into the script window

-- MySQL Administrator dump 1.4
--
-- ------------------------------------------------------
-- Server version 5.1.41-3~bpo50+1-log

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;

/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;

--
-- Create schema EFL_DB
--

CREATE DATABASE IF NOT EXISTS EFL_DB;
USE EFL_DB;

--
-- Definition of table `EFL_DB`.`EFL_FWLOGS_TBL`
--

DROP TABLE IF EXISTS `EFL_DB`.`EFL_FWLOGS_TBL`;
CREATE TABLE `EFL_DB`.`EFL_FWLOGS_TBL` (
  `ID` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `DATE` datetime DEFAULT NULL,
  `TIME` time DEFAULT NULL,
  `SYSTEM` varchar(30) DEFAULT NULL,
  `ACTION` varchar(20) DEFAULT NULL,
  `RULE` int(10) unsigned DEFAULT NULL,
  `INT_IN` varchar(10) DEFAULT NULL,
  `SRC_IP` varchar(20) DEFAULT NULL,
  `SRC_PORT` int(10) unsigned DEFAULT NULL,
  `PROTO` varchar(10) DEFAULT NULL,
  `INT_OUT` varchar(20) DEFAULT NULL,
  `DST_IP` varchar(20) DEFAULT NULL,
  `DST_PORT` int(10) unsigned DEFAULT NULL,
  `MAC` varchar(50) DEFAULT NULL,
  `TOS` varchar(8) DEFAULT NULL,
  `TTL` int(10) unsigned DEFAULT NULL,
  `SEQ` bigint(20) unsigned DEFAULT NULL,
  `MSG` char(5) DEFAULT NULL,
  PRIMARY KEY (`ID`),
  KEY `ID_IDX` (`ID`),
  KEY `INT_IN_IDX` (`INT_IN`),
  KEY `INT_OUT_IDX` (`INT_OUT`),
  KEY `SRC_IP_IDX` (`SRC_IP`),
  KEY `DST_IP_IDX` (`DST_IP`),
  KEY `SYSTEM_IDX` (`SYSTEM`),
  KEY `ACTION_IDX` (`ACTION`),
  KEY `RULE_IDX` (`RULE`),
  KEY `PROTO_IDX` (`PROTO`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=latin1 ROW_FORMAT=DYNAMIC;

--
-- Dumping data for table `EFL_DB`.`EFL_FWLOGS_TBL`
--

/*!40000 ALTER TABLE `EFL_FWLOGS_TBL` DISABLE KEYS */;
LOCK TABLES `EFL_FWLOGS_TBL` WRITE;
INSERT INTO `EFL_DB`.`EFL_FWLOGS_TBL` VALUES (1,'2010-02-26 21:13:37','21:13:37','cdafw003','DENY',6,'eth1','10.10.100.10',138,'UDP','','10.10.100.255',138,'ff:ff:ff:ff:ff:ff:00:0c:29:a1:59:f7:08:00','0x00',128,0,'LOG');
UNLOCK TABLES;
/*!40000 ALTER TABLE `EFL_FWLOGS_TBL` ENABLE KEYS */;

--
-- Definition of table `EFL_DB`.`SystemEvents`
--

DROP TABLE IF EXISTS `EFL_DB`.`SystemEvents`;
CREATE TABLE `EFL_DB`.`SystemEvents` (
  `ID` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `CustomerID` bigint(20) DEFAULT NULL,
  `ReceivedAt` datetime DEFAULT NULL,
  `DeviceReportedTime` datetime DEFAULT NULL,
  `Facility` smallint(6) DEFAULT NULL,
  `Priority` smallint(6) DEFAULT NULL,
  `FromHost` varchar(60) DEFAULT NULL,
  `Message` text,
  `NTSeverity` int(11) DEFAULT NULL,
  `Importance` int(11) DEFAULT NULL,
  `EventSource` varchar(60) DEFAULT NULL,
  `EventUser` varchar(60) DEFAULT NULL,
  `EventCategory` int(11) DEFAULT NULL,
  `EventID` int(11) DEFAULT NULL,
  `EventBinaryData` text,
  `MaxAvailable` int(11) DEFAULT NULL,
  `CurrUsage` int(11) DEFAULT NULL,
  `MinUsage` int(11) DEFAULT NULL,
  `MaxUsage` int(11) DEFAULT NULL,
  `InfoUnitID` int(11) DEFAULT NULL,
  `SyslogTag` varchar(60) DEFAULT NULL,
  `EventLogType` varchar(60) DEFAULT NULL,
  `GenericFileName` varchar(60) DEFAULT NULL,
  `SystemID` int(11) DEFAULT NULL,
  PRIMARY KEY (`ID`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

--
-- Dumping data for table `EFL_DB`.`SystemEvents`
--

/*!40000 ALTER TABLE `SystemEvents` DISABLE KEYS */;
LOCK TABLES `SystemEvents` WRITE;
UNLOCK TABLES;
/*!40000 ALTER TABLE `SystemEvents` ENABLE KEYS */;

--
-- Definition of table `EFL_DB`.`SystemEventsProperties`
--

DROP TABLE IF EXISTS `EFL_DB`.`SystemEventsProperties`;
CREATE TABLE `EFL_DB`.`SystemEventsProperties` (
  `ID` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `SystemEventID` int(11) DEFAULT NULL,
  `ParamName` varchar(255) DEFAULT NULL,
  `ParamValue` text,
  PRIMARY KEY (`ID`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

--
-- Dumping data for table `EFL_DB`.`SystemEventsProperties`
--

/*!40000 ALTER TABLE `SystemEventsProperties` DISABLE KEYS */;
LOCK TABLES `SystemEventsProperties` WRITE;
UNLOCK TABLES;
/*!40000 ALTER TABLE `SystemEventsProperties` ENABLE KEYS */;

--
-- Definition of table `EFL_DB`.`logcon_charts`
--

DROP TABLE IF EXISTS `EFL_DB`.`logcon_charts`;
CREATE TABLE `EFL_DB`.`logcon_charts` (
  `ID` int(11) NOT NULL AUTO_INCREMENT,
  `DisplayName` varchar(255) NOT NULL,
  `chart_enabled` tinyint(1) NOT NULL DEFAULT '1',
  `chart_type` int(11) NOT NULL,
  `chart_width` int(11) NOT NULL,
  `chart_field` varchar(255) NOT NULL,
  `maxrecords` int(11) NOT NULL,
  `showpercent` tinyint(1) NOT NULL,
  `userid` int(11) DEFAULT NULL,
  `groupid` int(11) DEFAULT NULL,
  PRIMARY KEY (`ID`)
) ENGINE=MyISAM AUTO_INCREMENT=5 DEFAULT CHARSET=latin1 COMMENT='This table contains all configured charts';

--
-- Dumping data for table `EFL_DB`.`logcon_charts`
--

/*!40000 ALTER TABLE `logcon_charts` DISABLE KEYS */;
LOCK TABLES `logcon_charts` WRITE;
INSERT INTO `EFL_DB`.`logcon_charts` VALUES
  (1,'Top Hosts',1,3,400,'FROMHOST',10,0,NULL,NULL),
  (2,'SyslogTags',1,1,400,'syslogtag',10,0,NULL,NULL),
  (3,'Severity Occurences',1,2,400,'syslogseverity',10,1,NULL,NULL),
  (4,'Usage by Day',1,1,400,'timereported',10,1,NULL,NULL);
UNLOCK TABLES;
/*!40000 ALTER TABLE `logcon_charts` ENABLE KEYS */;

--
-- Definition of table `EFL_DB`.`logcon_config`
--

DROP TABLE IF EXISTS `EFL_DB`.`logcon_config`;
CREATE TABLE `EFL_DB`.`logcon_config` (
  `propname` varchar(32) NOT NULL,
  `propvalue` varchar(255) DEFAULT NULL,
  `propvalue_text` text,
  `is_global` tinyint(1) NOT NULL,
  `userid` int(11) DEFAULT NULL,
  `groupid` int(11) DEFAULT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COMMENT='Table to store global and user specific configurations';

--
-- Dumping data for table `EFL_DB`.`logcon_config`
--

/*!40000 ALTER TABLE `logcon_config` DISABLE KEYS */;
LOCK TABLES `logcon_config` WRITE;
INSERT INTO `EFL_DB`.`logcon_config` VALUES
  ('database_installedversion','8',NULL,1,NULL,NULL),
  ('ViewDefaultLanguage','en','',1,NULL,NULL),
  ('ViewDefaultTheme','default','',1,NULL,NULL),
  ('ViewUseTodayYesterday','0','',1,NULL,NULL),
  ('ViewEnableDetailPopups','1','',1,NULL,NULL),
  ('EnableIPAddressResolve','0','',1,NULL,NULL),
  ('MiscShowDebugMsg','0','',1,NULL,NULL),
  ('MiscShowDebugGridCounter','0','',1,NULL,NULL),
  ('MiscShowPageRenderStats','1','',1,NULL,NULL),
  ('MiscEnableGzipCompression','1','',1,NULL,NULL),
  ('SuppressDuplicatedMessages','0','',1,NULL,NULL),
  ('TreatNotFoundFiltersAsTrue','0','',1,NULL,NULL),
  ('ViewMessageCharacterLimit','80','',1,NULL,NULL),
  ('ViewStringCharacterLimit','30','',1,NULL,NULL),
  ('ViewEntriesPerPage','100','',1,NULL,NULL),
  ('ViewEnableAutoReloadSeconds','0','',1,NULL,NULL),
  ('PopupMenuTimeout','3000','',1,NULL,NULL),
  ('PrependTitle','','',1,NULL,NULL),
  ('SearchCustomButtonCaption','I\'d like to feel sad','',1,NULL,NULL),
  ('SearchCustomButtonSearch','error','',1,NULL,NULL),
  ('DefaultViewsID','','',1,NULL,NULL);
INSERT INTO `EFL_DB`.`logcon_config` VALUES
  ('DefaultSourceID','1','',1,NULL,NULL),
  ('DebugUserLogin','0','',1,NULL,NULL),
  ('MiscDebugToSyslog','0','',1,NULL,NULL),
  ('MiscMaxExecutionTime','30','',1,NULL,NULL),
  ('InjectHtmlHeader','','',1,NULL,NULL),
  ('InjectBodyHeader','','',1,NULL,NULL),
  ('InjectBodyFooter','','',1,NULL,NULL),
  ('PhplogconLogoUrl','','',1,NULL,NULL);
UNLOCK TABLES;
/*!40000 ALTER TABLE `logcon_config` ENABLE KEYS */;

--
-- Definition of table `EFL_DB`.`logcon_dbmappings`
--

DROP TABLE IF EXISTS `EFL_DB`.`logcon_dbmappings`;
CREATE TABLE `EFL_DB`.`logcon_dbmappings` (
  `ID` int(11) NOT NULL AUTO_INCREMENT,
  `DisplayName` varchar(64) NOT NULL,
  `Mappings` varchar(1024) NOT NULL,
  PRIMARY KEY (`ID`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;

--
-- Dumping data for table `EFL_DB`.`logcon_dbmappings`
--

/*!40000 ALTER TABLE `logcon_dbmappings` DISABLE KEYS */;
LOCK TABLES `logcon_dbmappings` WRITE;
INSERT INTO `EFL_DB`.`logcon_dbmappings` VALUES (1,'EFL_MAPPING','uID=>ID,timereported=>DATE,EFL_TIME=>TIME,EFL_SYSTEM=>SYSTEM,EFL_ACTION=>ACTION,EFL_RULE=>RULE,EFL_INT_IN=>INT_IN,EFL_SRC_IP=>SRC_IP,EFL_SRC_PORT=>SRC_PORT,EFL_PROTO=>PROTO,EFL_INT_OUT=>INT_OUT,EFL_DST_IP=>DST_IP,EFL_DST_PORT=>DST_PORT,EFL_MAC=>MAC,EFL_TOS=>TOS,EFL_TTL=>TTL,EFL_SEQ=>SEQ,msg=>MSG');
UNLOCK TABLES;
/*!40000 ALTER TABLE `logcon_dbmappings` ENABLE KEYS */;

--
-- Definition of table `EFL_DB`.`logcon_fields`
--

DROP TABLE IF EXISTS `EFL_DB`.`logcon_fields`;
CREATE TABLE `EFL_DB`.`logcon_fields` (
  `FieldID` varchar(64) NOT NULL,
  `FieldDefine` varchar(64) NOT NULL,
  `FieldCaption` varchar(255) NOT NULL,
  `FieldType` int(11) NOT NULL,
  `Sortable` tinyint(1) NOT NULL,
  `DefaultWidth` int(11) NOT NULL,
  `FieldAlign` varchar(32) NOT NULL,
  `SearchField` varchar(64) NOT NULL,
  `SearchOnline` tinyint(1) NOT NULL,
  `Trunscate` int(11) NOT NULL,
  PRIMARY KEY (`FieldID`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COMMENT='This table stores custom fields';

--
-- Dumping data for table `EFL_DB`.`logcon_fields`
--

/*!40000 ALTER TABLE `logcon_fields` DISABLE KEYS */;
LOCK TABLES `logcon_fields` WRITE;
INSERT INTO `EFL_DB`.`logcon_fields` VALUES
  ('EFL_ACTION','EFL_ACTION','Action',0,0,50,'center','EFL_ACTION',0,0),
  ('EFL_DATE','EFL_DATE','Date',2,0,50,'center','EFL_DATE',0,0),
  ('EFL_DST_IP','EFL_DST_IP','DST_IP',0,0,50,'center','EFL_DST_IP',0,0),
  ('EFL_DST_PORT','EFL_DST_PORT','DST_PORT',1,0,50,'center','EFL_DST_PORT',0,0),
  ('EFL_INT_IN','EFL_INT_IN','INT_IN',0,0,50,'center','EFL_INT_IN',0,0),
  ('EFL_MAC','EFL_MAC','MAC',0,0,50,'center','EFL_MAC',0,0),
  ('EFL_PROTO','EFL_PROTO','PROTO',0,0,50,'center','EFL_PROTO',0,0),
  ('EFL_RULE','EFL_RULE','Rule',1,0,50,'center','EFL_RULE',0,0),
  ('EFL_SRC_IP','EFL_SRC_IP','SRC_IP',0,0,50,'center','EFL_SRC_IP',0,0),
  ('EFL_SRC_PORT','EFL_SRC_PORT','SRC_PORT',1,0,50,'center','EFL_SRC_PORT',0,0),
  ('EFL_SYSTEM','EFL_SYSTEM','System',0,0,50,'center','EFL_SYSTEM',0,0),
  ('EFL_TIME','EFL_TIME','Time',0,0,50,'center','EFL_TIME',0,0),
  ('EFL_TOS','EFL_TOS','TOS',0,0,50,'center','EFL_TOS',0,0),
  ('EFL_TTL','EFL_TTL','TTL',1,0,50,'center','EFL_TTL',0,0),
  ('EFL_INT_OUT','EFL_INT_OUT','INT_OUT',0,0,50,'center','EFL_INT_OUT',0,0);
INSERT INTO `EFL_DB`.`logcon_fields` VALUES
  ('EFL_SEQ','EFL_SEQ','Sequence',1,0,50,'center','EFL_SEQ',0,0);
UNLOCK TABLES;
/*!40000 ALTER TABLE `logcon_fields` ENABLE KEYS */;

--
-- Definition of table `EFL_DB`.`logcon_groupmembers`
--

DROP TABLE IF EXISTS `EFL_DB`.`logcon_groupmembers`;
CREATE TABLE `EFL_DB`.`logcon_groupmembers` (
  `userid` int(11) NOT NULL,
  `groupid` int(11) NOT NULL,
  `is_member` tinyint(1) NOT NULL DEFAULT '1'
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COMMENT='Helpertable to store which users are in which group';

--
-- Dumping data for table `EFL_DB`.`logcon_groupmembers`
--

/*!40000 ALTER TABLE `logcon_groupmembers` DISABLE KEYS */;
LOCK TABLES `logcon_groupmembers` WRITE;
UNLOCK TABLES;
/*!40000 ALTER TABLE `logcon_groupmembers` ENABLE KEYS */;

--
-- Definition of table `EFL_DB`.`logcon_groups`
--

DROP TABLE IF EXISTS `EFL_DB`.`logcon_groups`;
CREATE TABLE `EFL_DB`.`logcon_groups` (
  `ID` int(11) NOT NULL AUTO_INCREMENT,
  `groupname` varchar(32) NOT NULL,
  `groupdescription` varchar(255) NOT NULL,
  `grouptype` int(11) NOT NULL,
  PRIMARY KEY (`ID`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 COMMENT='Table for phplogcon groups';

--
-- Dumping data for table `EFL_DB`.`logcon_groups`
--

/*!40000 ALTER TABLE `logcon_groups` DISABLE KEYS */;
LOCK TABLES `logcon_groups` WRITE;
UNLOCK TABLES;
/*!40000 ALTER TABLE `logcon_groups` ENABLE KEYS */;

--
-- Definition of table `EFL_DB`.`logcon_searches`
--

DROP TABLE IF EXISTS `EFL_DB`.`logcon_searches`;
CREATE TABLE `EFL_DB`.`logcon_searches` (
  `ID` int(11) NOT NULL AUTO_INCREMENT,
  `DisplayName` varchar(255) NOT NULL,
  `SearchQuery` varchar(1024) NOT NULL,
  `userid` int(11) DEFAULT NULL,
  `groupid` int(11) DEFAULT NULL,
  PRIMARY KEY (`ID`)
) ENGINE=MyISAM AUTO_INCREMENT=8 DEFAULT CHARSET=latin1 COMMENT='Stores custom user searches';

--
-- Dumping data for table `EFL_DB`.`logcon_searches`
--

/*!40000 ALTER TABLE `logcon_searches` DISABLE KEYS */;
LOCK TABLES `logcon_searches` WRITE;
INSERT INTO `EFL_DB`.`logcon_searches` VALUES
  (1,'Syslog Warnings and Errors','filter=severity%3A0%2C1%2C2%2C3%2C4&search=Search',NULL,NULL),
  (2,'Syslog Errors','filter=severity%3A0%2C1%2C2%2C3&search=Search',NULL,NULL),
  (3,'All messages from the last hour','filter=datelastx%3A1&search=Search',NULL,NULL),
  (4,'All messages from last 12 hours','filter=datelastx%3A2&search=Search',NULL,NULL),
  (5,'All messages from last 24 hours','filter=datelastx%3A3&search=Search',NULL,NULL),
  (6,'All messages from last 7 days','filter=datelastx%3A4&search=Search',NULL,NULL),
  (7,'All messages from last 31 days','filter=datelastx%3A5&search=Search',NULL,NULL);
UNLOCK TABLES;
/*!40000 ALTER TABLE `logcon_searches` ENABLE KEYS */;

--
-- Definition of table `EFL_DB`.`logcon_sources`
--

DROP TABLE IF EXISTS `EFL_DB`.`logcon_sources`;
CREATE TABLE `EFL_DB`.`logcon_sources` (
  `ID` int(11) NOT NULL AUTO_INCREMENT,
  `Name` varchar(255) NOT NULL,
  `Description` text NOT NULL,
  `SourceType` tinyint(4) NOT NULL,
  `MsgParserList` varchar(255) NOT NULL,
  `MsgNormalize` tinyint(1) NOT NULL DEFAULT '0',
  `MsgSkipUnparseable` tinyint(1) NOT NULL DEFAULT '0',
  `ViewID` varchar(64) NOT NULL,
  `LogLineType` varchar(64) DEFAULT NULL,
  `DiskFile` varchar(255) DEFAULT NULL,
  `DBTableType` varchar(64) DEFAULT NULL,
  `DBType` tinyint(4) DEFAULT NULL,
  `DBServer` varchar(255) DEFAULT NULL,
  `DBName` varchar(64) DEFAULT NULL,
  `DBUser` varchar(64) DEFAULT NULL,
  `DBPassword` varchar(255) DEFAULT NULL,
  `DBTableName` varchar(64) DEFAULT NULL,
  `DBEnableRowCounting` tinyint(1) DEFAULT NULL,
  `DBRecordsPerQuery` int(11) NOT NULL DEFAULT '100',
  `userid` int(11) DEFAULT NULL,
  `groupid` int(11) DEFAULT NULL,
  PRIMARY KEY (`ID`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=latin1 COMMENT='Table to store datasources in phplogcon';

--
-- Dumping data for table `EFL_DB`.`logcon_sources`
--

/*!40000 ALTER TABLE `logcon_sources` DISABLE KEYS */;
LOCK TABLES `logcon_sources` WRITE;
INSERT INTO `EFL_DB`.`logcon_sources` VALUES (1,'EFL_SRC','',2,'',0,0,'1',NULL,NULL,'efl',0,'localhost','EFL_DB','rsyslog','1qaz!QAZ','EFL_FWLOGS_TBL',0,100,NULL,NULL);
UNLOCK TABLES;
/*!40000 ALTER TABLE `logcon_sources` ENABLE KEYS */;

--
-- Definition of table `EFL_DB`.`logcon_users`
--

DROP TABLE IF EXISTS `EFL_DB`.`logcon_users`;
CREATE TABLE `EFL_DB`.`logcon_users` (
  `ID` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(32) NOT NULL,
  `password` varchar(32) NOT NULL,
  `is_admin` tinyint(1) NOT NULL DEFAULT '0',
  `last_login` int(4) NOT NULL,
  PRIMARY KEY (`ID`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=latin1 COMMENT='Table for the phplogcon users';

--
-- Dumping data for table `EFL_DB`.`logcon_users`
--

/*!40000 ALTER TABLE `logcon_users` DISABLE KEYS */;
LOCK TABLES `logcon_users` WRITE;
INSERT INTO `EFL_DB`.`logcon_users` VALUES (1,'fwadmin','172b5048e8d31bb3236fbf1f649dd76b',1,1267212961);
UNLOCK TABLES;
/*!40000 ALTER TABLE `logcon_users` ENABLE KEYS */;

--
-- Definition of table `EFL_DB`.`logcon_views`
--

DROP TABLE IF EXISTS `EFL_DB`.`logcon_views`;
CREATE TABLE `EFL_DB`.`logcon_views` (
  `ID` int(11) NOT NULL AUTO_INCREMENT,
  `DisplayName` varchar(255) NOT NULL,
  `Columns` text NOT NULL,
  `userid` int(11) DEFAULT NULL,
  `groupid` int(11) DEFAULT NULL,
  PRIMARY KEY (`ID`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=latin1 COMMENT='Stores custom defined user views.';

--
-- Dumping data for table `EFL_DB`.`logcon_views`
--

/*!40000 ALTER TABLE `logcon_views` DISABLE KEYS */;
LOCK TABLES `logcon_views` WRITE;
INSERT INTO `EFL_DB`.`logcon_views` VALUES (1,'EFL_VIEW','uID, timereported, EFL_TIME, EFL_SYSTEM, EFL_ACTION, EFL_RULE, EFL_INT_IN, EFL_SRC_IP, EFL_SRC_PORT, EFL_PROTO, EFL_INT_OUT, EFL_DST_IP, EFL_DST_PORT, EFL_MAC, EFL_TOS, EFL_TTL, EFL_SEQ, msg',NULL,NULL);
UNLOCK TABLES;
/*!40000 ALTER TABLE `logcon_views` ENABLE KEYS */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;

6. Click Execute
7. Right-click the Schemata window > Refresh Schema
   a. The Schemata window is the window on the top right-hand side. At this point you should only see information_schema and mysql
8. You should now see EFL_DB
9. Configure new MySQL user
   a. Navigate to Applications > Programming > MySQL Administrator
   b. Login
      i. Using the MySQL root account and password
   c. You should see a screen like this:


      i. Right-click in the User Accounts box > New user
         1. User Information tab
            a. MySQL User
               i. rsyslog
            b. Password
               i. 1qaz!QAZ (this same password is stored in the logcon_sources row of the SQL you executed above and is used again in the rsyslog efl.conf on the management system; if you choose a different one, change it in all three places)
         2. Schema Privileges tab
            a. Highlight EFL_DB under the Schema window
            b. Highlight all Available Privileges (except Grant) and move them to the Assigned Privileges
         3. Click Apply
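The EFL_FWLOGS_TBL table created above is what phpLogCon will query later, but nothing in this project shows what the administrator actually gets out of it. The Python block below is an added example, not part of the original document and not phpLogCon's or rsyslog's code: it loads a SQLite copy of the table with constructed rows and runs three summary queries a firewall administrator wants from such a log (top denied sources since a given time, hits per policy rule and action, and sources denied on several distinct destination ports). SQLite stands in for MySQL so the example runs offline; the column names are the dump's, the MySQL type names are simplified, the hostname cdafw003 is borrowed from the dump's sample row, and every row is made up.

```python
import sqlite3

# SQLite rendering of EFL_FWLOGS_TBL from the dump above. Column names match;
# the MySQL types (int(10) unsigned, varchar(n), ...) are simplified to
# INTEGER / TEXT because SQLite does not accept the MySQL spellings.
SCHEMA = """
CREATE TABLE EFL_FWLOGS_TBL (
  ID INTEGER PRIMARY KEY AUTOINCREMENT,
  DATE TEXT, TIME TEXT, SYSTEM TEXT, ACTION TEXT, RULE INTEGER,
  INT_IN TEXT, SRC_IP TEXT, SRC_PORT INTEGER, PROTO TEXT, INT_OUT TEXT,
  DST_IP TEXT, DST_PORT INTEGER, MAC TEXT, TOS TEXT, TTL INTEGER,
  SEQ INTEGER, MSG TEXT
);
CREATE INDEX SRC_IP_IDX ON EFL_FWLOGS_TBL (SRC_IP);
CREATE INDEX RULE_IDX ON EFL_FWLOGS_TBL (RULE);
"""

# Constructed rows (not real traffic). Order: DATE, TIME, SYSTEM, ACTION, RULE,
# INT_IN, SRC_IP, SRC_PORT, PROTO, INT_OUT, DST_IP, DST_PORT. The ICMP row has
# no ports, as the rsyslog template would leave them when SPT=/DPT= are absent.
SAMPLE_ROWS = [
    ("2010-02-26 21:13:37", "21:13:37", "cdafw003", "DENY", 6, "eth1",
     "10.10.100.10", 138, "UDP", "", "10.10.100.255", 138),
    ("2010-02-26 21:14:02", "21:14:02", "cdafw003", "DENY", 3, "eth1",
     "10.10.10.10", None, "ICMP", "", "10.10.10.1", None),
    ("2010-02-26 21:15:10", "21:15:10", "cdafw003", "DENY", 6, "eth0",
     "192.168.10.77", 40001, "TCP", "", "192.168.10.1", 22),
    ("2010-02-26 21:15:11", "21:15:11", "cdafw003", "DENY", 6, "eth0",
     "192.168.10.77", 40002, "TCP", "", "192.168.10.1", 23),
    ("2010-02-26 21:15:12", "21:15:12", "cdafw003", "DENY", 6, "eth0",
     "192.168.10.77", 40003, "TCP", "", "192.168.10.1", 80),
    ("2010-02-26 21:16:00", "21:16:00", "cdafw003", "ACCEPT", 1, "eth1",
     "10.10.10.10", 51000, "TCP", "eth0", "192.168.10.1", 443),
]


def load_sample_db():
    """Create the table in memory and insert the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO EFL_FWLOGS_TBL (DATE, TIME, SYSTEM, ACTION, RULE, INT_IN,"
        " SRC_IP, SRC_PORT, PROTO, INT_OUT, DST_IP, DST_PORT)"
        " VALUES (?,?,?,?,?,?,?,?,?,?,?,?)",
        SAMPLE_ROWS)
    return conn


def top_denied_sources(conn, since, limit=10):
    """Source addresses with the most DENY entries at or after `since`
    ('YYYY-MM-DD HH:MM:SS'), most hits first, ties broken by address."""
    return conn.execute(
        "SELECT SRC_IP, COUNT(*) AS hits FROM EFL_FWLOGS_TBL"
        " WHERE ACTION = 'DENY' AND DATE >= ?"
        " GROUP BY SRC_IP ORDER BY hits DESC, SRC_IP LIMIT ?",
        (since, limit)).fetchall()


def hits_per_rule(conn):
    """How often each policy rule fired, per action. This is only possible
    because the FWBuilder log prefix RULE=%N ACT=%A puts the rule number in
    every log line."""
    return conn.execute(
        "SELECT RULE, ACTION, COUNT(*) FROM EFL_FWLOGS_TBL"
        " GROUP BY RULE, ACTION ORDER BY RULE").fetchall()


def many_ports_from_one_source(conn, min_ports=3):
    """Sources denied on at least `min_ports` distinct destination ports,
    a crude indicator worth a closer look in the full log."""
    return conn.execute(
        "SELECT SRC_IP, COUNT(DISTINCT DST_PORT) AS ports FROM EFL_FWLOGS_TBL"
        " WHERE ACTION = 'DENY' AND DST_PORT IS NOT NULL"
        " GROUP BY SRC_IP HAVING COUNT(DISTINCT DST_PORT) >= ?"
        " ORDER BY ports DESC, SRC_IP",
        (min_ports,)).fetchall()


if __name__ == "__main__":
    db = load_sample_db()
    print("top denied sources:", top_denied_sources(db, "2010-02-26 00:00:00"))
    print("hits per rule:", hits_per_rule(db))
    print("many ports from one source:", many_ports_from_one_source(db))
```

The same three statements run unchanged against the MySQL table (only the `?` placeholders become `%s` in a MySQLdb client), and the SRC_IP_IDX and RULE_IDX keys from the dump are exactly the indexes these GROUP BY queries benefit from.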

Install Rsyslog
1. Login to the firewall
2. Modify package sources
   a. Type
      i. sudo vi /etc/apt/sources.list
   b. Modify the file with vi
      i. Add the following line under the section for Backports
         1. Type
            a. deb http://www.backports.org/debian lenny-backports main
   c. Save the file
3. Update the package database
   a. Type
      i. sudo apt-get update
4. Type
   a. sudo apt-get install rsyslog
5. Answer Yes to adding components
6. Verify version of Rsyslog
   a. Type
      i. sudo rsyslogd -v
   b. It should return
      i. rsyslogd 4.4.2
7. Modify package sources (we do not want other programs or updates from this source)

   a. Type
      i. sudo vi /etc/apt/sources.list
   b. Modify the file with vi
      i. Modify the following line under the section for Backports (add the # symbol in front of the line that was added in the step above)
         1. Type
            a. # deb http://www.backports.org/debian lenny-backports main
8. Repeat this process on the FW management system

Configure Rsyslog

Firewall Configuration
1. Login to the firewall
2. Navigate to /etc/rsyslog.d/
3. Create and configure the file efl.conf (this will write all firewall logs to a local file called efl.log and send them to the firewall management system)
   a. Type
      i. sudo sh -c "cat >> /etc/rsyslog.d/efl.conf" << EOF
      ii. :msg, contains, "RULE=" -/var/log/efl.log
      iii. :msg, contains, "RULE=" @@10.10.100.12:514
      iv. & ~
      v. EOF
4. Make the log file
   a. Type
      i. sudo touch /var/log/efl.log
5. Configure the /etc/rsyslog.conf file
   a. Type
      i. sudo vi /etc/rsyslog.conf
   b. Modify the following section to look like this:

# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc//rsyslog_conf.html

#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
# $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionFileDefaultTemplate RSYSLOG_ForwardFormat

FW Management Configuration
1. Login to the FW management system
2. Navigate to /etc/rsyslog.d/
3. Create and configure the file efl.conf
   a. Type
      i. sudo vi /etc/rsyslog.d/efl.conf
   b. Configure the file to look like this:

### Configuration file for rsyslog-mysql
### Changes are preserved

### Module Control
### Load the MySQL connection module
$ModLoad ommysql

### Template Control
### Use the custom LogFilter template with Rsyslog to populate the MySQL database
$template logfilter_template, "INSERT INTO EFL_FWLOGS_TBL (DATE, TIME, SYSTEM, ACTION, RULE, INT_IN, SRC_IP, SRC_PORT, PROTO, INT_OUT, DST_IP, DST_PORT, MAC, TOS, TTL, SEQ, MSG) values ('%timegenerated:::date-mysql%', '%timegenerated:::date-mysql%', '%hostname%', '%msg:R,ERE,1,BLANK,0:ACT=([A-Z]+)--end%', '%msg:R,ERE,1,BLANK,0:RULE=([0-9]+)--end%', '%msg:R,ERE,1,BLANK,0:IN=([0-9a-z]+)--end%', '%msg:R,ERE,1,BLANK,0:SRC=([0-9\.]+)--end%', '%msg:R,ERE,1,BLANK,0:SPT=([0-9]+)--end%', '%msg:R,ERE,1,BLANK,0:PROTO=([0-9a-zA-Z]+)--end%', '%msg:R,ERE,1,BLANK,0:OUT=([0-9a-z]+)--end%', '%msg:R,ERE,1,BLANK,0:DST=([0-9\.]+)--end%', '%msg:R,ERE,1,BLANK,0:DPT=([0-9]+)--end%', '%msg:R,ERE,1,BLANK,0:MAC=([0-9a-f\:]+)--end%', '%msg:R,ERE,1,BLANK,0:TOS=(0x[0-9a-f]+)--end%', '%msg:R,ERE,1,BLANK,0:TTL=([0-9]+)--end%', '%msg:R,ERE,1,BLANK,0:SEQ=([0-9]+)--end%', 'LOG')",SQL

### Message Rule Control
### Only post messages that meet the following criteria
:msg, contains, "RULE=" :ommysql:localhost,EFL_DB,rsyslog,1qaz!QAZ;logfilter_template
& ~


4. Configure /etc/rsyslog.conf
   a. Type
      i. sudo vi /etc/rsyslog.conf
   b. Modify the following section to look like this:

#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
$AllowedSender TCP, 10.10.100.12/24

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
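The rsyslog filter and the logfilter_template in efl.conf above decide which firewall messages reach EFL_FWLOGS_TBL and what each column receives. The Python model below is an added example, not code from the Ubuntu Firewall Project document: it applies the template's own regular expressions to constructed iptables log lines (the "RULE=<n> ACT=<ACTION>" prefix is assumed to be what the fwbuilder log prefix emits) and shows which columns come out BLANK and why.

```python
"""Model of the efl.conf pipeline: the ':msg, contains, "RULE="' filter followed by
the regular expressions of logfilter_template applied to iptables log lines.

Added example, not from the Ubuntu Firewall Project document. The log lines at the
bottom are constructed samples, not captures from a real firewall.
"""
import re
from datetime import datetime

# Column order of EFL_FWLOGS_TBL exactly as listed in logfilter_template.
COLUMNS = ("DATE", "TIME", "SYSTEM", "ACTION", "RULE", "INT_IN", "SRC_IP", "SRC_PORT",
           "PROTO", "INT_OUT", "DST_IP", "DST_PORT", "MAC", "TOS", "TTL", "SEQ", "MSG")

# The extended regular expressions the template applies to %msg%, by column.
# rsyslog's "R,ERE,1,BLANK,0" means: first match, submatch 1, empty string if no match.
FIELD_RES = {
    "ACTION":   re.compile(r"ACT=([A-Z]+)"),
    "RULE":     re.compile(r"RULE=([0-9]+)"),
    "INT_IN":   re.compile(r"IN=([0-9a-z]+)"),
    "SRC_IP":   re.compile(r"SRC=([0-9\.]+)"),
    "SRC_PORT": re.compile(r"SPT=([0-9]+)"),
    "PROTO":    re.compile(r"PROTO=([0-9a-zA-Z]+)"),
    "INT_OUT":  re.compile(r"OUT=([0-9a-z]+)"),
    "DST_IP":   re.compile(r"DST=([0-9\.]+)"),
    "DST_PORT": re.compile(r"DPT=([0-9]+)"),
    "MAC":      re.compile(r"MAC=([0-9a-f\:]+)"),
    "TOS":      re.compile(r"TOS=(0x[0-9a-f]+)"),
    "TTL":      re.compile(r"TTL=([0-9]+)"),
    "SEQ":      re.compile(r"SEQ=([0-9]+)"),
}

# Traditional-format syslog line as the TCP receiver gets it: "Mon DD HH:MM:SS host msg".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def extract_fields(msg):
    """Apply every template regex to the message body; BLANK ('') where nothing matches."""
    fields = {}
    for column, regex in FIELD_RES.items():
        match = regex.search(msg)
        fields[column] = match.group(1) if match else ""
    return fields


def build_row(line, year=2010):
    """Return the row ommysql would insert for this line, or None if the filter drops it."""
    parsed = SYSLOG_RE.match(line)
    if parsed is None:
        return None
    msg = parsed.group("msg")
    # ':msg, contains, "RULE="' -- only rule hits reach ommysql; the following "& ~"
    # then discards them so they are not written to the normal log files as well.
    if "RULE=" not in msg:
        return None
    # %timegenerated:::date-mysql% renders as YYYYMMDDHHMMSS. Traditional syslog
    # timestamps carry no year, so the receiving year is supplied by the caller.
    stamp = datetime.strptime(f"{year} {parsed.group('ts')}", "%Y %b %d %H:%M:%S")
    stamp = stamp.strftime("%Y%m%d%H%M%S")
    row = {"DATE": stamp, "TIME": stamp, "SYSTEM": parsed.group("host"), "MSG": "LOG"}
    row.update(extract_fields(msg))
    return row


def to_insert(row):
    """Parameterised INSERT for a DB-API driver: values travel as parameters rather than
    as quoted text inside the statement, so a crafted log line cannot alter the SQL
    (the rsyslog template instead relies on its SQL option to escape quotes)."""
    sql = "INSERT INTO EFL_FWLOGS_TBL ({}) VALUES ({})".format(
        ", ".join(COLUMNS), ", ".join("%s" for _ in COLUMNS))
    return sql, tuple(row[column] for column in COLUMNS)


def process_lines(lines, year=2010):
    """Run filter and template over a batch of syslog lines; returns (sql, params) pairs."""
    inserts = []
    for line in lines:
        row = build_row(line, year)
        if row is not None:
            inserts.append(to_insert(row))
    return inserts


# Constructed sample input (not captured from a real firewall).
SAMPLE_LINES = [
    # TCP SYN dropped by rule 3: every field the template looks for is present.
    "Feb 28 10:15:42 firewall kernel: RULE=3 ACT=DENY IN=eth0 OUT= "
    "MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.10.100.50 DST=10.10.100.12 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 SEQ=1 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    # ICMP echo accepted and forwarded: no SPT/DPT/MAC, so those columns are BLANK.
    "Feb 28 10:16:01 firewall kernel: RULE=7 ACT=ACCEPT IN=eth1 OUT=eth0 "
    "SRC=192.168.1.20 DST=10.10.100.50 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4 "
    "PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1",
    # Mixed-case action: [A-Z]+ stops after the first letter, so ACTION becomes "D".
    "Feb 28 10:16:03 firewall kernel: RULE=9 ACT=Drop IN=eth0 OUT= SRC=10.10.100.77 "
    "DST=10.10.100.12 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=77 PROTO=UDP SPT=137 DPT=137",
    # Not a firewall rule hit: dropped by the filter, never reaches the database.
    "Feb 28 10:16:05 firewall sshd[2211]: Accepted publickey for admin from 10.10.100.50",
]

if __name__ == "__main__":
    for sql, params in process_lines(SAMPLE_LINES):
        print(sql)
        print(params)
```

The third sample shows why the fwbuilder log prefix must emit the action in upper case: the template's [A-Z]+ silently truncates anything else.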


Install phpLogCon

Install PHP

1. Log in to FWmanagement
2. Open a terminal window
3. Type
   a. sudo apt-get install php5
4. Type
   a. sudo apt-get install php5-mysql

Install Apache2

1. Log in to FWmanagement
2. Open a terminal window
3. Type
   a. sudo apt-get install apache2

Install & Configure phpLogCon

1. Log in to FWmanagement
2. Open Firefox (web browser)
3. Navigate to http://www.phplogcon.org/downloads
4. Download phpLogCon 2.8.1
   a. Save the file to /home/RegularUser/phplogcon/
5. Open a terminal window
6. Type
   a. cd /home/RegularUser/phplogcon
   b. sudo gunzip phplogcon-2.8.1.tar.gz
   c. sudo tar -xf phplogcon-2.8.1.tar
7. Make the directory for your website
   a. Type
      i. sudo mkdir /var/www/efl
8. Copy the phpLogCon source files to your website directory
   a. Type
      i. cd $HOME/phplogcon/phplogcon-2.8.1/src
      ii. sudo cp -r * /var/www/efl
9. Copy the script files
   a. Type
      i. cd $HOME/phplogcon/phplogcon-2.8.1/contrib
      ii. sudo cp *.sh /var/www/efl
10. Change permissions on the script files
   a. Type
      i. cd /var/www/efl
      ii. sudo chmod +x configure.sh
      iii. sudo chmod +x secure.sh
11. Restart the apache2 service
   a. Type
      i. sudo /etc/init.d/apache2 restart
12. Run the install script
   a. Type
      i. sudo ./configure.sh
13. Configure SSL for Apache
   a. Make a working directory
      i. Type
         1. sudo mkdir /etc/ssl/certwork
         2. sudo chmod 600 /etc/ssl/certwork
   b. Create an SSL cert
      i. Type
         1. sudo su
         2. cd /etc/ssl/certwork
         3. openssl genrsa -des3 -out server.key 4096
            a. Enter pass phrase for server key
               i. Enter a password for your certificate. Ensure you copy the password down in a safe place. You can use the same password for all steps requiring an SSL pass phrase.
      ii. Type
         1. openssl req -new -key server.key -out server.csr
      iii. Answer the certificate questions
         1. Enter a password for your certificate. Ensure you copy the password down in a safe place. You can use the same password for all steps requiring an SSL pass phrase.
         2. Country Name
            a. Enter your country's 2-letter code
               i. E.g. USA=US Canada=CA UnitedKingdom=UK
                  1. If you don't know your country code, use Google to look it up
         3. State or Province
            a. Enter your state or province name
         4. Locality
            a. Enter your city name
         5. Organization Name
            a. This can be your company name or a made-up or fake name
         6. Organizational Unit Name
            a. This is the department name of your organization
         7. Common Name
            a. This name has to equal the Fully Qualified Domain Name (FQDN) of your server or its IP address. This name does not have to be registered in a real external DNS or have a real-world IP address.
               i. E.g. FWmanagement.local.local
         8. Email Address
            a. You can enter a real email address, but you do not have an SMTP service set up on this box, and that is outside the scope of this document.
            b. Hit Enter to bypass
         9. A challenge password
            a. Hit Enter to bypass
         10. An optional company name
            a. Hit Enter to bypass
      iv. Sign the certificate
         1. Type
            a. openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
         2. Enter pass phrase for server key
            a. Enter a password for your certificate. Ensure you copy the password down in a safe place. You can use the same password for all steps requiring an SSL pass phrase.
      v. Create a key without a password
         1. Type
            a. openssl rsa -in server.key -out server.key.insecure
            b. mv server.key server.key.secure
            c. mv server.key.insecure server.key
            d. exit
   c. Configure Apache to use the SSL certificate
      i. Type
         1. sudo mkdir /etc/apache2/ssl
      ii. Copy the certs into the folder
         1. Type
            a. sudo cp /etc/ssl/certwork/server.key /etc/apache2/ssl
            b. sudo cp /etc/ssl/certwork/server.crt /etc/apache2/ssl
      iii. Configure the SSL default site
         1. Type
            a. sudo mv /etc/apache2/sites-enabled/000-default /etc/apache2/sites-available/000-default
            b. sudo cp /etc/apache2/sites-available/efl-ssl /etc/apache2/sites-enabled/001-efl-ssl
      iv. Modify 001-efl-ssl to add the certificate locations
         1. Type
            a. sudo gedit /etc/apache2/sites-enabled/001-efl-ssl
         2. Modify the file to look like this (the SSLCertificateFile and SSLCertificateKeyFile lines are the ones changed from the stock file):

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/ssl_access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    #   A self-signed (snakeoil) certificate can be created by installing
    #   the ssl-cert package. See
    #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
    #   If both key and certificate are stored in the same file, only the
    #   SSLCertificateFile directive is needed.
    #   SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    #   SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    #   Server Certificate Chain:
    #   Point SSLCertificateChainFile at a file containing the
    #   concatenation of PEM encoded CA certificates which form the
    #   certificate chain for the server certificate. Alternatively
    #   the referenced file can be the same as SSLCertificateFile
    #   when the CA certificates are directly appended to the server
    #   certificate for convenience.
    #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

    #   Certificate Authority (CA):
    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)
    #   Note: Inside SSLCACertificatePath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.
    #SSLCACertificatePath /etc/ssl/certs/
    #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

    #   Certificate Revocation Lists (CRL):
    #   Set the CA revocation path where to find CA CRLs for client
    #   authentication or alternatively one huge file containing all
    #   of them (file must be PEM encoded)
    #   Note: Inside SSLCARevocationPath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.
    #SSLCARevocationPath /etc/apache2/ssl.crl/
    #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

    #   Client Authentication (Type):
    #   Client certificate verification type and depth. Types are
    #   none, optional, require and optional_no_ca. Depth is a
    #   number which specifies how deeply to verify the certificate
    #   issuer chain before deciding the certificate is not valid.
    #SSLVerifyClient require
    #SSLVerifyDepth  10

    #   Access Control:
    #   With SSLRequire you can do per-directory access control based
    #   on arbitrary complex boolean expressions containing server
    #   variable checks and other lookup directives. The syntax is a
    #   mixture between C and Perl. See the mod_ssl documentation
    #   for more details.
    #<Location />
    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>

    #   SSL Engine Options:
    #   Set various options for the SSL engine.
    #   o FakeBasicAuth:
    #     Translate the client X.509 into a Basic Authorisation. This means that
    #     the standard Auth/DBMAuth methods can be used for access control. The
    #     user name is the `one line' version of the client's X.509 certificate.
    #     Note that no password is obtained from the user. Every entry in the user
    #     file needs this password: `xxj31ZMTZzkVA'.
    #   o ExportCertData:
    #     This exports two additional environment variables: SSL_CLIENT_CERT and
    #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    #     server (always existing) and the client (only existing when client
    #     authentication is used). This can be used to import the certificates
    #     into CGI scripts.
    #   o StdEnvVars:
    #     This exports the standard SSL/TLS related `SSL_*' environment variables.
    #     Per default this exportation is switched off for performance reasons,
    #     because the extraction step is an expensive operation and is usually
    #     useless for serving static content. So one usually enables the
    #     exportation for CGI and SSI requests only.
    #   o StrictRequire:
    #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
    #     under a "Satisfy any" situation, i.e. when it applies access is denied
    #     and no other module can change it.
    #   o OptRenegotiate:
    #     This enables optimized SSL connection renegotiation handling when SSL
    #     directives are used in per-directory context.
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    #   SSL Protocol Adjustments:
    #   The safe and default but still SSL/TLS standard compliant shutdown
    #   approach is that mod_ssl sends the close notify alert but doesn't wait for
    #   the close notify alert from client. When you need a different shutdown
    #   approach you can use one of the following variables:
    #   o ssl-unclean-shutdown:
    #     This forces an unclean shutdown when the connection is closed, i.e. no
    #     SSL close notify alert is sent or allowed to be received. This violates
    #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
    #     this when you receive I/O errors because of the standard approach where
    #     mod_ssl sends the close notify alert.
    #   o ssl-accurate-shutdown:
    #     This forces an accurate shutdown when the connection is closed, i.e. a
    #     SSL close notify alert is sent and mod_ssl waits for the close notify
    #     alert of the client. This is 100% SSL/TLS standard compliant, but in
    #     practice often causes hanging connections with brain-dead browsers. Use
    #     this only for browsers where you know that their SSL implementation
    #     works correctly.
    #   Notice: Most problems of broken clients are also related to the HTTP
    #   keep-alive facility, so you usually additionally want to disable
    #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
    #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
    #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    #   "force-response-1.0" for this.
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

</VirtualHost>
</IfModule>

   d. Load the SSL Apache module
      i. Type
         1. sudo a2enmod ssl
   e. Restart the Apache service
      i. Type
         1. sudo /etc/init.d/apache2 restart
14. Config files
   a. There are a couple of files that need to be set up for this to work
   b. Edit /var/www/efl/config.php
      i. Open a terminal window
      ii. Type
         1. sudo gedit /var/www/efl/config.php
      iii. Remove all text inside the file
      iv. Replace with this:

<?php
/*
	* Configuration need variables for the Database connection
	*
	* Copyright (C) 2008 Adiscon GmbH.
	*
	* This file is part of phpLogCon.
	*
	* PhpLogCon is free software: you can redistribute it and/or modify
	* it under the terms of the GNU General Public License as published by
	* the Free Software Foundation, either version 3 of the License, or
	* (at your option) any later version.
	*
	* PhpLogCon is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	* GNU General Public License for more details.
	*
	* You should have received a copy of the GNU General Public License
	* along with phpLogCon. If not, see <http://www.gnu.org/licenses/>.
	*
	* A copy of the GPL can be found in the file "COPYING" in this
	* distribution.
	*********************************************************************
*/

// --- Avoid directly accessing this file!
if ( !defined('IN_PHPLOGCON') )
{
	die('Hacking attempt');
	exit;
}
// ---

// --- UserDB options
/* If UserDB is enabled, all options will and have to be configured in the database.
 * All Options below the UserDB options here will not be used, unless a setting
 * is missing in the database.
 */
$CFG['UserDBEnabled'] = true;
$CFG['UserDBServer'] = 'localhost';
$CFG['UserDBPort'] = 3306;
$CFG['UserDBName'] = 'EFL_DB';
$CFG['UserDBPref'] = 'logcon_';
$CFG['UserDBUser'] = 'rsyslog';
$CFG['UserDBPass'] = '1qaz!QAZ';
$CFG['UserDBLoginRequired'] = true;
// ---

// --- Misc Options
$CFG['MiscShowDebugMsg'] = 0;			// if enabled, you will get additional output on certain places
$CFG['MiscDebugToSyslog'] = 0;			// if enabled, debug messages from phpLogCon will be sent to syslog on linux, and into the EventLog on Windows
$CFG['MiscShowDebugGridCounter'] = 0;	// Only for debugging purposes, will add a counter column into the grid!
$CFG["MiscShowPageRenderStats"] = 1;	// If enabled, you will see Pagerender Settings
$CFG['MiscEnableGzipCompression'] = 1;	// If enabled, phplogcon will use gzip compression for output, we recommend
										// to have this option enabled, it will highly reduce bandwidth usage.
$CFG['MiscMaxExecutionTime'] = 30;		// phpLogCon will try to overwrite the default script timeout with this value during runtime!
										// This can of course only work if phpLogCon is allowed to change the script timeout.
$CFG['DebugUserLogin'] = 0;				// if enabled, you will see additional information on failed logins
// ---

// --- Default Frontend Options
$CFG['PrependTitle'] = "";					// If set, this text will be prepended within the title tag
$CFG['ViewUseTodayYesterday'] = 1;			// If enabled, the date from today and yesterday is displayed as "today" and "yesterday"
$CFG['ViewMessageCharacterLimit'] = 80;		// Default character limit for the message before it gets truncated! 0 means NO truncation.
$CFG['ViewStringCharacterLimit'] = 30;		// Default character limit for all other string type fields before they get truncated! 0 means NO truncation.
$CFG['ViewEntriesPerPage'] = 100;			// Default number of syslog entries shown per page
$CFG['ViewEnableDetailPopups'] = 1;			// If enabled, you will see additional Details for each syslog message on mouse over.
$CFG['ViewDefaultTheme'] = "default";		// This sets the default theme the user is going to see when he opens phplogcon the first time.
											// Currently only "default" and "dark" are available.
$CFG['ViewDefaultLanguage'] = "en";			// Sets the default display language
$CFG['ViewEnableAutoReloadSeconds'] = 0;	// If "ViewEnableAutoReloadSeconds" is set to anything higher than 0 (which means disabled), auto reload is enabled by default.

$CFG['SearchCustomButtonCaption'] = "I'd like to feel sad";	// Default caption for the custom fast search button
$CFG['SearchCustomButtonSearch'] = "error";					// Default search string for the custom search button

$CFG['EnableIPAddressResolve'] = 0;			// If enabled, IP Addresses inline messages are automatically resolved and the result is added in brackets {} behind the IP Address
$CFG['SuppressDuplicatedMessages'] = 0;		// If enabled, duplicated messages will be suppressed in the main display.
$CFG['TreatNotFoundFiltersAsTrue'] = 0;		// If you filter / search for messages, and the field you are filtering for is not found, the filter result is treated as TRUE!
$CFG['PopupMenuTimeout'] = 3000;			// This variable defines the default timeout value for popup menus in milliseconds (those menus which pop up when you click on the value of a field).
$CFG['PhplogconLogoUrl'] = "";				// Put an Url to a custom toplogo you want to use.
// ---

// --- Custom HTML Code
$CFG['InjectHtmlHeader'] = "";		// Use this variable to inject custom html into the <head> area!
$CFG['InjectBodyHeader'] = "";		// Use this variable to inject custom html into the begin of the <body> area!
$CFG['InjectBodyFooter'] = "";		// Use this variable to inject custom html into the end of the <body> area!
// ---

// --- Define which fields you want to see
//$CFG['ShowMessage'] = true;		// If enabled, the Message column will be appended to the columns list.
//Eventlog based fields:
$CFG['Columns'] = array ( SYSLOG_DATE, SYSLOG_HOST, SYSLOG_EVENT_LOGTYPE, SYSLOG_EVENT_SOURCE, /*SYSLOG_EVENT_CATEGORY, */SYSLOG_EVENT_ID, SYSLOG_MESSAGE );
//$CFG['Columns'] = array ( SYSLOG_DATE, SYSLOG_FACILITY, SYSLOG_SEVERITY, SYSLOG_HOST, SYSLOG_SYSLOGTAG, SYSLOG_MESSAGETYPE, SYSLOG_MESSAGE );
$CFG['DefaultViewsID'] = "";
// ---

// --- Predefined Searches!
$CFG['Search'][] = array ( "DisplayName" => "Syslog Warnings and Errors", "SearchQuery" => "filter=severity%3A0%2C1%2C2%2C3%2C4&search=Search" );
$CFG['Search'][] = array ( "DisplayName" => "Syslog Errors", "SearchQuery" => "filter=severity%3A0%2C1%2C2%2C3&search=Search" );
$CFG['Search'][] = array ( "DisplayName" => "All messages from the last hour", "SearchQuery" => "filter=datelastx%3A1&search=Search" );
$CFG['Search'][] = array ( "DisplayName" => "All messages from last 12 hours", "SearchQuery" => "filter=datelastx%3A2&search=Search" );
$CFG['Search'][] = array ( "DisplayName" => "All messages from last 24 hours", "SearchQuery" => "filter=datelastx%3A3&search=Search" );
$CFG['Search'][] = array ( "DisplayName" => "All messages from last 7 days", "SearchQuery" => "filter=datelastx%3A4&search=Search" );
$CFG['Search'][] = array ( "DisplayName" => "All messages from last 31 days", "SearchQuery" => "filter=datelastx%3A5&search=Search" );
// $CFG['Search'][] = array ( "DisplayName" => "", "SearchQuery" => "" );
// ---

// --- Predefined Charts!
$CFG['Charts'][] = array ( "DisplayName" => "Top Hosts", "chart_type" => CHART_BARS_HORIZONTAL, "chart_width" => 400, "chart_field" => SYSLOG_HOST, "maxrecords" => 10, "showpercent" => 0, "chart_enabled" => 1 );
$CFG['Charts'][] = array ( "DisplayName" => "SyslogTags", "chart_type" => CHART_CAKE, "chart_width" => 400, "chart_field" => SYSLOG_SYSLOGTAG, "maxrecords" => 10, "showpercent" => 0, "chart_enabled" => 1 );
$CFG['Charts'][] = array ( "DisplayName" => "Severity Occurences", "chart_type" => CHART_BARS_VERTICAL, "chart_width" => 400, "chart_field" => SYSLOG_SEVERITY, "maxrecords" => 10, "showpercent" => 1, "chart_enabled" => 1 );
$CFG['Charts'][] = array ( "DisplayName" => "Usage by Day", "chart_type" => CHART_CAKE, "chart_width" => 400, "chart_field" => SYSLOG_DATE, "maxrecords" => 10, "showpercent" => 1, "chart_enabled" => 1 );
// ---

// --- Source Options
/* Example for DiskType Source:
$CFG['Sources']['Source1']['ID'] = "Source1";
$CFG['Sources']['Source1']['Name'] = "Syslog Disk File";
$CFG['Sources']['Source1']['Description'] = "More details you want to see about this source";
$CFG['Sources']['Source1']['SourceType'] = SOURCE_DISK;
$CFG['Sources']['Source1']['LogLineType'] = "syslog";
$CFG['Sources']['Source1']['MsgParserList'] = "";
$CFG['Sources']['Source1']['MsgNormalize'] = 0;
$CFG['Sources']['Source1']['DiskFile'] = "/var/log/syslog";
$CFG['Sources']['Source1']['ViewID'] = "SYSLOG";

$CFG['Sources']['Source2']['ID'] = "Source5";
$CFG['Sources']['Source2']['Name'] = "WinSyslog DB";
$CFG['Sources']['Source1']['Description'] = "";
$CFG['Sources']['Source2']['SourceType'] = SOURCE_DB;
$CFG['Sources']['Source1']['MsgParserList'] = "";
$CFG['Sources']['Source2']['DBTableType'] = "winsyslog";
$CFG['Sources']['Source2']['DBType'] = DB_MYSQL;
$CFG['Sources']['Source2']['DBServer'] = "localhost";
$CFG['Sources']['Source2']['DBName'] = "phplogcon";
$CFG['Sources']['Source2']['DBUser'] = "root";
$CFG['Sources']['Source2']['DBPassword'] = "";
$CFG['Sources']['Source2']['DBTableName'] = "systemevents";
$CFG['Sources']['Source2']['ViewID'] = "SYSLOG";
*/

$CFG['DefaultSourceID'] = 'Source1';

$CFG['Sources']['Source1']['ID'] = 'Source1';
$CFG['Sources']['Source1']['Name'] = 'My Syslog Source';
$CFG['Sources']['Source1']['ViewID'] = 'SYSLOG';
$CFG['Sources']['Source1']['SourceType'] = SOURCE_DB;
$CFG['Sources']['Source1']['DBTableType'] = 'monitorware';
$CFG['Sources']['Source1']['DBType'] = DB_MYSQL;
$CFG['Sources']['Source1']['DBServer'] = 'localhost';
$CFG['Sources']['Source1']['DBName'] = 'EFL_DB';
$CFG['Sources']['Source1']['DBUser'] = 'rsyslog';
$CFG['Sources']['Source1']['DBPassword'] = '1qaz!QAZ';
$CFG['Sources']['Source1']['DBTableName'] = 'EFL_FWLOGS_TBL';
$CFG['Sources']['Source1']['DBEnableRowCounting'] = false;

// ---

?>

   c. Edit /etc/php5/apache2/php.ini to avoid memory allocation issues
      i. Open a terminal window
      ii. Type
         1. sudo gedit /etc/php5/apache2/php.ini
      iii. Modify the memory_limit to this:
         1. memory_limit = 48M
   d. Edit /var/www/efl/include/constants_logstream.php
      i. Open a terminal window
         1. Type
            a. sudo gedit /var/www/efl/include/constants_logstream.php
         2. Remove all text inside the file
         3. Replace with this:

<?php
/*
	* www.phplogcon.org <-
	*
	* -----------------------------------------------------------------
	*
	* Some constants
	*
	*
	*
	* -> Stuff which has to be static and predefined
	*
	*
	*
	* All directives are explained within this file
	*
	*
	* Copyright (C) 2008 Adiscon GmbH.
	*
	* This file is part of phpLogCon.
	*
	* PhpLogCon is free software: you can redistribute it and/or modify
	* it under the terms of the GNU General Public License as published by
	* the Free Software Foundation, either version 3 of the License, or
	* (at your option) any later version.
	*
	* PhpLogCon is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	* GNU General Public License for more details.
	*
	* You should have received a copy of the GNU General Public License
	* along with phpLogCon. If not, see <http://www.gnu.org/licenses/>.
	*
	* A copy of the GPL can be found in the file "COPYING" in this
	* distribution.
	*********************************************************************
*/

// --- Avoid directly accessing this file!
if ( !defined('IN_PHPLOGCON') )
{
	die('Hacking attempt');
	exit;
}
// ---

// --- Define properties names of all known fields
define('SYSLOG_UID', 'uID');
define('SYSLOG_DATE', 'timereported');
define('SYSLOG_HOST', 'FROMHOST');
define('SYSLOG_MESSAGETYPE', 'IUT');
define('SYSLOG_MESSAGE', 'msg');

// Syslog specific
define('SYSLOG_FACILITY', 'syslogfacility');
define('SYSLOG_SEVERITY', 'syslogseverity');
define('SYSLOG_SYSLOGTAG', 'syslogtag');
define('SYSLOG_PROCESSID', 'procid');

// EventLog specific
define('SYSLOG_EVENT_ID', 'id');
define('SYSLOG_EVENT_LOGTYPE', 'NTEventLogType');
define('SYSLOG_EVENT_SOURCE', 'sourceproc');
define('SYSLOG_EVENT_CATEGORY', 'category');
define('SYSLOG_EVENT_USER', 'user');

// Weblog specific
define('SYSLOG_WEBLOG_USER', 'http_user');
define('SYSLOG_WEBLOG_METHOD', 'http_method');
define('SYSLOG_WEBLOG_URL', 'http_url');
define('SYSLOG_WEBLOG_QUERYSTRING', 'http_querystring');
define('SYSLOG_WEBLOG_PVER', 'http_ver');
define('SYSLOG_WEBLOG_STATUS', 'http_status');
define('SYSLOG_WEBLOG_BYTESSEND', 'http_bytessend');
define('SYSLOG_WEBLOG_REFERER', 'http_referer');
define('SYSLOG_WEBLOG_USERAGENT', 'http_useragent');
// ---

// Define possible FIELD Types
define('FILTER_TYPE_STRING', 0);
define('FILTER_TYPE_NUMBER', 1);
define('FILTER_TYPE_DATE', 2);
define('FILTER_TYPE_UNKNOWN', 99);

// Define possible alignments
define('ALIGN_CENTER', 'center');
define('ALIGN_LEFT', 'left');
define('ALIGN_RIGHT', 'right');

// ‐‐‐ Predefine fields array! $fields[SYSLOG_UID]['FieldID'] = SYSLOG_UID; $fields[SYSLOG_UID]['FieldDefine'] = 'SYSLOG_UID'; $fields[SYSLOG_UID]['FieldCaption'] = 'uID'; $fields[SYSLOG_UID]['FieldType'] = FILTER_TYPE_NUMBER; $fields[SYSLOG_UID]['Sortable'] = false; $fields[SYSLOG_UID]['DefaultWidth'] = "50"; $fields[SYSLOG_UID]['FieldAlign'] = "center"; $fields[SYSLOG_UID]['SearchOnline'] = false; $fields[SYSLOG_DATE]['FieldID'] = SYSLOG_DATE; $fields[SYSLOG_DATE]['FieldDefine'] = 'SYSLOG_DATE'; $fields[SYSLOG_DATE]['FieldCaption'] = 'Date'; Page 81 of 93 Ubuntu Firewall Project v1.0 (2010.02.28) Author: Brandt Winchell $fields[SYSLOG_DATE]['FieldType'] = FILTER_TYPE_DATE; $fields[SYSLOG_DATE]['Sortable'] = true; $fields[SYSLOG_DATE]['DefaultWidth'] = "115"; $fields[SYSLOG_DATE]['FieldAlign'] = "center"; $fields[SYSLOG_DATE]['SearchOnline'] = false; $fields[SYSLOG_HOST]['FieldID'] = SYSLOG_HOST; $fields[SYSLOG_HOST]['FieldDefine'] = 'SYSLOG_HOST'; $fields[SYSLOG_HOST]['FieldCaption'] = 'Host'; $fields[SYSLOG_HOST]['FieldType'] = FILTER_TYPE_STRING; $fields[SYSLOG_HOST]['Sortable'] = true; $fields[SYSLOG_HOST]['DefaultWidth'] = "80"; $fields[SYSLOG_HOST]['FieldAlign'] = "left"; $fields[SYSLOG_HOST]['SearchField'] = "source"; $fields[SYSLOG_HOST]['SearchOnline'] = false; $fields[SYSLOG_MESSAGETYPE]['FieldID'] = SYSLOG_MESSAGETYPE; $fields[SYSLOG_MESSAGETYPE]['FieldDefine'] = 'SYSLOG_MESSAGETYPE'; $fields[SYSLOG_MESSAGETYPE]['FieldCaption'] = 'Messagetype'; $fields[SYSLOG_MESSAGETYPE]['FieldType'] = FILTER_TYPE_NUMBER; $fields[SYSLOG_MESSAGETYPE]['Sortable'] = true; $fields[SYSLOG_MESSAGETYPE]['DefaultWidth'] = "90"; $fields[SYSLOG_MESSAGETYPE]['FieldAlign'] = "center"; $fields[SYSLOG_MESSAGETYPE]['SearchField'] = "messagetype"; $fields[SYSLOG_MESSAGETYPE]['SearchOnline'] = false;

// Syslog specific $fields[SYSLOG_FACILITY]['FieldID'] = SYSLOG_FACILITY; $fields[SYSLOG_FACILITY]['FieldDefine'] = 'SYSLOG_FACILITY'; $fields[SYSLOG_FACILITY]['FieldCaption'] = 'Facility'; $fields[SYSLOG_FACILITY]['FieldType'] = FILTER_TYPE_NUMBER; $fields[SYSLOG_FACILITY]['Sortable'] = true; $fields[SYSLOG_FACILITY]['DefaultWidth'] = "50"; $fields[SYSLOG_FACILITY]['FieldAlign'] = "center"; $fields[SYSLOG_FACILITY]['SearchField'] = "facility"; Page 82 of 93 Ubuntu Firewall Project v1.0 (2010.02.28) Author: Brandt Winchell $fields[SYSLOG_FACILITY]['SearchOnline'] = true; $fields[SYSLOG_SEVERITY]['FieldID'] = SYSLOG_SEVERITY; $fields[SYSLOG_SEVERITY]['FieldDefine'] = 'SYSLOG_SEVERITY'; $fields[SYSLOG_SEVERITY]['FieldCaption'] = 'Severity'; $fields[SYSLOG_SEVERITY]['FieldType'] = FILTER_TYPE_NUMBER; $fields[SYSLOG_SEVERITY]['Sortable'] = true; $fields[SYSLOG_SEVERITY]['DefaultWidth'] = "50"; $fields[SYSLOG_SEVERITY]['FieldAlign'] = "center"; $fields[SYSLOG_SEVERITY]['SearchField'] = "severity"; $fields[SYSLOG_SEVERITY]['SearchOnline'] = true; $fields[SYSLOG_SYSLOGTAG]['FieldID'] = SYSLOG_SYSLOGTAG; $fields[SYSLOG_SYSLOGTAG]['FieldDefine'] = 'SYSLOG_SYSLOGTAG'; $fields[SYSLOG_SYSLOGTAG]['FieldCaption'] = 'Syslogtag'; $fields[SYSLOG_SYSLOGTAG]['FieldType'] = FILTER_TYPE_STRING; $fields[SYSLOG_SYSLOGTAG]['Sortable'] = true; $fields[SYSLOG_SYSLOGTAG]['DefaultWidth'] = "85"; $fields[SYSLOG_SYSLOGTAG]['FieldAlign'] = "left"; $fields[SYSLOG_SYSLOGTAG]['SearchField'] = "syslogtag"; $fields[SYSLOG_SYSLOGTAG]['SearchOnline'] = true; $fields[SYSLOG_PROCESSID]['FieldID'] = SYSLOG_PROCESSID; $fields[SYSLOG_PROCESSID]['FieldDefine'] = 'SYSLOG_PROCESSID'; $fields[SYSLOG_PROCESSID]['FieldCaption'] = 'ProcessID'; $fields[SYSLOG_PROCESSID]['FieldType'] = FILTER_TYPE_STRING; $fields[SYSLOG_PROCESSID]['Sortable'] = true; $fields[SYSLOG_PROCESSID]['DefaultWidth'] = "65"; $fields[SYSLOG_PROCESSID]['FieldAlign'] = "center"; $fields[SYSLOG_PROCESSID]['SearchField'] = "processid"; 
$fields[SYSLOG_PROCESSID]['SearchOnline'] = false;

// EventLog specific $fields[SYSLOG_EVENT_ID]['FieldID'] = SYSLOG_EVENT_ID; $fields[SYSLOG_EVENT_ID]['FieldDefine'] = 'SYSLOG_EVENT_ID'; $fields[SYSLOG_EVENT_ID]['FieldCaption'] = 'Event ID'; Page 83 of 93 Ubuntu Firewall Project v1.0 (2010.02.28) Author: Brandt Winchell $fields[SYSLOG_EVENT_ID]['FieldType'] = FILTER_TYPE_NUMBER; $fields[SYSLOG_EVENT_ID]['Sortable'] = true; $fields[SYSLOG_EVENT_ID]['DefaultWidth'] = "65"; $fields[SYSLOG_EVENT_ID]['FieldAlign'] = "center"; $fields[SYSLOG_EVENT_ID]['SearchField'] = "eventid"; $fields[SYSLOG_EVENT_ID]['SearchOnline'] = true; $fields[SYSLOG_EVENT_LOGTYPE]['FieldID'] = SYSLOG_EVENT_LOGTYPE; $fields[SYSLOG_EVENT_LOGTYPE]['FieldDefine'] = 'SYSLOG_EVENT_LOGTYPE'; $fields[SYSLOG_EVENT_LOGTYPE]['FieldCaption'] = 'Eventlog Type'; $fields[SYSLOG_EVENT_LOGTYPE]['FieldType'] = FILTER_TYPE_STRING; $fields[SYSLOG_EVENT_LOGTYPE]['Sortable'] = true; $fields[SYSLOG_EVENT_LOGTYPE]['DefaultWidth'] = "100"; $fields[SYSLOG_EVENT_LOGTYPE]['FieldAlign'] = "left"; $fields[SYSLOG_EVENT_LOGTYPE]['SearchField'] = "eventlogtype"; $fields[SYSLOG_EVENT_LOGTYPE]['SearchOnline'] = true; $fields[SYSLOG_EVENT_SOURCE]['FieldID'] = SYSLOG_EVENT_SOURCE; $fields[SYSLOG_EVENT_SOURCE]['FieldDefine'] = 'SYSLOG_EVENT_SOURCE'; $fields[SYSLOG_EVENT_SOURCE]['FieldCaption'] = 'Event Source'; $fields[SYSLOG_EVENT_SOURCE]['FieldType'] = FILTER_TYPE_STRING; $fields[SYSLOG_EVENT_SOURCE]['Sortable'] = true; $fields[SYSLOG_EVENT_SOURCE]['DefaultWidth'] = "100"; $fields[SYSLOG_EVENT_SOURCE]['FieldAlign'] = "left"; $fields[SYSLOG_EVENT_SOURCE]['SearchField'] = "eventlogsource"; $fields[SYSLOG_EVENT_SOURCE]['SearchOnline'] = true; $fields[SYSLOG_EVENT_CATEGORY]['FieldID'] = SYSLOG_EVENT_CATEGORY; $fields[SYSLOG_EVENT_CATEGORY]['FieldDefine'] = 'SYSLOG_EVENT_CATEGORY'; $fields[SYSLOG_EVENT_CATEGORY]['FieldCaption'] = 'Event Category'; $fields[SYSLOG_EVENT_CATEGORY]['FieldType'] = FILTER_TYPE_NUMBER; $fields[SYSLOG_EVENT_CATEGORY]['Sortable'] = true; 
$fields[SYSLOG_EVENT_CATEGORY]['DefaultWidth'] = "50"; $fields[SYSLOG_EVENT_CATEGORY]['FieldAlign'] = "center"; $fields[SYSLOG_EVENT_CATEGORY]['SearchField'] = "eventcategory"; $fields[SYSLOG_EVENT_CATEGORY]['SearchOnline'] = false; Page 84 of 93 Ubuntu Firewall Project v1.0 (2010.02.28) Author: Brandt Winchell $fields[SYSLOG_EVENT_USER]['FieldID'] = SYSLOG_EVENT_USER; $fields[SYSLOG_EVENT_USER]['FieldDefine'] = 'SYSLOG_EVENT_USER'; $fields[SYSLOG_EVENT_USER]['FieldCaption'] = 'Event User'; $fields[SYSLOG_EVENT_USER]['FieldType'] = FILTER_TYPE_STRING; $fields[SYSLOG_EVENT_USER]['Sortable'] = true; $fields[SYSLOG_EVENT_USER]['DefaultWidth'] = "85"; $fields[SYSLOG_EVENT_USER]['FieldAlign'] = "left"; $fields[SYSLOG_EVENT_USER]['SearchField'] = "eventuser"; $fields[SYSLOG_EVENT_USER]['SearchOnline'] = false;

// Weblogfile specific
$fields[SYSLOG_WEBLOG_USER]['FieldID'] = SYSLOG_WEBLOG_USER;
$fields[SYSLOG_WEBLOG_USER]['FieldDefine'] = 'SYSLOG_WEBLOG_USER';
$fields[SYSLOG_WEBLOG_USER]['FieldCaption'] = 'HTTP User';
$fields[SYSLOG_WEBLOG_USER]['FieldType'] = FILTER_TYPE_STRING;
$fields[SYSLOG_WEBLOG_USER]['Sortable'] = false;
$fields[SYSLOG_WEBLOG_USER]['DefaultWidth'] = "75";
$fields[SYSLOG_WEBLOG_USER]['FieldAlign'] = "left";
$fields[SYSLOG_WEBLOG_USER]['SearchField'] = SYSLOG_WEBLOG_USER;
$fields[SYSLOG_WEBLOG_USER]['SearchOnline'] = false;

$fields[SYSLOG_WEBLOG_METHOD]['FieldID'] = SYSLOG_WEBLOG_METHOD;
$fields[SYSLOG_WEBLOG_METHOD]['FieldDefine'] = 'SYSLOG_WEBLOG_METHOD';
$fields[SYSLOG_WEBLOG_METHOD]['FieldCaption'] = 'Method';
$fields[SYSLOG_WEBLOG_METHOD]['FieldType'] = FILTER_TYPE_STRING;
$fields[SYSLOG_WEBLOG_METHOD]['Sortable'] = false;
$fields[SYSLOG_WEBLOG_METHOD]['DefaultWidth'] = "50";
$fields[SYSLOG_WEBLOG_METHOD]['FieldAlign'] = "center";
$fields[SYSLOG_WEBLOG_METHOD]['SearchField'] = SYSLOG_WEBLOG_METHOD;
$fields[SYSLOG_WEBLOG_METHOD]['SearchOnline'] = false;

$fields[SYSLOG_WEBLOG_URL]['FieldID'] = SYSLOG_WEBLOG_URL;
$fields[SYSLOG_WEBLOG_URL]['FieldDefine'] = 'SYSLOG_WEBLOG_URL';
$fields[SYSLOG_WEBLOG_URL]['FieldCaption'] = 'URL';
$fields[SYSLOG_WEBLOG_URL]['FieldType'] = FILTER_TYPE_STRING;
$fields[SYSLOG_WEBLOG_URL]['Sortable'] = false;
$fields[SYSLOG_WEBLOG_URL]['DefaultWidth'] = "200";
$fields[SYSLOG_WEBLOG_URL]['FieldAlign'] = "left";
$fields[SYSLOG_WEBLOG_URL]['SearchField'] = SYSLOG_WEBLOG_URL;
$fields[SYSLOG_WEBLOG_URL]['SearchOnline'] = false;

$fields[SYSLOG_WEBLOG_QUERYSTRING]['FieldID'] = SYSLOG_WEBLOG_QUERYSTRING;
$fields[SYSLOG_WEBLOG_QUERYSTRING]['FieldDefine'] = 'SYSLOG_WEBLOG_QUERYSTRING';
$fields[SYSLOG_WEBLOG_QUERYSTRING]['FieldCaption'] = 'Querystring';
$fields[SYSLOG_WEBLOG_QUERYSTRING]['FieldType'] = FILTER_TYPE_STRING;
$fields[SYSLOG_WEBLOG_QUERYSTRING]['Sortable'] = false;
$fields[SYSLOG_WEBLOG_QUERYSTRING]['DefaultWidth'] = "200";
$fields[SYSLOG_WEBLOG_QUERYSTRING]['FieldAlign'] = "left";
$fields[SYSLOG_WEBLOG_QUERYSTRING]['SearchField'] = SYSLOG_WEBLOG_QUERYSTRING;
$fields[SYSLOG_WEBLOG_QUERYSTRING]['SearchOnline'] = false;

$fields[SYSLOG_WEBLOG_PVER]['FieldID'] = SYSLOG_WEBLOG_PVER;
$fields[SYSLOG_WEBLOG_PVER]['FieldDefine'] = 'SYSLOG_WEBLOG_PVER';
$fields[SYSLOG_WEBLOG_PVER]['FieldCaption'] = 'Version';
$fields[SYSLOG_WEBLOG_PVER]['FieldType'] = FILTER_TYPE_STRING;
$fields[SYSLOG_WEBLOG_PVER]['Sortable'] = false;
$fields[SYSLOG_WEBLOG_PVER]['DefaultWidth'] = "50";
$fields[SYSLOG_WEBLOG_PVER]['FieldAlign'] = "center";
$fields[SYSLOG_WEBLOG_PVER]['SearchField'] = SYSLOG_WEBLOG_PVER;
$fields[SYSLOG_WEBLOG_PVER]['SearchOnline'] = false;

$fields[SYSLOG_WEBLOG_STATUS]['FieldID'] = SYSLOG_WEBLOG_STATUS;
$fields[SYSLOG_WEBLOG_STATUS]['FieldDefine'] = 'SYSLOG_WEBLOG_STATUS';
$fields[SYSLOG_WEBLOG_STATUS]['FieldCaption'] = 'Status';
$fields[SYSLOG_WEBLOG_STATUS]['FieldType'] = FILTER_TYPE_NUMBER;
$fields[SYSLOG_WEBLOG_STATUS]['Sortable'] = false;
$fields[SYSLOG_WEBLOG_STATUS]['DefaultWidth'] = "50";
$fields[SYSLOG_WEBLOG_STATUS]['FieldAlign'] = "center";
$fields[SYSLOG_WEBLOG_STATUS]['SearchField'] = SYSLOG_WEBLOG_STATUS;
$fields[SYSLOG_WEBLOG_STATUS]['SearchOnline'] = false;

$fields[SYSLOG_WEBLOG_BYTESSEND]['FieldID'] = SYSLOG_WEBLOG_BYTESSEND;
$fields[SYSLOG_WEBLOG_BYTESSEND]['FieldDefine'] = 'SYSLOG_WEBLOG_BYTESSEND';
$fields[SYSLOG_WEBLOG_BYTESSEND]['FieldCaption'] = 'Bytes Send';
$fields[SYSLOG_WEBLOG_BYTESSEND]['FieldType'] = FILTER_TYPE_NUMBER;
$fields[SYSLOG_WEBLOG_BYTESSEND]['Sortable'] = false;
$fields[SYSLOG_WEBLOG_BYTESSEND]['DefaultWidth'] = "75";
$fields[SYSLOG_WEBLOG_BYTESSEND]['FieldAlign'] = "left";
$fields[SYSLOG_WEBLOG_BYTESSEND]['SearchField'] = SYSLOG_WEBLOG_BYTESSEND;
$fields[SYSLOG_WEBLOG_BYTESSEND]['SearchOnline'] = false;

$fields[SYSLOG_WEBLOG_REFERER]['FieldID'] = SYSLOG_WEBLOG_REFERER;
$fields[SYSLOG_WEBLOG_REFERER]['FieldDefine'] = 'SYSLOG_WEBLOG_REFERER';
$fields[SYSLOG_WEBLOG_REFERER]['FieldCaption'] = 'Referer';
$fields[SYSLOG_WEBLOG_REFERER]['FieldType'] = FILTER_TYPE_STRING;
$fields[SYSLOG_WEBLOG_REFERER]['Sortable'] = false;
$fields[SYSLOG_WEBLOG_REFERER]['DefaultWidth'] = "200";
$fields[SYSLOG_WEBLOG_REFERER]['FieldAlign'] = "left";
$fields[SYSLOG_WEBLOG_REFERER]['SearchField'] = SYSLOG_WEBLOG_REFERER;
$fields[SYSLOG_WEBLOG_REFERER]['SearchOnline'] = true;

$fields[SYSLOG_WEBLOG_USERAGENT]['FieldID'] = SYSLOG_WEBLOG_USERAGENT;
$fields[SYSLOG_WEBLOG_USERAGENT]['FieldDefine'] = 'SYSLOG_WEBLOG_USERAGENT';
$fields[SYSLOG_WEBLOG_USERAGENT]['FieldCaption'] = 'User Agent';
$fields[SYSLOG_WEBLOG_USERAGENT]['FieldType'] = FILTER_TYPE_STRING;
$fields[SYSLOG_WEBLOG_USERAGENT]['Sortable'] = false;
$fields[SYSLOG_WEBLOG_USERAGENT]['DefaultWidth'] = "100";
$fields[SYSLOG_WEBLOG_USERAGENT]['FieldAlign'] = "left";
$fields[SYSLOG_WEBLOG_USERAGENT]['SearchField'] = SYSLOG_WEBLOG_USERAGENT;
$fields[SYSLOG_WEBLOG_USERAGENT]['SearchOnline'] = true;

// Message is the last element, this order is important for the Detail page for now!
$fields[SYSLOG_MESSAGE]['FieldID'] = SYSLOG_MESSAGE;
$fields[SYSLOG_MESSAGE]['FieldDefine'] = 'SYSLOG_MESSAGE';
$fields[SYSLOG_MESSAGE]['FieldCaption'] = 'Message';
$fields[SYSLOG_MESSAGE]['FieldType'] = FILTER_TYPE_STRING;
$fields[SYSLOG_MESSAGE]['Sortable'] = false;
$fields[SYSLOG_MESSAGE]['DefaultWidth'] = "100%";
$fields[SYSLOG_MESSAGE]['FieldAlign'] = "left";
$fields[SYSLOG_MESSAGE]['SearchField'] = "";
$fields[SYSLOG_MESSAGE]['SearchOnline'] = false;
// ---

// --- Define default Database field mappings!
$dbmapping['monitorware']['ID'] = "monitorware";
$dbmapping['monitorware']['DisplayName'] = "MonitorWare";
$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_UID] = "ID";
$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_DATE] = "DeviceReportedTime";
$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_HOST] = "FromHost";
$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_MESSAGETYPE] = "InfoUnitID";
$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_MESSAGE] = "Message";
$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_FACILITY] = "Facility";
$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_SEVERITY] = "Priority";
$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_SYSLOGTAG] = "SysLogTag";
$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_EVENT_ID] = "EventID";
$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_EVENT_LOGTYPE] = "EventLogType";
$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_EVENT_SOURCE] = "EventSource";
$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_EVENT_CATEGORY] = "EventCategory";
$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_EVENT_USER] = "EventUser";
//$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_PROCESSID] = "ProcessID";

// The 'efl' mapping is the one added for this project: it points phpLogCon
// at the columns of the firewall log table that rsyslog fills.
$dbmapping['efl']['ID'] = "efl";
$dbmapping['efl']['DisplayName'] = "EFL";
$dbmapping['efl']['DBMAPPINGS'][SYSLOG_UID] = "ID";
$dbmapping['efl']['DBMAPPINGS'][SYSLOG_DATE] = "DATE";
$dbmapping['efl']['DBMAPPINGS'][EFL_TIME] = "TIME";
$dbmapping['efl']['DBMAPPINGS'][EFL_SYSTEM] = "SYSTEM";
$dbmapping['efl']['DBMAPPINGS'][EFL_ACTION] = "ACTION";
$dbmapping['efl']['DBMAPPINGS'][EFL_RULE] = "RULE";
$dbmapping['efl']['DBMAPPINGS'][EFL_SRC_IP] = "SRC_IP";
$dbmapping['efl']['DBMAPPINGS'][EFL_SRC_PORT] = "SRC_PORT";
$dbmapping['efl']['DBMAPPINGS'][EFL_PROTO] = "PROTO";
$dbmapping['efl']['DBMAPPINGS'][EFL_INT_OUT] = "INT_OUT";
$dbmapping['efl']['DBMAPPINGS'][EFL_DST_IP] = "DST_IP";
$dbmapping['efl']['DBMAPPINGS'][EFL_DST_PORT] = "DST_PORT";
$dbmapping['efl']['DBMAPPINGS'][EFL_MAC] = "MAC";
$dbmapping['efl']['DBMAPPINGS'][EFL_TOS] = "TOS";
$dbmapping['efl']['DBMAPPINGS'][EFL_TTL] = "TTL";
$dbmapping['efl']['DBMAPPINGS'][EFL_SEQ] = "SEQ";
$dbmapping['efl']['DBMAPPINGS'][SYSLOG_MESSAGE] = "MSG";
//$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_PROCESSID] = "ProcessID";

$dbmapping['syslogng']['ID'] = "syslogng";
$dbmapping['syslogng']['DisplayName'] = "SyslogNG";
$dbmapping['syslogng']['DBMAPPINGS'][SYSLOG_UID] = "seq";
$dbmapping['syslogng']['DBMAPPINGS'][SYSLOG_DATE] = "datetime";
$dbmapping['syslogng']['DBMAPPINGS'][SYSLOG_HOST] = "host";
$dbmapping['syslogng']['DBMAPPINGS'][SYSLOG_MESSAGE] = "msg";
//NOT POSSIBLE YET $dbmapping['syslogng'][SYSLOG_FACILITY] = "Facility";
//NOT POSSIBLE YET $dbmapping['syslogng'][SYSLOG_SEVERITY] = "Priority";
$dbmapping['syslogng']['DBMAPPINGS'][SYSLOG_SYSLOGTAG] = "tag";
$dbmapping['syslogng']['DBMAPPINGS'][SYSLOG_PROCESSID] = "program";

// Convert all fieldnames to lowercase to avoid problems with case sensitive array keys later
foreach( $dbmapping as &$myMapping )
{
	foreach( $myMapping['DBMAPPINGS'] as &$myField )
		$myField = strtolower($myField);
}

// ---

// EventTime Constants
define('EVTIME_TIMESTAMP', '0');
define('EVTIME_TIMEZONE', '1');
define('EVTIME_MICROSECONDS', '2');

?>
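The efl mapping above only works if every column name it refers to exists in the table that rsyslog writes the firewall messages to. phpLogCon lowercases the names before it uses them (the strtolower loop), so a difference in case is harmless, but a typo in config.php or a column left out of the table's CREATE TABLE statement makes the viewer fail on that field. The script below is an added example, not code from the document or from phpLogCon: it pulls the column names out of the efl mapping in a config.php, lowercases them the way phpLogCon does, and checks them against a list of real column names. The config excerpt and column list it embeds are constructed samples; in practice point it at your config.php and at the output of SHOW COLUMNS for your firewall log table.

```shell
#!/bin/sh
# Added example, not part of the original document or of phpLogCon:
# cross-check the column names that config.php's $dbmapping['efl'] refers to
# against the columns that really exist in the firewall log table.
# phpLogCon lowercases every mapped column name (the strtolower loop in
# config.php), so the comparison here is case-insensitive as well.
set -eu

# Print, one per line and lowercased, the column names referenced by the
# 'efl' mapping in the phpLogCon config.php given as $1.
# Commented-out lines (starting with //) do not match the ^ anchor and are skipped.
efl_mapped_columns() {
    sed -n 's/^[[:space:]]*[$]dbmapping\[.efl.]\[.DBMAPPINGS.]\[[A-Z_]*][[:space:]]*=[[:space:]]*"\([^"]*\)";.*/\1/p' "$1" \
        | tr 'A-Z' 'a-z'
}

# $1 = config.php, $2 = file with one real column name per line
# (in practice:  mysql -N -e "SHOW COLUMNS FROM <your efl table>" <db> | cut -f1 ).
# Prints every mapped column that the table lacks; returns 1 if any is missing.
check_efl_mapping() {
    missing=0
    actual=$(tr 'A-Z' 'a-z' < "$2")
    for col in $(efl_mapped_columns "$1"); do
        if ! printf '%s\n' "$actual" | grep -qxF "$col"; then
            echo "missing column: $col"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample inputs (an excerpt in the shape of the document's efl
# mapping and a made-up column list); both are written into directory $1.
write_sample_inputs() {
    cat > "$1/config.php" <<'EOF'
$dbmapping['efl']['ID'] = "efl";
$dbmapping['efl']['DBMAPPINGS'][SYSLOG_UID] = "ID";
$dbmapping['efl']['DBMAPPINGS'][SYSLOG_DATE] = "DATE";
$dbmapping['efl']['DBMAPPINGS'][EFL_SRC_IP] = "SRC_IP";
$dbmapping['efl']['DBMAPPINGS'][SYSLOG_MESSAGE] = "MSG";
//$dbmapping['monitorware']['DBMAPPINGS'][SYSLOG_PROCESSID] = "ProcessID";
EOF
    printf 'ID\nDATE\nTIME\nSRC_IP\nMSG\n' > "$1/columns.txt"
}

# Stand-alone run against the constructed samples.
sample_dir=$(mktemp -d)
write_sample_inputs "$sample_dir"
if check_efl_mapping "$sample_dir/config.php" "$sample_dir/columns.txt"; then
    echo "every column referenced by the efl mapping exists"
fi
```

Replace the sample with your own files once the viewer is installed: the column list is what SHOW COLUMNS returns for the firewall log table, and the config.php is the one edited in the steps above. A non-zero exit with one or more "missing column" lines means the mapping and the table disagree and the viewer will not show that field.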

15. First time configuration
   a. Open Firefox (web browser)
   b. Navigate to https://127.0.0.1/efl
      i. You will be prompted with "Secure Connection Failed", because the site's certificate is not signed by a CA your browser trusts. At the bottom of the page you will see the hyperlink "or you can add an exception". Click the link
      ii. Click Add Exception
      iii. Add Security Exception
         1. Click Get Certificate
         2. Click Confirm Security Exception
   c. You will see a login prompt
      i. User: fwadmin
      ii. Password: fwadmin
      iii. These are the bootstrap credentials for the viewer; change the password as soon as you have confirmed that the login works
   d. You should now see the phpLogCon main window (screenshot in the original document)


   e. The one record already in the table is only there to show you that all the pieces are in place
   f. To see real entries you have to push a firewall policy out to the firewall and generate traffic
      i. E.g. try to ping the firewall from another machine. If your policy denies and logs that traffic, this creates Deny entries and you should be able to see them in your log viewer

Configure Log Rotation

Firewall Log Rotation
1. Log into the Firewall system
2. Open a terminal window
3. Create and configure the file efl
   a. Type

      sudo sh -c "cat >> /etc/logrotate.d/efl" << EOF
      /var/log/efl.log
      {
          rotate 7
          daily
          missingok
          notifempty
          delaycompress
          compress
          postrotate
              invoke-rc.d rsyslog reload > /dev/null
          endscript
      }
      EOF

   b. The path on the first line must match the log file your rsyslog rule writes the firewall messages to. The ">>" appends to the file, so run the command only once; a second run leaves a duplicate stanza. You can check the result without rotating anything with "sudo logrotate -d /etc/logrotate.d/efl"
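The one-liner above appends to /etc/logrotate.d/efl, so running it twice leaves two stanzas for the same file, which logrotate reports as a duplicate log entry. The script below is an added example, not part of the original document: it writes the same stanza only when the target file does not already rotate /var/log/efl.log, and a helper counts how many stanzas for that log a file contains. The log path, the rotation settings and the rsyslog reload command are the document's; the config path is a parameter so the script can be tried against a scratch file before it is run as root against /etc/logrotate.d/efl.

```shell
#!/bin/sh
# Added example (not from the original document): install the logrotate
# stanza for the firewall log in a way that can safely be re-run.
set -eu

EFL_LOG=/var/log/efl.log   # must match the file rsyslog writes the firewall log to

# Print the logrotate stanza with the document's settings: 7 daily rotations,
# compression delayed by one cycle, rsyslog told to reopen the file afterwards.
efl_logrotate_stanza() {
    cat <<EOF
$EFL_LOG
{
    rotate 7
    daily
    missingok
    notifempty
    delaycompress
    compress
    postrotate
        invoke-rc.d rsyslog reload > /dev/null
    endscript
}
EOF
}

# Append the stanza to $1 unless that file already rotates $EFL_LOG.
# Prints "installed" or "already present"; returns 0 either way.
install_efl_logrotate() {
    conf="$1"
    if [ -f "$conf" ] && grep -qxF "$EFL_LOG" "$conf"; then
        echo "already present"
        return 0
    fi
    efl_logrotate_stanza >> "$conf"
    echo "installed"
}

# Count the stanzas for $EFL_LOG in $1 (0 for a missing file).
# grep -c prints 0 and exits 1 when nothing matches, hence the || true.
efl_stanza_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cxF "$EFL_LOG" "$1" || true
}

# Stand-alone use (as root):  sh this_script.sh /etc/logrotate.d/efl
if [ "$#" -gt 0 ]; then
    install_efl_logrotate "$1"
fi
```

After installing, "sudo logrotate -d /etc/logrotate.d/efl" parses the file and shows what would happen without rotating anything; a "duplicate log entry" message there is the sign that the stanza was appended more than once.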

Useful Links
1. http://www.rsyslog.com/
2. http://www.phplogcon.com/
3. http://www.fwbuilder.org/docs/users_guide/book1.htm
4. http://www.webmin.com
5. http://ubuntu-tutorials.com/
6. http://www.tc.umn.edu/~brams006/selfsign.html


About the Author
To start with, I consider myself a Linux newbie even though I have been dabbling with Linux since 1998. I never got too involved with it or explored the depths of Linux. I would use it to play with, create basic DHCP, DNS and FTP servers, and odd programs. It is now becoming more and more prevalent in my personal and professional IT goals and demands. I have 12+ years of professional experience in the IT field (Microsoft, VMware and Cisco) but am now trying to bring Linux into the foreground of my expertise.

This has been something I have thought about for about five years. It all started with needing a proper firewall at home without spending last month's paycheck. That is what led me to a great product called FWbuilder. It is a GUI front-end for configuring iptables (amongst other formats) firewalls. This was great for newbie users like me, allowing a fully customizable firewall in my house for little or no money. The one thing that was lacking (no fault of FWbuilder, as its purpose is to create the policies, not to log them) was the logging aspect. Now, with my discovery of Rsyslog and phpLogCon, I can create a user-friendly firewall environment. Enjoy.
