$ sudo -s
# editor /etc/rsyslog.d/30-routerlogs.conf
local0.* -?RouterLogs
... and add a new line below:
local0.* /var/log/network/everything
... this will enable logging of ALL messages to a single file, so that we can run a monitoring script on the messages.
# service rsyslog restart
Set up log rotation so that this file does not grow too big:
# editor /etc/logrotate.d/everything
/var/log/network/everything {
daily
copytruncate
rotate 1
postrotate
/etc/init.d/swatch restart
endscript
}
# apt-get install swatch
# editor /etc/swatch.conf
watchfor /PRIV_AUTH_PASS/
mail=sysadm,subject=Enable mode entered
threshold type=limit,count=1,seconds=3600
watchfor /CONFIG_I/
mail=sysadm,subject=Router configuration
threshold type=limit,count=1,seconds=3600
watchfor /LINK/
mail=sysadm,subject=Link state change
threshold type=limit,count=1,seconds=3600
watchfor /SSH/
mail=sysadm,subject=SSH connection
threshold type=limit,count=1,seconds=3600
Save the file and exit
# swatch -c /etc/swatch.conf --daemon -t /var/log/network/everything
Check that it is running:
# ps ax | grep swatch
# telnet 10.10.X.254 [where "X" is your router number]
rtrX> enable
Password: <password>
rtrX# config terminal
rtrX(config)# int FastEthernet0/0
rtrX(config-if)# description Description Change for FastEthernet0/0 for Swatch
rtrX(config-if)# ctrl-z
rtrX# write memory
rtrX# exit
Just as in the previous exercise, do a shutdown / no shutdown on a loopback interface.
$ su - sysadm
$ mutt -f /var/mail/sysadm
rtrX# conf t
rtrX(config)# access-list 123 deny tcp any host 10.10.X.254 eq 23 log
rtrX(config)# access-list 123 permit ip any any
rtrX(config)# interface fastEthernet 0/1
rtrX(config-if)# ip access-group 123 in
rtrX(config-if)# exit
rtrX(config)# exit
(remember, X is the number of your group)
Explanation: we are now filtering Telnet to the router, on the inside interface, explicitly, but we allow anything else. The "permit" statement is required or we will be disabling all IP access to the router!
From your PC:
$ telnet 10.10.X.254
Trying 10.10.X.254...
telnet: Unable to connect to remote host: No route to host
$
Notice that it says "No route to host" instead of "Connection refused".
This is because, although we have already disabled Telnet by enabling SSH on the routers, an active ACL responds differently from a closed port (TCP RST vs. ICMP Host Unreachable).
Now look at the logfile:
$ tail /var/log/network/everything
Jun 2 13:46:14 rtrX 6133: *Jun 2 15:46:13.552: %SEC-6-IPACCESSLOGP: list 123 denied tcp 10.10.X.37(43523) -> 10.10.X.254(23), 1 packet
Hint: if your log is filled with "SSH-5-*" messages, ignore them like this:
$ grep -v SSH-5 /var/log/network/everything | tail
... you should see SEC-6-IPACCESSLOGP messages
# editor /etc/swatch.conf
Add the following lines
watchfor /SEC-6-IPACCESS/
mail=sysadm,subject=Blocked connection
threshold type=limit,count=1,seconds=3600
# ps ax |grep swatch | grep -v grep
12345 ? Ss 0:00 /usr/bin/swatch -c /etc/swatch.conf --daemon -t /var/log/network/everything
The number on the LEFT is the number you need to kill - here 12345
# kill 12345 (the number YOU got!!)
# swatch -c /etc/swatch.conf --daemon -t /var/log/network/everything
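To see what the swatch rules above (the original four watchfor entries plus the SEC-6-IPACCESS one) actually do with the log lines in /var/log/network/everything, here is an added Python re-implementation of them; it is not swatch and not part of the exercise. The rules and subjects are copied from /etc/swatch.conf, the "limit" threshold is simplified to "first match fires, then silence for 3600 seconds", and the sample log lines are constructed in the format the exercise shows.

```python
import re
from datetime import datetime

# Rules mirror the lab's /etc/swatch.conf (patterns and mail subjects). The "limit" threshold
# is simplified: fire on the first match, stay silent for LIMIT_SECONDS, then arm again.
RULES = [
    ("Enable mode entered", re.compile(r"PRIV_AUTH_PASS")),
    ("Router configuration", re.compile(r"CONFIG_I")),
    ("Link state change", re.compile(r"LINK")),
    ("SSH connection", re.compile(r"SSH")),
    ("Blocked connection", re.compile(r"SEC-6-IPACCESS")),
]
LIMIT_SECONDS = 3600  # threshold type=limit,count=1,seconds=3600

# rsyslog line: "<Mon> <d> <HH:MM:SS> <host> <seq>: *<router clock>: %FAC-SEV-MNEMONIC: text".
# The leading stamp is the syslog server's receive time; the router clock after "*" may be in
# another timezone (as in the exercise), so the quiet window is computed from the former.
LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s"
    r".*?%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+):\s*(?P<text>.*)$"
)

def received_at(m):
    # Syslog stamps carry no year; strptime's default (1900) is fine for intervals within a month.
    return datetime.strptime(" ".join(m["stamp"].split()), "%b %d %H:%M:%S")

def watch(log_text):
    """Return (subject, host, mnemonic) for each line that would make swatch send mail."""
    last_fired = {}  # subject -> receive time of the alert that opened the current quiet window
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a router message, e.g. rsyslog's own start-up chatter
        t = received_at(m)
        for subject, pattern in RULES:
            if pattern.search(line):  # like swatch, match against the whole line
                opened = last_fired.get(subject)
                if opened is None or (t - opened).total_seconds() >= LIMIT_SECONDS:
                    last_fired[subject] = t
                    alerts.append((subject, m["host"], m["mnemonic"]))
    return alerts

# Constructed sample lines in the format shown in the exercise (not from a real router).
SAMPLE_LOG = """\
Jun  2 13:40:02 rtrX 6120: *Jun  2 15:40:01.113: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.X.37)
Jun  2 13:41:10 rtrX 6121: *Jun  2 15:41:09.221: %LINK-3-UPDOWN: Interface Loopback0, changed state to down
Jun  2 13:41:15 rtrX 6122: *Jun  2 15:41:14.530: %LINK-3-UPDOWN: Interface Loopback0, changed state to up
Jun  2 13:46:14 rtrX 6133: *Jun  2 15:46:13.552: %SEC-6-IPACCESSLOGP: list 123 denied tcp 10.10.X.37(43523) -> 10.10.X.254(23), 1 packet
Jun  2 14:50:00 rtrX 6140: *Jun  2 16:49:59.900: %SEC-6-IPACCESSLOGP: list 123 denied tcp 10.10.X.37(43530) -> 10.10.X.254(23), 1 packet
"""
```

Running watch(SAMPLE_LOG) yields four alerts: the second LINK line (5 seconds after the first) is swallowed by the quiet window, while the second blocked Telnet attempt fires again because it arrives more than 3600 seconds after the first.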