7

Is it possible to only write a log-entry when a connection is established ? I have tried:

iptables -I OUTPUT -p tcp --dport 22 -j LOG --log-level notice --log-prefix "outgoing ssh connection"

to log outgoing SSH connections but this logs every single packet and this is as you can imagine a bit overwhelming for monitoring purposes. I am running SLES 11 SP3. So I would be grateful if anyone could point out a way to only write a log-entry when the conenction is established.

phenom135
  • 107
  • 1
  • 4
  • 13

2 Answers2

5

The Line you would need to log the traffic, might look possible as: 

iptables -I OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j LOG --log-prefix "Outgoing SSH connection"

On another terminal view the logs

while :; do iptables -L OUTPUT -v -n --line-n; sleep 2; done

I am using -m state --state. However I would recommand to use --ctstate

man iptables for more.

If you feel that you are being overwhelmed by the logs, you might consider changing the --log-level. http://www.netfilter.org/ can tell you more.

Valentin Bajrami
  • 3,870
  • 1
  • 17
  • 25
  • This worked wonders for me to track down a compromised server, but I used tail -F /var/log/syslog | grep "Outgoing SSH connection" because it only output information when a connection was attempted vs constant output. – FreeSoftwareServers Oct 29 '16 at 03:47
3

val0x00ff's suggestion of using --state, also by Petter H in a comment, should work well.

However, you don't need to introduce session state tracking just for that. You can add the --syn flag to make the rule match only packets with the SYN flag set, which is set only on new connection attempts.

Community
  • 1
user
  • 4,267
  • 4
  • 32
  • 70