Rate Limiting; Administrative Access Log Messages; Boot Log Messages - McAfee SG310 Administration Manual

System Log

Rate limiting
iptables has the facility for rate-limiting the log messages that are generated in order to avoid denial of
service issues arising out of logging these access attempts. To achieve this, use the following option:
--limit rate
rate is the maximum average matching rate, specified as a number with an optional /second, /minute,
/hour, or /day suffix. The default is 3/hour.
--limit-burst number
number is the maximum initial number of packets to match. This number gets recharged by one every
time the limit specified above is not reached, up to this number. The default is 5.
iptables has many more options. Perform a Web search for manpage iptables to find the relevant
documentation.
The LOG rules configured by default (for example, Default Deny:) are all limited to:
--limit 3/hour --limit-burst 5

Administrative access log messages

When a user tries to log onto the Management Console, one of the following log messages appears:
Jan 30 01:54:14 httpd: Authentication successful for root from 10.46.8.10
Jan 30 23:44:10 httpd: Authentication attempt failed for root from 10.46.8.1 because: Bad Password
The messages show the date and time, whether the authentication succeeded or failed (and reason for the
failure), the user attempting authentication (in this case root) and the IP address from which the attempt
was made.
Successful Telnet (Command Line Interface) login attempts appear as follows:
Jan 31 00:06:45 login[32098]: Authentication successful for root from 10.46.8.66
Unsuccessful Telnet login attempts appear as follows:
Jan 31 00:09:02 login[32161]: Authentication attempt failed for root from 10.46.8.66 because: Bad Password
The messages show the same information as a Web login attempt.
Successful SSH (Secure Shell) login attempts appear as follows:
Jan 31 00:09:14 /bin/sshd[32166]: Accepted password for root from ::ffff:10.46.8.66 port 1463 ssh2
Unsuccessful SSH login attempts appear as follows:
Jan 31 00:08:52 /bin/sshd[32154]: Illegal user fred from ::ffff:10.46.8.66
Jan 31 00:08:52 /bin/sshd[32154]: Failed none for illegal user fred from ::ffff:10.46.8.66 port 1459 ssh2
<6>Jan 31 00:09:14 /bin/sshd[32170]: Address 10.46.8.66 maps to somepc, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
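
As an added example (not part of the manual or the appliance's software), the following Python code parses the httpd, login and sshd message formats quoted above and counts failed logins per source address. The function names are hypothetical, and the sample input is the manual's own messages with wrapped lines joined.

```python
import ipaddress
import re
from collections import Counter

# Syslog header as shown in the manual: optional <priority>, timestamp, process[pid]:
HEADER = re.compile(r"^(?:<\d+>)?(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
                    r"(?P<proc>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
# sshd's "Illegal user" line is skipped: the "Failed ..." line after it covers the attempt.
MESSAGES = [
    (re.compile(r"Authentication successful for (?P<user>\S+) from (?P<ip>\S+)"), "success"),
    (re.compile(r"Authentication attempt failed for (?P<user>\S+) from (?P<ip>\S+)"), "failure"),
    (re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)"), "success"),
    (re.compile(r"Failed \S+ for (?:illegal user )?(?P<user>\S+) from (?P<ip>\S+)"), "failure"),
]

def normalize_ip(text):
    """Collapse sshd's IPv4-mapped form (::ffff:a.b.c.d) to plain IPv4 so sources correlate."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text  # not an address (for example a hostname): keep as logged
    return str(getattr(addr, "ipv4_mapped", None) or addr)

def parse_line(line):
    """Return a dict for a recognised authentication message, else None."""
    head = HEADER.match(line.strip())
    if not head:
        return None
    for pattern, outcome in MESSAGES:
        m = pattern.match(head["msg"])
        if m:
            return {"ts": head["ts"], "service": head["proc"].rsplit("/", 1)[-1],
                    "user": m["user"], "ip": normalize_ip(m["ip"]), "outcome": outcome}
    return None

def failures_by_source(lines):
    """Count failed logins per source address across httpd, login and sshd."""
    return Counter(e["ip"] for e in map(parse_line, lines) if e and e["outcome"] == "failure")

SAMPLE = [  # the manual's own sample messages, wrapped lines joined
    "Jan 30 23:44:10 httpd: Authentication attempt failed for root from 10.46.8.1 because: Bad Password",
    "Jan 31 00:09:02 login[32161]: Authentication attempt failed for root from 10.46.8.66 because: Bad Password",
    "Jan 31 00:09:14 /bin/sshd[32166]: Accepted password for root from ::ffff:10.46.8.66 port 1463 ssh2",
    "Jan 31 00:08:52 /bin/sshd[32154]: Illegal user fred from ::ffff:10.46.8.66",
    "Jan 31 00:08:52 /bin/sshd[32154]: Failed none for illegal user fred from ::ffff:10.46.8.66 port 1459 ssh2",
]

if __name__ == "__main__":
    print(failures_by_source(SAMPLE).most_common())
```

Normalizing the IPv4-mapped address is what lets the Telnet and SSH failures from 10.46.8.66 be counted against the same source.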

Boot log messages

The startup boot time messages of the UTM Firewall appliance are identified by log messages similar to the
following:
Jan 30 01:54:02 kernel: Linux version 2.4.31-uc0 (build@sgbuild) (gcc version 3.3.2) #1 Tue Oct 17 02:00:32 EST 2006
This also shows the version of the operating system (Linux), and the build date and time.
McAfee UTM Firewall 4.0.4 Administration Guide

This manual is also suitable for: Sg560, Sg560u, Sg565, Sg580
