22.11  Security Log

A log for security-related messages. Records of the following types may appear in the log:

  1. Anti-spoofing log records

    Messages about packets that were captured by the Anti-spoofing module (packets with an invalid source IP address — see section 17.2  Special Security Settings for details)

    Example

    [17/Jul/2008 11:46:38] Anti-Spoofing: Packet from LAN, proto:TCP, len:48, ip/port:61.173.81.166:1864 -> 195.39.55.10:445, flags: SYN, seq:3819654104 ack:0, win:16384, tcplen:0

    • packet from — packet direction (either from, i.e. sent via the interface, or to, i.e. received via the interface)

    • LAN — interface name (see chapter 5  Network interfaces for details)

    • proto: — transport protocol (TCP, UDP, etc.)

    • len: — packet size in bytes (including the headers)

    • ip/port: — source IP address, source port, destination IP address and destination port

    • flags: — TCP flags

    • seq: — sequence number of the packet (TCP only)

    • ack: — acknowledgement sequence number (TCP only)

    • win: — size of the receive window in bytes (it is used for data flow control — TCP only)

    • tcplen: — TCP payload size (i.e. size of the data part of the packet) in bytes (TCP only)

  2. FTP protocol parser log records

    Example 1

    [17/Jul/2008 11:55:14] FTP: Bounce attack attempt: client: 1.2.3.4, server: 5.6.7.8, command: PORT 10,11,12,13,14,15

    (attack attempt detected — a foreign IP address in the PORT command)

    Example 2

    [17/Jul/2008 11:56:27] FTP: Malicious server reply: client: 1.2.3.4, server: 5.6.7.8, response: 227 Entering Passive Mode (10,11,12,13,14,15)

    (suspicious server reply with a foreign IP address)

  3. Failed user authentication log records

    Message format:

    Authentication: <service>: Client: <IP address>: <reason>

    • <service> — The WinRoute service to which the user attempted to authenticate (Admin = administration using Kerio Administration Console, WebAdmin = web administration interface, WebAdmin SSL = secure web administration interface, Proxy = proxy server user authentication)

    • <IP address> — IP address of the computer from which the user attempted to authenticate

    • <reason> — reason for the authentication failure (nonexistent user / wrong password)

    Note: For detailed information on user quotas, refer to chapters 15.1  Viewing and definitions of user accounts and 10.1  Firewall User Authentication.

  4. Information about the start and shutdown of the WinRoute Firewall Engine

    a) Engine Startup:

    [17/Dec/2008 12:11:33] Engine: Startup.

    b) Engine Shutdown:

    [17/Dec/2008 12:22:43] Engine: Shutdown.
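    The record formats above are regular enough to parse mechanically, which is what an administrator exporting the Security log to a SIEM or a cron job would do. The following is an added example, not part of the WinRoute documentation or product: a small Python parser for the four record types, a decoder for the h1,h2,h3,h4,p1,p2 address form that the FTP parser inspects, and a summary that counts records per type, confirms the FTP records really carry a foreign address (the address in the PORT command is compared with the client, the address in the 227 reply with the server), and lists clients with repeated authentication failures. The Anti-Spoofing, FTP and Engine sample lines are the ones shown in this section; the Authentication lines are constructed from the documented message format with RFC 5737 test addresses, and the timestamp prefix on them is an assumption.

```python
import re
from collections import Counter

# Timestamp prefix shared by every record type shown in the manual.
TS = r"\[(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\] "

# One regex per record type; group names follow the field labels in the manual.
# For Anti-Spoofing, the TCP-only fields (flags/seq/ack/win/tcplen) are optional.
PATTERNS = {
    "anti_spoofing": re.compile(
        TS + r"Anti-Spoofing: Packet (?P<direction>from|to) (?P<iface>[^,]+), "
        r"proto:(?P<proto>\w+), len:(?P<len>\d+), "
        r"ip/port:(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> "
        r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
        r"(?:, flags: (?P<flags>[\w ]+), seq:(?P<seq>\d+) ack:(?P<ack>\d+), "
        r"win:(?P<win>\d+), tcplen:(?P<tcplen>\d+))?$"
    ),
    "ftp_bounce": re.compile(
        TS + r"FTP: Bounce attack attempt: client: (?P<client>[\d.]+), "
        r"server: (?P<server>[\d.]+), command: (?P<command>.+)$"
    ),
    "ftp_reply": re.compile(
        TS + r"FTP: Malicious server reply: client: (?P<client>[\d.]+), "
        r"server: (?P<server>[\d.]+), response: (?P<response>.+)$"
    ),
    "auth_failure": re.compile(
        TS + r"Authentication: (?P<service>.+?): Client: (?P<client>[\d.]+): (?P<reason>.+)$"
    ),
    "engine": re.compile(TS + r"Engine: (?P<event>Startup|Shutdown)\.$"),
}

def parse_record(line):
    """Return (record_type, fields) for a recognised line, else None.
    Fields that did not occur (e.g. TCP-only fields on a UDP packet) are omitted."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line.strip())
        if m:
            return kind, {k: v for k, v in m.groupdict().items() if v is not None}
    return None

FTP_ADDR = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def ftp_address(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by 227 replies
    into (ip, port); port is p1*256 + p2."""
    m = FTP_ADDR.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def foreign_address(record):
    """For the two FTP record types, True when the embedded address is not the
    expected endpoint (the client for PORT, the server for a 227 reply).
    Returns None for other record kinds."""
    kind, f = record
    if kind == "ftp_bounce":
        addr = ftp_address(f["command"])
        return addr is not None and addr[0] != f["client"]
    if kind == "ftp_reply":
        addr = ftp_address(f["response"])
        return addr is not None and addr[0] != f["server"]
    return None

def summarize(text, auth_threshold=2):
    """Parse every non-empty line; count record kinds, collect FTP records with
    a foreign address, and list (client, service) pairs whose failed logins
    reach auth_threshold. Unrecognised lines are returned rather than dropped."""
    kinds, auth_by_client = Counter(), Counter()
    foreign, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            unparsed.append(line)
            continue
        kind, f = rec
        kinds[kind] += 1
        if foreign_address(rec):
            foreign.append((kind, f["client"], f["server"]))
        if kind == "auth_failure":
            auth_by_client[(f["client"], f["service"])] += 1
    repeated = {k: n for k, n in auth_by_client.items() if n >= auth_threshold}
    return {"kinds": dict(kinds), "foreign_ftp": foreign,
            "repeated_auth_failures": repeated, "unparsed": unparsed}

# Constructed sample log: the first three and the last two lines are the
# examples from the manual; the Authentication lines are made up to match
# the documented format and use RFC 5737 test addresses.
SAMPLE_LOG = """\
[17/Jul/2008 11:46:38] Anti-Spoofing: Packet from LAN, proto:TCP, len:48, ip/port:61.173.81.166:1864 -> 195.39.55.10:445, flags: SYN, seq:3819654104 ack:0, win:16384, tcplen:0
[17/Jul/2008 11:55:14] FTP: Bounce attack attempt: client: 1.2.3.4, server: 5.6.7.8, command: PORT 10,11,12,13,14,15
[17/Jul/2008 11:56:27] FTP: Malicious server reply: client: 1.2.3.4, server: 5.6.7.8, response: 227 Entering Passive Mode (10,11,12,13,14,15)
[17/Jul/2008 12:01:05] Authentication: WebAdmin: Client: 192.0.2.10: wrong password
[17/Jul/2008 12:01:09] Authentication: WebAdmin: Client: 192.0.2.10: wrong password
[17/Jul/2008 12:03:40] Authentication: Proxy: Client: 192.0.2.25: nonexistent user
[17/Dec/2008 12:11:33] Engine: Startup.
[17/Dec/2008 12:22:43] Engine: Shutdown.
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The "direction" field follows the manual's convention (from = sent via the interface, to = received via it), so a filter on `direction == "from"` and a private source address is the usual first triage question for Anti-Spoofing records. The `unparsed` list matters operationally: a new firmware version that changes a message format otherwise silently disappears from the counts.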