A log for security-related messages. Records of the following types may appear in the log:
Anti-spoofing log records
Messages about packets that were captured by the Anti-spoofing module (packets with invalid source IP address — see section 17.2 Special Security Settings for details)
[17/Jul/2008 11:46:38] Anti-Spoofing: Packet from LAN, proto:TCP, len:48, ip/port:61.173.81.166:1864 -> 195.39.55.10:445, flags: SYN, seq:3819654104 ack:0, win:16384, tcplen:0
packet from — packet direction (either from, i.e. sent via the interface, or to, i.e. received via the interface)
LAN — interface name (see chapter 5 Network interfaces for details)
proto: — transport protocol (TCP, UDP, etc.)
len: — packet size in bytes (including the headers)
ip/port: — source IP address, source port, destination IP address and destination port
flags: — TCP flags
seq: — sequence number of the packet (TCP only)
ack: — acknowledgement sequence number (TCP only)
win: — size of the receive window in bytes (it is used for data flow control — TCP only)
tcplen: — TCP payload size (i.e. size of the data part of the packet) in bytes (TCP only)
FTP protocol parser log records
[17/Jul/2008 11:55:14] FTP: Bounce attack attempt: client: 1.2.3.4, server: 5.6.7.8, command: PORT 10,11,12,13,14,15
(attack attempt detected — a foreign IP address in the PORT command)
[17/Jul/2008 11:56:27] FTP: Malicious server reply: client: 1.2.3.4, server: 5.6.7.8, response: 227 Entering Passive Mode (10,11,12,13,14,15)
(suspicious server reply with a foreign IP address)
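Added example, not part of the WinRoute documentation: Python code that parses the two FTP record types shown above, decodes the h1,h2,h3,h4,p1,p2 tuple into a data-connection address and port, and compares that address with the client (PORT command) or the server (227 reply). The record layout is inferred from the two sample lines only; parse_ftp_record, decode_hostport and the dictionary keys are illustrative names, and treating the client's or server's own address as the expected one is an assumption about what the log means by "foreign".

```python
import re
from datetime import datetime

# Constructed sample: the two FTP records quoted in the text above.
SAMPLE = [
    "[17/Jul/2008 11:55:14] FTP: Bounce attack attempt: client: 1.2.3.4, "
    "server: 5.6.7.8, command: PORT 10,11,12,13,14,15",
    "[17/Jul/2008 11:56:27] FTP: Malicious server reply: client: 1.2.3.4, "
    "server: 5.6.7.8, response: 227 Entering Passive Mode (10,11,12,13,14,15)",
]

# Assumed record layout, inferred from those two records only.
RECORD = re.compile(
    r"^\[(?P<ts>[^\]]+)\] FTP: (?P<event>[^:]+): client: (?P<client>[\d.]+), "
    r"server: (?P<server>[\d.]+), (?:command|response): (?P<text>.*)$"
)
# RFC 959 host-port argument: h1,h2,h3,h4,p1,p2
HOSTPORT = re.compile(r"(\d{1,3})" + r",(\d{1,3})" * 5)


def decode_hostport(text):
    """Return (ip, port) from a PORT argument or 227 reply, or None."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):  # each field is a single byte
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_ftp_record(line):
    """Parse one FTP record; return a dict, or None if the line is not one."""
    m = RECORD.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y %H:%M:%S")
    decoded = decode_hostport(rec.pop("text"))
    if decoded is None:
        return None
    rec["data_ip"], rec["data_port"] = decoded
    # PORT is sent by the client, the 227 reply by the server, so the
    # address is compared with that party's own address (assumption).
    is_port = rec["event"].startswith("Bounce")
    rec["expected_ip"] = rec["client"] if is_port else rec["server"]
    rec["foreign"] = rec["data_ip"] != rec["expected_ip"]
    return rec
```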
Failed user authentication log records
Message format:
Authentication: <service>: Client: <IP address>: <reason>
<service> — The WinRoute service to which the user attempted to authenticate (Admin = administration using Kerio Administration Console, WebAdmin = web administration interface, WebAdmin SSL = secure web administration interface, Proxy = proxy server user authentication)
<IP address> — IP address of the computer from which the user attempted to authenticate
<reason> — reason for the authentication failure (nonexistent user / wrong password)
Note: For detailed information on user quotas, refer to chapters 15.1 Viewing and definitions of user accounts and 10.1 Firewall User Authentication.
Information about the start and shutdown of the WinRoute Firewall Engine
a) Engine Startup:
[17/Dec/2008 12:11:33] Engine: Startup.
b) Engine Shutdown:
[17/Dec/2008 12:22:43] Engine: Shutdown.