000032180 - How to enable iptables rules for VSFTPD file reader collection in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000032180
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Log Collector, Virtual Log Collector (VLC)
RSA Version/Condition: 10.4.x, 10.5.x
Platform: CentOS
Platform (Other): VSFTPD
O/S Version: EL6
Issue: Specific iptables rules must be added to the appliance firewall before files can be collected via VSFTPD.
Resolution
Perform the steps below to enable the proper iptables rules for VSFTPD file reader collection.

  1. Connect via SSH as the root user to either the VLC or the Log Decoder, depending on which one the files are sent to.
  2. Stop the iptables service. (The rules file is only read when the service starts, so this step can be skipped and step 5 replaced by service iptables restart if the appliance must stay filtered while the file is edited.)
    service iptables stop

  3. Using the vi editor, add the VSFTP rules below (the lines the original article showed in red: the six rules whose comments mention VSFTP and the two --sport 1024:65535 rules) to the /etc/sysconfig/iptables file, anywhere after the ":OUTPUT ACCEPT [nn:nn]" line and before the "COMMIT" line. The remaining rules are shown only for context, to indicate where the new lines go.
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m comment --comment "000 INPUT allow related and established" -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -m comment --comment "001 accept all icmp requests" -j ACCEPT
    -A INPUT -i lo -p tcp -m comment --comment "002 INPUT allow loopback" -j ACCEPT
    -A INPUT -p tcp -m multiport --ports 5671 -m comment --comment "1 AMQPS" -j ACCEPT
    -A INPUT -p tcp -m multiport --ports 50006 -m comment --comment "1 Appliance Port" -j ACCEPT
    -A INPUT -p tcp -m multiport --ports 50001 -m comment --comment "1 LogCollector Port" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 21 -m comment --comment "VSFTP connection" -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 20 -m comment --comment "VSFTP File Transfer" -m state --state NEW -j ACCEPT
    -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp -m multiport --dports 21 -m comment --comment "VSFTP Connect 2" -m state --state NEW -j ACCEPT
    -A OUTPUT -p tcp -m multiport --dports 20 -m comment --comment "VSFTP Transfer 2" -m state --state NEW -j ACCEPT
    -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    COMMIT

    Note that the multiport match takes --dports (as in the INPUT rules); the OUTPUT rules are written the same way here. The two --sport 1024:65535 --dport 20:65535 rules exist to admit passive-mode FTP data connections, whose server-side port is chosen at run time. As written they accept NEW inbound TCP connections on every port from 20 to 65535, which exposes every listening service on the appliance, not just vsftpd. If vsftpd.conf pins the passive range with pasv_min_port and pasv_max_port, restrict --dport to that range instead, and where possible add -s to limit the rules to the hosts that upload files, since FTP carries credentials and data in cleartext. The OUTPUT rules are harmless but redundant while the OUTPUT chain policy is ACCEPT.

  4. Save the /etc/sysconfig/iptables file by typing :wq! in the vi editor.
  5. Start the iptables service again. If the service reports a failure, iptables-restore has rejected a line in the file; fix it before continuing, because the appliance runs unfiltered until the rules load.
    service iptables start

  6. Using an FTP client such as FileZilla, connect to the appliance and transfer a dummy file; the transfer should succeed. If it does not, recheck the rule syntax and, for passive mode, the data port range.
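The procedure above edits the rules file by hand. As an added example (not part of the RSA article and not RSA tooling), the script below does steps 3 and 4 idempotently: it inserts the VSFTP INPUT rules immediately before the filter table's COMMIT line, skips the insert if they are already present, and counts the result. The passive port range (50100:50200, assumed to match pasv_min_port/pasv_max_port in vsftpd.conf), the file name and the sample rules file are assumptions; the sample is constructed, not a capture from an appliance. OUTPUT rules are omitted because the article's file has an ACCEPT policy on that chain.

```shell
#!/bin/sh
# Added example, not part of the RSA article: add the VSFTP rules to an
# iptables-save style file (such as /etc/sysconfig/iptables) idempotently,
# placing them before the filter table's COMMIT line, and count the result.
# The passive port range and the sample file below are assumptions.

# Passive-mode data ports vsftpd is ASSUMED to be configured with
# (pasv_min_port/pasv_max_port in vsftpd.conf). The article's rule admits
# NEW connections on 20:65535; a pinned range keeps the exposure small.
PASV_RANGE="${PASV_RANGE:-50100:50200}"

# The rules to add, in iptables-save syntax. Only INPUT rules are needed when
# the OUTPUT chain policy is ACCEPT, as in the article's file.
vsftp_rules() {
    cat <<EOF
-A INPUT -p tcp -m multiport --dports 21 -m comment --comment "VSFTP connection" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20 -m comment --comment "VSFTP File Transfer" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport $PASV_RANGE -m comment --comment "VSFTP passive data" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
EOF
}

# Exit status 0 if the file already carries the VSFTP rules, 1 otherwise.
has_vsftp_rules() {
    grep -q -- '--comment "VSFTP connection"' "$1"
}

# Number of VSFTP rule lines in the file (always prints, never fails).
count_vsftp_rules() {
    grep -c -- '--comment "VSFTP' "$1" || true
}

# Insert the rules immediately before the COMMIT of the *filter table,
# leaving the file untouched if they are already there.
add_vsftp_rules() {
    f="$1"
    has_vsftp_rules "$f" && return 0
    rules=$(mktemp)
    vsftp_rules > "$rules"
    awk -v rules="$rules" '
        /^\*/ { table = $1 }                       # track the current table
        table == "*filter" && /^COMMIT/ && !done {
            while ((getline line < rules) > 0) print line
            close(rules); done = 1
        }
        { print }
    ' "$f" > "$f.new" && mv "$f.new" "$f"
    rm -f "$rules"
}

# Constructed sample of an appliance /etc/sysconfig/iptables (not a real
# capture); only the lines needed to show placement are included.
make_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m comment --comment "000 INPUT allow related and established" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -p tcp -m comment --comment "002 INPUT allow loopback" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50001 -m comment --comment "1 LogCollector Port" -j ACCEPT
COMMIT
EOF
}

# After `service iptables restart`, confirm the kernel actually loaded them
# (a file that iptables-restore rejects leaves the host unfiltered).
check_loaded() {
    iptables -S INPUT | grep -c VSFTP
}

# Usage on an appliance:  sh add_vsftp_rules.sh /etc/sysconfig/iptables
# then:                   service iptables restart && iptables -S INPUT | grep VSFTP
if [ "$#" -gt 0 ]; then
    add_vsftp_rules "$1" && echo "$1 now holds $(count_vsftp_rules "$1") VSFTP rules"
fi
```

Running the script twice against the same file leaves exactly one copy of each rule, which matters on appliances where the procedure is re-run after an upgrade. The passive-range rule is the one to review on every host: if vsftpd.conf does not pin pasv_min_port and pasv_max_port, there is no range to restrict to, and the article's 20:65535 rule is the only option short of loading the nf_conntrack_ftp helper.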
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
