Article Number
000002794
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Log Collector, Virtual Log Collector (VLC)
RSA Version/Condition: 10.4.x, 10.5.x
Platform: CentOS
Platform (Other): VSFTPD
O/S Version: EL6
Issue
Specific iptables rules must be added in order to allow files to be collected via VSFTPD.
Resolution
Perform the steps below to enable the proper iptables rules for VSFTPD file reader collection.
- Connect to either the VLC or Log Decoder (depending on where the logs are sent) via SSH as the root user.
- Stop the iptables service.
service iptables stop
- Using the vi editor, add the VSFTP rules shown below (highlighted in red in the original article) to the /etc/sysconfig/iptables file anywhere after the ":OUTPUT ACCEPT [nn:nn]" line and before the "COMMIT" line. The surrounding lines show where the rules sit within an existing file.
:OUTPUT ACCEPT [0:0]
-A INPUT -m comment --comment "000 INPUT allow related and established" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m comment --comment "001 accept all icmp requests" -j ACCEPT
-A INPUT -i lo -p tcp -m comment --comment "002 INPUT allow loopback" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 5671 -m comment --comment "1 AMQPS" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50006 -m comment --comment "1 Appliance Port" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 50001 -m comment --comment "1 LogCollector Port" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21 -m comment --comment "VSFTP connection" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20 -m comment --comment "VSFTP File Transfer" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 21 -m comment --comment "VSFTP Connect 2" -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 20 -m comment --comment "VSFTP Transfer 2" -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
COMMIT
- Save the /etc/sysconfig/iptables file by typing :wq! in the vi editor.
- Start the iptables service again.
service iptables start
- Using an FTP client such as FileZilla, connect to the appliance and transfer a dummy file; the transfer should succeed.
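The following script is an added example and is not part of the RSA article. It performs the edit step above without hand-editing the file: it inserts the six VSFTP rules from the article directly above the COMMIT line of an iptables-save formatted file (such as /etc/sysconfig/iptables), skips any rule that is already present so it can be re-run safely, and then validates and loads the file with iptables-restore. The function names and the test-then-load flow are this example's own choices; the rule text is the article's, with the multiport option spelled --dports throughout.

```shell
#!/bin/sh
# Added example (not from the RSA article): insert the article's VSFTP rules into an
# iptables-save formatted file, then load it atomically with iptables-restore.
# Helper names below are this example's own; the rule text comes from the article.

# The six rules from the article, one per line.
VSFTP_RULES='-A INPUT -p tcp -m multiport --dports 21 -m comment --comment "VSFTP connection" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20 -m comment --comment "VSFTP File Transfer" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 21 -m comment --comment "VSFTP Connect 2" -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 20 -m comment --comment "VSFTP Transfer 2" -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT'

# missing_vsftp_rules <file>: print the rules from VSFTP_RULES that <file> does not yet contain.
missing_vsftp_rules() {
  printf '%s\n' "$VSFTP_RULES" | while IFS= read -r rule; do
    grep -qxF -e "$rule" "$1" || printf '%s\n' "$rule"
  done
}

# add_vsftp_rules <file>: insert the missing rules immediately above the first COMMIT line.
# Returns 1 and leaves the file untouched if there is no COMMIT line to anchor on.
add_vsftp_rules() {
  file=$1
  grep -q '^COMMIT$' "$file" || return 1
  block=$(missing_vsftp_rules "$file")
  [ -n "$block" ] || return 0            # every rule already present: nothing to do
  tmp=$(mktemp) || return 1
  awk -v block="$block" '
    !done && /^COMMIT$/ { print block; done = 1 }   # emit the new rules above COMMIT
    { print }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"
  status=$?
  rm -f "$tmp"
  return $status
}

# count_vsftp_rules <file>: how many of the six rules appear above the first COMMIT line.
count_vsftp_rules() {
  head_part=$(awk '/^COMMIT$/ { exit } { print }' "$1")
  printf '%s\n' "$VSFTP_RULES" | while IFS= read -r rule; do
    printf '%s\n' "$head_part" | grep -qxF -e "$rule" && echo x
  done | awk 'END { print NR }'
}

# load_vsftp_rules <file>: parse the whole file first (--test), then apply it. The running
# ruleset stays in force until the new one replaces it, unlike "service iptables stop",
# which leaves the appliance unfiltered while the file is edited. Requires root.
load_vsftp_rules() {
  iptables-restore --test < "$1" || return 1
  iptables-restore < "$1"
}

# Typical use on the appliance (as root):
#   add_vsftp_rules /etc/sysconfig/iptables && load_vsftp_rules /etc/sysconfig/iptables
```

Two points worth checking before loading the result. First, iptables-restore replaces the filter table from the file, so make sure the file still carries the existing RSA rules (AMQPS, appliance and LogCollector ports) and ends with COMMIT. Second, the two conntrack rules accept NEW connections on any destination port from 20 upward whenever the source port is unprivileged, which is far wider than FTP itself; if the appliance should only accept passive-mode data connections, consider narrowing that destination range to the passive port range configured for vsftpd (its pasv_min_port and pasv_max_port settings) rather than 20:65535.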
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.